amadey | 1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d

Analysis

max time kernel
94s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21-03-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
Size

232KB
MD5

e9ae6966dade7577572dffda25045900
SHA1

0c74a09a308b8fa7ab849325618582f5c8f275b6
SHA256

1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d
SHA512

ad819c61f8cc592f4f30a0ce9dd87961853954f85b5d9062e5df0cfea2308315e608fbe7da55a3e22ea4dc995ddb33a601670dfa8fd1b0507815e24e5442c33a
SSDEEP

3072:W9iPm6pnv5LlfcFZA9SXC5j8+1ldkyCWyIxHEj4U/tHgfJPs9qZvoh:9m6pnBlcFy5jdl/CWy2BUVAfJk

Malware Config

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://nidoe.org/tmp/index.php

http://sodez.ru/tmp/index.php

http://uama.com.ua/tmp/index.php

http://talesofpirates.net/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

stealc

http://185.172.128.209

Attributes

url_path
/3cd2b41cbde8fc9c.php

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

lumma

https://herdbescuitinjurywu.shop/api

https://relevantvoicelesskw.shop/api

https://resergvearyinitiani.shop/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

DcRat 5 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

installutil.exe1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exeschtasks.exeschtasks.exeschtasks.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Qewkcb2XyoiRaFnWsNDr7VNH.bat	installutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
7184	schtasks.exe
8116	schtasks.exe
5208	schtasks.exe

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\irPbDCCx19TvildxLcKKNTxg.exe	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2344-213-0x0000000002E40000-0x000000000372B000-memory.dmp	family_glupteba
behavioral1/memory/2344-301-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2344-370-0x0000000002E40000-0x000000000372B000-memory.dmp	family_glupteba
behavioral1/memory/2344-466-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2344-475-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2344-500-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2344-541-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

44AA.exeexplorgu.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 44AA.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorgu.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

6576 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	44AA.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

pid	process
6576	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorgu.exe44AA.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	44AA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	44AA.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

F510.exeEasyAppns.exeInstallSetup_four.exeu154.1.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	F510.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	EasyAppns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	InstallSetup_four.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	u154.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	explorgu.exe

Deletes itself 1 IoCs

Processes:

pid process

3436

pid	process
3436

Drops startup file 4 IoCs

Processes:

installutil.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uiUQ54BZUMPzifHHhjKLw0p9.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kxiLiD1CUCAgnyD80G3GEJXm.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vDmxobl43s0xfALCeAwzuEDk.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Qewkcb2XyoiRaFnWsNDr7VNH.bat	installutil.exe

Executes dropped EXE 24 IoCs

Processes:

DF44.exeF510.exeInstallSetup_four.exe288c47bbc1871b439df19ff4df68f076.exeEasyAppns.exeapril.exeapril.tmpflashdecompiler32.exeEasyApp.exeflashdecompiler32.exeu154.0.exe20C5.exeu154.1.exe3A2A.exe44AA.exeexplorgu.exeyoffens_crypted_EASY.exelumma2.exe96F2.exefile300un.exedjdjdje1939_crypted_EASY.exefile300un.exe6F59xTzESAAwbZ9WnkSmI4u2.exe8RQ7WMYnlhbMv7VzdRf6AEXi.exe

pid	process
4300	DF44.exe
2204	F510.exe
1480	InstallSetup_four.exe
2344	288c47bbc1871b439df19ff4df68f076.exe
4992	EasyAppns.exe
1004	april.exe
4816	april.tmp
4564	flashdecompiler32.exe
4980	EasyApp.exe
4612	flashdecompiler32.exe
1220	u154.0.exe
2804	20C5.exe
3148	u154.1.exe
2384	3A2A.exe
3372	44AA.exe
4280	explorgu.exe
4768	yoffens_crypted_EASY.exe
4440	lumma2.exe
3084	96F2.exe
4584	file300un.exe
4820	djdjdje1939_crypted_EASY.exe
4768	file300un.exe
4364	6F59xTzESAAwbZ9WnkSmI4u2.exe
4488	8RQ7WMYnlhbMv7VzdRf6AEXi.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

44AA.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	44AA.exe
Key opened	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Wine	explorgu.exe

Loads dropped DLL 8 IoCs

Processes:

regsvr32.exeapril.tmpu154.0.exeyoffens_crypted_EASY.exerundll32.exerundll32.exe

pid	process
884	regsvr32.exe
4816	april.tmp
1220	u154.0.exe
1220	u154.0.exe
4768	yoffens_crypted_EASY.exe
4768	yoffens_crypted_EASY.exe
4632	rundll32.exe
1952	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\jT0CkmH2TEWKrPiUZnnb11MG.exe	upx
C:\Users\Admin\Pictures\qKaNJBuqrv1FUG862DWLpyB3.exe	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

111 pastebin.com
114 pastebin.com
118 bitbucket.org
120 bitbucket.org
167 pastebin.com
171 bitbucket.org
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

20C5.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 20C5.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

44AA.exeexplorgu.exe

pid process

3372 44AA.exe
4280 explorgu.exe

flow	ioc
111	pastebin.com
114	pastebin.com
118	bitbucket.org
120	bitbucket.org
167	pastebin.com
171	bitbucket.org

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	20C5.exe

pid	process
3372	44AA.exe
4280	explorgu.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

lumma2.exefile300un.exefile300un.exe

description	pid	process	target process
PID 4440 set thread context of 1428	4440	lumma2.exe	RegAsm.exe
PID 4584 set thread context of 4228	4584	file300un.exe	installutil.exe
PID 4768 set thread context of 4420	4768	file300un.exe	jsc.exe

Drops file in Windows directory 1 IoCs

Processes:

44AA.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job 44AA.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	44AA.exe

Program crash 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1648	4980	WerFault.exe	EasyApp.exe
4912	1480	WerFault.exe	InstallSetup_four.exe
2988	2384	WerFault.exe	3A2A.exe
2940	4768	WerFault.exe	yoffens_crypted_EASY.exe
4516	1428	WerFault.exe	RegAsm.exe
5580	4820	WerFault.exe	djdjdje1939_crypted_EASY.exe
1348	4820	WerFault.exe	djdjdje1939_crypted_EASY.exe
6132	5516	WerFault.exe	RegAsm.exe
5964	5516	WerFault.exe	RegAsm.exe
5268	4364	WerFault.exe	6F59xTzESAAwbZ9WnkSmI4u2.exe
7028	5316	WerFault.exe	RegAsm.exe
6404	5316	WerFault.exe	RegAsm.exe
5440	6024	WerFault.exe	l2RzxXrzPUeG3sG3mbrsnG36.exe
6228	1220	WerFault.exe	u154.0.exe
8012	5992	WerFault.exe	u3d8.0.exe
6292	6872	WerFault.exe	u4nc.0.exe
5012	5804	WerFault.exe	syncUpd.exe

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\cz6GKyqG5bWhjMrztoZ2szv9.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

DF44.exeu154.1.exe1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DF44.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DF44.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u154.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	DF44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u154.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u154.1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u154.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u154.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u154.0.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

7184 schtasks.exe
8116 schtasks.exe
5208 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

7192 PING.EXE

pid	process
7184	schtasks.exe
8116	schtasks.exe
5208	schtasks.exe

pid	process
7192	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe

pid	process
1356	1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
1356	1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436
3436

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exeDF44.exe

pid process

1356 1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
4300 DF44.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

powershell.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exeinstallutil.exepowershell.exejsc.exe

description	pid	process
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	3476	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeDebugPrivilege	4228	installutil.exe
Token: SeDebugPrivilege	3396	powershell.exe
Token: SeShutdownPrivilege	3436
Token: SeCreatePagefilePrivilege	3436
Token: SeDebugPrivilege	4420	jsc.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

u154.1.exe

pid process

3148 u154.1.exe
3148 u154.1.exe
3148 u154.1.exe
3148 u154.1.exe
3148 u154.1.exe
3148 u154.1.exe
3148 u154.1.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

u154.1.exe

pid process

3148 u154.1.exe
3148 u154.1.exe
3148 u154.1.exe
3148 u154.1.exe
3148 u154.1.exe
3148 u154.1.exe
3148 u154.1.exe

pid	process
3148	u154.1.exe
3148	u154.1.exe
3148	u154.1.exe
3148	u154.1.exe
3148	u154.1.exe
3148	u154.1.exe
3148	u154.1.exe

pid	process
3148	u154.1.exe
3148	u154.1.exe
3148	u154.1.exe
3148	u154.1.exe
3148	u154.1.exe
3148	u154.1.exe
3148	u154.1.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeF510.exeapril.exeEasyAppns.exeapril.tmpInstallSetup_four.exe288c47bbc1871b439df19ff4df68f076.exeu154.1.exeexplorgu.exelumma2.exe

description	pid	process	target process
PID 3436 wrote to memory of 4300	3436		DF44.exe
PID 3436 wrote to memory of 4300	3436		DF44.exe
PID 3436 wrote to memory of 4300	3436		DF44.exe
PID 3436 wrote to memory of 3920	3436		regsvr32.exe
PID 3436 wrote to memory of 3920	3436		regsvr32.exe
PID 3920 wrote to memory of 884	3920	regsvr32.exe	regsvr32.exe
PID 3920 wrote to memory of 884	3920	regsvr32.exe	regsvr32.exe
PID 3920 wrote to memory of 884	3920	regsvr32.exe	regsvr32.exe
PID 3436 wrote to memory of 2204	3436		F510.exe
PID 3436 wrote to memory of 2204	3436		F510.exe
PID 3436 wrote to memory of 2204	3436		F510.exe
PID 2204 wrote to memory of 1480	2204	F510.exe	InstallSetup_four.exe
PID 2204 wrote to memory of 1480	2204	F510.exe	InstallSetup_four.exe
PID 2204 wrote to memory of 1480	2204	F510.exe	InstallSetup_four.exe
PID 2204 wrote to memory of 2344	2204	F510.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 2204 wrote to memory of 2344	2204	F510.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 2204 wrote to memory of 2344	2204	F510.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 2204 wrote to memory of 4992	2204	F510.exe	EasyAppns.exe
PID 2204 wrote to memory of 4992	2204	F510.exe	EasyAppns.exe
PID 2204 wrote to memory of 4992	2204	F510.exe	EasyAppns.exe
PID 2204 wrote to memory of 1004	2204	F510.exe	april.exe
PID 2204 wrote to memory of 1004	2204	F510.exe	april.exe
PID 2204 wrote to memory of 1004	2204	F510.exe	april.exe
PID 1004 wrote to memory of 4816	1004	april.exe	april.tmp
PID 1004 wrote to memory of 4816	1004	april.exe	april.tmp
PID 1004 wrote to memory of 4816	1004	april.exe	april.tmp
PID 4992 wrote to memory of 4980	4992	EasyAppns.exe	EasyApp.exe
PID 4992 wrote to memory of 4980	4992	EasyAppns.exe	EasyApp.exe
PID 4992 wrote to memory of 4980	4992	EasyAppns.exe	EasyApp.exe
PID 4816 wrote to memory of 4564	4816	april.tmp	flashdecompiler32.exe
PID 4816 wrote to memory of 4564	4816	april.tmp	flashdecompiler32.exe
PID 4816 wrote to memory of 4564	4816	april.tmp	flashdecompiler32.exe
PID 4816 wrote to memory of 4612	4816	april.tmp	flashdecompiler32.exe
PID 4816 wrote to memory of 4612	4816	april.tmp	flashdecompiler32.exe
PID 4816 wrote to memory of 4612	4816	april.tmp	flashdecompiler32.exe
PID 1480 wrote to memory of 1220	1480	InstallSetup_four.exe	u154.0.exe
PID 1480 wrote to memory of 1220	1480	InstallSetup_four.exe	u154.0.exe
PID 1480 wrote to memory of 1220	1480	InstallSetup_four.exe	u154.0.exe
PID 3436 wrote to memory of 2804	3436		20C5.exe
PID 3436 wrote to memory of 2804	3436		20C5.exe
PID 3436 wrote to memory of 2804	3436		20C5.exe
PID 1480 wrote to memory of 3148	1480	InstallSetup_four.exe	u154.1.exe
PID 1480 wrote to memory of 3148	1480	InstallSetup_four.exe	u154.1.exe
PID 1480 wrote to memory of 3148	1480	InstallSetup_four.exe	u154.1.exe
PID 3436 wrote to memory of 2384	3436		3A2A.exe
PID 3436 wrote to memory of 2384	3436		3A2A.exe
PID 3436 wrote to memory of 2384	3436		3A2A.exe
PID 3436 wrote to memory of 3372	3436		44AA.exe
PID 3436 wrote to memory of 3372	3436		44AA.exe
PID 3436 wrote to memory of 3372	3436		44AA.exe
PID 2344 wrote to memory of 2340	2344	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 2344 wrote to memory of 2340	2344	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 2344 wrote to memory of 2340	2344	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 3148 wrote to memory of 3476	3148	u154.1.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 3148 wrote to memory of 3476	3148	u154.1.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 4280 wrote to memory of 4768	4280	explorgu.exe	file300un.exe
PID 4280 wrote to memory of 4768	4280	explorgu.exe	file300un.exe
PID 4280 wrote to memory of 4768	4280	explorgu.exe	file300un.exe
PID 4280 wrote to memory of 4440	4280	explorgu.exe	lumma2.exe
PID 4280 wrote to memory of 4440	4280	explorgu.exe	lumma2.exe
PID 4280 wrote to memory of 4440	4280	explorgu.exe	lumma2.exe
PID 4440 wrote to memory of 2744	4440	lumma2.exe	RegAsm.exe
PID 4440 wrote to memory of 2744	4440	lumma2.exe	RegAsm.exe
PID 4440 wrote to memory of 2744	4440	lumma2.exe	RegAsm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
"C:\Users\Admin\AppData\Local\Temp\1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe"
1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1356

C:\Users\Admin\AppData\Local\Temp\DF44.exe
C:\Users\Admin\AppData\Local\Temp\DF44.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4300

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E65A.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\E65A.dll
  2⤵
  - Loads dropped DLL
  PID:884

C:\Users\Admin\AppData\Local\Temp\F510.exe
C:\Users\Admin\AppData\Local\Temp\F510.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Users\Admin\AppData\Local\Temp\u154.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u154.0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID:1220
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GDBAKKKFBG.exe"
      4⤵
      PID:376
    - - C:\Users\Admin\AppData\Local\Temp\GDBAKKKFBG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GDBAKKKFBG.exe"
        5⤵
        
        PID:4864
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\GDBAKKKFBG.exe
        6⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        7⤵
        Runs ping.exe
        
        PID:7192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 2412
      4⤵
      Program crash
      PID:6228
- - C:\Users\Admin\AppData\Local\Temp\u154.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u154.1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
      "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1012
    3⤵
    - Program crash
    PID:4912
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    PID:1436
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:6348
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:6576
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:5936
- C:\Users\Admin\AppData\Local\Temp\EasyAppns.exe
  "C:\Users\Admin\AppData\Local\Temp\EasyAppns.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Users\Public\Music\EasyApp.exe
    "C:\Users\Public\Music\EasyApp.exe"
    3⤵
    - Executes dropped EXE
    PID:4980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 1100
      4⤵
      Program crash
      PID:1648
- C:\Users\Admin\AppData\Local\Temp\april.exe
  "C:\Users\Admin\AppData\Local\Temp\april.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Users\Admin\AppData\Local\Temp\is-8PV7H.tmp\april.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-8PV7H.tmp\april.tmp" /SL5="$401DE,1485356,54272,C:\Users\Admin\AppData\Local\Temp\april.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4816
  - - C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe
      "C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe" -i
      4⤵
      Executes dropped EXE
      PID:4564
  - - C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe
      "C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe" -s
      4⤵
      Executes dropped EXE
      PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4980 -ip 4980
1⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\20C5.exe
C:\Users\Admin\AppData\Local\Temp\20C5.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1480 -ip 1480
1⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\3A2A.exe
C:\Users\Admin\AppData\Local\Temp\3A2A.exe
1⤵
- Executes dropped EXE
PID:2384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1120
  2⤵
  - Program crash
  PID:2988

C:\Users\Admin\AppData\Local\Temp\44AA.exe
C:\Users\Admin\AppData\Local\Temp\44AA.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2384 -ip 2384
1⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe
  "C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 784
    3⤵
    - Program crash
    PID:2940
- C:\Users\Admin\AppData\Local\Temp\1001002001\lumma2.exe
  "C:\Users\Admin\AppData\Local\Temp\1001002001\lumma2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1236
      4⤵
      Program crash
      PID:4516
- C:\Users\Admin\AppData\Local\Temp\1001003001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1001003001\file300un.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4584
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3396
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    - DcRat
    - Drops startup file
    - Suspicious use of AdjustPrivilegeToken
    PID:4228
  - - C:\Users\Admin\Pictures\6F59xTzESAAwbZ9WnkSmI4u2.exe
      "C:\Users\Admin\Pictures\6F59xTzESAAwbZ9WnkSmI4u2.exe"
      4⤵
      Executes dropped EXE
      PID:4364
    - - C:\Users\Admin\AppData\Local\Temp\u3d8.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3d8.0.exe"
        5⤵
        
        PID:5992
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5992 -s 1188
        6⤵
        Program crash
        
        PID:8012
    - - C:\Users\Admin\AppData\Local\Temp\u3d8.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u3d8.1.exe"
        5⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 1036
        5⤵
        Program crash
        
        PID:5268
  - - C:\Users\Admin\Pictures\8RQ7WMYnlhbMv7VzdRf6AEXi.exe
      "C:\Users\Admin\Pictures\8RQ7WMYnlhbMv7VzdRf6AEXi.exe"
      4⤵
      Executes dropped EXE
      PID:4488
    - - C:\Users\Admin\AppData\Local\Temp\is-75DN9.tmp\8RQ7WMYnlhbMv7VzdRf6AEXi.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-75DN9.tmp\8RQ7WMYnlhbMv7VzdRf6AEXi.tmp" /SL5="$F0202,1402811,54272,C:\Users\Admin\Pictures\8RQ7WMYnlhbMv7VzdRf6AEXi.exe"
        5⤵
        
        PID:1568
      - C:\Users\Admin\AppData\Local\Senior Flash Decompiler\seniorflashdecompiler.exe
        
        "C:\Users\Admin\AppData\Local\Senior Flash Decompiler\seniorflashdecompiler.exe" -i
        6⤵
        
        PID:4464
      - C:\Users\Admin\AppData\Local\Senior Flash Decompiler\seniorflashdecompiler.exe
        
        "C:\Users\Admin\AppData\Local\Senior Flash Decompiler\seniorflashdecompiler.exe" -s
        6⤵
        
        PID:5392
  - - C:\Users\Admin\Pictures\hvhdY6OXwVJQ4qABfagegf4t.exe
      "C:\Users\Admin\Pictures\hvhdY6OXwVJQ4qABfagegf4t.exe"
      4⤵
      PID:2816
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5792
    - - C:\Users\Admin\Pictures\hvhdY6OXwVJQ4qABfagegf4t.exe
        
        "C:\Users\Admin\Pictures\hvhdY6OXwVJQ4qABfagegf4t.exe"
        5⤵
        
        PID:7424
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6780
  - - C:\Users\Admin\Pictures\FsEbDiFefAkBzgsmS2Dn8e1p.exe
      "C:\Users\Admin\Pictures\FsEbDiFefAkBzgsmS2Dn8e1p.exe"
      4⤵
      PID:5136
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:8
    - - C:\Users\Admin\Pictures\FsEbDiFefAkBzgsmS2Dn8e1p.exe
        
        "C:\Users\Admin\Pictures\FsEbDiFefAkBzgsmS2Dn8e1p.exe"
        5⤵
        
        PID:7564
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6064
  - - C:\Users\Admin\Pictures\3u5YI6fGHfc4yVwyb7Z3By5z.exe
      "C:\Users\Admin\Pictures\3u5YI6fGHfc4yVwyb7Z3By5z.exe"
      4⤵
      PID:5172
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2940
    - - C:\Users\Admin\Pictures\3u5YI6fGHfc4yVwyb7Z3By5z.exe
        
        "C:\Users\Admin\Pictures\3u5YI6fGHfc4yVwyb7Z3By5z.exe"
        5⤵
        
        PID:7484
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5320
  - - C:\Users\Admin\Pictures\eeBvvDZsprZSXrP4o3d6ZaHu.exe
      "C:\Users\Admin\Pictures\eeBvvDZsprZSXrP4o3d6ZaHu.exe"
      4⤵
      PID:5232
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:868
    - - C:\Users\Admin\Pictures\eeBvvDZsprZSXrP4o3d6ZaHu.exe
        
        "C:\Users\Admin\Pictures\eeBvvDZsprZSXrP4o3d6ZaHu.exe"
        5⤵
        
        PID:7572
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:4316
  - - C:\Users\Admin\Pictures\irPbDCCx19TvildxLcKKNTxg.exe
      "C:\Users\Admin\Pictures\irPbDCCx19TvildxLcKKNTxg.exe"
      4⤵
      PID:5416
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5516
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 636
        6⤵
        Program crash
        
        PID:6132
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 644
        6⤵
        Program crash
        
        PID:5964
  - - C:\Users\Admin\Pictures\cz6GKyqG5bWhjMrztoZ2szv9.exe
      "C:\Users\Admin\Pictures\cz6GKyqG5bWhjMrztoZ2szv9.exe"
      4⤵
      PID:5672
    - - C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
        
        C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
        5⤵
        
        PID:5804
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 1300
        6⤵
        Program crash
        
        PID:5012
    - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        5⤵
        
        PID:5188
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        DcRat
        Creates scheduled task(s)
        
        PID:7184
  - - C:\Users\Admin\Pictures\jT0CkmH2TEWKrPiUZnnb11MG.exe
      "C:\Users\Admin\Pictures\jT0CkmH2TEWKrPiUZnnb11MG.exe" --silent --allusers=0
      4⤵
      PID:4340
    - - C:\Users\Admin\Pictures\jT0CkmH2TEWKrPiUZnnb11MG.exe
        
        C:\Users\Admin\Pictures\jT0CkmH2TEWKrPiUZnnb11MG.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2bc,0x2ec,0x6d1121f8,0x6d112204,0x6d112210
        5⤵
        
        PID:2340
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\jT0CkmH2TEWKrPiUZnnb11MG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\jT0CkmH2TEWKrPiUZnnb11MG.exe" --version
        5⤵
        
        PID:5528
    - - C:\Users\Admin\Pictures\jT0CkmH2TEWKrPiUZnnb11MG.exe
        
        "C:\Users\Admin\Pictures\jT0CkmH2TEWKrPiUZnnb11MG.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=4340 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240321160537" --session-guid=d564096a-6032-4849-9763-6ba95818e869 --server-tracking-blob=ZmYzNmQzN2U3OTljYzY1YmU3ZmJlZDY0YjY3OGQ2YjQ3ZmVhNmYzYzk1M2E1YTUzZjM5MTIyYzEyNzA3Y2FiMTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMTAzNzExNy4wNTU2IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJkZDU2NWM3Yi1lNzc5LTRmMGUtOGYxNy03OTQwZWI3MGFkM2QifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=8005000000000000
        5⤵
        
        PID:5584
      - C:\Users\Admin\Pictures\jT0CkmH2TEWKrPiUZnnb11MG.exe
        
        C:\Users\Admin\Pictures\jT0CkmH2TEWKrPiUZnnb11MG.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x2ec,0x2f0,0x2f4,0x2bc,0x2f8,0x6c7921f8,0x6c792204,0x6c792210
        6⤵
        
        PID:3724
  - - C:\Users\Admin\Pictures\kMlX6Xhf9IRbplCUkuSvaOyf.exe
      "C:\Users\Admin\Pictures\kMlX6Xhf9IRbplCUkuSvaOyf.exe"
      4⤵
      PID:6432
    - - C:\Users\Admin\AppData\Local\Temp\7zS1F84.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:116
      - C:\Users\Admin\AppData\Local\Temp\7zS2551.tmp\Install.exe
        
        .\Install.exe /Hretdidcbu "385118" /S
        6⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:4848
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:2596
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:6736
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:7204
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "ghwUJLmpF" /SC once /ST 07:50:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        DcRat
        Creates scheduled task(s)
        
        PID:5208
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "ghwUJLmpF"
        7⤵
        
        PID:6132
- C:\Users\Admin\AppData\Local\Temp\1001004001\djdjdje1939_crypted_EASY.exe
  "C:\Users\Admin\AppData\Local\Temp\1001004001\djdjdje1939_crypted_EASY.exe"
  2⤵
  - Executes dropped EXE
  PID:4820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 1144
    3⤵
    - Program crash
    PID:5580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4820 -s 776
    3⤵
    - Program crash
    PID:1348
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  PID:4632
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Loads dropped DLL
    PID:1952
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:3724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\270530367132_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:5164
- C:\Users\Admin\AppData\Local\Temp\1001005001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1001005001\file300un.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4768
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    PID:4028
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
  - - C:\Users\Admin\Pictures\oCIHu36k0nd9WA3iYgX5gcEj.exe
      "C:\Users\Admin\Pictures\oCIHu36k0nd9WA3iYgX5gcEj.exe"
      4⤵
      PID:5948
    - - C:\Users\Admin\AppData\Local\Temp\is-37FV4.tmp\oCIHu36k0nd9WA3iYgX5gcEj.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-37FV4.tmp\oCIHu36k0nd9WA3iYgX5gcEj.tmp" /SL5="$190046,1402811,54272,C:\Users\Admin\Pictures\oCIHu36k0nd9WA3iYgX5gcEj.exe"
        5⤵
        
        PID:2452
  - - C:\Users\Admin\Pictures\rxc8dOesAq6V8tGupbKoktpa.exe
      "C:\Users\Admin\Pictures\rxc8dOesAq6V8tGupbKoktpa.exe"
      4⤵
      PID:5128
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4872
    - - C:\Users\Admin\Pictures\rxc8dOesAq6V8tGupbKoktpa.exe
        
        "C:\Users\Admin\Pictures\rxc8dOesAq6V8tGupbKoktpa.exe"
        5⤵
        
        PID:7720
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:7556
  - - C:\Users\Admin\Pictures\02MvaLjcy8MAgYOezpsIMeXn.exe
      "C:\Users\Admin\Pictures\02MvaLjcy8MAgYOezpsIMeXn.exe"
      4⤵
      PID:5356
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5316
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 584
        6⤵
        Program crash
        
        PID:7028
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 592
        6⤵
        Program crash
        
        PID:6404
  - - C:\Users\Admin\Pictures\Hvq7NbBShu3H1zqcDgtgZQqI.exe
      "C:\Users\Admin\Pictures\Hvq7NbBShu3H1zqcDgtgZQqI.exe"
      4⤵
      PID:3084
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5668
    - - C:\Users\Admin\Pictures\Hvq7NbBShu3H1zqcDgtgZQqI.exe
        
        "C:\Users\Admin\Pictures\Hvq7NbBShu3H1zqcDgtgZQqI.exe"
        5⤵
        
        PID:7728
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5236
  - - C:\Users\Admin\Pictures\IyYiX6CDx9fGsTMcjZvEhoIA.exe
      "C:\Users\Admin\Pictures\IyYiX6CDx9fGsTMcjZvEhoIA.exe"
      4⤵
      PID:5228
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4392
    - - C:\Users\Admin\Pictures\IyYiX6CDx9fGsTMcjZvEhoIA.exe
        
        "C:\Users\Admin\Pictures\IyYiX6CDx9fGsTMcjZvEhoIA.exe"
        5⤵
        
        PID:7740
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6476
  - - C:\Users\Admin\Pictures\vZCyoPkBiNIK7SvF2h3LNnDo.exe
      "C:\Users\Admin\Pictures\vZCyoPkBiNIK7SvF2h3LNnDo.exe"
      4⤵
      PID:6048
  - - C:\Users\Admin\Pictures\l2RzxXrzPUeG3sG3mbrsnG36.exe
      "C:\Users\Admin\Pictures\l2RzxXrzPUeG3sG3mbrsnG36.exe"
      4⤵
      PID:6024
    - - C:\Users\Admin\AppData\Local\Temp\u4nc.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4nc.0.exe"
        5⤵
        
        PID:6872
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6872 -s 1016
        6⤵
        Program crash
        
        PID:6292
    - - C:\Users\Admin\AppData\Local\Temp\u4nc.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4nc.1.exe"
        5⤵
        
        PID:6796
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6024 -s 1428
        5⤵
        Program crash
        
        PID:5440
  - - C:\Users\Admin\Pictures\Yp8fhKs2HTSdwpHy3crNmM0I.exe
      "C:\Users\Admin\Pictures\Yp8fhKs2HTSdwpHy3crNmM0I.exe"
      4⤵
      PID:6012
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:6544
    - - C:\Users\Admin\Pictures\Yp8fhKs2HTSdwpHy3crNmM0I.exe
        
        "C:\Users\Admin\Pictures\Yp8fhKs2HTSdwpHy3crNmM0I.exe"
        5⤵
        
        PID:5672
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5540
  - - C:\Users\Admin\Pictures\qKaNJBuqrv1FUG862DWLpyB3.exe
      "C:\Users\Admin\Pictures\qKaNJBuqrv1FUG862DWLpyB3.exe" --silent --allusers=0
      4⤵
      PID:3696
    - - C:\Users\Admin\Pictures\qKaNJBuqrv1FUG862DWLpyB3.exe
        
        C:\Users\Admin\Pictures\qKaNJBuqrv1FUG862DWLpyB3.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x6c2d21f8,0x6c2d2204,0x6c2d2210
        5⤵
        
        PID:5052
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\qKaNJBuqrv1FUG862DWLpyB3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\qKaNJBuqrv1FUG862DWLpyB3.exe" --version
        5⤵
        
        PID:6136
  - - C:\Users\Admin\Pictures\EChMcF40VKM06mHfCkBOFjV7.exe
      "C:\Users\Admin\Pictures\EChMcF40VKM06mHfCkBOFjV7.exe"
      4⤵
      PID:6748
    - - C:\Users\Admin\AppData\Local\Temp\7zS2726.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:3232
      - C:\Users\Admin\AppData\Local\Temp\7zS2DFC.tmp\Install.exe
        
        .\Install.exe /Hretdidcbu "385118" /S
        6⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:7532
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:7552
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:7644
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:8036
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gvAFxicgW" /SC once /ST 05:30:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        DcRat
        Creates scheduled task(s)
        
        PID:8116
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gvAFxicgW"
        7⤵
        
        PID:6776
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  PID:5872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4768 -ip 4768
1⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\96F2.exe
C:\Users\Admin\AppData\Local\Temp\96F2.exe
1⤵
- Executes dropped EXE
PID:3084
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1428 -ip 1428
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4820 -ip 4820
1⤵
PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4820 -ip 4820
1⤵
PID:2580

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:6028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5516 -ip 5516
1⤵
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5516 -ip 5516
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4364 -ip 4364
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5316 -ip 5316
1⤵
PID:6860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5316 -ip 5316
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6024 -ip 6024
1⤵
PID:6560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1220 -ip 1220
1⤵
PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5992 -ip 5992
1⤵
PID:7908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:2300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 6872 -ip 6872
1⤵
PID:7180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5804 -ip 5804
1⤵
PID:5744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\PrintWorkflow 1.34.199.64\PrintWorkflow 1.34.199.64.exe

Filesize
1.4MB

MD5
a6c0994e8f7e9c62fd0b60ec30da571b

SHA1
a59232ade92bf57f80c6594ac8d6b95dfb6ccaac

SHA256
58db50c6d66818fc189f27d929db52d1a9e263fb69e168bec45caf0102f19c93

SHA512
7dc1b5b9f3fe8824d681a79ab626dce792dd0fcbf60acf123277cb2baba9c67743a06c8d94c19485c2f79cb54f3a11810d197e26439b2b00991063c0a942dd9b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.1MB

MD5
ac48436d389db26393637a11a95bdd02

SHA1
bab6970df73fc413687f6888c56493c5df6afb02

SHA256
3f349ae78c4e78ea5e49ea261d3707dba72e528bd33e4cb2c4655d53c5c63958

SHA512
c3ef6626d84215d1c4e23a12ac8bb1c9e90ca0f9ea9d73511084037ba3d7932af1f82611d1f535582bb41c1718c2aa4b56122b1b152bdafa1f55d6a797303d0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
9c895ff8e141e338cc7291470e54f3c4

SHA1
f2579d6636f167a489f54bf11355ab36288f785e

SHA256
f18af4cfe0ddc3846be432eafb25fc2ab6a0df228ed7e749ca6cc421fc3c1f36

SHA512
d43e2cf57d47af2371e7b5052f50f8b39257c02936407ceb6f1fef1f84b9b72eaa9bf68cdf8fd796dc499268092948f9bd809700c41c4a707f4e86a2e5780bc0

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe

Filesize
320KB

MD5
4feb2aba3cd3dc43c8b18c0d58d2af34

SHA1
9bcc51dc24ebf0f11edded350a99f97e5c9be225

SHA256
a80d40eec3a15599b6f929266f7f7c22765c0def20d67f9da8dc5fe16d8c5686

SHA512
d637d7b1a7f87e71fe60148f7a760430e62dabf94e8c14d5139879ffca202f5387aeef5b8c0b778f47467cf60d362033fbaa337ca416a58a4f4c510bf18e3792

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe

Filesize
960KB

MD5
180eaf7caa9e887254a1401de17805b5

SHA1
3422f26d3faada0241134b6443814695e4da1326

SHA256
22d4224c3b3b64e42b1f2fd346884ef609a1256744057d333b66d8846dba0613

SHA512
5222e376193cf3ffd0d7fffc67a4533b5a4fd0484118a61499826c240b8673dd18e1a4817777f38b46dce2d5958445419c8d3a31ae77b74ece248cecebf57109

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe

Filesize
768KB

MD5
2b6f7dc3bf09d4e0daa985fb5e508e31

SHA1
537f14e913ffa3e5a96bb7e11ee022c7eda28239

SHA256
f885cbe0cca330a548ec82219b6ebf2a282933a6bcbed8a5f7ebd1de0cf59015

SHA512
813c1fe709281cd4ba8d0bf6b61e61d6a7a31a3a22bd1c78265ad0d4055f447e33fef4d66b113eee55ac3bbea173e3c92ab75b4734d299e90a71d68187ddd787

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\is-8MJKR.tmp

Filesize
66KB

MD5
f06b0761d27b9e69a8f1220846ff12af

SHA1
e3a2f4f12a5291ee8ddc7a185db2699bffadfe1a

SHA256
e85aecc40854203b4a2f4a0249f875673e881119181e3df2968491e31ad372a4

SHA512
5821ea0084524569e07bb18aa2999e3193c97aa52da6932a7971a61dd03d0f08ca9a2d4f98eb96a603b99f65171f6d495d3e8f2bbb2fc90469c741ef11b514e9

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\is-AR691.tmp

Filesize
40KB

MD5
f47e78ad658b2767461ea926060bf3dd

SHA1
9ba8a1909864157fd12ddee8b94536cea04d8bd6

SHA256
602c2b9f796da7ba7bf877bf624ac790724800074d0e12ffa6861e29c1a38144

SHA512
216fa5aa6027c2896ea5c499638db7298dfe311d04e1abac302d6ce7f8d3ed4b9f4761fe2f4951f6f89716ca8104fa4ce3dfeccdbca77ed10638328d0f13546b

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\is-CB3GT.tmp

Filesize
122KB

MD5
6231b452e676ade27ca0ceb3a3cf874a

SHA1
f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1

SHA256
9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf

SHA512
f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\is-I82RP.tmp

Filesize
687KB

MD5
bda40d5cde0f48cc4f33ce405e3302b5

SHA1
8b251ac266f3b1e5659e5cc1e08a59961badade7

SHA256
238ff7104e59dfb660e1061ad2520c0704715383211d58d114f14486948dce2a

SHA512
0aeb8772bd997b59d9bae3522136df105bf0430718154a9ad3a9155aba9be9f5af359e5c7ecce8b1f0fddf9f1944f04559adecfd2abd4131ab71624382060408

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\is-JTFKK.tmp

Filesize
172KB

MD5
6896dc57d056879f929206a0a7692a34

SHA1
d2f709cde017c42916172e9178a17eb003917189

SHA256
8a7d2da7685cedb267bfa7f0ad3218afa28f4ed2f1029ee920d66eb398f3476d

SHA512
cd1a981d5281e8b2e6a8c27a57cdb65ed1498de21d2b7a62edc945fb380dea258f47a9ec9e53bd43d603297635edfca95ebcb2a962812cd53c310831242384b8

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\is-L6PL5.tmp

Filesize
103KB

MD5
0c6452935851b7cdb3a365aecd2dd260

SHA1
83ef3cd7f985acc113a6de364bdb376dbf8d2f48

SHA256
f8385d08bd44b213ff2a2c360fe01ae8a1eda5311c7e1fc1a043c524e899a8ed

SHA512
5ff21a85ee28665c4e707c7044f122d1bac8e408a06f8ea16e33a8c9201798d196fa65b24327f208c4ff415e24a5ad2414fe7a91d9c0b0d8cff88299111f2e1d

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\unins000.dat

Filesize
8KB

MD5
29cde9ff66f1f93c140211a3a9e815f6

SHA1
3b54976c31dbceca279cbd48ce42d9beee00be5b

SHA256
8e92636d200f08d6d760f1042fe7681e9c6ae7747d31d83706fd185cbc36444f

SHA512
5ecbb159894c71e31e51805379bbf88c62719e60a386b010b7f0bd3cf9d0edd12cdb9ec231c08fc047f843403caaab4355b1df0796c7ef076969f145856a87da

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\unins000.exe

Filesize
687KB

MD5
bce6e5f447d08b05490fb5d3405500a8

SHA1
1245fc2d0a04c5af1018ac729f81546ad69791ad

SHA256
ff206fbb3db0701109b5bcaa6a749dd47f06a5f9ad4c22d2ca7afffdcf305624

SHA512
04ed3c73f655329336d0e6c937d297cc3ba9c489b5909c9d32e46a68b4dbb11f19632bb8e5d9c336bf44f24f59084ac07fc74a99e798c8e01de4e2dbc1d919a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe

Filesize
832KB

MD5
e3c0b0533534c6517afc94790d7b760c

SHA1
4de96db92debb740d007422089bed0bcddf0e974

SHA256
198edf9613054f8a569ac804bf23081fbfa8566270fff05bba9dc3c9a32d9952

SHA512
d12631796afca877c710b9308d1236fca1bfe3abe6582445d9df1bbb404160cff220316e3f600b3a87b46dd3bfb859734008b5c668e410466e82be9dc033249e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001002001\lumma2.exe

Filesize
322KB

MD5
3c30dbf2e7d57fdb7babdf49b87d8b31

SHA1
33e72f2e8e6b93a2ecffccba64650bda87e08e0d

SHA256
8d2c29f6d94f4375450e54b8d9fcd645beb7642d4240a4137e7c8539a57040d2

SHA512
c48c83d1d9d459720bea88aa7fb56c13d886fff9ab65deb0ace750d7d35a7b61c66b5d697e506ec152534d788f1641c51bcba38610ae66a6a8e08b0dabdc7657

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001003001\file300un.exe

Filesize
4.1MB

MD5
1998fc3ec42e9e6a3d6d863661a3796b

SHA1
eda24df27f4f71012535be71f855eb7c2792900c

SHA256
4878feed268a52855902420197d1a8e08b93959998e5033ee500ead7278891df

SHA512
1fa807cfe0e16ff77db62516cd9d841c5e49d5196b86894ba073c70fa8d8a02d700bfb2e4c6312ce4f031dd02d411f4f9f48528f058e12a02ddd08644373a225

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001003001\file300un.exe

Filesize
3.4MB

MD5
2071e013dda587bafb2268da3fb8f575

SHA1
32705045594a67963c03d4431fbd5377cb48e98e

SHA256
1b388fae54493c06cbefd639b05f2f8756004243a73f86d0fc0070ae1bbf3bb8

SHA512
a3df0b05ac83261e28be6b27d294b8e92db7cab3073dfcd39e74a7bbf9c3fbf663705bd3b47ead6f818b74ddb7c3cde8ea9fc5a45db29ac5eb5254b03b2cfe72

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001004001\djdjdje1939_crypted_EASY.exe

Filesize
570KB

MD5
d27ac79a31d3b896630513670235991b

SHA1
b4867d210bf20a8fda625f72d0ef474e4c3fefa3

SHA256
acde7f23d8aa2f926c565b87bd383c02c82ddc946e582fba61a50fd77565b463

SHA512
e31c56ca7b67bf32d5d6d0fa05799f461df963c95b6f76be384871256320ace5e436537ed9b6b4c0bc587d2b7cdb0042e709fe3bf5266d1f646476a3203fda9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001005001\file300un.exe

Filesize
3.1MB

MD5
1d2f2021a7182561dd051e12bc09f402

SHA1
a34ad89290cccfa7d1e96f6710ee5f493e628a27

SHA256
dcd3fbadebdc69a74a30ae184d36dcdf1b37c724cdd5b586ccb0577e87c4f7b2

SHA512
c494ead767cf8374e2ea5ceafc3a1eaad6c22530eaf19ffb1ae5534500348249f39b7a4f84507a8e458573e7da1b43dcdaeac40e1e0486e1d6659ce181b541a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001005001\file300un.exe

Filesize
1.6MB

MD5
47bdc30d99ae842fca3d3c25c875d931

SHA1
ecdfacef841a8c757755599a3bb442e1001d4f88

SHA256
3563af1994f557075d649dc462b84d29d2e584cb2fc66eac271c2c3187e54eda

SHA512
06ee3a6915adf94a28929ea150996dd14717e0c3cab7fe29471870c1b26b607f17c61d0305101e680a4c018c1124f45c9d914a07b791574565d4a7dd53ef0219

Download Submit
C:\Users\Admin\AppData\Local\Temp\20C5.exe

Filesize
1.8MB

MD5
5baf4f56810b3a10c8d9067eb3d5edb6

SHA1
94f941ea3282b80ca915088ab4674b8cedb482c2

SHA256
30b04c4198092ec46bd644b4e14c9eaf946aca0948fd0ddc48b1f31808e95f86

SHA512
a837693306abadbe4de29f9a7988985102956512969fefc543b37c171a4e93bf56a6b1554a07c98a1b48e1e9e25620ad4e0dd0a7c259b0df5637c60e957e5b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\20C5.exe

Filesize
4.1MB

MD5
f23bad8c7f18daf6c07c804a719e9c8c

SHA1
c994bcc773c5d09b4cb4cf5514db00906a9860f7

SHA256
b017a2e37c452ff752af18456e4e4c3a4af1ac138a361041e0f2f0f0382ed24a

SHA512
1dd235403cc6a3d3286ecec2cb3780caf4791ce5920bcd58b55b1bc581078ce8e958733c63bf1f9dba373e5e6cc088d48a22c8165d34b8c71bf4e322cd38ec6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.2MB

MD5
7ffd77efae1af0374a130521565e5dcb

SHA1
448238afc2bcdb84c5cfa57303d0c52581754c6a

SHA256
540072775faf0bb142cbce89d152e710b5408149107068cd85de2a374a6866d5

SHA512
9ad6602e7f7ebfb674a88e6a492eba93cde43624df03f16b2b38ee2fe3c0860131621e198ed7d188d7187280447225b2a889d5fe0aa53331985663d6bd949c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
896KB

MD5
e4dfc14c9239ce29cd830bc68b0d5526

SHA1
82c54157211ba8ff2f699335082a484913a1f988

SHA256
d2a8b1a26abab3d2beccf4d80e59ae8624e867798201263f820323290f42a093

SHA512
fb2a9f741f73d119cdf409236d51b1b10f7840f872959472e6bf34beb12aeb38fbdab26ea75ecf1ce9c27665f022d2803746725f56c2656e9102275ac5452340

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
640KB

MD5
959b5992f4d0e58e750a12f9199cb096

SHA1
22848b274ef428d6e449c20045da6d7b24301b69

SHA256
98f0977d647910e6a3e69397945b3bfb1fa65dc82c354dd0966ad6c97f790c92

SHA512
f4e7cfe6d3e8e1b1c3a5ed01071912f2329fb4fbca910b5cd4d7afe9043377be6e3c31888ec812b1780041c7aec2c985dac6d0c901382e3328117f727b2d5c38

Download Submit
C:\Users\Admin\AppData\Local\Temp\3A2A.exe

Filesize
2.3MB

MD5
1a6212bd50131b501fd686aa403b5571

SHA1
c0ee0b6a73c0f6a4c3a3001cd0d4270446b6f62c

SHA256
ee744184fffb5722a24c893fc295ce92f4e8e448470bd57ed42f25db39663457

SHA512
80a0d40cf72993ca0053e948c65842a1f0a65b415f6c0fdc0f28c57d62a26e5f7ea5b6f63cb6ac90e88a712c9c970f909f67828ec644d0d5798cf5983675da15

Download Submit
C:\Users\Admin\AppData\Local\Temp\44AA.exe

Filesize
1.8MB

MD5
2bde26322e0e1ff6b5e4fdb2fee9f603

SHA1
989c9014b294a41b25666e5007f4670ce70ff371

SHA256
608bf79f55ee1cc18a425b62b79981d2c5ea6d25fd4b2d44feef0bb20a505a1f

SHA512
0960594d61cd065703d4455301930b6ceba923c8cdb3a23f9822b2e6f60db8458e559d1d9024dc2d1f6ca29793dc99f9ee0b97cad9167d76e3910adda561393d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS2DFC.tmp\Install.exe

Filesize
6.7MB

MD5
3281414d3675e4c0b3bcec436800f6cb

SHA1
d4aea34e5e4e238117fb3d07815995f46454536d

SHA256
c67a85e8acddba0f7a25426de4d9c541958ec568703450b07a1d326a340b6136

SHA512
3b3e54367894ad5a2cd9123cf65f3a0cbd9c05de31bd6be359011d17cca0d5967adfda1f36b3af717ddee609fe581a1447899da9fb56de446432b22f26317cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\96F2.exe

Filesize
5.4MB

MD5
49f9d97838ac4968b35b939f5b9f2a7e

SHA1
6fc307ec11f13b783cc6be26c96d90c79e66644d

SHA256
fe0c011c702bb9acf01549bec219a0eb21905d25033b905b579a798359ed21d3

SHA512
756085e22e986f47b06cb04ddddc4cc0be6ee3b67fcaf30a0a60a4f817cfa646d436aa30ce0dad65f8211f90e5cdfe754f318226331356a97e29ebfa7be9f79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96F2.exe

Filesize
4.3MB

MD5
71470fb2f6b4a84f94f5b0880e286356

SHA1
57253e6d619c76a8a2735e4cbf01466df210f9ba

SHA256
18d7fc73c4842461c9200434b245b17fecc940e575f479f37f68e235e35db6dc

SHA512
c8e9581044c2f030569d845d675bc10dc2e3be532953ae11d8738ebc85088153a16a299de7edc8438c0f7017b6f96db3448e78d1908c69d64d0551bc13408d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\DF44.exe

Filesize
231KB

MD5
7694ef52baa1a858756293bced10a79d

SHA1
87d718a5e3ec8c0d4c4b493ebae2220afbce8c53

SHA256
c19fca4cdc631a54afc9108d3be724251504bc41025e41818662ac942e25fc5f

SHA512
c914f35c49566c894179efef74bc049594672eca15d18259b5961e6d33b2618329541f1db4086fb37edb9336b1fc05ed5e76b68a1579228dd373b2e18af30cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\E65A.dll

Filesize
2.2MB

MD5
e69125300a060d1eb870d352de33e4c3

SHA1
60f2c2e6f2a4289a05b5c6212cdaf0d02dad82ea

SHA256
009de0571eb77c7ed594b9e5cda731e2953fd2198e00b25a0e2c4c4ef7414355

SHA512
257d3b61b2c85c1e71d2a80a5fbf44436e9734785fe6b0a643c1939dd01c1d8b98f1c454695296f7137ff035ec6c0118f053e4833e0be91618f2a9066a8cace9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EasyAppns.exe

Filesize
988KB

MD5
065760220981039db19b9701aaeffddf

SHA1
318170b5ca3673cff578d89b7de116f9d6fcd961

SHA256
cac5a59708cebec195aed03baf2c20b32b277ea73738d054ba40a072719160bf

SHA512
81bb505365d1a10dd902f76b24ec111b519d17c0ede500b5c47d6eab9f187f95ac2897b09e7004762455a17cfb068a47c854fd9c29957e13832bb108a6385895

Download Submit
C:\Users\Admin\AppData\Local\Temp\F510.exe

Filesize
4.5MB

MD5
c6c104c19e4cdcead9bcc09fe3eb4840

SHA1
6b87e156df3952a6490fbe6155335e8f3d8b4aa2

SHA256
1ecf190761548868e3fa123ec7bae43137c0c948355c60a7041a7bfde877dde5

SHA512
4d31119591b588b1127329e0a9ee8d806403512964b1f7a5b3019568c1b8ab98f1d4213664f419ea1bc79e1f366bf23080dbcb5cb14e3d5dc61ee72630e6dbb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\F510.exe

Filesize
4.8MB

MD5
696e7fe0649c7d3569dd79858424b3e2

SHA1
712f720868316b55639b05643b1da1a0fdd5b91f

SHA256
893517d2521d39d8d3a420b4db4068b0c05c3a053234e4796794d319a2292631

SHA512
8b9841b6c5c137dc415e8ba0e73f5cf66f09fa43bb9d7334cfadbb3b6a7192ebad35c75a2ff3afca289ceb39ea232ed068ae2735a82e26e0fbf2eb95d4be2468

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

Filesize
404KB

MD5
383c48c7f64a6867db5b8577fa3abfbf

SHA1
926911f9581df56f5ac38fac01f6d45acdfb7dbd

SHA256
9b37a304f33bda4707c0dae60a20ac7c76c75752b0d06ad9fb2d6f07f8edd1b9

SHA512
53b5d42ed93ad6f1163ed00be8cd1b66d367fadf25853c16d8c6fb710f69d9e8a32cb85d0dbf36d95c85da16b214de2a564bc0750c264bb0547dd8910a6f4442

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403211605365305528.dll

Filesize
4.6MB

MD5
4bef2086f25c5813396d07b5fdce31ec

SHA1
89f3a0f7b5143abd610795bc2981ca5bbbc40071

SHA256
5a63f85ed97a4f41aa7e13228c35eef1ad60984f54ed2f843191c21fe7c45a98

SHA512
85dffa48f112024e9c644420f74c7bfff0e88b3c0e4b642f52927c5a5e46890acf8755d4f78d42badaf8512bdae2526bd9d79e61d71f99f5079fe50304ddf7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qgmu3f3f.lct.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe

Filesize
1.8MB

MD5
00afae68a43d8845cbe0555330b2d332

SHA1
4db6e7281ba89d9808bddd823cae64fa6f7c6ea4

SHA256
143d067bf572802cb8a76ad8e9e8b240b4f5cc6b757400a20fdfde18fb92a1fd

SHA512
40670fd43961e6f8c41052545361af45393b508991c40393d63481db1a0389ee1ea9dd8f9a0077f3db4178968d4d404646992cdea3983a34ab6f041e408f5742

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe

Filesize
1.3MB

MD5
e20d195d4288af7892d2ecd5323b1bd6

SHA1
9fe7a3502e9c763ca3cb608d0a68689e85082028

SHA256
e0b088e9c33e50f13357a7fb7ebd0b5487c0f70620ef0ddf1ae3b618b0f265c3

SHA512
5b39bfba8d82cb599ee0f648dc9c6a427428f83cd08f9bb0c3ad003ce98c7523bad98f45311f5960d4764eaecc0444c38090edfd08c45ad39b1d01ed425c763d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
5KB

MD5
346aa97e29b2e0ca1fbf713f3d127a3b

SHA1
7ff77d7ea1b133706918edc55c7dff7fe22c6613

SHA256
a3bbda9dc3030d026d7560b6a606e9331fa6a80772cb29311b829d86b9e9b12c

SHA512
017652efa16e43356dd1b2eadeeeb6941ba3b19a617f1b796481e5669ea7498a90bb9e52fe88417e2cfbe68bc3777608a74083b7c4792aed0badfa65ed90a08a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
0496a9bfe3236039ee9826f8e9cde69a

SHA1
6b6d214cf791c6b712988140afa504e53b45a314

SHA256
0f0678cb723765de8926e8af49bc6e233256922edd3d3920accb48d856965021

SHA512
1e3836dee1c3bbce39761e20bad198049237ed1ed30d93c8d98d704b42078966b4b95f1541c77b353e5a20e605cb0f301491c2402dacd55896bee7fd84e22686

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
3904ea0a52929403624f7514e745e722

SHA1
84ecaf0b724aa99c14936227bfa1514144a57047

SHA256
04135164095b259504182925771b09d1351fc24e8ba430ded16f01800f463571

SHA512
c711678f44ed5243556d0698186e40ab20efd14d506c8c0a5a390e1c377e99df63e0582519d9bb3d93bca1fc259d49637387a15af290b980489058a7679afe70

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1ELM0.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-75DN9.tmp\8RQ7WMYnlhbMv7VzdRf6AEXi.tmp

Filesize
677KB

MD5
fc4d31e365a461bd4cb0a22fb31b22d8

SHA1
851aba9b8a189ee51f562f69e1b07dbd29dc5373

SHA256
2b4588a6381c9b8f0b02471d6164db22be667c70f060d948767a9ee825e32abe

SHA512
b6dd79f07248ff890dd7b1176ce05965a669be978cd96b356f262c460bdaae7dadc8aaa3510fe606c4b2904bb0bc3ad198b9c56a4f04aa2c60bdfe8ebbd3ef03

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-75DN9.tmp\8RQ7WMYnlhbMv7VzdRf6AEXi.tmp

Filesize
128KB

MD5
11292ce7f6dc3908b42abac623600d17

SHA1
d738e5475199564968d3cde0df90a3fd3f0819d0

SHA256
a3150d1c52a5362eedcabee10c0140d6ae7b391376efa2dbdc923e861dbd568e

SHA512
f9e17889b141da051a31645952efa146779a366befa5a20fb43669f610404a8301e4dc56b4c7748265e19fc3b6746d6a84aed56fabb358962eea01782e66d6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8PV7H.tmp\april.tmp

Filesize
677KB

MD5
8519bfba2d14dbdca979e73c62ed4b46

SHA1
388030278d4f7e4d88754adc3ff95df54e01eda9

SHA256
6848c671e27c33dd065e1d70c9be0a4205ad69ec9b4b4b356d03eb8dc73ddeb5

SHA512
a1bfd50e48a82f7b100de76674a082eb77ac385b7ccc5ba574f45b97e2e4a992541a992b979b266b9e6bd27eddec02f943b776ed0210d5b788954e15463921aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JOMQD.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswBB00.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\u154.0.exe

Filesize
216KB

MD5
1b391ba41f3518334ac273d4e4278e5f

SHA1
a9802023f005d418014c045246ece5f601e73360

SHA256
e3a986731e2d94450a7784dcbcbee670bf89e4932be4b467e11aff6d84b7cca9

SHA512
4144fecde918d67c7b75328caaa43af15329a39542af5f5be601b3936dbdb51149afabd972fc39d115f907e3054bcad1f29e30926c9c9e0aa9ab16a162e0e0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\u154.1.exe

Filesize
576KB

MD5
9ad529d04bba59270326802f05eea285

SHA1
9b0439ebc689c5ce31675a75219b33ba66eb8d1a

SHA256
337471d45b8cae5a0a6ca2b6f2f6d162adbd6f251a8cb510b6d4a400e4a0a96e

SHA512
5bc52c7c5f13aa8d282bf1615c84dcb82e5d1375a4c10342d2f726dbe6f250bce97141efe855f71b71ad0bf096fff62eeeea631e6ba5a5094cf2b375cfe5de0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u154.1.exe

Filesize
896KB

MD5
3479d3b7b0be258d1061db552c6d02a1

SHA1
d5c37c3d5bfd0b11b00c2b9502afce4809dfceb2

SHA256
0b9665f075ad8caaf161542f69cad94bf1ffbf662d283e6b24a578eaa9cf6656

SHA512
2178480655dd11a34cd89acb3ca99c3d21b93b6972e9151fe61ab5ae7c93bc3ecbd1ee85529c4d57caf8557b93284cd67cf05aa3e94aa64dd51717a9cc9c9131

Download Submit
C:\Users\Admin\AppData\Local\Temp\u154.1.exe

Filesize
64KB

MD5
1d67d31ae4c604259e783c8ae6dd0339

SHA1
d13770685a6eacc16c8670c0197b83f2aedb50bc

SHA256
6473c36460c22ea67f9d0821e5032491177403e8651832ba82336aa774f22668

SHA512
cd803a9ca71cca0ee9755ee6ead2505d303a60f04afc68277baf7d7947d8621cd6c709c2db0c2783c6339127e48df37e0350d8db5bc0aad12e8328c606aad54e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
768KB

MD5
0ce28fe2eceb639b18c48659b6fb8a99

SHA1
406a6446cf1cd49fc2d70289fa8c4d81f916c683

SHA256
24cc138962da1724642ea7956666183b20f97d2a49d0bf6a6c9cffd388a9742c

SHA512
a0ab8990614ad001a9961761325c0c3298bd31dada9b5610ea76e5c537ee2db8ed03b3bbc1cf5afadaec636c8b5a8bc71b6ec3be0d5442df8046efad576aca47

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
709KB

MD5
57280324f0b3fcfeb82457c06b7315ba

SHA1
a85cea91c8417239641e0ab205f099e686c49110

SHA256
7293d7a448144530166b3ad7e0cbc3e537c91caf9a015658e628c067ff03cd28

SHA512
c7d203f0b107bdb5d660eca50e06c8734761633ca3d6a3d2395516fc5585ad05ddf5c2acaaea81cfcab654fdeebb62c1ade479c5d0646371f3c95ab87c8629db

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\Pictures\3u5YI6fGHfc4yVwyb7Z3By5z.exe

Filesize
3.6MB

MD5
bbe6791d0d05b216f70b92e373586c35

SHA1
6fe1b3cf3517e97d543df31639d3b5bca551175a

SHA256
b3d9d3cd008683c1ec2fa48216705e36ed17cbe1743e79ba92831f0a93c7a288

SHA512
b1fda14dc938035b3a5aa82d8da61b398ca09548a58cd7e9e79f42e7358cf09db402a208d9bca28e666a0362a9d1230c7f0fe3f7faa71cf6f781877cea0061e0

Download Submit
C:\Users\Admin\Pictures\6F59xTzESAAwbZ9WnkSmI4u2.exe

Filesize
410KB

MD5
114e205fbf7feb27d11c85e488d37aa0

SHA1
a995dc7dd7902ed88ed4fab9887d7a4ea1893a5b

SHA256
e426ba7a4df51a411423c0d8c2ad3ca32ab301731dc11ccd307279c64aefff3c

SHA512
92ea23836c70289940ddb8951555151ea7c07bacd5fcccec2edd6b84c529043dc2093d207280cfbf159355dceddc04b7379e91ffeb28a3e437e161f8039fe31c

Download Submit
C:\Users\Admin\Pictures\8RQ7WMYnlhbMv7VzdRf6AEXi.exe

Filesize
1.6MB

MD5
61b8daecb1ee2e91ed9033b0ffc31219

SHA1
c3d87c46f32b1a16357dde7726042f74ef189f22

SHA256
7d486d748a983fb5074f03d9fe6f45563251463ffc476aa4ace4b9c5e69bbbe6

SHA512
bcdadd7234a61464507c94e4f4a2e1ac3d95d09abd95f58d6d5609ae8d4c36e4f84adddb0cfc1d9569b5d00f25b8c81066b8cdf61ba5e3086e6ca0febf160386

Download Submit
C:\Users\Admin\Pictures\8RQ7WMYnlhbMv7VzdRf6AEXi.exe

Filesize
1.1MB

MD5
6a2a2beb823f0fa480db6497c1469c15

SHA1
093e321c6fbfc6d674f2f00e90137e8ebe864548

SHA256
e8c34f810cef1cd32ca72f4158127d061bd95f57e5988e8b5698bbf0ec572519

SHA512
9bb78bf8a0d932c0345d5dfcdde2f1c70d08ca862902c6009c5f9c23424a5fb4acf252bfbd47df0729e01ba2abfdce20dc62d92115a9201d9d044fb8dfa8e3c9

Download Submit
C:\Users\Admin\Pictures\cz6GKyqG5bWhjMrztoZ2szv9.exe

Filesize
2.1MB

MD5
7a210a611206a0174f13bb501df49194

SHA1
4753ab2e5fcfb7633d60fca9a4fb3fe102a1081c

SHA256
8712b68e897cdafe664b92ad795bd3c60334daa1cc3c903567496475bc80d371

SHA512
f1a845b618d7fab40424bef5156c791e53479dc7227cb3a745813dd8b008b81799a4dded387bb2c4b3cdc6d1933fd13378bdf740143e66cf798701d0de1afdbd

Download Submit
C:\Users\Admin\Pictures\eKo3KIWNrKUlip9gFtnpaZns.exe

Filesize
3KB

MD5
c6ec7ce55291a4077c118f2404d8c0c6

SHA1
fc9cd463f214ed4991c37584da33dccbbd386e47

SHA256
5c86ac4d1ba514eb5668def497c2fc2445f14f0b23d3082147e7a164600db2de

SHA512
c9c787f4d7973f23b087343e758616871fd142aa40460187bab1c5f13477b69bfa599491fd3386c2207d0f40d041221bfabbe3a5ee5d04cfd0a90a9d15f5de41

Download Submit
C:\Users\Admin\Pictures\hvhdY6OXwVJQ4qABfagegf4t.exe

Filesize
1.8MB

MD5
ce2993da973efa1ac05dcaf2309dc413

SHA1
b29b59507371c53cd96c0aecf552f11824159a0d

SHA256
b88acad484a4c975d5eac16c53b17f484b037f3a00a8c4e689bfbc690c78e99b

SHA512
fcaa405d1786d2c7e372fa824692668a5fc97978369c9c3714bfc331a7b389db6ad80ef77679cd65fbce490332e52abb06801fc5746f57c3fdbfe78ee250a75b

Download Submit
C:\Users\Admin\Pictures\hvhdY6OXwVJQ4qABfagegf4t.exe

Filesize
2.2MB

MD5
3b7f63e30461153add2c48875b835586

SHA1
cd41bb5102796759b93394064b078254c134cf44

SHA256
84535324e8d1b344ac83d0eaf63b9571957d38cd97fb3c4bb8574d563a040040

SHA512
0089169837573b08fb8d8c730c4f8ac639510b1c69a714ab1df94d89ea60f4f83f5689d910aae13ec69bc8aee078bd2c2474f045558b966a798ba88f4a36574f

Download Submit
C:\Users\Admin\Pictures\irPbDCCx19TvildxLcKKNTxg.exe

Filesize
522KB

MD5
b8616322186dcdf78032a74cf3497153

SHA1
bf1c1568d65422757cc88300df76a6740db6eab5

SHA256
43dda2be3813b81729b3d388f546838a36ee3471da5ed266fe958e2316f1f6ea

SHA512
7b1e4ad944960fc2aa661426f77e64ff151cd8d5860e584874da1c4f03c6d195d4ee9031c36c24a234a851176b003254d14f9334712e07babc6934cf19a7b2fb

Download Submit
C:\Users\Admin\Pictures\jT0CkmH2TEWKrPiUZnnb11MG.exe

Filesize
2.8MB

MD5
c91f54955426e0f0d3f6a87794e4faba

SHA1
51bdbde6e5d8f91467fc46f0a1f460be1a7ef484

SHA256
ebb876ded2347c1abf9030c3e79d9cab84bbabeee8e1dff2fae06f00188ecb4f

SHA512
e24961d8753d2dba56fc0fcd04b44a8772125e43535596ca030f7ec15125cb4e2c012facc7ab30e2f4a77331050996898f603037936a6c42b394e9b401dea1c3

Download Submit
C:\Users\Admin\Pictures\k0menfQb3Nfc0wdeXqZSGLga.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\kMlX6Xhf9IRbplCUkuSvaOyf.exe

Filesize
3.5MB

MD5
e557312d4b4b6b5c1c9e4b0289f2110a

SHA1
5deef1369937346a7a1f0e6fed930dbb8194beea

SHA256
cd9fa328ab4be4a2a012f171a8552bf077afe11b0bc345d056617220d30c03e5

SHA512
99546369476d895a12cf40d840b5990f9a3d1b88c0d45543e79429ada6817298d9190cf2d5bca3162ce890185b8ba2a74cf8fb5ae9b443ebb8d42c6df8d983e2

Download Submit
C:\Users\Admin\Pictures\mXSnISKQUylY5Pw8USXED1nn.exe

Filesize
3KB

MD5
0381d878f56764d679386cc58f327247

SHA1
e8eabd4b463d62cc299b5133e61736baee1cd283

SHA256
44e64c4cbdc8d0bbbc04247720d7c7eb94689ff8cf10c1614871d09497c65eee

SHA512
9f0cc3e817514c0c83d4ea0d0347bf30bb2b326bfe23ef97787ad2a187ba0378eefe6ab375b12663f4a9cb428164cd3e20b63e26d2ef957b65c78162b34a1b9d

Download Submit
C:\Users\Admin\Pictures\qKaNJBuqrv1FUG862DWLpyB3.exe

Filesize
2.8MB

MD5
92c71d0a8ab99d37610460c15fbad6c6

SHA1
1bd0e0998c43dad49cb8c1b2452b0e5f6476a156

SHA256
dfb034a801f0582653713f6b583bdb713a82b3e0f37bc6205ffd7253867ed2c5

SHA512
f58302cbda7d6d29b289778e24bab5c14de0687b4d4d3afb3cafc8eef9d0432a7b880cd3c4b7fb21a4d501545954c4ba596223634873bd69562e8005d0a6c8b2

Download Submit
C:\Users\Public\Music\EasyApp.exe

Filesize
341KB

MD5
0e49e66fd0e90ac46ad9f027df419048

SHA1
357559abc784e69245db2e4302c838913df618b2

SHA256
599fbee1c0335d5f8efae7ed35eed9700001841005158a1c8c6648b53a6e4bda

SHA512
38aa37d633795de8ad65749a11da261e9f3aa2e1f285cd95e89a895c76e28a7d1fb72e87776013e8b508b9201d1b7ce92462c85cb4e3d55d5cf9b5a802479fed

Download Submit
C:\Users\Public\Music\EasyApp.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/884-41-0x0000000003200000-0x0000000003308000-memory.dmp

Filesize
1.0MB

Download
memory/884-462-0x0000000010000000-0x0000000010239000-memory.dmp

Filesize
2.2MB

Download
memory/884-44-0x0000000003200000-0x0000000003308000-memory.dmp

Filesize
1.0MB

Download
memory/884-23-0x0000000010000000-0x0000000010239000-memory.dmp

Filesize
2.2MB

Download
memory/884-33-0x00000000030D0000-0x00000000031F3000-memory.dmp

Filesize
1.1MB

Download
memory/884-22-0x0000000002C50000-0x0000000002C56000-memory.dmp

Filesize
24KB

Download
memory/1004-367-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1004-79-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1220-374-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1220-558-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1220-536-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1220-373-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1220-371-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/1220-470-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1220-372-0x00000000007B0000-0x00000000007D7000-memory.dmp

Filesize
156KB

Download
memory/1356-5-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1356-1-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/1356-3-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1356-2-0x00000000006E0000-0x00000000006EB000-memory.dmp

Filesize
44KB

Download
memory/1480-75-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1480-451-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1480-353-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/1480-63-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/1480-65-0x00000000021C0000-0x000000000222F000-memory.dmp

Filesize
444KB

Download
memory/1480-352-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/2204-35-0x0000000000270000-0x00000000009B0000-memory.dmp

Filesize
7.2MB

Download
memory/2204-82-0x0000000073F70000-0x0000000074720000-memory.dmp

Filesize
7.7MB

Download
memory/2204-34-0x0000000073F70000-0x0000000074720000-memory.dmp

Filesize
7.7MB

Download
memory/2344-368-0x0000000002A40000-0x0000000002E39000-memory.dmp

Filesize
4.0MB

Download
memory/2344-500-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2344-475-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2344-146-0x0000000002A40000-0x0000000002E39000-memory.dmp

Filesize
4.0MB

Download
memory/2344-466-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2344-301-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2344-541-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2344-370-0x0000000002E40000-0x000000000372B000-memory.dmp

Filesize
8.9MB

Download
memory/2344-213-0x0000000002E40000-0x000000000372B000-memory.dmp

Filesize
8.9MB

Download
memory/2384-471-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/2384-474-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/2384-459-0x0000000000680000-0x0000000000A26000-memory.dmp

Filesize
3.6MB

Download
memory/2384-473-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/2804-411-0x0000000000400000-0x0000000000DB4000-memory.dmp

Filesize
9.7MB

Download
memory/2804-421-0x0000000000400000-0x0000000000DB4000-memory.dmp

Filesize
9.7MB

Download
memory/2804-420-0x0000000000400000-0x0000000000DB4000-memory.dmp

Filesize
9.7MB

Download
memory/3148-476-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/3148-537-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/3372-507-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/3372-503-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/3372-508-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/3372-513-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/3372-499-0x00000000002D0000-0x000000000079B000-memory.dmp

Filesize
4.8MB

Download
memory/3372-504-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/3372-501-0x0000000077154000-0x0000000077156000-memory.dmp

Filesize
8KB

Download
memory/3372-509-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/3372-502-0x00000000002D0000-0x000000000079B000-memory.dmp

Filesize
4.8MB

Download
memory/3372-506-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/3372-518-0x00000000002D0000-0x000000000079B000-memory.dmp

Filesize
4.8MB

Download
memory/3372-514-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3436-4-0x00000000029B0000-0x00000000029C6000-memory.dmp

Filesize
88KB

Download
memory/3436-25-0x0000000004190000-0x00000000041A6000-memory.dmp

Filesize
88KB

Download
memory/4280-557-0x0000000004A20000-0x0000000004A21000-memory.dmp

Filesize
4KB

Download
memory/4280-546-0x0000000000950000-0x0000000000E1B000-memory.dmp

Filesize
4.8MB

Download
memory/4280-555-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/4280-547-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/4280-548-0x0000000004A00000-0x0000000004A01000-memory.dmp

Filesize
4KB

Download
memory/4280-554-0x00000000049C0000-0x00000000049C1000-memory.dmp

Filesize
4KB

Download
memory/4280-544-0x0000000000950000-0x0000000000E1B000-memory.dmp

Filesize
4.8MB

Download
memory/4280-553-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/4280-551-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/4300-18-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4300-16-0x0000000000890000-0x0000000000990000-memory.dmp

Filesize
1024KB

Download
memory/4300-27-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4300-17-0x0000000000690000-0x000000000069B000-memory.dmp

Filesize
44KB

Download
memory/4564-344-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4564-340-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4564-510-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4612-535-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4612-469-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4612-347-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4612-538-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4612-350-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4816-316-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/4816-494-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/4816-468-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4980-361-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4980-439-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4980-354-0x0000000000660000-0x0000000000760000-memory.dmp

Filesize
1024KB

Download
memory/4980-359-0x00000000021D0000-0x0000000002218000-memory.dmp

Filesize
288KB

Download
memory/4980-360-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4980-364-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/4980-362-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download