amadey | cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea

Analysis

max time kernel
0s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dce9705c0c4c3f6175d0ac758a7aaad.exe
Size

791KB
MD5

8dce9705c0c4c3f6175d0ac758a7aaad
SHA1

6648dc678a7ca05cc9efa72cbc4be49a3e10ee9b
SHA256

cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea
SHA512

f3bb6b0f0f5284051243b787cabd226ceb2aa8089726019b5f99a95f33943fea65189357bb4344fd99a2ab6d3766ba7b2837d71c0f246c5f44a32c731b5b5731
SSDEEP

12288:qiX3xOEm6Yc4aWfAPDnHo7YNQn2YcKify3ieduiDtGnSr3/35elActMblmZunnh:qEmeDnIwQ2siK3PftGnQ3v0lAca0unn

Score

10^/10

amadey redline risepro xmrig zgrat 2024 @oleh_ps @pixelscloud @rlreborn cloud tg: @fatherofcarders)evasion infostealer miner persistence rat stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

2024

195.20.16.103:20440

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

redline

Botnet

@RLREBORN Cloud TG: @FATHEROFCARDERS)

141.95.211.148:46011

Extracted

Family

redline

Botnet

@oleh_ps

185.172.128.33:8924

Extracted

Family

amadey

http://185.215.113.68

Attributes

strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

@PixelsCloud

94.156.67.230:13781

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 9 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3044-83-0x0000000000400000-0x000000000045A000-memory.dmp	family_zgrat_v1
behavioral2/memory/1332-309-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
behavioral2/memory/3044-336-0x0000000000270000-0x00000000002C8000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3044-83-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe	family_redline
behavioral2/memory/4364-131-0x00000000005A0000-0x00000000005F2000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe	family_redline
behavioral2/memory/2912-297-0x0000000002420000-0x0000000002462000-memory.dmp	family_redline
behavioral2/memory/2912-299-0x00000000049F0000-0x0000000004A2E000-memory.dmp	family_redline
behavioral2/memory/860-260-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
behavioral2/memory/3044-336-0x0000000000270000-0x00000000002C8000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/640-137-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/640-139-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/640-143-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/640-151-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/640-132-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/640-127-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3384 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

pid	process
3384	netsh.exe

.NET Reactor proctector 20 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/2260-179-0x0000000004F40000-0x00000000050EC000-memory.dmp	net_reactor
behavioral2/memory/2260-181-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/2260-187-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/2260-189-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/2260-191-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/2260-195-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/2260-193-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/2260-197-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/2260-208-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/2260-210-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/2260-227-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/2260-259-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/2260-264-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/2260-277-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/1332-309-0x0000000000400000-0x0000000000592000-memory.dmp	net_reactor
behavioral2/memory/2260-251-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/2260-232-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/2260-220-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/2260-183-0x0000000004F40000-0x00000000050E5000-memory.dmp	net_reactor
behavioral2/memory/2260-177-0x0000000005100000-0x00000000052AC000-memory.dmp	net_reactor

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

35 pastebin.com
36 pastebin.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

WerFault.exe

pid process

2888 WerFault.exe

flow	ioc
35	pastebin.com
36	pastebin.com

pid	process
2888	WerFault.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1932	sc.exe
3688	sc.exe
3944	sc.exe
1196	sc.exe
2940	sc.exe
528	sc.exe
4684	sc.exe
2008	sc.exe
1628	sc.exe
4988	sc.exe
4864	sc.exe
3572	sc.exe
3952	sc.exe
4256	sc.exe
1088	sc.exe
5004	sc.exe
1064	sc.exe
4332	sc.exe
2780	sc.exe

Program crash 49 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1436	1300	WerFault.exe	toolspub1.exe
4084	1508	WerFault.exe
2296	2700	WerFault.exe	nsa932A.tmp
2416	1508	WerFault.exe
1444	1508	WerFault.exe
3768	1508	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2700	1508	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1444	1508	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1636	1936	WerFault.exe	installs.exe
4320	1936	WerFault.exe	installs.exe
4308	1508	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2036	3236	WerFault.exe	RegAsm.exe
2016	3236	WerFault.exe	RegAsm.exe
2784	1508	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4488	1508	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3400	1508	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1088	1508	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
860	1508	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2440	1508	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3596	1508	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4524	1508	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3236	1508	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1764	1508	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4432	1508	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1564	1508	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2888	408	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3604	408	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2784	408	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2624	408	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1228	408	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1996	408	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1952	408	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1660	408	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3236	408	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4988	4264	WerFault.exe	csrss.exe
1108	4264	WerFault.exe	csrss.exe
4140	4264	WerFault.exe	csrss.exe
1416	4264	WerFault.exe	csrss.exe
1184	4264	WerFault.exe	csrss.exe
388	4264	WerFault.exe	csrss.exe
3376	4264	WerFault.exe	csrss.exe
4388	4264	WerFault.exe	csrss.exe
3716	4264	WerFault.exe	csrss.exe
2416	4264	WerFault.exe	csrss.exe
1840	4264	WerFault.exe	csrss.exe
920	4264	WerFault.exe	csrss.exe
1620	4264	WerFault.exe	csrss.exe
3488	4264	WerFault.exe	csrss.exe
3400	4264	WerFault.exe	csrss.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2772 schtasks.exe
4648 schtasks.exe
4228 schtasks.exe
1500 schtasks.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

8dce9705c0c4c3f6175d0ac758a7aaad.exe

pid process

2888 8dce9705c0c4c3f6175d0ac758a7aaad.exe

pid	process
2772	schtasks.exe
4648	schtasks.exe
4228	schtasks.exe
1500	schtasks.exe

pid	process
2888	8dce9705c0c4c3f6175d0ac758a7aaad.exe

C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe
"C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2888

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
PID:1264

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:4228

C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
"C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe"
3⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"
3⤵
PID:2468

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
4⤵
- Launches sc.exe
PID:1628

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
4⤵
- Launches sc.exe
PID:1064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"
4⤵
PID:4808

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
4⤵
- Launches sc.exe
PID:2940

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:4332

C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe"
3⤵
PID:4248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe"
3⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe"
3⤵
PID:2260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:1332

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
5⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
6⤵
PID:624

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
5⤵
PID:2444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
5⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe"
3⤵
PID:4500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4388

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
5⤵
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:468

C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe"
3⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe"
3⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
4⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 348
5⤵
- Program crash
PID:1436

C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
4⤵
PID:2512

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
"C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe"
3⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1060
4⤵
- Program crash
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 1100
4⤵
- Program crash
PID:4320

C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe"
3⤵
PID:2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
"C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe"
3⤵
PID:4980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 1080
5⤵
- Program crash
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 1228
5⤵
- Program crash
PID:2016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3644

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe"
3⤵
PID:2108

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
PID:4388

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
PID:640

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1300 -ip 1300
1⤵
PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1508 -ip 1508
1⤵
PID:856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 372
1⤵
- Program crash
PID:4084

C:\Users\Admin\AppData\Local\Temp\nsa932A.tmp
C:\Users\Admin\AppData\Local\Temp\nsa932A.tmp
1⤵
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 292
2⤵
- Program crash
PID:2296

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
2⤵
PID:1620

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
PID:4244

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
3⤵
- Launches sc.exe
PID:3688

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:3944

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
3⤵
- Launches sc.exe
PID:1196

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
3⤵
- Launches sc.exe
PID:1932

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:216

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:3276

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:4732

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:2108

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
3⤵
- Launches sc.exe
PID:4988

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
3⤵
- Launches sc.exe
PID:528

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
3⤵
- Launches sc.exe
PID:2780

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4864

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
3⤵
- Launches sc.exe
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
2⤵
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 684
3⤵
- Program crash
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 724
3⤵
- Program crash
PID:2700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 696
3⤵
- Program crash
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 748
3⤵
- Program crash
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 756
3⤵
- Program crash
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 756
3⤵
- Program crash
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 784
3⤵
- Program crash
PID:3400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 636
3⤵
- Program crash
PID:1088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 624
3⤵
- Program crash
PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 768
3⤵
- Program crash
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 952
3⤵
- Program crash
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 868
3⤵
- Program crash
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 840
3⤵
- Program crash
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 904
3⤵
- Program crash
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 932
3⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 784
3⤵
- Program crash
PID:1564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
3⤵
PID:408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 656
4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Program crash
PID:2888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 656
4⤵
- Program crash
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 728
4⤵
- Program crash
PID:2784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 736
4⤵
- Program crash
PID:2624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 716
4⤵
- Program crash
PID:1228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 644
4⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 360
4⤵
- Program crash
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 352
4⤵
- Program crash
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 336
4⤵
- Program crash
PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:3488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2908

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 388
5⤵
- Program crash
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 684
5⤵
- Program crash
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 684
5⤵
- Program crash
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 684
5⤵
- Program crash
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 760
5⤵
- Program crash
PID:1184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 776
5⤵
- Program crash
PID:388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 752
5⤵
- Program crash
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 404
5⤵
- Program crash
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 372
5⤵
- Program crash
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 908
5⤵
- Program crash
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 784
5⤵
- Program crash
PID:1840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:1672

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:2080

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:2772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 964
5⤵
- Program crash
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 980
5⤵
- Program crash
PID:1620

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 1008
5⤵
- Program crash
PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 888
5⤵
- Program crash
PID:3400

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4648

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
PID:3620

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:1924

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
2⤵
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1508 -ip 1508
1⤵
PID:1224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2700 -ip 2700
1⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 392
1⤵
- Program crash
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
1⤵
PID:3364

C:\Windows\SysWOW64\chcp.com
chcp 1251
2⤵
PID:4852

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
2⤵
- Creates scheduled task(s)
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1508 -ip 1508
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 436
1⤵
- Program crash
PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1508 -ip 1508
1⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
1⤵
PID:2540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1508 -ip 1508
1⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1508 -ip 1508
1⤵
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1936 -ip 1936
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1936 -ip 1936
1⤵
PID:1640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1508 -ip 1508
1⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3236 -ip 3236
1⤵
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3236 -ip 3236
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1508 -ip 1508
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1508 -ip 1508
1⤵
PID:896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1508 -ip 1508
1⤵
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1508 -ip 1508
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1508 -ip 1508
1⤵
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1508 -ip 1508
1⤵
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1508 -ip 1508
1⤵
PID:3508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1508 -ip 1508
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1508 -ip 1508
1⤵
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1508 -ip 1508
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1508 -ip 1508
1⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1508 -ip 1508
1⤵
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 408 -ip 408
1⤵
PID:1784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 408 -ip 408
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 408 -ip 408
1⤵
PID:3880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 408 -ip 408
1⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 408 -ip 408
1⤵
PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 408 -ip 408
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 408 -ip 408
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 408 -ip 408
1⤵
PID:2296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 408 -ip 408
1⤵
PID:432

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:3384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4264 -ip 4264
1⤵
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4264 -ip 4264
1⤵
PID:1540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4264 -ip 4264
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4264 -ip 4264
1⤵
PID:1544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4264 -ip 4264
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4264 -ip 4264
1⤵
PID:1448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4264 -ip 4264
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4264 -ip 4264
1⤵
PID:2528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4264 -ip 4264
1⤵
PID:1220

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
1⤵
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4264 -ip 4264
1⤵
PID:3896

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
PID:2316

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:3572

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:3952

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:5060

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:2480

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:4528

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:3928

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:2020

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:4552

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:4256

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:4684

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4264 -ip 4264
1⤵
PID:432

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:3284

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4264 -ip 4264
1⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4264 -ip 4264
1⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4264 -ip 4264
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4264 -ip 4264
1⤵
PID:2416

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:4512

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
1⤵
- Launches sc.exe
PID:5004

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:4032

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
628KB

MD5
b4a3cb038bb43372ac3bef23e1a59c82

SHA1
a570a0f450ab852a6a1575c7ddc0b8ab3d8888c1

SHA256
1b7e3885a13fcd252d8815cf2de9632770bc56be73d17b50cf0a7e2e44edbc87

SHA512
a4272e4696a2e8d7e1e39b3bc2163cccb47727564cc173c4986d54ceb01e1ee46d05ccf9280f358ec3ec5b8c9d486f7a05935aa38de525c52e6aa071c9757ab1

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
168KB

MD5
44ef2e123b64f56541f704fbc297ce2d

SHA1
488e75950f5721539ad257c1310b6e5e7f29629b

SHA256
e43428467e038485f2809950dfc493e6219abf194c8210d8b9872489ce7314b2

SHA512
192b1b5d46234030b3bd28fb015f9244570f218dbfb49e676394e85496461b8cd5df30504b870a6df3e867fc1b6f91fd55e189133d9287a89ba0e502d1add02e

Download Submit
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
Filesize
55KB

MD5
3d043d8f0629e5c47c54df18ec970f5e

SHA1
7e1236485a61c5663ef04ce6acc5b394ea21eaaa

SHA256
c6cba91ceec1f65469108f9e9b5acd1f4d1a8659a27df185d984fb2195c83dbe

SHA512
ca98d67d93fa341dc638449dcbf5ff71d70390c4c0b09efa8abd5112d3a00be92dd815f9c292ce371e6aa99f21e38813a08c279c6963f4356a39937b0daf4b2f

Download Submit
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
Filesize
64KB

MD5
4170409a428cda07f18e409756b246cb

SHA1
f62f985c25bb8fa739665ad8fc213e5a7e56e9a2

SHA256
ef263cd3950e5961dd168bf9408a3b6230f867b29e6960d1f97a9c57434fdc86

SHA512
2293163f0de692d5d59f4008ae4d5a259fa84760ff2c17c5aa362b0bdd0de74e1155e309b4ab184c6363ece07179c5a23fad3ce8fe797e6ea896a6a18449535d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
1dfbfa155719f83b510b162d53402188

SHA1
5b77bb156fff78643da4c559ca920f760075906c

SHA256
b6b12acf9eb1f290b6572cead9166cca3e2714e78058bef0b8b27c93e11f6831

SHA512
be0c4d568988494bdc5b94b455215ec0b6f5c00327c481d25bc8aeef683ca150f011c76f8978b4869608387a0a8b3b803f471511897443e574a8e3bd5f9b38ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
Filesize
323KB

MD5
6bbd7d448c1325b57cbb67f206bc0d57

SHA1
f06503ff5945880a318c0c0c2fd2502edf0bea72

SHA256
5375f5b08414a487cf1aa833ad9e6cc688b84bde26abdbeeecb0f4db27d39545

SHA512
1a4740989093ecc5228155ce721f311362a5f78f7ebf08bcd620b361776e519aaf9338c15fe2bfb36b0aaa459638d3c8d23e6156b78dec66efa62a0391985501

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
Filesize
228KB

MD5
9fab4c31f0ce88bf10ceccfc58d2ba47

SHA1
6c9105ef3dd48a3b4efbc257c897e41a75b0c5bb

SHA256
28f568375dde715d0fdf240087bb948d9e60b037ce833e5c2e168b24b2e30ae5

SHA512
56e9a244f7134748a3fd85a6657b819d54f0624e59097092681817d033b3bddb9698e8dd42ad3531e60c8b8d386ef694bccd41884a28917b2630ecb722e33ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
Filesize
153KB

MD5
f2fe9f71e23dcc89e41eb897f4463882

SHA1
e8b3196daf352eae2c4c5627124e180711b3fc60

SHA256
0fad825cf4b26527ef6a678ca455c0c0afa78059336fc57b7be38e368db0878f

SHA512
2cae1bc3db0ea284ac5ad82426b9e6ee888e0d2b0f2e90eb9a96bd5c1dbecc31e87add6664bd6a7bca485dbeeda4c7fa77348c05f00efe3c24d45ec180d616c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
Filesize
271KB

MD5
c02fdee48962147f583ce9a7010e2c00

SHA1
ccd5ad201e44e7356d596eae04cbaa4dea11d856

SHA256
c6fb518fee357abbfb632f9d5a470f1cbba7c313a211e685eff27dfff75fe13d

SHA512
0eaeec11634007aed338239e13f801e88a1b386e676035724319a6367b07d6f7dfd10054413fb21c8fe881c92ce1739fa0689e8b060a67419f8cab548b078c59

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
Filesize
242KB

MD5
eb08024765ae7be40c7e1dacced4cfc3

SHA1
735c28446957ceba0f2cc7087693ca77ab91e693

SHA256
721ebb84caabf3f55aaf4e91b4c1a19ff18880c31ab8f394879d0199a8b0f5ff

SHA512
c86e3800c8f92f9464ba68ec3b54dd470939251e3d1282ec7c2e937ecdfe088917f64a6649be3b740af1d0a42ca3b6d9debea075011bbfaaf2c360fe6ab97fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
Filesize
137KB

MD5
e5d3a18362aa265cc81025ead01c05f2

SHA1
a325e8eefd16a38a53c19d298e890dadd8cacef7

SHA256
f11d34aa910e4b2c7351ef4d6e704138e1ddc8009c1a7715080e3e3fc66b5bfc

SHA512
571881892956d9eeef91ec6988849bdcd59832adbfda5df7f403ea78829f7b136a59a55d15c0cc63e5cf47532bf4fe2950358072d685e6c31fcc68370b21e958

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
Filesize
115KB

MD5
a200650f4891fb6c0b9d7c1577ce9130

SHA1
892db02ba082300ca848c20d12d9b6b0920ba4d7

SHA256
9b25795e83679af6bb953bdd48250a6d7ff88538ff58e557f2ff24e5870fe16e

SHA512
86cc416e52ea5d264239e31424473ed495772027a0e79d675909dbdb5fe58060cdface0ddfbbdb763a98b443e73e4a6cc48dbb8dfc51cdddc3bf721a7fef0cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
Filesize
64KB

MD5
3a74299b6fcb289c379515a38a9ef211

SHA1
1bd4fce8de93b6d10b5c46e1b0b84b774deac625

SHA256
597983549c3a5ae51fafab0b0fd1aa3711a122a01521b2cf9971b546dcf93f6c

SHA512
3812ac654623ddd1235b111b9b5101cddf0ba37d87fe0591f95a16c95ca95bcf47d9fe266bfab421f7f4e28e2b7c5d4483b436843f7d7f8c221315f601247a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
Filesize
87KB

MD5
dcfaeb5ac19c5080f081696daa9fb74b

SHA1
ad93978daf09cae550d623d29c523ba71d3cf549

SHA256
632e0762489e0f78d578b8c0eab1a08dbba950ee6f05170bbad656d7d65cb144

SHA512
cb8b03c4ea60b020bfdc9bc913c8e94e65bb51662bf0f37dc8ec49f036377a319c0ce82d68b7ad68240784cae179c673ec2ec52998ec1d353e66e73108a3286a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
Filesize
300KB

MD5
2c470494b6dc68b2346e42542d80a0fd

SHA1
87ce1483571bf04d67be4c8cb12fb7dfef4ba299

SHA256
1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9

SHA512
c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
Filesize
274KB

MD5
a4e5972233124e2569cf5f1d564fba20

SHA1
220c1e023a3220e1825a3eb9e69383dcc572a3b2

SHA256
66eedde368f26cd54eadb4bf64d58dba705251d0c26fed44b57f42bd95e1e8bb

SHA512
859260c25e39eca58094e60174eeefe90d4e8fd931934b575da1bc35e576a40baf229e17f284810ba1de1b6f34a0f2481e629d8df1a6da21f6c4ac1e07462fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
Filesize
78KB

MD5
1dd04da465cd598ecc2f92bbcaaf7e54

SHA1
f5feebd6c07e6befadd4ccf14dd6c1da78b9f84a

SHA256
5970aaa92a6e8e6ac070684da404f7b66aac5214b05e48ea1d1569632326e2be

SHA512
b8b0d1769f967632f548e1800d1dff35c0938febdede567ee7996489734b811bdcc5db920e45bf2a9d220c286757393460371a8ee129040dd9ad6ae88ebcb954

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
Filesize
138KB

MD5
0716c86283fd5b3406eafb43eb9eb4c9

SHA1
648f6fa348d7da489f351c9dfdbcfd86c149b320

SHA256
6bfc175974ab111456bb96d7e1d5d383463300098bf7e354a4df7e84057792ac

SHA512
c84b15bfe91a0f4b8dd34f1349d7e6ad19ab5ab545c273553c33f9c0b46c9e28acee12c4d2431e9006e8a054423809f354e843616fb4551fb7cab14a93f2706d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
Filesize
165KB

MD5
3d992e3e9ea11b973cc26c418c97a399

SHA1
e372787fb535806f8d5feaa8f7eb3cd542e7cdc4

SHA256
5b7cb36f2e1419c7035fcb0afffa10f433172974498a5621aa81edf27d2ab0d6

SHA512
27be34287102132d6e8c0b177f7c94d03a5ed1ed0aa9381e6ea7878f3b32d1935cf81d56a360d31f8aeb1653b5d92e58c7a4e827d0dede55297d71cd895dd083

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
Filesize
112KB

MD5
aec084e17020db2cda0b1fbc795502c4

SHA1
b091b1f125ead72cd2268ffb3b6de7a56058c6a7

SHA256
c22964501e8a8b37fe456be552702358f7677fa2bf77014f8c0cd4605bf715ae

SHA512
a723a38985dba49725b406033e7cb044a712ed8458b99c8ad5daade4e9bd028d7643c6e3554d9908c5178e71338492571f8dde4f132c875184ef98e5315cee50

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
Filesize
36KB

MD5
9c549a5bda8ba7a4c79dbc81871844c2

SHA1
44b9b67b7b240c7759dc9f064706a36cae552c38

SHA256
33e07b98da4d5cded0ac76242a90578497214684df9de498edb602e52d6a5a64

SHA512
da35bda0c5aff641aacd589648a605e86bf0fc71ff9d2789a72f83b61751f326425127d817f9cc811a990fceba42b522a9484e942420d80a886c50f6c9959235

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
Filesize
126KB

MD5
189befdd17a9e5d245a91de4ab32aa54

SHA1
1c3b0323bffc83e87477728123ce714915226f27

SHA256
141b46f6b57ceabde0ee76a2ee2878f27e2aea5564c6e87b5818fc224cc42739

SHA512
d65ce5a8df5e831543f1fc5ddb6ebd3a588dbc92efc92342899a63aa9196c59ddc21d3524f2efd6db6df564ce5b24dded420e5cc72b1425250e5528566cc8326

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
Filesize
26KB

MD5
0bc5d03bfd717b71fd68181cc2960a86

SHA1
61a3961f17606607d94997a7f9f34faaf3f17fd0

SHA256
c796e3334a001193567387c1442a0ce6516f0895f5f52af75e427535df2a81f7

SHA512
dbb80d0d829a65258dd1370e4f77fdfcf3d006709ebc72c26b4de57408683bfb6ae009f42f4b910803867cb75b78899b22826037f184d367559e13a016c5c774

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
Filesize
23KB

MD5
3696eb9e12a8609381e2312f17b1bb8f

SHA1
fb738459344159bc3bd688095b6c8a9f8001735f

SHA256
7311a1ca8ca3bf2fdb500d59d2c0178409304dc03638ad4acb9ce4593c37fbfc

SHA512
9a116abd652baf2cce903383d4a02f6bbb5c4a9a1ad77fd6d41d2f4973b74223012232808b061e215200f866571f128785de8dd5ae7818f78157fca8b996fc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
Filesize
75KB

MD5
680af1cb5233323be8d9c23d4b798751

SHA1
1dcb879401a9da9fce91e3e5b96a3fa7929c0423

SHA256
913d68b2cd03c13e88c26175ca86db72206be664d72ff4a8b1b995a710adf877

SHA512
14484537f2f9fd729ec7d07b742780dff7e539a4d969ee2471874fcb7e17fd7236d84a28e85011b9bad4c1f365624b95a3b7bc3bee1af68ee928c3e17b03aaf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
Filesize
29KB

MD5
58a2f1dac413a2297f3cad8a56f5c8c5

SHA1
519a9a0c327909978c72a9961f59142659beadf5

SHA256
c3d93162e4fb1e0fa690ca5492fc4e7504cd767e81e6abcba2cec8d3764c7c5c

SHA512
a134e74e4c472fa530ea011fd506dc3e61e1421040717c5cc636836d0beb53068a07cadac181ff9daf4a2eb95efc018942846c6741f2d90fbef64660a7d241e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
Filesize
18KB

MD5
643844e6ca066786c598718f0e9c0da6

SHA1
9183a7112dc330fed5b949036f68fde2d02636bf

SHA256
2501e26947cbb594ad31d9f3c300ef672b4d0bcf74e688f32c3c3bd3a6959745

SHA512
ac151928c59523a65dd1c96415f073ad37a4c28b382e1ee36aef1531458c48b4e6b4f16aa3989434d0d23432a8a9ae408cf3e937d05e34ecdfbc6356fe5bdecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
Filesize
32KB

MD5
35e953b382debd5fe5cf315fb033a527

SHA1
858273599ac465f77073ba98f38d1d42eaca41b5

SHA256
67a837178b882640f05a759042888b701fa1d5acc8fcb4ec39a3f00f7539f7d5

SHA512
955a1bfb6df7253036b3054b43547d4b48dbb324c82b839ea8993a3befb664a41792724ca1ddfbd0b04d2d472b6f997d329fb59f152710f4b348f6ceaa7763ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
Filesize
27KB

MD5
9680b1486562d36d7600a57466d3e5e5

SHA1
bc1d9a416e38b4a868a97048c9fc0a170d4dadd3

SHA256
cb2a5d55cfa78ce116066b5e595508930c05e8a62787fe5a4fcaf5ab61faf90e

SHA512
7fa9f6c607ccf4f13654210257052765ad590c7ffbb6f7f182b5671a3e7ac4f8b4e446c03d2a54492d1ebdc0850d98c2dec505b0d5a5c4ea46c57ca5a998b1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
Filesize
254KB

MD5
7b4e887b50968070232a5ffffc657f03

SHA1
9e7e48c31f80086afe75e604b5222cdd2b5c09a6

SHA256
f320f9ca2deaba29fc28ae7d87b5abe85a66c84d6deb2141b5ee59d5fb1bbb27

SHA512
ae2adf8ada18bf7f0b9939aee9b0b6f3e44575285a60350f213fcfd4a1ba7ab6b3022f3805484885af451774cdd9d131c3cc0689d5878739f47b58a2be85f9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
Filesize
118KB

MD5
d73f736dee1fe82c96dbefc6af21d0bd

SHA1
4bc0c9906b5a8d2c45757597649240a3f0f8988c

SHA256
4ab05d16477f5df90df56c334016f87753b3b966a80e78cc9403186a90dcaed5

SHA512
d3265fd1ce68ff05f0dc8053a2c54812175bcaf3eb7131f76d6cb5abcf200e25f8f2ecfd3f0f9408ffddaedee66cb3c5c1d84e8cfbc83c14b15fa6192f01323f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
Filesize
27KB

MD5
41c5e8a4171718322b2b68a5d2139c6a

SHA1
7e883d9b4cc7d98d480364bea434dba5cde14e2a

SHA256
66a221704a8dfcd342adf5a52a00728cf6351433a1102ed8de5d714b1df8eb78

SHA512
a7d08b41de6bfb6d4105211ab2997b1dabeb32389b9d355a72399b9d9632a359654050f3518ec86a0621332aae7da747c20ba01bba61fccb174979189d96cf9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
Filesize
9KB

MD5
a3ccfa51cc5c082d847fb7de7cb1905a

SHA1
51aeb93f78cf6a310d277c86b6554443c5c66432

SHA256
eeb0e2d7f0c57414cb1869c2f4d2cc069497f20cede18a9696e14be4149ca695

SHA512
07faddf8911b75f97e0fd08c35504374044a7d6716f406ce36d437b4d9144258726ad25d87568a8a2d9b574c4e3dca379b8347447c4cc4f999588ef8a2fb5e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
Filesize
1KB

MD5
c9da0568b5e76fcd62fa5bf13c07a59f

SHA1
3e3fb138386563545e216e7a4c3e120c2296c640

SHA256
27b84fec84db126e7c77c75db51dc7963521c14908a305cd18613360f7bd3ffc

SHA512
9168c20e9b69ff9ce234cd22e883ed83d0b36c1bc53cd36fd5e50bf72ccb0ca97359604836fd0deaa5b9bf41c12086e2ab79076dc65100ab71b24e134dcc790d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
Filesize
22KB

MD5
959bcb90643004e03e98a8437418e1bf

SHA1
04d67c3df4fac0a06d0f613eac0e25a546850d88

SHA256
b427ffdcc7b48926860eb41272d54dbeee4b60606aaac9b007bf4cb945d34f14

SHA512
df32ba4f25391ae11bfd0c22d90fea175358f6e485e811d7522e3a63ac2fec9e093f367e3930d3d61163f3a78502c5253f5d5f98007239adc105200c6b363607

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
Filesize
49KB

MD5
c4db46f9f4de809dd318c4087eda8924

SHA1
6e7e6f7ff34cdabf5ec152bf821d19fc74bb58ce

SHA256
f4a12626f7709420e8fbdd87860365a7e6dce336440cd4df07d5814e41e29899

SHA512
17f7b1989f3cd518c1f78b695e953789f6df6a271224723de6d26befba3708eff75dcb3ff17211d1fe09113dd0c17005ee40c83997bb9827e20656ded4903bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
Filesize
5KB

MD5
a7c183b63737f20dfdc4f309961f73b2

SHA1
2e84693d2fc4f41b638e8ad58cdfb242b7ab6b4a

SHA256
3888a189bf3e6c67cb171ce4b4951902d8259ac2a44d13979a911ad4fa9143bf

SHA512
35716b390660f18b938b84b9f4ddac1ad73932f63d2c354b7f653be05d80226795c32e5649b49ee1c63b492fd9db0c85293e29c5705d460bf5f5793a846f2793

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
Filesize
92KB

MD5
82b89673f9ccf77e4bb5f7cf72b8b859

SHA1
876206287d8049ee26b701706689a35c3aad4b10

SHA256
40d509cd5b400c71f7decd77ae4d932d3325482e2fa984607e453be7bfc346fe

SHA512
433a91f1f615b8946c035ed17193e36dd3eea6563b604cb0a733f1fd65210b0c8a0fc52ee0038b2c7890735198f46b80dcef6af2994b81e41678933121531989

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
Filesize
42KB

MD5
b1678d9e10d0b3b79f13325c87fc795c

SHA1
cebea070c5d7cd1ea8f8e89253cee0ad5b89a63e

SHA256
39a4b5c291f5c85a8a5370241a7fd087f02a25d6c574da769bdb8fb90dafb25f

SHA512
0d8a861deabb0b907345133a77992203ba60e26973edd56842695fd43ab601f621007d64ccefba7867470b40db7bc43501c65d15770bf57c16a56c2c26cb8b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
64KB

MD5
ba2a9bc1d1db14042b936f0ca0ff4cd3

SHA1
150d7d8428d3a41dc1a8c76bc609c5e48903edcf

SHA256
3f7099562d1dd515b37f60ee0c7b66f06c0316d00796b806ed892f353ef83c3f

SHA512
138796b26928f0fbd72180f6f9c2ef990110734a77c459c89687122bdfc7b6ba24761506538bb34555c89fc547d30c56ee0a034fcd99a45a1a1fb531789143ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
214KB

MD5
4e0593aeb08ce977218fd8385f1cd3fc

SHA1
2511e68dfbe9dd2633879a78a90708ef4249f9ac

SHA256
8d1a0d0c3e97787043dc63d744fb4e2a51b7cf1c3a1a6b035f7bd12b0c4c4f65

SHA512
0ff4acc8d32e6e43d1aba93cc8460687ed9b4c630fc9d6398f05262132f8690d21b7c91dadaee6a142a3af81b14e7af8e950f7975be06fb4e8c47dfa82fcbcaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
82KB

MD5
dd0f2ebd1baa58596125c4470ca5354a

SHA1
6281c94667363ecd0519db7123d249846a270b89

SHA256
ee7a0aff028941ec29bc63d13bb5d01e19f2e2aed5c05e8a6a567cfcc3fdaa31

SHA512
7371c889319911f6a8e797590cefdc4ae3d612fa56d37132c9a0f2289c6362fa43077c37da370bec91798bde48a21dbb4f993a520064991d83f92dab7b3c453a

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
76KB

MD5
b7bbc5378abcaa53433b44821f35fa4a

SHA1
8d1821f05af98daea8b07a0b797f2072fc669a34

SHA256
bb0abadb072b91af9cdefb9c3be9ed55c9862c479e63a3806dec59dd99323ba6

SHA512
ce4e3f6e61681ae9462b4875c72b9fb11c1fe23d7912f2da642aab9fc89c9933eb420176fd18c963ed06cbeec0a1db7047952e1f069fb479dd3a44a84fd04359

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
48KB

MD5
7178ab7997dbabb34b82b8aa689324b9

SHA1
a2b0a1ea24d0a289941fc27ff7e2c43e49cfb98b

SHA256
b9f02b6ce87bad1523d7373c862e15d3f560dbdd074cff769d2e5a6505bdf955

SHA512
55703a3f739f789aa86c0a7e2002b124d963541d18e198be55fc91b1f05ce07e268b394cb7c3303692a7b2000dbc6999844ab7d29580cc9a91dc3858df297085

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
85KB

MD5
6fb85ce3ae54858317e41941a163fd69

SHA1
a6c992fe91159da87efc6062c5e29eacce549897

SHA256
795b6d857d8c44aaf2c2ff76775a0388546ac456642ace3d82819be204bd144f

SHA512
2894bc2deaab78e0d10a77fa04b4300c3941346290adaf927a7c5328477f3c0b9f320cc2c146fbed8c77415c09bcbac4740af43fd6b4bcf6fdf5e4ef8797d74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
20KB

MD5
153d28eb5020880be9567980d0c63241

SHA1
5ece74ff1beaf307e86c10f85e5feea20a68620b

SHA256
fb4e5f8131f813064d0faf297c192d28d59c712841bfe41de2c909eb32668218

SHA512
e840c39f8e1edc20e662b3a15b37f26ba685be439fa3eacd58340d4eb2d8ff7e18e6b8fee3eaf0bd9523742b5d76abaca8424a1ade6c00f0294126c6b457b669

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
49KB

MD5
eff9b311ffba1b3e9e08ce9c118648ff

SHA1
09fc00199b561cb7511f06ba6f3da31079731ba0

SHA256
8222008a475505a084abfc5f550b49baf1d100cb6efdc6ee4b4f2825901faeac

SHA512
bb6a625d07dd05b8115ad67b1336e7547fb9e1b53222cefda8df11d86d1d8daf480cf2fde963e4966cded9619571f78faadf6ed3bda61b16729c1079f20da734

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
39KB

MD5
2e3db171e5473faaa92dfd3e37a6664c

SHA1
854ad354d74818cbf92968ad544f8bbb84280570

SHA256
352c9c90a78379dddb4f80fcbe2d3111125853a593caa677335704f263456a1e

SHA512
98d22f3a36d406696e045b38e46ae87c3aca03aa565e1dd695fc415a27522cb6b7a887b10279b0f316342aa0498bd072fd2782d8066eb9669a92ae4ec46ebe06

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
124KB

MD5
c7aacdce06b7832ed8e306df148ab916

SHA1
67f5fb4683ef927f2c0a2c02fc9d78d882736336

SHA256
1e58ebecc40a1a0b3c681b064196a419441f283347d1f1bc416facdfad099592

SHA512
8d23f5aeead08817ad305731f73f259508e9ca2be7cacedb701b2d151ba104baf70c7a9e859098ff791cb908b254ba358e2677fc7aadf24560d3a733f54fee21

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
150KB

MD5
044e72de2b01433962c07322368c01b3

SHA1
73ae6675f7c15190eb4a29747351aa79d3684aab

SHA256
d04dce308d3d242199a0c7fed96db72f77a443ff4a4f416e35846c99486d3550

SHA512
fcb611bfbeb3d437e228ce0163d168ce057316b995236c06dfc7ceca2f3f4641ca73e97261fd784bac4b51c46d23155e413155325b8b04bd04a7dc31e83d4ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kbe1rlny.tzr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
211KB

MD5
f389728389d8e610f1eddea26a846f99

SHA1
8f78c292c49f7fcc3e9553e7b3c1dbd63671de14

SHA256
ca6cca1c5241deb8f7ed1e79c88e20aba99fb7eb74fe2202a8f33a9fb6a81310

SHA512
6e53e6da1dcd726e64d0fa34a1daaeefc2bcc9e95f3bf7eb8119ad735caaa532485a69dde1485e04f3cb9addd1efd039f221e1620cfed64f9746c8dece6b192a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
276KB

MD5
637ebad7c000d01d6aebc59d5584db72

SHA1
e0216037f5a5f04794ab7cf669d42d518d8b25f9

SHA256
64548976b5b9fce3e34736131e9382613678476bef2b396fc9b8869d197e7f13

SHA512
72484cbdd4ffaeb732f458fdac8db0033e371e33815a12a09d1cc95a79b69e73b72ed5c9e9fa9e96a9a48378968aead39bcb213a3dc0e84362d1b52a2c0d2bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
264KB

MD5
7ceb1689b7ec7bbbde7b44f7eee21ee7

SHA1
94baa8d229a451ca9ce2eac579d6d09da1941b03

SHA256
a0e946f086822920bbec750d11d955f2fdfb5c0c0224bf981969c16a08135c23

SHA512
e9bc309d614ff2835d684cc1a134101707e77d78568c0e5912af4b9b237d3a16a3a5b5825234118fa210c3b743f847f115f8a5c7ecccc10ad870487178caaac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa932A.tmp
Filesize
13KB

MD5
2646e654a15b59703f1e50519244141f

SHA1
bc53fb82cd22e4d80991305a6eb8bddae13e6fa4

SHA256
160e64d70c3626973d04e04caab2b6811f97baababfc41b8864e64ddfb30875d

SHA512
5eda308950ef6dc0f077e187d4f97eeca7f185c1cb26b6bb08d9a8ada6acec942f0b9c1ec9c9c6d33897ad89555ea2c4e7d8664f15ddc8e719acd544da1927eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa932A.tmp
Filesize
96KB

MD5
6811917b432dbe75622146e0b2644f8f

SHA1
e473e2a25b64324b9c8f541a9af5345fd3dfbfce

SHA256
12a1ee1ec0e8afb0e3d721c31badefd6162ef9b5a04ed5e311faeeeb24882898

SHA512
eb72d28289efc16e36f5202835f87115a55ead0b4435a9fec81d45dbabd69b9650bd0942e911020d3b832d4816fe10825ce04dac4d7157bb2addee6b4bd12abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc8C91.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc8C91.tmp\INetC.dll
Filesize
11KB

MD5
688a6ea4edbd6e3c64ff092dd65a0e46

SHA1
7cc769697ba6820f3ff3873b211ca02cf1db49a7

SHA256
6430c41773ebcb814edbdf884dc1526ca46524a1375c4711920da1f737db8bc0

SHA512
3ef444c0d0c04905b93c27ae70e5a80e094adeaaee1dc1c1b8085e2981f3a88220898be5d75a914566005b15cef350a609f1276a428b7117cfd499327321e172

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc8C91.tmp\INetC.dll
Filesize
20KB

MD5
43346a5cd00340c5cbe2447ca6a3fc09

SHA1
6cda6c549175fd864aff7169a3c3135b92d6885a

SHA256
1a3fdb19fd933ae075d26cba61e57031ea3935f0d6f6ab569e6f26cf3ca03057

SHA512
5a41074967e316965901c378e20e3c1d5d0aedb58a195c2a498636714e193237c09906612cf3362ab7c01c6931b28c6a917c8cbd0c414ac05cb8022fdc456cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
162KB

MD5
90b5e652d71dc62391288a4ba81d8896

SHA1
b2dd9699c618fe96b7f0548abb76f31a2bb0e71c

SHA256
1a7f8e31441516579f9151d5584e0652e98fb675387aa9252daef33705487f11

SHA512
6aca61ca6e7110c7f2d79b8d355b3548e062f008dcb9b798b6677991a9d92d240c126b058c9902ef576b75278acc85d2790dd5f516ace8a08da82b0c1358c5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
36KB

MD5
69e78afb9c9e9f221b1b293dd9db0558

SHA1
10843e9f75eba7dbe7ef3afc63f7966e784892e4

SHA256
f675b89e9d003c4cee9d72ac926a7671ede8dbb66ed52721921e17534b929573

SHA512
86f42e66b6a687b2afb44ba8118c1f7d922e8eaa04a2b86fb108c16f598b83155a1993dfbfd0e049015aa5ce27355038f8e9aa5391a7b908ec099d2398f09466

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
61KB

MD5
3add26b00aa33bdde7ef0bf9a5efc7db

SHA1
9c385e4ad787606ac9bd05b71b51ff04e060bfdc

SHA256
60394ec4b9dc222725dd5fb2dc7b7e05805895546762b46d5726f9e80e98f767

SHA512
60e6601bffbbc40aaa415fc260e1988d9177644d534e55af2e5a861d8b7996a1289b039e16bc5d3e217ff5d891b0905c6fd08a313420229be33d775a571d220c

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
164KB

MD5
d7a37978fa8e1f0c3aa829c77a7646f6

SHA1
3ab9a1fa690c0f3a5eedd617a7fc21af29b80bfb

SHA256
bdf047e7fe5c15b6ae39d4a14684adf591a7a8b0ab2bf4fde0717cf783f05d56

SHA512
4b96d7da8401290642c84d688bc72df874fe17da21fa6c9bc254c84a72f483da42665825cb0fd9bc14418912ef4a19fa7f62463847bf1f58639386f45d224c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
224KB

MD5
4fe7bef521345515a1a3e94fa4a25c3a

SHA1
081fe1bedaabd9586b4c3af635814de71d41467d

SHA256
c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4

SHA512
3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
137KB

MD5
13069355e87f7bccb5542ca303a03fca

SHA1
f6f3781ea8f302fe76a3f32b91546c8980277324

SHA256
87b18acb95ea7fcbb00519c2b2544681b95c80367b60003e0965d82037f30e07

SHA512
eeaa9d07332d55430321c6d44630a8e5fafb1168974751db91c193dd3502847e347a7671648d7f11c3c20f8c73e0736ce107d5e5d04ab3fa3b541691d7c87055

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
1KB

MD5
13d0884c9089d2118f3aeaa368a2c135

SHA1
68052e28c79ceda019076eb28601696da430cca0

SHA256
e2fad8befcd09cbd6acd298e9ac424bb7fe2fe6715fc9f9daaac3031921752ef

SHA512
2ecb2d96d66b87d5315ecc7b01148b6332658dc177306e021a4d8c81410f39c4d166ef56b1fef7532bd27bb162ce91ee6a70647dc36215a11eb0e08dd939441f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
64KB

MD5
beab4df6f5f8df3cf2bcdcfc527c279c

SHA1
e405a857272293988958a65f0bd0369185234171

SHA256
08201d4fed732a446705fdb84cc69969592a5458cf2cb9ad6750ddb9ee9c648e

SHA512
75e117d239d0e542629a74bd6e517718dbb225aac49adbec681d71dcce56707683334fd6879ce761130d0a798f335c2491085dca27af2a10442a5d538e6d206d

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
68KB

MD5
64cd44f9401a36ff5bf6a68c97145268

SHA1
533935d59224a72af5844c6b9c7df59a10b94f06

SHA256
409a6cff38b57676e55c65b0961012b7aaba2a0ecabe55c8337bb48c6cefb369

SHA512
c9e5ef36c4db2cde8bf6f283ed7e25fb4ecd9a9c8746aff78642d8eaac4b05d2ac6fec7c468ec370d8a27ff866c5d4c2f0d423f1a3569fe7902333d3ed0fc81f

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
26KB

MD5
bb89a973af4e11929ca87aa96aee7f45

SHA1
d84e87a8fd0e5287be4eaed1d14d9a4bd2befd43

SHA256
a0a6dd041c07f9fc725ee826bdb2324d6da85af3756723d2e3e90846b5bde725

SHA512
bab0efe0a268d4c4bae3bf6ab5ecba08bd1d2cfe31094606866fa29def8c4d3142f0851158bef0352fb8f1b199a8f786a7d515b4eda199102745305f5910efce

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
88KB

MD5
c3e9cd8f2757f953893ab26704bed332

SHA1
e06037970d5704d7c623858047fdfa2c8419036b

SHA256
c96a0ee18c3f177bd3377d271d553605ff00dc686a0f40b1cca53471d7a078ff

SHA512
12d8a02449abeb5fcaf3b6814942823977287b20e997de2f03aee7d5846aa6f475bcbd7eab9158a173abcef75c4f03d835517e81a6d1f65afd21fd8aaa2b50e9

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
74KB

MD5
32956a1e43cce80fc9b2adc3f11f1ef5

SHA1
30000baa671a0ad177b0245f65c9cdda13fa1800

SHA256
92d1488594e700cccd51123c0767d018626434a559fb1ef843a33a11ff22e152

SHA512
ef64c310188786094f9ce4615dfd55a4352f9cc8b21d376314facbc4f37c1fd013a870f2b50b3acbb725b4d06e658875dc0860f87aecab0a9f89ddc0c44de795

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
49KB

MD5
618c23c7c67ccb06aa6fe8355d8c8522

SHA1
d786346e094ce3cd25d6ff0eed1394a6b7f0bf7c

SHA256
27b8161c428697dd1b0c29d14f9dd382486ba995b98b51f90863aa5167e0a98e

SHA512
84a67129082e06f96e9a31cfd586c8cc612563985d793972e96e6415ce78782923240b4fdb091957463905cfb581c4a06ee6bae269b3f1b02113fb49da589f2b

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
134KB

MD5
9fdb407febdd14a8c1ccadeaf2b87027

SHA1
dfaa31c77f63129d69acd94fb1f1650b2825b12b

SHA256
afe43954b29fa541ac8f7d2c42df651941ce39a9ad5a0bd3f119b36cf92634fc

SHA512
29476613a1c365ca9f70173dc7d8526fe2c306bdc83361ee2ae30958367723b885f1c71ca3bde162e146c69d993741ee9f5f81726c86ccfb51addd5506570302

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
f1d2e16be0ad8b1e6c678eaf70e8e647

SHA1
a1ed6b335c39e45ca3e40c7ec5c3ff321a6b245a

SHA256
3fe6bf6bc1ab8a791576a4db5439256002c24d1beee8c645cd5c3b28eee480b5

SHA512
119d8a48360815c89306bcaaf96f65d136a1ac56130e67aa242153507562455e8b797691b0de3258ca7da9f0fa4e465f757b99fd3e202ca1f3f88b192e07252a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
dee7bdfd372b4e76004f987165bc988a

SHA1
bc261443e9456f23c0ff70600c04dd3daf83ad68

SHA256
903d705ba53b3bdd04379a22f5fc98b5cef9a12c9251bf4d23c0f7a8c976a090

SHA512
2d29b89fdf9d2ba6247b7476f04216f50b3a58d7c283b6be50e6619f213936a85d57edea6c94ce799d97279629bb8bf7c26a7a99c85f451fa846c8ffb355d15a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
5KB

MD5
51163ba1fde8463725f0e3535cb515b6

SHA1
193fd9adc3821b4a9a26c9f0db8cc5c427da6174

SHA256
943a5d5928c8c042c222f16cfb822f913c93533296a04918f347067897e3657f

SHA512
6c126ebe86518c1976bda89f30638ff4c9476903d8bcf9462b9fe55bf15226bc325b247b944b6a02b69b899e9de6935cc1a354cba10abca6e01829259f7b8f7c

Download Submit
C:\Windows\rss\csrss.exe
Filesize
33KB

MD5
24c638f04fbe29d3b51efd9bacf25055

SHA1
ff608050f1cb6b7fae4f930469948463e0d05107

SHA256
2c6ca281662a2b049c3eca1cc57685e815de106499d945429035e3e55f80b11a

SHA512
49b4c0f0f433d52cc5a07494dc32ebddfeb314193764d3581a638e3fd812cddeca97521b0813a0ac1e6c6c8e18e4bcba7c738dc1060e30b79da44fc9b27dfb3c

Download Submit
C:\Windows\rss\csrss.exe
Filesize
17KB

MD5
6590781d7c814d921da13507f958ea89

SHA1
155e90e271fd9a80eeeb3a12362eec26b39c6a53

SHA256
530e43a4d2c5f0ab43d7f6f602c467745d659a42b504a32b081fcf0e9e785561

SHA512
39270674536fa54264c85f581dfb134e8cceab2bb9c38d99f118a1b0cd474d0cc14ff042bbf425eccd24534623c0fa2f5ee08fbf26a32979a63cd6f629142142

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
86dcf064474fd20f25006f96ab661f01

SHA1
69375b55e39c2bab40cc6da7896762a56d631d91

SHA256
d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc

SHA512
86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963

Download Submit
memory/624-255-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/624-258-0x00007FFDB23C0000-0x00007FFDB2E81000-memory.dmp

Filesize
10.8MB

Download
memory/640-143-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/640-145-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/640-126-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/640-127-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/640-132-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/640-130-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/640-134-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/640-137-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/640-150-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/640-288-0x000001A25EBD0000-0x000001A25EBF0000-memory.dmp

Filesize
128KB

Download
memory/640-152-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/640-142-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/640-139-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/640-153-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/640-147-0x000001A25EA40000-0x000001A25EA60000-memory.dmp

Filesize
128KB

Download
memory/640-149-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/640-151-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/860-260-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/860-291-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/860-293-0x0000000005570000-0x0000000005580000-memory.dmp

Filesize
64KB

Download
memory/868-36-0x0000000000D80000-0x0000000001263000-memory.dmp

Filesize
4.9MB

Download
memory/868-186-0x0000000000D80000-0x0000000001263000-memory.dmp

Filesize
4.9MB

Download
memory/1264-138-0x00000000000E0000-0x00000000004E8000-memory.dmp

Filesize
4.0MB

Download
memory/1264-226-0x00000000000E0000-0x00000000004E8000-memory.dmp

Filesize
4.0MB

Download
memory/1264-19-0x00000000000E0000-0x00000000004E8000-memory.dmp

Filesize
4.0MB

Download
memory/1264-16-0x00000000000E0000-0x00000000004E8000-memory.dmp

Filesize
4.0MB

Download
memory/1332-309-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/1332-315-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/1556-110-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1556-118-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1556-108-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1556-111-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1556-113-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/1556-112-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/2260-177-0x0000000005100000-0x00000000052AC000-memory.dmp

Filesize
1.7MB

Download
memory/2260-313-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/2260-187-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-307-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/2260-208-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-182-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/2260-251-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-181-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-232-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-179-0x0000000004F40000-0x00000000050EC000-memory.dmp

Filesize
1.7MB

Download
memory/2260-195-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-220-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-183-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-180-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/2260-193-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-259-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-178-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/2260-184-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/2260-191-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-227-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-314-0x0000000002980000-0x0000000004980000-memory.dmp

Filesize
32.0MB

Download
memory/2260-189-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-277-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-264-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-210-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2260-197-0x0000000004F40000-0x00000000050E5000-memory.dmp

Filesize
1.6MB

Download
memory/2468-94-0x00007FF66C6E0000-0x00007FF66D11D000-memory.dmp

Filesize
10.2MB

Download
memory/2468-58-0x00007FF66C6E0000-0x00007FF66D11D000-memory.dmp

Filesize
10.2MB

Download
memory/2888-15-0x00000000006F0000-0x0000000000AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2888-2-0x00000000006F0000-0x0000000000AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2888-0-0x00000000006F0000-0x0000000000AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2888-1-0x00000000006F0000-0x0000000000AF8000-memory.dmp

Filesize
4.0MB

Download
memory/2912-298-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/2912-297-0x0000000002420000-0x0000000002462000-memory.dmp

Filesize
264KB

Download
memory/2912-302-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/2912-300-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/2912-299-0x00000000049F0000-0x0000000004A2E000-memory.dmp

Filesize
248KB

Download
memory/3044-93-0x00000000055F0000-0x00000000056FA000-memory.dmp

Filesize
1.0MB

Download
memory/3044-155-0x0000000007550000-0x00000000075A0000-memory.dmp

Filesize
320KB

Download
memory/3044-256-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/3044-148-0x0000000006390000-0x0000000006406000-memory.dmp

Filesize
472KB

Download
memory/3044-154-0x00000000066F0000-0x000000000670E000-memory.dmp

Filesize
120KB

Download
memory/3044-165-0x0000000007800000-0x00000000079C2000-memory.dmp

Filesize
1.8MB

Download
memory/3044-166-0x0000000007F00000-0x000000000842C000-memory.dmp

Filesize
5.2MB

Download
memory/3044-95-0x0000000005520000-0x000000000555C000-memory.dmp

Filesize
240KB

Download
memory/3044-91-0x00000000054C0000-0x00000000054D2000-memory.dmp

Filesize
72KB

Download
memory/3044-98-0x0000000005580000-0x00000000055CC000-memory.dmp

Filesize
304KB

Download
memory/3044-136-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/3044-83-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3044-86-0x0000000005430000-0x0000000005440000-memory.dmp

Filesize
64KB

Download
memory/3044-88-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/3044-89-0x0000000005A60000-0x0000000006078000-memory.dmp

Filesize
6.1MB

Download
memory/3044-337-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/3044-336-0x0000000000270000-0x00000000002C8000-memory.dmp

Filesize
352KB

Download
memory/4248-80-0x0000000005340000-0x0000000005350000-memory.dmp

Filesize
64KB

Download
memory/4248-84-0x0000000002DB0000-0x0000000004DB0000-memory.dmp

Filesize
32.0MB

Download
memory/4248-79-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/4248-90-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/4248-78-0x00000000008F0000-0x000000000095C000-memory.dmp

Filesize
432KB

Download
memory/4364-304-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/4364-141-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/4364-135-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/4364-133-0x00000000053B0000-0x0000000005954000-memory.dmp

Filesize
5.6MB

Download
memory/4364-140-0x0000000005080000-0x000000000508A000-memory.dmp

Filesize
40KB

Download
memory/4364-129-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/4364-305-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/4364-131-0x00000000005A0000-0x00000000005F2000-memory.dmp

Filesize
328KB

Download
memory/4388-146-0x00007FF711050000-0x00007FF711A8D000-memory.dmp

Filesize
10.2MB

Download
memory/4388-109-0x00007FF711050000-0x00007FF711A8D000-memory.dmp

Filesize
10.2MB

Download
memory/4500-229-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download
memory/4500-241-0x00000000049E0000-0x00000000049F0000-memory.dmp

Filesize
64KB

Download
memory/4500-224-0x00000000000E0000-0x0000000000136000-memory.dmp

Filesize
344KB

Download
memory/4500-275-0x0000000002340000-0x0000000004340000-memory.dmp

Filesize
32.0MB

Download
memory/4500-279-0x0000000072B90000-0x0000000073340000-memory.dmp

Filesize
7.7MB

Download