amadey | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Analysis

max time kernel
24s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

amadey mylobot neshta xworm zgrat botnet discovery persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

new-coder.cc:7536

Attributes

install_file
USB.exe

Extracted

Family

mylobot

pqrqtaz.ru:9879

pickcas.ru:6464

quwkbin.ru:3496

rkbupij.ru:6653

pcqmayq.ru:3629

mmuliwe.ru:3541

stoizji.ru:5189

sfdfrhh.ru:3511

ynciazz.ru:4127

mkglhnw.ru:1946

njeeili.ru:9987

dldzeoo.ru:7525

tkbiqjq.ru:5145

uenosbl.ru:2935

faayshc.ru:9865

nttfazc.ru:6761

nfwsyog.ru:7172

uyfusxm.ru:7372

hxkclwx.ru:1294

zgoysam.ru:2338

Extracted

Family

amadey

Version

4.18

http://185.172.128.3

Attributes

install_dir
One_Dragon_Center
install_file
MSI.CentralServer.exe
strings_key
fd2f5851d3165c210396dcbe9930d294
url_paths
/QajE3OBS/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Neshta payload 30 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0007000000016d6d-375.dat	family_neshta
behavioral1/files/0x000500000001939c-406.dat	family_neshta
behavioral1/files/0x00010000000104d7-414.dat	family_neshta
behavioral1/files/0x0006000000010480-413.dat	family_neshta
behavioral1/files/0x000100000000f7e1-464.dat	family_neshta
behavioral1/files/0x000100000000f7e6-465.dat	family_neshta
behavioral1/files/0x000100000000f711-501.dat	family_neshta
behavioral1/files/0x00010000000118f5-577.dat	family_neshta
behavioral1/files/0x00010000000118ee-576.dat	family_neshta
behavioral1/files/0x0001000000011881-575.dat	family_neshta
behavioral1/files/0x0001000000010f39-574.dat	family_neshta
behavioral1/files/0x0001000000011807-573.dat	family_neshta
behavioral1/files/0x0001000000010c1c-572.dat	family_neshta
behavioral1/files/0x0001000000010393-570.dat	family_neshta
behavioral1/files/0x0001000000010b9e-569.dat	family_neshta
behavioral1/files/0x00010000000114cf-568.dat	family_neshta
behavioral1/files/0x000300000001217d-591.dat	family_neshta
behavioral1/files/0x0003000000012180-590.dat	family_neshta
behavioral1/files/0x000300000001213e-589.dat	family_neshta
behavioral1/files/0x0003000000012141-588.dat	family_neshta
behavioral1/files/0x000300000001217f-587.dat	family_neshta
behavioral1/files/0x0003000000012140-585.dat	family_neshta
behavioral1/files/0x000300000001213f-584.dat	family_neshta
behavioral1/files/0x0001000000010903-583.dat	family_neshta
behavioral1/files/0x0001000000011b62-582.dat	family_neshta
behavioral1/files/0x0001000000011a23-580.dat	family_neshta
behavioral1/files/0x000100000000f83c-566.dat	family_neshta
behavioral1/files/0x000100000000f83b-565.dat	family_neshta
behavioral1/files/0x000100000000f880-567.dat	family_neshta
behavioral1/memory/524-2868-0x00000000007E0000-0x0000000000860000-memory.dmp	family_neshta

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/524-855-0x0000000000530000-0x000000000054A000-memory.dmp	family_xworm
behavioral1/memory/524-1198-0x00000000007B0000-0x00000000007C8000-memory.dmp	family_xworm

Detect ZGRat V1 30 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2624-84-0x0000000004980000-0x0000000004B88000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-85-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-86-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-88-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-90-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-92-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-96-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-94-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-99-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-103-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-118-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-122-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-129-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-126-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-140-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-138-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-136-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-133-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-158-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-156-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-154-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-152-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-150-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-148-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-146-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-144-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/2624-142-0x0000000004980000-0x0000000004B83000-memory.dmp	family_zgrat_v1
behavioral1/memory/524-2195-0x00000000007E0000-0x0000000000860000-memory.dmp	family_zgrat_v1
behavioral1/memory/524-2200-0x00000000007E0000-0x0000000000860000-memory.dmp	family_zgrat_v1
behavioral1/memory/2132-3448-0x0000000004800000-0x000000000492A000-memory.dmp	family_zgrat_v1

Mylobot
Botnet which first appeared in 2017 written in C++.
botnet mylobot
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detect binaries embedding considerable number of MFA browser extension IDs. 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2864-825-0x00000000006C0000-0x00000000007C0000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral1/memory/2864-828-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2864-825-0x00000000006C0000-0x00000000007C0000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/2864-828-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/524-1198-0x00000000007B0000-0x00000000007C8000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2864-828-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables manipulated with Fody 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2020-940-0x0000000000030000-0x0000000001DAA000-memory.dmp	INDICATOR_EXE_Packed_Fody

Detects executables packed with unregistered version of .NET Reactor 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2044-2353-0x0000000000BA0000-0x000000000110C000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Downloads MZ/PE file

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/2044-2353-0x0000000000BA0000-0x000000000110C000-memory.dmp	net_reactor

Executes dropped EXE 10 IoCs

Processes:

syncUpd.exenet.exeAlpha_Base_20240209210907868.exeAlpha_Base_20240209210907868.exesvchost.comTIDEX_~1.EXEsvchost.comnative.exesvchost.comSIGNED~1.EXE

pid	Process
2864	syncUpd.exe
2624	net.exe
1044	Alpha_Base_20240209210907868.exe
524	Alpha_Base_20240209210907868.exe
2752	svchost.com
2504	TIDEX_~1.EXE
2308	svchost.com
828	native.exe
1520	svchost.com
2732	SIGNED~1.EXE

Loads dropped DLL 20 IoCs

Processes:

4363463463464363463463463.exeAlpha_Base_20240209210907868.exesvchost.comsvchost.comsyncUpd.exeWerFault.exesvchost.com

pid	Process
2204	4363463463464363463463463.exe
2204	4363463463464363463463463.exe
2204	4363463463464363463463463.exe
2204	4363463463464363463463463.exe
2204	4363463463464363463463463.exe
1044	Alpha_Base_20240209210907868.exe
1044	Alpha_Base_20240209210907868.exe
2752	svchost.com
2752	svchost.com
2752	svchost.com
1044	Alpha_Base_20240209210907868.exe
2308	svchost.com
2864	syncUpd.exe
2864	syncUpd.exe
1812	WerFault.exe
1812	WerFault.exe
1044	Alpha_Base_20240209210907868.exe
1520	svchost.com
1520	svchost.com
1044	Alpha_Base_20240209210907868.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

Alpha_Base_20240209210907868.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Alpha_Base_20240209210907868.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

Processes:

flow	ioc
97	bitbucket.org
98	bitbucket.org
297	pastebin.com
300	pastebin.com

Drops file in Program Files directory 64 IoCs

Processes:

svchost.comAlpha_Base_20240209210907868.exe

description	ioc	Process
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	svchost.com
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	Alpha_Base_20240209210907868.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	svchost.com

Drops file in Windows directory 5 IoCs

Processes:

svchost.comsvchost.comsvchost.comAlpha_Base_20240209210907868.exe

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	Alpha_Base_20240209210907868.exe
File opened for modification	C:\Windows\directx.sys	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1812	2504	WerFault.exe	36
1004	2656	WerFault.exe	73

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

syncUpd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	syncUpd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	syncUpd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exe

pid	Process
2700	schtasks.exe

Modifies registry class 1 IoCs

Processes:

Alpha_Base_20240209210907868.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Alpha_Base_20240209210907868.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Alpha_Base_20240209210907868.exe4363463463464363463463463.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Alpha_Base_20240209210907868.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Alpha_Base_20240209210907868.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Alpha_Base_20240209210907868.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	Alpha_Base_20240209210907868.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 4b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2190000000100000010000000ea6089055218053dd01e37e1d806eedf0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9040000000100000010000000285ec909c4ab0d2d57f5086b225799aa1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c2000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	Alpha_Base_20240209210907868.exe
Key created	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	4363463463464363463463463.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	4363463463464363463463463.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Alpha_Base_20240209210907868.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

syncUpd.exe

pid	Process
2864	syncUpd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

4363463463464363463463463.exenet.exenative.exe

description	pid	Process
Token: SeDebugPrivilege	2204	4363463463464363463463463.exe
Token: SeDebugPrivilege	2624	net.exe
Token: SeDebugPrivilege	828	native.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

4363463463464363463463463.exeAlpha_Base_20240209210907868.exesvchost.comsvchost.comTIDEX_~1.EXEsvchost.com

description	pid	Process	procid_target
PID 2204 wrote to memory of 2864	2204	4363463463464363463463463.exe	29
PID 2204 wrote to memory of 2864	2204	4363463463464363463463463.exe	29
PID 2204 wrote to memory of 2864	2204	4363463463464363463463463.exe	29
PID 2204 wrote to memory of 2864	2204	4363463463464363463463463.exe	29
PID 2204 wrote to memory of 2624	2204	4363463463464363463463463.exe	31
PID 2204 wrote to memory of 2624	2204	4363463463464363463463463.exe	31
PID 2204 wrote to memory of 2624	2204	4363463463464363463463463.exe	31
PID 2204 wrote to memory of 2624	2204	4363463463464363463463463.exe	31
PID 2204 wrote to memory of 1044	2204	4363463463464363463463463.exe	33
PID 2204 wrote to memory of 1044	2204	4363463463464363463463463.exe	33
PID 2204 wrote to memory of 1044	2204	4363463463464363463463463.exe	33
PID 2204 wrote to memory of 1044	2204	4363463463464363463463463.exe	33
PID 1044 wrote to memory of 524	1044	Alpha_Base_20240209210907868.exe	34
PID 1044 wrote to memory of 524	1044	Alpha_Base_20240209210907868.exe	34
PID 1044 wrote to memory of 524	1044	Alpha_Base_20240209210907868.exe	34
PID 1044 wrote to memory of 524	1044	Alpha_Base_20240209210907868.exe	34
PID 2204 wrote to memory of 2752	2204	4363463463464363463463463.exe	35
PID 2204 wrote to memory of 2752	2204	4363463463464363463463463.exe	35
PID 2204 wrote to memory of 2752	2204	4363463463464363463463463.exe	35
PID 2204 wrote to memory of 2752	2204	4363463463464363463463463.exe	35
PID 2752 wrote to memory of 2504	2752	svchost.com	36
PID 2752 wrote to memory of 2504	2752	svchost.com	36
PID 2752 wrote to memory of 2504	2752	svchost.com	36
PID 2752 wrote to memory of 2504	2752	svchost.com	36
PID 2204 wrote to memory of 2308	2204	4363463463464363463463463.exe	38
PID 2204 wrote to memory of 2308	2204	4363463463464363463463463.exe	38
PID 2204 wrote to memory of 2308	2204	4363463463464363463463463.exe	38
PID 2204 wrote to memory of 2308	2204	4363463463464363463463463.exe	38
PID 2308 wrote to memory of 828	2308	svchost.com	39
PID 2308 wrote to memory of 828	2308	svchost.com	39
PID 2308 wrote to memory of 828	2308	svchost.com	39
PID 2308 wrote to memory of 828	2308	svchost.com	39
PID 2504 wrote to memory of 1812	2504	TIDEX_~1.EXE	40
PID 2504 wrote to memory of 1812	2504	TIDEX_~1.EXE	40
PID 2504 wrote to memory of 1812	2504	TIDEX_~1.EXE	40
PID 2504 wrote to memory of 1812	2504	TIDEX_~1.EXE	40
PID 2204 wrote to memory of 1520	2204	4363463463464363463463463.exe	41
PID 2204 wrote to memory of 1520	2204	4363463463464363463463463.exe	41
PID 2204 wrote to memory of 1520	2204	4363463463464363463463463.exe	41
PID 2204 wrote to memory of 1520	2204	4363463463464363463463463.exe	41
PID 1520 wrote to memory of 2732	1520	svchost.com	42
PID 1520 wrote to memory of 2732	1520	svchost.com	42
PID 1520 wrote to memory of 2732	1520	svchost.com	42
PID 1520 wrote to memory of 2732	1520	svchost.com	42

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2864
- C:\Users\Admin\AppData\Local\Temp\Files\net.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
    3⤵
    PID:696
  - - C:\Users\Admin\AppData\Local\Temp\BBLb.exe
      C:\Users\Admin\AppData\Local\Temp\BBLb.exe
      4⤵
      PID:2132
- - C:\Users\Admin\AppData\Local\Temp\Files\net.exe
    C:\Users\Admin\AppData\Local\Temp\Files\net.exe
    3⤵
    PID:2656
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 124
      4⤵
      Program crash
      PID:1004
- C:\Users\Admin\AppData\Local\Temp\Files\Alpha_Base_20240209210907868.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Alpha_Base_20240209210907868.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Users\Admin\AppData\Local\Temp\3582-490\Alpha_Base_20240209210907868.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\Alpha_Base_20240209210907868.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:524
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\TIDEX_~1.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\Files\TIDEX_~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\TIDEX_~1.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 464
      4⤵
      Loads dropped DLL
      Program crash
      PID:1812
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Users\Admin\AppData\Local\Temp\Files\native.exe
    C:\Users\Admin\AppData\Local\Temp\Files\native.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\Files\native.exe
      C:\Users\Admin\AppData\Local\Temp\Files\native.exe
      4⤵
      PID:1016
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\SIGNED~1.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\Files\SIGNED~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\SIGNED~1.EXE
    3⤵
    - Executes dropped EXE
    PID:2732
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\CRAZYC~1.EXE"
  2⤵
  PID:320
- - C:\Users\Admin\AppData\Local\Temp\Files\CRAZYC~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\CRAZYC~1.EXE
    3⤵
    PID:2020
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
  2⤵
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
    C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
    3⤵
    PID:2896
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\3.exe"
  2⤵
  PID:2280
- - C:\Users\Admin\AppData\Local\Temp\Files\3.exe
    C:\Users\Admin\AppData\Local\Temp\Files\3.exe
    3⤵
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\Files\3.exe
      C:\Users\Admin\AppData\Local\Temp\Files\3.exe
      4⤵
      PID:1240
    - - C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        5⤵
        
        PID:2544
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
  2⤵
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    3⤵
    PID:1760
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\NICEEY~1.EXE"
  2⤵
  PID:880
- - C:\Users\Admin\AppData\Local\Temp\Files\NICEEY~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\NICEEY~1.EXE
    3⤵
    PID:1704
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whatgoal.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whatgoal.exe
      4⤵
      PID:1604
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ECLIPS~1.EXE"
  2⤵
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\Files\ECLIPS~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\ECLIPS~1.EXE
    3⤵
    PID:2608
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\PINNAC~1.EXE"
  2⤵
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\Files\PINNAC~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\PINNAC~1.EXE
    3⤵
    PID:1280
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Windows.exe"
  2⤵
  PID:876
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
  2⤵
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
    C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
    3⤵
    PID:2044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      4⤵
      PID:1956
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
  2⤵
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
    C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
    3⤵
    PID:1664
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\1BZ7KF~1.EXE"
  2⤵
  PID:1032
- - C:\Users\Admin\AppData\Local\Temp\Files\1BZ7KF~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\1BZ7KF~1.EXE
    3⤵
    PID:2172
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
      4⤵
      PID:1680
    - - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
        5⤵
        Creates scheduled task(s)
        
        PID:2700
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\test.exe"
  2⤵
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\Files\test.exe
    C:\Users\Admin\AppData\Local\Temp\Files\test.exe
    3⤵
    PID:2816
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe"
  2⤵
  PID:884
- - C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
    C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
    3⤵
    PID:1500
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\main.exe"
  2⤵
  PID:3040
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\COSMIC~1.EXE"
  2⤵
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\Files\COSMIC~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\COSMIC~1.EXE
    3⤵
    PID:2540
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ZENITH~1.EXE"
  2⤵
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\Files\ZENITH~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\ZENITH~1.EXE
    3⤵
    PID:1320
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\COLLAB~1.EXE"
  2⤵
  PID:2032
- - C:\Users\Admin\AppData\Local\Temp\Files\COLLAB~1.EXE
    C:\Users\Admin\AppData\Local\Temp\Files\COLLAB~1.EXE
    3⤵
    PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{9A861~1\ose.exe

Filesize
186KB

MD5
58b58875a50a0d8b5e7be7d6ac685164

SHA1
1e0b89c1b2585c76e758e9141b846ed4477b0662

SHA256
2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

SHA512
d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

Download Submit
C:\MSOCache\ALLUSE~1\{9A861~1\setup.exe

Filesize
1.1MB

MD5
566ed4f62fdc96f175afedd811fa0370

SHA1
d4b47adc40e0d5a9391d3f6f2942d1889dd2a451

SHA256
e17cd94c08fc0e001a49f43a0801cea4625fb9aee211b6dfebebec446c21f460

SHA512
cdf8f508d396a1a0d2e0fc25f2ae46398b25039a0dafa0919737cc44e3e926ebae4c3aa26f1a3441511430f1a36241f8e61c515a5d9bd98ad4740d4d0f7b8db7

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE

Filesize
285KB

MD5
831270ac3db358cdbef5535b0b3a44e6

SHA1
c0423685c09bbe465f6bb7f8672c936e768f05a3

SHA256
a8f78ac26c738b13564252f1048ca784bf152ef048b829d3d22650b7f62078f0

SHA512
f64a00977d4b6f8c43f53cee7bb450f3c8cbef08525975055fde5d8c515db32d2bfad92e99313b3a10a72a50dd09b4ffe28e9af4c148c6480622ba486776e450

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE

Filesize
313KB

MD5
8c4f4eb73490ca2445d8577cf4bb3c81

SHA1
0f7d1914b7aeabdb1f1e4caedd344878f48be075

SHA256
85f7249bfac06b5ee9b20c7f520e3fdc905be7d64cfbefb7dcd82cd8d44686d5

SHA512
65453075c71016b06430246c1ee2876b7762a03112caf13cff4699b7b40487616c88a1160d31e86697083e2992e0dd88ebf1721679981077799187efaa0a1769

Download Submit
C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe

Filesize
373KB

MD5
2f6f7891de512f6269c8e8276aa3ea3e

SHA1
53f648c482e2341b4718a60f9277198711605c80

SHA256
d1ee54eb64f31247f182fd62037e64cdb3876e1100bc24883192bf46bab42c86

SHA512
c677f4f7bfb2e02cd0babed896be00567aad08304cbff3a85fcc9816b10247fedd026fee769c9bd45277a4f2814eabe6534f0b04ea804d0095a47a1477188dd6

Download Submit
C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE

Filesize
100KB

MD5
6a091285d13370abb4536604b5f2a043

SHA1
8bb4aad8cadbd3894c889de85e7d186369cf6ff1

SHA256
909205de592f50532f01b4ac7b573b891f7e6e596b44ff94187b1ba4bcc296bb

SHA512
9696e4f60a5b1166535ca8ca3fb495d718086463d1a12fa1facc08219ad5b918208ddd2a102f7955e29153b081e05985c4ae6e4302ab36d548bb62991a47db18

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE

Filesize
130KB

MD5
7ce8bcabb035b3de517229dbe7c5e67d

SHA1
8e43cd79a7539d240e7645f64fd7f6e9e0f90ab9

SHA256
81a3a1dc3104973a100bf8d114b6be35da03767a0cbbaf925f970ffcbe5f217c

SHA512
be7fcd50b4f71b458ca001b7c019bf1169ec089d7a1ce05355134b11cbe75a5a29811f9efec803877aeb1a1d576ea2628926e0131361db23214275af6e89e80c

Download Submit
C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE

Filesize
2.4MB

MD5
a741183f8c4d83467c51abab1ff68d7b

SHA1
ddb4a6f3782c0f03f282c2bed765d7b065aadcc6

SHA256
78be3aeb507db7e4ee7468c6b9384ee0459deebd503e06bd4988c52247ecea24

SHA512
c15dbecc0754a662892ecaff4b9b6c1bad46f710d8e1b973f86eaee467444f8e5764b31ace8f5a9a5e936947cc4dcb97cb1b14a6930c1025f38a3544393b6b18

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE

Filesize
859KB

MD5
02ee6a3424782531461fb2f10713d3c1

SHA1
b581a2c365d93ebb629e8363fd9f69afc673123f

SHA256
ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

SHA512
6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE

Filesize
571KB

MD5
d4fdbb8de6a219f981ffda11aa2b2cc4

SHA1
cca2cffd4cf39277cc56ebd050f313de15aabbf6

SHA256
ba3dc87fca4641e5f5486c4d50c09d087e65264e6c5c885fa6866f6ccb23167b

SHA512
7167e13dbcc8c96114fef5fc7ae19afa31173617db153dd283aa6d8256f6b8c09c8f906f5d418efe9f7f242cdfaef24b93c11c451701c4d56eb48d18de4e88bf

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE

Filesize
157KB

MD5
a24fbb149eddf7a0fe981bd06a4c5051

SHA1
fce5bb381a0c449efad3d01bbd02c78743c45093

SHA256
5d13230eae7cd9b4869145c3280f7208788a8e68c9930a5c9aa3e822684a963d

SHA512
1c73b762c340a8d7ea580985ba034a404c859d814690390a6e0b6786575c219db9ca20880ea20313bb244560e36cf24e4dda90229b3084d770495f4ceedfd5de

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE

Filesize
229KB

MD5
28f7305b74e1d71409fec722d940d17a

SHA1
4c64e1ceb723f90da09e1a11e677d01fc8118677

SHA256
706db4d832abdf4907a1386b917e553315660a59bfb4c180e38215b4a606d896

SHA512
117de88d0bc437023ca2f1f54b1f2cf03b00c8cb52e4b728cabcb3140659c67cdb6d2c203d3ca13767312831c6308622dfa65d6c5361ec28aaf4ec0870f9ba6e

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE

Filesize
503KB

MD5
3f67da7e800cd5b4af2283a9d74d2808

SHA1
f9288d052b20a9f4527e5a0f87f4249f5e4440f7

SHA256
31c10320edb2de22f37faee36611558db83b78a9c3c71ea0ed13c8dce25bf711

SHA512
6a40f4629ddae102d8737e921328e95717274cea16eb5f23bff6a6627c6047d7f27e7f6eb5cb52f53152e326e53b6ee44d9a9ee8eca7534a2f62fa457ac3d4e3

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE

Filesize
153KB

MD5
12a5d7cade13ae01baddf73609f8fbe9

SHA1
34e425f4a21db8d7902a78107d29aec1bde41e06

SHA256
94e8ea2ed536484492d746f6f5808192cb81ae3c35f55d60826a2db64a254dd5

SHA512
a240f5c59226749792cfb9fbd76b086d2544a493b834a72c0bfd8b076ed753ec8876ff056fc35f63f5497183d985f8f8c5c7b6abbcad70981f1ec83af1b3bd76

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe

Filesize
539KB

MD5
60f6a975a53a542fd1f6e617f3906d86

SHA1
2be1ae6fffb3045fd67ed028fe6b22e235a3d089

SHA256
be23688697af7b859d62519807414565308e79a6ecac221350cd502d6bf54733

SHA512
360872d256ef91ea3debfb9b3efa22ee80859af9df29e0687c8e1b3c386d88ff1dc5635b86e714fbf1a7d4d6bc3d791efa31a9d9d13e0f79547b631bddb5108d

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe

Filesize
1.1MB

MD5
034978c5262186b14fd7a2892e30b1cf

SHA1
237397dd3b97c762522542c57c85c3ff96646ba8

SHA256
159776d43dd2a8d843b82ece0faf469f9088a625d474ce4eea9db59d94a844e6

SHA512
d216e757616121d9902b0db2669b6e2aa9eb2697427c9ea2804ebda9690abbf9219c6e603d63ff19dc6115a072985ca862499b5f8319ca057a16e81aec9ea949

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe

Filesize
205KB

MD5
da31170e6de3cf8bd6cf7346d9ef5235

SHA1
e2c9602f5c7778f9614672884638efd5dd2aee92

SHA256
7737ab500cbbd5d507881d481eef9bd91cf6650bf8d2b41b47b1a8c5f2789858

SHA512
2759d938d6ad963e0bf63481a700f7c503d06011a60bcfc1071b511e38afa87d903deb36f9cbfa0b3fd08f1ecb88d2c0bddf0d3b5f2dea2a0cca1a80471669f3

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe

Filesize
1.2MB

MD5
467aee41a63b9936ce9c5cbb3fa502cd

SHA1
19403cac6a199f6cd77fc5ac4a6737a9a9782dc8

SHA256
99e5bea5f632ef4af76e4e5108486d5e99386c3d451b983bcd3ad2a49cc04039

SHA512
00c9ccdbbd6fd1be0c2dafd485d811be9bf2076d4efeabc256179befd92679b964e80edcb90ef21f3e874578fdb0003878227f560ca76498865770280f87113e

Download Submit
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE

Filesize
125KB

MD5
46e43f94482a27df61e1df44d764826b

SHA1
8b4eab017e85f8103c60932c5efe8dff12dc5429

SHA256
dc6658dec5bf89f65f2d4b9bdb27634bac0bf5354c792bc8970a2b39f535facd

SHA512
ce5bdd3f9a2394ffda83c93fc5604d972f90bd72e6aded357bdf27a2b21a0469f6ac71ce40d9fb4ed8c845468c4171a3c5b4501edbae79447c4f4e08342d4560

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE

Filesize
155KB

MD5
96a14f39834c93363eebf40ae941242c

SHA1
5a3a676403d4e6ad0a51d0f0e2bbdd636ae5d6fc

SHA256
8ee4aa23eb92c4aba9a46b18ac249a5fa11c5abb7e2c1ca82cd5196401db790a

SHA512
fbf307a8053e9478a52cfdf8e8bad3d7c6664c893458786ae6ee4fffc6fe93006e99a2a60c97fb62dad1addd5247621517f4edee5d9545717c4587a272cef9a2

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE

Filesize
230KB

MD5
e5589ec1e4edb74cc7facdaac2acabfd

SHA1
9b12220318e848ed87bb7604d6f6f5df5dbc6b3f

SHA256
6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67

SHA512
f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE

Filesize
155KB

MD5
f7c714dbf8e08ca2ed1a2bfb8ca97668

SHA1
cc78bf232157f98b68b8d81327f9f826dabb18ab

SHA256
fc379fda348644fef660a3796861c122aa2dd5498e80279d1279a7ddb259e899

SHA512
28bc04c4df3f632865e68e83d045b3ecd2a263e62853c922b260d0734026e8a1541988fcbf4ddc9cf3aba6863214d6c6eb51f8bbb2586122a7cb01a70f08d16c

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE

Filesize
265KB

MD5
25e165d6a9c6c0c77ee1f94c9e58754b

SHA1
9b614c1280c75d058508bba2a468f376444b10c1

SHA256
8bbe59987228dd9ab297f9ea34143ea1e926bfb19f3d81c2904ab877f31e1217

SHA512
7d55c7d86ccabb6e9769ebca44764f4d89e221d5756e5c5d211e52c271e3ce222df90bc9938248e2e210d6695f30f6280d929d19ef41c09d3ea31688ae24d4bf

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE

Filesize
342KB

MD5
5da33a7b7941c4e76208ee7cddec8e0b

SHA1
cdd2e7b9b0e4be68417d4618e20a8283887c489c

SHA256
531e735e4e8940dfe21e30be0d4179ceaecb57ce431cf63c5044e07048ac1751

SHA512
977aeecfbc693c9d5746fedf08b99e0b0f6fd7b0c7b41ac2b34a832e68a2e6f3c68f38af2e65c87075fcf00c1c6103e34324df45d7da9412cbbeea7e410794b6

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE

Filesize
439KB

MD5
400836f307cf7dbfb469cefd3b0391e7

SHA1
7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10

SHA256
cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a

SHA512
aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

Download Submit
C:\PROGRA~2\Google\Update\DISABL~1.EXE

Filesize
207KB

MD5
3b0e91f9bb6c1f38f7b058c91300e582

SHA1
6e2e650941b1a96bb0bb19ff26a5d304bb09df5f

SHA256
57c993cadf4bf84810cea23a7112c6e260624beaab48d0e4332d3462900fec1d

SHA512
a4fbe28a0135f4632e0a5b6bd775f8d010250b0fbfe223db1fe81d18552a6bc166ebce807853ba02e6a476e9829454805e415ca828a5e043bd1e63dc53599d0f

Download Submit
C:\ProgramData\{5BFE507A-BDB9-297B-7664-43E644A79EA3}\f64180e5.exe

Filesize
192KB

MD5
e872b81e2760a713cb4b3c496579a18c

SHA1
9774e169ebd3c18fc7c3b1f6204784f93630d96b

SHA256
ba5f8a2360d6dff261597cc8bca45cd9467e38688d359ef1ac551ce6d766bd1f

SHA512
703daa713257379a78f4892baf138cf806881984960e1b27da77ee3023ea525ca909eb53b0a2800c199e92d8315f79685ed8a54d32085a4fd4ea405e0b5f7f80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\Alpha_Base_20240209210907868.exe

Filesize
1.1MB

MD5
8a1715c5d0d71a304b76930a0c2f2098

SHA1
26b967c1f002bcd8a3cc436ce1a7599a200a1f22

SHA256
a946df233f1dd2c23cf01972b2ebf6b48e7c53567bb2fb798efa42cb85201fb0

SHA512
bba39f8f0ddca334ab15ada4757c8c7716b3390fcc987eac665362aa1b62bd86d3611b4c6d649c1eb494da611d5cd25c82d581667d7414519ad0ad2fefaa23bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\COLLAB~1.EXE

Filesize
320KB

MD5
25ae2b54712380ef158372f660e478f6

SHA1
2b3d98c15e4c108f0323f2f3b4b8d044c6beb91f

SHA256
82815355e4353fab537741750a38a73cbb05f4b9b83e6a413219ce8d6bddc964

SHA512
604615fd63a0873fb9fd50ce6a38075443694d236ba1113abcf0633cf74c46aab080787365f3c231f8d31c7648f8607b3dd4a39ed88c70dabb1511322b45c0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\COSMIC~1.EXE

Filesize
2.9MB

MD5
e239723309ad98b1d5672126179fdb30

SHA1
811237d6b1a464e04c4294fbfa1d4a95b767c59f

SHA256
adc5f8a44ea98703e2d2abf05435ca49c19479221b389818030c45b52f821fff

SHA512
92383a7aeb2d0334f494c7a4e581ff86c23bb4f5d1a72e4a0e88c780774cd77626f62b182876952e6bf6e1ef8ca59e19949f8fe8475a7b347e1a74fb4f01d01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ECLIPS~1.EXE

Filesize
896KB

MD5
2cddc8f527c229c68883896aab325dba

SHA1
f99d2dc44704e50902d0419c3572100e9b610545

SHA256
2dfaf2f3743b755c6ac8721ad25f9e001e994b0a5850e1826e757ea5a75a9af1

SHA512
c48c2fad47a7c2b5802b65886f2faff83f5a235026152d4f0ff98d6c52a9685dd17d93a57a9225f94c04bcd7c9005c0d06c879fcb5bf14c01a61c639cc6c102a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PINNAC~1.EXE

Filesize
256KB

MD5
22991eb0f45563cdfe236f87e5f7a87d

SHA1
68b3f14b4c2d954c519944499cea2b0f7f54f91c

SHA256
72d53e688835427edf8be75bd91d51176e5c5d465b140eca94598dd9228dd7d1

SHA512
faeda136c4b0d1bfabf10ef44d9c376d04b35108e4a010de49f13fed7ff27d837fbe9db6ab4fb05ac7f6bb1c416729686159d3c0632bd5d8a39316e178b8ce24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SIGNED~1.EXE

Filesize
2.9MB

MD5
210ab588f87a89f907e0f07641fdc199

SHA1
910ecbe4175638abe7921bb2ba5560f758e34e46

SHA256
3ac4fa2435d6d5a3e1f3a520018f55cff98923c17806c988b59df9c655ad681a

SHA512
d1c69b624872b11afa4d64eae338281c40afdfd2e53afbe6a98e2993e2215947a713cfd04ecb0e91bbeb9f582151a7da8b49f9cc07750588a9de95352a7a923d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TIDEX_~1.EXE

Filesize
14KB

MD5
674d01a41b61e42f0b7761712261e5dc

SHA1
4edd3b1ae2284db54b504258a9d8c54f1dc983c8

SHA256
3142397ba09a68329f93013aeee8ea89c84c01a4e6f337502d8f13f8da74660f

SHA512
065c8e2a1118a7d82a0c18396eaa836849f4ac856e9f7970141cd44c341eae1e00118deaf5bae25ab610788a9bf896496d349f971bd6ac0b135357f5d1d0e326

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ZENITH~1.EXE

Filesize
1.3MB

MD5
ae16ce1655bb21ce82d472a12f6a0d45

SHA1
10af68278bbd5be9a4a478839b967e00fb5f1f68

SHA256
7a6508b095cd88f10dad4004841e50f576606414bf1fa33213f65668ebb84bf6

SHA512
8de88920dde83d8436db858f2cec4795e28c85e7ef1cc6276cc2d4d1c54bbffabab1f724f4aa7d27dcce6e83643121dca2b938742391b92e07f76764a0b69138

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\native.exe

Filesize
1.1MB

MD5
76013b8fca20fd199c32cea1d2fb3fd9

SHA1
ca7edb55116ffc415c3755aad259715391cf8222

SHA256
2ca7d4a2fea9566d1898b8e2e8a1250234e6e528c012b6f590c09c9b65b39e33

SHA512
9827d73301458cb9da68387801548dfbaf69a21d89ac7711a64b6de3c1b2fddc844cefa8e0da90c7c080e6445e562be1d0e66440e3991af019d1a53cc0a861ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe

Filesize
1.8MB

MD5
97256cf11c9109c24fde65395fef1306

SHA1
e60278d8383912f03f25e3f92bf558e2a33f229d

SHA256
21c23083404349dbc8e7094338acaa07ea5a7e3a442bb81a528e06c175b8d934

SHA512
41e9c7911c1f461ec389ac9d430898bd9e21accf6b4291d30c4e743084bb19c2ae9279597f4a43cfaec621263cb135c3ada21e23e27cc7961c794fa499910c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5B41.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
fa5cfe14b60cdac315b2d6c520c90d0c

SHA1
35b0fdc3d6646c82ab851fa905c2bedc5711b22a

SHA256
69c0be48a6ae42f9f57790ee186f04dcfbb0f1c019c1dcf88f37a56b7718fd22

SHA512
6e3d9fe062f476c3cb586196badc69de4076c20260448f0ae26165b9d59fa886d21fa74b53ec9153cd4fdb93819a2ea03100bd8d9a97e7344f57f35e44eb5634

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
8aae215c3d17d4d0a5fe2bf26167f21f

SHA1
b03e7596bb2be476b5c208a88755ca331fb9aad5

SHA256
6da6c5c5be49a5a08313c0c581b647c34b23f518be0edb4c12c133c385a9bdc6

SHA512
25cd069b693c0edc0ab916ed899be7dd63d620892b9cc862270dc125b37902188b1d94fa343024a2863b2790be9c681d4299e736eb3cc813d4b09d3ae73a46d8

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
9daa1e6eaf5fa9979ea94389be47e8e2

SHA1
b52d0c4a4c7e6f1b8655b7c39584c0fc7766cc8f

SHA256
5618ef9062e7968d4b1eb765829416bc91e3f2490d41d4f46d9ecbb305335a7e

SHA512
4da1da6be4f1e874509ce7cfe762f18c25d792f025e8d806f4e3378b88821c8cdca740ce3c608131b623167a16ba0b3d502fd2792d57c827891f10533659d810

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
0ef09c2329128a617cdc7b329aea73e0

SHA1
a1598215475adc7eea8436f127d976d1175d59f1

SHA256
fc1d4626f47c872da30d860df0d8f274563f636097d14e7a9cce2364689836c0

SHA512
94b1f4a17734e799912c394bfdfac16b1a3ecbdd3133a0fc8b303f6bca55c524d61e7d13b7766d6ecfe0190e960fb606a2ebaf680d388c1963ae6a195b68bf6e

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
c970531b2ed1629c0cbe5a72f0a41c00

SHA1
fd74d7784e5b824ab1559dbc4ee9d3a59d4ad66b

SHA256
ebd7e31a6649869ec7ee83f76ae748bc04ca3f67b79c231a97ce6a961f23aa22

SHA512
87d9c0bce20a270c1ef2bb91f3021102c39490a061c42aa6f56c740104ca1face3319f25c5a37c8d2c099c80fd9fde27ce0167f94c281a6be1a25b188a833495

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
ef985f267fcd879467b6b5b54c9adcbc

SHA1
e74a4e15b5292cde36f64203ec807c6449059ab9

SHA256
2f222c16531c8ab29119c8d8b118153fa58ae7da2876277533ea231bf59d6f2a

SHA512
3cb525000c87c7465c11a3ed4a83975da1755f1ff4684144026149775dd76692327d3c0ad403395535a4b63a27d9c8bc8ef38a721b40daa42b01fc891355fec8

Download Submit
C:\Windows\directx.sys

Filesize
44B

MD5
4530ea9d39dbc63e467af34b38deca26

SHA1
c0ba0ac54080491848a4d608cbb5a7d211f065ce

SHA256
5376ba9bae9f633b25d02653e6fdb698e0059dac7fcb6592a32ada490edb37e9

SHA512
4ace7ba77be3f39c9756719f4017c31d736358e74ff699e52489c6b89dc1f1290e51363b8748b3d274dc205f2a4c7bd61d32b8a43ac0f5487e7c167cb2862aaa

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
b697066a885fd40b0ef4068a389a8a09

SHA1
a90f6ef31c809ce94966eb5efdb46a0958d8f73c

SHA256
748bc5f53e112deb3d464963a179bf30358dfcd9b4f22d57cabb0fe977569689

SHA512
af1ae9f181d9691fc7be93e5b025dcc5b8f4707cc825bd6595c581bbbf040e2d4f12573b8a343ec16adb70c5ba8ee57b78a274242eb71fe30657457d15faa1cc

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
d52a74ae922226156d05f0e6e620786e

SHA1
38f5ce7daf9f91ca315b0065a20df8ee23b76894

SHA256
9f1bff04375c97fbd9b13584c46b86f1180fba9ad68e940548668821b4172cf6

SHA512
17bf478f777a6be05db139e972d549cca4b5acdbef9c97efea9855162b30bfd59172824f3c25e479774cff696d90dfc396651c87ded985066eed0292d3d88e6d

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
398d8b48e492795a497aa826f5249f02

SHA1
fca2a85ec485c61274cea9917c2b0782c296c54b

SHA256
ff364204767cfc6696bf88116d184dc4c1e6d51d3d474033e3346e09366894b6

SHA512
0d38f56053fd36ee6ec1a280c57844619aa2badd47075f66fc3b6bdc0a02680f050794aa1e57f095cf26a26b7e3b99579e055edaac3f6becdf654b514cc1d9b3

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
6969077812d121f02a03cc1e0b5d06e5

SHA1
4b918d3708d1404bc0f9096fc0cfe201b775764f

SHA256
013e9ba1cfe581085576bf0f921fe87990f824c9461714648d95ee213a4d35ca

SHA512
30eaf509ab89baf8fa7a04911e5cda965879a942859abd32126bb82bb8a15bb7c6d19257534b89e91741a74aa91d4c1903dc287851d1fbf7020da4e5adf55aaf

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
f4c6ca12354a9a5943d035d7fc4fc378

SHA1
f5ca6a86b2a1fac0063b20c64baf46146ac12dab

SHA256
f19b0d81e3f584e1bf5e81d65aef20b8a089effb7df6cf2ebd5bd2a608dc1a25

SHA512
c235f378946454bbd026032be4b61b8dbe3368ba66cd020d8c3a6f619cd36f5b6c01ec7f0781dd91ee1f407170c4566a464bfb2dff368bebb4cb008252a87d61

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
4291c75042280ae580f902699f8e19c4

SHA1
4990bdc3febe77d14eb44cef06057f18e86907ad

SHA256
d364e6ce74ff38cb2886ddc5edf1e7bfce991b0903057535d7ed5c4289e76b8c

SHA512
667c34f4c6bf40a12576c3620fcda0230e848c7670fea5e2d7993c8cf99c63c119e0c1fc57169f8f1824c73cae3409e3a783da3a2534a5a1f2d53ff30e98211d

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
d0c0153e3902d054427af1412d4aac51

SHA1
3e0e2826b2638190f8bd06bf8f6cc48d39468be5

SHA256
ad77e3b5d6820603f5bd5e343117c09ff62bc504d622b5db16f9ea9dfe3e5fd4

SHA512
f4af96014c045ae2277d29df019f7bf3f942cbf6a011a2f3d8254e454c08e271f106cf1b168f2bec6017afa4a25296552d7ce706ee09d2a77e5a04bbee347db8

Download Submit
C:\Windows\directx.sys

Filesize
52B

MD5
57a59a9a5f38bd43afab1cd744363272

SHA1
c3facc0c86a6ac45a37c9380dbb8d98566ec21c0

SHA256
0ae49ccd9885ffeeb64bc28864031723887e700ae8c347dd4dd5bc09c39d840f

SHA512
0075a2caaef866307587e5f3fe2a62d4fcc4e473b24870022b5b755d7ddc36b0c25c19f534811fb4facbe33b6a42452e62ab1781b6570b1d9fbc93cdc8ab804c

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
3f6fddadfb4c23393d5bc3597c536f69

SHA1
4a439578281b7083bca8f19c7d481680f5f452b8

SHA256
f74b966c7b99f79d38ead6a25e937f3378cf91b8dc9c6cf66c7b420ee975ad6f

SHA512
de33eae8ed48520c8ea96ac44c67e7b6ef1322c751e08b43700a3696e0c08752bd47e0e0efddeebd38ff0d5572aa757052e3b36008b6a20b4197a913cfc31c8f

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
de849a8a4dd88a318b9fa89a5989911f

SHA1
923ac7b277415a65df70197c49be6242fa60de05

SHA256
c0e378a02461c413d5ce6c7746f313541495206d280ec0001cec1f41a2a22996

SHA512
6327930b464a09354fc88cbcb8076b3f31bac8ca6d9c17f75c27bd39ca90e50d8aef91c0be6995b134e0612ac7b40ad2dca3042a935e0a5526e720c8a252a3a0

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
3b3ea05416cf85e6a6ead88cf5b1ee60

SHA1
05f3551ace972a595d72ef3b5ab5398e2d6ae29b

SHA256
fb89e229b1602bea181fa40bba2005ec049ef54d0117eb3e756ff8da1691e8f2

SHA512
25c666f884f8a9b8299086e20745ffcba1c25a8fbb6f7a308f503a623e1c0ec0899d5a7a845c3f67fa857a1667e8749d0e287a52f5b11681b81733f09f4fd3a8

Download Submit
C:\Windows\svchost.com

Filesize
40KB

MD5
8fa91495aa472bea34f0746d9d8afa41

SHA1
a76f8c6827049cd9463f807d669da38a4fe29cb8

SHA256
81325e9702d79b2844cddc4b9215241d80017e91fc35d97ae6a4c0a247a989de

SHA512
d2986a7edb0cabfb96969a42e00d1764bc50e9f570cb98f69f6dd16aa41dffb0215d12efb8cab23f79b7731255850fdcc1a7a7bd837f44c1158be34c7f1736f6

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
704KB

MD5
a713877ba37f1bee7d1b6dcf3fc8f05e

SHA1
03f7738f8b5c0dc89345776913b5be1fb88d85ad

SHA256
46b4b7ebecbe6f0f7bd5b7aeaf7938be579a104a3c5667ed9925c55361ae3732

SHA512
7aa6abf806376ebd3851b36c21f79bd77038f34b76905089a9c68608109d60e779b36bb4b76ab55ebda8191c507337f3b1c5ffaf394263c907ccc17f72b6fc3a

Download Submit
\Users\Admin\AppData\Local\Temp\Files\Alpha_Base_20240209210907868.exe

Filesize
1.2MB

MD5
02e7e2d88230e0c50304ac6b77e0df48

SHA1
e8c7e9bfa4b58dc69e6374f49a005572f91fb360

SHA256
2a11d63cdfc5e0d2c21ec758d06120b366cdb8390966a8d8c872311779b5ed7f

SHA512
53c59ff6d818f0e74feafd3dfec69fa5feb8ac429dc034590582c7cfac2a5e4b420dc33a3ab59027e3b2c20ce8058841cbb8266c5829f8eb2fda3fbbc6cbe820

Download Submit
\Users\Admin\AppData\Local\Temp\Files\native.exe

Filesize
768KB

MD5
322043c794ad3522f94fa730e9e90983

SHA1
5984423ad4a718d44e15249d0061be3244abe617

SHA256
8b9a40eb065663f2910ff851224b8ebcf65b03ad7a077618d2d79deb704a1c89

SHA512
e5a2c5d592aa3b26965ea30dd3cdc97675772e57eb14b5e7094edd3158c2f0b26d9ba5e6c238046d3f110b4fd540af51df36bcd9ccc1c5a56923bffd9b987fc4

Download Submit
\Users\Admin\AppData\Local\Temp\Files\net.exe

Filesize
2.1MB

MD5
1a917a85dcbb1d3df5f4dd02e3a62873

SHA1
567f528fec8e7a4787f8c253446d8f1b620dc9d6

SHA256
217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e

SHA512
341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec

Download Submit
\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe

Filesize
199KB

MD5
61a90bfc0ac2f1bcf686df0bb9b551a2

SHA1
319f78b33887e20b266220571e685a99a23c4b3a

SHA256
f51f44e64bd7d8ff0774df5dff4382f898fd510166fca640976d71372939cf65

SHA512
4c843d5de8d8def4004b8d69101a641844a8a865ef180434e38306e248bd2694701a07d84aa6a692d8a34cbf2e33860b49a30f603d6f24696debd199391f0c45

Download Submit
memory/524-1198-0x00000000007B0000-0x00000000007C8000-memory.dmp

Filesize
96KB

Download
memory/524-855-0x0000000000530000-0x000000000054A000-memory.dmp

Filesize
104KB

Download
memory/524-2123-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/524-2141-0x00000000007E0000-0x0000000000860000-memory.dmp

Filesize
512KB

Download
memory/524-2195-0x00000000007E0000-0x0000000000860000-memory.dmp

Filesize
512KB

Download
memory/524-2200-0x00000000007E0000-0x0000000000860000-memory.dmp

Filesize
512KB

Download
memory/524-2868-0x00000000007E0000-0x0000000000860000-memory.dmp

Filesize
512KB

Download
memory/524-3430-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

Filesize
9.9MB

Download
memory/524-3442-0x00000000007E0000-0x0000000000860000-memory.dmp

Filesize
512KB

Download
memory/828-2380-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/828-507-0x00000000010F0000-0x0000000001318000-memory.dmp

Filesize
2.2MB

Download
memory/828-516-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1240-1437-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1604-2218-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1604-2246-0x0000000004700000-0x0000000004740000-memory.dmp

Filesize
256KB

Download
memory/1604-1427-0x0000000001250000-0x0000000001264000-memory.dmp

Filesize
80KB

Download
memory/1664-2930-0x0000000000130000-0x000000000019C000-memory.dmp

Filesize
432KB

Download
memory/1664-3139-0x0000000000130000-0x000000000019C000-memory.dmp

Filesize
432KB

Download
memory/1760-3152-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1760-961-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/1760-953-0x00000000002D0000-0x00000000004F8000-memory.dmp

Filesize
2.2MB

Download
memory/2020-899-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2020-966-0x0000000006440000-0x0000000006480000-memory.dmp

Filesize
256KB

Download
memory/2020-2161-0x0000000001FD0000-0x0000000001FDA000-memory.dmp

Filesize
40KB

Download
memory/2020-940-0x0000000000030000-0x0000000001DAA000-memory.dmp

Filesize
29.5MB

Download
memory/2020-2185-0x0000000001FD0000-0x0000000001FDA000-memory.dmp

Filesize
40KB

Download
memory/2020-3447-0x0000000001FD0000-0x0000000001FDA000-memory.dmp

Filesize
40KB

Download
memory/2020-2226-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/2020-2250-0x0000000006440000-0x0000000006480000-memory.dmp

Filesize
256KB

Download
memory/2020-2860-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2020-1192-0x0000000006440000-0x0000000006480000-memory.dmp

Filesize
256KB

Download
memory/2020-1323-0x0000000001FD0000-0x0000000001FDA000-memory.dmp

Filesize
40KB

Download
memory/2044-2353-0x0000000000BA0000-0x000000000110C000-memory.dmp

Filesize
5.4MB

Download
memory/2044-2349-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2044-3296-0x0000000006A40000-0x0000000006E20000-memory.dmp

Filesize
3.9MB

Download
memory/2132-3437-0x0000000000120000-0x0000000000260000-memory.dmp

Filesize
1.2MB

Download
memory/2132-3448-0x0000000004800000-0x000000000492A000-memory.dmp

Filesize
1.2MB

Download
memory/2132-3443-0x00000000042F0000-0x0000000004418000-memory.dmp

Filesize
1.2MB

Download
memory/2132-3438-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-0-0x00000000012F0000-0x00000000012F8000-memory.dmp

Filesize
32KB

Download
memory/2204-2204-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/2204-1-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-2-0x00000000047A0000-0x00000000047E0000-memory.dmp

Filesize
256KB

Download
memory/2204-906-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-954-0x00000000047A0000-0x00000000047E0000-memory.dmp

Filesize
256KB

Download
memory/2356-1037-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2544-2190-0x0000000000110000-0x0000000000146000-memory.dmp

Filesize
216KB

Download
memory/2608-2222-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/2624-96-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-3216-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2624-103-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-142-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-122-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-158-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-2235-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2624-156-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-154-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-99-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-152-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-150-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-140-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-133-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-94-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-129-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-138-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-126-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-82-0x00000000008D0000-0x0000000000AF8000-memory.dmp

Filesize
2.2MB

Download
memory/2624-136-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-3213-0x00000000043B0000-0x00000000043F0000-memory.dmp

Filesize
256KB

Download
memory/2624-118-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-3249-0x0000000005590000-0x0000000005730000-memory.dmp

Filesize
1.6MB

Download
memory/2624-3251-0x0000000002150000-0x000000000219C000-memory.dmp

Filesize
304KB

Download
memory/2624-83-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2624-92-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-90-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-148-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-146-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-84-0x0000000004980000-0x0000000004B88000-memory.dmp

Filesize
2.0MB

Download
memory/2624-88-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-85-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-144-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2624-86-0x0000000004980000-0x0000000004B83000-memory.dmp

Filesize
2.0MB

Download
memory/2864-825-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/2864-828-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2864-74-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2864-73-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/2864-72-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/2864-98-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2896-902-0x0000000000F40000-0x0000000001168000-memory.dmp

Filesize
2.2MB

Download
memory/2896-920-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download
memory/2896-3144-0x0000000074870000-0x0000000074F5E000-memory.dmp

Filesize
6.9MB

Download