ffdroider | e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555

Analysis

max time kernel
103s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
18-05-2022 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe
Size

9.1MB
MD5

93e23e5bed552c0500856641d19729a8
SHA1

7e14cdf808dcd21d766a4054935c87c89c037445
SHA256

e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555
SHA512

3996d6144bd7dab401df7f95d4623ba91502619446d7c877c2ecb601f23433c9447168e959a90458e0fae3d9d39a03c25642f611dbc3114917cad48aca2594ff

Score

10^/10

ffdroider glupteba metasploit onlylogger smokeloader socelars backdoor discovery dropper evasion loader persistence spyware stealer suricata trojan

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.znsjis.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://govsurplusstore.com/upload/

http://best-forsale.com/upload/

http://chmxnautoparts.com/upload/

http://kwazone.com/upload/

rc4.i32

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3312-334-0x0000000000090000-0x000000000063C000-memory.dmp	family_ffdroider

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/492-231-0x00000000038C0000-0x00000000041DE000-memory.dmp	family_glupteba
behavioral2/memory/492-234-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral2/memory/3604-309-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba
behavioral2/memory/3620-341-0x0000000000400000-0x0000000002FBF000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	3776	rUNdlL32.eXe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	3776	rundll32.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 2620 created 492 2620 svchost.exe Graphics.exe
PID 2620 created 3620 2620 svchost.exe csrss.exe
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
suricata: ET MALWARE Win32/FFDroider CnC Activity M2
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata

description	pid	process	target process
PID 2620 created 492	2620	svchost.exe	Graphics.exe
PID 2620 created 3620	2620	svchost.exe	csrss.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3488-343-0x0000000000610000-0x0000000000640000-memory.dmp	family_onlylogger
behavioral2/memory/3488-344-0x0000000000400000-0x00000000004BF000-memory.dmp	family_onlylogger

Downloads MZ/PE file

Executes dropped EXE 20 IoCs

Processes:

md9_1sjm.exeFoxSBrowser.exeFolder.exeGraphics.exeUpdbdate.exeFolder.exeInstall.exeFile.exepub2.exeFiles.exeDetails.exeGraphics.execsrss.exeinjector.exeGxBGbULnv2HKKjFKzb2yCdUX.exeOgZE2VfsOoQTPIepzjv1sq5t.exePQyy65uQ2DGZPRR9AvncThVA.exe82UvrhYHG4VrlCRQ02e4xFtR.exeq_Zn4zeo8oS1q13rLxYQt2Mw.exeCongiunto.exe.pif

pid	process
3312	md9_1sjm.exe
4168	FoxSBrowser.exe
4360	Folder.exe
492	Graphics.exe
4784	Updbdate.exe
256	Folder.exe
4464	Install.exe
3136	File.exe
5092	pub2.exe
1904	Files.exe
3488	Details.exe
3604	Graphics.exe
3620	csrss.exe
2240	injector.exe
2296	GxBGbULnv2HKKjFKzb2yCdUX.exe
5092	OgZE2VfsOoQTPIepzjv1sq5t.exe
2352	PQyy65uQ2DGZPRR9AvncThVA.exe
1500	82UvrhYHG4VrlCRQ02e4xFtR.exe
220	q_Zn4zeo8oS1q13rLxYQt2Mw.exe
3500	Congiunto.exe.pif

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

File.exeOgZE2VfsOoQTPIepzjv1sq5t.exe82UvrhYHG4VrlCRQ02e4xFtR.exee4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exeFolder.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	OgZE2VfsOoQTPIepzjv1sq5t.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	82UvrhYHG4VrlCRQ02e4xFtR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	Folder.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

872 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
872	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Graphics.exePQyy65uQ2DGZPRR9AvncThVA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IcyLake = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	PQyy65uQ2DGZPRR9AvncThVA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	PQyy65uQ2DGZPRR9AvncThVA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 ip-api.com
99 ipinfo.io
100 ipinfo.io
125 ipinfo.io
134 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
25	ip-api.com
99	ipinfo.io
100	ipinfo.io
125	ipinfo.io
134	ipinfo.io

Drops file in Program Files directory 2 IoCs

Processes:

OgZE2VfsOoQTPIepzjv1sq5t.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	OgZE2VfsOoQTPIepzjv1sq5t.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	OgZE2VfsOoQTPIepzjv1sq5t.exe

Drops file in Windows directory 2 IoCs

Processes:

Graphics.exe

description ioc process

File opened for modification C:\Windows\rss Graphics.exe
File created C:\Windows\rss\csrss.exe Graphics.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\rss	Graphics.exe
File created	C:\Windows\rss\csrss.exe	Graphics.exe

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2812	872	WerFault.exe	rundll32.exe
5060	3136	WerFault.exe	File.exe
2156	1528	WerFault.exe	mFlGl1KlnlsFbWWj_zybT6qO.exe
4688	1528	WerFault.exe	mFlGl1KlnlsFbWWj_zybT6qO.exe
4400	2952	WerFault.exe	rundll32.exe
2344	1528	WerFault.exe	mFlGl1KlnlsFbWWj_zybT6qO.exe
4708	1528	WerFault.exe	mFlGl1KlnlsFbWWj_zybT6qO.exe
2252	1528	WerFault.exe	mFlGl1KlnlsFbWWj_zybT6qO.exe
3192	1528	WerFault.exe	mFlGl1KlnlsFbWWj_zybT6qO.exe
5040	1528	WerFault.exe	mFlGl1KlnlsFbWWj_zybT6qO.exe
2304	1528	WerFault.exe	mFlGl1KlnlsFbWWj_zybT6qO.exe
4200	1528	WerFault.exe	mFlGl1KlnlsFbWWj_zybT6qO.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1828 schtasks.exe
2376 schtasks.exe
2844 schtasks.exe
4712 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

4312 tasklist.exe
816 tasklist.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 67 Go-http-client/1.1
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1384 taskkill.exe
1160 taskkill.exe

pid	process
1828	schtasks.exe
2376	schtasks.exe
2844	schtasks.exe
4712	schtasks.exe

pid	process
4312	tasklist.exe
816	tasklist.exe

description	flow	ioc
HTTP User-Agent header	67	Go-http-client/1.1

pid	process
1384	taskkill.exe
1160	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.execsrss.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Graphics.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	csrss.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time"	csrss.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	csrss.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Graphics.exeInstall.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d601030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Graphics.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c137e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Graphics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Install.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Install.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53	Install.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\151682F5218C0A511C28F4060A73B9CA78CE9A53\Blob = 030000000100000014000000151682f5218c0a511c28f4060a73b9ca78ce9a531400000001000000140000007c4296aede4b483bfa92f89e8ccf6d8ba972379504000000010000001000000029f1c1b26d92e893b6e6852ab708cce10f00000001000000200000005aef843ffcf2ec7055f504a162f229f8391c370ff3a6163d2db3f3d604d622be19000000010000001000000070d4f0bec2078234214bd651643b02405c0000000100000004000000800100001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da62000000001000000640400003082046030820248a0030201020210079e492886376fd40848c23fc631e463300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f742058323076301006072a8648ce3d020106052b8104002203620004cd9bd59f80830aec094af3164a3e5ccf77acde67050d1d07b6dc16fb5a8b14dbe27160c4ba459511898eea06dff72a161ca4b9c5c532e003e01e8218388bd745d80a6a6ee60077fb02517d22d80a6e9a5b77dff0fa41ec39dc75ca68070c1feaa381e53081e2300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604147c4296aede4b483bfa92f89e8ccf6d8ba9723795301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b050003820201001b7f252b907a0876007718e1c32e8a364c417ebf174be330d75b0c7e9c96986f7bb068c02444cce2f2fcd1eadbd29f01f9174d0c9d55fda5ad6dd22f3f4b72c02eae73c7251657c23e15ade031d10a84846c6278423122461aed7a40bf9716814477ca6c7b5d215c07f2119121bfe12fc2ef6efd0520e4b4f779f32dbb372af0c6b1acac51f51fb35a1e66ce580718387f71a93c83bad7bc829e9a760f9eb029fdcbf38907481bfeab932e14210d5faf8eb754ab5d0ed45b4c71d092ea3da3369b7c1fe03b55b9d85353cc8366bb4adc810600188bf4b3d748b11341b9c4b69ecf2c778e42200b807e9fc5ab48dbbc6f048d6c4629020d708a1df11273b64624429e2a1718e3acc798c272cc6d2d766ddd2c2b2696a5cf21081be5da2fcbef9f7393aef8365f478f9728ceabe29826988bfdee28322229ed4c9509c420fa07e1862c44f68147c0e46232ed1dd83c488896c35e91b6af7b59a4eee3869cc78858ca282a66559b8580b91dd8402bc91c133ca9ebde99c21640f6f5a4ae2a256c52bac7044cb432bbfc385ca00c617b57ec774e50cfaf06a20f378ce10ed2d32f1abd9c713ecce1f8d1a8a3bd04f619c0f986aff50e1aaa956befca47714b631c4d96db55230a9d0f8175a0e640f56446036ecefa6a7d06eca4340674da53d8b9b8c6237da9f82a2da482a62e2d11cae6cd31587985e6721ca79fd34cd066d0a7bb	Install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Graphics.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1220 PING.EXE

pid	process
1220	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exe

pid	process
5092	pub2.exe
5092	pub2.exe
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044
3044

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3044
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

5092 pub2.exe

pid	process
3044

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exeFoxSBrowser.exetaskkill.exemd9_1sjm.exeGraphics.exesvchost.exeGraphics.execsrss.exe

description	pid	process
Token: SeCreateTokenPrivilege	4464	Install.exe
Token: SeAssignPrimaryTokenPrivilege	4464	Install.exe
Token: SeLockMemoryPrivilege	4464	Install.exe
Token: SeIncreaseQuotaPrivilege	4464	Install.exe
Token: SeMachineAccountPrivilege	4464	Install.exe
Token: SeTcbPrivilege	4464	Install.exe
Token: SeSecurityPrivilege	4464	Install.exe
Token: SeTakeOwnershipPrivilege	4464	Install.exe
Token: SeLoadDriverPrivilege	4464	Install.exe
Token: SeSystemProfilePrivilege	4464	Install.exe
Token: SeSystemtimePrivilege	4464	Install.exe
Token: SeProfSingleProcessPrivilege	4464	Install.exe
Token: SeIncBasePriorityPrivilege	4464	Install.exe
Token: SeCreatePagefilePrivilege	4464	Install.exe
Token: SeCreatePermanentPrivilege	4464	Install.exe
Token: SeBackupPrivilege	4464	Install.exe
Token: SeRestorePrivilege	4464	Install.exe
Token: SeShutdownPrivilege	4464	Install.exe
Token: SeDebugPrivilege	4464	Install.exe
Token: SeAuditPrivilege	4464	Install.exe
Token: SeSystemEnvironmentPrivilege	4464	Install.exe
Token: SeChangeNotifyPrivilege	4464	Install.exe
Token: SeRemoteShutdownPrivilege	4464	Install.exe
Token: SeUndockPrivilege	4464	Install.exe
Token: SeSyncAgentPrivilege	4464	Install.exe
Token: SeEnableDelegationPrivilege	4464	Install.exe
Token: SeManageVolumePrivilege	4464	Install.exe
Token: SeImpersonatePrivilege	4464	Install.exe
Token: SeCreateGlobalPrivilege	4464	Install.exe
Token: 31	4464	Install.exe
Token: 32	4464	Install.exe
Token: 33	4464	Install.exe
Token: 34	4464	Install.exe
Token: 35	4464	Install.exe
Token: SeDebugPrivilege	4168	FoxSBrowser.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeManageVolumePrivilege	3312	md9_1sjm.exe
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeManageVolumePrivilege	3312	md9_1sjm.exe
Token: SeDebugPrivilege	492	Graphics.exe
Token: SeImpersonatePrivilege	492	Graphics.exe
Token: SeTcbPrivilege	2620	svchost.exe
Token: SeTcbPrivilege	2620	svchost.exe
Token: SeManageVolumePrivilege	3312	md9_1sjm.exe
Token: SeSystemEnvironmentPrivilege	3604	Graphics.exe
Token: SeManageVolumePrivilege	3312	md9_1sjm.exe
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeManageVolumePrivilege	3312	md9_1sjm.exe
Token: SeBackupPrivilege	2620	svchost.exe
Token: SeRestorePrivilege	2620	svchost.exe
Token: SeSystemEnvironmentPrivilege	3620	csrss.exe
Token: SeBackupPrivilege	2620	svchost.exe
Token: SeRestorePrivilege	2620	svchost.exe
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044
Token: SeCreatePagefilePrivilege	3044
Token: SeShutdownPrivilege	3044

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

Congiunto.exe.pif

pid process

3500 Congiunto.exe.pif
3044
3044
3500 Congiunto.exe.pif
3500 Congiunto.exe.pif
3044
3044
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Congiunto.exe.pif

pid process

3500 Congiunto.exe.pif
3500 Congiunto.exe.pif
3500 Congiunto.exe.pif
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OgZE2VfsOoQTPIepzjv1sq5t.exePQyy65uQ2DGZPRR9AvncThVA.exeCongiunto.exe.pif

pid process

5092 OgZE2VfsOoQTPIepzjv1sq5t.exe
2352 PQyy65uQ2DGZPRR9AvncThVA.exe
3500 Congiunto.exe.pif

pid	process
3500	Congiunto.exe.pif
3044
3044
3500	Congiunto.exe.pif
3500	Congiunto.exe.pif
3044
3044

pid	process
3500	Congiunto.exe.pif
3500	Congiunto.exe.pif
3500	Congiunto.exe.pif

pid	process
5092	OgZE2VfsOoQTPIepzjv1sq5t.exe
2352	PQyy65uQ2DGZPRR9AvncThVA.exe
3500	Congiunto.exe.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exeFolder.exerUNdlL32.eXeInstall.execmd.exesvchost.exeGraphics.execmd.execsrss.exeFile.exePQyy65uQ2DGZPRR9AvncThVA.exe

description	pid	process	target process
PID 4080 wrote to memory of 3312	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	md9_1sjm.exe
PID 4080 wrote to memory of 3312	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	md9_1sjm.exe
PID 4080 wrote to memory of 3312	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	md9_1sjm.exe
PID 4080 wrote to memory of 4168	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	FoxSBrowser.exe
PID 4080 wrote to memory of 4168	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	FoxSBrowser.exe
PID 4080 wrote to memory of 4360	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Folder.exe
PID 4080 wrote to memory of 4360	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Folder.exe
PID 4080 wrote to memory of 4360	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Folder.exe
PID 4080 wrote to memory of 492	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Graphics.exe
PID 4080 wrote to memory of 492	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Graphics.exe
PID 4080 wrote to memory of 492	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Graphics.exe
PID 4080 wrote to memory of 4784	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Updbdate.exe
PID 4080 wrote to memory of 4784	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Updbdate.exe
PID 4080 wrote to memory of 4784	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Updbdate.exe
PID 4360 wrote to memory of 256	4360	Folder.exe	Folder.exe
PID 4360 wrote to memory of 256	4360	Folder.exe	Folder.exe
PID 4360 wrote to memory of 256	4360	Folder.exe	Folder.exe
PID 4080 wrote to memory of 4464	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Install.exe
PID 4080 wrote to memory of 4464	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Install.exe
PID 4080 wrote to memory of 4464	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Install.exe
PID 4080 wrote to memory of 3136	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	File.exe
PID 4080 wrote to memory of 3136	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	File.exe
PID 4080 wrote to memory of 3136	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	File.exe
PID 4080 wrote to memory of 5092	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	pub2.exe
PID 4080 wrote to memory of 5092	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	pub2.exe
PID 4080 wrote to memory of 5092	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	pub2.exe
PID 4080 wrote to memory of 1904	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Files.exe
PID 4080 wrote to memory of 1904	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Files.exe
PID 4080 wrote to memory of 3488	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Details.exe
PID 4080 wrote to memory of 3488	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Details.exe
PID 4080 wrote to memory of 3488	4080	e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe	Details.exe
PID 2156 wrote to memory of 872	2156	rUNdlL32.eXe	rundll32.exe
PID 2156 wrote to memory of 872	2156	rUNdlL32.eXe	rundll32.exe
PID 2156 wrote to memory of 872	2156	rUNdlL32.eXe	rundll32.exe
PID 4464 wrote to memory of 816	4464	Install.exe	cmd.exe
PID 4464 wrote to memory of 816	4464	Install.exe	cmd.exe
PID 4464 wrote to memory of 816	4464	Install.exe	cmd.exe
PID 816 wrote to memory of 1384	816	cmd.exe	taskkill.exe
PID 816 wrote to memory of 1384	816	cmd.exe	taskkill.exe
PID 816 wrote to memory of 1384	816	cmd.exe	taskkill.exe
PID 2620 wrote to memory of 3604	2620	svchost.exe	Graphics.exe
PID 2620 wrote to memory of 3604	2620	svchost.exe	Graphics.exe
PID 2620 wrote to memory of 3604	2620	svchost.exe	Graphics.exe
PID 3604 wrote to memory of 1448	3604	Graphics.exe	cmd.exe
PID 3604 wrote to memory of 1448	3604	Graphics.exe	cmd.exe
PID 1448 wrote to memory of 8	1448	cmd.exe	Conhost.exe
PID 1448 wrote to memory of 8	1448	cmd.exe	Conhost.exe
PID 3604 wrote to memory of 3620	3604	Graphics.exe	csrss.exe
PID 3604 wrote to memory of 3620	3604	Graphics.exe	csrss.exe
PID 3604 wrote to memory of 3620	3604	Graphics.exe	csrss.exe
PID 2620 wrote to memory of 1828	2620	svchost.exe	schtasks.exe
PID 2620 wrote to memory of 1828	2620	svchost.exe	schtasks.exe
PID 3620 wrote to memory of 2240	3620	csrss.exe	injector.exe
PID 3620 wrote to memory of 2240	3620	csrss.exe	injector.exe
PID 3136 wrote to memory of 2296	3136	File.exe	GxBGbULnv2HKKjFKzb2yCdUX.exe
PID 3136 wrote to memory of 2296	3136	File.exe	GxBGbULnv2HKKjFKzb2yCdUX.exe
PID 3136 wrote to memory of 5092	3136	File.exe	OgZE2VfsOoQTPIepzjv1sq5t.exe
PID 3136 wrote to memory of 5092	3136	File.exe	OgZE2VfsOoQTPIepzjv1sq5t.exe
PID 3136 wrote to memory of 5092	3136	File.exe	OgZE2VfsOoQTPIepzjv1sq5t.exe
PID 3136 wrote to memory of 2352	3136	File.exe	PQyy65uQ2DGZPRR9AvncThVA.exe
PID 3136 wrote to memory of 2352	3136	File.exe	PQyy65uQ2DGZPRR9AvncThVA.exe
PID 3136 wrote to memory of 2352	3136	File.exe	PQyy65uQ2DGZPRR9AvncThVA.exe
PID 2352 wrote to memory of 1188	2352	PQyy65uQ2DGZPRR9AvncThVA.exe	ftp.exe
PID 2352 wrote to memory of 1188	2352	PQyy65uQ2DGZPRR9AvncThVA.exe	ftp.exe

C:\Users\Admin\AppData\Local\Temp\e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe
"C:\Users\Admin\AppData\Local\Temp\e4b23ebeb82594979325357ce20f14f70143d98ff49a9d5a2e6258fbfb33e555.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4080

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
"C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4360

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:256

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:492

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:8

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1828

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:2240

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:4784

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3136

C:\Users\Admin\Pictures\Adobe Films\GxBGbULnv2HKKjFKzb2yCdUX.exe
"C:\Users\Admin\Pictures\Adobe Films\GxBGbULnv2HKKjFKzb2yCdUX.exe"
3⤵
- Executes dropped EXE
PID:2296

C:\Users\Admin\Pictures\Adobe Films\OgZE2VfsOoQTPIepzjv1sq5t.exe
"C:\Users\Admin\Pictures\Adobe Films\OgZE2VfsOoQTPIepzjv1sq5t.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Users\Admin\Documents\82UvrhYHG4VrlCRQ02e4xFtR.exe
"C:\Users\Admin\Documents\82UvrhYHG4VrlCRQ02e4xFtR.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:1500

C:\Users\Admin\Pictures\Adobe Films\q_Zn4zeo8oS1q13rLxYQt2Mw.exe
"C:\Users\Admin\Pictures\Adobe Films\q_Zn4zeo8oS1q13rLxYQt2Mw.exe"
5⤵
- Executes dropped EXE
PID:220

C:\Users\Admin\Pictures\Adobe Films\CpFnX4ulaChAE_3zW1dgtudI.exe
"C:\Users\Admin\Pictures\Adobe Films\CpFnX4ulaChAE_3zW1dgtudI.exe"
5⤵
PID:2320

C:\Users\Admin\Pictures\Adobe Films\rbjw2euw5iQGEQrMaCzRESig.exe
"C:\Users\Admin\Pictures\Adobe Films\rbjw2euw5iQGEQrMaCzRESig.exe"
5⤵
PID:2380

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /Y .\HvoN.2wz
6⤵
PID:3572

C:\Users\Admin\Pictures\Adobe Films\mFlGl1KlnlsFbWWj_zybT6qO.exe
"C:\Users\Admin\Pictures\Adobe Films\mFlGl1KlnlsFbWWj_zybT6qO.exe"
5⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 336
6⤵
- Program crash
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 480
6⤵
- Program crash
PID:4688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 784
6⤵
- Program crash
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 816
6⤵
- Program crash
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 856
6⤵
- Program crash
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 796
6⤵
- Program crash
PID:3192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 840
6⤵
- Program crash
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1356
6⤵
- Program crash
PID:2304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "mFlGl1KlnlsFbWWj_zybT6qO.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\mFlGl1KlnlsFbWWj_zybT6qO.exe" & exit
6⤵
PID:4792

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "mFlGl1KlnlsFbWWj_zybT6qO.exe" /f
7⤵
- Kills process with taskkill
PID:1160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 720
6⤵
- Program crash
PID:4200

C:\Users\Admin\Pictures\Adobe Films\DWLjf8IKyva5r8alBgkILMPV.exe
"C:\Users\Admin\Pictures\Adobe Films\DWLjf8IKyva5r8alBgkILMPV.exe"
5⤵
PID:3808

C:\Windows\SysWOW64\ftp.exe
ftp -?
6⤵
PID:2848

C:\Users\Admin\Pictures\Adobe Films\0c3wthxCKe8xfJkf2VzWaHIh.exe
"C:\Users\Admin\Pictures\Adobe Films\0c3wthxCKe8xfJkf2VzWaHIh.exe"
5⤵
PID:2004

C:\Users\Admin\Pictures\Adobe Films\0c3wthxCKe8xfJkf2VzWaHIh.exe
"C:\Users\Admin\Pictures\Adobe Films\0c3wthxCKe8xfJkf2VzWaHIh.exe" -h
6⤵
PID:3820

C:\Users\Admin\Pictures\Adobe Films\U4DAKuVXAIOEER3aBb2mGlS4.exe
"C:\Users\Admin\Pictures\Adobe Films\U4DAKuVXAIOEER3aBb2mGlS4.exe"
5⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\7zSBD40.tmp\Install.exe
.\Install.exe
6⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\7zSCF51.tmp\Install.exe
.\Install.exe /S /site_id "525403"
7⤵
PID:3200

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
8⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
9⤵
PID:4308

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
10⤵
PID:4676

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
10⤵
PID:4636

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
8⤵
PID:1032

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
9⤵
PID:3508

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
10⤵
PID:4616

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
10⤵
PID:424

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gsDZSxSKG" /SC once /ST 00:18:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
8⤵
- Creates scheduled task(s)
PID:4712

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gsDZSxSKG"
8⤵
PID:4020

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2376

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 1788
3⤵
- Program crash
PID:5060

C:\Users\Admin\Pictures\Adobe Films\PQyy65uQ2DGZPRR9AvncThVA.exe
"C:\Users\Admin\Pictures\Adobe Films\PQyy65uQ2DGZPRR9AvncThVA.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\ftp.exe
ftp -?
4⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Esistenza.wbk
4⤵
PID:3484

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:4676

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
6⤵
- Enumerates processes with tasklist
PID:4312

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
6⤵
PID:4036

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
6⤵
- Enumerates processes with tasklist
PID:816

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
6⤵
PID:2040

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^VBNKEZcFuClIqCwDfZLYyYSgBIFmwizNsZNbuKFwcrNiUBFraGQiScYWImpWzVEYpvswOEbFzKCelLzZeCux$" Dattero.wbk
6⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Congiunto.exe.pif
Congiunto.exe.pif P
6⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
6⤵
- Runs ping.exe
PID:1220

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5092

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
PID:1904

C:\Users\Admin\AppData\Local\Temp\Details.exe
"C:\Users\Admin\AppData\Local\Temp\Details.exe"
2⤵
- Executes dropped EXE
PID:3488

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 604
3⤵
- Program crash
PID:2812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 872 -ip 872
1⤵
PID:4960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3136 -ip 3136
1⤵
PID:2552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1528 -ip 1528
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1528 -ip 1528
1⤵
PID:1320

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 608
2⤵
- Program crash
PID:4400

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2952 -ip 2952
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1528 -ip 1528
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1528 -ip 1528
1⤵
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1528 -ip 1528
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1528 -ip 1528
1⤵
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1528 -ip 1528
1⤵
PID:4116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1528 -ip 1528
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1528 -ip 1528
1⤵
PID:2892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
d87e44d46978b582734dff56d2f6c642

SHA1
245f46a957b6302e55e97e5d74abc6ec7338e21e

SHA256
730421c9ff1d63c5e33217e6c276c45f2623938d4a3727b9ded2657934191e72

SHA512
f4151fce654a15ed7848254cadaf0cbfe67dd7caf5ebe51615f2615760a456a0b1a12632c0e3c4ad080f7b427088e3e9b64469c4aa7f1786e8b97ac324fd05c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
d46ea0bc2b417db23d38987713267d79

SHA1
db79410c7beb595f7104a8206952edd25d949c20

SHA256
b346426baae1d98bb4e412a0d5ae6c926a26b4277ed5e8455cc4d39b901845f0

SHA512
7fb0c6a90b9a77a33925cebe4343b6d36d5e468bcd1c2f051c0cd31737490e1a95a13aec5594c4a0aa1256ebe3b42a7d83fcf712ad42bbcdff4763fd20cf1312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
408B

MD5
410ce266879986cb6422653343f65425

SHA1
46c66587b5b1ccefeffabcfbba2913e40d34cc56

SHA256
2d026e03fda7685350605aefbe89d3d7b2823fda7ce1ba0b28175565b24e4c6c

SHA512
570ae4d8bf59ddeb63c61eff7f7e2643ef34b6be20fa032335f0fd5d9c3f7e86f361da014b109251922d63e46ee04b87b453913cac5cba69de7bdac8ffe69476

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBD40.tmp\Install.exe
Filesize
6.1MB

MD5
64cacdf5de4c9e50add38fd30bcbef24

SHA1
a695317e247b11efa3727dfc15ef39211f3505fa

SHA256
cb80553b43c1ad7accbec9ec793838869a171d8cce06d0f26178a0ff3a74c8b8

SHA512
d273c2a9e81a9901e0b0c8522d11b0d0246fd7f3c6f52b7bb8ba3d9faf4d9bdf5160651ae6b848ffc90b2bb171bcc8a76709f19ce1b79c31dbf9b84baf562a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBD40.tmp\Install.exe
Filesize
6.1MB

MD5
64cacdf5de4c9e50add38fd30bcbef24

SHA1
a695317e247b11efa3727dfc15ef39211f3505fa

SHA256
cb80553b43c1ad7accbec9ec793838869a171d8cce06d0f26178a0ff3a74c8b8

SHA512
d273c2a9e81a9901e0b0c8522d11b0d0246fd7f3c6f52b7bb8ba3d9faf4d9bdf5160651ae6b848ffc90b2bb171bcc8a76709f19ce1b79c31dbf9b84baf562a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Details.exe
Filesize
224KB

MD5
913fcca8aa37351d548fcb1ef3af9f10

SHA1
8955832408079abc33723d48135f792c9930b598

SHA256
2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9

SHA512
0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Details.exe
Filesize
224KB

MD5
913fcca8aa37351d548fcb1ef3af9f10

SHA1
8955832408079abc33723d48135f792c9930b598

SHA256
2f59e661904f9a4c62123f024eb7968cdc234f826bab077914ad8896ebf001c9

SHA512
0283e875dfbc7b04eb5ce5a82e66fb99e945626ed7e2ed4f2bc90e54e4ef99c065e2f98464f0aec24c921bae020ff3a6f1b3a01bfd8bdcea8459113670519c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
426KB

MD5
ece476206e52016ed4e0553d05b05160

SHA1
baa0dc4ed3e9d63384961ad9a1e7b43e8681a3c5

SHA256
ebc2784e2648e4ff72f48a6251ff28eee69003c8bd4ab604f5b43553a4140f4b

SHA512
2b51d406c684a21ad4d53d8f6c18cbc774cf4eacae94f48868e7ac64db1878792840fc3eea9bb27f47849b85382604492400e60b0f9536cf93ca78d7be7c3b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
Filesize
1.3MB

MD5
37db6db82813ddc8eeb42c58553da2de

SHA1
9425c1937873bb86beb57021ed5e315f516a2bed

SHA256
65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

SHA512
0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
Filesize
1.3MB

MD5
37db6db82813ddc8eeb42c58553da2de

SHA1
9425c1937873bb86beb57021ed5e315f516a2bed

SHA256
65302460bbdccb8268bc6c23434bcd7d710d0e800fe11d87a1597fdedfc2a9c7

SHA512
0658f3b15a4084ae292a6c0640f4e88fe095a2b2471633ca97c78998ee664631156e9cea1bee3d5ac5428ca600c52495437468770fbda6143e11651e797298c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
Filesize
153KB

MD5
849b899acdc4478c116340b86683a493

SHA1
e43f78a9b9b884e4230d009fafceb46711125534

SHA256
5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

SHA512
bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FoxSBrowser.exe
Filesize
153KB

MD5
849b899acdc4478c116340b86683a493

SHA1
e43f78a9b9b884e4230d009fafceb46711125534

SHA256
5f5eed76da09dc92090a6501de1f2a6cc7fb0c92e32053163b28f380f3b06631

SHA512
bdff9dbac1de6e1af7807a233c4e8c36ae8c45e0b277d78b636124b6ffe0df6ed16c78f2f3222eeb383501b2f3eec90c8736da540017b8b35592fa49eb3f720c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Aspettavo.wbk
Filesize
1.2MB

MD5
24aaea9dc591e115bc9c7c4458319893

SHA1
5c4d2a94454eddfdf13e343d8ac0577a6c5a64a1

SHA256
9089784acede92f102d559b37ea5b414915bedaadcf9a3298042d874a36996fd

SHA512
5e45bc701091f03d0227807eaded3c6b9d9d4d7661f06259323e3706c468e52c3ad675de30ba89c54eded1b7ef2063f9b2c1553c86008c6408d421309046291f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Congiunto.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Congiunto.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Dattero.wbk
Filesize
924KB

MD5
6e5e76c8fc8ca8d6f5980a32bfbe4946

SHA1
f056244b3c42cff6fbd07678aafe988567cc1f0d

SHA256
d4795556443a71f653e3d811bdf00ae07a8ca3936d2eb0e6ac776c6aecbb1e0c

SHA512
7ed05fb388c9ce5973d268ef6c68a239c7e7b7b893459bbe2a8fe58722dbc20129e9fd5477869c59a44755c6b1ae6755ad717c6a3b64d03dd903b43c11e50041

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Esistenza.wbk
Filesize
8KB

MD5
e0499c0ffea9d65dd93c48396aaf48eb

SHA1
a8872f6c50d8fd31b8d80317a80178e0ce2d5495

SHA256
91f70d7c2d6ada3d6af02fc65688562dfba33f270f7b11f4b9e98892d18e9d4e

SHA512
92d4cf1c75bdc1b02516999fcbe3acc89acfd981e9b3d005626304ddf884c522b366d9389563e1c183e8c564245e40fa2460438be89ac9a2ae7e97be30449f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
Filesize
1.4MB

MD5
deeb8730435a83cb41ca5679429cb235

SHA1
c4eb99a6c3310e9b36c31b9572d57a210985b67d

SHA256
002f4696f089281a8c82f3156063cee84249d1715055e721a47618f2efecf150

SHA512
4235fa18fcc183ef02a1832790af466f7fdeda69435ebc561cb11209e049e890917b2c72be38fa8e1039493ae20fdbbe93776895b27a021d498f81d3e00c7379

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
Filesize
359KB

MD5
3d09b651baa310515bb5df3c04506961

SHA1
e1e1cff9e8a5d4093dbdabb0b83c886601141575

SHA256
2599fed90469c6c2250883f90d1c9d20fe41755b9da670a306a884797dbd7df6

SHA512
8f8499c73297be7c1743361dfcb352a3ce93aca4e81c0355f1814f9eedf92d22b40104d32eb4dbd776ccc9051613eee9b8ff57178c6240a787815e0dc8dc6889

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
Filesize
552KB

MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
Filesize
2.1MB

MD5
3b3d48102a0d45a941f98d8aabe2dc43

SHA1
0dae4fd9d74f24452b2544e0f166bf7db2365240

SHA256
f4fdf9842d2221eb8910e6829b8467d867e346b7f73e2c3040f16eb77630b8f0

SHA512
65ae273b5ea434b268bbd8d38fe325cf62ed3316950796fa90defbc8a74c55fba0a99100f2ae674206335a08e8ea827d01eeccf26adf84ebfeebb0f17cfb7ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
Filesize
167KB

MD5
f07ac9ecb112c1dd62ac600b76426bd3

SHA1
8ee61d9296b28f20ad8e2dca8332ee60735f3398

SHA256
28859fa0e72a262e2479b3023e17ee46e914001d7f97c0673280a1473b07a8c0

SHA512
777139fd57082b928438b42f070b3d5e22c341657c5450158809f5a1e3db4abded2b566d0333457a6df012a4bbe3296b31f1caa05ff6f8bd48bfd705b0d30524

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
Filesize
285KB

MD5
f9d940ab072678a0226ea5e6bd98ebfa

SHA1
853c784c330cbf88ab4f5f21d23fa259027c2079

SHA256
0be77f05a9c4d30f2ec4f5636179f0e2f85e3f5441f5854a0872de4f63aceffd

SHA512
6766488893d9975ce44e1cdba427f0e65adba47dec26f6d16708be4efeb7f431da9a76647e8ec2ecd00bfb8d5d7e37c5a168b9de3cca45cc8c9b144bc650a1ef

Download Submit
C:\Users\Admin\Documents\82UvrhYHG4VrlCRQ02e4xFtR.exe
Filesize
232KB

MD5
5546c1ab6768292b78c746d9ea627f4a

SHA1
be3bf3f21b6101099bcfd7203a179829aea4b435

SHA256
93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

SHA512
90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

Download Submit
C:\Users\Admin\Documents\82UvrhYHG4VrlCRQ02e4xFtR.exe
Filesize
232KB

MD5
5546c1ab6768292b78c746d9ea627f4a

SHA1
be3bf3f21b6101099bcfd7203a179829aea4b435

SHA256
93708ec7bc1f9f7581cc2e1310a46000ad38128e19eb1e92db88e59d425b3e15

SHA512
90d341f42f80c99558b9659e6cc39f7211acaf4010234c51f7cc66d729102f25b50bf29688ee29b8a4031b4f35d4666617a278ba1754c96c26aa6759027f601f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0c3wthxCKe8xfJkf2VzWaHIh.exe
Filesize
308KB

MD5
06233dd15d171ae5dbee1e82766faf17

SHA1
355f7f80e6acaa4b8906f12ea6992895126fe830

SHA256
e5506029470ae02a111b175e59122bfc9ba622c4924d97d06719054d22e29ac8

SHA512
f518a243f0d429e300ff209027551f20ffbe32751ed213213438b6b96bf858cc20e0b9eb78eb333022edb82742b27d33dc5970141e313475beb4a88e69148930

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0c3wthxCKe8xfJkf2VzWaHIh.exe
Filesize
308KB

MD5
06233dd15d171ae5dbee1e82766faf17

SHA1
355f7f80e6acaa4b8906f12ea6992895126fe830

SHA256
e5506029470ae02a111b175e59122bfc9ba622c4924d97d06719054d22e29ac8

SHA512
f518a243f0d429e300ff209027551f20ffbe32751ed213213438b6b96bf858cc20e0b9eb78eb333022edb82742b27d33dc5970141e313475beb4a88e69148930

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0c3wthxCKe8xfJkf2VzWaHIh.exe
Filesize
308KB

MD5
06233dd15d171ae5dbee1e82766faf17

SHA1
355f7f80e6acaa4b8906f12ea6992895126fe830

SHA256
e5506029470ae02a111b175e59122bfc9ba622c4924d97d06719054d22e29ac8

SHA512
f518a243f0d429e300ff209027551f20ffbe32751ed213213438b6b96bf858cc20e0b9eb78eb333022edb82742b27d33dc5970141e313475beb4a88e69148930

Download Submit
C:\Users\Admin\Pictures\Adobe Films\CpFnX4ulaChAE_3zW1dgtudI.exe
Filesize
668KB

MD5
10e4443ce2353752f039def6d498551d

SHA1
299fe4fe32de52b52371c88a9b58fb9493c4b2b2

SHA256
e6519b812c285d6ad48df92a70e235a28ee05d7c87e3b6dd8d4f1a29a9b77856

SHA512
57a3ee519b53c5ba93638b885d1cc519c601f99913044650c3ec4926df323b9379b06e57f8103582288776dee10532a4e25b6ce024995d20822c6b2784b8add6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\CpFnX4ulaChAE_3zW1dgtudI.exe
Filesize
668KB

MD5
10e4443ce2353752f039def6d498551d

SHA1
299fe4fe32de52b52371c88a9b58fb9493c4b2b2

SHA256
e6519b812c285d6ad48df92a70e235a28ee05d7c87e3b6dd8d4f1a29a9b77856

SHA512
57a3ee519b53c5ba93638b885d1cc519c601f99913044650c3ec4926df323b9379b06e57f8103582288776dee10532a4e25b6ce024995d20822c6b2784b8add6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\DWLjf8IKyva5r8alBgkILMPV.exe
Filesize
970KB

MD5
f29fe566b8797d64ac411332c46012f5

SHA1
4a443134a6f354c063dafcbf83a09b81c164be9f

SHA256
025263cde993621dab74b48373910273a8e770930b6e564068377b73a41ac0ab

SHA512
90cd8d3132d4c483c47d0bfdc4d9cc3b44b4f096720ef624f01c8811dc52bc77040b063fa7a2df9819b3d493815d9d39578fdb57d88baf42210eede99f284619

Download Submit
C:\Users\Admin\Pictures\Adobe Films\DWLjf8IKyva5r8alBgkILMPV.exe
Filesize
970KB

MD5
f29fe566b8797d64ac411332c46012f5

SHA1
4a443134a6f354c063dafcbf83a09b81c164be9f

SHA256
025263cde993621dab74b48373910273a8e770930b6e564068377b73a41ac0ab

SHA512
90cd8d3132d4c483c47d0bfdc4d9cc3b44b4f096720ef624f01c8811dc52bc77040b063fa7a2df9819b3d493815d9d39578fdb57d88baf42210eede99f284619

Download Submit
C:\Users\Admin\Pictures\Adobe Films\GxBGbULnv2HKKjFKzb2yCdUX.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\GxBGbULnv2HKKjFKzb2yCdUX.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\OgZE2VfsOoQTPIepzjv1sq5t.exe
Filesize
385KB

MD5
45abb1bedf83daf1f2ebbac86e2fa151

SHA1
7d9ccba675478ab65707a28fd277a189450fc477

SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

SHA512
6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\OgZE2VfsOoQTPIepzjv1sq5t.exe
Filesize
385KB

MD5
45abb1bedf83daf1f2ebbac86e2fa151

SHA1
7d9ccba675478ab65707a28fd277a189450fc477

SHA256
611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f

SHA512
6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\PQyy65uQ2DGZPRR9AvncThVA.exe
Filesize
970KB

MD5
f29fe566b8797d64ac411332c46012f5

SHA1
4a443134a6f354c063dafcbf83a09b81c164be9f

SHA256
025263cde993621dab74b48373910273a8e770930b6e564068377b73a41ac0ab

SHA512
90cd8d3132d4c483c47d0bfdc4d9cc3b44b4f096720ef624f01c8811dc52bc77040b063fa7a2df9819b3d493815d9d39578fdb57d88baf42210eede99f284619

Download Submit
C:\Users\Admin\Pictures\Adobe Films\PQyy65uQ2DGZPRR9AvncThVA.exe
Filesize
970KB

MD5
f29fe566b8797d64ac411332c46012f5

SHA1
4a443134a6f354c063dafcbf83a09b81c164be9f

SHA256
025263cde993621dab74b48373910273a8e770930b6e564068377b73a41ac0ab

SHA512
90cd8d3132d4c483c47d0bfdc4d9cc3b44b4f096720ef624f01c8811dc52bc77040b063fa7a2df9819b3d493815d9d39578fdb57d88baf42210eede99f284619

Download Submit
C:\Users\Admin\Pictures\Adobe Films\U4DAKuVXAIOEER3aBb2mGlS4.exe
Filesize
7.2MB

MD5
4d152e7cf521bc1636c8cead609f4701

SHA1
c40a4e1425b6a611d050ee6d90c4b49b958f7f41

SHA256
2a6577b58b2ddba3032aa40adfa69876d3f1277917cb0a86ae63343bfe09c29e

SHA512
700a13286993214ba7e723a11a9a5f46bdfcaf109620d1130fa39d7bd3740b8c80b638095d0a53cc5f2fcbe07643e062c3737eab6b1b898fa99216ab4568f5ad

Download Submit
C:\Users\Admin\Pictures\Adobe Films\U4DAKuVXAIOEER3aBb2mGlS4.exe
Filesize
7.2MB

MD5
4d152e7cf521bc1636c8cead609f4701

SHA1
c40a4e1425b6a611d050ee6d90c4b49b958f7f41

SHA256
2a6577b58b2ddba3032aa40adfa69876d3f1277917cb0a86ae63343bfe09c29e

SHA512
700a13286993214ba7e723a11a9a5f46bdfcaf109620d1130fa39d7bd3740b8c80b638095d0a53cc5f2fcbe07643e062c3737eab6b1b898fa99216ab4568f5ad

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mFlGl1KlnlsFbWWj_zybT6qO.exe
Filesize
418KB

MD5
b2016c0a7970f307d99f7d135485b739

SHA1
6881de22e977fc59102e159e494a40c1edc39a58

SHA256
2c2296cab4065e250f37b7400074545bcd9c96312a81fdcd6e11c124937ba27f

SHA512
b3d9fe9b2091151af08dcf9e6c9299606aa6e97459893d2739068871e9c42f538015e5c0ca5bfc3ab028234ae34e6ef1b4ab92fd6b2d07995e50a2a1f766b198

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mFlGl1KlnlsFbWWj_zybT6qO.exe
Filesize
418KB

MD5
b2016c0a7970f307d99f7d135485b739

SHA1
6881de22e977fc59102e159e494a40c1edc39a58

SHA256
2c2296cab4065e250f37b7400074545bcd9c96312a81fdcd6e11c124937ba27f

SHA512
b3d9fe9b2091151af08dcf9e6c9299606aa6e97459893d2739068871e9c42f538015e5c0ca5bfc3ab028234ae34e6ef1b4ab92fd6b2d07995e50a2a1f766b198

Download Submit
C:\Users\Admin\Pictures\Adobe Films\q_Zn4zeo8oS1q13rLxYQt2Mw.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\q_Zn4zeo8oS1q13rLxYQt2Mw.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rbjw2euw5iQGEQrMaCzRESig.exe
Filesize
2.0MB

MD5
5f1f901d7c1772f877d42efc4d4a5166

SHA1
602ee01c07bed44c6d70d2eee15ca3c47e79cfbb

SHA256
0e7b47b7755ae9acc94743d2fd0af6631532dcc0ee258b1299b16a8e0ad9d1a4

SHA512
01601ce8d584e3a365656e696839f9d0399bec14ebf8eaaf04ba17a9f86fb69e2d1e485f2ddb222a736d9f70953c5285d65dcb50966f81c0c29f3b57d9709200

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rbjw2euw5iQGEQrMaCzRESig.exe
Filesize
2.0MB

MD5
5f1f901d7c1772f877d42efc4d4a5166

SHA1
602ee01c07bed44c6d70d2eee15ca3c47e79cfbb

SHA256
0e7b47b7755ae9acc94743d2fd0af6631532dcc0ee258b1299b16a8e0ad9d1a4

SHA512
01601ce8d584e3a365656e696839f9d0399bec14ebf8eaaf04ba17a9f86fb69e2d1e485f2ddb222a736d9f70953c5285d65dcb50966f81c0c29f3b57d9709200

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
C:\Windows\rss\csrss.exe
Filesize
4.5MB

MD5
7c20b40b1abca9c0c50111529f4a06fa

SHA1
5a367dbc0473e6f9f412fe52d219525a5ff0d8d2

SHA256
5caae6f11abc0a10481f56f9e598f98332b6144e24bf6efa67b63becc7debd36

SHA512
f1afdb5d0c396e4929dfc22f205079cdbea2eccbd19c90c20cc87990c0cb11f29f392eb62e9218341965c4358e79b5d7f8ee216eba915f712a6d3578e1818473

Download Submit
memory/8-290-0x0000000000000000-mapping.dmp

Download
memory/220-377-0x0000000000000000-mapping.dmp

Download
memory/256-145-0x0000000000000000-mapping.dmp

Download
memory/424-425-0x0000000000000000-mapping.dmp

Download
memory/492-231-0x00000000038C0000-0x00000000041DE000-memory.dmp

Filesize
9.1MB

Download
memory/492-234-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/492-230-0x000000000347B000-0x00000000038B6000-memory.dmp

Filesize
4.2MB

Download
memory/492-139-0x0000000000000000-mapping.dmp

Download
memory/816-372-0x0000000000000000-mapping.dmp

Download
memory/816-168-0x0000000000000000-mapping.dmp

Download
memory/872-164-0x0000000000000000-mapping.dmp

Download
memory/1032-420-0x0000000000000000-mapping.dmp

Download
memory/1160-433-0x0000000000000000-mapping.dmp

Download
memory/1188-359-0x0000000000000000-mapping.dmp

Download
memory/1220-385-0x0000000000000000-mapping.dmp

Download
memory/1384-169-0x0000000000000000-mapping.dmp

Download
memory/1448-289-0x0000000000000000-mapping.dmp

Download
memory/1500-373-0x0000000003690000-0x0000000003850000-memory.dmp

Filesize
1.8MB

Download
memory/1500-363-0x0000000000000000-mapping.dmp

Download
memory/1528-390-0x0000000000000000-mapping.dmp

Download
memory/1528-432-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1528-431-0x0000000000800000-0x000000000083F000-memory.dmp

Filesize
252KB

Download
memory/1528-430-0x00000000004F8000-0x000000000051E000-memory.dmp

Filesize
152KB

Download
memory/1828-340-0x0000000000000000-mapping.dmp

Download
memory/1904-157-0x0000000000000000-mapping.dmp

Download
memory/1948-375-0x0000000000000000-mapping.dmp

Download
memory/2004-399-0x0000000000000000-mapping.dmp

Download
memory/2040-374-0x0000000000000000-mapping.dmp

Download
memory/2240-346-0x0000000000000000-mapping.dmp

Download
memory/2296-350-0x0000000000000000-mapping.dmp

Download
memory/2320-388-0x0000000000000000-mapping.dmp

Download
memory/2352-356-0x0000000000000000-mapping.dmp

Download
memory/2376-366-0x0000000000000000-mapping.dmp

Download
memory/2380-391-0x0000000000000000-mapping.dmp

Download
memory/2844-367-0x0000000000000000-mapping.dmp

Download
memory/2848-406-0x0000000000000000-mapping.dmp

Download
memory/2952-415-0x0000000000000000-mapping.dmp

Download
memory/3044-345-0x0000000002600000-0x0000000002615000-memory.dmp

Filesize
84KB

Download
memory/3136-349-0x0000000003460000-0x0000000003620000-memory.dmp

Filesize
1.8MB

Download
memory/3136-151-0x0000000000000000-mapping.dmp

Download
memory/3200-412-0x0000000000000000-mapping.dmp

Download
memory/3312-258-0x0000000005310000-0x0000000005318000-memory.dmp

Filesize
32KB

Download
memory/3312-232-0x0000000005330000-0x0000000005338000-memory.dmp

Filesize
32KB

Download
memory/3312-170-0x0000000004830000-0x0000000004840000-memory.dmp

Filesize
64KB

Download
memory/3312-191-0x0000000005630000-0x0000000005638000-memory.dmp

Filesize
32KB

Download
memory/3312-176-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/3312-392-0x0000000000000000-mapping.dmp

Download
memory/3312-334-0x0000000000090000-0x000000000063C000-memory.dmp

Filesize
5.7MB

Download
memory/3312-187-0x0000000005430000-0x0000000005438000-memory.dmp

Filesize
32KB

Download
memory/3312-262-0x0000000005330000-0x0000000005338000-memory.dmp

Filesize
32KB

Download
memory/3312-261-0x0000000005330000-0x0000000005338000-memory.dmp

Filesize
32KB

Download
memory/3312-260-0x0000000005C00000-0x0000000005C08000-memory.dmp

Filesize
32KB

Download
memory/3312-259-0x0000000005330000-0x0000000005338000-memory.dmp

Filesize
32KB

Download
memory/3312-190-0x00000000054F0000-0x00000000054F8000-memory.dmp

Filesize
32KB

Download
memory/3312-130-0x0000000000000000-mapping.dmp

Download
memory/3312-189-0x0000000005450000-0x0000000005458000-memory.dmp

Filesize
32KB

Download
memory/3312-227-0x0000000005330000-0x0000000005338000-memory.dmp

Filesize
32KB

Download
memory/3312-226-0x0000000005330000-0x0000000005338000-memory.dmp

Filesize
32KB

Download
memory/3312-225-0x0000000005310000-0x0000000005318000-memory.dmp

Filesize
32KB

Download
memory/3312-200-0x0000000005670000-0x0000000005678000-memory.dmp

Filesize
32KB

Download
memory/3312-199-0x0000000005450000-0x0000000005458000-memory.dmp

Filesize
32KB

Download
memory/3312-198-0x0000000005670000-0x0000000005678000-memory.dmp

Filesize
32KB

Download
memory/3312-197-0x0000000005450000-0x0000000005458000-memory.dmp

Filesize
32KB

Download
memory/3312-196-0x0000000005670000-0x0000000005678000-memory.dmp

Filesize
32KB

Download
memory/3312-195-0x0000000005800000-0x0000000005808000-memory.dmp

Filesize
32KB

Download
memory/3312-194-0x0000000005900000-0x0000000005908000-memory.dmp

Filesize
32KB

Download
memory/3312-192-0x0000000005650000-0x0000000005658000-memory.dmp

Filesize
32KB

Download
memory/3484-360-0x0000000000000000-mapping.dmp

Download
memory/3488-343-0x0000000000610000-0x0000000000640000-memory.dmp

Filesize
192KB

Download
memory/3488-160-0x0000000000000000-mapping.dmp

Download
memory/3488-342-0x000000000088E000-0x00000000008AA000-memory.dmp

Filesize
112KB

Download
memory/3488-344-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/3500-382-0x0000000000000000-mapping.dmp

Download
memory/3508-422-0x0000000000000000-mapping.dmp

Download
memory/3572-438-0x000000002D790000-0x000000002D89A000-memory.dmp

Filesize
1.0MB

Download
memory/3572-413-0x0000000000000000-mapping.dmp

Download
memory/3572-439-0x000000002D960000-0x000000002DA1C000-memory.dmp

Filesize
752KB

Download
memory/3604-308-0x00000000034E6000-0x0000000003921000-memory.dmp

Filesize
4.2MB

Download
memory/3604-228-0x0000000000000000-mapping.dmp

Download
memory/3604-309-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/3620-341-0x0000000000400000-0x0000000002FBF000-memory.dmp

Filesize
43.7MB

Download
memory/3620-339-0x0000000003A00000-0x0000000003E3B000-memory.dmp

Filesize
4.2MB

Download
memory/3620-305-0x0000000000000000-mapping.dmp

Download
memory/3808-389-0x0000000000000000-mapping.dmp

Download
memory/3820-407-0x0000000000000000-mapping.dmp

Download
memory/4020-428-0x0000000000000000-mapping.dmp

Download
memory/4036-371-0x0000000000000000-mapping.dmp

Download
memory/4104-419-0x0000000000000000-mapping.dmp

Download
memory/4168-133-0x0000000000000000-mapping.dmp

Download
memory/4168-140-0x00000000005C0000-0x00000000005EE000-memory.dmp

Filesize
184KB

Download
memory/4168-335-0x00007FF85CC70000-0x00007FF85D731000-memory.dmp

Filesize
10.8MB

Download
memory/4308-421-0x0000000000000000-mapping.dmp

Download
memory/4312-370-0x0000000000000000-mapping.dmp

Download
memory/4360-136-0x0000000000000000-mapping.dmp

Download
memory/4464-148-0x0000000000000000-mapping.dmp

Download
memory/4616-423-0x0000000000000000-mapping.dmp

Download
memory/4636-426-0x0000000000000000-mapping.dmp

Download
memory/4676-362-0x0000000000000000-mapping.dmp

Download
memory/4676-424-0x0000000000000000-mapping.dmp

Download
memory/4712-427-0x0000000000000000-mapping.dmp

Download
memory/4784-183-0x0000000007DA0000-0x0000000007DB2000-memory.dmp

Filesize
72KB

Download
memory/4784-193-0x0000000007ED0000-0x0000000007F0C000-memory.dmp

Filesize
240KB

Download
memory/4784-180-0x0000000007720000-0x0000000007D38000-memory.dmp

Filesize
6.1MB

Download
memory/4784-143-0x0000000000000000-mapping.dmp

Download
memory/4784-167-0x0000000007170000-0x0000000007714000-memory.dmp

Filesize
5.6MB

Download
memory/4784-338-0x0000000000400000-0x0000000002BA2000-memory.dmp

Filesize
39.6MB

Download
memory/4784-185-0x0000000007DC0000-0x0000000007ECA000-memory.dmp

Filesize
1.0MB

Download
memory/4784-336-0x0000000002EF3000-0x0000000002F16000-memory.dmp

Filesize
140KB

Download
memory/4784-337-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/4792-429-0x0000000000000000-mapping.dmp

Download
memory/4864-409-0x0000000000000000-mapping.dmp

Download
memory/5092-186-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/5092-184-0x0000000002D27000-0x0000000002D38000-memory.dmp

Filesize
68KB

Download
memory/5092-188-0x0000000000400000-0x0000000002B8F000-memory.dmp

Filesize
39.6MB

Download
memory/5092-154-0x0000000000000000-mapping.dmp

Download
memory/5092-353-0x0000000000000000-mapping.dmp

Download