amadey | 1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d

Analysis

max time kernel
77s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
21-03-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
Size

232KB
MD5

e9ae6966dade7577572dffda25045900
SHA1

0c74a09a308b8fa7ab849325618582f5c8f275b6
SHA256

1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d
SHA512

ad819c61f8cc592f4f30a0ce9dd87961853954f85b5d9062e5df0cfea2308315e608fbe7da55a3e22ea4dc995ddb33a601670dfa8fd1b0507815e24e5442c33a
SSDEEP

3072:W9iPm6pnv5LlfcFZA9SXC5j8+1ldkyCWyIxHEj4U/tHgfJPs9qZvoh:9m6pnBlcFy5jdl/CWy2BUVAfJk

Score

10^/10

amadey glupteba smokeloader stealc zgrat pub1 backdoor bootkit discovery dropper evasion loader persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

http://nidoe.org/tmp/index.php

http://sodez.ru/tmp/index.php

http://uama.com.ua/tmp/index.php

http://talesofpirates.net/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

stealc

http://185.172.128.209

Attributes

url_path
/3cd2b41cbde8fc9c.php

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\1YECoN8Ax88dRRFge6MSgAqM.exe	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2056-294-0x0000000002F30000-0x000000000381B000-memory.dmp	family_glupteba
behavioral2/memory/2056-300-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2056-441-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2056-462-0x0000000002F30000-0x000000000381B000-memory.dmp	family_glupteba
behavioral2/memory/2056-468-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2056-513-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

C16.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C16.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

3768 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	C16.exe

pid	process
3768	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

C16.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	C16.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	C16.exe

Deletes itself 1 IoCs

Processes:

pid process

3240

pid	process
3240

Executes dropped EXE 18 IoCs

Processes:

B66F.exeD023.exeInstallSetup_four.exe288c47bbc1871b439df19ff4df68f076.exeEasyAppns.exeapril.exeapril.tmpEasyApp.exeflashdecompiler32.exeflashdecompiler32.exeus0.0.exeEC76.exeus0.1.exeFFA1.exeC16.exeHIDGCFBFBF.exe288c47bbc1871b439df19ff4df68f076.exe6B00.exe

pid	process
4868	B66F.exe
4840	D023.exe
1008	InstallSetup_four.exe
2056	288c47bbc1871b439df19ff4df68f076.exe
4652	EasyAppns.exe
332	april.exe
3156	april.tmp
3124	EasyApp.exe
2984	flashdecompiler32.exe
3628	flashdecompiler32.exe
1840	us0.0.exe
1108	EC76.exe
1228	us0.1.exe
900	FFA1.exe
432	C16.exe
2652	HIDGCFBFBF.exe
3148	288c47bbc1871b439df19ff4df68f076.exe
4352	6B00.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

C16.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine C16.exe
Loads dropped DLL 4 IoCs

Processes:

regsvr32.exeapril.tmpus0.0.exe

pid process

1544 regsvr32.exe
3156 april.tmp
1840 us0.0.exe
1840 us0.0.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Wine	C16.exe

pid	process
1544	regsvr32.exe
3156	april.tmp
1840	us0.0.exe
1840	us0.0.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\uQ0hHhMwLPkhcbQUo6kvDoaH.exe	upx
C:\Users\Admin\Pictures\zYwPHu52Cms4PbuNA5WKQWT7.exe	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HIDGCFBFBF.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3594324687-1993884830-4019639329-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\HIDGCFBFBF.exe"	HIDGCFBFBF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

85 bitbucket.org
35 pastebin.com
35 bitbucket.org
41 pastebin.com
50 bitbucket.org
81 pastebin.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

EC76.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 EC76.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

C16.exe

pid process

432 C16.exe
Drops file in Windows directory 1 IoCs

Processes:

C16.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job C16.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2816 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
85	bitbucket.org
35	pastebin.com
35	bitbucket.org
41	pastebin.com
50	bitbucket.org
81	pastebin.com

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	EC76.exe

pid	process
432	C16.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	C16.exe

pid	process
2816	sc.exe

Program crash 19 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1168	3124	WerFault.exe	EasyApp.exe
3160	1008	WerFault.exe	InstallSetup_four.exe
3776	900	WerFault.exe	FFA1.exe
4828	900	WerFault.exe	FFA1.exe
3512	1840	WerFault.exe	us0.0.exe
3088	2172	WerFault.exe	RegAsm.exe
3552	2172	WerFault.exe	RegAsm.exe
1456	3148	WerFault.exe	288c47bbc1871b439df19ff4df68f076.exe
2548	1384	WerFault.exe	uwg.0.exe
5280	3204	WerFault.exe	RegAsm.exe
5440	3204	WerFault.exe	RegAsm.exe
5412	784	WerFault.exe	djdjdje1939_crypted_EASY.exe
5464	784	WerFault.exe	djdjdje1939_crypted_EASY.exe
4040	1168	WerFault.exe	dnp0wisNVybECaK8jTRTCSJN.exe
5888	5648	WerFault.exe	syncUpd.exe
1384	5416	WerFault.exe	RegAsm.exe
1396	5416	WerFault.exe	RegAsm.exe
6584	6060	WerFault.exe	gXJxuyIYNc2sv3Z6NBD3q4bj.exe
7032	2428	WerFault.exe	u4oc.0.exe

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\tBM6LaOw5fn6FmUmOb2yLCFs.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exeB66F.exeus0.1.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B66F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	us0.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	us0.1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	us0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B66F.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	B66F.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

us0.0.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	us0.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	us0.0.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4664 schtasks.exe
4548 schtasks.exe
1008 schtasks.exe
1812 schtasks.exe
6200 schtasks.exe

pid	process
4664	schtasks.exe
4548	schtasks.exe
1008	schtasks.exe
1812	schtasks.exe
6200	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

288c47bbc1871b439df19ff4df68f076.exepowershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time"	288c47bbc1871b439df19ff4df68f076.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time"	288c47bbc1871b439df19ff4df68f076.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4576 PING.EXE

pid	process
4576	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe

pid	process
984	1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
984	1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240
3240

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exeB66F.exe

pid process

984 1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
4868 B66F.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exeHIDGCFBFBF.exe288c47bbc1871b439df19ff4df68f076.exepowershell.exe

description	pid	process
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeDebugPrivilege	788	powershell.exe
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeDebugPrivilege	404	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeShutdownPrivilege	3240
Token: SeCreatePagefilePrivilege	3240
Token: SeDebugPrivilege	2652	HIDGCFBFBF.exe
Token: SeDebugPrivilege	2056	288c47bbc1871b439df19ff4df68f076.exe
Token: SeImpersonatePrivilege	2056	288c47bbc1871b439df19ff4df68f076.exe
Token: SeDebugPrivilege	2116	powershell.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

us0.1.exe

pid process

1228 us0.1.exe
1228 us0.1.exe
1228 us0.1.exe
1228 us0.1.exe
1228 us0.1.exe
1228 us0.1.exe
1228 us0.1.exe
Suspicious use of SendNotifyMessage 7 IoCs

Processes:

us0.1.exe

pid process

1228 us0.1.exe
1228 us0.1.exe
1228 us0.1.exe
1228 us0.1.exe
1228 us0.1.exe
1228 us0.1.exe
1228 us0.1.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

3240

pid	process
1228	us0.1.exe
1228	us0.1.exe
1228	us0.1.exe
1228	us0.1.exe
1228	us0.1.exe
1228	us0.1.exe
1228	us0.1.exe

pid	process
1228	us0.1.exe
1228	us0.1.exe
1228	us0.1.exe
1228	us0.1.exe
1228	us0.1.exe
1228	us0.1.exe
1228	us0.1.exe

pid	process
3240

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exeD023.exeEasyAppns.exeapril.exeapril.tmpInstallSetup_four.exe288c47bbc1871b439df19ff4df68f076.exeus0.1.exeus0.0.execmd.exeHIDGCFBFBF.exe

description	pid	process	target process
PID 3240 wrote to memory of 4868	3240		B66F.exe
PID 3240 wrote to memory of 4868	3240		B66F.exe
PID 3240 wrote to memory of 4868	3240		B66F.exe
PID 3240 wrote to memory of 856	3240		regsvr32.exe
PID 3240 wrote to memory of 856	3240		regsvr32.exe
PID 856 wrote to memory of 1544	856	regsvr32.exe	regsvr32.exe
PID 856 wrote to memory of 1544	856	regsvr32.exe	regsvr32.exe
PID 856 wrote to memory of 1544	856	regsvr32.exe	regsvr32.exe
PID 3240 wrote to memory of 4840	3240		D023.exe
PID 3240 wrote to memory of 4840	3240		D023.exe
PID 3240 wrote to memory of 4840	3240		D023.exe
PID 4840 wrote to memory of 1008	4840	D023.exe	InstallSetup_four.exe
PID 4840 wrote to memory of 1008	4840	D023.exe	InstallSetup_four.exe
PID 4840 wrote to memory of 1008	4840	D023.exe	InstallSetup_four.exe
PID 4840 wrote to memory of 2056	4840	D023.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 4840 wrote to memory of 2056	4840	D023.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 4840 wrote to memory of 2056	4840	D023.exe	288c47bbc1871b439df19ff4df68f076.exe
PID 4840 wrote to memory of 4652	4840	D023.exe	EasyAppns.exe
PID 4840 wrote to memory of 4652	4840	D023.exe	EasyAppns.exe
PID 4840 wrote to memory of 4652	4840	D023.exe	EasyAppns.exe
PID 4840 wrote to memory of 332	4840	D023.exe	april.exe
PID 4840 wrote to memory of 332	4840	D023.exe	april.exe
PID 4840 wrote to memory of 332	4840	D023.exe	april.exe
PID 4652 wrote to memory of 3124	4652	EasyAppns.exe	EasyApp.exe
PID 4652 wrote to memory of 3124	4652	EasyAppns.exe	EasyApp.exe
PID 4652 wrote to memory of 3124	4652	EasyAppns.exe	EasyApp.exe
PID 332 wrote to memory of 3156	332	april.exe	april.tmp
PID 332 wrote to memory of 3156	332	april.exe	april.tmp
PID 332 wrote to memory of 3156	332	april.exe	april.tmp
PID 3156 wrote to memory of 2984	3156	april.tmp	flashdecompiler32.exe
PID 3156 wrote to memory of 2984	3156	april.tmp	flashdecompiler32.exe
PID 3156 wrote to memory of 2984	3156	april.tmp	flashdecompiler32.exe
PID 3156 wrote to memory of 3628	3156	april.tmp	flashdecompiler32.exe
PID 3156 wrote to memory of 3628	3156	april.tmp	flashdecompiler32.exe
PID 3156 wrote to memory of 3628	3156	april.tmp	flashdecompiler32.exe
PID 1008 wrote to memory of 1840	1008	InstallSetup_four.exe	us0.0.exe
PID 1008 wrote to memory of 1840	1008	InstallSetup_four.exe	us0.0.exe
PID 1008 wrote to memory of 1840	1008	InstallSetup_four.exe	us0.0.exe
PID 3240 wrote to memory of 1108	3240		EC76.exe
PID 3240 wrote to memory of 1108	3240		EC76.exe
PID 3240 wrote to memory of 1108	3240		EC76.exe
PID 1008 wrote to memory of 1228	1008	InstallSetup_four.exe	us0.1.exe
PID 1008 wrote to memory of 1228	1008	InstallSetup_four.exe	us0.1.exe
PID 1008 wrote to memory of 1228	1008	InstallSetup_four.exe	us0.1.exe
PID 3240 wrote to memory of 900	3240		FFA1.exe
PID 3240 wrote to memory of 900	3240		FFA1.exe
PID 3240 wrote to memory of 900	3240		FFA1.exe
PID 3240 wrote to memory of 432	3240		C16.exe
PID 3240 wrote to memory of 432	3240		C16.exe
PID 3240 wrote to memory of 432	3240		C16.exe
PID 2056 wrote to memory of 788	2056	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 2056 wrote to memory of 788	2056	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 2056 wrote to memory of 788	2056	288c47bbc1871b439df19ff4df68f076.exe	powershell.exe
PID 1228 wrote to memory of 404	1228	us0.1.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1228 wrote to memory of 404	1228	us0.1.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1840 wrote to memory of 2952	1840	us0.0.exe	cmd.exe
PID 1840 wrote to memory of 2952	1840	us0.0.exe	cmd.exe
PID 1840 wrote to memory of 2952	1840	us0.0.exe	cmd.exe
PID 2952 wrote to memory of 2652	2952	cmd.exe	HIDGCFBFBF.exe
PID 2952 wrote to memory of 2652	2952	cmd.exe	HIDGCFBFBF.exe
PID 2952 wrote to memory of 2652	2952	cmd.exe	HIDGCFBFBF.exe
PID 2652 wrote to memory of 4844	2652	HIDGCFBFBF.exe	cmd.exe
PID 2652 wrote to memory of 4844	2652	HIDGCFBFBF.exe	cmd.exe
PID 2652 wrote to memory of 4844	2652	HIDGCFBFBF.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe
"C:\Users\Admin\AppData\Local\Temp\1d76910c33b918dde3824d31fe0e328f008cacd84c96ab7483eaa528b57ae94d.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:984

C:\Users\Admin\AppData\Local\Temp\B66F.exe
C:\Users\Admin\AppData\Local\Temp\B66F.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4868

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BDF2.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\BDF2.dll
  2⤵
  - Loads dropped DLL
  PID:1544

C:\Users\Admin\AppData\Local\Temp\D023.exe
C:\Users\Admin\AppData\Local\Temp\D023.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\us0.0.exe
    "C:\Users\Admin\AppData\Local\Temp\us0.0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HIDGCFBFBF.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Users\Admin\AppData\Local\Temp\HIDGCFBFBF.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HIDGCFBFBF.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HIDGCFBFBF.exe
        6⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        7⤵
        Runs ping.exe
        
        PID:4576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 2492
      4⤵
      Program crash
      PID:3512
- - C:\Users\Admin\AppData\Local\Temp\us0.1.exe
    "C:\Users\Admin\AppData\Local\Temp\us0.1.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
      "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 1168
    3⤵
    - Program crash
    PID:3160
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:788
- - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
    "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:3148
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:2116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:1536
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:3768
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:32
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:4968
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:4352
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3212
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:1812
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:3592
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1196
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:5844
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:1008
    - - C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        5⤵
        
        PID:5620
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        6⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        7⤵
        Launches sc.exe
        
        PID:2816
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 628
      4⤵
      Program crash
      PID:1456
- C:\Users\Admin\AppData\Local\Temp\EasyAppns.exe
  "C:\Users\Admin\AppData\Local\Temp\EasyAppns.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Users\Public\Music\EasyApp.exe
    "C:\Users\Public\Music\EasyApp.exe"
    3⤵
    - Executes dropped EXE
    PID:3124
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 1176
      4⤵
      Program crash
      PID:1168
- C:\Users\Admin\AppData\Local\Temp\april.exe
  "C:\Users\Admin\AppData\Local\Temp\april.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Users\Admin\AppData\Local\Temp\is-EK75O.tmp\april.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-EK75O.tmp\april.tmp" /SL5="$7016C,1485356,54272,C:\Users\Admin\AppData\Local\Temp\april.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe
      "C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe" -i
      4⤵
      Executes dropped EXE
      PID:2984
  - - C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe
      "C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe" -s
      4⤵
      Executes dropped EXE
      PID:3628

C:\Users\Admin\AppData\Local\Temp\EC76.exe
C:\Users\Admin\AppData\Local\Temp\EC76.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3124 -ip 3124
1⤵
PID:2464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1008 -ip 1008
1⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\FFA1.exe
C:\Users\Admin\AppData\Local\Temp\FFA1.exe
1⤵
- Executes dropped EXE
PID:900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 1132
  2⤵
  - Program crash
  PID:3776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 1120
  2⤵
  - Program crash
  PID:4828

C:\Users\Admin\AppData\Local\Temp\C16.exe
C:\Users\Admin\AppData\Local\Temp\C16.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
PID:432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 900 -ip 900
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 900 -ip 900
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1840 -ip 1840
1⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\6B00.exe
C:\Users\Admin\AppData\Local\Temp\6B00.exe
1⤵
- Executes dropped EXE
PID:4352
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:3348

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
PID:1840
- C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe
  "C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe"
  2⤵
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\1001002001\lumma2.exe
  "C:\Users\Admin\AppData\Local\Temp\1001002001\lumma2.exe"
  2⤵
  PID:2032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4236
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2172
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 476
      4⤵
      Program crash
      PID:3088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2172 -s 1128
      4⤵
      Program crash
      PID:3552
- C:\Users\Admin\AppData\Local\Temp\1001003001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1001003001\file300un.exe"
  2⤵
  PID:3784
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    PID:924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    3⤵
    PID:2396
  - - C:\Users\Admin\Pictures\dnp0wisNVybECaK8jTRTCSJN.exe
      "C:\Users\Admin\Pictures\dnp0wisNVybECaK8jTRTCSJN.exe"
      4⤵
      PID:1168
    - - C:\Users\Admin\AppData\Local\Temp\uwg.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uwg.0.exe"
        5⤵
        
        PID:1384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1384 -s 1372
        6⤵
        Program crash
        
        PID:2548
    - - C:\Users\Admin\AppData\Local\Temp\uwg.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\uwg.1.exe"
        5⤵
        
        PID:540
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 1164
        5⤵
        Program crash
        
        PID:4040
  - - C:\Users\Admin\Pictures\cxIVW6sBLWopDUFEWKakU8bZ.exe
      "C:\Users\Admin\Pictures\cxIVW6sBLWopDUFEWKakU8bZ.exe"
      4⤵
      PID:2180
    - - C:\Users\Admin\AppData\Local\Temp\is-DH28R.tmp\cxIVW6sBLWopDUFEWKakU8bZ.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DH28R.tmp\cxIVW6sBLWopDUFEWKakU8bZ.tmp" /SL5="$D0066,1402811,54272,C:\Users\Admin\Pictures\cxIVW6sBLWopDUFEWKakU8bZ.exe"
        5⤵
        
        PID:1104
      - C:\Users\Admin\AppData\Local\Senior Flash Decompiler\seniorflashdecompiler.exe
        
        "C:\Users\Admin\AppData\Local\Senior Flash Decompiler\seniorflashdecompiler.exe" -i
        6⤵
        
        PID:4700
      - C:\Users\Admin\AppData\Local\Senior Flash Decompiler\seniorflashdecompiler.exe
        
        "C:\Users\Admin\AppData\Local\Senior Flash Decompiler\seniorflashdecompiler.exe" -s
        6⤵
        
        PID:3876
  - - C:\Users\Admin\Pictures\V40jQvS5tkqKmLNfjEOIvQTj.exe
      "C:\Users\Admin\Pictures\V40jQvS5tkqKmLNfjEOIvQTj.exe"
      4⤵
      PID:3228
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2104
    - - C:\Users\Admin\Pictures\V40jQvS5tkqKmLNfjEOIvQTj.exe
        
        "C:\Users\Admin\Pictures\V40jQvS5tkqKmLNfjEOIvQTj.exe"
        5⤵
        
        PID:6040
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6764
  - - C:\Users\Admin\Pictures\0nrUbqGB5UI67sImKdTOw8On.exe
      "C:\Users\Admin\Pictures\0nrUbqGB5UI67sImKdTOw8On.exe"
      4⤵
      PID:3528
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3428
    - - C:\Users\Admin\Pictures\0nrUbqGB5UI67sImKdTOw8On.exe
        
        "C:\Users\Admin\Pictures\0nrUbqGB5UI67sImKdTOw8On.exe"
        5⤵
        
        PID:6052
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:1384
  - - C:\Users\Admin\Pictures\1YECoN8Ax88dRRFge6MSgAqM.exe
      "C:\Users\Admin\Pictures\1YECoN8Ax88dRRFge6MSgAqM.exe"
      4⤵
      PID:1368
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:3204
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 544
        6⤵
        Program crash
        
        PID:5280
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 568
        6⤵
        Program crash
        
        PID:5440
  - - C:\Users\Admin\Pictures\tBM6LaOw5fn6FmUmOb2yLCFs.exe
      "C:\Users\Admin\Pictures\tBM6LaOw5fn6FmUmOb2yLCFs.exe"
      4⤵
      PID:5448
    - - C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
        
        C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
        5⤵
        
        PID:5648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 1096
        6⤵
        Program crash
        
        PID:5888
    - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        5⤵
        
        PID:5280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:652
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        Creates scheduled task(s)
        
        PID:6200
  - - C:\Users\Admin\Pictures\vlL6xg8p5EpDtG0RUhWQSUrE.exe
      "C:\Users\Admin\Pictures\vlL6xg8p5EpDtG0RUhWQSUrE.exe"
      4⤵
      PID:5732
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4776
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4576
    - - C:\Users\Admin\Pictures\vlL6xg8p5EpDtG0RUhWQSUrE.exe
        
        "C:\Users\Admin\Pictures\vlL6xg8p5EpDtG0RUhWQSUrE.exe"
        5⤵
        
        PID:3560
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6296
  - - C:\Users\Admin\Pictures\p7vq4MKZK6P76gQzRVGsAZlF.exe
      "C:\Users\Admin\Pictures\p7vq4MKZK6P76gQzRVGsAZlF.exe"
      4⤵
      PID:5768
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2372
    - - C:\Users\Admin\Pictures\p7vq4MKZK6P76gQzRVGsAZlF.exe
        
        "C:\Users\Admin\Pictures\p7vq4MKZK6P76gQzRVGsAZlF.exe"
        5⤵
        
        PID:6088
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:608
  - - C:\Users\Admin\Pictures\zYwPHu52Cms4PbuNA5WKQWT7.exe
      "C:\Users\Admin\Pictures\zYwPHu52Cms4PbuNA5WKQWT7.exe" --silent --allusers=0
      4⤵
      PID:3088
    - - C:\Users\Admin\Pictures\zYwPHu52Cms4PbuNA5WKQWT7.exe
        
        C:\Users\Admin\Pictures\zYwPHu52Cms4PbuNA5WKQWT7.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x304,0x308,0x30c,0x2e0,0x310,0x693421f8,0x69342204,0x69342210
        5⤵
        
        PID:4276
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\zYwPHu52Cms4PbuNA5WKQWT7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\zYwPHu52Cms4PbuNA5WKQWT7.exe" --version
        5⤵
        
        PID:5720
  - - C:\Users\Admin\Pictures\wuZtPhrUVQYhMbr93rPHsMNO.exe
      "C:\Users\Admin\Pictures\wuZtPhrUVQYhMbr93rPHsMNO.exe"
      4⤵
      PID:6924
    - - C:\Users\Admin\AppData\Local\Temp\7zS49C1.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:7032
      - C:\Users\Admin\AppData\Local\Temp\7zS5104.tmp\Install.exe
        
        .\Install.exe /Hretdidcbu "385118" /S
        6⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:3392
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:7120
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:856
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:2984
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gDSFomDbP" /SC once /ST 01:38:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:4548
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gDSFomDbP"
        7⤵
        
        PID:6208
- C:\Users\Admin\AppData\Local\Temp\1001004001\djdjdje1939_crypted_EASY.exe
  "C:\Users\Admin\AppData\Local\Temp\1001004001\djdjdje1939_crypted_EASY.exe"
  2⤵
  PID:784
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1140
    3⤵
    - Program crash
    PID:5412
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 784 -s 1176
    3⤵
    - Program crash
    PID:5464
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  PID:3408
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    PID:4944
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:1368
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\594324687199_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:5796
- C:\Users\Admin\AppData\Local\Temp\1001005001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1001005001\file300un.exe"
  2⤵
  PID:1132
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    PID:4280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:908
  - - C:\Users\Admin\Pictures\gXJxuyIYNc2sv3Z6NBD3q4bj.exe
      "C:\Users\Admin\Pictures\gXJxuyIYNc2sv3Z6NBD3q4bj.exe"
      4⤵
      PID:6060
    - - C:\Users\Admin\AppData\Local\Temp\u4oc.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4oc.0.exe"
        5⤵
        
        PID:2428
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 1096
        6⤵
        Program crash
        
        PID:7032
    - - C:\Users\Admin\AppData\Local\Temp\u4oc.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4oc.1.exe"
        5⤵
        
        PID:6308
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6060 -s 1168
        5⤵
        Program crash
        
        PID:6584
  - - C:\Users\Admin\Pictures\dwfS5JcNnz34Ughtc5yDdSsA.exe
      "C:\Users\Admin\Pictures\dwfS5JcNnz34Ughtc5yDdSsA.exe"
      4⤵
      PID:6112
    - - C:\Users\Admin\AppData\Local\Temp\is-3QCNQ.tmp\dwfS5JcNnz34Ughtc5yDdSsA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3QCNQ.tmp\dwfS5JcNnz34Ughtc5yDdSsA.tmp" /SL5="$202A2,1402811,54272,C:\Users\Admin\Pictures\dwfS5JcNnz34Ughtc5yDdSsA.exe"
        5⤵
        
        PID:5188
  - - C:\Users\Admin\Pictures\bH82qaBxpydfH2YqWjT1CKDR.exe
      "C:\Users\Admin\Pictures\bH82qaBxpydfH2YqWjT1CKDR.exe"
      4⤵
      PID:5644
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5512
    - - C:\Users\Admin\Pictures\bH82qaBxpydfH2YqWjT1CKDR.exe
        
        "C:\Users\Admin\Pictures\bH82qaBxpydfH2YqWjT1CKDR.exe"
        5⤵
        
        PID:3272
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5404
  - - C:\Users\Admin\Pictures\nQbShzDE0meWZ0eg1y1nXkDL.exe
      "C:\Users\Admin\Pictures\nQbShzDE0meWZ0eg1y1nXkDL.exe"
      4⤵
      PID:5912
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5460
    - - C:\Users\Admin\Pictures\nQbShzDE0meWZ0eg1y1nXkDL.exe
        
        "C:\Users\Admin\Pictures\nQbShzDE0meWZ0eg1y1nXkDL.exe"
        5⤵
        
        PID:6196
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6496
  - - C:\Users\Admin\Pictures\GnB9Fqcge2PVVEOhWLvgkggD.exe
      "C:\Users\Admin\Pictures\GnB9Fqcge2PVVEOhWLvgkggD.exe"
      4⤵
      PID:5968
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3228
    - - C:\Users\Admin\Pictures\GnB9Fqcge2PVVEOhWLvgkggD.exe
        
        "C:\Users\Admin\Pictures\GnB9Fqcge2PVVEOhWLvgkggD.exe"
        5⤵
        
        PID:2276
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6788
  - - C:\Users\Admin\Pictures\hagpHEpJ7bSwmXrqG77KdDQT.exe
      "C:\Users\Admin\Pictures\hagpHEpJ7bSwmXrqG77KdDQT.exe"
      4⤵
      PID:1956
  - - C:\Users\Admin\Pictures\ONsuzrtsHSouXK9S2S0uC8oZ.exe
      "C:\Users\Admin\Pictures\ONsuzrtsHSouXK9S2S0uC8oZ.exe"
      4⤵
      PID:5380
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4172
    - - C:\Users\Admin\Pictures\ONsuzrtsHSouXK9S2S0uC8oZ.exe
        
        "C:\Users\Admin\Pictures\ONsuzrtsHSouXK9S2S0uC8oZ.exe"
        5⤵
        
        PID:6968
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6200
  - - C:\Users\Admin\Pictures\zdhfVjsWA9bLKJgEJ21V0mBL.exe
      "C:\Users\Admin\Pictures\zdhfVjsWA9bLKJgEJ21V0mBL.exe"
      4⤵
      PID:5556
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:5416
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 496
        6⤵
        Program crash
        
        PID:1384
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5416 -s 504
        6⤵
        Program crash
        
        PID:1396
  - - C:\Users\Admin\Pictures\uQ0hHhMwLPkhcbQUo6kvDoaH.exe
      "C:\Users\Admin\Pictures\uQ0hHhMwLPkhcbQUo6kvDoaH.exe" --silent --allusers=0
      4⤵
      PID:5848
    - - C:\Users\Admin\Pictures\uQ0hHhMwLPkhcbQUo6kvDoaH.exe
        
        C:\Users\Admin\Pictures\uQ0hHhMwLPkhcbQUo6kvDoaH.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x300,0x304,0x308,0x2dc,0x30c,0x6abf21f8,0x6abf2204,0x6abf2210
        5⤵
        
        PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\uQ0hHhMwLPkhcbQUo6kvDoaH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\uQ0hHhMwLPkhcbQUo6kvDoaH.exe" --version
        5⤵
        
        PID:5496
    - - C:\Users\Admin\Pictures\uQ0hHhMwLPkhcbQUo6kvDoaH.exe
        
        "C:\Users\Admin\Pictures\uQ0hHhMwLPkhcbQUo6kvDoaH.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5848 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240321160527" --session-guid=d469d1a9-df54-4daa-bef4-c182ba03a915 --server-tracking-blob=MGRkNWFiZmUzNDllZTRiNTU5ODNlMmQwZWNiOWM2MDY2MTM4OTM2MDFlNzM2ZjBlOTE2OWFlZTc5OGMyODQyYzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMTAzNzEyNC44NDk0IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJhOWQxMTI5MS1iYzNkLTQwOGItOWU5Yy1jNjg5Yzg3ODliYmIifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4005000000000000
        5⤵
        
        PID:3460
      - C:\Users\Admin\Pictures\uQ0hHhMwLPkhcbQUo6kvDoaH.exe
        
        C:\Users\Admin\Pictures\uQ0hHhMwLPkhcbQUo6kvDoaH.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x310,0x314,0x318,0x30c,0x31c,0x6a0021f8,0x6a002204,0x6a002210
        6⤵
        
        PID:5496
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403211605271\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403211605271\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
        5⤵
        
        PID:6036
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403211605271\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403211605271\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:6376
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403211605271\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403211605271\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x990040,0x99004c,0x990058
        6⤵
        
        PID:5872
  - - C:\Users\Admin\Pictures\zqmkWfVNzGjvtHX0zRsOJaak.exe
      "C:\Users\Admin\Pictures\zqmkWfVNzGjvtHX0zRsOJaak.exe"
      4⤵
      PID:6596
    - - C:\Users\Admin\AppData\Local\Temp\7zS237C.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:6884
      - C:\Users\Admin\AppData\Local\Temp\7zS2B2D.tmp\Install.exe
        
        .\Install.exe /Hretdidcbu "385118" /S
        6⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:6072
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:6468
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:6532
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:4944
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gHcAEHTAa" /SC once /ST 05:45:26 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:4664
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gHcAEHTAa"
        7⤵
        
        PID:3648
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2172 -ip 2172
1⤵
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2172 -ip 2172
1⤵
PID:3316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2172 -ip 2172
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3148 -ip 3148
1⤵
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1384 -ip 1384
1⤵
PID:1956

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3204 -ip 3204
1⤵
PID:5048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3204 -ip 3204
1⤵
PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 784 -ip 784
1⤵
PID:5132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 784 -ip 784
1⤵
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1168 -ip 1168
1⤵
PID:5432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5648 -ip 5648
1⤵
PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5416 -ip 5416
1⤵
PID:6020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5416 -ip 5416
1⤵
PID:5716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6060 -ip 6060
1⤵
PID:6360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2428 -ip 2428
1⤵
PID:6936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6780
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:6544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3576
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:3648

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:6708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4236

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1012

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\PrintWorkflow 1.34.199.67\PrintWorkflow 1.34.199.67.exe

Filesize
1.7MB

MD5
7b179b99e2de5334019c8d553ad90da1

SHA1
4664d8a1e5d066ea2bc064175e7d8c0dcb987254

SHA256
d5228fb5e7b43545871b0ae1f84867722e1684281ef010a117cc1f62ed9dbb85

SHA512
6439c56e79df74c19f81f9c02f90e365f0ce56c5b803f69e3802cc20b3e867f8299d8f33481ac4b1ab17f9a5d6683d16af717516808f355dbcdd2bc8bb142477

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\flashdecompiler32.exe

Filesize
1.7MB

MD5
95dccef9f0bee7ef720486845368e79c

SHA1
e1a504d43e02b53b18bec110dbcb1e4b3f48681b

SHA256
777ea399013368cef357af77c88df152776feb2fa1bc3fae2cb01dd378adbbcc

SHA512
aea82c540ce49543e77a53f4376b5e88442bd3e0fdc29390b544274b9f2140b5e75b0043031adccd2cdee5e4b1a968bfac50ad1640290dc2839fd50b16ef5899

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\is-7DNQK.tmp

Filesize
66KB

MD5
f06b0761d27b9e69a8f1220846ff12af

SHA1
e3a2f4f12a5291ee8ddc7a185db2699bffadfe1a

SHA256
e85aecc40854203b4a2f4a0249f875673e881119181e3df2968491e31ad372a4

SHA512
5821ea0084524569e07bb18aa2999e3193c97aa52da6932a7971a61dd03d0f08ca9a2d4f98eb96a603b99f65171f6d495d3e8f2bbb2fc90469c741ef11b514e9

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\is-96LCR.tmp

Filesize
172KB

MD5
6896dc57d056879f929206a0a7692a34

SHA1
d2f709cde017c42916172e9178a17eb003917189

SHA256
8a7d2da7685cedb267bfa7f0ad3218afa28f4ed2f1029ee920d66eb398f3476d

SHA512
cd1a981d5281e8b2e6a8c27a57cdb65ed1498de21d2b7a62edc945fb380dea258f47a9ec9e53bd43d603297635edfca95ebcb2a962812cd53c310831242384b8

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\is-FND8H.tmp

Filesize
687KB

MD5
bda40d5cde0f48cc4f33ce405e3302b5

SHA1
8b251ac266f3b1e5659e5cc1e08a59961badade7

SHA256
238ff7104e59dfb660e1061ad2520c0704715383211d58d114f14486948dce2a

SHA512
0aeb8772bd997b59d9bae3522136df105bf0430718154a9ad3a9155aba9be9f5af359e5c7ecce8b1f0fddf9f1944f04559adecfd2abd4131ab71624382060408

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\is-KDBHR.tmp

Filesize
103KB

MD5
0c6452935851b7cdb3a365aecd2dd260

SHA1
83ef3cd7f985acc113a6de364bdb376dbf8d2f48

SHA256
f8385d08bd44b213ff2a2c360fe01ae8a1eda5311c7e1fc1a043c524e899a8ed

SHA512
5ff21a85ee28665c4e707c7044f122d1bac8e408a06f8ea16e33a8c9201798d196fa65b24327f208c4ff415e24a5ad2414fe7a91d9c0b0d8cff88299111f2e1d

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\libgcc_s_dw2-1.dll

Filesize
122KB

MD5
6231b452e676ade27ca0ceb3a3cf874a

SHA1
f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1

SHA256
9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf

SHA512
f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\libogg-0.dll

Filesize
40KB

MD5
f47e78ad658b2767461ea926060bf3dd

SHA1
9ba8a1909864157fd12ddee8b94536cea04d8bd6

SHA256
602c2b9f796da7ba7bf877bf624ac790724800074d0e12ffa6861e29c1a38144

SHA512
216fa5aa6027c2896ea5c499638db7298dfe311d04e1abac302d6ce7f8d3ed4b9f4761fe2f4951f6f89716ca8104fa4ce3dfeccdbca77ed10638328d0f13546b

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\unins000.dat

Filesize
8KB

MD5
22a08fe242ae606beddb4a8dc8733094

SHA1
d3098834606deb2eaf9bd7abf1f988d4e4f765f1

SHA256
40cc7d363ccf4cea3d46e4f6bf4c43a52e5e7e9ba011e5302ae48089c635beb0

SHA512
181bfa5561861bc4b3d3ff450aa76134afa84e116a1d8d9453f777e27a3f3bf1e63c939ccb146143a3a439f8efe108cf40985ad44f498715eab24d7ab1815a0e

Download Submit
C:\Users\Admin\AppData\Local\Senior Flash Decompiler\unins000.exe

Filesize
687KB

MD5
bce6e5f447d08b05490fb5d3405500a8

SHA1
1245fc2d0a04c5af1018ac729f81546ad69791ad

SHA256
ff206fbb3db0701109b5bcaa6a749dd47f06a5f9ad4c22d2ca7afffdcf305624

SHA512
04ed3c73f655329336d0e6c937d297cc3ba9c489b5909c9d32e46a68b4dbb11f19632bb8e5d9c336bf44f24f59084ac07fc74a99e798c8e01de4e2dbc1d919a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403211605271\additional_file0.tmp

Filesize
2.5MB

MD5
20d293b9bf23403179ca48086ba88867

SHA1
dedf311108f607a387d486d812514a2defbd1b9e

SHA256
fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

SHA512
5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403211605271\opera_package

Filesize
2.8MB

MD5
2f85ca8a37a8bd0c45bd2d7f2afccb8a

SHA1
d008592bb8314dabb05e03a55555921a69f4e730

SHA256
f2b79982bc701736e506eb077b44d26d4cf3cce3bbf43d89f80f52910346afa4

SHA512
7278e8ccfec5b77a50f0178c9101afa95dd10d7d575de7984f63e6d64611c41c4cae5ed01e908900ec961a242a34af524dfde058bc283467a65a59d58880d91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
256KB

MD5
d904096b650ffab75d4c46fd99bde15a

SHA1
b6ee9aa5d224b7e2ef07ba82409f114250dd25bb

SHA256
ef52aaede1ffaa77b93f934c0a2874b58066910afbaed450c8ec4253c56e12c6

SHA512
963e81b3f030865a58070f64bd1c251d03efc56841a01791daf298c5a5f275c4824f1606393e553618be98a25cc7d5e0782de796e0addf68b73b12f7170cad25

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
1.8MB

MD5
2bde26322e0e1ff6b5e4fdb2fee9f603

SHA1
989c9014b294a41b25666e5007f4670ce70ff371

SHA256
608bf79f55ee1cc18a425b62b79981d2c5ea6d25fd4b2d44feef0bb20a505a1f

SHA512
0960594d61cd065703d4455301930b6ceba923c8cdb3a23f9822b2e6f60db8458e559d1d9024dc2d1f6ca29793dc99f9ee0b97cad9167d76e3910adda561393d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001001001\yoffens_crypted_EASY.exe

Filesize
832KB

MD5
e3c0b0533534c6517afc94790d7b760c

SHA1
4de96db92debb740d007422089bed0bcddf0e974

SHA256
198edf9613054f8a569ac804bf23081fbfa8566270fff05bba9dc3c9a32d9952

SHA512
d12631796afca877c710b9308d1236fca1bfe3abe6582445d9df1bbb404160cff220316e3f600b3a87b46dd3bfb859734008b5c668e410466e82be9dc033249e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001002001\lumma2.exe

Filesize
322KB

MD5
3c30dbf2e7d57fdb7babdf49b87d8b31

SHA1
33e72f2e8e6b93a2ecffccba64650bda87e08e0d

SHA256
8d2c29f6d94f4375450e54b8d9fcd645beb7642d4240a4137e7c8539a57040d2

SHA512
c48c83d1d9d459720bea88aa7fb56c13d886fff9ab65deb0ace750d7d35a7b61c66b5d697e506ec152534d788f1641c51bcba38610ae66a6a8e08b0dabdc7657

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001003001\file300un.exe

Filesize
4.1MB

MD5
1998fc3ec42e9e6a3d6d863661a3796b

SHA1
eda24df27f4f71012535be71f855eb7c2792900c

SHA256
4878feed268a52855902420197d1a8e08b93959998e5033ee500ead7278891df

SHA512
1fa807cfe0e16ff77db62516cd9d841c5e49d5196b86894ba073c70fa8d8a02d700bfb2e4c6312ce4f031dd02d411f4f9f48528f058e12a02ddd08644373a225

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001004001\djdjdje1939_crypted_EASY.exe

Filesize
570KB

MD5
d27ac79a31d3b896630513670235991b

SHA1
b4867d210bf20a8fda625f72d0ef474e4c3fefa3

SHA256
acde7f23d8aa2f926c565b87bd383c02c82ddc946e582fba61a50fd77565b463

SHA512
e31c56ca7b67bf32d5d6d0fa05799f461df963c95b6f76be384871256320ace5e436537ed9b6b4c0bc587d2b7cdb0042e709fe3bf5266d1f646476a3203fda9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
657KB

MD5
e78b3b382e2a236121ed077154ba185a

SHA1
999e9c40d875a99c4275fcc33ce2ae5184df621f

SHA256
01c820def9c14bcd26a1c81660ed2d0d591a31ae9d371801dd244ca5523122a2

SHA512
eaac12fe5f2bf01b5f7214bd04886e35f88024affd1b2f3c866472b94fa2f53007fef7645238bd1a6d3a5507629276c0f95f836d23f7845280bcf491b46083f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
576KB

MD5
76682faaf6357ad3fa0806ab4e1f7f56

SHA1
91162c6a18ea5276b55a226c17262050746eb2be

SHA256
b5ced11fc898657874e3098be96b6a4f204c0208b6d62c73cbb38bbe0f290e44

SHA512
f468e81d0aca685f832aba6813c3bef80e2dd6da6ba8d074cb96819974cd4f2434f082f63a82660d68028c7cf6ae90f8c2d1c4af7fa9d98565a61f22703c6b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
384KB

MD5
fcb0eec916858f1b4bfeee0822d2d19d

SHA1
e8f0d8228ebcf6d5cbca57a1e0ffe1af0a0edfcf

SHA256
696c20584467499051d7d844a2e3ecffbea72faf7d60c517dd518fe31136a2d1

SHA512
9cbffcfacd95ac58348867aa1d2af0eec6d37027e92edec73ad75b0ab8497944ce0c1a144428f228900a7fc05b56f121e6dd29acd1932e44f63e1ebb6ff98b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
3.1MB

MD5
c391fca4149be8a8fbca1f957fc42092

SHA1
945e7b4365d77e707d0331eab7cd99b521d000e9

SHA256
052a030b677160621a73979a46e315413d265c1fa7bd2cf6cbb1564a148d3f9f

SHA512
9ac73ba465723500ab6e57b6e64ef6df272f56f85f59cbacd3246a6a74ea469b7ca9ef675b90169e2191cd2c2ad6c2c442efa72835b1f030ca71e6b7763bfdcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B00.exe

Filesize
1.5MB

MD5
941e244584e90e9015a4c22524418178

SHA1
8eb4f57be919b8bc726fd9c8c86d43ad0c724d70

SHA256
62f33f95d1464b7464cc46b6fafccc46e8633d8fbc6482f0e6c528cc9f7f23f5

SHA512
b72db97b625de7d28e7730600fed3e9daf2c011528cf3c6dba66863e16150ba01d422ede41cd93010855122322ceb4f898c0ad430bba4c7b5c3acf33c0971cef

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B00.exe

Filesize
2.6MB

MD5
0d180e9e2503e59ea159315eb3472550

SHA1
1471f904451cc40fcf0cd691a9bb1698f98c828b

SHA256
f141a25507b27582c2de22c551a968b03ef56903f75147844d53baaa6e25bd64

SHA512
b475c0f18714de9e34c53f652771b6bd31f0ad64acc3096383e70c4b6a8a2908a93ed151baba8adc3546c14236da18ad24da838450e8e6d50e6cba0530d11208

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5104.tmp\Install.exe

Filesize
2.0MB

MD5
a5401f932dd22b6be0994e9b32c6dca0

SHA1
805de4299dbe7dc2e57d23bd42d35f5a26a6194d

SHA256
91ceaf6f7327ce98fc9c4f6e05e7a1c792d9bbdcac3afce9be4cb87a9bf54b58

SHA512
1027cf3ba9b72dd8ba0cc23412386d30cd2af2405251accd7102886a473a8209dff81c6095a7a79d9a055ec6fba47ebe7a18acd9e790fc6266e15ed8d22cb273

Download Submit
C:\Users\Admin\AppData\Local\Temp\B66F.exe

Filesize
231KB

MD5
7694ef52baa1a858756293bced10a79d

SHA1
87d718a5e3ec8c0d4c4b493ebae2220afbce8c53

SHA256
c19fca4cdc631a54afc9108d3be724251504bc41025e41818662ac942e25fc5f

SHA512
c914f35c49566c894179efef74bc049594672eca15d18259b5961e6d33b2618329541f1db4086fb37edb9336b1fc05ed5e76b68a1579228dd373b2e18af30cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDF2.dll

Filesize
2.2MB

MD5
e69125300a060d1eb870d352de33e4c3

SHA1
60f2c2e6f2a4289a05b5c6212cdaf0d02dad82ea

SHA256
009de0571eb77c7ed594b9e5cda731e2953fd2198e00b25a0e2c4c4ef7414355

SHA512
257d3b61b2c85c1e71d2a80a5fbf44436e9734785fe6b0a643c1939dd01c1d8b98f1c454695296f7137ff035ec6c0118f053e4833e0be91618f2a9066a8cace9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C16.exe

Filesize
832KB

MD5
2546eb3fbae6719a4d936882d676b491

SHA1
67703af00080111fd6c9c02b887409bd965eabf9

SHA256
ab1a31ede58e52a8c32af8d099527def99af9125491114f58e31a69757add7bc

SHA512
c220a97e6e1db0cfb500bd4442009571fceae95b1186117635a588b096f36de9dae62025f3d43f1dece0d478ee5ee4637ca693f93fe4f0cf8e0bf1147dbc8a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\C16.exe

Filesize
768KB

MD5
e1e5c77e598eebf3d3673a08d649988e

SHA1
511925b88f461baaeda761776a193dab227b1ae5

SHA256
73659549da787631c806f2a7b1ddba49cc341f9e840e4b81a97e2b4581a72c20

SHA512
ca899ffac253289ad5c7105ffdf1f011868750e7dc1e702a51390fc11f9a838b2edd67dbd20d04192441ad76137563e2d61cc6a91934f41614cbf7f2f8214fc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\D023.exe

Filesize
6.2MB

MD5
2e8b2f6b4b8456d3f629ac7f8dae06e3

SHA1
cc54b3a630007348ec505154befc566efa45e482

SHA256
6d9637b29433f30f74df6cae4b845a96f6767409fc7b562cb27f1d909107802e

SHA512
d89a1d5767fe4f673c7c8291cc71483366b796903b69e8128f351b20f3be17b7dc63e83632a76c4658cfd5f0f4ffad4474fea99413811d35bebbe891ea53b359

Download Submit
C:\Users\Admin\AppData\Local\Temp\D023.exe

Filesize
5.3MB

MD5
b651b18baaf269d476e2723f9d4ce717

SHA1
d84bf6ea0274bee3bc7504629f004096a5fdd162

SHA256
7975ac27368028253d45225a64640c35fda18b8cfb19d518d62e22345be8e83b

SHA512
63aa2c14e1565104ff5e803d714850c92f77aea420b782b9d3db9724c396fc7b71da75979a9220b9a5ff8a6a7ebfcc44385e0deaffedc84833d6b0fd60cb2934

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC76.exe

Filesize
2.4MB

MD5
306e29b0dff09a2fa5668fb8ad89f068

SHA1
4838ce3c069d0a539aa050badcc42ef6b0704640

SHA256
a1e5388485ea255e1923aae4fac68a96029e32bcfa56dab4f677e52b39961c04

SHA512
75eedeeb6f8fb908cc75682001f742c2f56c39b007bbb6923ef38de4bf8c66b18756fc785ed418653796879317677fe8bfacc1cc063782ce615ba443e311e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EC76.exe

Filesize
1.6MB

MD5
63a410cd87776a01c67eec7c2c5eab5a

SHA1
e618773d4e78c4aa6a04568058da5c31f3596875

SHA256
334ee5d1c3c3e484a70b8599b04f10a348d64ba32cf96604e076059a300ee73b

SHA512
f81d3e4d31bbcfd932ffcf75dda0806435b36124062d297956a61c52eb7c115edf1cf070aec7cffd23856d3595868474e0328f211918c5e7a51c95a152a002bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EasyAppns.exe

Filesize
320KB

MD5
fb469b83b695a9325b52cc8748416aab

SHA1
df6a90fc585d156b02134ea9cb653b17f7041fc9

SHA256
69b4bbd947321fca1ffaf13dd2414bde6214aac3851dcf4e04439b5bce355069

SHA512
5ff55453ea8c3c8db73375ab31b7aeaa63c94ad6ca9fca8907abf58f498344eca63b1e48cfa6217b3eab98084751289875112c3bc727c1f3d609b0d62cea1454

Download Submit
C:\Users\Admin\AppData\Local\Temp\EasyAppns.exe

Filesize
64KB

MD5
01889c87188467ab7c97f97c4400a7bc

SHA1
1fa9a17b21e438851d09d3535db7fbd3f6d86fb7

SHA256
5342fabf4cbea9e0f055c65a93967f1638aa46c02bf2aa45ba64d87203de61ec

SHA512
d4a6441ddfb150068c080ed7c8a54fd4e2b4d60e539e8c05ab5e611b0dd0026b993321a90e71d9871503e71c3ec9afe0de59560f47b5e2549947f0efe41af083

Download Submit
C:\Users\Admin\AppData\Local\Temp\EasyAppns.exe

Filesize
988KB

MD5
065760220981039db19b9701aaeffddf

SHA1
318170b5ca3673cff578d89b7de116f9d6fcd961

SHA256
cac5a59708cebec195aed03baf2c20b32b277ea73738d054ba40a072719160bf

SHA512
81bb505365d1a10dd902f76b24ec111b519d17c0ede500b5c47d6eab9f187f95ac2897b09e7004762455a17cfb068a47c854fd9c29957e13832bb108a6385895

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFA1.exe

Filesize
2.3MB

MD5
1a6212bd50131b501fd686aa403b5571

SHA1
c0ee0b6a73c0f6a4c3a3001cd0d4270446b6f62c

SHA256
ee744184fffb5722a24c893fc295ce92f4e8e448470bd57ed42f25db39663457

SHA512
80a0d40cf72993ca0053e948c65842a1f0a65b415f6c0fdc0f28c57d62a26e5f7ea5b6f63cb6ac90e88a712c9c970f909f67828ec644d0d5798cf5983675da15

Download Submit
C:\Users\Admin\AppData\Local\Temp\HIDGCFBFBF.exe

Filesize
101KB

MD5
42b838cf8bdf67400525e128d917f6e0

SHA1
a578f6faec738912dba8c41e7abe1502c46d0cae

SHA256
0e4ffba62ce9a464aa1b7ff9f1e55ace8f51ff1e15102d856f801a81f8b4607d

SHA512
f64b39d885375251ab7db72c57dc5b5095f0c6412169f1035d1f6a25b8415a2a01004d06bfa0267cf683ef7dea7a9f969ad43fde5a4376f1fcb65a57403433c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

Filesize
404KB

MD5
383c48c7f64a6867db5b8577fa3abfbf

SHA1
926911f9581df56f5ac38fac01f6d45acdfb7dbd

SHA256
9b37a304f33bda4707c0dae60a20ac7c76c75752b0d06ad9fb2d6f07f8edd1b9

SHA512
53b5d42ed93ad6f1163ed00be8cd1b66d367fadf25853c16d8c6fb710f69d9e8a32cb85d0dbf36d95c85da16b214de2a564bc0750c264bb0547dd8910a6f4442

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403211605267055496.dll

Filesize
4.6MB

MD5
4bef2086f25c5813396d07b5fdce31ec

SHA1
89f3a0f7b5143abd610795bc2981ca5bbbc40071

SHA256
5a63f85ed97a4f41aa7e13228c35eef1ad60984f54ed2f843191c21fe7c45a98

SHA512
85dffa48f112024e9c644420f74c7bfff0e88b3c0e4b642f52927c5a5e46890acf8755d4f78d42badaf8512bdae2526bd9d79e61d71f99f5079fe50304ddf7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jpndjicy.wd0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe

Filesize
1.8MB

MD5
00afae68a43d8845cbe0555330b2d332

SHA1
4db6e7281ba89d9808bddd823cae64fa6f7c6ea4

SHA256
143d067bf572802cb8a76ad8e9e8b240b4f5cc6b757400a20fdfde18fb92a1fd

SHA512
40670fd43961e6f8c41052545361af45393b508991c40393d63481db1a0389ee1ea9dd8f9a0077f3db4178968d4d404646992cdea3983a34ab6f041e408f5742

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe

Filesize
1.3MB

MD5
235b7e88be246b693382c4d2ac060dcf

SHA1
2bf97727bde4f19ab39ad3a35334c3b86dfee5a3

SHA256
45d891c1d7bccd6b087da1e268a6427737d716bdd220f1545d52641652b82924

SHA512
d880eac29d2a1bb2a96446742070092259f1aabf625822a236178e041e5ba096d7aeb09df81461ddbf7133da4695c4bf66af22e03b04a8f46c687ea311a198ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\april.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
4KB

MD5
71363bf4a77ef8a4cd03affba864454d

SHA1
614259b832e502879dfe624294de610cea67879e

SHA256
56dedf8c4dc08e43b73ba0ee14fe459192c14d36f346bdbc87b200c6bb718176

SHA512
51b03e80d9ca5925a07b07478e1fb9dd006cb9d0571cc25ffa0314a3b9ded80f13c70e514dd8d01c67fa91276a660e9d913c592c7320db93eeb853f1e02ee093

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
cd86b7e3a76dbea878a6f9e37d69935e

SHA1
1a7ec790af10902218db8d5aa37725e38c632375

SHA256
e303679a7f1e3cef4b43ad08c31c5c893ed33701f04c7fb9f5372dc8ebee64ec

SHA512
a47fe18f800f679d9f5cf32fc2753705dac8485d16e647e1406e9a53e92623af0e82f914b0bdae980425e6f80931a26504c8ff1e2f0b336860aaabf32d22975c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
4d244323abea231bd2ff7175d22c5184

SHA1
d0e275c9afa1ad8f1b2e6f6a8e8b57f0cd8b99e0

SHA256
a8230eae5ad284a21059e7a6db7525eca8eabe6c879e3e50362a385c69eb908a

SHA512
ee3653173b5efc8918878a4053734bb3f3aa6717ef301be8e0f6bb0334742e5f4d30582f8f912310b9ca348d0ec92a6dc46e785a6bf571bec17006421993cc84

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DH28R.tmp\cxIVW6sBLWopDUFEWKakU8bZ.tmp

Filesize
677KB

MD5
fc4d31e365a461bd4cb0a22fb31b22d8

SHA1
851aba9b8a189ee51f562f69e1b07dbd29dc5373

SHA256
2b4588a6381c9b8f0b02471d6164db22be667c70f060d948767a9ee825e32abe

SHA512
b6dd79f07248ff890dd7b1176ce05965a669be978cd96b356f262c460bdaae7dadc8aaa3510fe606c4b2904bb0bc3ad198b9c56a4f04aa2c60bdfe8ebbd3ef03

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EK75O.tmp\april.tmp

Filesize
677KB

MD5
8519bfba2d14dbdca979e73c62ed4b46

SHA1
388030278d4f7e4d88754adc3ff95df54e01eda9

SHA256
6848c671e27c33dd065e1d70c9be0a4205ad69ec9b4b4b356d03eb8dc73ddeb5

SHA512
a1bfd50e48a82f7b100de76674a082eb77ac385b7ccc5ba574f45b97e2e4a992541a992b979b266b9e6bd27eddec02f943b776ed0210d5b788954e15463921aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HHSMK.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RP3SF.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuE84A.tmp\INetC.dll

Filesize
21KB

MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\us0.0.exe

Filesize
216KB

MD5
1b391ba41f3518334ac273d4e4278e5f

SHA1
a9802023f005d418014c045246ece5f601e73360

SHA256
e3a986731e2d94450a7784dcbcbee670bf89e4932be4b467e11aff6d84b7cca9

SHA512
4144fecde918d67c7b75328caaa43af15329a39542af5f5be601b3936dbdb51149afabd972fc39d115f907e3054bcad1f29e30926c9c9e0aa9ab16a162e0e0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\us0.1.exe

Filesize
2.8MB

MD5
186ab4f575d4fc73176307ef6f95c2da

SHA1
740995bedc1363d0a99fb05cc57299b798d5dc0c

SHA256
8855e60f848e3914b4e59baa000788e8ec81981bd4472ca31e277ce81ed48133

SHA512
fd616b340f37574216a6470dab2a663a27ad0abf2a5d4260a1e72b38a1c2f076d463c839d73938e28965cb6f7ecf3de0f56fb25e39020dd472373c7c169182ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\us0.1.exe

Filesize
2.2MB

MD5
6490a1b09dc5035de5c33b45f5b0af17

SHA1
248a388f0e1f070d5e1a216c66b79079c61ee142

SHA256
54775cc8edc04e86c8fa81006ff455137ba885ad0532d3ceb2416ff6955f1244

SHA512
deebf46841e3c3510d92ccae7f262ecf2e7fc9260b83c080c04ce9d721756906ffab4e122058c2de2974bfa12d2bbe7cf9d2d52f6ffc75c930e6886eb02a5b8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\us0.1.exe

Filesize
3.6MB

MD5
854e0d84c59231d3f52136222b914b9d

SHA1
9f8a85062f044d2d593ad01bbd4ba5e796f0c20b

SHA256
e8854a4836b9812f31827844ed961e2f35ec07418331ef9ac4d8cc7e79c9700d

SHA512
742dc48a0f189786f13ac3468844bd4d57a3da59f8406f7cd34c241efa1e04d5602f303b800b9b5c2d060a2f0303dd7999211aad98a9886a4b0aeccabd5fbd01

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
06696fddda4cffb4b0ac243f796ffe95

SHA1
bdb990e0efb194f4f4ca737b4af761f32d3959c5

SHA256
7cee23d171d590155cb4a7f3c27f1d472fc3f8d08c47ccc63ba564c08578f539

SHA512
8e56b883b9145c3f97ada0b6588b34ecf7fde9b0eba560b28c9b26cf83404c0e02c697ffb9d2d649fa37777a7432beeedb925db6cfcdf6972aa7051b7697723f

Download Submit
C:\Users\Admin\Pictures\1YECoN8Ax88dRRFge6MSgAqM.exe

Filesize
522KB

MD5
b8616322186dcdf78032a74cf3497153

SHA1
bf1c1568d65422757cc88300df76a6740db6eab5

SHA256
43dda2be3813b81729b3d388f546838a36ee3471da5ed266fe958e2316f1f6ea

SHA512
7b1e4ad944960fc2aa661426f77e64ff151cd8d5860e584874da1c4f03c6d195d4ee9031c36c24a234a851176b003254d14f9334712e07babc6934cf19a7b2fb

Download Submit
C:\Users\Admin\Pictures\DrDamgjlI0LdRS9gdEzzDZpJ.exe

Filesize
3KB

MD5
b35768fc20e31f3157916a7e0e703467

SHA1
a9e9406901956c85c8c87a7b23f72e14302984cf

SHA256
0c41b8e47bb3c072615e8dd64c208c96aa5f613f2e4f4d2b275785392442bf85

SHA512
d6dbad215212c3d26a7458b51697497d4e816d154912d03ecbe1015d2542f5d4a8dcfe87b0183cab58cfe6fe6cf1b55dbe134a72d534b656832b66aa70b67277

Download Submit
C:\Users\Admin\Pictures\PC6pr9fNHFITcmWY04N8Hmif.exe

Filesize
3KB

MD5
bbe879d3e38e6e9aca63c94d58689091

SHA1
5dfbf761723c62361c2721e683883184c2abba8c

SHA256
10845c5e794b4b120c725a3c2d8f4b8f67f07aa3217e936f7835e9ab8717e162

SHA512
ee8d7b4241aee85e21f4cf9b82738fe1e011f0420e2b67663735ea1d3694ca7555a90c94b6fef7369bd8a09016f15412ac3024f548fddd8360ca2fba233d2359

Download Submit
C:\Users\Admin\Pictures\V40jQvS5tkqKmLNfjEOIvQTj.exe

Filesize
4.1MB

MD5
dc3ea3c8a0dc12c77fc92c4ddfbcbc0b

SHA1
939109a28921f9424c9b312ca27a12836360d1ff

SHA256
ac074e5a2cab32d4944f21bad2fc38dd9dfaf4f7273ccd7b5bc780be8a68452e

SHA512
f5024a014262cfdadebad0d202912fe5106d15aab6afc514b43594c073d881cc910481ed8a7bf7ab8720678c736256a203fa8e8c91e0077c6a0d89bb6cda6db3

Download Submit
C:\Users\Admin\Pictures\YsGzH62dFSKqqK4G2PVzrLAW.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\cxIVW6sBLWopDUFEWKakU8bZ.exe

Filesize
1.0MB

MD5
f257c919b6a99bc693ea2bb6c632b588

SHA1
7f101667cd63487130fd0ea3bc81f17ada5d31b6

SHA256
e171c8b117e7bf112c06cff1ddb9c953c549f3900c092e3e1a45e9bd2d3897e9

SHA512
74f3cf46ae2280aabc67f51409be3f59bd4d90460de21f660770481fa0ad32fed8b89ddfb57969c9ebf85af35eb6d112bd39970fb85a7173e204a74f47306f5c

Download Submit
C:\Users\Admin\Pictures\cxIVW6sBLWopDUFEWKakU8bZ.exe

Filesize
1.2MB

MD5
aff2fe2a4c844bf017a6b692c6c90f03

SHA1
a558b0be2285210376e1f27cd01239623dab7dfa

SHA256
f6713621784e45edb7e20f74cba03421db6352e81133387dc673e59d90d7acd6

SHA512
e0d568877da143d1a4122ed4573e57bda31b2fa9dd9fcf465c2193a0281dffbf72d89eeb74c59fd3925944289032b4a373712351f90faba374d61c10cf7fe010

Download Submit
C:\Users\Admin\Pictures\dnp0wisNVybECaK8jTRTCSJN.exe

Filesize
410KB

MD5
114e205fbf7feb27d11c85e488d37aa0

SHA1
a995dc7dd7902ed88ed4fab9887d7a4ea1893a5b

SHA256
e426ba7a4df51a411423c0d8c2ad3ca32ab301731dc11ccd307279c64aefff3c

SHA512
92ea23836c70289940ddb8951555151ea7c07bacd5fcccec2edd6b84c529043dc2093d207280cfbf159355dceddc04b7379e91ffeb28a3e437e161f8039fe31c

Download Submit
C:\Users\Admin\Pictures\tBM6LaOw5fn6FmUmOb2yLCFs.exe

Filesize
2.1MB

MD5
7a210a611206a0174f13bb501df49194

SHA1
4753ab2e5fcfb7633d60fca9a4fb3fe102a1081c

SHA256
8712b68e897cdafe664b92ad795bd3c60334daa1cc3c903567496475bc80d371

SHA512
f1a845b618d7fab40424bef5156c791e53479dc7227cb3a745813dd8b008b81799a4dded387bb2c4b3cdc6d1933fd13378bdf740143e66cf798701d0de1afdbd

Download Submit
C:\Users\Admin\Pictures\uQ0hHhMwLPkhcbQUo6kvDoaH.exe

Filesize
2.8MB

MD5
cafe699bd3f7982efcdd12674a3e820c

SHA1
cfe6d318cd9bfe0f948b18db276dd47beb072128

SHA256
926ec8a4309f0487b9781225b8aa7529bc55ecb044aa2a854735161af7cead53

SHA512
edb63f050fdfe87cf7364915ddd47ee4ad37d4b31c8ffac99f780abd7f455030b6128f672ca54afdaf208805ea10d332d92864f06a6827fe0d7a029c7b5195c6

Download Submit
C:\Users\Admin\Pictures\vlL6xg8p5EpDtG0RUhWQSUrE.exe

Filesize
1.6MB

MD5
10b414a02c8de402acc4109bd8d3dad7

SHA1
45969fcde8a0fec9fb80e55610867004fbc1a223

SHA256
b49de72d35ff8d009db1ca7654b98c5a41f2b0943c2549c6c546495694175ef1

SHA512
57234d71d1e3d77bbd25992aa97246f810d8103f11a81746e0acf962f9e7533a1ac78555f8e079721dfb27fb02cd359e9ee6963e5896b440928666adefd2720d

Download Submit
C:\Users\Admin\Pictures\zYwPHu52Cms4PbuNA5WKQWT7.exe

Filesize
2.8MB

MD5
40f4170c5b664a749a324cacadc9b03c

SHA1
e5b2b34f4f2ecd81e95c9ea4382f5227b2b40ec0

SHA256
a9decc989f8937354f188b18cdf3606f35993f049c5e2acf05af27ccc3cc7e8b

SHA512
ce113a77289e82129004958fa0685507d8c1e3e878f71bb91cd75cb5143feb4cd20a785b0aa5ac41fcc5956adc2c5087aa049d9259b82e4640cc067604a39fe3

Download Submit
C:\Users\Admin\Pictures\zqmkWfVNzGjvtHX0zRsOJaak.exe

Filesize
1.6MB

MD5
08d3fc49ed764bc3fd2487d6620c96fa

SHA1
a727c03e8ed569dec41fd711a8bee7664361c002

SHA256
a391ccbec7fb6bfa492fc846753834af067c26cbb68548ae3cc8b947142f8702

SHA512
711b10ff463e5b49883ba12b0049c046699a3b8991e83d8d02e0a4a5f2ee593629cc00162b10a51c3b158f6db81e7d6e056fdb611e1f4b7e0c37157936240291

Download Submit
C:\Users\Public\Music\EasyApp.exe

Filesize
341KB

MD5
0e49e66fd0e90ac46ad9f027df419048

SHA1
357559abc784e69245db2e4302c838913df618b2

SHA256
599fbee1c0335d5f8efae7ed35eed9700001841005158a1c8c6648b53a6e4bda

SHA512
38aa37d633795de8ad65749a11da261e9f3aa2e1f285cd95e89a895c76e28a7d1fb72e87776013e8b508b9201d1b7ce92462c85cb4e3d55d5cf9b5a802479fed

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
ac4917a885cf6050b1a483e4bc4d2ea5

SHA1
b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f

SHA256
e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9

SHA512
092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
8c5155f45f66f7de909080dc6f9c7375

SHA1
73aa804e0874ceba5b9180ff28fe1f25febf0444

SHA256
013bc252efced80dfd5ba94e186f519a56c11db4590083ed7f53ed920f7a2d31

SHA512
12af75c9965337493289ced2a6c1c75de9fcaabaf70d86b32df3b3f1738a3f3533da63f2018c14e2612baa2f0e659953748334bb51764a3d8982df398dfe98cf

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
f5dac3c30cae25b3d99cebf2e8c936cc

SHA1
f030b302ac6e3c3bc50abc462d4fb9bf2d0a05df

SHA256
5ea4cff01e94f0176105ab304636e1061fe1862620807a14e00aa6505e1725d5

SHA512
67fbea75aa70c5b33c8d5f78c4babd91509a28da2bc373a336cdd4cc358f1a5a6a127e25cea75ed4b6a926fa29a3ac98606d795da2024356ed472738665d7e27

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
35dae80ab42a0df5df0acf70560dd678

SHA1
9a75ec4dfc63649b5b124e8df6171a872bda6001

SHA256
7ca6639d6abcb4e6b0442aefe99654412685116b33f45521191ce6e953d79452

SHA512
38df33bce61b1202ebc333324a711570400b324474bba90f5305b91c8c3b27250f78b3bd0ca35bd29d3c3a76960f780038f0c080ca9f77d9276484f7d10b7cc5

Download Submit
C:\Windows\rss\csrss.exe

Filesize
4.1MB

MD5
c8564b4d627953e836d0faab99740a6a

SHA1
74b37a34950bd081d10072b4dae88952a4c52178

SHA256
051b0fe6b1d01ab0cc4dee0e7270b4dd54040a5c1783b78ea612bbf37d0c6f31

SHA512
77af3dd58d16effa1a307c174add6cdd1006b2a08add287388162bb2b7b3245a77e15375da1e508bcce10f024ab0e888b16862f087941e7b165834e8ae406776

Download Submit
memory/332-442-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/332-298-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/432-470-0x0000000000D70000-0x000000000123B000-memory.dmp

Filesize
4.8MB

Download
memory/432-482-0x0000000004E20000-0x0000000004E21000-memory.dmp

Filesize
4KB

Download
memory/432-463-0x0000000000D70000-0x000000000123B000-memory.dmp

Filesize
4.8MB

Download
memory/432-469-0x0000000077406000-0x0000000077408000-memory.dmp

Filesize
8KB

Download
memory/432-488-0x0000000000D70000-0x000000000123B000-memory.dmp

Filesize
4.8MB

Download
memory/432-483-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/432-472-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download
memory/432-473-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/432-474-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/432-475-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/432-476-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/432-471-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/432-477-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/788-554-0x0000000006780000-0x00000000067C6000-memory.dmp

Filesize
280KB

Download
memory/788-550-0x0000000005D30000-0x0000000005D96000-memory.dmp

Filesize
408KB

Download
memory/788-564-0x0000000007420000-0x0000000007454000-memory.dmp

Filesize
208KB

Download
memory/788-566-0x00000000737C0000-0x000000007380C000-memory.dmp

Filesize
304KB

Download
memory/788-553-0x0000000006340000-0x000000000638C000-memory.dmp

Filesize
304KB

Download
memory/788-552-0x0000000006200000-0x000000000621E000-memory.dmp

Filesize
120KB

Download
memory/788-551-0x0000000005DA0000-0x00000000060F7000-memory.dmp

Filesize
3.3MB

Download
memory/788-539-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/788-541-0x0000000005C50000-0x0000000005CB6000-memory.dmp

Filesize
408KB

Download
memory/788-540-0x0000000005260000-0x0000000005282000-memory.dmp

Filesize
136KB

Download
memory/788-534-0x0000000002D50000-0x0000000002D86000-memory.dmp

Filesize
216KB

Download
memory/788-535-0x00000000054B0000-0x0000000005ADA000-memory.dmp

Filesize
6.2MB

Download
memory/788-536-0x0000000072610000-0x0000000072DC1000-memory.dmp

Filesize
7.7MB

Download
memory/788-537-0x0000000004E70000-0x0000000004E80000-memory.dmp

Filesize
64KB

Download
memory/900-446-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/900-445-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/900-444-0x0000000002A20000-0x0000000002A60000-memory.dmp

Filesize
256KB

Download
memory/900-449-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/900-416-0x00000000002D0000-0x0000000000676000-memory.dmp

Filesize
3.6MB

Download
memory/984-1-0x0000000000910000-0x0000000000A10000-memory.dmp

Filesize
1024KB

Download
memory/984-3-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/984-2-0x00000000008E0000-0x00000000008EB000-memory.dmp

Filesize
44KB

Download
memory/984-5-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/1008-62-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1008-413-0x0000000000400000-0x0000000000568000-memory.dmp

Filesize
1.4MB

Download
memory/1008-58-0x00000000022B0000-0x000000000231F000-memory.dmp

Filesize
444KB

Download
memory/1008-55-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/1108-372-0x0000000000400000-0x0000000000DB4000-memory.dmp

Filesize
9.7MB

Download
memory/1108-371-0x0000000000400000-0x0000000000DB4000-memory.dmp

Filesize
9.7MB

Download
memory/1108-368-0x0000000000400000-0x0000000000DB4000-memory.dmp

Filesize
9.7MB

Download
memory/1228-588-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1228-525-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1228-447-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1544-22-0x0000000002BB0000-0x0000000002BB6000-memory.dmp

Filesize
24KB

Download
memory/1544-33-0x0000000003150000-0x0000000003258000-memory.dmp

Filesize
1.0MB

Download
memory/1544-30-0x0000000003150000-0x0000000003258000-memory.dmp

Filesize
1.0MB

Download
memory/1544-440-0x0000000010000000-0x0000000010239000-memory.dmp

Filesize
2.2MB

Download
memory/1544-27-0x0000000003020000-0x0000000003143000-memory.dmp

Filesize
1.1MB

Download
memory/1544-23-0x0000000010000000-0x0000000010239000-memory.dmp

Filesize
2.2MB

Download
memory/1840-455-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1840-450-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/1840-467-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/1840-451-0x0000000002260000-0x0000000002287000-memory.dmp

Filesize
156KB

Download
memory/1840-388-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1840-569-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2056-456-0x0000000002B30000-0x0000000002F30000-memory.dmp

Filesize
4.0MB

Download
memory/2056-462-0x0000000002F30000-0x000000000381B000-memory.dmp

Filesize
8.9MB

Download
memory/2056-294-0x0000000002F30000-0x000000000381B000-memory.dmp

Filesize
8.9MB

Download
memory/2056-513-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2056-441-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2056-468-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2056-71-0x0000000002B30000-0x0000000002F30000-memory.dmp

Filesize
4.0MB

Download
memory/2056-300-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2984-349-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/2984-350-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/2984-345-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/3124-342-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/3124-338-0x00000000022C0000-0x0000000002308000-memory.dmp

Filesize
288KB

Download
memory/3124-346-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/3124-344-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/3124-373-0x0000000000400000-0x0000000000558000-memory.dmp

Filesize
1.3MB

Download
memory/3156-319-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/3156-443-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3156-478-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/3240-25-0x0000000005F60000-0x0000000005F76000-memory.dmp

Filesize
88KB

Download
memory/3240-4-0x0000000003240000-0x0000000003256000-memory.dmp

Filesize
88KB

Download
memory/3628-355-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/3628-567-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/3628-448-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/3628-353-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/3628-538-0x0000000000400000-0x00000000005AD000-memory.dmp

Filesize
1.7MB

Download
memory/4840-299-0x00000000740F0000-0x00000000748A1000-memory.dmp

Filesize
7.7MB

Download
memory/4840-38-0x00000000000C0000-0x0000000000800000-memory.dmp

Filesize
7.2MB

Download
memory/4840-39-0x00000000740F0000-0x00000000748A1000-memory.dmp

Filesize
7.7MB

Download
memory/4868-28-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4868-16-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/4868-17-0x0000000000650000-0x000000000065B000-memory.dmp

Filesize
44KB

Download
memory/4868-18-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download