amadey | d89ce263da944a5607588cc024c074a003cf14d01d2952b84a6905e1b27c8880

Analysis

max time kernel
121s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d89ce263da944a5607588cc024c074a003cf14d01d2952b84a6905e1b27c8880.exe
Size

387KB
MD5

6e1907b94df73ddfb6ae79e722e8617d
SHA1

7aa04e27de5333d83e1f74dac2cdac28ba98bfe4
SHA256

d89ce263da944a5607588cc024c074a003cf14d01d2952b84a6905e1b27c8880
SHA512

3785eae1bfb7dce26bc42a725b422f2972106a8cb3ddfc227d35574461883e418b9fb194f8c632b9371204529b3caa940182f5b39ae064e24af71d304c4d0c22
SSDEEP

12288:lMrvy90pFAfy5Ofq5yQnD5czR1Mx9nI0nFOIwpM:WyGAozndYMxxLYIwpM

Score

10^/10

amadey aurora redline vidar 0759a1598875e73a9bab8e688f841ca2 discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

3.70

212.113.119.255/joomla/index.php

Extracted

Family

aurora

94.142.138.215:8081

Extracted

Family

redline

enentyllar.shop:80

Attributes

auth_value
afbea393ecce82b85f2ffac7867fcac7

Extracted

Family

vidar

Version

3.6

Botnet

0759a1598875e73a9bab8e688f841ca2

https://steamcommunity.com/profiles/76561199499188534

https://t.me/nutalse

Attributes

profile_id_v2
0759a1598875e73a9bab8e688f841ca2
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

o7528548.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o7528548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o7528548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o7528548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o7528548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o7528548.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	o7528548.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

vpn.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ vpn.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vpn.exe

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000040001\v123.exe	net_reactor
C:\Users\Admin\AppData\Local\Temp\1000040001\v123.exe	net_reactor
C:\Users\Admin\AppData\Local\Temp\1000040001\v123.exe	net_reactor
behavioral1/memory/2020-215-0x000001CEDB7F0000-0x000001CEDB97E000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vpn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vpn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vpn.exe

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

oneetx.exeNfjyejcuamv.exebuild(3).exebuild(3).exebuild(3).exeBondage.exe.pif00480195771118345556.exes9792891.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	oneetx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	Nfjyejcuamv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	build(3).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	build(3).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	build(3).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	Bondage.exe.pif
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	00480195771118345556.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	s9792891.exe

Executes dropped EXE 28 IoCs

Processes:

z2944142.exeo7528548.exer9229141.exes9792891.exeoneetx.exev123.exeNfjyejcuamv.exevpn.exebuild(3).exeoneetx.exevidars.exebuild(3).exevidars.exetor.exeggggg%20%281%29.exe77777.exeohhkarayelpayroll.exeEngine.exeBondage.exe.pifoneetx.exebuild(3).exetor.exeBondage.exe.pif95150707970672781154.exe00480195771118345556.exe03445428957698054908.exe55263378503195473341.exe00427777806287218761.exe

pid	process
3904	z2944142.exe
4944	o7528548.exe
696	r9229141.exe
2140	s9792891.exe
3708	oneetx.exe
2020	v123.exe
1628	Nfjyejcuamv.exe
1496	vpn.exe
4848	build(3).exe
1096	oneetx.exe
628	vidars.exe
4912	build(3).exe
3716	vidars.exe
1624	tor.exe
4784	ggggg%20%281%29.exe
1760	77777.exe
1148	ohhkarayelpayroll.exe
4964	Engine.exe
4208	Bondage.exe.pif
1644	oneetx.exe
4016	build(3).exe
1496	tor.exe
548	Bondage.exe.pif
4124	95150707970672781154.exe
3596	00480195771118345556.exe
3696	03445428957698054908.exe
3912	55263378503195473341.exe
596	00427777806287218761.exe

Loads dropped DLL 7 IoCs

Processes:

AddInProcess32.exeAddInProcess32.exerundll32.exeBondage.exe.pif

pid	process
3268	AddInProcess32.exe
3268	AddInProcess32.exe
2084	AddInProcess32.exe
2084	AddInProcess32.exe
4604	rundll32.exe
548	Bondage.exe.pif
548	Bondage.exe.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

o7528548.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" o7528548.exe
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	o7528548.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

z2944142.exeNfjyejcuamv.exe03445428957698054908.exed89ce263da944a5607588cc024c074a003cf14d01d2952b84a6905e1b27c8880.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2944142.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ccucwfitu = "\"C:\\Users\\Admin\\AppData\\Roaming\\Falxxqr\\Ccucwfitu.exe\""	Nfjyejcuamv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asdfasdlkfjsdkfasdfnkjlsadnfsadf = "C:\\Users\\Admin\\AppData\\Roaming\\asdfasdlkfjsdkfasdfnkjlsadnfsadf\\asdfasdlkfjsdkfasdfnkjlsadnfsadf.exe"	03445428957698054908.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d89ce263da944a5607588cc024c074a003cf14d01d2952b84a6905e1b27c8880.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d89ce263da944a5607588cc024c074a003cf14d01d2952b84a6905e1b27c8880.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z2944142.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

vpn.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA vpn.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

43 ip-api.com
131 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

vpn.exe

pid process

1496 vpn.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vpn.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

flow	ioc
43	ip-api.com
131	ip-api.com

pid	process
1496	vpn.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

v123.exevidars.exevidars.exeNfjyejcuamv.exeBondage.exe.pif

description	pid	process	target process
PID 2020 set thread context of 3976	2020	v123.exe	jsc.exe
PID 628 set thread context of 3268	628	vidars.exe	AddInProcess32.exe
PID 3716 set thread context of 2084	3716	vidars.exe	AddInProcess32.exe
PID 1628 set thread context of 1572	1628	Nfjyejcuamv.exe	InstallUtil.exe
PID 4208 set thread context of 548	4208	Bondage.exe.pif	Bondage.exe.pif

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1328 4016 WerFault.exe build(3).exe

pid	pid_target	process	target process
1328	4016	WerFault.exe	build(3).exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AddInProcess32.exesvchost.exeBondage.exe.pif00427777806287218761.exeAddInProcess32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Bondage.exe.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	00427777806287218761.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AddInProcess32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Bondage.exe.pif
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	00427777806287218761.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

528 schtasks.exe
864 schtasks.exe
4120 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

2480 timeout.exe
960 timeout.exe
528 timeout.exe

pid	process
528	schtasks.exe
864	schtasks.exe
4120	schtasks.exe

pid	process
2480	timeout.exe
960	timeout.exe
528	timeout.exe

Modifies registry class 2 IoCs

Processes:

svchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2548970870-3691742953-3895070203-1000\{F91F91EA-BBB8-4CA2-B47C-260892F3F4C0}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2548970870-3691742953-3895070203-1000\{77CCD11F-07AB-4A2A-994A-E3C916598CEB}	svchost.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1328 PING.EXE
1184 PING.EXE

pid	process
1328	PING.EXE
1184	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

o7528548.exer9229141.exevpn.exepowershell.exev123.exevidars.exevidars.exejsc.exe

pid	process
4944	o7528548.exe
4944	o7528548.exe
696	r9229141.exe
696	r9229141.exe
1496	vpn.exe
1496	vpn.exe
2212	powershell.exe
2020	v123.exe
2020	v123.exe
2020	v123.exe
2020	v123.exe
2020	v123.exe
2020	v123.exe
2212	powershell.exe
628	vidars.exe
628	vidars.exe
628	vidars.exe
628	vidars.exe
628	vidars.exe
628	vidars.exe
628	vidars.exe
628	vidars.exe
628	vidars.exe
628	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3976	jsc.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe
3716	vidars.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

o7528548.exer9229141.exev123.exepowershell.exevidars.exebuild(3).exevidars.exejsc.exeohhkarayelpayroll.exepowershell.exepowershell.exeNfjyejcuamv.exebuild(3).exe95150707970672781154.exe03445428957698054908.exepowershell.exe00427777806287218761.exe

description	pid	process
Token: SeDebugPrivilege	4944	o7528548.exe
Token: SeDebugPrivilege	696	r9229141.exe
Token: SeDebugPrivilege	2020	v123.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	628	vidars.exe
Token: SeDebugPrivilege	4912	build(3).exe
Token: SeDebugPrivilege	3716	vidars.exe
Token: SeDebugPrivilege	3976	jsc.exe
Token: SeDebugPrivilege	1148	ohhkarayelpayroll.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	1628	Nfjyejcuamv.exe
Token: SeDebugPrivilege	4016	build(3).exe
Token: SeDebugPrivilege	4124	95150707970672781154.exe
Token: SeDebugPrivilege	3696	03445428957698054908.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	596	00427777806287218761.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

s9792891.exeBondage.exe.pif

pid process

2140 s9792891.exe
4208 Bondage.exe.pif
4208 Bondage.exe.pif
4208 Bondage.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Bondage.exe.pif

pid process

4208 Bondage.exe.pif
4208 Bondage.exe.pif
4208 Bondage.exe.pif
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exe00480195771118345556.exe55263378503195473341.exe

pid process

2416 OpenWith.exe
3596 00480195771118345556.exe
3912 55263378503195473341.exe

pid	process
2140	s9792891.exe
4208	Bondage.exe.pif
4208	Bondage.exe.pif
4208	Bondage.exe.pif

pid	process
4208	Bondage.exe.pif
4208	Bondage.exe.pif
4208	Bondage.exe.pif

pid	process
2416	OpenWith.exe
3596	00480195771118345556.exe
3912	55263378503195473341.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d89ce263da944a5607588cc024c074a003cf14d01d2952b84a6905e1b27c8880.exez2944142.exes9792891.exeoneetx.exeNfjyejcuamv.exev123.exebuild(3).execmd.exevidars.exe

description	pid	process	target process
PID 4556 wrote to memory of 3904	4556	d89ce263da944a5607588cc024c074a003cf14d01d2952b84a6905e1b27c8880.exe	z2944142.exe
PID 4556 wrote to memory of 3904	4556	d89ce263da944a5607588cc024c074a003cf14d01d2952b84a6905e1b27c8880.exe	z2944142.exe
PID 4556 wrote to memory of 3904	4556	d89ce263da944a5607588cc024c074a003cf14d01d2952b84a6905e1b27c8880.exe	z2944142.exe
PID 3904 wrote to memory of 4944	3904	z2944142.exe	o7528548.exe
PID 3904 wrote to memory of 4944	3904	z2944142.exe	o7528548.exe
PID 3904 wrote to memory of 696	3904	z2944142.exe	r9229141.exe
PID 3904 wrote to memory of 696	3904	z2944142.exe	r9229141.exe
PID 3904 wrote to memory of 696	3904	z2944142.exe	r9229141.exe
PID 4556 wrote to memory of 2140	4556	d89ce263da944a5607588cc024c074a003cf14d01d2952b84a6905e1b27c8880.exe	s9792891.exe
PID 4556 wrote to memory of 2140	4556	d89ce263da944a5607588cc024c074a003cf14d01d2952b84a6905e1b27c8880.exe	s9792891.exe
PID 4556 wrote to memory of 2140	4556	d89ce263da944a5607588cc024c074a003cf14d01d2952b84a6905e1b27c8880.exe	s9792891.exe
PID 2140 wrote to memory of 3708	2140	s9792891.exe	oneetx.exe
PID 2140 wrote to memory of 3708	2140	s9792891.exe	oneetx.exe
PID 2140 wrote to memory of 3708	2140	s9792891.exe	oneetx.exe
PID 3708 wrote to memory of 528	3708	oneetx.exe	schtasks.exe
PID 3708 wrote to memory of 528	3708	oneetx.exe	schtasks.exe
PID 3708 wrote to memory of 528	3708	oneetx.exe	schtasks.exe
PID 3708 wrote to memory of 2020	3708	oneetx.exe	v123.exe
PID 3708 wrote to memory of 2020	3708	oneetx.exe	v123.exe
PID 3708 wrote to memory of 1628	3708	oneetx.exe	Nfjyejcuamv.exe
PID 3708 wrote to memory of 1628	3708	oneetx.exe	Nfjyejcuamv.exe
PID 3708 wrote to memory of 1628	3708	oneetx.exe	Nfjyejcuamv.exe
PID 3708 wrote to memory of 1496	3708	oneetx.exe	vpn.exe
PID 3708 wrote to memory of 1496	3708	oneetx.exe	vpn.exe
PID 3708 wrote to memory of 1496	3708	oneetx.exe	vpn.exe
PID 1628 wrote to memory of 2212	1628	Nfjyejcuamv.exe	powershell.exe
PID 1628 wrote to memory of 2212	1628	Nfjyejcuamv.exe	powershell.exe
PID 1628 wrote to memory of 2212	1628	Nfjyejcuamv.exe	powershell.exe
PID 3708 wrote to memory of 4848	3708	oneetx.exe	build(3).exe
PID 3708 wrote to memory of 4848	3708	oneetx.exe	build(3).exe
PID 2020 wrote to memory of 344	2020	v123.exe	aspnet_state.exe
PID 2020 wrote to memory of 344	2020	v123.exe	aspnet_state.exe
PID 2020 wrote to memory of 380	2020	v123.exe	mscorsvw.exe
PID 2020 wrote to memory of 380	2020	v123.exe	mscorsvw.exe
PID 2020 wrote to memory of 4984	2020	v123.exe	WsatConfig.exe
PID 2020 wrote to memory of 4984	2020	v123.exe	WsatConfig.exe
PID 2020 wrote to memory of 3976	2020	v123.exe	jsc.exe
PID 2020 wrote to memory of 3976	2020	v123.exe	jsc.exe
PID 2020 wrote to memory of 3976	2020	v123.exe	jsc.exe
PID 2020 wrote to memory of 3976	2020	v123.exe	jsc.exe
PID 2020 wrote to memory of 3976	2020	v123.exe	jsc.exe
PID 2020 wrote to memory of 3976	2020	v123.exe	jsc.exe
PID 2020 wrote to memory of 3976	2020	v123.exe	jsc.exe
PID 2020 wrote to memory of 3976	2020	v123.exe	jsc.exe
PID 4848 wrote to memory of 3416	4848	build(3).exe	cmd.exe
PID 4848 wrote to memory of 3416	4848	build(3).exe	cmd.exe
PID 3416 wrote to memory of 3544	3416	cmd.exe	chcp.com
PID 3416 wrote to memory of 3544	3416	cmd.exe	chcp.com
PID 3416 wrote to memory of 1328	3416	cmd.exe	PING.EXE
PID 3416 wrote to memory of 1328	3416	cmd.exe	PING.EXE
PID 3708 wrote to memory of 628	3708	oneetx.exe	vidars.exe
PID 3708 wrote to memory of 628	3708	oneetx.exe	vidars.exe
PID 3416 wrote to memory of 864	3416	cmd.exe	schtasks.exe
PID 3416 wrote to memory of 864	3416	cmd.exe	schtasks.exe
PID 3416 wrote to memory of 4912	3416	cmd.exe	build(3).exe
PID 3416 wrote to memory of 4912	3416	cmd.exe	build(3).exe
PID 628 wrote to memory of 4316	628	vidars.exe	aspnet_regsql.exe
PID 628 wrote to memory of 4316	628	vidars.exe	aspnet_regsql.exe
PID 628 wrote to memory of 4060	628	vidars.exe	WsatConfig.exe
PID 628 wrote to memory of 4060	628	vidars.exe	WsatConfig.exe
PID 628 wrote to memory of 4344	628	vidars.exe	AddInProcess.exe
PID 628 wrote to memory of 4344	628	vidars.exe	AddInProcess.exe
PID 628 wrote to memory of 2140	628	vidars.exe	ilasm.exe
PID 628 wrote to memory of 2140	628	vidars.exe	ilasm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d89ce263da944a5607588cc024c074a003cf14d01d2952b84a6905e1b27c8880.exe
"C:\Users\Admin\AppData\Local\Temp\d89ce263da944a5607588cc024c074a003cf14d01d2952b84a6905e1b27c8880.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4556

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2944142.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2944142.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7528548.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7528548.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9229141.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9229141.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9792891.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9792891.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2140

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:528

C:\Users\Admin\AppData\Local\Temp\1000040001\v123.exe
"C:\Users\Admin\AppData\Local\Temp\1000040001\v123.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
5⤵
PID:380

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
5⤵
PID:4984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
5⤵
PID:344

C:\Users\Admin\AppData\Local\Temp\1000041001\Nfjyejcuamv.exe
"C:\Users\Admin\AppData\Local\Temp\1000041001\Nfjyejcuamv.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
5⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\1000042001\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\vpn.exe"
4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Users\Admin\AppData\Local\Temp\1000044001\build(3).exe
"C:\Users\Admin\AppData\Local\Temp\1000044001\build(3).exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "build(3)" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\1000044001\build(3).exe" &&START "" "C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\system32\chcp.com
chcp 65001
6⤵
PID:3544

C:\Windows\system32\PING.EXE
ping 127.0.0.1
6⤵
- Runs ping.exe
PID:1328

C:\Windows\system32\schtasks.exe
schtasks /create /tn "build(3)" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe" /rl HIGHEST /f
6⤵
- Creates scheduled task(s)
PID:864

C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe
"C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\System32\tar.exe
"C:\Windows\System32\tar.exe" -xvzf "C:\Users\Admin\AppData\Local\Temp\tmpF9D6.tmp" -C "C:\Users\Admin\AppData\Local\82t5k7skbj"
7⤵
PID:3696

C:\Users\Admin\AppData\Local\82t5k7skbj\tor\tor.exe
"C:\Users\Admin\AppData\Local\82t5k7skbj\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\82t5k7skbj\torrc.txt"
7⤵
- Executes dropped EXE
PID:1624

C:\Users\Admin\AppData\Local\Temp\1000048001\vidars.exe
"C:\Users\Admin\AppData\Local\Temp\1000048001\vidars.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
5⤵
PID:4316

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
5⤵
PID:4060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
5⤵
PID:4344

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
5⤵
PID:2140

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
5⤵
PID:2612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
5⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3268

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe" & exit
6⤵
PID:4060

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:528

C:\Users\Admin\AppData\Local\Temp\1000049001\vidars.exe
"C:\Users\Admin\AppData\Local\Temp\1000049001\vidars.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
5⤵
PID:4028

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
5⤵
PID:4856

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
5⤵
PID:904

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
5⤵
PID:4240

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
5⤵
PID:4256

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
5⤵
PID:4400

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
5⤵
PID:396

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
5⤵
PID:4368

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
5⤵
PID:4360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
5⤵
PID:3824

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
5⤵
PID:2204

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
5⤵
PID:1920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
5⤵
PID:4632

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
5⤵
PID:4220

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
5⤵
PID:4148

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
5⤵
PID:2744

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
5⤵
PID:4436

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
5⤵
PID:1896

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
5⤵
PID:2936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
5⤵
PID:1176

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
5⤵
PID:740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
5⤵
PID:4784

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
5⤵
PID:4416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
5⤵
- Loads dropped DLL
- Checks processor information in registry
PID:2084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe" & exit
6⤵
PID:1952

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
7⤵
- Delays execution with timeout.exe
PID:2480

C:\Users\Admin\AppData\Local\Temp\1000058001\ggggg%20%281%29.exe
"C:\Users\Admin\AppData\Local\Temp\1000058001\ggggg%20%281%29.exe"
4⤵
- Executes dropped EXE
PID:4784

C:\Users\Admin\AppData\Local\Temp\1000074001\77777.exe
"C:\Users\Admin\AppData\Local\Temp\1000074001\77777.exe"
4⤵
- Executes dropped EXE
PID:1760

C:\Users\Admin\AppData\Local\Temp\SETUP_27122\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_27122\Engine.exe /TH_ID=_3208 /OriginExe="C:\Users\Admin\AppData\Local\Temp\1000074001\77777.exe"
5⤵
- Executes dropped EXE
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd < Yugoslavia
6⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd
7⤵
PID:4576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avgui
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^TiesHighsFridayPromisedOrganismsPromotedStronglyBannersTermExplainOrganisedPhpLastingMaritime$" Finding
8⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\27645\Bondage.exe.pif
27645\\Bondage.exe.pif 27645\\M
8⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4208

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "dZVxEGlqbg" /tr "C:\Users\Admin\AppData\Roaming\claRXiEwVe\dZVxEGlqbg.exe.com C:\Users\Admin\AppData\Roaming\claRXiEwVe\H" /sc onlogon /F /RL HIGHEST
9⤵
- Creates scheduled task(s)
PID:4120

C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\27645\Bondage.exe.pif
C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\27645\Bondage.exe.pif
9⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:548

C:\ProgramData\95150707970672781154.exe
"C:\ProgramData\95150707970672781154.exe"
10⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\ProgramData\00480195771118345556.exe
"C:\ProgramData\00480195771118345556.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3596

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:Temp -ExclusionProcess *.exe -ExclusionExtension exe; Set-MpPreference -SubmitSamplesConsent NeverSend -PUAProtection Disabled
11⤵
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Users\Admin\AppData\Local\Temp\2c614d8c-390c-4112-9933-17ee37ec6607.exe
"C:\Users\Admin\AppData\Local\Temp\2c614d8c-390c-4112-9933-17ee37ec6607.exe"
11⤵
PID:1436

C:\Windows\SysWOW64\nslookup.exe
nslookup dfslkdjfklhjsrhfgauiehruifghai
12⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < 5
12⤵
PID:4668

C:\Windows\SysWOW64\cmd.exe
cmd
13⤵
PID:3700

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
14⤵
PID:3464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avgui
14⤵
PID:3648

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^syXbtyYOvRrtwlrwBarUhdXsBSlrxLhdlLzfzDGmXzfNBcLMWdWSExswiFWkUVxLDNTfQOHXMDWTqlQyibutOcMQzsiOHxFeZEpNCvVoIYu$" 8
14⤵
PID:1568

C:\ProgramData\03445428957698054908.exe
"C:\ProgramData\03445428957698054908.exe"
10⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\ProgramData\55263378503195473341.exe
"C:\ProgramData\55263378503195473341.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3912

C:\ProgramData\00427777806287218761.exe
"C:\ProgramData\00427777806287218761.exe"
10⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
11⤵
PID:2164

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:3776

C:\Windows\system32\netsh.exe
netsh wlan show profile
12⤵
PID:3820

C:\Windows\system32\findstr.exe
findstr All
12⤵
PID:4396

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
11⤵
PID:392

C:\Windows\system32\chcp.com
chcp 65001
12⤵
PID:4652

C:\Windows\system32\findstr.exe
findstr Key
12⤵
PID:3836

C:\Windows\system32\netsh.exe
netsh wlan show profile name="65001" key=clear
12⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\smzntdjf.xp4\27645\Bondage.exe.pif" & exit
10⤵
PID:4276

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
11⤵
- Delays execution with timeout.exe
PID:960

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 18
8⤵
- Runs ping.exe
PID:1184

C:\Users\Admin\AppData\Local\Temp\1000083001\ohhkarayelpayroll.exe
"C:\Users\Admin\AppData\Local\Temp\1000083001\ohhkarayelpayroll.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:4604

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:3292

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
1⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe
C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Users\Admin\AppData\Local\82t5k7skbj\tor\tor.exe
"C:\Users\Admin\AppData\Local\82t5k7skbj\tor\tor.exe" -f "C:\Users\Admin\AppData\Local\82t5k7skbj\torrc.txt"
2⤵
- Executes dropped EXE
PID:1496

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4016 -s 1644
2⤵
- Program crash
PID:1328

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 208 -p 4016 -ip 4016
1⤵
PID:3068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:1536

C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
1⤵
PID:312

C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe
C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe
1⤵
PID:876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\00427777806287218761.exe
Filesize
337KB

MD5
9869818cccb536da4d77e1f203b455eb

SHA1
fcee3d5b03bfe0197dcbf93aa260a80b56d5c28c

SHA256
47ed6ce229c263f88cf7f06dbd5262ad56177ce10245ab15b54612a523e91927

SHA512
1a53550d8df3a6240fe7a282ed07014645c67604d7a39a9831d5bdee0e4e375c8bff6287d8f2a7f5ad1c8ca641af5519ad20704af1ac913aa9d2e42daa27ec50

Download Submit
C:\ProgramData\00480195771118345556.exe
Filesize
9.4MB

MD5
718d69c7e8baa9b2fea5078ac9adf6b7

SHA1
b409fa7ffde8cc8dbaff27ae6a51d3f599e0ed75

SHA256
21b3ec2a8f16bf7fb571925eda77f05c8c7a32fecd9c43cefba6223c47a80936

SHA512
ece9d1dac93453594fee0df92f8ad9ffa14ba17d4589773eac2c6f5ae1759d4b22e1067813245d2d5ab613d2b7c45173e5aebd1e72c7a720082474b76d403515

Download Submit
C:\ProgramData\03445428957698054908.exe
Filesize
33KB

MD5
7641caecd5021135bd5c03b4471715ff

SHA1
06ab473f6fcbd2af2fdc092ad464555ec4d209bb

SHA256
e53c407f87c47411d9b1d64c8ce8230705881c04514a30e8995c93853b7c4d16

SHA512
9a1eff8bb8ba7b42eda29446151c91065f10af19f231fb72525485fa0350f7ec39ad319e3e74671ceb6906307741c7097c14d4035322dffa3b7501218f0f3773

Download Submit
C:\ProgramData\08299987631020753933920763
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\12472479800999589513543372
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\22865876062766268931439728
Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\ProgramData\31008117677080765311899772
Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\ProgramData\34155597147332105590726322
Filesize
92KB

MD5
1c5b2c3154838883c4f502d401ca16c2

SHA1
a0663ced6caed0db13e9f925541c17802eb14aa7

SHA256
0503a74e60b2a1d90bc277a57bf4586f84ad7303e92291cfd2c8b7e5c790713f

SHA512
1ee14ee0778a6e4d53843add0f9c27f422fb89103b9211dc6ad25b9c3d3fe3982366b8092f4c06dd602d54a715b43c8fefec75464805cbbe2ae331e00aa6479f

Download Submit
C:\ProgramData\52670244735124542719455868
Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\ProgramData\55263378503195473341.exe
Filesize
5.8MB

MD5
67a388ee3e6e89fde50f780ecc5ca1fc

SHA1
c892ade7b8cdbbb573e88915c098809fb6a90325

SHA256
b7d4d61542c742b77631b7aef97c9fd6805ecb579c8bae8850097d7b51402544

SHA512
9b7f5054b4c2a25ffbb687c5e3ab41884bf6348ba06e0bb50be8bfa6a6413799a588539db761b32cde832c4c38eed22814c4fd1c5cb93d31826bbf23b6b74cb7

Download Submit
C:\ProgramData\60527957011573830059012598
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\71656237503015251247641149
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\95150707970672781154.exe
Filesize
9.7MB

MD5
1d9b67333e6b7513f6f1e5e37454993c

SHA1
afeeaf1b86e4b37528254aedc77d94db9d9dbfde

SHA256
21fd7af0b3046612bab9ca512bcafbe94643839137f46bb62f92efc2f6355d3c

SHA512
a08bf5ee1809f038c135c5e86e5aa5e006eb912f5fe8b7c49ba357fd70249dc559ab7e601d81cc32183329b8c6c1834af833db2aa308ca4dec2fa153ec498846

Download Submit
C:\ProgramData\98929467656452835374732369
Filesize
5.0MB

MD5
ea9117bea1fc25a8b6bd65d7edb794c6

SHA1
917dd46164e19c0a6a2bcb79de2f320bb28d5179

SHA256
95bc319e3ad1d92672105b343689b968b4ae4ef5ea1788f3797a331fe44cc46f

SHA512
1dadb5ac3daf424db006935f81bcb761dd80ec5cf847d5f9ae8bc5deeb4b0c0f2005114bc72e7243c1a090e798d5ad0f9e56fcb9735a6848584af91a454d59ed

Download Submit
C:\ProgramData\freebl3.dll
Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll
Filesize
64KB

MD5
fef383de063d9a06313fef7706559216

SHA1
ae4bc1e98fd31ef81be55445e68fadb1e12b9d2e

SHA256
a07223dcca324c67db2503a62e049839577f5bdacf3ded6bd2454aafbb7fe649

SHA512
f3c3816940245957764a17f708cef9822188669407dfee4faf967fa6831391d2c3a5041054b6238c986c802b391c45089502598d46d558988c16f4c0f271107f

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll
Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\softokn3.dll
Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll
Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
1KB

MD5
2cfb99b2abc0ec0e155148bcacb6f3ba

SHA1
700be4791bf70f3d061e4375aa80c408596d360e

SHA256
fca7f5076b8e3697c66a2501c4812d94a7134f9ff22cbf1a40e9b74684cc65cc

SHA512
0a41b981c8794c3a96bd70346d5aca364e247113fcab31f986c94a9e60e2a27c8f3877f1b9290a90fadaada6d3da3a18e7d7fb5ead7cc93f44c9a3b89a922016

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30
Filesize
1KB

MD5
3b3282ca4e82933774599df1a6157d42

SHA1
8ded595ee338664ab1a24d492d669b5cd7e612e4

SHA256
b61acfc4b8e0e0aca874fce8b30db26395dc5ab023d85a085b2024c7a7a15dd2

SHA512
3901758e531d36e455ef535823602cff5071bc6488c8881e78b3777525f5d9e6649ae04538653416b012d8435b53c6c02ba6fee3ca9f3d24269bb31eb5547e21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
1KB

MD5
ef3bb8d105b7235323b1ae08b520303d

SHA1
3c49d7ca5851025cef1280aa3fcffdd3053f66a0

SHA256
d6887eb3454539752b6dbe341bcac98a5241d2e25997b8740c9d4308f1dfb7ae

SHA512
7445e5d98f5a6fc08c9e516a9420581b47ab038ca71ff6e17b164ccffcc527f279aa2d065bc5e2667ba5f2094d10c5d4169ab67ed89f090295e06f78723d0944

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize
450B

MD5
8d35de3a5e29ce66e3be50a0a4a234cf

SHA1
9042c5b561a75dfe388da716c96ee060ecf4f76f

SHA256
7a660ad3a8aa23c8780247483d1909e01db78c3f5584a27cc4ded354395345ea

SHA512
bed2c5d3e13eb297631fba964b4881a1976ece2f726e9247702eca2d2888ab30c4a0ec705c82ac585abb555b297b5de28d09162854464374236f32457d77b4aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30
Filesize
474B

MD5
e5495995cb67f9b3e390367f35bc164a

SHA1
4976d7e7dae79c87dfcb60b45a36fdcb7c097555

SHA256
f6706cd1d5ed48a99a167c3ebd2cfa57530aa0198026710e58ae33cde15aa310

SHA512
bdc32473938fe68a2bbce7e98b6b6c21bd863e5bdf2ab0cb31f098329eb993938f26f04e873c320d44d476d2ff57ad9d7f359a00cdf36b82e7effc972cfbf560

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
Filesize
458B

MD5
853c0ce8f288bc15f16b5c9938304acc

SHA1
768ef8a271cbaf3451895682df40aa3538fde13e

SHA256
9edcd3372881a4cae41cfd5d60f2307df3824429ace8ec6be54a7839b882fe5a

SHA512
08e028eba45112492ce3ecfa496ac33559ef4c2ce95f712d3f453734c21a5dac6b24e3b4b35b5b0d352b1a7f6478638dd45c723e3ddd4e4c08fe7d2ccc3ac0d6

Download Submit
C:\Users\Admin\AppData\Local\82t5k7skbj\data\cached-microdescs.new
Filesize
5.2MB

MD5
7f32883640958d62d955cd23aacf599a

SHA1
b6f87542ca1b41dfa7ffeec01546b2f0270ccf6b

SHA256
b28ea7d28e74789d7d6a7d3d36e6ae5be742f48509ffe6f7f086fb9036ef4b21

SHA512
099082918c6c13c9db580423eba19a2689c1c620f284d70a9aad446a8c330b2e940146bedcf1586c1803e1baca00da04196f49aef42ea7e05452d09ca20fcd47

Download Submit
C:\Users\Admin\AppData\Local\82t5k7skbj\data\unverified-microdesc-consensus
Filesize
2.3MB

MD5
75c8295f4aa15a72524f8bd7afe346ed

SHA1
9148b13288eb5fdbdf9fc305b7200c8022a693ff

SHA256
c3a82a9e74dac9c01489ce8bd7d85497ed86e1810eb0d9c7e5d7bbf4997da241

SHA512
7114c8d54893fec764474e0d90faee4deff855789d00ee4f4fb706b41aec79655b7f9004735d4f766bd2d7ee5a53995e27fa7d2d3a7b5ff48bc215b512d43e21

Download Submit
C:\Users\Admin\AppData\Local\82t5k7skbj\host\hostname
Filesize
64B

MD5
7ac7e076961c256f4251799f531fbc8e

SHA1
1b3d90cb1c86ffc2f06bf400ffb5336a8609da4c

SHA256
d055539d2a04f3e583a23544b5bf4c774d7b6d2e72ead2968e1a8f2a238d82a1

SHA512
0d1c1e2ad6738d13dcdb8eb04213e630d1a7b4f737fd2dd1799c17dc73f67cbdaa54eac6b396681fd998cb530bbc2b2fc7e21312fe501e00b65351518aea9ddf

Download Submit
C:\Users\Admin\AppData\Local\82t5k7skbj\tor\tor.exe
Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\82t5k7skbj\tor\tor.exe
Filesize
7.4MB

MD5
88590909765350c0d70c6c34b1f31dd2

SHA1
129b27c3926e53e5df6d44cc6adf39c3a8d9ebf7

SHA256
46fe244b548265c78ab961e8f787bc8bf21edbcaaf175fa3b8be3137c6845a82

SHA512
a8af08d9169a31a1c3419d4e6e8fbe608c800d323840563b5a560d3e09e78a492201f07cc0d3864efbff8ad81e59885fc43a6b749e0a3377aa8555df258af192

Download Submit
C:\Users\Admin\AppData\Local\82t5k7skbj\torrc.txt
Filesize
218B

MD5
ffd86da5ae3152d92e0426093c15f917

SHA1
64e16c0772f9b1a120a58148613bfb3cc34b201c

SHA256
23293b4cf18ffc08d813eee976388af4c63fa42e55eb0913c8c1980f9d2b93b5

SHA512
3b5181b63c1451e039302793b6d011935a640f3f5d908f1ee36ca92773ba1dd5626e975e303d7a9292934f2875b790aa1d564723c4c1915fb9d315c7f8420f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build(3).exe.log
Filesize
847B

MD5
3308a84a40841fab7dfec198b3c31af7

SHA1
4e7ab6336c0538be5dd7da529c0265b3b6523083

SHA256
169bc31a8d1666535977ca170d246a463e6531bb21faab6c48cb4269d9d60b2e

SHA512
97521d5fb94efdc836ea2723098a1f26a7589a76af51358eee17292d29c9325baf53ad6b4496c5ca3e208d1c9b9ad6797a370e2ae378072fc68f5d6e8b73b198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\vidars.exe.log
Filesize
425B

MD5
fff5cbccb6b31b40f834b8f4778a779a

SHA1
899ed0377e89f1ed434cfeecc5bc0163ebdf0454

SHA256
b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

SHA512
1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe
Filesize
50KB

MD5
8bc904cbf806e8b28b6c21f1321fa019

SHA1
64c0e9e09d37587d0b418e3aed6162ccc4948987

SHA256
18b27eb6ec1898c6a8422e43e386f901eca8f09949eb63229d53f5041e5d2910

SHA512
0c41a756e62f81f567e78300b55bceb911dcfcff69f84d55e39b6d1f7431fc5dafcc9652ab3edc1da97a5c58e6d01eb4463a6e67bf67e00d662f599c619523f3

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe
Filesize
50KB

MD5
8bc904cbf806e8b28b6c21f1321fa019

SHA1
64c0e9e09d37587d0b418e3aed6162ccc4948987

SHA256
18b27eb6ec1898c6a8422e43e386f901eca8f09949eb63229d53f5041e5d2910

SHA512
0c41a756e62f81f567e78300b55bceb911dcfcff69f84d55e39b6d1f7431fc5dafcc9652ab3edc1da97a5c58e6d01eb4463a6e67bf67e00d662f599c619523f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000039001\Heaven.exe
Filesize
196KB

MD5
cf9395edbb47579473dd1e84e4fc6722

SHA1
721edf06732e2323fa1098e6e138ceaccd2b27c1

SHA256
94387d86c90cfe851c463af188931d59a8aff418b8ef9c695c3795782bfea0b1

SHA512
3ca392be3f7c7aa56b2cd7aba6c09af2e8a0173776e2eb5c47c2b35a19adbdb42a6727e0b86b4538c87b76ae97743f9fff8def70814d5cc5fa383932f1735e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000040001\v123.exe
Filesize
1.5MB

MD5
77437c98a8d412e5d30f155b4ebb01f1

SHA1
626ceeb6fc81d884d8d3d3c33285e936fb47d31e

SHA256
8dd28c0f9fe3b978a2c6bdf85dde5f3af6056cee4ae0ed198f5cf1476a8585bf

SHA512
5e509d6ba167dd5f406ecc34df9b3dd732ee02582d3951368ae64d6c180222ed20beecae4dd8184084fa79717470f678b3c278c558c0a404c0194632672c574f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000040001\v123.exe
Filesize
1.5MB

MD5
77437c98a8d412e5d30f155b4ebb01f1

SHA1
626ceeb6fc81d884d8d3d3c33285e936fb47d31e

SHA256
8dd28c0f9fe3b978a2c6bdf85dde5f3af6056cee4ae0ed198f5cf1476a8585bf

SHA512
5e509d6ba167dd5f406ecc34df9b3dd732ee02582d3951368ae64d6c180222ed20beecae4dd8184084fa79717470f678b3c278c558c0a404c0194632672c574f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000040001\v123.exe
Filesize
1.5MB

MD5
77437c98a8d412e5d30f155b4ebb01f1

SHA1
626ceeb6fc81d884d8d3d3c33285e936fb47d31e

SHA256
8dd28c0f9fe3b978a2c6bdf85dde5f3af6056cee4ae0ed198f5cf1476a8585bf

SHA512
5e509d6ba167dd5f406ecc34df9b3dd732ee02582d3951368ae64d6c180222ed20beecae4dd8184084fa79717470f678b3c278c558c0a404c0194632672c574f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000041001\Nfjyejcuamv.exe
Filesize
1.5MB

MD5
acab984940bec865cd71484a347f19ef

SHA1
b1c3866c7b805332fbacc2fd82ae25a8e945e45c

SHA256
88d050c3294a0c9984be140c86843a23e5b7c318672cef7f8d1bd61335a6243f

SHA512
66eeda5a0ff32c097a81c8e4296da25d8dc96383c84f32bb243d2732d3bee8ae6db7978171bf8c52a9631497f16983cebe4e0804714f29f6333e9f9364ec4a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000041001\Nfjyejcuamv.exe
Filesize
1.5MB

MD5
acab984940bec865cd71484a347f19ef

SHA1
b1c3866c7b805332fbacc2fd82ae25a8e945e45c

SHA256
88d050c3294a0c9984be140c86843a23e5b7c318672cef7f8d1bd61335a6243f

SHA512
66eeda5a0ff32c097a81c8e4296da25d8dc96383c84f32bb243d2732d3bee8ae6db7978171bf8c52a9631497f16983cebe4e0804714f29f6333e9f9364ec4a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000041001\Nfjyejcuamv.exe
Filesize
1.5MB

MD5
acab984940bec865cd71484a347f19ef

SHA1
b1c3866c7b805332fbacc2fd82ae25a8e945e45c

SHA256
88d050c3294a0c9984be140c86843a23e5b7c318672cef7f8d1bd61335a6243f

SHA512
66eeda5a0ff32c097a81c8e4296da25d8dc96383c84f32bb243d2732d3bee8ae6db7978171bf8c52a9631497f16983cebe4e0804714f29f6333e9f9364ec4a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\vpn.exe
Filesize
3.0MB

MD5
4b32941cd92e048e6a2d16c6069edf62

SHA1
5d167b4588575ffbc7a06cd9fa22552dced38951

SHA256
a1dc10eaa3d8eb09dfcb58123a48484639301d86165a8e3c76747cc04a2bf67d

SHA512
8b5c75642960991648fd18fb2c5421f8d082f0982a4b5950dd091547dc53943fccb287a404593fbb08282188c3c94d75e05c28f1a58f83a5b6559f34a516442e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\vpn.exe
Filesize
3.0MB

MD5
4b32941cd92e048e6a2d16c6069edf62

SHA1
5d167b4588575ffbc7a06cd9fa22552dced38951

SHA256
a1dc10eaa3d8eb09dfcb58123a48484639301d86165a8e3c76747cc04a2bf67d

SHA512
8b5c75642960991648fd18fb2c5421f8d082f0982a4b5950dd091547dc53943fccb287a404593fbb08282188c3c94d75e05c28f1a58f83a5b6559f34a516442e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\vpn.exe
Filesize
3.0MB

MD5
4b32941cd92e048e6a2d16c6069edf62

SHA1
5d167b4588575ffbc7a06cd9fa22552dced38951

SHA256
a1dc10eaa3d8eb09dfcb58123a48484639301d86165a8e3c76747cc04a2bf67d

SHA512
8b5c75642960991648fd18fb2c5421f8d082f0982a4b5950dd091547dc53943fccb287a404593fbb08282188c3c94d75e05c28f1a58f83a5b6559f34a516442e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\build(3).exe
Filesize
50KB

MD5
8bc904cbf806e8b28b6c21f1321fa019

SHA1
64c0e9e09d37587d0b418e3aed6162ccc4948987

SHA256
18b27eb6ec1898c6a8422e43e386f901eca8f09949eb63229d53f5041e5d2910

SHA512
0c41a756e62f81f567e78300b55bceb911dcfcff69f84d55e39b6d1f7431fc5dafcc9652ab3edc1da97a5c58e6d01eb4463a6e67bf67e00d662f599c619523f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\build(3).exe
Filesize
50KB

MD5
8bc904cbf806e8b28b6c21f1321fa019

SHA1
64c0e9e09d37587d0b418e3aed6162ccc4948987

SHA256
18b27eb6ec1898c6a8422e43e386f901eca8f09949eb63229d53f5041e5d2910

SHA512
0c41a756e62f81f567e78300b55bceb911dcfcff69f84d55e39b6d1f7431fc5dafcc9652ab3edc1da97a5c58e6d01eb4463a6e67bf67e00d662f599c619523f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000044001\build(3).exe
Filesize
50KB

MD5
8bc904cbf806e8b28b6c21f1321fa019

SHA1
64c0e9e09d37587d0b418e3aed6162ccc4948987

SHA256
18b27eb6ec1898c6a8422e43e386f901eca8f09949eb63229d53f5041e5d2910

SHA512
0c41a756e62f81f567e78300b55bceb911dcfcff69f84d55e39b6d1f7431fc5dafcc9652ab3edc1da97a5c58e6d01eb4463a6e67bf67e00d662f599c619523f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000048001\vidars.exe
Filesize
2.6MB

MD5
4d998d76482527f07e8e4e6af24743f5

SHA1
a479fd8f41b3522687c33472989ec2c4609ebccf

SHA256
3c806d0324044d7d2adc3eda60299847e4b896e962b02aa0819ba878792ba854

SHA512
f275adb524f2b13111f01e5d9658732600dfa6591cf92af69497d19fc4b6b9de77f2bf6f2bc3fdafbc02b6bbe71ca4618600205edcb30da6adeddaab80e0ec4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000048001\vidars.exe
Filesize
2.6MB

MD5
4d998d76482527f07e8e4e6af24743f5

SHA1
a479fd8f41b3522687c33472989ec2c4609ebccf

SHA256
3c806d0324044d7d2adc3eda60299847e4b896e962b02aa0819ba878792ba854

SHA512
f275adb524f2b13111f01e5d9658732600dfa6591cf92af69497d19fc4b6b9de77f2bf6f2bc3fdafbc02b6bbe71ca4618600205edcb30da6adeddaab80e0ec4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000048001\vidars.exe
Filesize
2.6MB

MD5
4d998d76482527f07e8e4e6af24743f5

SHA1
a479fd8f41b3522687c33472989ec2c4609ebccf

SHA256
3c806d0324044d7d2adc3eda60299847e4b896e962b02aa0819ba878792ba854

SHA512
f275adb524f2b13111f01e5d9658732600dfa6591cf92af69497d19fc4b6b9de77f2bf6f2bc3fdafbc02b6bbe71ca4618600205edcb30da6adeddaab80e0ec4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000049001\vidars.exe
Filesize
2.6MB

MD5
4d998d76482527f07e8e4e6af24743f5

SHA1
a479fd8f41b3522687c33472989ec2c4609ebccf

SHA256
3c806d0324044d7d2adc3eda60299847e4b896e962b02aa0819ba878792ba854

SHA512
f275adb524f2b13111f01e5d9658732600dfa6591cf92af69497d19fc4b6b9de77f2bf6f2bc3fdafbc02b6bbe71ca4618600205edcb30da6adeddaab80e0ec4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000049001\vidars.exe
Filesize
2.6MB

MD5
4d998d76482527f07e8e4e6af24743f5

SHA1
a479fd8f41b3522687c33472989ec2c4609ebccf

SHA256
3c806d0324044d7d2adc3eda60299847e4b896e962b02aa0819ba878792ba854

SHA512
f275adb524f2b13111f01e5d9658732600dfa6591cf92af69497d19fc4b6b9de77f2bf6f2bc3fdafbc02b6bbe71ca4618600205edcb30da6adeddaab80e0ec4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058001\ggggg%20%281%29.exe
Filesize
136KB

MD5
74f4fa130b611331c21a4613e0174fcd

SHA1
0d91f77492adcc87f31a596c5515c49e6f05ffce

SHA256
81ce11a77a609094223e0b77aa938ceb4907bb8039a1366e13793be7d260f59e

SHA512
1476c52282b22212fbfa4cc7704bae42ca78da969d0926eec82137d070257416c67dd9239d2dd817f2cc0d56034fd5e28934ced951f0eff41c460e473237bc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058001\ggggg%20%281%29.exe
Filesize
136KB

MD5
74f4fa130b611331c21a4613e0174fcd

SHA1
0d91f77492adcc87f31a596c5515c49e6f05ffce

SHA256
81ce11a77a609094223e0b77aa938ceb4907bb8039a1366e13793be7d260f59e

SHA512
1476c52282b22212fbfa4cc7704bae42ca78da969d0926eec82137d070257416c67dd9239d2dd817f2cc0d56034fd5e28934ced951f0eff41c460e473237bc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000058001\ggggg%20%281%29.exe
Filesize
136KB

MD5
74f4fa130b611331c21a4613e0174fcd

SHA1
0d91f77492adcc87f31a596c5515c49e6f05ffce

SHA256
81ce11a77a609094223e0b77aa938ceb4907bb8039a1366e13793be7d260f59e

SHA512
1476c52282b22212fbfa4cc7704bae42ca78da969d0926eec82137d070257416c67dd9239d2dd817f2cc0d56034fd5e28934ced951f0eff41c460e473237bc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000064001\Client.exe
Filesize
12KB

MD5
f69ed4979e7baef8a199aad79ba5b287

SHA1
3c4a4e1ad43c3e0d63b5bf1e4154f86f96679011

SHA256
7bb963ef01c73ca9ae1fa290f4d7ca3c68aad0af4170ea774343b5d7877c5b15

SHA512
41f8b378c9a7505cc1acdabb6c3a3c0b53518a47062b2be9f6ce108622f504d9b1b17239743cc5b3193cfe51176b01b953301075f7b24e0237478ec59e1ce2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000074001\77777.exe
Filesize
1.7MB

MD5
4f24c94182a964c6706c1920a73822c0

SHA1
5fd5f215270c5f7ff7828d8e1fe7e784094ae2f0

SHA256
45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3

SHA512
d1f7d8b5b6f1f3464a2946b861bc7c919623ad3fddeb7899d546fae93f6d864fd614a88b043c46d990942eaf59076a72702ad17dca26b178c8312c75219ce1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000074001\77777.exe
Filesize
1.7MB

MD5
4f24c94182a964c6706c1920a73822c0

SHA1
5fd5f215270c5f7ff7828d8e1fe7e784094ae2f0

SHA256
45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3

SHA512
d1f7d8b5b6f1f3464a2946b861bc7c919623ad3fddeb7899d546fae93f6d864fd614a88b043c46d990942eaf59076a72702ad17dca26b178c8312c75219ce1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000074001\77777.exe
Filesize
1.7MB

MD5
4f24c94182a964c6706c1920a73822c0

SHA1
5fd5f215270c5f7ff7828d8e1fe7e784094ae2f0

SHA256
45afb3a562e84e75c19fe08404921b2c05900a6037f04d5aa61eca9ea7254ef3

SHA512
d1f7d8b5b6f1f3464a2946b861bc7c919623ad3fddeb7899d546fae93f6d864fd614a88b043c46d990942eaf59076a72702ad17dca26b178c8312c75219ce1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000075001\hlthot.exe
Filesize
10B

MD5
ef81e41d11c9e7193ddd3d470dbb3eda

SHA1
0c15d12755a0be84e6403445c427231c274919c6

SHA256
7515bf959b73b956ceb967351c7e299cbb3668a53d35f9c770eb72e00d93ced6

SHA512
bf69c60fbb6d5ff50d81cd093cbabe59cd4eed439822e9ed02472245c3dae033cec143f1c4bbe6f702b7530f87c020442217ca1859da8f4b0f578a93b46cbdfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000083001\ohhkarayelpayroll.exe
Filesize
365KB

MD5
3d02b4b61431299d42e9494e515b5fa3

SHA1
7d2be26c893a652c135f31262cbab37ddfa5f7f9

SHA256
eb8bbe746f40294c2c305ecffb643a6f0e826cfdd4569f1e546bef2f465ce98d

SHA512
f540bf8a4ff2145741b8628e085463273718ab6441cd1674a27ee311c6f9cd4e8cb21efab52a64eb9101fb24cfb8218c0d5fda76746ca9701ecdd66d49e31d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000083001\ohhkarayelpayroll.exe
Filesize
365KB

MD5
3d02b4b61431299d42e9494e515b5fa3

SHA1
7d2be26c893a652c135f31262cbab37ddfa5f7f9

SHA256
eb8bbe746f40294c2c305ecffb643a6f0e826cfdd4569f1e546bef2f465ce98d

SHA512
f540bf8a4ff2145741b8628e085463273718ab6441cd1674a27ee311c6f9cd4e8cb21efab52a64eb9101fb24cfb8218c0d5fda76746ca9701ecdd66d49e31d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000083001\ohhkarayelpayroll.exe
Filesize
365KB

MD5
3d02b4b61431299d42e9494e515b5fa3

SHA1
7d2be26c893a652c135f31262cbab37ddfa5f7f9

SHA256
eb8bbe746f40294c2c305ecffb643a6f0e826cfdd4569f1e546bef2f465ce98d

SHA512
f540bf8a4ff2145741b8628e085463273718ab6441cd1674a27ee311c6f9cd4e8cb21efab52a64eb9101fb24cfb8218c0d5fda76746ca9701ecdd66d49e31d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c614d8c-390c-4112-9933-17ee37ec6607.exe
Filesize
1.8MB

MD5
ac9cdaa7e93365384a7af4c7deb940ef

SHA1
4458ab569efb896eebad6a0c11fd2b4bd2ea3c2d

SHA256
30cb69aad54794a964298c87be266406a84f7ff77492db61c9f477f0dae09e28

SHA512
eb14329d29e0a6527af1b22ee01470ae54b28aabce64cc96e44ce3a7fde075c63bf117cbd356519d374ea000d0a150eb8ab888067c5d028e67ca31e83f3b8223

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cb6818d6c\oneetx.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9792891.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s9792891.exe
Filesize
229KB

MD5
3308051ded87b1863a8d92925202c4b3

SHA1
7834ddc23e7976b07118fb580ae38234466dbdfb

SHA256
13b4b17671c12fd3f9db5491efb7fb389601b57ac7f89fd78638625c1ef201e4

SHA512
f8e016a2f9cd7851048811fa2846b1853f175916c32dc593e0c469614e87e4f6b07e3dee1f13c662fe9bb6865dc67837a1ab8036e238202e9353e3120f633ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2944142.exe
Filesize
204KB

MD5
d3994b0bafe7c16462b49ac6a01a51f9

SHA1
2d38bd4566546be5ad236f3cd855b7c1157cd9fb

SHA256
8c4b83589b1ba33095da8233334534ac6738c10e1661893ce80b765ddea16baa

SHA512
26f6930638177be90e1ffdae27f2ff153e56c16158ac2b82812e809602e74393be8c041887949c6c884c72b8c00d7f85f106df9d5413e225de3e9892b4ad8c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2944142.exe
Filesize
204KB

MD5
d3994b0bafe7c16462b49ac6a01a51f9

SHA1
2d38bd4566546be5ad236f3cd855b7c1157cd9fb

SHA256
8c4b83589b1ba33095da8233334534ac6738c10e1661893ce80b765ddea16baa

SHA512
26f6930638177be90e1ffdae27f2ff153e56c16158ac2b82812e809602e74393be8c041887949c6c884c72b8c00d7f85f106df9d5413e225de3e9892b4ad8c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7528548.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o7528548.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9229141.exe
Filesize
136KB

MD5
8a6f5b2cd42e9ea6fda25b05b7da6ca5

SHA1
610ba8fc587f004cdd3f2f10113e505a685742a9

SHA256
d9ece3c5739606b6b6ff5411cf9cfaca7d1f750eb9b888e3d054413e0e36266d

SHA512
1181045d6e2369a10ec246e5c38eadc04464f659643e8d23e9dae56df5c222caacf14a3393417f6111222f73b74f8f571db735474d1d7b620b41335c343ec23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9229141.exe
Filesize
136KB

MD5
8a6f5b2cd42e9ea6fda25b05b7da6ca5

SHA1
610ba8fc587f004cdd3f2f10113e505a685742a9

SHA256
d9ece3c5739606b6b6ff5411cf9cfaca7d1f750eb9b888e3d054413e0e36266d

SHA512
1181045d6e2369a10ec246e5c38eadc04464f659643e8d23e9dae56df5c222caacf14a3393417f6111222f73b74f8f571db735474d1d7b620b41335c343ec23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27122\00001#Foto
Filesize
199KB

MD5
60ad6b661b7d878936b63c39e7d94555

SHA1
655ca3b2c75ad015a02470c92e8d7b9d58541524

SHA256
650f797d33d5ecf29e1876324de2507a3b97cad3cc00c1e25ff02420a2e4e70e

SHA512
f44b3d36f26666c079354085471d44b2838c24553fd0797e12c3c96b14794aa24073574379e1e0abce3b38aaaa179dd1bf05c51ca3831aff82c90fe6699cc606

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27122\00002#Gp
Filesize
74KB

MD5
4f39ba8b1c907e52d53215ea79a1896f

SHA1
975c70c4973697cce66c149a00cc8b20e79526be

SHA256
ace9abce7314ca6736b6b6acf5a1f96c7d24f7764678f99ffb795a897a6e7bf2

SHA512
e862921fbad7a8118a1c12f1c9ca33b7f41251b69b0dc48dcbf3c40350174f5db8946c75797b0042e3d9633821b66e523212a1998a901f712bc8b0053d1e7572

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27122\00004#Piece
Filesize
43KB

MD5
bf7a0cdf40d3aa9fc94c9accd73298d2

SHA1
a049a7323a8468d1bbd3e96a1ace4266fce4429c

SHA256
96eab71166cc7df7ec1eae988487d76d463c080f1da98b194bc60a1701e5d3ae

SHA512
6a0eb5de2f23ff986c90835b7b24e5299fdb882186bcc88fece6a6a4363871dda00b8313ee729557778cf4c14456e9c25d79108be35f31df1d9b697f5d89009e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27122\00006#Stands
Filesize
1.2MB

MD5
4a1f67fc0cacc5cf1c9ab1ab05e25ec6

SHA1
e955600ae7c0f6bec15a4126f1be10acc6a6b875

SHA256
ed299bf8533de2b3f0965295aa5be53e8486dfa0887e20de0b4c6c2fd3b30b4b

SHA512
e0f1a52209c13937afcdb954e59daba04d80f82cba702788e1d6d359f2e4dd189d01455f32a167b6014c68e5d670686d2ace1bfea0b8c31b3c91f2f052669675

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27122\00008#Welfare
Filesize
54KB

MD5
f5802553964d59c3874a7ea7f0313c68

SHA1
106f605a2e7704cb8341b27ca982f5f70d09bc0f

SHA256
35cc1497dc397cf46815bfb41953a134170bbea3fd0d5178ca45b6bbb01084f9

SHA512
8f495fc3ceda40788b3dc7a2eec223e3d40b5edf1ff4ed159f20a256f1ba71d8baba135b3b1bf9f6f07851dc99bd4e29fd2af1bc7984bccca4fc390c0fc83b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27122\00009#Wines
Filesize
110KB

MD5
31ae6922272bfd6c6a863b679940d005

SHA1
df93b1021c3bb2087b249a82d4cbcd599659fcd6

SHA256
77031c9bf9a778abef4672a2b749dd7fb662a29b3e69ea391fe04dd4944601d8

SHA512
f0765279accdefbf611088e92433d258700bc97d28468b6cbd34c1be5b7cf27a54763009214bd4ce052c4bec87debd9464e2f040028fba40fb32da20d82669bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27122\Engine.exe
Filesize
1.3MB

MD5
e4656c54b03a03f816ab33101a324cdc

SHA1
48cd8d9c5a20d36362214d727e184fe4e0075d4f

SHA256
bb998a1e5e162c305a942ade944230c62b0e3bfe347a2a30c33af497109467ba

SHA512
c2980491ab8417feddb609391e14b8f662182f2ca28af47902b74687ac420d8fb2aee4ea9df858668a7affa03c799b2a478213d5629444e9276147096110f7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27122\Engine.exe
Filesize
1.3MB

MD5
e4656c54b03a03f816ab33101a324cdc

SHA1
48cd8d9c5a20d36362214d727e184fe4e0075d4f

SHA256
bb998a1e5e162c305a942ade944230c62b0e3bfe347a2a30c33af497109467ba

SHA512
c2980491ab8417feddb609391e14b8f662182f2ca28af47902b74687ac420d8fb2aee4ea9df858668a7affa03c799b2a478213d5629444e9276147096110f7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27122\Modern_Icon.bmp
Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_27122\Setup.txt
Filesize
2KB

MD5
9f82e028a899fe0dded45d76ed1ed06f

SHA1
fc0e0f3e34451087e28d8c51c486a52934e59d4a

SHA256
3dd4285197d7ad7004789eee6464594666ae8e5d913bec23e57151608bd3b109

SHA512
22d4ad271965c8c5fbe038ead00cb374c299e89f7d669ea7657064e5b3c18f4dc7f9d51b102dc388c6f79e805c7196c085edf6e990e6bb33c41ac36854192b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fhchftm5.fe1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF9D6.tmp
Filesize
13.3MB

MD5
89d2d5811c1aff539bb355f15f3ddad0

SHA1
5bb3577c25b6d323d927200c48cd184a3e27c873

SHA256
b630008f6d3887793d48b87091e56691e292894dd4fa100dc4a418a2f29dcc12

SHA512
39e576124c54143520c5435a2ef9b24506131e13403489c0692f09b89135015d611c4988d4772f8a1e6557fa68b4667d467334461009cee8c2227dfc3e295289

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
73df88d68a4f5e066784d462788cf695

SHA1
e4bfed336848d0b622fa464d40cf4bd9222aab3f

SHA256
f336fa91d52edf1a977a5b8510c1a7b0b22dd6d51576765e10a1fc98fb38109f

SHA512
64c7a2828b041fbc2792e8f4e39b9abea9a33356478d307681f1cba278293a0a22569bda5b7718993a5224f514c2af77fe989de14ab2a2ad219b0213fedf3817

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini
Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/628-347-0x000001FA16270000-0x000001FA16271000-memory.dmp

Filesize
4KB

Download
memory/628-339-0x000001FA15C60000-0x000001FA15F08000-memory.dmp

Filesize
2.7MB

Download
memory/628-346-0x000001FA305A0000-0x000001FA305B0000-memory.dmp

Filesize
64KB

Download
memory/696-152-0x0000000000570000-0x0000000000598000-memory.dmp

Filesize
160KB

Download
memory/696-158-0x0000000007640000-0x00000000076A6000-memory.dmp

Filesize
408KB

Download
memory/696-154-0x0000000007280000-0x0000000007292000-memory.dmp

Filesize
72KB

Download
memory/696-155-0x00000000073B0000-0x00000000074BA000-memory.dmp

Filesize
1.0MB

Download
memory/696-164-0x0000000008570000-0x000000000858E000-memory.dmp

Filesize
120KB

Download
memory/696-153-0x00000000077E0000-0x0000000007DF8000-memory.dmp

Filesize
6.1MB

Download
memory/696-165-0x00000000085C0000-0x0000000008610000-memory.dmp

Filesize
320KB

Download
memory/696-163-0x00000000094E0000-0x0000000009A0C000-memory.dmp

Filesize
5.2MB

Download
memory/696-162-0x0000000008DE0000-0x0000000008FA2000-memory.dmp

Filesize
1.8MB

Download
memory/696-161-0x0000000008430000-0x00000000084A6000-memory.dmp

Filesize
472KB

Download
memory/696-156-0x00000000072E0000-0x000000000731C000-memory.dmp

Filesize
240KB

Download
memory/696-160-0x0000000008830000-0x0000000008DD4000-memory.dmp

Filesize
5.6MB

Download
memory/696-157-0x0000000007360000-0x0000000007370000-memory.dmp

Filesize
64KB

Download
memory/696-159-0x00000000081E0000-0x0000000008272000-memory.dmp

Filesize
584KB

Download
memory/1148-740-0x0000000000430000-0x0000000000492000-memory.dmp

Filesize
392KB

Download
memory/1148-757-0x0000000007270000-0x0000000007280000-memory.dmp

Filesize
64KB

Download
memory/1496-280-0x0000000000160000-0x0000000000982000-memory.dmp

Filesize
8.1MB

Download
memory/1496-293-0x0000000000160000-0x0000000000982000-memory.dmp

Filesize
8.1MB

Download
memory/1496-287-0x0000000000160000-0x0000000000982000-memory.dmp

Filesize
8.1MB

Download
memory/1496-282-0x0000000000160000-0x0000000000982000-memory.dmp

Filesize
8.1MB

Download
memory/1496-317-0x0000000000160000-0x0000000000982000-memory.dmp

Filesize
8.1MB

Download
memory/1496-285-0x0000000000160000-0x0000000000982000-memory.dmp

Filesize
8.1MB

Download
memory/1496-292-0x0000000000160000-0x0000000000982000-memory.dmp

Filesize
8.1MB

Download
memory/1496-283-0x0000000000160000-0x0000000000982000-memory.dmp

Filesize
8.1MB

Download
memory/1496-291-0x0000000000160000-0x0000000000982000-memory.dmp

Filesize
8.1MB

Download
memory/1572-845-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1628-237-0x00000000000F0000-0x0000000000278000-memory.dmp

Filesize
1.5MB

Download
memory/1628-257-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/1628-406-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/1628-248-0x0000000004A70000-0x0000000004A92000-memory.dmp

Filesize
136KB

Download
memory/1760-829-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-238-0x000001CEF5ED0000-0x000001CEF5F46000-memory.dmp

Filesize
472KB

Download
memory/2020-251-0x000001CEF5F50000-0x000001CEF5F6E000-memory.dmp

Filesize
120KB

Download
memory/2020-233-0x000001CEDBCC0000-0x000001CEDBCC1000-memory.dmp

Filesize
4KB

Download
memory/2020-227-0x000001CEF5EC0000-0x000001CEF5ED0000-memory.dmp

Filesize
64KB

Download
memory/2020-215-0x000001CEDB7F0000-0x000001CEDB97E000-memory.dmp

Filesize
1.6MB

Download
memory/2084-621-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2084-638-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2084-657-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2084-544-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2084-415-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2084-410-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2084-409-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/2212-290-0x0000000005060000-0x0000000005688000-memory.dmp

Filesize
6.2MB

Download
memory/2212-439-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/2212-315-0x0000000005F00000-0x0000000005F1E000-memory.dmp

Filesize
120KB

Download
memory/2212-411-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/2212-318-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/2212-414-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/2212-327-0x0000000007770000-0x0000000007DEA000-memory.dmp

Filesize
6.5MB

Download
memory/2212-295-0x0000000000ED0000-0x0000000000EE0000-memory.dmp

Filesize
64KB

Download
memory/2212-328-0x0000000006410000-0x000000000642A000-memory.dmp

Filesize
104KB

Download
memory/2212-284-0x0000000002910000-0x0000000002946000-memory.dmp

Filesize
216KB

Download
memory/2212-298-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/2288-795-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/2288-796-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/2288-797-0x00000000064D0000-0x0000000006566000-memory.dmp

Filesize
600KB

Download
memory/2288-798-0x0000000006430000-0x0000000006452000-memory.dmp

Filesize
136KB

Download
memory/3268-445-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3268-528-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3268-529-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3268-353-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3268-526-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3268-352-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3268-527-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3268-385-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3268-349-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3716-386-0x0000014B93B60000-0x0000014B93B61000-memory.dmp

Filesize
4KB

Download
memory/3976-294-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3976-316-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/3976-426-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/4632-802-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/4632-801-0x0000000000B40000-0x0000000000B50000-memory.dmp

Filesize
64KB

Download
memory/4784-658-0x0000000000040000-0x0000000000068000-memory.dmp

Filesize
160KB

Download
memory/4784-659-0x0000000007140000-0x0000000007150000-memory.dmp

Filesize
64KB

Download
memory/4784-784-0x0000000007140000-0x0000000007150000-memory.dmp

Filesize
64KB

Download
memory/4848-281-0x00000199D92F0000-0x00000199D9302000-memory.dmp

Filesize
72KB

Download
memory/4848-286-0x00000199F3870000-0x00000199F3880000-memory.dmp

Filesize
64KB

Download
memory/4912-345-0x000001D05B380000-0x000001D05B3D0000-memory.dmp

Filesize
320KB

Download
memory/4912-508-0x000001D075570000-0x000001D075580000-memory.dmp

Filesize
64KB

Download
memory/4912-348-0x000001D075570000-0x000001D075580000-memory.dmp

Filesize
64KB

Download
memory/4944-147-0x0000000000050000-0x000000000005A000-memory.dmp

Filesize
40KB

Download
memory/4964-841-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/4964-763-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download