glupteba | 82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9

Resubmissions

09/04/2024, 07:01

240409-htps3scd2w 10

09/04/2024, 07:01

09/04/2024, 07:00

09/04/2024, 07:00

07/03/2024, 22:29

Analysis

max time kernel
78s
max time network
602s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document mod.exe
Size

8KB
MD5

69994ff2f00eeca9335ccd502198e05b
SHA1

b13a15a5bea65b711b835ce8eccd2a699a99cead
SHA256

2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2
SHA512

ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3
SSDEEP

96:y7ov9wc1dN1Unh3EHJ40CUJCrQt0LpCBIW12nEtgpH9GIkQYQoBNw9fnmK5iLjTv:yZyTFJfCB20LsBIW12n/eIkQ2BNg5S1

Malware Config

Extracted

Family

risepro

193.233.132.62

147.45.47.116:50500

Extracted

Family

redline

Botnet

cheat

91.198.77.158:4483

Extracted

Family

socks5systemz

http://aqubweo.ru/search/?q=67e28dd86a5cf47e155fff1a7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4de8889b5e4fa9281ae978ff71ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ef619c5ed9d9832

http://aqubweo.ru/search/?q=67e28dd86a5cf47e155fff1a7c27d78406abdd88be4b12eab517aa5c96bd86e9908748835a8bbc896c58e713bc90c91836b5281fc235a925ed3e5cd6bd974a95129070b616e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ef9c923ecf67941f

Signatures

Detect Neshta payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023461-1559.dat	family_neshta

Detect Socks5Systemz Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1812-568-0x00000000007B0000-0x0000000000853000-memory.dmp	family_socks5systemz

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral1/memory/6064-505-0x0000000002BD0000-0x00000000034BC000-memory.dmp	family_glupteba
behavioral1/memory/5124-515-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001e586-1101.dat	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023369-170.dat	family_redline
behavioral1/memory/2764-173-0x0000000000E40000-0x0000000000E5E000-memory.dmp	family_redline
behavioral1/files/0x00080000000233f0-1522.dat	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023369-170.dat	family_sectoprat
behavioral1/memory/2764-173-0x0000000000E40000-0x0000000000E5E000-memory.dmp	family_sectoprat

Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
StealthWorker
StealthWorker is golang-based brute force malware.
botnet stealthworker
Contacts a large (2272) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tupak.exe

StealthWorker payload 1 IoCs

botnet

resource	yara_rule
behavioral1/files/0x000e000000023219-1293.dat	stealthworker

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2324	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tupak.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tupak.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	timeSync.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	288c47bbc1871b439df19ff4df68f07666.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	installer.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	InstallSetup_four.exe

Executes dropped EXE 26 IoCs

pid	Process
2756	june.exe
2976	june.tmp
1932	cruisemailer.exe
1812	cruisemailer.exe
624	tupak.exe
1080	new.exe
2820	low.exe
4828	may.exe
4368	may.tmp
2832	timeSync.exe
2764	s1.exe
5888	288c47bbc1871b439df19ff4df68f07666.exe
6008	InstallSetup_four.exe
6064	288c47bbc1871b439df19ff4df68f076.exe
6116	FourthX.exe
556	installer.exe
1884	installer.tmp
972	netcorecheck_x64.exe
5124	288c47bbc1871b439df19ff4df68f076.exe
5256	netcorecheck_x64.exe
5352	netcorecheck_x64.exe
5420	netcorecheck_x64.exe
5644	u4mw.0.exe
5932	u4mw.1.exe
5208	288c47bbc1871b439df19ff4df68f076.exe
5428	288c47bbc1871b439df19ff4df68f076.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Software\Wine	tupak.exe

Loads dropped DLL 4 IoCs

pid	Process
2976	june.tmp
4368	may.tmp
2832	timeSync.exe
2832	timeSync.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000233ec-574.dat	upx
behavioral1/files/0x00080000000233ec-580.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
282	raw.githubusercontent.com
283	raw.githubusercontent.com
926	raw.githubusercontent.com
1428	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 6064 set thread context of 5124	6064	288c47bbc1871b439df19ff4df68f076.exe	122
PID 5208 set thread context of 5428	5208	288c47bbc1871b439df19ff4df68f076.exe	144

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	288c47bbc1871b439df19ff4df68f076.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5196	sc.exe
4316	sc.exe
412	sc.exe
5424	sc.exe
6028	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00070000000233dd-905.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
6140	6008	WerFault.exe	115
5948	2832	WerFault.exe	111
2656	5644	WerFault.exe	131
2256	4152	WerFault.exe	251

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	timeSync.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	timeSync.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4764	schtasks.exe
1240	schtasks.exe
5492	schtasks.exe
2020	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3696	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
2976	june.tmp
2976	june.tmp
1080	new.exe
1080	new.exe
1080	new.exe
1080	new.exe
4368	may.tmp
4368	may.tmp
4368	may.tmp
4368	may.tmp
4368	may.tmp
4368	may.tmp
4368	may.tmp
4368	may.tmp
4368	may.tmp
4368	may.tmp
4368	may.tmp
4368	may.tmp
2832	timeSync.exe
2832	timeSync.exe
2764	s1.exe
2764	s1.exe
2764	s1.exe
5488	powershell.exe
5488	powershell.exe
5488	powershell.exe
5124	288c47bbc1871b439df19ff4df68f076.exe
5124	288c47bbc1871b439df19ff4df68f076.exe
2832	timeSync.exe
2832	timeSync.exe
5200	powershell.exe
5200	powershell.exe
5200	powershell.exe
5428	288c47bbc1871b439df19ff4df68f076.exe
5428	288c47bbc1871b439df19ff4df68f076.exe
5428	288c47bbc1871b439df19ff4df68f076.exe
5428	288c47bbc1871b439df19ff4df68f076.exe
5428	288c47bbc1871b439df19ff4df68f076.exe
5428	288c47bbc1871b439df19ff4df68f076.exe
5428	288c47bbc1871b439df19ff4df68f076.exe
5428	288c47bbc1871b439df19ff4df68f076.exe
5428	288c47bbc1871b439df19ff4df68f076.exe
5428	288c47bbc1871b439df19ff4df68f076.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	848	New Text Document mod.exe
Token: SeDebugPrivilege	2764	s1.exe
Token: SeDebugPrivilege	5488	powershell.exe
Token: SeDebugPrivilege	5124	288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege	5124	288c47bbc1871b439df19ff4df68f076.exe
Token: SeDebugPrivilege	5200	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2976	june.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5932	u4mw.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 2756	848	New Text Document mod.exe	92
PID 848 wrote to memory of 2756	848	New Text Document mod.exe	92
PID 848 wrote to memory of 2756	848	New Text Document mod.exe	92
PID 2756 wrote to memory of 2976	2756	june.exe	93
PID 2756 wrote to memory of 2976	2756	june.exe	93
PID 2756 wrote to memory of 2976	2756	june.exe	93
PID 2976 wrote to memory of 1932	2976	june.tmp	96
PID 2976 wrote to memory of 1932	2976	june.tmp	96
PID 2976 wrote to memory of 1932	2976	june.tmp	96
PID 2976 wrote to memory of 1812	2976	june.tmp	97
PID 2976 wrote to memory of 1812	2976	june.tmp	97
PID 2976 wrote to memory of 1812	2976	june.tmp	97
PID 848 wrote to memory of 624	848	New Text Document mod.exe	103
PID 848 wrote to memory of 624	848	New Text Document mod.exe	103
PID 848 wrote to memory of 624	848	New Text Document mod.exe	103
PID 848 wrote to memory of 1080	848	New Text Document mod.exe	107
PID 848 wrote to memory of 1080	848	New Text Document mod.exe	107
PID 848 wrote to memory of 1080	848	New Text Document mod.exe	107
PID 848 wrote to memory of 2820	848	New Text Document mod.exe	108
PID 848 wrote to memory of 2820	848	New Text Document mod.exe	108
PID 848 wrote to memory of 2820	848	New Text Document mod.exe	108
PID 848 wrote to memory of 4828	848	New Text Document mod.exe	109
PID 848 wrote to memory of 4828	848	New Text Document mod.exe	109
PID 848 wrote to memory of 4828	848	New Text Document mod.exe	109
PID 4828 wrote to memory of 4368	4828	may.exe	110
PID 4828 wrote to memory of 4368	4828	may.exe	110
PID 4828 wrote to memory of 4368	4828	may.exe	110
PID 848 wrote to memory of 2832	848	New Text Document mod.exe	111
PID 848 wrote to memory of 2832	848	New Text Document mod.exe	111
PID 848 wrote to memory of 2832	848	New Text Document mod.exe	111
PID 848 wrote to memory of 2764	848	New Text Document mod.exe	112
PID 848 wrote to memory of 2764	848	New Text Document mod.exe	112
PID 848 wrote to memory of 2764	848	New Text Document mod.exe	112
PID 848 wrote to memory of 5888	848	New Text Document mod.exe	114
PID 848 wrote to memory of 5888	848	New Text Document mod.exe	114
PID 848 wrote to memory of 5888	848	New Text Document mod.exe	114
PID 5888 wrote to memory of 6008	5888	288c47bbc1871b439df19ff4df68f07666.exe	115
PID 5888 wrote to memory of 6008	5888	288c47bbc1871b439df19ff4df68f07666.exe	115
PID 5888 wrote to memory of 6008	5888	288c47bbc1871b439df19ff4df68f07666.exe	115
PID 5888 wrote to memory of 6064	5888	288c47bbc1871b439df19ff4df68f07666.exe	116
PID 5888 wrote to memory of 6064	5888	288c47bbc1871b439df19ff4df68f07666.exe	116
PID 5888 wrote to memory of 6064	5888	288c47bbc1871b439df19ff4df68f07666.exe	116
PID 5888 wrote to memory of 6116	5888	288c47bbc1871b439df19ff4df68f07666.exe	117
PID 5888 wrote to memory of 6116	5888	288c47bbc1871b439df19ff4df68f07666.exe	117
PID 848 wrote to memory of 556	848	New Text Document mod.exe	118
PID 848 wrote to memory of 556	848	New Text Document mod.exe	118
PID 848 wrote to memory of 556	848	New Text Document mod.exe	118
PID 556 wrote to memory of 1884	556	installer.exe	119
PID 556 wrote to memory of 1884	556	installer.exe	119
PID 556 wrote to memory of 1884	556	installer.exe	119
PID 1884 wrote to memory of 972	1884	installer.tmp	120
PID 1884 wrote to memory of 972	1884	installer.tmp	120
PID 6064 wrote to memory of 5124	6064	288c47bbc1871b439df19ff4df68f076.exe	122
PID 6064 wrote to memory of 5124	6064	288c47bbc1871b439df19ff4df68f076.exe	122
PID 6064 wrote to memory of 5124	6064	288c47bbc1871b439df19ff4df68f076.exe	122
PID 6064 wrote to memory of 5124	6064	288c47bbc1871b439df19ff4df68f076.exe	122
PID 6064 wrote to memory of 5124	6064	288c47bbc1871b439df19ff4df68f076.exe	122
PID 6064 wrote to memory of 5124	6064	288c47bbc1871b439df19ff4df68f076.exe	122
PID 6064 wrote to memory of 5124	6064	288c47bbc1871b439df19ff4df68f076.exe	122
PID 6064 wrote to memory of 5124	6064	288c47bbc1871b439df19ff4df68f076.exe	122
PID 6064 wrote to memory of 5124	6064	288c47bbc1871b439df19ff4df68f076.exe	122
PID 6064 wrote to memory of 5124	6064	288c47bbc1871b439df19ff4df68f076.exe	122
PID 6064 wrote to memory of 5124	6064	288c47bbc1871b439df19ff4df68f076.exe	122
PID 1884 wrote to memory of 5256	1884	installer.tmp	123

C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document mod.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\a\june.exe
  "C:\Users\Admin\AppData\Local\Temp\a\june.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\is-2FLTL.tmp\june.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-2FLTL.tmp\june.tmp" /SL5="$5021C,1513159,56832,C:\Users\Admin\AppData\Local\Temp\a\june.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe
      "C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe" -i
      4⤵
      Executes dropped EXE
      PID:1932
  - - C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe
      "C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe" -s
      4⤵
      Executes dropped EXE
      PID:1812
- C:\Users\Admin\AppData\Local\Temp\a\tupak.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tupak.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  PID:624
- C:\Users\Admin\AppData\Local\Temp\a\new.exe
  "C:\Users\Admin\AppData\Local\Temp\a\new.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- C:\Users\Admin\AppData\Local\Temp\a\low.exe
  "C:\Users\Admin\AppData\Local\Temp\a\low.exe"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\a\may.exe
  "C:\Users\Admin\AppData\Local\Temp\a\may.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\is-9PCME.tmp\may.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-9PCME.tmp\may.tmp" /SL5="$60208,1667658,56832,C:\Users\Admin\AppData\Local\Temp\a\may.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4368
- C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe
  "C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    PID:5928
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:3696
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 2548
    3⤵
    - Program crash
    PID:5948
- C:\Users\Admin\AppData\Local\Temp\a\s1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\s1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://lightminer.co/7171174
    3⤵
    PID:5272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff876b646f8,0x7ff876b64708,0x7ff876b64718
      4⤵
      PID:4596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,17046535115377984429,9480610286977636330,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
      4⤵
      PID:5624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,17046535115377984429,9480610286977636330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
      4⤵
      PID:5772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,17046535115377984429,9480610286977636330,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
      4⤵
      PID:1536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17046535115377984429,9480610286977636330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      PID:2676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17046535115377984429,9480610286977636330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
      4⤵
      PID:2876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17046535115377984429,9480610286977636330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
      4⤵
      PID:5344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17046535115377984429,9480610286977636330,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
      4⤵
      PID:4568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17046535115377984429,9480610286977636330,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
      4⤵
      PID:5468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17046535115377984429,9480610286977636330,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
      4⤵
      PID:5504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,17046535115377984429,9480610286977636330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
      4⤵
      PID:6120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,17046535115377984429,9480610286977636330,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
      4⤵
      PID:4216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,17046535115377984429,9480610286977636330,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
      4⤵
      PID:2284
- C:\Users\Admin\AppData\Local\Temp\a\288c47bbc1871b439df19ff4df68f07666.exe
  "C:\Users\Admin\AppData\Local\Temp\a\288c47bbc1871b439df19ff4df68f07666.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5888
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:6008
  - - C:\Users\Admin\AppData\Local\Temp\u4mw.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u4mw.0.exe"
      4⤵
      Executes dropped EXE
      PID:5644
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5644 -s 2012
        5⤵
        Program crash
        
        PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\u4mw.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u4mw.1.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        5⤵
        
        PID:4516
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:1504
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        6⤵
        Creates scheduled task(s)
        
        PID:4764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6008 -s 1516
      4⤵
      Program crash
      PID:6140
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:6064
  - - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
      "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5124
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5488
    - - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
        
        "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5208
      - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
        
        "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
        6⤵
        Executes dropped EXE
        Checks for VirtualBox DLLs, possible anti-VM trick
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        
        PID:5428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Drops file in System32 directory
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        7⤵
        
        PID:5096
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        8⤵
        Modifies Windows Firewall
        
        PID:2324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:2396
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        7⤵
        
        PID:4036
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        8⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:2712
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        9⤵
        Creates scheduled task(s)
        
        PID:1240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        9⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        9⤵
        
        PID:5300
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        9⤵
        
        PID:5956
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        9⤵
        Creates scheduled task(s)
        
        PID:5492
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        9⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        10⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        11⤵
        Launches sc.exe
        
        PID:5424
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        9⤵
        Creates scheduled task(s)
        
        PID:2020
- - C:\Users\Admin\AppData\Local\Temp\FourthX.exe
    "C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
    3⤵
    - Executes dropped EXE
    PID:6116
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      PID:856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:3060
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4916
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "UTIXDCVF"
      4⤵
      Launches sc.exe
      PID:6028
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:5196
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:412
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "UTIXDCVF"
      4⤵
      Launches sc.exe
      PID:4316
- C:\Users\Admin\AppData\Local\Temp\a\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Users\Admin\AppData\Local\Temp\is-VF558.tmp\installer.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-VF558.tmp\installer.tmp" /SL5="$A01D0,3121405,832512,C:\Users\Admin\AppData\Local\Temp\a\installer.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\is-QLFUQ.tmp\netcorecheck_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\is-QLFUQ.tmp\netcorecheck_x64.exe" Microsoft.NETCore.App 3.1.22
      4⤵
      Executes dropped EXE
      PID:972
  - - C:\Users\Admin\AppData\Local\Temp\is-QLFUQ.tmp\netcorecheck_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\is-QLFUQ.tmp\netcorecheck_x64.exe" Microsoft.NETCore.App 5.0.13
      4⤵
      Executes dropped EXE
      PID:5256
  - - C:\Users\Admin\AppData\Local\Temp\is-QLFUQ.tmp\netcorecheck_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\is-QLFUQ.tmp\netcorecheck_x64.exe" Microsoft.NETCore.App 6.0.11
      4⤵
      Executes dropped EXE
      PID:5352
  - - C:\Users\Admin\AppData\Local\Temp\is-QLFUQ.tmp\netcorecheck_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\is-QLFUQ.tmp\netcorecheck_x64.exe" Microsoft.NETCore.App 7.0.0
      4⤵
      Executes dropped EXE
      PID:5420
- C:\Users\Admin\AppData\Local\Temp\a\test.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test.exe"
  2⤵
  PID:5908
- - C:\Users\Admin\AppData\Local\Temp\a\test.exe
    "C:\Users\Admin\AppData\Local\Temp\a\test.exe"
    3⤵
    PID:5340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c fortniteselenium.bat
      4⤵
      PID:5452
- C:\Users\Admin\AppData\Local\Temp\a\1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
  2⤵
  PID:5916
- C:\Users\Admin\AppData\Local\Temp\a\pef.exe
  "C:\Users\Admin\AppData\Local\Temp\a\pef.exe"
  2⤵
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\a\p.exe
  "C:\Users\Admin\AppData\Local\Temp\a\p.exe"
  2⤵
  PID:5144
- C:\Users\Admin\AppData\Local\Temp\a\nc64.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nc64.exe"
  2⤵
  PID:5332
- C:\Users\Admin\AppData\Local\Temp\a\Rar.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Rar.exe"
  2⤵
  PID:5880
- C:\Users\Admin\AppData\Local\Temp\a\win.exe
  "C:\Users\Admin\AppData\Local\Temp\a\win.exe"
  2⤵
  PID:1016
- - C:\Windows\SysWOW64\cmd.exe
    cmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat
    3⤵
    PID:5784
- C:\Users\Admin\AppData\Local\Temp\a\beacon.exe
  "C:\Users\Admin\AppData\Local\Temp\a\beacon.exe"
  2⤵
  PID:5792
- C:\Users\Admin\AppData\Local\Temp\a\momsstiflersdgjboigfnbio.exe
  "C:\Users\Admin\AppData\Local\Temp\a\momsstiflersdgjboigfnbio.exe"
  2⤵
  PID:220
- - C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtoolsd.exe
    C:\Users\Admin\AppData\Local\Temp\eoq_cli_dbg\vmtoolsd.exe
    3⤵
    PID:2152
  - - C:\Users\Admin\AppData\Roaming\eoq_cli_dbg\vmtoolsd.exe
      "C:\Users\Admin\AppData\Roaming\eoq_cli_dbg\vmtoolsd.exe"
      4⤵
      PID:4488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        
        PID:4980
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        
        PID:2408
- C:\Users\Admin\AppData\Local\Temp\a\poolsdnkjfdbndklsnfgb.exe
  "C:\Users\Admin\AppData\Local\Temp\a\poolsdnkjfdbndklsnfgb.exe"
  2⤵
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\Updatemonitor\livecall.exe
    C:\Users\Admin\AppData\Local\Temp\Updatemonitor\livecall.exe
    3⤵
    PID:3724
  - - C:\Users\Admin\AppData\Roaming\Updatemonitor\livecall.exe
      "C:\Users\Admin\AppData\Roaming\Updatemonitor\livecall.exe"
      4⤵
      PID:4964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        
        PID:2828
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        6⤵
        
        PID:1300
- C:\Users\Admin\AppData\Local\Temp\a\tg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tg.exe"
  2⤵
  PID:5848
- C:\Users\Admin\AppData\Local\Temp\a\Vertex_Craze_20240225061753481.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Vertex_Craze_20240225061753481.exe"
  2⤵
  PID:1532
- - C:\Users\Admin\AppData\Local\Temp\3582-490\Vertex_Craze_20240225061753481.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\Vertex_Craze_20240225061753481.exe"
    3⤵
    PID:2452
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\random.exe"
  2⤵
  PID:4312
- - C:\Users\Admin\AppData\Local\Temp\a\random.exe
    C:\Users\Admin\AppData\Local\Temp\a\random.exe
    3⤵
    PID:4952
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe"
  2⤵
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe
    C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe
    3⤵
    PID:4152
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 1016
      4⤵
      Program crash
      PID:2256
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\PINNAC~1.EXE"
  2⤵
  PID:5888
- - C:\Users\Admin\AppData\Local\Temp\a\PINNAC~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\PINNAC~1.EXE
    3⤵
    PID:3772
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\QUANTU~1.EXE"
  2⤵
  PID:4444
- - C:\Users\Admin\AppData\Local\Temp\a\QUANTU~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\QUANTU~1.EXE
    3⤵
    PID:2144
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\TEST_2~1.EXE"
  2⤵
  PID:4588
- - C:\Users\Admin\AppData\Local\Temp\a\TEST_2~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\TEST_2~1.EXE
    3⤵
    PID:1380
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\GOLDPR~1.EXE"
  2⤵
  PID:3520
- - C:\Users\Admin\AppData\Local\Temp\a\GOLDPR~1.EXE
    C:\Users\Admin\AppData\Local\Temp\a\GOLDPR~1.EXE
    3⤵
    PID:2184
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3032
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\a\juditttt.exe"
  2⤵
  PID:5700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6008 -ip 6008
1⤵
PID:6096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2832 -ip 2832
1⤵
PID:1632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4352

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
1⤵
PID:4268
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 5644 -ip 5644
1⤵
PID:3084

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:6128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4152 -ip 4152
1⤵
PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\freebl3.dll

Filesize
11KB

MD5
c8137aed8c92dccdb9b24462831bfdbf

SHA1
80b3c17aad575db77c6affc53bb1d73b267e470b

SHA256
55bbe2d98c2ed8a1a269ff7012402cfb0831484710b459457454c734d5279489

SHA512
36690911017cf2297ab992bc1cdb32ffd84354eae808b59162e2a83d9371bfb0772e135554c60b4d527eb114550c4ce7889f64f88817d7c0269d169823c6058c

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\mozglue.dll

Filesize
11KB

MD5
3016af45a4c7045b394c9a131197754e

SHA1
04ddb46a00ec97a965f199fdc80bb5eb1088a5c0

SHA256
077707610bbfd5f1e371e5eebbf263de599863ae3fe3c3ca93bbe8a70eb3aedc

SHA512
1bae6407a7870c2e0720b548b4e9b5855d2a1b155ad13be48173fb3625abe4141b94d1fbbbc32f177b5646dfe929de863e9bd68794c344cda5b304e927b01244

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
11KB

MD5
513432ca71353833b1bad5786607ca02

SHA1
8a59f7fbff4b4c7cedff9cc12f6c34c0e5f41504

SHA256
88fcbe1b2929df055f2be2369efb95a6a90704d5e755d2050959a64f32c517d9

SHA512
aa8b16ec2986e74136c814fe707d74edad5ec93840c172f1eb449e5e1b8db7da5c59cb0de6f1403914c0439319257de7017171ed26b4e84e9f0be43a510864ca

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\cruisemailer.exe

Filesize
1.6MB

MD5
93bcb34ff41fb9302a3dbf3f7a759ee2

SHA1
ad2ca7aa6f8f486675ab7dfff69623a88c67ca05

SHA256
24ae78f8f8979e1dff2d42757bd4c6de9f82e58e5f95758b469d47de28a5306e

SHA512
bd9ef77bf8cb6d953f99ad45cf399e2cccf0286c4c185a59b6008841f59f05088314c8370cd388079907105c9dbc4a49eb3267664657815973b36da552400c78

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\libbz2-1.dll

Filesize
103KB

MD5
0c6452935851b7cdb3a365aecd2dd260

SHA1
83ef3cd7f985acc113a6de364bdb376dbf8d2f48

SHA256
f8385d08bd44b213ff2a2c360fe01ae8a1eda5311c7e1fc1a043c524e899a8ed

SHA512
5ff21a85ee28665c4e707c7044f122d1bac8e408a06f8ea16e33a8c9201798d196fa65b24327f208c4ff415e24a5ad2414fe7a91d9c0b0d8cff88299111f2e1d

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\libgcc_s_dw2-1.dll

Filesize
122KB

MD5
6231b452e676ade27ca0ceb3a3cf874a

SHA1
f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1

SHA256
9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf

SHA512
f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\libogg-0.dll

Filesize
40KB

MD5
f47e78ad658b2767461ea926060bf3dd

SHA1
9ba8a1909864157fd12ddee8b94536cea04d8bd6

SHA256
602c2b9f796da7ba7bf877bf624ac790724800074d0e12ffa6861e29c1a38144

SHA512
216fa5aa6027c2896ea5c499638db7298dfe311d04e1abac302d6ce7f8d3ed4b9f4761fe2f4951f6f89716ca8104fa4ce3dfeccdbca77ed10638328d0f13546b

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\libvorbis-0.dll

Filesize
57KB

MD5
e7344e7805ced8f7f238c7a4285b46f9

SHA1
bdf666b93f8305e6de695a7a68f19c636f04a992

SHA256
ef972c2244d4544431505f6edf3a6aa345a52975577c9562a5ca2a8c1a66ccd1

SHA512
771dfecb9614ac8dfc94641dec2fa42ae446f99c7d0dddbaffdcc1afcc6c2703c83c480e0229338e38f4e0a96014e233f5398e26746d489423ec5dfef57c29e9

Download Submit
C:\Users\Admin\AppData\Local\Cruise Mailer\libwinpthread-1.dll

Filesize
66KB

MD5
f06b0761d27b9e69a8f1220846ff12af

SHA1
e3a2f4f12a5291ee8ddc7a185db2699bffadfe1a

SHA256
e85aecc40854203b4a2f4a0249f875673e881119181e3df2968491e31ad372a4

SHA512
5821ea0084524569e07bb18aa2999e3193c97aa52da6932a7971a61dd03d0f08ca9a2d4f98eb96a603b99f65171f6d495d3e8f2bbb2fc90469c741ef11b514e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
b414d2c112759b635cd6998ace824512

SHA1
03ed4ea83da66cd19bd94395203195cc105566c7

SHA256
998508ab8aa1e48c75b4334e95e08660bf4557fb0421cd94acdb4e2357710bd3

SHA512
6928302d8181465a2bc8cde4117c08583bf8010b78c87b18f4600ea216aa337cdc4829b75976408a6c22950428de8e096956e720b564727ce87b3993a2447d0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
181B

MD5
d0a97bc41bc1285ff64b00d38657ca90

SHA1
33bf3fa1f1abcc77310d22f4c58b50fdecf876db

SHA256
8a55cf19c2dabf89331990f3d5b3b51f8599e6bbb64969e94e1abd9dab4e8bca

SHA512
e48fca04844dba30749baaa3afd4761187219e07819bd84ff8b2d1a64da412e4f45b772a1640631e1eb216d6e4d780cd68fad4d3da47be7714f4b4d145a1586b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8ce4d9d245926687446e719062ad22d7

SHA1
264632a8bc6d07901831097e3fe90b774e7cf901

SHA256
fdb75c5a5d730815a71010db9652332ebea86f6c202d92b464ec1e3b31d81bde

SHA512
b5d57ce2b0416bc4208534195d65d7bfaf05170e192d45fe81f37f7ffd3318eb644bd3df2038c3b817f74c70b5ebbc57eb6aa0a40be29fedd0f8d5bce9799fa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
35cda57bb77769be236f9b9a9158e994

SHA1
5e3a6fe61ab6314eb9c997d3d2d9891092ab88f9

SHA256
7dae42980539174931bca06248001050283abe2bf3b526df3003290892407a22

SHA512
472e09c3dd89c1033a5620457773ab2db99fa9880bf5309013a7c00e15c512122a14546abe66317a4452602c71d88629963db0c36d9ed619d3c7b4ca82296fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
35640b343cfca5ce471d37d25dbaa6e6

SHA1
9608b8ead939f874ed211bcef00861078a7de611

SHA256
2df2ed61b5e5a3579c07a439fb37f519b9d4bb1186dd8ac2777c6fff4656bfb0

SHA512
e8ef1fb6cb2bfe5fdde5b60a2da200f1bca3b5fe544cebcfc3faed0fc69f6eb04d583aeaf2cc010ce18072d840e43c2568400a71034c2edf7d5647a272782f7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
168e94765a68881e0dda998be8928eec

SHA1
6bb722ced79dc61b71dcaf867d87502f5ac4a1ed

SHA256
fad284672c387d683d860b6b2666b15a87e11a4dd3f7505dc20063e9f1986984

SHA512
1f0cf442011ef802246e5161d421f57e1911cab974ddc82ff6d05b1cee4cec06ea5f8e3067289dd10301b1cc3a6d5d2624a7168b595e876e6697b74ed405570d

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
210KB

MD5
d3848f2c293adaf08b84192c82dd4fe2

SHA1
7186c525e1e511bb51d268c4abf3e2bc1c16cc06

SHA256
549f26a192e91dc8f84888182cf59ad4b2ffffaf7cee859546d2ab1f19c614d5

SHA512
fa06a74e5af13a9f0b1152e59bc053a21004d28d062055e3d78902700e3f8cf3be939558ced306ff5f17489ab584529c926fedd47ad9964500fd5222f9c85084

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
126KB

MD5
24cbe2e00cf0b1009d96c50c0b1787c6

SHA1
c04c42b93a798703a7016aa1f12c03abc6e2f471

SHA256
6e338b7f68513604591e3afd3e61f3286d7d82dfa208addeb0a16e170b26ad88

SHA512
f2a948d825cbbbdfce35dba2ee8728f10f278d18ee162988462673259d48beefe892829ad7aaada37d424e5468e6f5825fe1d80a3e0f216d15eae992a3f13b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
88KB

MD5
dce4d733b6dfb2343bf0c0b7f42fba07

SHA1
f6679a7080521f120e8e897109d9c181be67b888

SHA256
5d9683ee9ddb0ff94b1e64b72d7cc1d3d64d1442162bc3915b3a5c53f08a6d8f

SHA512
b5eabc545fc3ce3eddce5f0dcdbe5623e2290dff3cdecca97439ddc8006f4dfcb3160740819e1f867f4d8c5c02bd22d0f32c1b8c57f8123f6050d575d2ce7e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.2MB

MD5
0224097668db5b17ba3a41ea1bd9d138

SHA1
71d7c3bc7f745d288ae8f99e9ab48d03142c6977

SHA256
10d3af9a6caef67b7b799e00d7aa59e59a4f6960415a95da79c7b207da27c98a

SHA512
e51116ebc1f5f5aba384639754c002d2501792429153ee6bb15519df9355dc078652616e45d5e73fb13f1f86431ba2f05b99efb998181c1e25f78dd1c688e172

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.3MB

MD5
5f1eb54fa092a19885668e597be0331c

SHA1
2576d01b5d3b8dc3d4c7ed035d4a3026d3fe4ecf

SHA256
58ffe50122e52c2a58bf0749f8a30fe4b4c124883770a449040b7a213e4ac66a

SHA512
af24084035fe7befe674833be5ee726e837be3244d1a3a2b32e371c6eecffa35fe34c856a01aaf291b78927fc7aece989c5999472ad3d2cb64e8f99a6772c72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
4.1MB

MD5
a60b385bd5e853fafedf82539ba3cedc

SHA1
9dae08f5e719d65b5426f6a86d0f863fb8d5ee0a

SHA256
e26ab27ad4b2daad3faf965873e70208f6fa88a577c930ed5a314f31a393336f

SHA512
e66e4050f19502f9003c53365b88b57591e32581d9d94d0055cdadf8633a19782cf32cd702ae60b72a2710f21da76f6257ae9787ede120f053c886218b3b312c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Vertex_Craze_20240225061753481.exe

Filesize
809KB

MD5
33b29b92bd8bca80dcfc32932fea6eb8

SHA1
e13329c304b3aa344ac97a2403a1ead823cf1b75

SHA256
0326d321db31d2ab5775eda8c4dae03a0b06b03dec651e1bd952e8d8db17fffb

SHA512
76f990a584c6cdf42dd2dc4011701bdce52779f3f1a94d8cb4e10846eba111b9d5b0481840d03f562428f25653009744ff4e8a10505394559849b479f3f20b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FourthX.exe

Filesize
64KB

MD5
02df76a7b45d874395b4274c2e5b7b1f

SHA1
1b8d7060e9fa5204fa74efeb4192a168b778e9ca

SHA256
2f84a4b95126d6047929174a1d44106d9d4f62ba23c77e10218f79eca126d7a9

SHA512
5675e3895878a8b558aa4a31e06ea9858ece0dde7eca67d7e80033a96571786790ddaa0a53859f84222eb87e6eaa451245e41b31b8b66ab946a50072d6ab249e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FourthX.exe

Filesize
1.7MB

MD5
1695e2da3a72abbab1dd3cfb8ac40b21

SHA1
f3832fbcb04e99588b2a2929d63ff88d3a94f2f2

SHA256
69ddaed01da1ee6a620c6142ab9f8015440efd70c1314563d951e8490bcecf17

SHA512
657c2379291d38ce0dbf66c3b98573ae12d8fdc6e57618ceac62ce7da9d6d145db7eae12a6fc0807e1b3999a53d405bde8eb6bf7cafc95e70a04ebde4e377cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\FourthX.exe

Filesize
1.6MB

MD5
5218ad19b026922fb6618dc06a69f036

SHA1
d71702e646c6ac65e42c89f2d3758450714871c9

SHA256
7fe8e5e1183b91de963f219ed11588ed54eba4894aed4b0dbef2de522c081dba

SHA512
74484a45eef3541078ae968ff4ed3a606978fa480d4b48031f1c063fb768d848ba71be913566dacdc70ca2ad289d72e5f51edce4a4fcc9fd4482c4bed64dae1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

Filesize
319KB

MD5
e90d116eea923bb8daf8ff301b1f6c90

SHA1
602231a9ba516d0de14833f0a73b7f30014bd7fe

SHA256
306a6d0b41b29ca87da91ae5b94571546500c597479e4167ee538216a0ee52a4

SHA512
fbab2fbb674abf44162c0eb742eb695aa849c1b29eacfcd7b0e5856a433166ae762ef967765e35b48fbbf5f98038d20232223e0d292fe263304564e67f09705a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s3ygyeb1.zkf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1.exe

Filesize
640KB

MD5
da205ea7b78c8dc32c849e402bb83c31

SHA1
8b0777eefccf6960af70006bcb7ddc0943a9761f

SHA256
d3456f52ddbb2ac4b5bc2e3d6d9eb0a2d43ffd399332f48d41ec59a574a4bea4

SHA512
a97a946f5f2095cf5498e0029b969794594b4dd5a59e23926c273b0d9a3f33df7966cabec4a84ea031e548a5e3bb219f2d02d7a9998304454cf4df3010917d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\288c47bbc1871b439df19ff4df68f07666.exe

Filesize
4.0MB

MD5
dbfbc91f87303a988ac738352bfcdc6c

SHA1
6cf59495f54a7ff6e6a468c7188322c582071627

SHA256
8cd7e07a969100c35056f936030f2d3863efe23941e7166f5971fff4be929b7a

SHA512
797d04a453194935dba6d9860eec2100f9ae89e6ff4206f01447db48d9f383ffcb39f2a53995ea0ba560bb3cf128c20338abc088756087fb5d0b254715585aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\288c47bbc1871b439df19ff4df68f07666.exe

Filesize
1.8MB

MD5
f87e194d7c200668f1298cd602d478ed

SHA1
baa7c4cfacd9be422b2059e52e942477f1859c14

SHA256
a072651140d4a887b2682af6a98f92544f4026416cda1013cdefc72dcc992898

SHA512
be51a171d5cc3201a879d1fd2f945053e6938dd65224726bb1fab1eff5fe8835682f7ca125ea3f209b0e2eb52c166fc37c2518578a8d8e13b967c5719f742625

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\288c47bbc1871b439df19ff4df68f07666.exe

Filesize
1.5MB

MD5
04490b5e5fdf537d554178ee85b068fc

SHA1
f4b785e581ffc241327f91a7ae2cf9682d284e14

SHA256
b502d3439fbb3e627651a18ee129f802175e61d00e0f2108095b32f9bdc5e1a2

SHA512
fabb06e679fbd30c6f73989ee17f0374580ad4481a805e20a095ac570a8a034bff83b8912cdef0fa0d5b71d44229e8b3d87f6bfe85e2c701ba141f505154c503

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Rar.exe

Filesize
622KB

MD5
f7c0c38bdf23992fc92ca8a55afa28f2

SHA1
e3aef33b09bea58a37f0f9a25f6ac055cb4293dd

SHA256
a9cec009503d067f241b5eddaea4e42c38edcb0b57c1b46e946c5281b7f1ea21

SHA512
2a7ecfa14ee8d3cc83b07a7f89185f1acd082622dc859c550b694a4a587abe37e2fe5006111ccb474cfb1b205f4744d2fb4235545f23131c3fd9dfb327490160

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Vertex_Craze_20240225061753481.exe

Filesize
960KB

MD5
16927a9c4b35b49e28350f53b74ddde7

SHA1
c083ded97632a36b76501b63c5a0348bce7b5f54

SHA256
a2126aa5a99a73afa162bb7c800cb07f8bfb087e717bea21925b1645eb45c56a

SHA512
3dd6c8fa4d1e0b406e4f6039500df024bb6de3ccdce3504667e27d0803e71d4c2c253f2ec7631c41822bdf1b88c2e37f5f66091756c2714f416cc69e396395c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\beacon.exe

Filesize
281KB

MD5
de65b501459697d36d11dbf2491236e7

SHA1
5714627e6db00c4e69cc8df46c41ea13281fd01d

SHA256
d4c42f794660fc88a72901227f235bd0842f876af1d709c3a02fca4a13eb3364

SHA512
fa17a41b2e52e35a272a8779cf1dd6e32fae87fcec17a777f3909bdbc7e6ee1125b2e06a79d9df22e2d97a3c09e9dd66d87cb78582351f776ad204fef53cf063

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\goldpromedffdg.exe

Filesize
319KB

MD5
0e0225b03f164fc9cb9689a284a5c785

SHA1
63fc22c1797f3b7e0f71e411344ce4c878f2a530

SHA256
88dc09b808718d7f9f1d32246c5a1db18effa7886f4bf8866ea18dd1cad9835b

SHA512
5ba8d2ad81cee6b83a0e0a60a60ada2c9c6d6b678ea64f3fe866b6e72ea2909ea0e6505e0f365aaa70261449ce41cd7a9b555574df1672e58f9184dfc0c9c6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\installer.exe

Filesize
1.8MB

MD5
f1194c95bc4646122c1682009e987634

SHA1
018ddb4740750110f8243ac36e74d6a4e0c652ed

SHA256
94dd722c1a0ed2afbaa10dab8a30a754570ca89853450456cd6aafe261a77e2c

SHA512
ec810247ef8d90d83cefe82cdfc1cc24db9f7e8824a3aa365dfd9506276ddbdba820fcfacef490f4400fd9103bad0df9ca5e151b461159aca8dcaf04b654de6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\installer.exe

Filesize
1.1MB

MD5
0920e8711fa307ebef821115838befed

SHA1
32d675d89fe88a3fb203a6d9f27031f32c221517

SHA256
10ee64bd0b4ab3497ac0591bff9ce81c4761027f9cd6036bd23d709530a5e0d5

SHA512
e3802a93d3031b29d426e9e22060e4818fe92f40fd896e6595ed534d12d6bb86f6850be551f1e6211e56e6351ea39f90f3674f9c6d2a9245713bb2f47a68ea0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\installer.exe

Filesize
512KB

MD5
67ac8e5e95d55514e782f137f28e997b

SHA1
cbd846e1315340aa0decd141238d6e5ceb3de929

SHA256
e791773845109681a1751e47fdd4170745a2e45e28b04877b52ec5077941fdbe

SHA512
4d89d6e06d70050f75a68afa2cf0d523f88b9413efb8e8c13ade672b1c1c83b9b1062f4db2331b114b04c52a5e5233b063297701948c0b58be8b413928a0dab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\juditttt.exe

Filesize
2.5MB

MD5
a57240944427875dea31430e68833662

SHA1
0ac37f92584340636389d2628d3d7b66f0f8895a

SHA256
32580587d7509ca1b41927baea3076c7f6bbdd9e24fa84dfda701e102c5fc5e9

SHA512
ada86c11a85cc398773b37706cd72b246949d6600b4260132f50efe3348544f3c181c01f4834d81d64b76d31b70f6a56c84823d0ff2ae25211d9c548cbd70473

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\june.exe

Filesize
1.8MB

MD5
8547adaf86a7ab657c3ae9f8fe0835fe

SHA1
4202647cf87c0263ad059f30b06b04f5d8a7e8a5

SHA256
55d05fd5a19e6c9163da28136e8f06f9be8654ef3099af24faa8eeb5345068e9

SHA512
336b7fcc843a253fea60526aa1800160fe27969d757edc52e22d7e8e290ebaf02921d3c5c5b8435ca7da6fcc1227e5e25fa4d21b49b459394b412cf53b0cb8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\low.exe

Filesize
249KB

MD5
a16e47ad70613c0dbec21543650bb807

SHA1
ea3bf6916f64843c92aa237a2e0fba4206497262

SHA256
095bd7063bc3c5172e2953bd50a01720b7721f4a17b8f6214ef9322da5aabda9

SHA512
73eb4e6cb4e491dba8ab6a47590e9dae8325ee5f2ac203b951b063acd0acebc57bf2007e88e5909690ec7be59f1e1356615ce77a4622e3ba9a88deec56f4b500

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\may.exe

Filesize
735KB

MD5
4386f42995c6f2f3c97d356db07877fb

SHA1
b3c2f9b081e37e93832c00874145525a8357446a

SHA256
1527326530709c6d47100ca0463a77983306c8f2e4e082489c6f0cb78e2ef059

SHA512
7863efc9f10a2fd9555ca671a576d7ff56315dd97bf5e3bdac03e6622334ed8ce24596973e72d089f9fe36da8beb97d87d11b481f97dcdbeb12037c7469bbd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\may.exe

Filesize
1.1MB

MD5
1ff5e01ffc7e43f78f4cbbf068d2fd05

SHA1
d62d10c847254ee0278b49d2f860cf80ece830fb

SHA256
b3d616fbbe06832579c44a04a3a4e2904720e44ba49aa7ab744a9a663bbcacb3

SHA512
20453ef3c6a9ff508339b5b3d665bfa8ef8fbb03274508c30de68ef459c105398d2629e71544536c3234effcb7efb5c2312281f6f24f5a938ec2c7f8a4ab8062

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\momsstiflersdgjboigfnbio.exe

Filesize
512KB

MD5
8d57ce34e4061b109200a53103734b84

SHA1
04b8e9e559e46017b4ee3c55409cda48dca5326b

SHA256
e6c461c98ddc251732e8960ea926a351be5532906501d73a4c1cc5f6ab96f815

SHA512
e1f710efd0bc612b5199dad37f01a30d525a9a4c5dc2d215a503fd49009f3774f23d5d57d1babca09850dcf400b09aac959a3d3c756b88ddfd58b9bce50b1290

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nc64.exe

Filesize
42KB

MD5
470797a25a6b21d0a46f82968fd6a184

SHA1
dac7867ee642a65262e153147552befb0b45b036

SHA256
ce80b839411b1541d09b0ede82f1477b516da0c60760079f46ba4443e1a6f419

SHA512
4bf0a43c55ce86b79b87fca3bc48927f9d049c3d67131f5fb04bd9a5c56bde79a46013be8b17a5e7ac7fcc1c0c6ba24166a5627e75c2573117a7039c7724a63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\new.exe

Filesize
2.3MB

MD5
10de029893d7898012c50d07dd6da9e9

SHA1
75e154321c1d9e682eedfee00c3d954e4eb7c0a4

SHA256
c340971d59ec3092279eb31406f70521aeaffb8597a6ad10c41e7b72f93a6167

SHA512
d83d5ff54a4c395f08eb7207591f123c8c9af8183e3d0dd0f14d87f2371939db9cb3b311cb379ace1b98fc1394fc41e96eb0f573e4609b9036e3b4ab17eabc25

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\new.exe

Filesize
817KB

MD5
c67b3bc4626f5838ec07e0c524d07b55

SHA1
312aeb84228b4e6561e96682eda879dea421ecc5

SHA256
d4ace89c18327fd2386c92fd642008eeca36db10ffb2ffb7bf513d2dd89d51c8

SHA512
9b09be836f3b4291671cbd2da8c4a99dea11d0472d0d63ef2ed56eae99c45996811b12fa68e9effd2e2e60d930d34446468a2a72249e871e976af28e250c14e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\new.exe

Filesize
921KB

MD5
b73d71e352fb2092a8a2170925076578

SHA1
ced6e4320294c54fbf41889366844bec609a5ebb

SHA256
42bf41161ce093fc2c933c1de6695a3b87100c2c79c65e345876f0c40f999d69

SHA512
8cbf19578009335429fb932154575967111908b4bef3d75433e90027866d86d86a214a0ed5877ceb50ba23f51db5600983122d1aa595b7a74deadbe4ce1ce2b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\p.exe

Filesize
391KB

MD5
031a9d832c3409593a826eb20668997a

SHA1
434c43802e7846fb35a7c85d9d8e048383d6ad61

SHA256
adb98bc1c95a9817819146a8194f1799f68ab6bfac0123408964c97fd96a3ccd

SHA512
511bc4d9070e4acca77861b5f7bc6f6b0f33597ab5b1332c7407d9afb032b5405d75361a6fcc45598332c2d8302f0cf3d1c84f8ba8193b244e7cdb1e2c91a9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pef.exe

Filesize
390KB

MD5
30c18d7c44c5cc5fcedd46f9a8f3c082

SHA1
bf2f02e3ed04733df5602366a739b1ee082885dd

SHA256
f6a2580dde68de0e01d87ca5c8b33afc2067b071402391167cfcaf132356a7d3

SHA512
5c31c25e5ef0ad4dd3b9cbf6448338f3db2f4daf41f93e1e3c1b9563fb7e05b69e32e8468c5cd4d55a368e85a2c14f7e43fbff75c37ef286a03ef4642780e18c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\poolsdnkjfdbndklsnfgb.exe

Filesize
1.8MB

MD5
2cb074f6edf3962fe0a1dde5e0488ac7

SHA1
2711749798e0dd6f5b3766359aeb4cf0e03733df

SHA256
f5d1c183bf2814b357451b19433cfe15351f9de0f09926718844150e9b83e100

SHA512
9abc0eed8f5e46a9e4121d01338f8f419dc5a290d20dbfb64f8f9a22634f4c5da23873df2228e0e8c1ab106a1d06e41da88ecf2714e5dc446ab75cabffa466e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe

Filesize
384KB

MD5
a78a5b96bcac4b344b7d185538b3e112

SHA1
9b6f7c11999369ded34630ffbd180d39a7da7845

SHA256
44cdf6d4ee52790c5950a43ddb7e3e1ac6927bea250e12171f177489673fcbfc

SHA512
ae59547d97e532f7513250a72d9ecdda898dbdec76bd6ae67ef7a1fcc1dda520b2ea4312b51ccf90ffb4dd4873f85719178a23982324a61eca37d6da81cabb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\s1.exe

Filesize
95KB

MD5
b116641699225bbcea28892995f65115

SHA1
b43f932fa89ba3ca01bbd7739a7e01d0508cfd70

SHA256
309d20f7a18a1ae1fed72e5c27b0ef2cc0d52dd1629efc250ca74b916730258f

SHA512
ac921b0d78f61070903096d31a0cf8d6a80375fbbbb5f1c211bcc8b8d88d982b40cc9088991ddd53b0fe553b0e1bf1f779a2ccae0779c756bea269cd857d79ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test.exe

Filesize
7.3MB

MD5
e383ab7954ba97d6e21a70a25395f911

SHA1
60f5399962eeabbe22374a8315be3294845d33aa

SHA256
c982682b3f4063d45606a6455b57a7a77e5d70871e2ae585f6a6e9d5fae7ac8b

SHA512
444454f5a1f0c012335b5176a0c35a8bc81a0bf5178b7e8e03f1b02a16aeb9983b459d099d48853df00d88250cdd7a49574df7c477cda248a38c69b599c4a08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tg.exe

Filesize
286KB

MD5
69b45d4bc58736d36246e384c06e9473

SHA1
41a1e6007fe97ec691fe54ffc3453feb74d0aab0

SHA256
3835fe3e13b67d406cc7c1412098bbf2fcb28371c6628539ddf46d98aa716ef2

SHA512
d5acf13c06554dfd724cb7e8f3b4dd2b91a44926b4b303c9695c4b4380d7ec6675a5514cc320f02d1e30afc62df48322cb44246f2a7fe47fb2df594f80b1b684

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe

Filesize
262KB

MD5
8fda308056d24d841864a87494023d8e

SHA1
136980e387ad035d9bb50d9a9c532beeef880491

SHA256
9cf7ee67e65a92a0d98b235df926821c9663ac75dbf0e4414a12548b46f8cc0f

SHA512
90c50f119505d945964c24eeabf0cf461b919a0219bc3b960da79e89f8031ef4aa995e1be40d25648fc9d73a37d765cc54a4fb8adc13e4ba952d04505045b104

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe

Filesize
192KB

MD5
2168eda94062a63df06894cc774fabf1

SHA1
cb2db18aecf723b90e3a3199cc375f026cbde0f2

SHA256
57e87def008c2ea1eebc6b812e1ba51afca99fe8cc62301bf08b6947e4b60c58

SHA512
30483328492ced9748d39c804c650889babb69156994376f3bd42aa722830ce288a5349432d7eb1ea8288fa2ffbd9363ffb8eefb4c63319c9e813c8aa8d919e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\tupak.exe

Filesize
2.9MB

MD5
bd71c3f444fdf4187e4b78e697ded481

SHA1
b592b2fe76c0dc1c09b6f9d3e86a33b4496eff29

SHA256
ecae9833d81f48acfd05582b2e3d1a94fe633c83e7649e14d0ae6b7a5613f3d6

SHA512
ee547ba7e98e477b2dbb0267bd89a2962322b11c710f435613e9993ebfa44f63cb97964925c02dff687a6bc3a3aa5190331a3c4e32caa3db32e1523701d3f916

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\win.exe

Filesize
1.1MB

MD5
4e718b04d2e94a23dac114ab1998f6c3

SHA1
d7b3c71508b8bff844daf3ae16a30233fb8339a4

SHA256
09c1982b6815acc576062071521a081243e983104392bfac78c08b10465c5f0a

SHA512
41dc7cad53496ac072d0ab1652cef2fb85506138965f1191aa078673bf46da2edbe8ebd1209df0351422c8f54053242dbb8143af76331c6d654cc2eb48cb4f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2FLTL.tmp\june.tmp

Filesize
690KB

MD5
87041e1189809c2e27890dcacfb5f12b

SHA1
0692e4718bfbadd453ed7d7e2b1337993ad97ba5

SHA256
447741a1ef3c1892a69ca7375da921ba39cabcb225cf82e26d5af69d54864086

SHA512
705abf93f24423ef3b12f4a677509ffe14ab4deea6974e56cd59ceaf9bdb8483f2ee393d0a33f8828240227b2c847d45d5153cf3663b14de4bf1826b743f8013

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9PCME.tmp\may.tmp

Filesize
481KB

MD5
34b4160356b1a43766f38def6d50ed24

SHA1
e6d7439770dfb3a0108283d9a034201e2d6f933e

SHA256
c978cfa18614845372d869d3c4c2274584c159c12ec0d32827757bda61a8079b

SHA512
6334589accfa5ddf9b39095d7ea65a3895c1cdd4cbdf38fb560092a035f16d51b3de359e027bfe4536ca4eb6f828154410e4bdc09dfaaa2fa75e3c53d7b8c596

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9PCME.tmp\may.tmp

Filesize
496KB

MD5
2278b1cfdc259068145d88106be64e05

SHA1
7da7aed6c461cfaca0adaa38b43dec90f781c60b

SHA256
63ed2be96a1dc10844967216e2bbafd833ff944aed5783e930925042cfa8cb37

SHA512
149cb0a6bad2a59539da481a7baa9f1de520dcfab54e286f0014bcd72f24ed9e0c965ca61b0c48dd8e21146df466acb0efc22f5e55803c9d70ee71de8146bb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CIU88.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K0T92.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QLFUQ.tmp\Test.runtimeconfig.json

Filesize
97B

MD5
07b7a016eb86bef13dae471f9a1db4f7

SHA1
80c835c7126b728f6ca103471ac0c51a620e992b

SHA256
d351f91b7943f9ea9b1055abb758719c0508652e4225381cfb0497c820af5867

SHA512
ae7fb7bd52ed3773b4de2a4298e8bfec17956a28403f05179ef5899ebc9b0d844fadf14038cebf5d96ade5499a5d8a109126b2c474ad35b0d218e037e65bfee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QLFUQ.tmp\Test.runtimeconfig.json

Filesize
97B

MD5
6eb8afedb2a593ffdb64b2130228b2c0

SHA1
afdacb2af90895171dfa9765ebe256e6a46c1d95

SHA256
e81c39ffb1628161bec7e8cb667dcb9df2d5d334e57535286fc109e8c1a43bcf

SHA512
e886d3a16520ba5006a37e002ef9dc28a54c46f5c2e7022d271cef11529fd4b22515af5713c0871b22f561996767bf3bc0da0d8b4fd50f1dcef6f1a87a28503d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QLFUQ.tmp\Test.runtimeconfig.json

Filesize
97B

MD5
5e8dcf8d938b6616939444a4cb1af172

SHA1
664f9d2a178a8bcc41bd306dc94a68aeb9c759e7

SHA256
a29aa7c522850e190bf64f5068364007e7d75985fe40bee3decba74991beb692

SHA512
13a900b98a51672c23b2a8721ce992845b7d5abb3ce735999c53842cff61d1fca7d680d70e5b3094f19e2cc47e2ccd5dcd4c0d7365f22211ee16c46c0ac63d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QLFUQ.tmp\netcorecheck_x64.exe

Filesize
140KB

MD5
de54c196cfe1bd90152460b6242f5ad3

SHA1
e1bc2721b1ba41b8157ce72bb6d56bf55b7b4785

SHA256
3b26fe9d187ce9e8275e970bd3884acaae4e0bbf7089759b3378ba44201a3b8b

SHA512
88a29b3788ad4da5f0581bc1e58dcd860060aaf1d3e3def3741d256652b8f257203e1e2b378dd7d38ae648f2efbd11268717a4107b4edb873babd8441b7f68d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QLFUQ.tmp\netcorecheck_x64.exe

Filesize
89KB

MD5
980d72a745468a526c2946e0017bf28d

SHA1
e542bf54f226209d72b4e1820bc90c639d221362

SHA256
1097a5526ca18bb5842e7b8c74e64fb174ddd7be10500a097d379efe42eb8892

SHA512
dedf986a37ec2b2b5980d283715ed8f59884faecdfabd6f2d3afd7e363818ae54d4c483096a9ccdb9026d35651a7615938c4e92aa228c6d1b046402f39414ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-VF558.tmp\installer.tmp

Filesize
832KB

MD5
b09d6aff2c02720123f2f0f84484ce2c

SHA1
630f6fad253f0628e8e8977e039f5ddc43f5da01

SHA256
26836190f9bddff847b685687870a1786193c9461c1e2f7b16055b01a1f329b3

SHA512
abc2a682efa1955b9672df68915463f665388d370cad63006f5fccead2fa7ef2d8ce152777fc2496dc28e78de7848cfe5ad2502ff77d6d552b02eda9314fe159

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1EFE.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F23.tmp

Filesize
92KB

MD5
d8258cfea30050e289acf9aa882159f2

SHA1
26acf382025e2880308c3cb82ee11b935f52d6fa

SHA256
97f3a97af8aad5da47509b3b5639b85c82f5b67fb34193ef409c9bb84c2e334b

SHA512
caa184c63653b9b8be5b76833be8caf40d8a6804cc26b329d955e5b59e5cf75c0e9e654f5e4fef9fdb76536f43fe3d9a4017a3446f0610d6df61f3737f44a74a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F9C.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1FA2.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1FA8.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1FC4.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4mw.0.exe

Filesize
262KB

MD5
f7229609248c51f2730080b0d18d886f

SHA1
a30a44b09977c77b91e6fc15a458a14502bd4009

SHA256
6c0ee4d9900a2f5a4692825b9e82301bf8bb2f50de1e3d38ecc760e46b8d475a

SHA512
98237be0f6f9e5570eb1e484fb0e90dd030aab1e3fa16f9ad9d29db0a5ad4442094d74d825674c02924a445ce85a3688d69f8ccf03cbf5e68941cbaec2ba7653

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4mw.1.exe

Filesize
1.7MB

MD5
eee5ddcffbed16222cac0a1b4e2e466e

SHA1
28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

SHA256
2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

SHA512
8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4mw.1.exe

Filesize
1.6MB

MD5
ef4148092112a17f2bf1788710814dd9

SHA1
05873a9de8674a2f1cfc10473295beb7b60f2257

SHA256
7667c2057479eb63681b29e6171820d62e4139a6b51cc4a69360a3aff231ce6f

SHA512
b12468832bb3942126da08853c9496ba2f09ad675af2b53f7aecbb9cb711e992afe0660fb6b52f2955a346ff4511242fafa3ec0882a34db71b8e4305fb40c061

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
f4f38fccabbb9ebb43208631b79a0c09

SHA1
45cc6071b6e6e0afa9d1bfe3e79b2f8d3409c0a0

SHA256
5b463b0ae755e1646da889d0512a941e7f894810f4e8c104d34f3e88c1c384c7

SHA512
7b466bb747e1b1daed509cef90ccbf11239685396ecc0ffc509aded9b888d24f9ac18dd6a08593b12f957758014d33c2fcd3d2a33558a4b79ae1c10c9d5100cb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
476ec42036cd7e219a0f66d953ffde8c

SHA1
bc032797277e9060d37494e16f8f35aee80799d0

SHA256
7a3047e35e8060b1a17928ea7066a82770b4c711d54d1fc4bdacf4639a1f7b4e

SHA512
cab31b1743cb0d86388ccb4ae2df67ea013913c5e31487ba0285a671a73d61d38a658a93a49ca1b35c1a27c94a3d9e67d3a67b26477309fe9646fe452f3cf9c5

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
e3551e0e25da6bcfb70960ab8063d9d7

SHA1
b0e56c42379c2d5f65fcf21182766cfe1ce4d520

SHA256
e90b5262c8d39b81cbf2ba2e4149a82514560ae0e7973d513dc7c542c3fbedd8

SHA512
e289b22e42d6e24c8ffc48e810ed0c351fdd1521a7f13d06a8c69772a5f3251f013acab98e715198138d1d74c7092229b4b3c8de8b79d6087ca680046bf7b703

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
b56e17cee122cfa566f2b42ea6a55724

SHA1
13bc4ca233dfbf4e97fdba8cf57255de747ea91d

SHA256
b892ed1314ea076fc6836e4cd7a2ad88c0532d43ec00bd4a0d9d59a58af6e571

SHA512
483c50b8448c2814bc2a35c148ac3aaab18f44675b4b94ea560a6fc83069e319dbe9120498db8682441b71bdc4cecfd0590e46fa696e48b6789644b0c3f1cb14

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
7df76031c0af93e3da3c4ff59e33de8e

SHA1
ff673e146eb076ba3663c2f54d7d650cc4c43dfb

SHA256
7bb20aa56a129ff2d882d69ad3f8e83885a094479f364e2f6068bb802d202ec5

SHA512
1f78228c403eb0139d26bcb4176f37c2695341f8867bf337e729107d688ef959ed4881a281ca8f49836daa7e2514a3f814777497e0faa5d27c77b4460849ee56

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
272b832c5be8b1083233fb4e8ab2c2f5

SHA1
cb238c1568ed332bde01aeeb9994df5c97faa4c4

SHA256
01011ee0d9a4730b4022f302de342c2f91bc3709529959dae3c4937be5a724e9

SHA512
12ac285c76115c0fdb8b9bf1836d85c2c2f0ef98dfafacceed0b41f5bb3c009efddd60eae73932457f1bbf6fb910ba9282597b3e668a605467d283cf0a787c0c

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
b0edfdabcd0c60648a45ac9ac22d8506

SHA1
41affe99a36e592db22dfe1a5de07122bcd5e60a

SHA256
cdeaa16d2d813a98760f24684154dbe26f7e1ecbca6a6a7a6d5739d6cdbde830

SHA512
ae213330439e41f097581a7f1f6721d4b666f8fab44202872c25119caa94611729b9848c0257de202cdfc620baa3823267d26305ff07eb1cefb5d4edb0d3341c

Download Submit
memory/556-472-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/556-480-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/624-75-0x0000000000220000-0x00000000007B6000-memory.dmp

Filesize
5.6MB

Download
memory/624-85-0x0000000000220000-0x00000000007B6000-memory.dmp

Filesize
5.6MB

Download
memory/624-81-0x0000000000220000-0x00000000007B6000-memory.dmp

Filesize
5.6MB

Download
memory/624-183-0x0000000000220000-0x00000000007B6000-memory.dmp

Filesize
5.6MB

Download
memory/624-423-0x0000000000220000-0x00000000007B6000-memory.dmp

Filesize
5.6MB

Download
memory/848-61-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/848-1-0x00007FF87C590000-0x00007FF87D051000-memory.dmp

Filesize
10.8MB

Download
memory/848-60-0x00007FF87C590000-0x00007FF87D051000-memory.dmp

Filesize
10.8MB

Download
memory/848-2-0x000000001B440000-0x000000001B450000-memory.dmp

Filesize
64KB

Download
memory/848-0-0x00000000008B0000-0x00000000008B8000-memory.dmp

Filesize
32KB

Download
memory/1080-108-0x0000000002020000-0x0000000002021000-memory.dmp

Filesize
4KB

Download
memory/1080-111-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/1080-94-0x0000000000CD0000-0x00000000019B1000-memory.dmp

Filesize
12.9MB

Download
memory/1080-109-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/1080-187-0x0000000000CD0000-0x00000000019B1000-memory.dmp

Filesize
12.9MB

Download
memory/1080-114-0x0000000003A30000-0x0000000003A31000-memory.dmp

Filesize
4KB

Download
memory/1080-110-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/1080-112-0x0000000003A20000-0x0000000003A21000-memory.dmp

Filesize
4KB

Download
memory/1080-113-0x0000000000CD0000-0x00000000019B1000-memory.dmp

Filesize
12.9MB

Download
memory/1812-59-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1812-80-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1812-84-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1812-79-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1812-64-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1812-568-0x00000000007B0000-0x0000000000853000-memory.dmp

Filesize
652KB

Download
memory/1812-182-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1812-411-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1884-502-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/1932-56-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1932-55-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1932-52-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/1932-51-0x0000000000400000-0x00000000005A2000-memory.dmp

Filesize
1.6MB

Download
memory/2756-62-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2756-16-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2756-14-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2764-177-0x0000000005720000-0x000000000575C000-memory.dmp

Filesize
240KB

Download
memory/2764-188-0x0000000007070000-0x00000000070E6000-memory.dmp

Filesize
472KB

Download
memory/2764-191-0x0000000007290000-0x00000000072AE000-memory.dmp

Filesize
120KB

Download
memory/2764-180-0x0000000005760000-0x00000000057AC000-memory.dmp

Filesize
304KB

Download
memory/2764-190-0x0000000007E90000-0x0000000008434000-memory.dmp

Filesize
5.6MB

Download
memory/2764-173-0x0000000000E40000-0x0000000000E5E000-memory.dmp

Filesize
120KB

Download
memory/2764-189-0x00000000071D0000-0x0000000007262000-memory.dmp

Filesize
584KB

Download
memory/2764-516-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/2764-174-0x0000000072F30000-0x00000000736E0000-memory.dmp

Filesize
7.7MB

Download
memory/2764-175-0x0000000005E40000-0x0000000006458000-memory.dmp

Filesize
6.1MB

Download
memory/2764-176-0x00000000056C0000-0x00000000056D2000-memory.dmp

Filesize
72KB

Download
memory/2764-179-0x0000000005810000-0x0000000005820000-memory.dmp

Filesize
64KB

Download
memory/2764-186-0x0000000006E80000-0x0000000006EE6000-memory.dmp

Filesize
408KB

Download
memory/2764-507-0x0000000072F30000-0x00000000736E0000-memory.dmp

Filesize
7.7MB

Download
memory/2764-185-0x00000000073B0000-0x00000000078DC000-memory.dmp

Filesize
5.2MB

Download
memory/2764-181-0x00000000059D0000-0x0000000005ADA000-memory.dmp

Filesize
1.0MB

Download
memory/2764-184-0x0000000006CB0000-0x0000000006E72000-memory.dmp

Filesize
1.8MB

Download
memory/2832-474-0x0000000001D10000-0x0000000001E10000-memory.dmp

Filesize
1024KB

Download
memory/2832-496-0x0000000000400000-0x0000000001A2E000-memory.dmp

Filesize
22.2MB

Download
memory/2832-192-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2832-160-0x0000000000400000-0x0000000001A2E000-memory.dmp

Filesize
22.2MB

Download
memory/2832-158-0x0000000001D10000-0x0000000001E10000-memory.dmp

Filesize
1024KB

Download
memory/2832-401-0x0000000000400000-0x0000000001A2E000-memory.dmp

Filesize
22.2MB

Download
memory/2832-159-0x0000000001CB0000-0x0000000001CD7000-memory.dmp

Filesize
156KB

Download
memory/2976-63-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2976-21-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/2976-76-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/4368-425-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4368-135-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4368-400-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4828-128-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4828-130-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4828-399-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5124-515-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/5488-558-0x0000000005E50000-0x0000000005E72000-memory.dmp

Filesize
136KB

Download
memory/5488-549-0x0000000002D20000-0x0000000002D30000-memory.dmp

Filesize
64KB

Download
memory/5488-548-0x0000000072F30000-0x00000000736E0000-memory.dmp

Filesize
7.7MB

Download
memory/5488-547-0x00000000057F0000-0x0000000005E18000-memory.dmp

Filesize
6.2MB

Download
memory/5488-543-0x0000000002CB0000-0x0000000002CE6000-memory.dmp

Filesize
216KB

Download
memory/5488-569-0x00000000065F0000-0x000000000660E000-memory.dmp

Filesize
120KB

Download
memory/5488-567-0x0000000006290000-0x00000000065E4000-memory.dmp

Filesize
3.3MB

Download
memory/5488-565-0x0000000002D20000-0x0000000002D30000-memory.dmp

Filesize
64KB

Download
memory/5488-564-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/5644-550-0x0000000001B90000-0x0000000001BB7000-memory.dmp

Filesize
156KB

Download
memory/5644-566-0x0000000001C00000-0x0000000001D00000-memory.dmp

Filesize
1024KB

Download
memory/5644-562-0x0000000000400000-0x0000000001A2E000-memory.dmp

Filesize
22.2MB

Download
memory/5888-427-0x0000000072F30000-0x00000000736E0000-memory.dmp

Filesize
7.7MB

Download
memory/5888-458-0x0000000072F30000-0x00000000736E0000-memory.dmp

Filesize
7.7MB

Download
memory/5888-424-0x00000000005D0000-0x0000000000CC4000-memory.dmp

Filesize
7.0MB

Download
memory/6008-481-0x0000000003A50000-0x0000000003AB7000-memory.dmp

Filesize
412KB

Download
memory/6008-486-0x0000000000400000-0x0000000001F27000-memory.dmp

Filesize
27.2MB

Download
memory/6008-497-0x0000000002070000-0x0000000002170000-memory.dmp

Filesize
1024KB

Download
memory/6064-505-0x0000000002BD0000-0x00000000034BC000-memory.dmp

Filesize
8.9MB

Download
memory/6064-506-0x00000000027D7000-0x0000000002BCF000-memory.dmp

Filesize
4.0MB

Download