amadey | fcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3

Analysis

max time kernel
82s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
24-03-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exe
Size

1.9MB
MD5

15085bc8a44c0bceaaa6d67e55202baf
SHA1

7c0d973ca1e226333885d1d0f8e4400d0d5e9148
SHA256

fcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3
SHA512

987cf8fde4b0b39fb5fa9498b4319ba3b98ccf8d5a7163654ed49bb8e19749a1eae9aded496a69c9ffe67a19a889751734fda09718b6f3b808081a2f113791fb
SSDEEP

49152:skZsgDYadFGnrR4ks5Y5X0BI7lOSJmXf/0Pty6h:xnDt+s5Y5u88SEXf/v6

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffic

4.185.137.132:1632

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

amadey

Version

4.18

http://193.233.132.56

Attributes

install_dir
09fd851a4f
install_file
explorha.exe
strings_key
443351145ece4966ded809641c77cfa8
url_paths
/Pneh2sXQk0/index.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://selebration17io.io/index.php

http://vacantion18ffeu.cc/index.php

http://valarioulinity1.net/index.php

http://buriatiarutuhuob.net/index.php

http://cassiosssionunu.me/index.php

http://sulugilioiu19.net/index.php

http://goodfooggooftool.net/index.php

rc4.i32

Extracted

Family

vidar

Version

8.4

Botnet

5fbf4a72841af58deea9444153ca55cc

https://steamcommunity.com/profiles/76561199654112719

https://t.me/r2d0s

Attributes

profile_id_v2
5fbf4a72841af58deea9444153ca55cc
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0

Extracted

Family

stealc

http://185.172.128.209

Attributes

url_path
/3cd2b41cbde8fc9c.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/5084-922-0x0000000000400000-0x0000000000AF7000-memory.dmp	family_vidar_v7

Detect ZGRat V1 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe	family_zgrat_v1
behavioral2/memory/4276-82-0x0000000000310000-0x000000000038A000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe	family_zgrat_v1
C:\Users\Admin\Pictures\mnFh5i9cExjM3LNFKQ71QvwX.exe	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4244-927-0x0000000000400000-0x0000000000ED5000-memory.dmp	family_glupteba
behavioral2/memory/4976-928-0x0000000000400000-0x0000000000ED5000-memory.dmp	family_glupteba
behavioral2/memory/1792-951-0x0000000000400000-0x0000000000ED5000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4592-88-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

amadka.exeexplorha.exefcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exeexplorgu.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amadka.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorgu.exe

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exerundll32.exe

flow pid process

11 1308 rundll32.exe
12 948 rundll32.exe
Downloads MZ/PE file

flow	pid	process
11	1308	rundll32.exe
12	948	rundll32.exe

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

amadka.exeexplorha.exefcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exeexplorgu.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amadka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amadka.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorha.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorgu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorgu.exe

Executes dropped EXE 11 IoCs

Processes:

explorgu.exeosminog.exegoldprimeldlldf.exeamadka.exeTeamFour.exeexplorha.exealex1234.exepropro.exeTraffic.exe987123.exelummalg.exe

pid	process
3360	explorgu.exe
4116	osminog.exe
4276	goldprimeldlldf.exe
2460	amadka.exe
1840	TeamFour.exe
3468	explorha.exe
4368	alex1234.exe
2060	propro.exe
2160	Traffic.exe
1216	987123.exe
572	lummalg.exe

Identifies Wine through registry keys 2 TTPs 4 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

explorha.exefcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exeexplorgu.exeamadka.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorha.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	fcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	explorgu.exe
Key opened	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Wine	amadka.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

784 rundll32.exe
1308 rundll32.exe
948 rundll32.exe
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
784	rundll32.exe
1308	rundll32.exe
948	rundll32.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\PsUHcOZ5E1RZclhUJsJlaSOA.exe	themida

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\u1p0.1.exe	upx
C:\Users\Admin\Pictures\iEjbEt5ED3efCQ6aucbrpNhG.exe	upx
C:\Users\Admin\Pictures\IbMpuyAtapBCr3xSwhCjAVQP.exe	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorgu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000\Software\Microsoft\Windows\CurrentVersion\Run\amadka.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000875001\\amadka.exe"	explorgu.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

6 pastebin.com
27 pastebin.com
96 pastebin.com
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

208 api.myip.com
209 ipinfo.io
204 ipinfo.io
205 api.myip.com
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

fcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exeexplorgu.exeamadka.exeexplorha.exe

pid process

3712 fcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exe
3360 explorgu.exe
2460 amadka.exe
3468 explorha.exe

flow	ioc
6	pastebin.com
27	pastebin.com
96	pastebin.com

flow	ioc
208	api.myip.com
209	ipinfo.io
204	ipinfo.io
205	api.myip.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

osminog.exegoldprimeldlldf.exealex1234.exelummalg.exe

description	pid	process	target process
PID 4116 set thread context of 1928	4116	osminog.exe	RegAsm.exe
PID 4276 set thread context of 4592	4276	goldprimeldlldf.exe	RegAsm.exe
PID 4368 set thread context of 1640	4368	alex1234.exe	RegAsm.exe
PID 572 set thread context of 3924	572	lummalg.exe	RegAsm.exe

Drops file in Windows directory 2 IoCs

Processes:

amadka.exefcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exe

description	ioc	process
File created	C:\Windows\Tasks\explorha.job	amadka.exe
File created	C:\Windows\Tasks\explorgu.job	fcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
416	1928	WerFault.exe	RegAsm.exe
3388	3924	WerFault.exe	RegAsm.exe
4748	1008	WerFault.exe	RegAsm.exe
1924	1008	WerFault.exe	RegAsm.exe
1432	2196	WerFault.exe	1DolXbxEuummbXnr2feutlpx.exe
3636	772	WerFault.exe	5iBjb9QgBK1OAsVIYWu306Rp.exe
5956	5084	WerFault.exe	ZEuEybcg2ss6PyICBYpyxSyh.exe
6260	5732	WerFault.exe	RegAsm.exe
6724	5732	WerFault.exe	RegAsm.exe
1316	6520	WerFault.exe	2DDD.exe
832	6520	WerFault.exe	2DDD.exe
4372	6440	WerFault.exe	5nW3cRM2BWHMQffIq4WmeeHz.exe
2348	996	WerFault.exe	RegAsm.exe
7416	7112	WerFault.exe	oD71rDSGmeKjsqCZ7LPGnk1X.exe
7552	6292	WerFault.exe	uX3CcSEubffJgrtRxcxdhR6Q.exe
7840	996	WerFault.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

987123.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	987123.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3424 schtasks.exe
3860 schtasks.exe
5244 schtasks.exe
6432 schtasks.exe
6996 schtasks.exe

pid	process
3424	schtasks.exe
3860	schtasks.exe
5244	schtasks.exe
6432	schtasks.exe
6996	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

propro.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	propro.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	propro.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

fcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exeexplorgu.exerundll32.exepowershell.exeRegAsm.exeamadka.exeexplorha.exeTeamFour.exe987123.exeTraffic.exe

pid	process
3712	fcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exe
3712	fcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exe
3360	explorgu.exe
3360	explorgu.exe
1308	rundll32.exe
1308	rundll32.exe
1308	rundll32.exe
1308	rundll32.exe
1308	rundll32.exe
1308	rundll32.exe
1308	rundll32.exe
1308	rundll32.exe
1308	rundll32.exe
1308	rundll32.exe
4884	powershell.exe
4884	powershell.exe
4592	RegAsm.exe
4592	RegAsm.exe
4592	RegAsm.exe
4592	RegAsm.exe
4592	RegAsm.exe
2460	amadka.exe
2460	amadka.exe
3468	explorha.exe
3468	explorha.exe
1840	TeamFour.exe
1216	987123.exe
1216	987123.exe
2160	Traffic.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

osminog.exepowershell.exeRegAsm.exeTeamFour.exeTraffic.exe

description	pid	process
Token: SeDebugPrivilege	4116	osminog.exe
Token: SeDebugPrivilege	4884	powershell.exe
Token: SeDebugPrivilege	4592	RegAsm.exe
Token: SeDebugPrivilege	1840	TeamFour.exe
Token: SeBackupPrivilege	1840	TeamFour.exe
Token: SeSecurityPrivilege	1840	TeamFour.exe
Token: SeSecurityPrivilege	1840	TeamFour.exe
Token: SeSecurityPrivilege	1840	TeamFour.exe
Token: SeSecurityPrivilege	1840	TeamFour.exe
Token: SeDebugPrivilege	2160	Traffic.exe
Token: SeBackupPrivilege	2160	Traffic.exe
Token: SeSecurityPrivilege	2160	Traffic.exe
Token: SeSecurityPrivilege	2160	Traffic.exe
Token: SeSecurityPrivilege	2160	Traffic.exe
Token: SeSecurityPrivilege	2160	Traffic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

explorgu.exeosminog.exegoldprimeldlldf.exerundll32.exerundll32.exeamadka.exealex1234.exeRegAsm.exe

description	pid	process	target process
PID 3360 wrote to memory of 4116	3360	explorgu.exe	osminog.exe
PID 3360 wrote to memory of 4116	3360	explorgu.exe	osminog.exe
PID 3360 wrote to memory of 4116	3360	explorgu.exe	osminog.exe
PID 4116 wrote to memory of 1928	4116	osminog.exe	RegAsm.exe
PID 4116 wrote to memory of 1928	4116	osminog.exe	RegAsm.exe
PID 4116 wrote to memory of 1928	4116	osminog.exe	RegAsm.exe
PID 4116 wrote to memory of 1928	4116	osminog.exe	RegAsm.exe
PID 4116 wrote to memory of 1928	4116	osminog.exe	RegAsm.exe
PID 4116 wrote to memory of 1928	4116	osminog.exe	RegAsm.exe
PID 4116 wrote to memory of 1928	4116	osminog.exe	RegAsm.exe
PID 4116 wrote to memory of 1928	4116	osminog.exe	RegAsm.exe
PID 4116 wrote to memory of 1928	4116	osminog.exe	RegAsm.exe
PID 3360 wrote to memory of 4276	3360	explorgu.exe	goldprimeldlldf.exe
PID 3360 wrote to memory of 4276	3360	explorgu.exe	goldprimeldlldf.exe
PID 3360 wrote to memory of 4276	3360	explorgu.exe	goldprimeldlldf.exe
PID 4276 wrote to memory of 4592	4276	goldprimeldlldf.exe	RegAsm.exe
PID 4276 wrote to memory of 4592	4276	goldprimeldlldf.exe	RegAsm.exe
PID 4276 wrote to memory of 4592	4276	goldprimeldlldf.exe	RegAsm.exe
PID 4276 wrote to memory of 4592	4276	goldprimeldlldf.exe	RegAsm.exe
PID 4276 wrote to memory of 4592	4276	goldprimeldlldf.exe	RegAsm.exe
PID 4276 wrote to memory of 4592	4276	goldprimeldlldf.exe	RegAsm.exe
PID 4276 wrote to memory of 4592	4276	goldprimeldlldf.exe	RegAsm.exe
PID 4276 wrote to memory of 4592	4276	goldprimeldlldf.exe	RegAsm.exe
PID 3360 wrote to memory of 784	3360	explorgu.exe	rundll32.exe
PID 3360 wrote to memory of 784	3360	explorgu.exe	rundll32.exe
PID 3360 wrote to memory of 784	3360	explorgu.exe	rundll32.exe
PID 784 wrote to memory of 1308	784	rundll32.exe	rundll32.exe
PID 784 wrote to memory of 1308	784	rundll32.exe	rundll32.exe
PID 1308 wrote to memory of 4996	1308	rundll32.exe	netsh.exe
PID 1308 wrote to memory of 4996	1308	rundll32.exe	netsh.exe
PID 1308 wrote to memory of 4884	1308	rundll32.exe	powershell.exe
PID 1308 wrote to memory of 4884	1308	rundll32.exe	powershell.exe
PID 3360 wrote to memory of 948	3360	explorgu.exe	rundll32.exe
PID 3360 wrote to memory of 948	3360	explorgu.exe	rundll32.exe
PID 3360 wrote to memory of 948	3360	explorgu.exe	rundll32.exe
PID 3360 wrote to memory of 2460	3360	explorgu.exe	amadka.exe
PID 3360 wrote to memory of 2460	3360	explorgu.exe	amadka.exe
PID 3360 wrote to memory of 2460	3360	explorgu.exe	amadka.exe
PID 3360 wrote to memory of 1840	3360	explorgu.exe	TeamFour.exe
PID 3360 wrote to memory of 1840	3360	explorgu.exe	TeamFour.exe
PID 2460 wrote to memory of 3468	2460	amadka.exe	explorha.exe
PID 2460 wrote to memory of 3468	2460	amadka.exe	explorha.exe
PID 2460 wrote to memory of 3468	2460	amadka.exe	explorha.exe
PID 3360 wrote to memory of 4368	3360	explorgu.exe	alex1234.exe
PID 3360 wrote to memory of 4368	3360	explorgu.exe	alex1234.exe
PID 3360 wrote to memory of 4368	3360	explorgu.exe	alex1234.exe
PID 4368 wrote to memory of 1640	4368	alex1234.exe	RegAsm.exe
PID 4368 wrote to memory of 1640	4368	alex1234.exe	RegAsm.exe
PID 4368 wrote to memory of 1640	4368	alex1234.exe	RegAsm.exe
PID 4368 wrote to memory of 1640	4368	alex1234.exe	RegAsm.exe
PID 4368 wrote to memory of 1640	4368	alex1234.exe	RegAsm.exe
PID 4368 wrote to memory of 1640	4368	alex1234.exe	RegAsm.exe
PID 4368 wrote to memory of 1640	4368	alex1234.exe	RegAsm.exe
PID 4368 wrote to memory of 1640	4368	alex1234.exe	RegAsm.exe
PID 1640 wrote to memory of 2060	1640	RegAsm.exe	propro.exe
PID 1640 wrote to memory of 2060	1640	RegAsm.exe	propro.exe
PID 1640 wrote to memory of 2060	1640	RegAsm.exe	propro.exe
PID 1640 wrote to memory of 2160	1640	RegAsm.exe	Traffic.exe
PID 1640 wrote to memory of 2160	1640	RegAsm.exe	Traffic.exe
PID 3360 wrote to memory of 1216	3360	explorgu.exe	ulg.1.exe
PID 3360 wrote to memory of 1216	3360	explorgu.exe	ulg.1.exe
PID 3360 wrote to memory of 1216	3360	explorgu.exe	ulg.1.exe
PID 3360 wrote to memory of 572	3360	explorgu.exe	lummalg.exe
PID 3360 wrote to memory of 572	3360	explorgu.exe	lummalg.exe

C:\Users\Admin\AppData\Local\Temp\fcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exe
"C:\Users\Admin\AppData\Local\Temp\fcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3712

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe
  "C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4116
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1188
      4⤵
      Program crash
      PID:416
- C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe
  "C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:4996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\181651180316_Desktop.zip' -CompressionLevel Optimal
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4884
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:948
- C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe
  "C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
    "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3468
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
      4⤵
      PID:1092
    - - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
        5⤵
        
        PID:4268
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:3332
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\181651180316_Desktop.zip' -CompressionLevel Optimal
        6⤵
        
        PID:4244
  - - C:\Users\Admin\AppData\Local\Temp\1000022001\cd0017ac96.exe
      "C:\Users\Admin\AppData\Local\Temp\1000022001\cd0017ac96.exe"
      4⤵
      PID:5016
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
      4⤵
      PID:944
  - - C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
      "C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"
      4⤵
      PID:5584
  - - C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe
      "C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"
      4⤵
      PID:1136
- C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe
  "C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe
  "C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:2060
  - - C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
      "C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
      4⤵
      PID:964
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2528
- C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe
  "C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  PID:1216
- C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe
  "C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3924
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1172
      4⤵
      Program crash
      PID:3388
- C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe
  "C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe"
  2⤵
  PID:2484
- C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exe
  "C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exe"
  2⤵
  PID:2112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/2KG035
    3⤵
    PID:5640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd64933cb8,0x7ffd64933cc8,0x7ffd64933cd8
      4⤵
      PID:5652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,409359937022346399,2096209334526781797,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1788 /prefetch:2
      4⤵
      PID:3036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,409359937022346399,2096209334526781797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
      4⤵
      PID:2804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,409359937022346399,2096209334526781797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
      4⤵
      PID:2740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,409359937022346399,2096209334526781797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
      4⤵
      PID:5608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,409359937022346399,2096209334526781797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      4⤵
      PID:5724
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,409359937022346399,2096209334526781797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
      4⤵
      PID:5788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,409359937022346399,2096209334526781797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
      4⤵
      PID:6900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,409359937022346399,2096209334526781797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
      4⤵
      PID:3776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,409359937022346399,2096209334526781797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
      4⤵
      PID:5196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,409359937022346399,2096209334526781797,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
      4⤵
      PID:7284
- C:\Users\Admin\AppData\Local\Temp\1001029001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1001029001\file300un.exe"
  2⤵
  PID:1488
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    PID:3100
- - C:\Windows\system32\cmd.exe
    "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"' & exit
    3⤵
    PID:3800
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\.BLRVzdv\svchost.exe"'
      4⤵
      Creates scheduled task(s)
      PID:3424
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    PID:3096
  - - C:\Users\Admin\Pictures\ZEuEybcg2ss6PyICBYpyxSyh.exe
      "C:\Users\Admin\Pictures\ZEuEybcg2ss6PyICBYpyxSyh.exe"
      4⤵
      PID:5084
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 2228
        5⤵
        Program crash
        
        PID:5956
  - - C:\Users\Admin\Pictures\XUrJQjxPGS7iQR2rSUDDsCpz.exe
      "C:\Users\Admin\Pictures\XUrJQjxPGS7iQR2rSUDDsCpz.exe"
      4⤵
      PID:4244
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1756
    - - C:\Users\Admin\Pictures\XUrJQjxPGS7iQR2rSUDDsCpz.exe
        
        "C:\Users\Admin\Pictures\XUrJQjxPGS7iQR2rSUDDsCpz.exe"
        5⤵
        
        PID:5516
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:7124
  - - C:\Users\Admin\Pictures\eWn5KSeRqPxD8GoAbF5ZQSsb.exe
      "C:\Users\Admin\Pictures\eWn5KSeRqPxD8GoAbF5ZQSsb.exe"
      4⤵
      PID:4976
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2020
    - - C:\Users\Admin\Pictures\eWn5KSeRqPxD8GoAbF5ZQSsb.exe
        
        "C:\Users\Admin\Pictures\eWn5KSeRqPxD8GoAbF5ZQSsb.exe"
        5⤵
        
        PID:6500
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:5464
  - - C:\Users\Admin\Pictures\5iBjb9QgBK1OAsVIYWu306Rp.exe
      "C:\Users\Admin\Pictures\5iBjb9QgBK1OAsVIYWu306Rp.exe"
      4⤵
      PID:772
    - - C:\Users\Admin\AppData\Local\Temp\ulg.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ulg.0.exe"
        5⤵
        
        PID:4156
    - - C:\Users\Admin\AppData\Local\Temp\ulg.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ulg.1.exe"
        5⤵
        
        PID:1216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        Creates scheduled task(s)
        
        PID:6432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 1536
        5⤵
        Program crash
        
        PID:3636
  - - C:\Users\Admin\Pictures\mF7iuWyfG6X1rQH2D1hmHRnv.exe
      "C:\Users\Admin\Pictures\mF7iuWyfG6X1rQH2D1hmHRnv.exe"
      4⤵
      PID:1792
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2656
    - - C:\Users\Admin\Pictures\mF7iuWyfG6X1rQH2D1hmHRnv.exe
        
        "C:\Users\Admin\Pictures\mF7iuWyfG6X1rQH2D1hmHRnv.exe"
        5⤵
        
        PID:6844
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6056
  - - C:\Users\Admin\Pictures\mnFh5i9cExjM3LNFKQ71QvwX.exe
      "C:\Users\Admin\Pictures\mnFh5i9cExjM3LNFKQ71QvwX.exe"
      4⤵
      PID:1752
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:1008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 540
        6⤵
        Program crash
        
        PID:4748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 572
        6⤵
        Program crash
        
        PID:1924
  - - C:\Users\Admin\Pictures\1DolXbxEuummbXnr2feutlpx.exe
      "C:\Users\Admin\Pictures\1DolXbxEuummbXnr2feutlpx.exe"
      4⤵
      PID:2196
    - - C:\Users\Admin\AppData\Local\Temp\u1p0.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1p0.0.exe"
        5⤵
        
        PID:1040
    - - C:\Users\Admin\AppData\Local\Temp\u1p0.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u1p0.1.exe"
        5⤵
        
        PID:964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        Creates scheduled task(s)
        
        PID:5244
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2196 -s 976
        5⤵
        Program crash
        
        PID:1432
  - - C:\Users\Admin\Pictures\BF0AhKA3LnyQBatouRRaLLQf.exe
      "C:\Users\Admin\Pictures\BF0AhKA3LnyQBatouRRaLLQf.exe"
      4⤵
      PID:2284
    - - C:\Users\Admin\AppData\Local\Temp\7zS12C3.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:1616
      - C:\Users\Admin\AppData\Local\Temp\7zS19B8.tmp\Install.exe
        
        .\Install.exe /gDgGCdidUcr "385118" /S
        6⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:4892
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:1916
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:6644
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:3644
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gpbwyrSss" /SC once /ST 15:34:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:6996
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gpbwyrSss"
        7⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gpbwyrSss"
        7⤵
        
        PID:5180
  - - C:\Users\Admin\Pictures\iEjbEt5ED3efCQ6aucbrpNhG.exe
      "C:\Users\Admin\Pictures\iEjbEt5ED3efCQ6aucbrpNhG.exe" --silent --allusers=0
      4⤵
      PID:5976
    - - C:\Users\Admin\Pictures\iEjbEt5ED3efCQ6aucbrpNhG.exe
        
        C:\Users\Admin\Pictures\iEjbEt5ED3efCQ6aucbrpNhG.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x2f0,0x314,0x318,0x2c4,0x31c,0x6f3321f8,0x6f332204,0x6f332210
        5⤵
        
        PID:5800
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\iEjbEt5ED3efCQ6aucbrpNhG.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\iEjbEt5ED3efCQ6aucbrpNhG.exe" --version
        5⤵
        
        PID:5948
    - - C:\Users\Admin\Pictures\iEjbEt5ED3efCQ6aucbrpNhG.exe
        
        "C:\Users\Admin\Pictures\iEjbEt5ED3efCQ6aucbrpNhG.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5976 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240324190508" --session-guid=29d9da53-049d-46a5-b843-a66612df808a --server-tracking-blob=M2YyMTQwNTlhODFjZTEwODc2OTVkZmJkNTIyMjcwNjkzOTA3MjhjZDZhMzliNTI4OTczZDQ3NjNlNzYxZjdhNjp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxMTMwNzA5NC43MzkxIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI3NWE4NDE0Zi0xYzIyLTQ4ZjAtOGFlOS1jZDE2OTE3NTQ5OGYifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3405000000000000
        5⤵
        
        PID:780
      - C:\Users\Admin\Pictures\iEjbEt5ED3efCQ6aucbrpNhG.exe
        
        C:\Users\Admin\Pictures\iEjbEt5ED3efCQ6aucbrpNhG.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x308,0x30c,0x310,0x2e0,0x31c,0x6e7e21f8,0x6e7e2204,0x6e7e2210
        6⤵
        
        PID:6024
- C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe
  "C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe"
  2⤵
  PID:1172
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN boom8.exe /TR "C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3860
- - C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe
    "C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe"
    3⤵
    PID:2348
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe
      "C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe"
      4⤵
      PID:4968
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:7628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1928 -ip 1928
1⤵
PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3924 -ip 3924
1⤵
PID:1180

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:3116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1008 -ip 1008
1⤵
PID:1092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1008 -ip 1008
1⤵
PID:2324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2196 -ip 2196
1⤵
PID:4080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 772 -ip 772
1⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
1⤵
PID:4948
- C:\Users\Admin\AppData\Local\Temp\1000053001\amadka.exe
  "C:\Users\Admin\AppData\Local\Temp\1000053001\amadka.exe"
  2⤵
  PID:5896
- C:\Users\Admin\AppData\Local\Temp\1000063001\lummalg.exe
  "C:\Users\Admin\AppData\Local\Temp\1000063001\lummalg.exe"
  2⤵
  PID:3636
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 1136
      4⤵
      Program crash
      PID:6260
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 1136
      4⤵
      Program crash
      PID:6724
- C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe
  "C:\Users\Admin\AppData\Local\Temp\1000082001\boom8.exe"
  2⤵
  PID:5360
- C:\Users\Admin\AppData\Local\Temp\1000085001\file300un.exe
  "C:\Users\Admin\AppData\Local\Temp\1000085001\file300un.exe"
  2⤵
  PID:5628
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    PID:6012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:6048
  - - C:\Users\Admin\Pictures\uX3CcSEubffJgrtRxcxdhR6Q.exe
      "C:\Users\Admin\Pictures\uX3CcSEubffJgrtRxcxdhR6Q.exe"
      4⤵
      PID:6292
    - - C:\Users\Admin\AppData\Local\Temp\u4us.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4us.0.exe"
        5⤵
        
        PID:6260
    - - C:\Users\Admin\AppData\Local\Temp\u4us.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u4us.1.exe"
        5⤵
        
        PID:196
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6292 -s 1520
        5⤵
        Program crash
        
        PID:7552
  - - C:\Users\Admin\Pictures\5nW3cRM2BWHMQffIq4WmeeHz.exe
      "C:\Users\Admin\Pictures\5nW3cRM2BWHMQffIq4WmeeHz.exe"
      4⤵
      PID:6440
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6440 -s 2232
        5⤵
        Program crash
        
        PID:4372
  - - C:\Users\Admin\Pictures\oOeiI9eHGUlmqK7bDDqwBJg6.exe
      "C:\Users\Admin\Pictures\oOeiI9eHGUlmqK7bDDqwBJg6.exe"
      4⤵
      PID:6732
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:1792
  - - C:\Users\Admin\Pictures\t9yucSnmAeBASMSdHrd2FAIm.exe
      "C:\Users\Admin\Pictures\t9yucSnmAeBASMSdHrd2FAIm.exe"
      4⤵
      PID:6868
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:6824
  - - C:\Users\Admin\Pictures\oD71rDSGmeKjsqCZ7LPGnk1X.exe
      "C:\Users\Admin\Pictures\oD71rDSGmeKjsqCZ7LPGnk1X.exe"
      4⤵
      PID:7112
    - - C:\Users\Admin\AppData\Local\Temp\u5hk.0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u5hk.0.exe"
        5⤵
        
        PID:2600
    - - C:\Users\Admin\AppData\Local\Temp\u5hk.1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\u5hk.1.exe"
        5⤵
        
        PID:620
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7112 -s 1228
        5⤵
        Program crash
        
        PID:7416
  - - C:\Users\Admin\Pictures\IbMpuyAtapBCr3xSwhCjAVQP.exe
      "C:\Users\Admin\Pictures\IbMpuyAtapBCr3xSwhCjAVQP.exe" --silent --allusers=0
      4⤵
      PID:4620
    - - C:\Users\Admin\Pictures\IbMpuyAtapBCr3xSwhCjAVQP.exe
        
        C:\Users\Admin\Pictures\IbMpuyAtapBCr3xSwhCjAVQP.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.40 --initial-client-data=0x310,0x314,0x318,0x2ec,0x31c,0x6d6c21f8,0x6d6c2204,0x6d6c2210
        5⤵
        
        PID:6532
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\IbMpuyAtapBCr3xSwhCjAVQP.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\IbMpuyAtapBCr3xSwhCjAVQP.exe" --version
        5⤵
        
        PID:4812
  - - C:\Users\Admin\Pictures\NoAkFZm9Z4RzFQGIxKT3YzGe.exe
      "C:\Users\Admin\Pictures\NoAkFZm9Z4RzFQGIxKT3YzGe.exe"
      4⤵
      PID:2656
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:1308
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:996
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 504
        6⤵
        Program crash
        
        PID:2348
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 512
        6⤵
        Program crash
        
        PID:7840
  - - C:\Users\Admin\Pictures\djiputqPYWYqW4W5Y4gKB2TK.exe
      "C:\Users\Admin\Pictures\djiputqPYWYqW4W5Y4gKB2TK.exe"
      4⤵
      PID:3416
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:7720
  - - C:\Users\Admin\Pictures\PsUHcOZ5E1RZclhUJsJlaSOA.exe
      "C:\Users\Admin\Pictures\PsUHcOZ5E1RZclhUJsJlaSOA.exe"
      4⤵
      PID:6052
  - - C:\Users\Admin\Pictures\kInLBgccCSjvNwzH20SmyKK7.exe
      "C:\Users\Admin\Pictures\kInLBgccCSjvNwzH20SmyKK7.exe"
      4⤵
      PID:6840
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
  2⤵
  PID:4928
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
    3⤵
    PID:6276
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:6448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\181651180316_Desktop.zip' -CompressionLevel Optimal
      4⤵
      PID:6308
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
  2⤵
  PID:6876

C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe
1⤵
PID:5140

C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe
C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe
1⤵
PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5084 -ip 5084
1⤵
PID:5792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6004

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\192B.dll
1⤵
PID:6060
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\192B.dll
  2⤵
  PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5732 -ip 5732
1⤵
PID:6052

C:\Users\Admin\AppData\Local\Temp\2DDD.exe
C:\Users\Admin\AppData\Local\Temp\2DDD.exe
1⤵
PID:6520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 1152
  2⤵
  - Program crash
  PID:1316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 1208
  2⤵
  - Program crash
  PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5732 -ip 5732
1⤵
PID:6584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5732 -ip 5732
1⤵
PID:7088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6520 -ip 6520
1⤵
PID:6560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 6440 -ip 6440
1⤵
PID:6728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 6520 -ip 6520
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 996 -ip 996
1⤵
PID:660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 7112 -ip 7112
1⤵
PID:7004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6292 -ip 6292
1⤵
PID:7232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 996 -ip 996
1⤵
PID:7540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ae626d9a72417b14570daa8fcd5d34a4

SHA1
c103ebaf4d760df722d620df87e6f07c0486439f

SHA256
52cc3f3028fab0d347a4a3fffef570b42f85748176d81a3344996d42fd1de32a

SHA512
a0690bda318bdf43d6f292f88d4ea2ebeec83b95e9ebca80083dbb08e7ddcdb9735cc58b89d369a34f10acf8a114d4a207ed8d0f070c5baf87c5798e9f35bc14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NoAkFZm9Z4RzFQGIxKT3YzGe.exe.log

Filesize
425B

MD5
bb27934be8860266d478c13f2d65f45e

SHA1
a69a0e171864dcac9ade1b04fc0313e6b4024ccb

SHA256
85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4

SHA512
87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Filesize
2KB

MD5
094ffdd6649bc24462f2950eb091abe4

SHA1
76a4e6d53272277c27219d96c6b63591384b02d5

SHA256
070193aa8a6e686ffeb508f561f18be89982ae38db6f090c016004e8d242baaa

SHA512
36c0fc55613904b992ed6e80b4dafa06ed96dc24bfb4c29164d1d85d11087c50143e8bc0a9ff4bedfd08e502635cbf24955fbec9b11532591e28be33cb690514

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0e10a8550dceecf34b33a98b85d5fa0b

SHA1
357ed761cbff74e7f3f75cd15074b4f7f3bcdce0

SHA256
5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61

SHA512
fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3b1e59e67b947d63336fe9c8a1a5cebc

SHA1
5dc7146555c05d8eb1c9680b1b5c98537dd19b91

SHA256
7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263

SHA512
2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c45a0683898477b17dc1fa24465c7dfc

SHA1
d7a4618437aace7ced18f5f79291ebfc0ecca864

SHA256
e316ec213bd0fb67170d7e93e4966c313216dcfca262f9c8dbebb1856afec7c3

SHA512
742b5ed4a78e51c344bacc7ea03d2595ceb4229fe89a3f81eec2921f7877c4c017460fd58b1c36fd52356e159a0f4542815bb8a2dba46cadf5e0baeb521e05bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
685ef49e4cc1a63a19486aa9e6830b1e

SHA1
7b90812667c44ea420e6302406c7842e3ca08e6a

SHA256
431e7bf3c71eb9263811c38bb6bd064822e8cac02c00059c71b8992df2282882

SHA512
044c1ec95bc4ef5ca1fd7c006ed96596f9ee38a07f160ea2d6110267b858f5eb77f72b8d94c09ae0df7c12f151e549cf22ce1d8b420a3e55503bc73cc9b9d7f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51cc7070636ab9ee9aa6968551246372

SHA1
8dcdd38e594af18210f3822c33e5370ee7d79047

SHA256
f5a6bcb0a51ccef0719301013c3211bd673158854f8e09073aad674a33b2db83

SHA512
514d1cd3dd87d911049b299212afb65f73a7886ca0ff7624657ec299001143253f8c619280f41cc14f27697c12065ce8331571709295bd1e8135b62b73336271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe596400.TMP

Filesize
707B

MD5
691704829cca2ae77edefb2e31aa8701

SHA1
edcb960f328b09f163261330e2c676b2924eb70a

SHA256
fffb8120c27c202b880d5e3c4ab9a100b674ea56825be2b5141d707477e4146c

SHA512
a617bd2211c9216e1a088bd2e0f123c53c45d8f545fbe96acd1858ac237844d3a87e82bae6ddb2ab95a9962a52367f20d9731a99dcf46faa0bf1d84cb92137b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
694b509ea103c3feba53850e3ab9c885

SHA1
aa5642db128e9b4285df714ad4a5ce01171cbee6

SHA256
4772b3b5b2f3bcb4c7a6bd4015cbe3f9dee274baea371273388beb2ce243a424

SHA512
cf288fadcb500a91e00236c66ae684ad5f21f0915fccc309e22ce872f774ef703b61b69dd0096449aa405c3114b3c3668f8fefa8e6168df235afefda2ed0d960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0d0a491debdaef78b8d5662c9baa209d

SHA1
6aafccf0d3ec78adffd63419be80ecca1c504f79

SHA256
5699d20559e534de556496e6411b71394639777508c309354cc4754af1cb6840

SHA512
3a321d4149a878efc518cb4dab63427b4c3b963f7ae07653e2dfbfd9a01b25f9b9876098a093b4db69bdd4e2de6203ff7a1ac8afe298d9f764fb79729861e796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8f8f835b09fafdbc96385349fc78b899

SHA1
24b82251a2ec38dea5450c30a439c3108dabac3f

SHA256
146275ebe7c5452ef1c8b4110d674e119ba8fcd15ac2b17c6095b0a13e333fd0

SHA512
fffcca9f8e1beafd3ddeb4b196c96e8c31071586c440abd4746d155e2d58151b1bd6bcd26fd629549e49d51288ee8aecb98823de98482bef5e65fde1dd345750

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202403241905081\opera_package

Filesize
704KB

MD5
e67af704ce4a1ddc797bf172bdb2f1ac

SHA1
da04e120c5ea456c8ccb335007648134f96704cb

SHA256
55b599da10428501cf14f7b76404d390bc137207b651fbdd9fd9b2ce7a68f3b0

SHA512
2d89e63abb6b533e91948777524bb342cbf5bb00e3e313fae98098b8d59c1a5f8e4bd56c770fe9a2c506d644e66430831641e81961469632a3a916b96e979fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

Filesize
1.9MB

MD5
15085bc8a44c0bceaaa6d67e55202baf

SHA1
7c0d973ca1e226333885d1d0f8e4400d0d5e9148

SHA256
fcbc7c287b7d172e104e50be240ee3239a0b3bfd25026ab26698e6eb8987f6d3

SHA512
987cf8fde4b0b39fb5fa9498b4319ba3b98ccf8d5a7163654ed49bb8e19749a1eae9aded496a69c9ffe67a19a889751734fda09718b6f3b808081a2f113791fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000022001\cd0017ac96.exe

Filesize
2.9MB

MD5
adc23d9f102f6d68ef65f4edaac8f39e

SHA1
4e6bb5c5e0f6f0c7514f76c6e984a5d82ec3791c

SHA256
c058cc60ecd08ac3f18c7a76c3891c4f2fb5512a7590f51ae44aae0ec57492a7

SHA512
5ca81db8874b8fc0198e28e9e72741bea8379996d206004cdb422a53eb1898cd1597cd676f1605177c0395de82b9eb4e0c98cc993c37c1152701924ab4254a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000022001\cd0017ac96.exe

Filesize
2.6MB

MD5
46e1de7934d5c45da9243dca64aa0752

SHA1
0e57acef3dea4320cb089e5d49426364107b6e1c

SHA256
167023e16d9679a3913b5ac3aefc522fd69a5997672bb97d7142dd85cb92592d

SHA512
5a12ee9ecfc9cca684c66f944595364f925f388d8a5298018e370eb3f627f481a8c0c99e11ee5e56e7ad78302882b8912d1b55ca274db4a262853d1bc5cba641

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000022001\cd0017ac96.exe

Filesize
2.7MB

MD5
d4f8217e3c4a06cd0e59600ade1d8cb4

SHA1
5f0efe83b09f268ce7d02ac1ab58329659bddd4b

SHA256
49e588b7ef9aa2339058c3d1fe16787e2e264040597d92c7d99657b7c28af614

SHA512
5c6f358cf3d2615720912d1102cbb173a24a6290be28e00ba7c4a24b1cf7e55cc50a405d09152d5c3f46bd1750e01e6646bb1aae290fa37eb30abcb1b9d4d50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
1.1MB

MD5
c1a4e85597e5188898be5c4256a65ffd

SHA1
538a0be6a8c71b07dfb925ac98a362e816c36f7f

SHA256
b27a1787fc7838f89e44252a9405733e9e311723e7d67edbaeb400fd1d113f59

SHA512
1f355ba219a89adfcb468909624f5811c48dd9ffe1ab81474c572760eb4d02c3f61e1beb56121d9321331ab8c01d526ddad23c0365495f6f46b70eeea065de5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000174001\4767d2e713f2021e8fe856e3ea638b58.exe

Filesize
1.1MB

MD5
06813d56bcceb7b2f3a1f41f7590d2e7

SHA1
9c1fb5ddb66c7ccdadacac999d1a2a9e19f04d31

SHA256
aace3178638820a0e3809140eee3350fbf148427647ae08c91c24c60bc51e9e6

SHA512
9954fd711f6dc77a63cf20b1e3c65114fff8865e49944be906f8295d05ba7d170628a2dd7a4ba23ff5b17ece28b1cb0f1e5711e901e5f7fbe85939f8ee90ceb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000836001\osminog.exe

Filesize
534KB

MD5
a3f8b60a08da0f600cfce3bb600d5cb3

SHA1
b00d7721767b717b3337b5c6dade4ebf2d56345e

SHA256
0c608a9b1e70bf8b51a681a8390c8e4743501c45b84cf4d59727aba2fc33cadb

SHA512
14f63e415133ca438d3c217d5fb3ecf0ad76e19969c54d356f46282230230f1b254fbfc8ae5f78809dc189a9648be2dc1398927b3f089c525cd1105a3843f60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000837001\goldprimeldlldf.exe

Filesize
464KB

MD5
c084d6f6ba40534fbfc5a64b21ef99ab

SHA1
0b4a17da83c0a8abbc8fab321931d5447b32b720

SHA256
afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624

SHA512
a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000873001\random333.exe

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000875001\amadka.exe

Filesize
1.8MB

MD5
4568f01beecde7da90031897af161569

SHA1
0760f3477bea16b74b9821f0b788efccd0b3cfd9

SHA256
dc8512cd663a08a4228e570e2f1020498caf2bca7dfa0d88359d6706103ad33f

SHA512
67f8eb8e1dcae4635b3655a107821c37c659a361adaf378c9b8784dfe0c3bece92696ee6020296a1f33237b9ed6bc8acf39274b8ef59675f6680a5e6e8e71d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000979001\TeamFour.exe

Filesize
541KB

MD5
3b069f3dd741e4360f26cb27cb10320a

SHA1
6a9503aaf1e297f2696482ddf1bd4605a8710101

SHA256
f63bdc068c453e7e22740681a0c280d02745807b1695ce86e5067069beca533e

SHA512
bda58c074f7bd5171d7e3188a48cbdc457607ff06045e64a9e8e33fcb6f66f941d75a7bf57eb0ef262491622b4a9936342384237fa61c1add3365d5006c6d0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000985001\alex1234.exe

Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000986001\987123.exe

Filesize
315KB

MD5
5fe67781ffe47ec36f91991abf707432

SHA1
137e6d50387a837bf929b0da70ab6b1512e95466

SHA256
a8f1ae296787ddc24e0e7a241d0bc5829631c98a5eb186a8cfd5795c6d287db9

SHA512
0e32d9a72b562d4c4a8c4edbd3d0ece54b67ee87c8ac382c6508c62b04b11a2dcd1fba23c3a78004fcd0c2b623dc854fd2fd82eb372dc7becdcbdd7ec7fe1b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001008001\lummalg.exe

Filesize
350KB

MD5
04df085b57814d1a1accead4e153909e

SHA1
6d277da314ef185ba9072a9b677b599b1f46c35b

SHA256
91a36d137ebfa812b055728807e11338d15d3a5d869cb4babdf779266688e4dd

SHA512
f37678424e46e4f28e1047161db60ad737515558c8c8905ed598ca96b198304da7356e49e7bb9d1e77fe75372f0b5a7f670a353d093749c37bb85c40ec7fdafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001022001\chckik.exe

Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001025001\mk.exe

Filesize
297KB

MD5
cc1e287519f78a28dab6bde8e1093829

SHA1
9262753386caa4054aa845d918364e964e5505aa

SHA256
dbcb61ce94c4d2d216de2b503937a2a964b984577f2d7730b7c6428b2b5e8db2

SHA512
527b6d905e2ca829369563baa7be9eaf4050ef9bbf438ccc98b9b821e76977aaebbda8471da8b81c0542395c5fc316b19d7034155f278640d0765bfc55dc1f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001029001\file300un.exe

Filesize
4.1MB

MD5
c59b5442a81703579cded755bddcc63e

SHA1
c3e36a8ed0952db30676d5cf77b3671238c19272

SHA256
cac7fc4ae9c97eba7455992b2d41449ee257ec485c562bfc7245a90033b1d774

SHA512
c9c834860982652e7ec1db085e534f6b1c35298ce75b29c2cbb0ac04ff40cd64363b458bcbd8c0983cf1ed778a4269372c6bc4ce7f831a6e1e70ee5f4a0772f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1001030001\boom8.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2403241905075535948.dll

Filesize
960KB

MD5
006f286d8e61a37ca2caa2e671591aed

SHA1
627dc45c99061571cf7ee93d416adc547f549032

SHA256
13d6408bc09c0a1166507becbe070463c03adc729a25db0aadef0378e48c26db

SHA512
601be310e3b10a32ac5ad194b01d4367c4320ac6c20cc1e1ed6f256ecbb98fae12e57f25c5ec6519f0a1cf276a752eb492e7479e71fa9fd848c9cca27d2ae1dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp98D0.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ozynqnpq.1j5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1p0.1.exe

Filesize
1.7MB

MD5
eee5ddcffbed16222cac0a1b4e2e466e

SHA1
28b40c88b8ea50b0782e2bcbb4cc0f411035f3d5

SHA256
2a40e5dccc7526c4982334941c90f95374460e2a816e84e724e98c4d52ae8c54

SHA512
8f88901f3ebd425818db09f268df19ccf8a755603f04e9481bcf02b112a84393f8a900ead77f8f971bfa33fd9fa5636b7494aaee864a0fb04e3273911a4216dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ulg.0.exe

Filesize
291KB

MD5
bca9f45d45410be3485717c7eb4320e4

SHA1
41d6a52b47d5251176d78e39eea0915186bfc49e

SHA256
1a55c2c2e090256a83f5913fc1548a35fba33d5e6d411bd2486e52217acdb113

SHA512
3d95a4789eacb46b079d8c12fc330bb10619d01d27b851206a08247fab3b6d1c768914baf2675abe0348cd616cfbf9d2028d855015fc260d70749c72934563f8

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
808KB

MD5
ee9eaabe446770d1518182565ef034bd

SHA1
bd9669c6a969f785540e0692b33950156e496a74

SHA256
125883f456664784117922953dd5f8a74078e56f63ae7a96d9fb81949876b512

SHA512
8959f53842c463cf914f3b5be0c1f402286cc7d545773c186a8fbce2273537ddac44e82d013f6f907e4dd9e4791be1c9113d40394751470e12029b34998ec78a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
622KB

MD5
f2e5552184d26d14b4c9cd7ef3ddb7a5

SHA1
310b89725808d854bc9f2e481c17086df9bbf9b2

SHA256
1e7887715984d47bc88e1e5fc8fdd1b7e8d71703b18f41dbab5056a67063c5bd

SHA512
113a8ea926f8eab34b1040d8bc30a475ba3540b357905a658394ef0e8f591b2b608ca3d4b20517fe7dcf5ffcd9c2df660a0dea0fe328a60d409aaf1f1eb964ce

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
587KB

MD5
7277edc58540ce06b841f22f5c6dda2b

SHA1
ac569a4fe5da677ce27b911f4c1e57f7c4a18017

SHA256
07a995881f36d826dac552dcd80cd1868d0d4984b4de769816708c216d898d17

SHA512
d70704a3ef57ef41647b4564a346fced3583ffe7ed1e5f81086e118b9d4ddb48dfdb215056a7ed78039e417d8f548e39b20f3d2c9771305f0a7aea21f0b9cc64

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

Filesize
109KB

MD5
726cd06231883a159ec1ce28dd538699

SHA1
404897e6a133d255ad5a9c26ac6414d7134285a2

SHA256
12fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46

SHA512
9ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

Filesize
1.2MB

MD5
15a42d3e4579da615a384c717ab2109b

SHA1
22aeedeb2307b1370cdab70d6a6b6d2c13ad2301

SHA256
3c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103

SHA512
1eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

Filesize
109KB

MD5
154c3f1334dd435f562672f2664fea6b

SHA1
51dd25e2ba98b8546de163b8f26e2972a90c2c79

SHA256
5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f

SHA512
1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

Download Submit
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

Filesize
1.2MB

MD5
f35b671fda2603ec30ace10946f11a90

SHA1
059ad6b06559d4db581b1879e709f32f80850872

SHA256
83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7

SHA512
b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Pictures\1DolXbxEuummbXnr2feutlpx.exe

Filesize
436KB

MD5
23c80cf3c864384f8cc01cb46188531a

SHA1
adee1474c797b1ca5654d8c0cef9182a9784a888

SHA256
51695af669927b81ff90f13ecd63423b8868042de06ec20969b0c9ce59b0229c

SHA512
805de8a09553b66f145525b853c53fad739314070e4ed1b23bd9ad53f5d3d74542ef47ae63d4cb29603e4c269a096c5eb95cf6ab1717783e8712256e8a281d9f

Download Submit
C:\Users\Admin\Pictures\3MLAebq0OIbWsMKI3lSU8cft.exe

Filesize
3KB

MD5
168d61832160320058aece500ac962c2

SHA1
c455304814cc5868750191c76c9190bdf6616174

SHA256
cfb1353d5cd25056297108af282eb15624571f8395b5727ac4a33a4dbcd45271

SHA512
45c3f30b63b0c421e5cf9f926a297659af333255072138a03e7513d8d8c1aa7b6e3543dbcaada6c2326b409621892241a29e1c500adf66e85941f79478737af0

Download Submit
C:\Users\Admin\Pictures\5iBjb9QgBK1OAsVIYWu306Rp.exe

Filesize
436KB

MD5
5b3ec438cbce7c8dfad05aec92b7821c

SHA1
5ffad2442079c7ccf601c1419d86b35a37bd1b6e

SHA256
31dd0ddd1d4e95fe971f1ad96e943c0c1904831923fd586a75c1de4dc72710e6

SHA512
52e6b67dee87553417766e850b6805f83e46a37c0f72849206d16a14dd24766a3ed90be1da19332125e67d33af8aa35981bc6780048d2fb13d3efcdd783cdc74

Download Submit
C:\Users\Admin\Pictures\BF0AhKA3LnyQBatouRRaLLQf.exe

Filesize
2.2MB

MD5
c1f2294e4032ebd312a3d39ea1831734

SHA1
ccb1043f0f9e5010e15fa2e57da45374a7364530

SHA256
71d1716eb72b416fc00b68779525636bb115b5936cef4acb8806a88c49975671

SHA512
6a9cb0c9fd5f0f9c04871f2631caf91b45b715febbba54177fc7dc5d6dca9ec3bd737685fff07151b37e14238d99664b6746b302537aaaccd554a3323c4d4c32

Download Submit
C:\Users\Admin\Pictures\IbMpuyAtapBCr3xSwhCjAVQP.exe

Filesize
1.2MB

MD5
9a259f995c5d987231a9c74b0d4f3c0e

SHA1
d8af0113c8feaba505ede261e5c94f1816cf309e

SHA256
11e84cbd49ea5a149ceb8aa9b76a9822b0d528e2abaf61710cac1464595b93e5

SHA512
5d0d1ed8b82661b4e7850e2c50698e57bda9d85999cdaa524695cca4e490be877764a7333288444540402b8907e39b0d64f4ca63d2d37252e277ec456a98ab1c

Download Submit
C:\Users\Admin\Pictures\PsUHcOZ5E1RZclhUJsJlaSOA.exe

Filesize
3.7MB

MD5
fc0a7582b4673a01fe7580555fc631cb

SHA1
2f30727af1dae9c93b98ba6908f8919a92c8a498

SHA256
0cc6d0d3b0dd7f4dd6e94cc072638f2a7ae133a12987a6984ea5d229694f7f74

SHA512
def5e71ed6e49b6ea60cdbdc373b9855f420deece8a8c98eb7cb9a27d5b28551d55efd3b1b44b289fdf6c486fe542eff968f31f7684319cab4f7a471abb362d8

Download Submit
C:\Users\Admin\Pictures\XUrJQjxPGS7iQR2rSUDDsCpz.exe

Filesize
1.7MB

MD5
3e82b6a60bfa152cde614d8a46cbd2f9

SHA1
aa5c76c66eacf174eb6e5af9d3bbd0361d7524ab

SHA256
df12acb233adea8eb1b4291eb00f6ef0a2482a1440d28836845bb1ef820495e2

SHA512
bafe9291abdcd3d1ce87af130a4050c39f68ef3bde9503d5ffa3b98401bd7f83a24bc0398d8820a762e43560728e31f0d30df838d6242c9547b878e356c40ea8

Download Submit
C:\Users\Admin\Pictures\XUrJQjxPGS7iQR2rSUDDsCpz.exe

Filesize
1.5MB

MD5
5967c334b44a0c273745327eb22a6501

SHA1
96b9a3b3ff68fd2bf1202d505e3ad0a1023d11dd

SHA256
2bfaa73546bd1c3db2253e5e895ed81ccfe1dcc8d136c9a08cb9d7e84d856b02

SHA512
f1c36ed635a687409e3327e1dff89299a9e6a2d059c78b435a4e234f7db7e9af150af7ae83faf8f11092fd2566df04330974910f21f7c791194067c062239e56

Download Submit
C:\Users\Admin\Pictures\XUrJQjxPGS7iQR2rSUDDsCpz.exe

Filesize
1.6MB

MD5
cbef4ff675dd8cd48f21027b6d3ef122

SHA1
e179120251ac5c358078620a18a366f11d9bfaaa

SHA256
3f5a2080549ee87c21d8d33895db6f190378afb6b83d8b9843391d22a05a4cd6

SHA512
1962f94a87ae1f2fc591ee6ead01bf6516fb3902497fd177fc239c232b39eb3784de6bbf2c171381e70f6eb7392611d035df05f6a0d73fd1a25b4eb51ce2db15

Download Submit
C:\Users\Admin\Pictures\ZEuEybcg2ss6PyICBYpyxSyh.exe

Filesize
314KB

MD5
167f83d78c1b85f0bda119d96abf2002

SHA1
66f8332c0686dd040cf521f04dd6662d9053977d

SHA256
d49a3b37978e3d683475b49ac4374f054a943bf674819b4e6a7d4ba6f52cf082

SHA512
1d5dbbb61ed3586348a37c076a93b4b2b3781dd3d3cace99378dab4433ea3f62dbaffd282570bb31fbb6f774b095aea96f149cd3cfc838542ed58c1577bbdc8d

Download Submit
C:\Users\Admin\Pictures\cUsfVRBo0yT2g7zFmF7ynklJ.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\dUfSq6jOIA1lLaDNKl0u2nh6.exe

Filesize
3KB

MD5
b3a55c7ec7e56a6145d684c4646df020

SHA1
7847bb5d2d0712da0aea2ee8172a8ffed26aa24c

SHA256
f8700fe76eb5f09b4ed326d5d336767e237770eca2fe5c2b34b744caa5dbc572

SHA512
fe77b2fbcf78a2085d53b619eb908b257d1d36f565dea3792286ff84358e66909ca8bc3b6b5e79f3c7627216e225bfc4b0f113fe2115a0ba4cd1e9b3e371503e

Download Submit
C:\Users\Admin\Pictures\eWn5KSeRqPxD8GoAbF5ZQSsb.exe

Filesize
1.6MB

MD5
0c20d9626cbfe06c23bd6693ae4a19eb

SHA1
4b1147f8f1d7fc0400d10c0259664afd64117141

SHA256
c60d985374ed9677186a76cb3467e3b09bdb6d35bdf8f465eeb6cf804ad60150

SHA512
49c157084bb922f27ffbbda232cffd24f04f606c098307e768fad83800131a22c65f2c7fa065fa45430ba364ad8a94590e03821f76091267513ab20286ad657a

Download Submit
C:\Users\Admin\Pictures\eWn5KSeRqPxD8GoAbF5ZQSsb.exe

Filesize
1.5MB

MD5
6c63d3556621b31ca3af243839d8307e

SHA1
12ef9d6e8324bf4b3d07e0af7b5d1b33f43c6ef0

SHA256
d4ed31ed16ffaddfd7f4716f8c4d819862f90d9857865ab9a984e1bf524395ad

SHA512
4c69cff04824fcdeddd9fa62a8d5c5f78974d8ec0daf5b50768e0cd6342d43abaad99a48d7b9b9b396fa1ee82c104cf1a8f27fb0fa58e56728fe1939171d89fb

Download Submit
C:\Users\Admin\Pictures\eWn5KSeRqPxD8GoAbF5ZQSsb.exe

Filesize
2.1MB

MD5
b9d1eae16299d5451b3736896790d1f4

SHA1
2f9e1328fccf8736a75fbc6d9ffbeb021bb0981c

SHA256
e725a56818c939914bc7eae538095a087b16f3f677cecea1ba1e697c2e9cf971

SHA512
3325d41ae2aed4c061475f303c0298bc3bbea9963d677796b7281344eee2ebccd223906ce19d6e901280532fb8e1acd0938d13e65bb5e541ae1f5d651aeb2f3f

Download Submit
C:\Users\Admin\Pictures\iEjbEt5ED3efCQ6aucbrpNhG.exe

Filesize
1.9MB

MD5
681df812dff252e39fce43fd4f006b7e

SHA1
5c67bd1a87a3a7b7c3e1de86a431c278ea22f82a

SHA256
ed18e5c4066672cc23b65ff49104cdc587cef59a90ac0449221bdae2f782d8b3

SHA512
7b3b4931013ab45e97fa233d75da4504889bb2225e05da742889c43057934d9fb296e29b9c14dbdfdeeb9331f64970727596145bf835b96a8bfd8f87fd24bec4

Download Submit
C:\Users\Admin\Pictures\mF7iuWyfG6X1rQH2D1hmHRnv.exe

Filesize
2.3MB

MD5
2ee092edaf21ead7a13c7c3995986f72

SHA1
082341435acf04e6c3ddaedf0c8b9a658f5c8da9

SHA256
42280a4f70a09167dd121b7d617ac2695ec00a2cbc2022e81eabb62aa1d5f07a

SHA512
a15975b1b615b42688c57bb1a4d68b61f9cb746e34a6e053950f14787c5fdc0206c3e5503c53533bed0aa52550c7a690a71a719441bc97f3137fd47205ce6152

Download Submit
C:\Users\Admin\Pictures\mF7iuWyfG6X1rQH2D1hmHRnv.exe

Filesize
3.5MB

MD5
29848a75e6cc5c6f467088af67a0323a

SHA1
22a3d44669f06e9fe5e49b5f2c22f8a8d477fc21

SHA256
5f73d43589748aeb707ce0e272ad0efc99e304857e4b003ff4e5c8f0be76efbd

SHA512
ee14f72080c6194b367a035ae49d9a5091ccf61766dc0a2235300f61d73d1114581499b0379cc58079c56a77e7346bdc9d90834ebede86b8cf13b450ae382d19

Download Submit
C:\Users\Admin\Pictures\mnFh5i9cExjM3LNFKQ71QvwX.exe

Filesize
522KB

MD5
b8616322186dcdf78032a74cf3497153

SHA1
bf1c1568d65422757cc88300df76a6740db6eab5

SHA256
43dda2be3813b81729b3d388f546838a36ee3471da5ed266fe958e2316f1f6ea

SHA512
7b1e4ad944960fc2aa661426f77e64ff151cd8d5860e584874da1c4f03c6d195d4ee9031c36c24a234a851176b003254d14f9334712e07babc6934cf19a7b2fb

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
306B

MD5
7534b5b74212cb95b819401235bd116c

SHA1
787ad181b22e161330aab804de4abffbfc0683b0

SHA256
b05c6723077813dc9b48a2f1142db37ea63c672931d13a74d320f7d006756a04

SHA512
ea268788dc59ab78c0aadd4db9bbcf95493bf4eb2b5ae3d592e6876596246832fc574e7bc1348ce7922b32dcedcf71876ff59fb8beace5c06891ec897c9dac51

Download Submit
memory/772-935-0x0000000000400000-0x0000000000B16000-memory.dmp

Filesize
7.1MB

Download
memory/1008-687-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1008-691-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1008-775-0x0000000003DA0000-0x00000000041A0000-memory.dmp

Filesize
4.0MB

Download
memory/1008-777-0x0000000003DA0000-0x00000000041A0000-memory.dmp

Filesize
4.0MB

Download
memory/1008-780-0x00007FFD744C0000-0x00007FFD746C9000-memory.dmp

Filesize
2.0MB

Download
memory/1008-788-0x0000000075C50000-0x0000000075EA2000-memory.dmp

Filesize
2.3MB

Download
memory/1216-440-0x0000000000400000-0x0000000002D4D000-memory.dmp

Filesize
41.3MB

Download
memory/1640-260-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/1792-951-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download
memory/1928-52-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1928-60-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1928-55-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1928-59-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/1928-123-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2196-948-0x0000000000400000-0x0000000000B16000-memory.dmp

Filesize
7.1MB

Download
memory/2460-223-0x0000000000430000-0x00000000008DB000-memory.dmp

Filesize
4.7MB

Download
memory/2460-177-0x0000000000430000-0x00000000008DB000-memory.dmp

Filesize
4.7MB

Download
memory/2460-182-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/2460-181-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/2460-180-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/3096-527-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3116-802-0x0000000075C50000-0x0000000075EA2000-memory.dmp

Filesize
2.3MB

Download
memory/3116-796-0x00007FFD744C0000-0x00007FFD746C9000-memory.dmp

Filesize
2.0MB

Download
memory/3116-795-0x0000000002A70000-0x0000000002E70000-memory.dmp

Filesize
4.0MB

Download
memory/3116-790-0x0000000000ED0000-0x0000000000ED9000-memory.dmp

Filesize
36KB

Download
memory/3316-438-0x0000000002BF0000-0x0000000002C06000-memory.dmp

Filesize
88KB

Download
memory/3360-21-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/3360-19-0x0000000000F00000-0x00000000013CE000-memory.dmp

Filesize
4.8MB

Download
memory/3360-950-0x0000000000F00000-0x00000000013CE000-memory.dmp

Filesize
4.8MB

Download
memory/3360-226-0x0000000000F00000-0x00000000013CE000-memory.dmp

Filesize
4.8MB

Download
memory/3360-24-0x0000000005690000-0x0000000005691000-memory.dmp

Filesize
4KB

Download
memory/3360-86-0x0000000000F00000-0x00000000013CE000-memory.dmp

Filesize
4.8MB

Download
memory/3360-62-0x0000000000F00000-0x00000000013CE000-memory.dmp

Filesize
4.8MB

Download
memory/3360-25-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/3360-20-0x0000000000F00000-0x00000000013CE000-memory.dmp

Filesize
4.8MB

Download
memory/3360-23-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/3360-22-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/3360-433-0x0000000000F00000-0x00000000013CE000-memory.dmp

Filesize
4.8MB

Download
memory/3360-27-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/3360-26-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/3360-61-0x0000000000F00000-0x00000000013CE000-memory.dmp

Filesize
4.8MB

Download
memory/3360-147-0x0000000000F00000-0x00000000013CE000-memory.dmp

Filesize
4.8MB

Download
memory/3360-637-0x0000000000F00000-0x00000000013CE000-memory.dmp

Filesize
4.8MB

Download
memory/3468-434-0x00000000008C0000-0x0000000000D6B000-memory.dmp

Filesize
4.7MB

Download
memory/3468-941-0x00000000008C0000-0x0000000000D6B000-memory.dmp

Filesize
4.7MB

Download
memory/3468-627-0x00000000008C0000-0x0000000000D6B000-memory.dmp

Filesize
4.7MB

Download
memory/3712-10-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/3712-3-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/3712-5-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/3712-1-0x0000000077486000-0x0000000077488000-memory.dmp

Filesize
8KB

Download
memory/3712-8-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/3712-16-0x0000000000690000-0x0000000000B5E000-memory.dmp

Filesize
4.8MB

Download
memory/3712-4-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/3712-6-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/3712-9-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/3712-11-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3712-7-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/3712-2-0x0000000000690000-0x0000000000B5E000-memory.dmp

Filesize
4.8MB

Download
memory/3712-0-0x0000000000690000-0x0000000000B5E000-memory.dmp

Filesize
4.8MB

Download
memory/3924-379-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3924-383-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4116-47-0x0000000000A30000-0x0000000000ABC000-memory.dmp

Filesize
560KB

Download
memory/4116-137-0x0000000002FF0000-0x0000000004FF0000-memory.dmp

Filesize
32.0MB

Download
memory/4116-49-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/4116-48-0x0000000072E40000-0x00000000735F1000-memory.dmp

Filesize
7.7MB

Download
memory/4116-58-0x0000000002FF0000-0x0000000004FF0000-memory.dmp

Filesize
32.0MB

Download
memory/4116-57-0x0000000072E40000-0x00000000735F1000-memory.dmp

Filesize
7.7MB

Download
memory/4156-864-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4156-1004-0x0000000000400000-0x0000000000AF2000-memory.dmp

Filesize
6.9MB

Download
memory/4244-927-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download
memory/4276-91-0x0000000002600000-0x0000000004600000-memory.dmp

Filesize
32.0MB

Download
memory/4276-83-0x0000000072420000-0x0000000072BD1000-memory.dmp

Filesize
7.7MB

Download
memory/4276-82-0x0000000000310000-0x000000000038A000-memory.dmp

Filesize
488KB

Download
memory/4276-93-0x0000000072420000-0x0000000072BD1000-memory.dmp

Filesize
7.7MB

Download
memory/4276-87-0x0000000004C80000-0x0000000004C90000-memory.dmp

Filesize
64KB

Download
memory/4592-92-0x0000000005CF0000-0x0000000006296000-memory.dmp

Filesize
5.6MB

Download
memory/4592-178-0x0000000009390000-0x00000000093E0000-memory.dmp

Filesize
320KB

Download
memory/4592-94-0x00000000057E0000-0x0000000005872000-memory.dmp

Filesize
584KB

Download
memory/4592-117-0x0000000006C90000-0x0000000006CA2000-memory.dmp

Filesize
72KB

Download
memory/4592-95-0x00000000057D0000-0x00000000057DA000-memory.dmp

Filesize
40KB

Download
memory/4592-88-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4592-179-0x0000000072420000-0x0000000072BD1000-memory.dmp

Filesize
7.7MB

Download
memory/4592-96-0x0000000072420000-0x0000000072BD1000-memory.dmp

Filesize
7.7MB

Download
memory/4592-116-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/4592-149-0x0000000009B60000-0x000000000A08C000-memory.dmp

Filesize
5.2MB

Download
memory/4592-106-0x0000000008580000-0x000000000868A000-memory.dmp

Filesize
1.0MB

Download
memory/4592-118-0x0000000006CF0000-0x0000000006D2C000-memory.dmp

Filesize
240KB

Download
memory/4592-148-0x0000000009460000-0x0000000009622000-memory.dmp

Filesize
1.8MB

Download
memory/4592-105-0x0000000006DC0000-0x00000000073D8000-memory.dmp

Filesize
6.1MB

Download
memory/4592-122-0x0000000006D30000-0x0000000006D7C000-memory.dmp

Filesize
304KB

Download
memory/4592-146-0x0000000006890000-0x00000000068F6000-memory.dmp

Filesize
408KB

Download
memory/4884-133-0x00007FFD533F0000-0x00007FFD53EB2000-memory.dmp

Filesize
10.8MB

Download
memory/4884-139-0x0000027E6A350000-0x0000027E6A35A000-memory.dmp

Filesize
40KB

Download
memory/4884-145-0x00007FFD533F0000-0x00007FFD53EB2000-memory.dmp

Filesize
10.8MB

Download
memory/4884-138-0x0000027E6A370000-0x0000027E6A382000-memory.dmp

Filesize
72KB

Download
memory/4884-136-0x0000027E69D90000-0x0000027E69DA0000-memory.dmp

Filesize
64KB

Download
memory/4884-135-0x0000027E69D90000-0x0000027E69DA0000-memory.dmp

Filesize
64KB

Download
memory/4884-134-0x0000027E69D90000-0x0000027E69DA0000-memory.dmp

Filesize
64KB

Download
memory/4884-129-0x0000027E6A0C0000-0x0000027E6A0E2000-memory.dmp

Filesize
136KB

Download
memory/4976-928-0x0000000000400000-0x0000000000ED5000-memory.dmp

Filesize
10.8MB

Download
memory/5016-785-0x00000000002E0000-0x0000000000675000-memory.dmp

Filesize
3.6MB

Download
memory/5084-922-0x0000000000400000-0x0000000000AF7000-memory.dmp

Filesize
7.0MB

Download
memory/5140-982-0x00000000008C0000-0x0000000000D6B000-memory.dmp

Filesize
4.7MB

Download