amadey | 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

Resubmissions

17/11/2023, 19:12

231117-xwf2aaeb6w 10

13/11/2023, 20:48

11/11/2023, 00:27

26/10/2023, 01:21

17/10/2023, 19:09

14/10/2023, 18:16

08/10/2023, 21:51

03/10/2023, 17:46

Analysis

max time kernel
35s
max time network
305s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
08/10/2023, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.exe
Size

4KB
MD5

a239a27c2169af388d4f5be6b52f272c
SHA1

0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256

98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512

f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP

48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

raccoon

Botnet

5ff7bc68b712d0b2c95bc2d831e79eaf

http://45.15.156.141:80

Attributes

user_agent
SunShineMoonLight

xor.plain

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

formbook

Version

4.1

Campaign

sy22

Decoy

vinteligencia.com

displayfridges.fun

completetip.com

giallozafferrano.com

jizihao1.com

mysticheightstrail.com

fourseasonslb.com

kjnala.shop

mosiacwall.com

vandistreet.com

gracefullytouchedartistry.com

hbiwhwr.shop

mfmz.net

hrmbrillianz.com

funwarsztat.com

polewithcandy.com

ourrajasthan.com

wilhouettteamerica.com

johnnystintshop.com

asgnelwin.com

Extracted

Family

stealc

http://5.42.65.39

Attributes

url_path
/bed95ea4798a5204.php

rc4.plain

Extracted

Family

eternity

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Extracted

Family

redline

Botnet

cheat

54.91.200.119:80

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Poverty Stealer Payload 5 IoCs

resource	yara_rule
behavioral1/memory/316-132-0x0000000000D80000-0x0000000000D8A000-memory.dmp	family_povertystealer
behavioral1/memory/316-194-0x0000000000D80000-0x0000000000D8A000-memory.dmp	family_povertystealer
behavioral1/memory/316-201-0x0000000000D80000-0x0000000000D8A000-memory.dmp	family_povertystealer
behavioral1/memory/316-190-0x0000000000D80000-0x0000000000D8A000-memory.dmp	family_povertystealer
behavioral1/memory/316-181-0x0000000000D80000-0x0000000000D8A000-memory.dmp	family_povertystealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity
Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

resource	yara_rule
behavioral1/memory/1628-154-0x0000000000400000-0x0000000002668000-memory.dmp	family_glupteba
behavioral1/memory/1628-204-0x0000000000400000-0x0000000002668000-memory.dmp	family_glupteba
behavioral1/memory/1628-222-0x0000000004830000-0x000000000511B000-memory.dmp	family_glupteba

Poverty Stealer
Poverty Stealer is a crypto and infostealer written in C++.
stealer povertystealer
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer payload 3 IoCs

resource	yara_rule
behavioral1/memory/2116-179-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon
behavioral1/memory/2116-171-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon
behavioral1/memory/2116-218-0x0000000000400000-0x000000000041B000-memory.dmp	family_raccoon

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

resource	yara_rule
behavioral1/memory/4840-84-0x00000000006D0000-0x000000000072A000-memory.dmp	family_redline
behavioral1/memory/1864-88-0x0000000000490000-0x00000000004EA000-memory.dmp	family_redline
behavioral1/files/0x000600000001b000-83.dat	family_redline
behavioral1/files/0x000600000001b000-82.dat	family_redline
behavioral1/files/0x000600000001b031-321.dat	family_redline
behavioral1/files/0x000600000001b031-328.dat	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000001b031-321.dat	family_sectoprat
behavioral1/files/0x000600000001b031-328.dat	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/3012-241-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programfiles.vbs	lnstalIer.exe

Executes dropped EXE 24 IoCs

pid	Process
5024	minda.exe
3208	netTimer.exe
2440	lnstalIer.exe
4392	toolspub2.exe
1628	31839b57a4f11171d6abc8bbc4451ee4.exe
4840	trafico.exe
4600	kos1.exe
4880	Setup.exe
4424	987123.exe
2112	latestX.exe
1864	cats.exe
1964	set16.exe
4644	toolspub2.exe
3292	kos.exe
316	deluxe_crypted1234.exe
1468	is-RMU9R.tmp
2516	toolspub2.exe
2752	htmlc.exe
3984	dslwsx.exe
872	previewer.exe
3540	deluxe_crypted.exe
3012	dslwsx.exe
4656	zoeg4a5.exe
4472	Lopbf.exe

Loads dropped DLL 5 IoCs

pid	Process
4840	trafico.exe
4840	trafico.exe
1468	is-RMU9R.tmp
1468	is-RMU9R.tmp
1468	is-RMU9R.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000800000001b020-406.dat	themida
behavioral1/files/0x000800000001b020-407.dat	themida
behavioral1/files/0x000600000001b046-484.dat	themida

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001b063-877.dat	upx
behavioral1/files/0x000600000001b0cb-1812.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.159.66.125

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
344	ipinfo.io
54	ip-api.com
257	ipinfo.io
258	ipinfo.io
340	api.myip.com
345	ipinfo.io
251	api.myip.com
254	api.myip.com
338	api.myip.com

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4392 set thread context of 4644	4392	toolspub2.exe	84
PID 2440 set thread context of 2116	2440	lnstalIer.exe	100
PID 3984 set thread context of 3012	3984	dslwsx.exe	103
PID 4880 set thread context of 4768	4880	Setup.exe	106
PID 3540 set thread context of 424	3540	deluxe_crypted.exe	107
PID 3012 set thread context of 3176	3012	dslwsx.exe	13

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\PA Previewer\is-B2JO8.tmp	is-RMU9R.tmp
File created	C:\Program Files (x86)\PA Previewer\is-L2DKL.tmp	is-RMU9R.tmp
File created	C:\Program Files (x86)\PA Previewer\is-T2EP1.tmp	is-RMU9R.tmp
File created	C:\Program Files (x86)\PA Previewer\is-D5QU1.tmp	is-RMU9R.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\unins000.dat	is-RMU9R.tmp
File opened for modification	C:\Program Files (x86)\PA Previewer\previewer.exe	is-RMU9R.tmp
File created	C:\Program Files (x86)\PA Previewer\unins000.dat	is-RMU9R.tmp

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
7624	sc.exe
4304	sc.exe
7356	sc.exe
1412	sc.exe
96	sc.exe
7852	sc.exe
6140	sc.exe
8056	sc.exe
3016	sc.exe
2132	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
2128	4840	WerFault.exe	76
5060	4424	WerFault.exe	80
1848	3540	WerFault.exe	95
3000	4472	WerFault.exe	110
5136	6044	WerFault.exe	182
5148	3528	WerFault.exe	171
3028	6024	WerFault.exe	165

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
6620	schtasks.exe
6884	schtasks.exe
7588	schtasks.exe
7968	schtasks.exe
2440	schtasks.exe
5624	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4364	timeout.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1080	ipconfig.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4644	toolspub2.exe
4644	toolspub2.exe
2440	lnstalIer.exe
2440	lnstalIer.exe
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3208	netTimer.exe
3208	netTimer.exe
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
3176	Explorer.EXE
4880	Setup.exe
4880	Setup.exe
3012	dslwsx.exe
3012	dslwsx.exe
3012	dslwsx.exe
3176	Explorer.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3176	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4644	toolspub2.exe
3984	dslwsx.exe
3012	dslwsx.exe
3012	dslwsx.exe
3012	dslwsx.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	696	New Text Document.exe
Token: SeDebugPrivilege	3208	netTimer.exe
Token: SeDebugPrivilege	3292	kos.exe
Token: SeDebugPrivilege	2440	lnstalIer.exe
Token: SeDebugPrivilege	2516	toolspub2.exe
Token: SeDebugPrivilege	872	previewer.exe
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeDebugPrivilege	4880	Setup.exe
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeDebugPrivilege	3012	dslwsx.exe
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeShutdownPrivilege	3176	Explorer.EXE
Token: SeCreatePagefilePrivilege	3176	Explorer.EXE
Token: SeDebugPrivilege	4472	Lopbf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 5024	696	New Text Document.exe	71
PID 696 wrote to memory of 5024	696	New Text Document.exe	71
PID 696 wrote to memory of 5024	696	New Text Document.exe	71
PID 696 wrote to memory of 3208	696	New Text Document.exe	72
PID 696 wrote to memory of 3208	696	New Text Document.exe	72
PID 696 wrote to memory of 2440	696	New Text Document.exe	73
PID 696 wrote to memory of 2440	696	New Text Document.exe	73
PID 696 wrote to memory of 2440	696	New Text Document.exe	73
PID 5024 wrote to memory of 4392	5024	minda.exe	74
PID 5024 wrote to memory of 4392	5024	minda.exe	74
PID 5024 wrote to memory of 4392	5024	minda.exe	74
PID 5024 wrote to memory of 1628	5024	minda.exe	75
PID 5024 wrote to memory of 1628	5024	minda.exe	75
PID 5024 wrote to memory of 1628	5024	minda.exe	75
PID 696 wrote to memory of 4840	696	New Text Document.exe	76
PID 696 wrote to memory of 4840	696	New Text Document.exe	76
PID 696 wrote to memory of 4840	696	New Text Document.exe	76
PID 5024 wrote to memory of 4600	5024	minda.exe	78
PID 5024 wrote to memory of 4600	5024	minda.exe	78
PID 5024 wrote to memory of 4600	5024	minda.exe	78
PID 5024 wrote to memory of 4880	5024	minda.exe	77
PID 5024 wrote to memory of 4880	5024	minda.exe	77
PID 5024 wrote to memory of 4880	5024	minda.exe	77
PID 696 wrote to memory of 4424	696	New Text Document.exe	80
PID 696 wrote to memory of 4424	696	New Text Document.exe	80
PID 696 wrote to memory of 4424	696	New Text Document.exe	80
PID 5024 wrote to memory of 2112	5024	minda.exe	81
PID 5024 wrote to memory of 2112	5024	minda.exe	81
PID 696 wrote to memory of 1864	696	New Text Document.exe	82
PID 696 wrote to memory of 1864	696	New Text Document.exe	82
PID 696 wrote to memory of 1864	696	New Text Document.exe	82
PID 4392 wrote to memory of 4644	4392	toolspub2.exe	84
PID 4392 wrote to memory of 4644	4392	toolspub2.exe	84
PID 4392 wrote to memory of 4644	4392	toolspub2.exe	84
PID 4600 wrote to memory of 1964	4600	kos1.exe	90
PID 4600 wrote to memory of 1964	4600	kos1.exe	90
PID 4600 wrote to memory of 1964	4600	kos1.exe	90
PID 4392 wrote to memory of 4644	4392	toolspub2.exe	84
PID 4392 wrote to memory of 4644	4392	toolspub2.exe	84
PID 4392 wrote to memory of 4644	4392	toolspub2.exe	84
PID 4600 wrote to memory of 3292	4600	kos1.exe	88
PID 4600 wrote to memory of 3292	4600	kos1.exe	88
PID 696 wrote to memory of 316	696	New Text Document.exe	85
PID 696 wrote to memory of 316	696	New Text Document.exe	85
PID 696 wrote to memory of 316	696	New Text Document.exe	85
PID 1964 wrote to memory of 1468	1964	set16.exe	87
PID 1964 wrote to memory of 1468	1964	set16.exe	87
PID 1964 wrote to memory of 1468	1964	set16.exe	87
PID 2440 wrote to memory of 1552	2440	lnstalIer.exe	121
PID 2440 wrote to memory of 1552	2440	lnstalIer.exe	121
PID 2440 wrote to memory of 1552	2440	lnstalIer.exe	121
PID 1468 wrote to memory of 2772	1468	is-RMU9R.tmp	101
PID 1468 wrote to memory of 2772	1468	is-RMU9R.tmp	101
PID 1468 wrote to memory of 2772	1468	is-RMU9R.tmp	101
PID 2440 wrote to memory of 2116	2440	lnstalIer.exe	100
PID 2440 wrote to memory of 2116	2440	lnstalIer.exe	100
PID 2440 wrote to memory of 2116	2440	lnstalIer.exe	100
PID 1468 wrote to memory of 2516	1468	is-RMU9R.tmp	137
PID 1468 wrote to memory of 2516	1468	is-RMU9R.tmp	137
PID 1468 wrote to memory of 2516	1468	is-RMU9R.tmp	137
PID 2440 wrote to memory of 2116	2440	lnstalIer.exe	100
PID 2440 wrote to memory of 2116	2440	lnstalIer.exe	100
PID 2440 wrote to memory of 2116	2440	lnstalIer.exe	100
PID 2440 wrote to memory of 2116	2440	lnstalIer.exe	100

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3176
- C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
  "C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Users\Admin\AppData\Local\Temp\a\minda.exe
    "C:\Users\Admin\AppData\Local\Temp\a\minda.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:4392
    - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      Executes dropped EXE
      PID:1628
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2768
    - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        5⤵
        
        PID:7268
  - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4880
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        5⤵
        
        PID:4224
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        5⤵
        
        PID:4768
  - - C:\Users\Admin\AppData\Local\Temp\kos1.exe
      "C:\Users\Admin\AppData\Local\Temp\kos1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Users\Admin\AppData\Local\Temp\kos.exe
        
        "C:\Users\Admin\AppData\Local\Temp\kos.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3292
    - - C:\Users\Admin\AppData\Local\Temp\set16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\set16.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1964
  - - C:\Users\Admin\AppData\Local\Temp\latestX.exe
      "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
      4⤵
      Executes dropped EXE
      PID:2112
- - C:\Users\Admin\AppData\Local\Temp\a\netTimer.exe
    "C:\Users\Admin\AppData\Local\Temp\a\netTimer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3208
- - C:\Users\Admin\AppData\Local\Temp\a\lnstalIer.exe
    "C:\Users\Admin\AppData\Local\Temp\a\lnstalIer.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      PID:2116
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      PID:1552
- - C:\Users\Admin\AppData\Local\Temp\a\trafico.exe
    "C:\Users\Admin\AppData\Local\Temp\a\trafico.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 756
      4⤵
      Program crash
      PID:2128
- - C:\Users\Admin\AppData\Local\Temp\a\987123.exe
    "C:\Users\Admin\AppData\Local\Temp\a\987123.exe"
    3⤵
    - Executes dropped EXE
    PID:4424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 480
      4⤵
      Program crash
      PID:5060
- - C:\Users\Admin\AppData\Local\Temp\a\cats.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cats.exe"
    3⤵
    - Executes dropped EXE
    PID:1864
- - C:\Users\Admin\AppData\Local\Temp\a\deluxe_crypted1234.exe
    "C:\Users\Admin\AppData\Local\Temp\a\deluxe_crypted1234.exe"
    3⤵
    - Executes dropped EXE
    PID:316
- - C:\Users\Admin\AppData\Local\Temp\a\htmlc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\htmlc.exe"
    3⤵
    - Executes dropped EXE
    PID:2752
  - - C:\Users\Admin\AppData\Local\Temp\dslwsx.exe
      "C:\Users\Admin\AppData\Local\Temp\dslwsx.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      PID:3984
    - - C:\Users\Admin\AppData\Local\Temp\dslwsx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dslwsx.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
- - C:\Users\Admin\AppData\Local\Temp\a\deluxe_crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\a\deluxe_crypted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 144
      4⤵
      Program crash
      PID:1848
- - C:\Users\Admin\AppData\Local\Temp\a\zoeg4a5.exe
    "C:\Users\Admin\AppData\Local\Temp\a\zoeg4a5.exe"
    3⤵
    - Executes dropped EXE
    PID:4656
- - C:\Users\Admin\AppData\Local\Temp\a\Lopbf.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Lopbf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1748
      4⤵
      Program crash
      PID:3000
- - C:\Users\Admin\AppData\Local\Temp\a\Stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Stealer.exe"
    3⤵
    PID:1888
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      PID:1552
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2504
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        
        PID:4932
    - - C:\Windows\system32\findstr.exe
        
        findstr All
        5⤵
        
        PID:4464
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key
      4⤵
      PID:420
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:372
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile name="65001" key=clear
        5⤵
        
        PID:2132
    - - C:\Windows\system32\findstr.exe
        
        findstr Key
        5⤵
        
        PID:656
- - C:\Users\Admin\AppData\Local\Temp\a\buildtest.exe
    "C:\Users\Admin\AppData\Local\Temp\a\buildtest.exe"
    3⤵
    PID:4328
- - C:\Users\Admin\AppData\Local\Temp\a\cllip.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cllip.exe"
    3⤵
    PID:224
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s68.0.bat" "
      4⤵
      PID:4016
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4364
    - - C:\ProgramData\presepuesto\LEAJ.exe
        
        "C:\ProgramData\presepuesto\LEAJ.exe"
        5⤵
        
        PID:2292
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "LEAJ" /tr C:\ProgramData\presepuesto\LEAJ.exe /f
        6⤵
        Creates scheduled task(s)
        
        PID:5624
- - C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe
    "C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe"
    3⤵
    PID:504
  - - C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe
      "C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe"
      4⤵
      PID:4940
- - C:\Users\Admin\AppData\Local\Temp\a\build5555.exe
    "C:\Users\Admin\AppData\Local\Temp\a\build5555.exe"
    3⤵
    PID:1396
  - - C:\Users\Admin\AppData\Local\Temp\a\build5555.exe
      "C:\Users\Admin\AppData\Local\Temp\a\build5555.exe"
      4⤵
      PID:5412
- - C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe"
    3⤵
    PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2516
- - C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe"
    3⤵
    PID:3460
  - - C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
      C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
      4⤵
      PID:5996
- - C:\Users\Admin\AppData\Local\Temp\a\get4.exe
    "C:\Users\Admin\AppData\Local\Temp\a\get4.exe"
    3⤵
    PID:1408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\get4.exe" -Force
      4⤵
      PID:3164
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:3468
    - - C:\Users\Admin\Pictures\6HadII2IbmIkvdLXM1ue7kRw.exe
        
        "C:\Users\Admin\Pictures\6HadII2IbmIkvdLXM1ue7kRw.exe"
        5⤵
        
        PID:5680
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\describeeffectively.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\describeeffectively.exe
        6⤵
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\describeeffectively.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\describeeffectively.exe
        7⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\describeeffectively.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\describeeffectively.exe
        7⤵
        
        PID:5400
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\describeeffectiively.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\describeeffectiively.exe
        6⤵
        
        PID:2168
    - - C:\Users\Admin\Pictures\W71KnY972JqdlBLWFZrWNM9V.exe
        
        "C:\Users\Admin\Pictures\W71KnY972JqdlBLWFZrWNM9V.exe"
        5⤵
        
        PID:5644
      - C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"
        6⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
        7⤵
        Creates scheduled task(s)
        
        PID:6884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit
        7⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nhdues.exe" /P "Admin:N"
        8⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nhdues.exe" /P "Admin:R" /E
        8⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        8⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\1ff8bec27e" /P "Admin:N"
        8⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\1ff8bec27e" /P "Admin:R" /E
        8⤵
        
        PID:7980
    - - C:\Users\Admin\Pictures\MBsejckAYiOx6nsKiov8GJN6.exe
        
        "C:\Users\Admin\Pictures\MBsejckAYiOx6nsKiov8GJN6.exe" --silent --allusers=0
        5⤵
        
        PID:5856
      - C:\Users\Admin\Pictures\MBsejckAYiOx6nsKiov8GJN6.exe
        
        C:\Users\Admin\Pictures\MBsejckAYiOx6nsKiov8GJN6.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6d1f8538,0x6d1f8548,0x6d1f8554
        6⤵
        
        PID:6128
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\MBsejckAYiOx6nsKiov8GJN6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\MBsejckAYiOx6nsKiov8GJN6.exe" --version
        6⤵
        
        PID:2080
      - C:\Users\Admin\Pictures\MBsejckAYiOx6nsKiov8GJN6.exe
        
        "C:\Users\Admin\Pictures\MBsejckAYiOx6nsKiov8GJN6.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5856 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231008215249" --session-guid=55107975-bd99-45eb-8794-0bc2ff612165 --server-tracking-blob=ZjQ5ODcyMjk1MzEzMTQxZDc1OGNmYzU3NzQ3MGRkNjc4YzY1ZjU2MTcwMWVhMTIzNzFkMDM2MTczM2JhMGMwYTp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5NjgwMTk1NC42MzcxIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI4Y2EzN2MxMS1iN2MwLTRjN2MtYWNlYS1jYzZlNjBmYTJjOGMifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=6C04000000000000
        6⤵
        
        PID:6036
        
        C:\Users\Admin\Pictures\MBsejckAYiOx6nsKiov8GJN6.exe
        
        C:\Users\Admin\Pictures\MBsejckAYiOx6nsKiov8GJN6.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2c0,0x2c4,0x2c8,0x290,0x2cc,0x6be88538,0x6be88548,0x6be88554
        7⤵
        
        PID:4264
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310082152491\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310082152491\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"
        6⤵
        
        PID:356
    - - C:\Users\Admin\Pictures\KbIad5cWqMmEIF0R6S1VxSq2.exe
        
        "C:\Users\Admin\Pictures\KbIad5cWqMmEIF0R6S1VxSq2.exe"
        5⤵
        
        PID:1072
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3364
    - - C:\Users\Admin\Pictures\grfQb2myCnhPdOTIF105Xg5s.exe
        
        "C:\Users\Admin\Pictures\grfQb2myCnhPdOTIF105Xg5s.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333
        5⤵
        
        PID:5008
      - C:\Users\Admin\AppData\Local\Temp\is-LEA34.tmp\grfQb2myCnhPdOTIF105Xg5s.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LEA34.tmp\grfQb2myCnhPdOTIF105Xg5s.tmp" /SL5="$702C8,5025136,832512,C:\Users\Admin\Pictures\grfQb2myCnhPdOTIF105Xg5s.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333
        6⤵
        
        PID:5240
        
        C:\Users\Admin\AppData\Local\Temp\is-GLGH1.tmp\_isetup\_setup64.tmp
        
        helper 105 0x344
        7⤵
        
        PID:5912
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /Query /TN "DigitalPulseUpdateTask"
        7⤵
        
        PID:2676
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /Create /TN "DigitalPulseUpdateTask" /SC HOURLY /TR "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:6620
        
        C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe
        
        "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=
        7⤵
        
        PID:7148
    - - C:\Users\Admin\Pictures\du7E31mNtK9QnIy1tXzkOprU.exe
        
        "C:\Users\Admin\Pictures\du7E31mNtK9QnIy1tXzkOprU.exe"
        5⤵
        
        PID:4016
    - - C:\Users\Admin\Pictures\goXY4kFHZsvR6BIeKZl3R8rb.exe
        
        "C:\Users\Admin\Pictures\goXY4kFHZsvR6BIeKZl3R8rb.exe"
        5⤵
        
        PID:5784
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4300
    - - C:\Users\Admin\Pictures\PUayEyCi761NFzqhG6PTd2A6.exe
        
        "C:\Users\Admin\Pictures\PUayEyCi761NFzqhG6PTd2A6.exe"
        5⤵
        
        PID:5788
    - - C:\Users\Admin\Pictures\14FZ6vh43ZUYAQwIVLbGxUDx.exe
        
        "C:\Users\Admin\Pictures\14FZ6vh43ZUYAQwIVLbGxUDx.exe"
        5⤵
        
        PID:5096
    - - C:\Users\Admin\Pictures\FY2vupBZ5b5numpy6uEttskc.exe
        
        "C:\Users\Admin\Pictures\FY2vupBZ5b5numpy6uEttskc.exe"
        5⤵
        
        PID:3652
- - C:\Users\Admin\AppData\Local\Temp\a\zinda.exe
    "C:\Users\Admin\AppData\Local\Temp\a\zinda.exe"
    3⤵
    PID:6024
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      PID:3068
    - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        5⤵
        
        PID:5852
  - - C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
      "C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
      4⤵
      PID:5948
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:7972
  - - C:\Users\Admin\AppData\Local\Temp\kos1.exe
      "C:\Users\Admin\AppData\Local\Temp\kos1.exe"
      4⤵
      PID:6044
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 752
        5⤵
        Program crash
        
        PID:5136
  - - C:\Users\Admin\AppData\Local\Temp\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      4⤵
      PID:5512
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        5⤵
        
        PID:6072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 1596
      4⤵
      Program crash
      PID:3028
- - C:\Users\Admin\AppData\Local\Temp\a\Akh.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Akh.exe"
    3⤵
    PID:348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\Akh.exe" -Force
      4⤵
      PID:5360
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:3020
    - - C:\Users\Admin\Pictures\sPq5HuZcUdFRcNDzwDbAT9rH.exe
        
        "C:\Users\Admin\Pictures\sPq5HuZcUdFRcNDzwDbAT9rH.exe"
        5⤵
        
        PID:6864
    - - C:\Users\Admin\Pictures\3uEZVwVvNsRQK40Jwee71gHO.exe
        
        "C:\Users\Admin\Pictures\3uEZVwVvNsRQK40Jwee71gHO.exe"
        5⤵
        
        PID:6896
    - - C:\Users\Admin\Pictures\XVxfiziRJNx5s14H7alvp3Md.exe
        
        "C:\Users\Admin\Pictures\XVxfiziRJNx5s14H7alvp3Md.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333
        5⤵
        
        PID:6960
      - C:\Users\Admin\AppData\Local\Temp\is-6ABVQ.tmp\XVxfiziRJNx5s14H7alvp3Md.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6ABVQ.tmp\XVxfiziRJNx5s14H7alvp3Md.tmp" /SL5="$401EC,5025136,832512,C:\Users\Admin\Pictures\XVxfiziRJNx5s14H7alvp3Md.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333
        6⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\is-1US1F.tmp\_isetup\_setup64.tmp
        
        helper 105 0x3C0
        7⤵
        
        PID:7248
        
        C:\Windows\system32\schtasks.exe
        
        "schtasks" /Query /TN "DigitalPulseUpdateTask"
        7⤵
        
        PID:7980
        
        C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe
        
        "C:\Users\Admin\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=
        7⤵
        
        PID:2924
    - - C:\Users\Admin\Pictures\XzGKMtueJufQCUtDusdx6vI6.exe
        
        "C:\Users\Admin\Pictures\XzGKMtueJufQCUtDusdx6vI6.exe"
        5⤵
        
        PID:6760
    - - C:\Users\Admin\Pictures\6BVRvUinyrgLQpZPaFOLazSo.exe
        
        "C:\Users\Admin\Pictures\6BVRvUinyrgLQpZPaFOLazSo.exe"
        5⤵
        
        PID:7108
      - C:\Users\Admin\AppData\Local\Temp\7zS3C25.tmp\Install.exe
        
        .\Install.exe
        6⤵
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\Temp\7zS4126.tmp\Install.exe
        
        .\Install.exe /DdidCJjeH "385120" /S
        7⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        8⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        8⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gMXpDYZmP" /SC once /ST 00:59:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        8⤵
        Creates scheduled task(s)
        
        PID:2440
    - - C:\Users\Admin\Pictures\aU8Hq0qMESFDK3ftDPJe5P2O.exe
        
        "C:\Users\Admin\Pictures\aU8Hq0qMESFDK3ftDPJe5P2O.exe"
        5⤵
        
        PID:6320
      - C:\Users\Admin\AppData\Local\Temp\is-JVUJS.tmp\is-F6FA2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-JVUJS.tmp\is-F6FA2.tmp" /SL4 $402BA "C:\Users\Admin\Pictures\aU8Hq0qMESFDK3ftDPJe5P2O.exe" 2846236 52224
        6⤵
        
        PID:6428
        
        C:\Program Files (x86)\OSNMount\OSNMount.exe
        
        "C:\Program Files (x86)\OSNMount\OSNMount.exe" -i
        7⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 29
        7⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 29
        8⤵
        
        PID:7904
        
        C:\Program Files (x86)\OSNMount\OSNMount.exe
        
        "C:\Program Files (x86)\OSNMount\OSNMount.exe" -s
        7⤵
        
        PID:7664
    - - C:\Users\Admin\Pictures\nPZzsFgoCObqZhQd3oy0OCbI.exe
        
        "C:\Users\Admin\Pictures\nPZzsFgoCObqZhQd3oy0OCbI.exe"
        5⤵
        
        PID:1564
    - - C:\Users\Admin\Pictures\Mwo7lj6JIIrCoX5mW39188Bx.exe
        
        "C:\Users\Admin\Pictures\Mwo7lj6JIIrCoX5mW39188Bx.exe" --silent --allusers=0
        5⤵
        
        PID:6804
      - C:\Users\Admin\Pictures\Mwo7lj6JIIrCoX5mW39188Bx.exe
        
        C:\Users\Admin\Pictures\Mwo7lj6JIIrCoX5mW39188Bx.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.16 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x688c8538,0x688c8548,0x688c8554
        6⤵
        
        PID:5116
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Mwo7lj6JIIrCoX5mW39188Bx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\Mwo7lj6JIIrCoX5mW39188Bx.exe" --version
        6⤵
        
        PID:6668
    - - C:\Users\Admin\Pictures\Nclp75gy35DbL65Gfl1B00Rr.exe
        
        "C:\Users\Admin\Pictures\Nclp75gy35DbL65Gfl1B00Rr.exe"
        5⤵
        
        PID:6572
      - C:\Users\Admin\Pictures\Nclp75gy35DbL65Gfl1B00Rr.exe
        
        "C:\Users\Admin\Pictures\Nclp75gy35DbL65Gfl1B00Rr.exe"
        6⤵
        
        PID:7596
    - - C:\Users\Admin\Pictures\pbq6J1oi6jPvsoufRvKjtqjH.exe
        
        "C:\Users\Admin\Pictures\pbq6J1oi6jPvsoufRvKjtqjH.exe"
        5⤵
        
        PID:6468
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:6100
- - C:\Users\Admin\AppData\Local\Temp\a\r.exe
    "C:\Users\Admin\AppData\Local\Temp\a\r.exe"
    3⤵
    PID:3528
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3212
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 356
      4⤵
      Program crash
      PID:5148
- - C:\Users\Admin\AppData\Local\Temp\a\Crypted_new.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Crypted_new.exe"
    3⤵
    PID:5184
- - C:\Users\Admin\AppData\Local\Temp\a\2-3-0_2023-10-05_14-14.exe
    "C:\Users\Admin\AppData\Local\Temp\a\2-3-0_2023-10-05_14-14.exe"
    3⤵
    PID:4568
- - C:\Users\Admin\AppData\Local\Temp\a\rus.exe
    "C:\Users\Admin\AppData\Local\Temp\a\rus.exe"
    3⤵
    PID:5328
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4476
- - C:\Users\Admin\AppData\Local\Temp\a\nano.exe
    "C:\Users\Admin\AppData\Local\Temp\a\nano.exe"
    3⤵
    PID:5268
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:5220
- - C:\Users\Admin\AppData\Local\Temp\a\EpPDrE.exe
    "C:\Users\Admin\AppData\Local\Temp\a\EpPDrE.exe"
    3⤵
    PID:5488
- - C:\Users\Admin\AppData\Local\Temp\a\HTML.exe
    "C:\Users\Admin\AppData\Local\Temp\a\HTML.exe"
    3⤵
    PID:6856
- - C:\Users\Admin\AppData\Local\Temp\a\foto3553.exe
    "C:\Users\Admin\AppData\Local\Temp\a\foto3553.exe"
    3⤵
    PID:7132
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hU1vI4bT.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hU1vI4bT.exe
      4⤵
      PID:3884
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BJ8jK4tA.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\BJ8jK4tA.exe
        5⤵
        
        PID:4460
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zf7pw6jc.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zf7pw6jc.exe
        6⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\au6AT3NJ.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\au6AT3NJ.exe
        7⤵
        
        PID:6484
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1fd31Sb4.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1fd31Sb4.exe
        8⤵
        
        PID:3736
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        9⤵
        
        PID:7072
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ts281HE.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ts281HE.exe
        8⤵
        
        PID:5208
- - C:\Users\Admin\AppData\Local\Temp\a\audiogse.exe
    "C:\Users\Admin\AppData\Local\Temp\a\audiogse.exe"
    3⤵
    PID:6756
  - - C:\Users\Admin\AppData\Local\Temp\dmnvd.exe
      "C:\Users\Admin\AppData\Local\Temp\dmnvd.exe"
      4⤵
      PID:2112
    - - C:\Users\Admin\AppData\Local\Temp\dmnvd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dmnvd.exe"
        5⤵
        
        PID:7380
- - C:\Users\Admin\AppData\Local\Temp\a\Wblxhuaksujvhq.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Wblxhuaksujvhq.exe"
    3⤵
    PID:7872
  - - C:\Windows\SysWOW64\colorcpl.exe
      C:\Windows\System32\colorcpl.exe
      4⤵
      PID:2796
- - C:\Users\Admin\AppData\Local\Temp\a\server1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\server1.exe"
    3⤵
    PID:5344
  - - C:\Users\Admin\AppData\Local\Temp\a\server1.exe
      C:\Users\Admin\AppData\Local\Temp\a\server1.exe
      4⤵
      PID:2444
- - C:\Users\Admin\AppData\Local\Temp\a\222.exe
    "C:\Users\Admin\AppData\Local\Temp\a\222.exe"
    3⤵
    PID:7448
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:6760
- - C:\Users\Admin\AppData\Local\Temp\a\3.exe
    "C:\Users\Admin\AppData\Local\Temp\a\3.exe"
    3⤵
    PID:7640
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Gathers network information
  PID:1080
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\dslwsx.exe"
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\autochk.exe
    "C:\Windows\SysWOW64\autochk.exe"
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\help.exe
    "C:\Windows\SysWOW64\help.exe"
    3⤵
    PID:3888
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:6568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:3560
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1636
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3016
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2132
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1412
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:96
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4304
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5128
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:5360
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:5652
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:5784
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:5796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:5140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:3068
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:4596
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:6456
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:7852
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:7356
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:6140
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:8056
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:7624
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  PID:7700
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:7388
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4440
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:8128
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4420
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3280
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xyvvnnvseiqa.xml"
  2⤵
  - Creates scheduled task(s)
  PID:7968
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:7680

C:\Users\Admin\AppData\Local\Temp\is-GMU9R.tmp\is-RMU9R.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GMU9R.tmp\is-RMU9R.tmp" /SL4 $20254 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Program Files (x86)\PA Previewer\previewer.exe
  "C:\Program Files (x86)\PA Previewer\previewer.exe" -s
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Program Files (x86)\PA Previewer\previewer.exe
  "C:\Program Files (x86)\PA Previewer\previewer.exe" -i
  2⤵
  PID:2516
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\system32\net.exe" helpmsg 8
  2⤵
  PID:2772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 8
1⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\7zSA5FF.tmp\Install.exe
.\Install.exe
1⤵
PID:5848
- C:\Users\Admin\AppData\Local\Temp\7zSA9E7.tmp\Install.exe
  .\Install.exe /JUdidlwJ "385121" /S
  2⤵
  PID:2156
- - C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
    3⤵
    PID:7236
  - - C:\Windows\SysWOW64\cmd.exe
      /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
      4⤵
      PID:4992
- - C:\Windows\SysWOW64\forfiles.exe
    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
    3⤵
    PID:8124
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "giPwoKIlL" /SC once /ST 16:24:35 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:7588
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /run /I /tn "giPwoKIlL"
    3⤵
    PID:2996

C:\ProgramData\presepuesto\LEAJ.exe
C:\ProgramData\presepuesto\LEAJ.exe
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:6412

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:6404

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc PoW32kWatchdog PoW32kWatchdog-20231008-2154.dm
1⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1⤵
PID:7468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\Program Files (x86)\PA Previewer\previewer.exe

Filesize
1.9MB

MD5
27b85a95804a760da4dbee7ca800c9b4

SHA1
f03136226bf3dd38ba0aa3aad1127ccab380197c

SHA256
f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

SHA512
e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

Download Submit
C:\ProgramData\presepuesto\LEAJ.exe

Filesize
6.2MB

MD5
ab470dd42f581145478a79e4891b66ac

SHA1
23a1dc67cb9256403eb01ce469277969416878f5

SHA256
99326f7f1bbeba49536083cf460cc8ca004c1c0ef9e156b806be0c5c59f7ddd5

SHA512
27afd14aada2a12bf5f162da31ed2fcdc8e47492d82f99ea7610e231cd742eae5fa7514b1fba3d4fe1e3936f1c7613c3881f6e83d98d6e48b00433c328a41a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310082152491\additional_file0.tmp

Filesize
1.9MB

MD5
b0f128c3579e6921cfff620179fb9864

SHA1
60e19c987a96182206994ffd509d2849fdb427e3

SHA256
1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee

SHA512
17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310082152491\opera_package

Filesize
44.5MB

MD5
0ddb6bd86ed234ebfa2d1c0e09088b68

SHA1
6364193c02867ac2c11b9a402ef7dba4f5fe425a

SHA256
64fefe35d0796e1c315f95e396bd8fa5c59cd04d961b1d2b94b2b05c177107f3

SHA512
0badf1f2f251997e85cf0421fc7ed046b2c30c93990794ba47deb73b099594c4d8dd1cd84d05a28f147d28c47b12cb73780dc50b755d4656e1382837e6d7540a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

Filesize
226KB

MD5
aebaf57299cd368f842cfa98f3b1658c

SHA1
cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7

SHA256
d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce

SHA512
989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
567762f610c543a765a64c2df4d285b5

SHA1
f7bdff9c32e7d14e4b71649435206858760268cf

SHA256
c95f6f9a37246d3dc6db5067e8738d31bc8e80b998e86913fcc5b4e5e4ebc6ca

SHA512
0d8e505baab9ad2a357c9ae7523d3e680a6fedbd95bf23cee658494720eab45fcdbc4e0128e9ad00267a7480a3775d3ecdd42c734766092d7dd46d9cb366a4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
4.2MB

MD5
567762f610c543a765a64c2df4d285b5

SHA1
f7bdff9c32e7d14e4b71649435206858760268cf

SHA256
c95f6f9a37246d3dc6db5067e8738d31bc8e80b998e86913fcc5b4e5e4ebc6ca

SHA512
0d8e505baab9ad2a357c9ae7523d3e680a6fedbd95bf23cee658494720eab45fcdbc4e0128e9ad00267a7480a3775d3ecdd42c734766092d7dd46d9cb366a4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\445638973215

Filesize
66KB

MD5
5428b35a23d011785b93bd194ac19bf9

SHA1
bb2847a1d21d5ef0ad7a2b4a9c270472ef2fd76a

SHA256
80debbe7afc694d98454f4a8233aeac71de1379febfa6f0b01eabf38065bc32d

SHA512
174d932b8d8f7a77e701310bf5bbcecc45df080125e4af1a8573192beddfdab7f13244e2e9491aeccad6cca86910d516833fe07f9dd650c1154150649e9c3b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSA5FF.tmp\Install.exe

Filesize
6.1MB

MD5
66122dacf1a3ebcf39f4cc9259f43867

SHA1
181f02767c77464b25011a6cc9d11bad16cac602

SHA256
f7f696c1254930aff52889eb4e18d00194f80e3569f4703fc9ba4dd01cf7f4b7

SHA512
414012010c7e67f85b1c3abed5a1e11555ebbc0dac1bc2b5a12247293106901ce31fc640c38644661c0da3504fa223cdacdf5961c6aaea43694f06ed71660501

Download Submit
C:\Users\Admin\AppData\Local\Temp\H463K8L2P

Filesize
92KB

MD5
b026cbec847a4147a39121ef2ab08d57

SHA1
873fdf4347274d9d28185833651c464ddd23619c

SHA256
f42fa8497c679d46943757f52821896589a53d50f86d8cc55b58e0f8ee628019

SHA512
a9dd8ee84a4303eeb1ad1982641c4c72cc8117dbca9e29f1bc2091b39c7525fc9b639933676b0bfc126d345228d1876944ae9f137d47441c0f57edffd36b9606

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310082152477612080.dll

Filesize
4.7MB

MD5
e23e7fc90656694198494310a901921a

SHA1
341540eaf106932d51a3ac56cb07eeb6924f5ebd

SHA256
bf1aa65c0b76c41f6c27c89a527720958505e5568a63a7530494fb89e8fdcf75

SHA512
d0a437dac1af3587bc85a075d2ec3cf6e6cc23cdb6f4adfe8e87502c39c91807e7833b42aca63a85c0d329de89e348f71700b0ba9fca37fdf167f8b8ec25cf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
1.9MB

MD5
4c7efd165af03d720ce4a9d381bfb29a

SHA1
92b14564856155487a57db57b8a222b7f57a81e9

SHA256
f5bbe3fdc27074249c6860b8959a155e6c79571daa86e7a574656a3c5c6326b8

SHA512
38a26722e2669e7432b5a068b08ff852988a26ed875e8aa23156ea4bd0e852686ccabe6e685d5b0e888cb5755cbe424189fb8033ada37994417d3549b10637dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
1.9MB

MD5
4c7efd165af03d720ce4a9d381bfb29a

SHA1
92b14564856155487a57db57b8a222b7f57a81e9

SHA256
f5bbe3fdc27074249c6860b8959a155e6c79571daa86e7a574656a3c5c6326b8

SHA512
38a26722e2669e7432b5a068b08ff852988a26ed875e8aa23156ea4bd0e852686ccabe6e685d5b0e888cb5755cbe424189fb8033ada37994417d3549b10637dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe

Filesize
1.9MB

MD5
4c7efd165af03d720ce4a9d381bfb29a

SHA1
92b14564856155487a57db57b8a222b7f57a81e9

SHA256
f5bbe3fdc27074249c6860b8959a155e6c79571daa86e7a574656a3c5c6326b8

SHA512
38a26722e2669e7432b5a068b08ff852988a26ed875e8aa23156ea4bd0e852686ccabe6e685d5b0e888cb5755cbe424189fb8033ada37994417d3549b10637dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_clwxtoer.see.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\987123.exe

Filesize
280KB

MD5
f4c938b171b29f26a4964b45425bfcfa

SHA1
11f049d298c6176d250f99dc83bcd17c0fb8a0a8

SHA256
e9142e3ca7865f56e7d0c881b8eab627d77d9e08102191f1e55fd074a7e44fc8

SHA512
88c8902f55e53834786ab77fd8d3a1dc11140709d0935d022be4d55f8271a8bf2be7da83e2c64e8e6b394e3f333ecbb823bb86361b4fa7daa7b7726e6603d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\987123.exe

Filesize
280KB

MD5
f4c938b171b29f26a4964b45425bfcfa

SHA1
11f049d298c6176d250f99dc83bcd17c0fb8a0a8

SHA256
e9142e3ca7865f56e7d0c881b8eab627d77d9e08102191f1e55fd074a7e44fc8

SHA512
88c8902f55e53834786ab77fd8d3a1dc11140709d0935d022be4d55f8271a8bf2be7da83e2c64e8e6b394e3f333ecbb823bb86361b4fa7daa7b7726e6603d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Lopbf.exe

Filesize
778KB

MD5
5399d7a2060eca17c4c1648fd6b09505

SHA1
e809cd291f45ad73bfc0ab35b3c23883f4f4eee9

SHA256
3751dae5d0813f6ec2fcc253c65854ddad340be058b199f4eb0a540bbf878efe

SHA512
18943b818a64357bf3aa3edfb8b5cdff36376b58c5d8180610127c60ed5b944d5d454d35fbed14de7ecad4c2dda794bdbff38054d1a865737223f371cd2a8b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Lopbf.exe

Filesize
778KB

MD5
5399d7a2060eca17c4c1648fd6b09505

SHA1
e809cd291f45ad73bfc0ab35b3c23883f4f4eee9

SHA256
3751dae5d0813f6ec2fcc253c65854ddad340be058b199f4eb0a540bbf878efe

SHA512
18943b818a64357bf3aa3edfb8b5cdff36376b58c5d8180610127c60ed5b944d5d454d35fbed14de7ecad4c2dda794bdbff38054d1a865737223f371cd2a8b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Stealer.exe

Filesize
334KB

MD5
242c47b16c8755e72d7d1fdbc9ff0f17

SHA1
445486022335d121378877268cfc5a0625b53e4f

SHA256
3898dfa5cb6bbc6d6c48c202d31333d3b214d0f2ac7c4396eb54d6ed09bf24ba

SHA512
f46985cb70a351a57fcf2dfb4b6a0733ac26b93c09daecadc611c5c80e749cc5a52fe10b03a761a4c6de903f3f79bacde7c1f61d056e51040d55bb1ee77317b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Stealer.exe

Filesize
334KB

MD5
242c47b16c8755e72d7d1fdbc9ff0f17

SHA1
445486022335d121378877268cfc5a0625b53e4f

SHA256
3898dfa5cb6bbc6d6c48c202d31333d3b214d0f2ac7c4396eb54d6ed09bf24ba

SHA512
f46985cb70a351a57fcf2dfb4b6a0733ac26b93c09daecadc611c5c80e749cc5a52fe10b03a761a4c6de903f3f79bacde7c1f61d056e51040d55bb1ee77317b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe

Filesize
545KB

MD5
dc250811cd9d21cc9333e83cec40bbb8

SHA1
cea9f4e20a75ee7007f663b776565fc430878576

SHA256
571221d35fd44b833267f06b7bc7fce39ca9c7bb6cb6fed30c0cd1aa3be037a1

SHA512
be819a383d695ba564b3492d7244b3a67ec8fe62bd77607a69fd577e1cc643e9efb0e86f392cc5a5526bc3c3b44d9350422e72d2410e8c907ed086941dde5cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe

Filesize
545KB

MD5
dc250811cd9d21cc9333e83cec40bbb8

SHA1
cea9f4e20a75ee7007f663b776565fc430878576

SHA256
571221d35fd44b833267f06b7bc7fce39ca9c7bb6cb6fed30c0cd1aa3be037a1

SHA512
be819a383d695ba564b3492d7244b3a67ec8fe62bd77607a69fd577e1cc643e9efb0e86f392cc5a5526bc3c3b44d9350422e72d2410e8c907ed086941dde5cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\build5555.exe

Filesize
1.4MB

MD5
82eecea4083e39c33733428c2d845b15

SHA1
02cfb61e8cb6242890cf58e25c26136d4ce46709

SHA256
ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef

SHA512
4528e6033ea1cf4a0de232d3ec74bffead24d17dd2d4a2ceac4f73f2e2b94babd53e14bc9eca5661c41f4692b730d9096f5255936c19de7b2671bf8f226899df

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\build5555.exe

Filesize
1.4MB

MD5
82eecea4083e39c33733428c2d845b15

SHA1
02cfb61e8cb6242890cf58e25c26136d4ce46709

SHA256
ebd41d486952eddaa670358497f33abc615cd311fca173b8833575893aea83ef

SHA512
4528e6033ea1cf4a0de232d3ec74bffead24d17dd2d4a2ceac4f73f2e2b94babd53e14bc9eca5661c41f4692b730d9096f5255936c19de7b2671bf8f226899df

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\buildtest.exe

Filesize
95KB

MD5
38c00f3dbe989174579203220c7de44b

SHA1
67be09415db4aca841cddb6e3d1d6b44044d6cd9

SHA256
354d51ea315aef152ea91d36ec8a6a799b743c43ccf383187ff28a223fbe83c4

SHA512
84323956126aa91b02bd587c01539ac7fcbd80c0437e375ccc797a00cb7efda43e1312c383eb574ef59dac93c633a3cd5035112fb8a3fac29c6d7d6472824d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\buildtest.exe

Filesize
95KB

MD5
38c00f3dbe989174579203220c7de44b

SHA1
67be09415db4aca841cddb6e3d1d6b44044d6cd9

SHA256
354d51ea315aef152ea91d36ec8a6a799b743c43ccf383187ff28a223fbe83c4

SHA512
84323956126aa91b02bd587c01539ac7fcbd80c0437e375ccc797a00cb7efda43e1312c383eb574ef59dac93c633a3cd5035112fb8a3fac29c6d7d6472824d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cats.exe

Filesize
341KB

MD5
6733a0b9f804367c450d7d650612f288

SHA1
8fe29d30ee573ddfd09bb9698ae58b8dbcb808a7

SHA256
64b4fdff6a88ebf1ba203f97e6a6d0a5428033bc68dbbba82a617b45f3b49dab

SHA512
c5f002f43288f9094ac99363837c18a462277149c7ba2b68d22ba6be531705e1f1353fedd146828699f54be412ddadf5d31ace1f7869ce92f749771f95bc1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cats.exe

Filesize
341KB

MD5
6733a0b9f804367c450d7d650612f288

SHA1
8fe29d30ee573ddfd09bb9698ae58b8dbcb808a7

SHA256
64b4fdff6a88ebf1ba203f97e6a6d0a5428033bc68dbbba82a617b45f3b49dab

SHA512
c5f002f43288f9094ac99363837c18a462277149c7ba2b68d22ba6be531705e1f1353fedd146828699f54be412ddadf5d31ace1f7869ce92f749771f95bc1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cllip.exe

Filesize
6.2MB

MD5
ab470dd42f581145478a79e4891b66ac

SHA1
23a1dc67cb9256403eb01ce469277969416878f5

SHA256
99326f7f1bbeba49536083cf460cc8ca004c1c0ef9e156b806be0c5c59f7ddd5

SHA512
27afd14aada2a12bf5f162da31ed2fcdc8e47492d82f99ea7610e231cd742eae5fa7514b1fba3d4fe1e3936f1c7613c3881f6e83d98d6e48b00433c328a41a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cllip.exe

Filesize
6.2MB

MD5
ab470dd42f581145478a79e4891b66ac

SHA1
23a1dc67cb9256403eb01ce469277969416878f5

SHA256
99326f7f1bbeba49536083cf460cc8ca004c1c0ef9e156b806be0c5c59f7ddd5

SHA512
27afd14aada2a12bf5f162da31ed2fcdc8e47492d82f99ea7610e231cd742eae5fa7514b1fba3d4fe1e3936f1c7613c3881f6e83d98d6e48b00433c328a41a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\deluxe_crypted.exe

Filesize
2.1MB

MD5
d466bda2f8c5f5fb0595547e5a97d843

SHA1
f245ec07d53fbc3a9ee1309a006cac099a8548cf

SHA256
09bcfef16ebdb6eb335b71ec950e173c7488c0b071e7ad217ef66acf1e9bc5a9

SHA512
3af45d088013ffcd5e14e09bfa973ecc762cf35c9b2d722a7c029d0dffa23367272b8c2373bedbf670add6f877dd07e4c8b70126a31623b6cfbd3a7c3d71be22

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\deluxe_crypted.exe

Filesize
2.1MB

MD5
d466bda2f8c5f5fb0595547e5a97d843

SHA1
f245ec07d53fbc3a9ee1309a006cac099a8548cf

SHA256
09bcfef16ebdb6eb335b71ec950e173c7488c0b071e7ad217ef66acf1e9bc5a9

SHA512
3af45d088013ffcd5e14e09bfa973ecc762cf35c9b2d722a7c029d0dffa23367272b8c2373bedbf670add6f877dd07e4c8b70126a31623b6cfbd3a7c3d71be22

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\deluxe_crypted1234.exe

Filesize
888KB

MD5
b8303120c1bf50b01dbc9f8d6fea45d8

SHA1
6c94bd065520ce1fb4eaac4b0479ff6087573cec

SHA256
c1ae35cd9be8a69a397e7b1e24229847a71bf7ff80bf4021429ee9804bf02652

SHA512
73b6a12703d2cc5534a3e502c79b8bb8cde78ef97daa9d6e91762ee30739c16b329fb9ff29bb6a05c4089cb1bd9ebc7c289edd5454e8f862879158686021c3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\deluxe_crypted1234.exe

Filesize
888KB

MD5
b8303120c1bf50b01dbc9f8d6fea45d8

SHA1
6c94bd065520ce1fb4eaac4b0479ff6087573cec

SHA256
c1ae35cd9be8a69a397e7b1e24229847a71bf7ff80bf4021429ee9804bf02652

SHA512
73b6a12703d2cc5534a3e502c79b8bb8cde78ef97daa9d6e91762ee30739c16b329fb9ff29bb6a05c4089cb1bd9ebc7c289edd5454e8f862879158686021c3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\htmlc.exe

Filesize
303KB

MD5
90f56eefb533c21d5a62577184244aa9

SHA1
bab21f9682bb038b175a87f9c50026acffbf5150

SHA256
180fce98cac3dd64109fcf09745194ced61a15c25ff1e698754105dde6586a58

SHA512
150c6d771df9ef95a2111186e7e4dd35d403b9d437d8975e92ac6c5016114dbb1810d6894efd9655c6f34ebfb1656540cbacd491663006c091937c86aed11a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\htmlc.exe

Filesize
303KB

MD5
90f56eefb533c21d5a62577184244aa9

SHA1
bab21f9682bb038b175a87f9c50026acffbf5150

SHA256
180fce98cac3dd64109fcf09745194ced61a15c25ff1e698754105dde6586a58

SHA512
150c6d771df9ef95a2111186e7e4dd35d403b9d437d8975e92ac6c5016114dbb1810d6894efd9655c6f34ebfb1656540cbacd491663006c091937c86aed11a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lnstalIer.exe

Filesize
5.3MB

MD5
0e10ea38b2c0569203a5f46efdec60dc

SHA1
2a85e47f44d07d52a55095c78b42127e290c5069

SHA256
d4224f288dd203d784301459d37aed4a0e908f53b7b60b83c4d7f2b65cc007d1

SHA512
29e909457cfeb8de60a9eecc3aed132bb59a5bfae8e81c76c414a54b5638500adf839e3bf0f26ee56d9bad2084c34a04886d0d35a64eb8761f0cc8449bdb8f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lnstalIer.exe

Filesize
5.3MB

MD5
0e10ea38b2c0569203a5f46efdec60dc

SHA1
2a85e47f44d07d52a55095c78b42127e290c5069

SHA256
d4224f288dd203d784301459d37aed4a0e908f53b7b60b83c4d7f2b65cc007d1

SHA512
29e909457cfeb8de60a9eecc3aed132bb59a5bfae8e81c76c414a54b5638500adf839e3bf0f26ee56d9bad2084c34a04886d0d35a64eb8761f0cc8449bdb8f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\minda.exe

Filesize
13.4MB

MD5
c7f2b50a51b84d1108430e3fb119d0d4

SHA1
456b0ddbe6ab80c883835fa2de911cc94a94e001

SHA256
31c5da8614998e7836aaf3c70559f7710edbd4b536b840e0c63babfdc95c5921

SHA512
97aa1f31559bb42b690b6331d0c06c3a8c282feafea2adac4ad313ff6f1757500696c5495ccf144eb6c543bead806384d207f8eac37d8342149c6487ba794116

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\minda.exe

Filesize
13.4MB

MD5
c7f2b50a51b84d1108430e3fb119d0d4

SHA1
456b0ddbe6ab80c883835fa2de911cc94a94e001

SHA256
31c5da8614998e7836aaf3c70559f7710edbd4b536b840e0c63babfdc95c5921

SHA512
97aa1f31559bb42b690b6331d0c06c3a8c282feafea2adac4ad313ff6f1757500696c5495ccf144eb6c543bead806384d207f8eac37d8342149c6487ba794116

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\netTimer.exe

Filesize
2.8MB

MD5
e674688f489f2e6dcfdf18af1ac37858

SHA1
269430f3fce8699d09b1a5e8919c70ef89d6ab08

SHA256
2e16414b9a060e10b673f184cb2b09f163c05eb8c3e7cd2d0b87cb7b6f72912c

SHA512
c5e1d1c57414d23c4e559990bff740fc1fd87de36d5aa3363d59d1403b0a5233ed763bb21e0deab901e471ceb378a1607a17a92ff2c524447bbe4a7f3f54a496

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\netTimer.exe

Filesize
2.8MB

MD5
e674688f489f2e6dcfdf18af1ac37858

SHA1
269430f3fce8699d09b1a5e8919c70ef89d6ab08

SHA256
2e16414b9a060e10b673f184cb2b09f163c05eb8c3e7cd2d0b87cb7b6f72912c

SHA512
c5e1d1c57414d23c4e559990bff740fc1fd87de36d5aa3363d59d1403b0a5233ed763bb21e0deab901e471ceb378a1607a17a92ff2c524447bbe4a7f3f54a496

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\toolspub2.exe

Filesize
279KB

MD5
b7534d01c6386124583519382c9f0b85

SHA1
aedb8aa1748af3533ecf5a660c3aa4eb3588f227

SHA256
6b8c4d830b03bd087e955254ffa65ad9756e500737a551227a56aad0cbf3eb86

SHA512
b5dc624c8e84ed89b519c9dc8df667382cdf122cf01d011bcf55900c594c780df3a5abcdfe0ee3253ed0f6f753f2da094dfc4175b29bef8400ebf1a77be34ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\trafico.exe

Filesize
425KB

MD5
79fc2bbcfaf64935a0e9cd7260735982

SHA1
2ff56bf7614cfd06e3b8f2918d94177bb9bae348

SHA256
88c4433841a3f22709ba3b3775add2ec137a2fa9b129c55e33c92cea478d47d5

SHA512
f33a33fa984f52a782689820e41fa15a31b32c78ec3027aba6bcecd3cdc87e9be9cd3f21772c6ff376f9a729e00a12ad7cf16ae4715269a1136715f0fbb9f9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\trafico.exe

Filesize
425KB

MD5
79fc2bbcfaf64935a0e9cd7260735982

SHA1
2ff56bf7614cfd06e3b8f2918d94177bb9bae348

SHA256
88c4433841a3f22709ba3b3775add2ec137a2fa9b129c55e33c92cea478d47d5

SHA512
f33a33fa984f52a782689820e41fa15a31b32c78ec3027aba6bcecd3cdc87e9be9cd3f21772c6ff376f9a729e00a12ad7cf16ae4715269a1136715f0fbb9f9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\zoeg4a5.exe

Filesize
416KB

MD5
637dbce64106ecb582f119403822e138

SHA1
da2989852244e0b0a90e8916635ab35c0f4906eb

SHA256
c82c8f3777d5193351ffc815625ad1e03e2816c88a4a4e0fdaf9c1fce8ba8921

SHA512
602a85efa48ada65dd74a76a3f814e652cf78b806947028e417f0d69c5fff49a33ab50c1ea434f629246b11b3609e0abfffe997e2521dcd030809cad5f2933db

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\zoeg4a5.exe

Filesize
416KB

MD5
637dbce64106ecb582f119403822e138

SHA1
da2989852244e0b0a90e8916635ab35c0f4906eb

SHA256
c82c8f3777d5193351ffc815625ad1e03e2816c88a4a4e0fdaf9c1fce8ba8921

SHA512
602a85efa48ada65dd74a76a3f814e652cf78b806947028e417f0d69c5fff49a33ab50c1ea434f629246b11b3609e0abfffe997e2521dcd030809cad5f2933db

Download Submit
C:\Users\Admin\AppData\Local\Temp\dslwsx.exe

Filesize
167KB

MD5
4c8ad0278799a9b8d2c6cb18670d9ad8

SHA1
aa81206db55e8cb1ca12c4310768430420e40bb6

SHA256
d9905be210770b924b678eb92683d9e560293351881d070a1a26659763f81926

SHA512
0449472a82f53a3656c69c45397212a25c8d2e4e61ef5bd820dccf34ffddbd42a6d13907e353d9f16f51ae6678eb43c27eaa5810f3790051252665a302918e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\dslwsx.exe

Filesize
167KB

MD5
4c8ad0278799a9b8d2c6cb18670d9ad8

SHA1
aa81206db55e8cb1ca12c4310768430420e40bb6

SHA256
d9905be210770b924b678eb92683d9e560293351881d070a1a26659763f81926

SHA512
0449472a82f53a3656c69c45397212a25c8d2e4e61ef5bd820dccf34ffddbd42a6d13907e353d9f16f51ae6678eb43c27eaa5810f3790051252665a302918e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\dslwsx.exe

Filesize
167KB

MD5
4c8ad0278799a9b8d2c6cb18670d9ad8

SHA1
aa81206db55e8cb1ca12c4310768430420e40bb6

SHA256
d9905be210770b924b678eb92683d9e560293351881d070a1a26659763f81926

SHA512
0449472a82f53a3656c69c45397212a25c8d2e4e61ef5bd820dccf34ffddbd42a6d13907e353d9f16f51ae6678eb43c27eaa5810f3790051252665a302918e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\grnygiepllh.d

Filesize
205KB

MD5
5441b38cdb8e10b3f57e5b13ffd93b5a

SHA1
c10d3f23524aadcad3b3dc8d600636b478fdc9f3

SHA256
660ba8058e16df44482ce35879d35bf4a9349f4e709c701b5b05ffd238d44739

SHA512
9196dbc80838763cc4d232e609f545ec8c0fe3f386746fd357c8ec773f7f0e066109f22813af101c6305687ab337ef58c51f79c1118d5433bac8d550646a4c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6ABVQ.tmp\XVxfiziRJNx5s14H7alvp3Md.tmp

Filesize
3.1MB

MD5
ebec033f87337532b23d9398f649eec9

SHA1
c4335168ec2f70621f11f614fe24ccd16d15c9fb

SHA256
82fdd2282cf61cfa6155c51a82c4db79487ffeb377d0245d513edeb44d731c16

SHA512
3875c2dd9bbeb5be00c2ccf8391bcb92d328a3294ce5c2d31fd09f20d80e12bd610d5473dfc2e13962578e4bb75336615cdf16251489a31ecbe4873d09cf1b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EMA33.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EMA33.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GMU9R.tmp\is-RMU9R.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GMU9R.tmp\is-RMU9R.tmp

Filesize
647KB

MD5
2fba5642cbcaa6857c3995ccb5d2ee2a

SHA1
91fe8cd860cba7551fbf78bc77cc34e34956e8cc

SHA256
ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa

SHA512
30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos.exe

Filesize
8KB

MD5
076ab7d1cc5150a5e9f8745cc5f5fb6c

SHA1
7b40783a27a38106e2cc91414f2bc4d8b484c578

SHA256
d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

SHA512
75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos1.exe

Filesize
1.4MB

MD5
85b698363e74ba3c08fc16297ddc284e

SHA1
171cfea4a82a7365b241f16aebdb2aad29f4f7c0

SHA256
78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe

SHA512
7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\s68.0.bat

Filesize
173B

MD5
88b35ddb7b7a9aed80a2214d2b6a485e

SHA1
de269ffe6f7d320ca0c7a09f54547c769eff94a6

SHA256
a0a26e97287d89eb457509c776f4227086dfd9671e98d4002ccc8463e561ac74

SHA512
3c766a5835940cdba8a39fb026c58a5ef8ff82e9c6b45f45ce5adb50ac069986b8cbf9e91c26238e891cb4308e2130f8cf1a0fca2176693c920e545853ae843f

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.4MB

MD5
22d5269955f256a444bd902847b04a3b

SHA1
41a83de3273270c3bd5b2bd6528bdc95766aa268

SHA256
ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd

SHA512
d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
278KB

MD5
d2ff6b5f2b7469fe3f6dc12c573735d1

SHA1
62a82a6d1a68eecdbbff34026a7fc9f6af78f2ef

SHA256
04969e573fe6dc8e69b1733c56164f9c53b0c33a823b940ee7a08167ff067252

SHA512
560715d7c861c218d21d21d6cd15b1150adf9e94f744d6f721eb02209c701fb87e296081d64844f574c7531045220c8ebe789c0be67dd3980043a203976a2259

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
278KB

MD5
d2ff6b5f2b7469fe3f6dc12c573735d1

SHA1
62a82a6d1a68eecdbbff34026a7fc9f6af78f2ef

SHA256
04969e573fe6dc8e69b1733c56164f9c53b0c33a823b940ee7a08167ff067252

SHA512
560715d7c861c218d21d21d6cd15b1150adf9e94f744d6f721eb02209c701fb87e296081d64844f574c7531045220c8ebe789c0be67dd3980043a203976a2259

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
278KB

MD5
d2ff6b5f2b7469fe3f6dc12c573735d1

SHA1
62a82a6d1a68eecdbbff34026a7fc9f6af78f2ef

SHA256
04969e573fe6dc8e69b1733c56164f9c53b0c33a823b940ee7a08167ff067252

SHA512
560715d7c861c218d21d21d6cd15b1150adf9e94f744d6f721eb02209c701fb87e296081d64844f574c7531045220c8ebe789c0be67dd3980043a203976a2259

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
278KB

MD5
d2ff6b5f2b7469fe3f6dc12c573735d1

SHA1
62a82a6d1a68eecdbbff34026a7fc9f6af78f2ef

SHA256
04969e573fe6dc8e69b1733c56164f9c53b0c33a823b940ee7a08167ff067252

SHA512
560715d7c861c218d21d21d6cd15b1150adf9e94f744d6f721eb02209c701fb87e296081d64844f574c7531045220c8ebe789c0be67dd3980043a203976a2259

Download Submit
C:\Users\Admin\AppData\Local\c1hI4MGa3R6PobfJuxwSC8rx.exe

Filesize
5.2MB

MD5
7af78ecfa55e8aeb8b699076266f7bcf

SHA1
432c9deb88d92ae86c55de81af26527d7d1af673

SHA256
f7284ade2ca0aeb432cf1fdae5ab0c724f81d10b914f6d4c2c15ef0f60ff316e

SHA512
3c0ae6b6e4a896da52faff4fb2e958abb2856330cbba6ff4b7a59e7512475e1739cccf2cfda7dde492f381d3225263bc77e3154983e86933fa074696e92a059e

Download Submit
C:\Users\Admin\AppData\Local\ceI8kB87QyESOOvEwzrpwqRa.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\AppData\Local\inlweZYPFKxvqwNfNVScIQeY.exe

Filesize
5.6MB

MD5
fe469d9ce18f3bd33de41b8fd8701c4d

SHA1
99411eab81e0d7e8607e8fe0f715f635e541e52a

SHA256
b253f2cc3cafc35941d978a4d14b65610e641cb461e862fb0c155f3c30ce127a

SHA512
5b40c5259d01944e718bb14b8e6b994f2ea5bd391058aa8d086033cd609cb54231c7e07b4ab307ecfd5be28936e1c5576d3448504b99d9ac05c5442e5e1e85d9

Download Submit
C:\Users\Admin\AppData\Local\r9xSgE39jGyTb7mCnC26NPoT.exe

Filesize
4.2MB

MD5
1ddcd4e2aa0f6817b0990dadf887ed3a

SHA1
4f5e7d264ecfdbe47afcee5bfb4b8eaf4b8739fa

SHA256
867901138440929aaf9de90f48a5134c65c092f2de35f84cdbcb6d8ac6e46f26

SHA512
74c98dd8bc73f7b9bc441428f5415c0f39cc06bcc60809c450fbc1b02a9cc9839fec9a6ece870b0b20618c676bc6777b1ebdf0504376f1d9c41900d679b2959c

Download Submit
C:\Users\Admin\AppData\Roaming\DigitalPulse\is-N4NM7.tmp

Filesize
10.5MB

MD5
3945df42a2cbe47502705ecde2ff2a87

SHA1
1545a5a72ffaf6c6c8e9df0ca6aa8d2aff5cc5b5

SHA256
c767ecc88396047716862b881480450b517715bfc7bdd12c878cf2d54262f1f8

SHA512
0850ac896ae1d8e766d34746294d212fe071c45e0f740085d37236e0caa05d823ad4ddfeba2baf1bcc71b20612058f08dbafd62fb3deb1a8ed1074d2eae71ead

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2445638973-2158012892-84912826-1000\0f5007522459c86e95ffcc62f32308f1_af46e3cf-7ea1-499d-b1c2-77ac54aa606b

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2445638973-2158012892-84912826-1000\0f5007522459c86e95ffcc62f32308f1_af46e3cf-7ea1-499d-b1c2-77ac54aa606b

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
6cfc7bfacf31b46d8b9961cac8ded329

SHA1
1342a2e32c90156c5bd6a545e2feb2ac2094a4a8

SHA256
5adab101a149b289b9cd64b9ecbb8f720c254d618e51e9976e7f53e3e9e236cd

SHA512
df9a55acf747cb735c3f1a25596058358bda9e3ccf8e453c0945e7d31e89535504e7fff2c828270fb4c19fe6dfecf6be29d32254d8c5e322fe570ff64b5a3a87

Download Submit
C:\Users\Admin\AppData\Roaming\a967e0f403b652\cred64.dll

Filesize
1.1MB

MD5
4bd56443d35c388dbeabd8357c73c67d

SHA1
26248ce8165b788e2964b89d54d1f1125facf8f9

SHA256
021882d0f0cdc7275247b2ef6cc02a28cf0f02971de5b9afa947ffe7b63fb867

SHA512
100dc81a0d74725d74ed3801d7828c53c36315179427e88404cb482f83afc0e8766fd86642b4396b37dd7e3262d66d7138c8b4a175354af98254869fbdd43192

Download Submit
C:\Users\Admin\Pictures\MBsejckAYiOx6nsKiov8GJN6.exe

Filesize
2.8MB

MD5
c6c03ab8d0137b81e44a2448bfbc2d2c

SHA1
c02f9e111dcb15a45960a067fda21e224bc85533

SHA256
6eca87aecac31dcf8a4b6c81da2ff76a20c8be76c2cf825549be11b119113d23

SHA512
3c5b45ce0b15494536ccd238485298255ae164b5c6d35762480c671be1fc8180834364ee2567ed78b9915d086afc96dab843ac34528cc0866dea85be745cd79e

Download Submit
C:\Users\Admin\Pictures\Mwo7lj6JIIrCoX5mW39188Bx.exe

Filesize
2.8MB

MD5
f10a553a455a634e4649be2533b2812e

SHA1
f4efd70f510357b9da442ad1d80ac6f0b30faa3c

SHA256
445e81aa38b82577b55e8e76ad59d3c72ee0e7397c5057f5d9a6391cb8321380

SHA512
4f797382f28498486e104f035cf1b0728e0ec1c9cb255244172c05c2be516f29992d1c63992d7036eae5a374653353963dea2b6e2ba90f116198aae7c63be1a7

Download Submit
C:\Users\Admin\Pictures\z41AKlurHloA8YizIDB1mHLr.exe

Filesize
7B

MD5
24fe48030f7d3097d5882535b04c3fa8

SHA1
a689a999a5e62055bda8c21b1dbe92c119308def

SHA256
424a2551d356754c882d04ac16c63e6b50b80b159549d23231001f629455756e

SHA512
45a842447d5e9c10822f7d5db1192a0e8e7917e6546dab6aebe2542b5a82bedc26aa8d96e3e99de82e2d0b662fcac70d6914248371af034b763f5dd85dab0c51

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
7cc972a3480ca0a4792dc3379a763572

SHA1
f72eb4124d24f06678052706c542340422307317

SHA256
02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5

SHA512
ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\a\trafico.exe

Filesize
425KB

MD5
79fc2bbcfaf64935a0e9cd7260735982

SHA1
2ff56bf7614cfd06e3b8f2918d94177bb9bae348

SHA256
88c4433841a3f22709ba3b3775add2ec137a2fa9b129c55e33c92cea478d47d5

SHA512
f33a33fa984f52a782689820e41fa15a31b32c78ec3027aba6bcecd3cdc87e9be9cd3f21772c6ff376f9a729e00a12ad7cf16ae4715269a1136715f0fbb9f9c3

Download Submit
\Users\Admin\AppData\Local\Temp\a\trafico.exe

Filesize
425KB

MD5
79fc2bbcfaf64935a0e9cd7260735982

SHA1
2ff56bf7614cfd06e3b8f2918d94177bb9bae348

SHA256
88c4433841a3f22709ba3b3775add2ec137a2fa9b129c55e33c92cea478d47d5

SHA512
f33a33fa984f52a782689820e41fa15a31b32c78ec3027aba6bcecd3cdc87e9be9cd3f21772c6ff376f9a729e00a12ad7cf16ae4715269a1136715f0fbb9f9c3

Download Submit
\Users\Admin\AppData\Local\Temp\is-6FOFK.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-6FOFK.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
\Users\Admin\AppData\Local\Temp\is-6FOFK.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b4786eb1e1a93633ad1b4c112514c893

SHA1
734750b771d0809c88508e4feb788d7701e6dada

SHA256
2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f

SHA512
0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

Download Submit
memory/316-190-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/316-201-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/316-194-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/316-228-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/316-181-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/316-132-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/696-2-0x000000001B2C0000-0x000000001B2D0000-memory.dmp

Filesize
64KB

Download
memory/696-25-0x000000001B2C0000-0x000000001B2D0000-memory.dmp

Filesize
64KB

Download
memory/696-0-0x0000000000830000-0x0000000000838000-memory.dmp

Filesize
32KB

Download
memory/696-15-0x00007FF95A410000-0x00007FF95ADFC000-memory.dmp

Filesize
9.9MB

Download
memory/696-1-0x00007FF95A410000-0x00007FF95ADFC000-memory.dmp

Filesize
9.9MB

Download
memory/872-219-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/1468-220-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1468-244-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1628-154-0x0000000000400000-0x0000000002668000-memory.dmp

Filesize
34.4MB

Download
memory/1628-222-0x0000000004830000-0x000000000511B000-memory.dmp

Filesize
8.9MB

Download
memory/1628-123-0x0000000004330000-0x000000000472E000-memory.dmp

Filesize
4.0MB

Download
memory/1628-204-0x0000000000400000-0x0000000002668000-memory.dmp

Filesize
34.4MB

Download
memory/1864-113-0x0000000007420000-0x0000000007432000-memory.dmp

Filesize
72KB

Download
memory/1864-183-0x0000000007CE0000-0x0000000007D46000-memory.dmp

Filesize
408KB

Download
memory/1864-89-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/1864-131-0x0000000007510000-0x000000000755B000-memory.dmp

Filesize
300KB

Download
memory/1864-110-0x0000000008210000-0x0000000008816000-memory.dmp

Filesize
6.0MB

Download
memory/1864-115-0x0000000007590000-0x000000000769A000-memory.dmp

Filesize
1.0MB

Download
memory/1864-106-0x0000000007470000-0x0000000007480000-memory.dmp

Filesize
64KB

Download
memory/1864-88-0x0000000000490000-0x00000000004EA000-memory.dmp

Filesize
360KB

Download
memory/1864-126-0x00000000074C0000-0x00000000074FE000-memory.dmp

Filesize
248KB

Download
memory/1964-99-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1964-224-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2112-216-0x00007FF76E0A0000-0x00007FF76E641000-memory.dmp

Filesize
5.6MB

Download
memory/2116-171-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2116-218-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2116-179-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2440-50-0x0000000005090000-0x00000000050C6000-memory.dmp

Filesize
216KB

Download
memory/2440-24-0x0000000000680000-0x00000000007D0000-memory.dmp

Filesize
1.3MB

Download
memory/2440-31-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-34-0x0000000004F30000-0x0000000004F78000-memory.dmp

Filesize
288KB

Download
memory/2440-35-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/2440-52-0x0000000005110000-0x000000000515C000-memory.dmp

Filesize
304KB

Download
memory/2440-180-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/2440-45-0x0000000005020000-0x0000000005066000-memory.dmp

Filesize
280KB

Download
memory/2516-195-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/2516-182-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3012-266-0x0000000001730000-0x0000000001A50000-memory.dmp

Filesize
3.1MB

Download
memory/3012-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3176-199-0x0000000001010000-0x0000000001026000-memory.dmp

Filesize
88KB

Download
memory/3208-246-0x000000001C180000-0x000000001C190000-memory.dmp

Filesize
64KB

Download
memory/3208-37-0x0000000001A10000-0x0000000001A11000-memory.dmp

Filesize
4KB

Download
memory/3208-96-0x00007FF95A410000-0x00007FF95ADFC000-memory.dmp

Filesize
9.9MB

Download
memory/3208-40-0x000000001C180000-0x000000001C190000-memory.dmp

Filesize
64KB

Download
memory/3208-13-0x0000000000FA0000-0x0000000001276000-memory.dmp

Filesize
2.8MB

Download
memory/3208-14-0x00007FF95A410000-0x00007FF95ADFC000-memory.dmp

Filesize
9.9MB

Download
memory/3292-129-0x00007FF95A410000-0x00007FF95ADFC000-memory.dmp

Filesize
9.9MB

Download
memory/3292-170-0x000000001B500000-0x000000001B510000-memory.dmp

Filesize
64KB

Download
memory/3292-122-0x00000000008C0000-0x00000000008C8000-memory.dmp

Filesize
32KB

Download
memory/3984-230-0x0000000000930000-0x0000000000932000-memory.dmp

Filesize
8KB

Download
memory/4392-92-0x00000000022B0000-0x00000000022B9000-memory.dmp

Filesize
36KB

Download
memory/4392-102-0x00000000023D0000-0x00000000024D0000-memory.dmp

Filesize
1024KB

Download
memory/4424-198-0x0000000000400000-0x0000000002284000-memory.dmp

Filesize
30.5MB

Download
memory/4424-173-0x00000000001F0000-0x00000000001FB000-memory.dmp

Filesize
44KB

Download
memory/4424-226-0x0000000002460000-0x0000000002560000-memory.dmp

Filesize
1024KB

Download
memory/4600-53-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/4600-51-0x00000000004B0000-0x0000000000624000-memory.dmp

Filesize
1.5MB

Download
memory/4600-134-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/4644-109-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4644-95-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4644-200-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4656-263-0x00007FF6F6DD0000-0x00007FF6F6E3A000-memory.dmp

Filesize
424KB

Download
memory/4768-262-0x0000000000400000-0x000000000062D000-memory.dmp

Filesize
2.2MB

Download
memory/4840-85-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4840-84-0x00000000006D0000-0x000000000072A000-memory.dmp

Filesize
360KB

Download
memory/4840-112-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/4880-237-0x0000000005280000-0x0000000005295000-memory.dmp

Filesize
84KB

Download
memory/4880-80-0x0000000005230000-0x000000000523A000-memory.dmp

Filesize
40KB

Download
memory/4880-221-0x0000000005280000-0x000000000529C000-memory.dmp

Filesize
112KB

Download
memory/4880-225-0x0000000005280000-0x0000000005295000-memory.dmp

Filesize
84KB

Download
memory/4880-223-0x0000000005280000-0x0000000005295000-memory.dmp

Filesize
84KB

Download
memory/4880-234-0x0000000005280000-0x0000000005295000-memory.dmp

Filesize
84KB

Download
memory/4880-232-0x0000000005280000-0x0000000005295000-memory.dmp

Filesize
84KB

Download
memory/4880-260-0x0000000005280000-0x0000000005295000-memory.dmp

Filesize
84KB

Download
memory/4880-240-0x0000000005280000-0x0000000005295000-memory.dmp

Filesize
84KB

Download
memory/4880-245-0x0000000005280000-0x0000000005295000-memory.dmp

Filesize
84KB

Download
memory/4880-248-0x0000000005280000-0x0000000005295000-memory.dmp

Filesize
84KB

Download
memory/4880-250-0x0000000005280000-0x0000000005295000-memory.dmp

Filesize
84KB

Download
memory/4880-252-0x0000000005280000-0x0000000005295000-memory.dmp

Filesize
84KB

Download
memory/4880-229-0x0000000005280000-0x0000000005295000-memory.dmp

Filesize
84KB

Download
memory/4880-72-0x0000000005490000-0x000000000598E000-memory.dmp

Filesize
5.0MB

Download
memory/4880-261-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/4880-77-0x0000000005B10000-0x0000000005B20000-memory.dmp

Filesize
64KB

Download
memory/4880-75-0x00000000052C0000-0x000000000535C000-memory.dmp

Filesize
624KB

Download
memory/4880-74-0x0000000005080000-0x0000000005112000-memory.dmp

Filesize
584KB

Download
memory/4880-69-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/4880-68-0x0000000000630000-0x0000000000828000-memory.dmp

Filesize
2.0MB

Download
memory/4880-256-0x0000000005280000-0x0000000005295000-memory.dmp

Filesize
84KB

Download
memory/5024-78-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download
memory/5024-16-0x0000000000600000-0x0000000001374000-memory.dmp

Filesize
13.5MB

Download
memory/5024-17-0x0000000073E20000-0x000000007450E000-memory.dmp

Filesize
6.9MB

Download