amadey | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

09-04-2024 08:32

240409-kfg77aaf85 10

09-04-2024 08:32

09-04-2024 08:32

09-04-2024 08:32

11-03-2024 08:03

10-03-2024 15:15

Analysis

max time kernel
30s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FUCKER.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Score

10^/10

amadey parallax raccoon redline risepro xworm zgrat dave evasion infostealer pyinstaller rat stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

4.17

http://185.215.113.32

Attributes

install_dir
00c07260dc
install_file
explorgu.exe
strings_key
461809bd97c251ba0c0c8450c7055f1d
url_paths
/yandex/index.php

rc4.plain

Extracted

Family

xworm

163.5.215.245:9049

Mutex

r3SLo8kx59hai6gX

aes.plain

Extracted

Family

risepro

37.120.237.196:50500

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe	family_xworm
behavioral3/memory/400-121-0x00000000002B0000-0x00000000002C6000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\Files\BrawlB0t.exe	family_xworm

Detect ZGRat V1 13 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2176-304-0x0000000005400000-0x00000000058AB000-memory.dmp	family_zgrat_v1
behavioral3/memory/2176-306-0x0000000005400000-0x00000000058AB000-memory.dmp	family_zgrat_v1
behavioral3/memory/2176-310-0x0000000005400000-0x00000000058AB000-memory.dmp	family_zgrat_v1
behavioral3/memory/2176-314-0x0000000005400000-0x00000000058AB000-memory.dmp	family_zgrat_v1
behavioral3/memory/2176-320-0x0000000005400000-0x00000000058AB000-memory.dmp	family_zgrat_v1
behavioral3/memory/2176-327-0x0000000005400000-0x00000000058AB000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\alexxxxxxxx.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\swizzyy.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\dais123.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\alex12.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe	family_zgrat_v1

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

ParallaxRat payload 19 IoCs

Detects payload of Parallax Rat, a small portable Rat usually digitally signed with a Sectigo certificate.

Processes:

resource	yara_rule
behavioral3/memory/3908-57-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-64-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-65-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-66-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-67-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-69-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-68-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-70-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-71-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-72-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-73-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-74-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-76-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-75-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-77-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-79-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-78-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-80-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat
behavioral3/memory/3908-141-0x0000000000400000-0x000000000042C000-memory.dmp	parallax_rat

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\2.3.1.1.exe	family_raccoon_v2

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\Files\dais123.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

amert.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ amert.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	amert.exe

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\ps.exe	WebBrowserPassView

Nirsoft 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\ps.exe	Nirsoft

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\win.exe	dave

Downloads MZ/PE file

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

amert.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	amert.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	amert.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FUCKER.exebuild6_unencrypted.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	FUCKER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	build6_unencrypted.exe

Drops startup file 2 IoCs

Processes:

DllHost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retero.exe	DllHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\retero.exe	DllHost.exe

Executes dropped EXE 7 IoCs

Processes:

amert.exeTrueCrypt_nKJqAu.exehtml.exewin.exebuild6_unencrypted.exeTdkdsxz.exeYellow%20Pages%20Scraper.exe

pid process

2776 amert.exe
720 TrueCrypt_nKJqAu.exe
3156 html.exe
3468 win.exe
400 build6_unencrypted.exe
2332 Tdkdsxz.exe
960 Yellow%20Pages%20Scraper.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

amert.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine amert.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Wine	amert.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

278 bitbucket.org
280 bitbucket.org
308 pastebin.com
309 pastebin.com
45 raw.githubusercontent.com
46 raw.githubusercontent.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

160 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

amert.exe

pid process

2776 amert.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

TrueCrypt_nKJqAu.exe

description pid process target process

PID 720 set thread context of 3828 720 TrueCrypt_nKJqAu.exe ADelRCP.exe
Drops file in Windows directory 1 IoCs

Processes:

amert.exe

description ioc process

File created C:\Windows\Tasks\explorgu.job amert.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

7340 sc.exe

flow	ioc
278	bitbucket.org
280	bitbucket.org
308	pastebin.com
309	pastebin.com
45	raw.githubusercontent.com
46	raw.githubusercontent.com

flow	ioc
160	ip-api.com

description	pid	process	target process
PID 720 set thread context of 3828	720	TrueCrypt_nKJqAu.exe	ADelRCP.exe

description	ioc	process
File created	C:\Windows\Tasks\explorgu.job	amert.exe

pid	process
7340	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2248	3924	WerFault.exe	ISetup10.exe
5300	4092	WerFault.exe	ISetup5.exe
5612	5788	WerFault.exe	koooooo.exe
5504	2224	WerFault.exe	u310.0.exe
6552	5324	WerFault.exe	u35o.0.exe
7592	7852	WerFault.exe	1111.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

388 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

6264 timeout.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

6112 WMIC.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

6512 tasklist.exe
2880 tasklist.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

6736 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

6760 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

build6_unencrypted.exe

pid process

400 build6_unencrypted.exe

pid	process
388	schtasks.exe

pid	process
6264	timeout.exe

pid	process
6112	WMIC.exe

pid	process
6512	tasklist.exe
2880	tasklist.exe

pid	process
6736	reg.exe

pid	process
6760	PING.EXE

pid	process
400	build6_unencrypted.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

amert.exehtml.exeADelRCP.exe

pid	process
2776	amert.exe
2776	amert.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3156	html.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe
3828	ADelRCP.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

FUCKER.exebuild6_unencrypted.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3808 FUCKER.exe
Token: SeDebugPrivilege 400 build6_unencrypted.exe
Token: SeDebugPrivilege 5108 powershell.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

amert.exe

pid process

2776 amert.exe

description	pid	process
Token: SeDebugPrivilege	3808	FUCKER.exe
Token: SeDebugPrivilege	400	build6_unencrypted.exe
Token: SeDebugPrivilege	5108	powershell.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

FUCKER.exehtml.exeTrueCrypt_nKJqAu.exebuild6_unencrypted.exe

description	pid	process	target process
PID 3808 wrote to memory of 2776	3808	FUCKER.exe	amert.exe
PID 3808 wrote to memory of 2776	3808	FUCKER.exe	amert.exe
PID 3808 wrote to memory of 2776	3808	FUCKER.exe	amert.exe
PID 3808 wrote to memory of 720	3808	FUCKER.exe	TrueCrypt_nKJqAu.exe
PID 3808 wrote to memory of 720	3808	FUCKER.exe	TrueCrypt_nKJqAu.exe
PID 3808 wrote to memory of 3156	3808	FUCKER.exe	html.exe
PID 3808 wrote to memory of 3156	3808	FUCKER.exe	html.exe
PID 3808 wrote to memory of 3156	3808	FUCKER.exe	html.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 3156 wrote to memory of 3908	3156	html.exe	pipanel.exe
PID 720 wrote to memory of 3828	720	TrueCrypt_nKJqAu.exe	ADelRCP.exe
PID 720 wrote to memory of 3828	720	TrueCrypt_nKJqAu.exe	ADelRCP.exe
PID 720 wrote to memory of 3828	720	TrueCrypt_nKJqAu.exe	ADelRCP.exe
PID 720 wrote to memory of 3828	720	TrueCrypt_nKJqAu.exe	ADelRCP.exe
PID 720 wrote to memory of 3828	720	TrueCrypt_nKJqAu.exe	ADelRCP.exe
PID 3808 wrote to memory of 3468	3808	FUCKER.exe	win.exe
PID 3808 wrote to memory of 3468	3808	FUCKER.exe	win.exe
PID 3808 wrote to memory of 3468	3808	FUCKER.exe	win.exe
PID 3808 wrote to memory of 400	3808	FUCKER.exe	build6_unencrypted.exe
PID 3808 wrote to memory of 400	3808	FUCKER.exe	build6_unencrypted.exe
PID 400 wrote to memory of 5108	400	build6_unencrypted.exe	powershell.exe
PID 400 wrote to memory of 5108	400	build6_unencrypted.exe	powershell.exe
PID 3808 wrote to memory of 2332	3808	FUCKER.exe	Tdkdsxz.exe
PID 3808 wrote to memory of 2332	3808	FUCKER.exe	Tdkdsxz.exe
PID 3808 wrote to memory of 2332	3808	FUCKER.exe	Tdkdsxz.exe
PID 3808 wrote to memory of 960	3808	FUCKER.exe	Yellow%20Pages%20Scraper.exe
PID 3808 wrote to memory of 960	3808	FUCKER.exe	Yellow%20Pages%20Scraper.exe
PID 3808 wrote to memory of 960	3808	FUCKER.exe	Yellow%20Pages%20Scraper.exe

C:\Users\Admin\AppData\Local\Temp\FUCKER.exe
"C:\Users\Admin\AppData\Local\Temp\FUCKER.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3808

C:\Users\Admin\AppData\Local\Temp\Files\amert.exe
"C:\Users\Admin\AppData\Local\Temp\Files\amert.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2776

C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_nKJqAu.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_nKJqAu.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:720

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3828

C:\Users\Admin\AppData\Local\Temp\Files\html.exe
"C:\Users\Admin\AppData\Local\Temp\Files\html.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3156

C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe
"C:\Users\Admin\AppData\Local\Temp\Files\html.exe"
3⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\Files\win.exe
"C:\Users\Admin\AppData\Local\Temp\Files\win.exe"
2⤵
- Executes dropped EXE
PID:3468

C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe
"C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'build6_unencrypted.exe'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe'
3⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\Files\Tdkdsxz.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Tdkdsxz.exe"
2⤵
- Executes dropped EXE
PID:2332

C:\Users\Admin\AppData\Local\Temp\Files\Yellow%20Pages%20Scraper.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Yellow%20Pages%20Scraper.exe"
2⤵
- Executes dropped EXE
PID:960

C:\Users\Admin\AppData\Local\Temp\Files\lenin.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lenin.exe"
2⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\Files\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\Files\e0cbefcb1af40c7d4aff4aca26621a98.exe"
2⤵
PID:4100

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:5456

C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe"
2⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\u310.0.exe
"C:\Users\Admin\AppData\Local\Temp\u310.0.exe"
3⤵
PID:2224

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HCAKFBGCBF.exe"
4⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\HCAKFBGCBF.exe
"C:\Users\Admin\AppData\Local\Temp\HCAKFBGCBF.exe"
5⤵
PID:5736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\HCAKFBGCBF.exe
6⤵
PID:6236

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
7⤵
- Runs ping.exe
PID:6760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 2200
4⤵
- Program crash
PID:5504

C:\Users\Admin\AppData\Local\Temp\u310.1.exe
"C:\Users\Admin\AppData\Local\Temp\u310.1.exe"
3⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
4⤵
PID:5372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1420
3⤵
- Program crash
PID:2248

C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe
"C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe"
2⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\Files\BrawlB0t.exe
"C:\Users\Admin\AppData\Local\Temp\Files\BrawlB0t.exe"
2⤵
PID:4416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\BrawlB0t.exe'
3⤵
PID:3520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BrawlB0t.exe'
3⤵
PID:7096

C:\Users\Admin\AppData\Local\Temp\Files\output_64.exe
"C:\Users\Admin\AppData\Local\Temp\Files\output_64.exe"
2⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\Files\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\Files\alexxxxxxxx.exe"
2⤵
PID:2980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:1848

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
4⤵
PID:5184

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
4⤵
PID:5200

C:\Users\Admin\AppData\Local\Temp\Files\ISetup5.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ISetup5.exe"
2⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\u35o.0.exe
"C:\Users\Admin\AppData\Local\Temp\u35o.0.exe"
3⤵
PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 1216
4⤵
- Program crash
PID:6552

C:\Users\Admin\AppData\Local\Temp\u35o.1.exe
"C:\Users\Admin\AppData\Local\Temp\u35o.1.exe"
3⤵
PID:6024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1532
3⤵
- Program crash
PID:5300

C:\Users\Admin\AppData\Local\Temp\Files\cacd6bf810543a9d46c9b104dfd72778.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cacd6bf810543a9d46c9b104dfd72778.exe"
2⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\Files\Hero.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Hero.exe"
3⤵
PID:5992

C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
2⤵
PID:5404

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
3⤵
PID:6524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'kwweifjdskdv';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'kwweifjdskdv' -Value '"C:\Users\Admin\AppData\Local\kwweifjdskdv\kwweifjdskdv.exe"' -PropertyType 'String'
3⤵
PID:6396

C:\Users\Admin\AppData\Local\Temp\Files\koooooo.exe
"C:\Users\Admin\AppData\Local\Temp\Files\koooooo.exe"
2⤵
PID:5788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 852
3⤵
- Program crash
PID:5612

C:\Users\Admin\AppData\Local\Temp\Files\swizzyy.exe
"C:\Users\Admin\AppData\Local\Temp\Files\swizzyy.exe"
2⤵
PID:5984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5944

C:\Users\Admin\AppData\Local\Temp\Files\dais123.exe
"C:\Users\Admin\AppData\Local\Temp\Files\dais123.exe"
2⤵
PID:6116

C:\Users\Admin\AppData\Local\Temp\Files\rtx.exe
"C:\Users\Admin\AppData\Local\Temp\Files\rtx.exe"
2⤵
PID:5208

C:\Users\Admin\AppData\Local\Temp\Files\rtx.exe
"C:\Users\Admin\AppData\Local\Temp\Files\rtx.exe"
3⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
2⤵
PID:2936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6378.tmp.bat""
3⤵
PID:5108

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:6264

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
4⤵
PID:5012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
5⤵
PID:6536

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
6⤵
- Creates scheduled task(s)
PID:388

C:\Users\Admin\AppData\Local\Temp\Files\USA123.exe
"C:\Users\Admin\AppData\Local\Temp\Files\USA123.exe"
2⤵
PID:5168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\Files\USA123.exe /f
3⤵
PID:5760

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ChromeUpdate /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\Files\USA123.exe /f
4⤵
- Modifies registry key
PID:6736

C:\Users\Admin\AppData\Local\Temp\Files\images.exe
"C:\Users\Admin\AppData\Local\Temp\Files\images.exe"
2⤵
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT /delete /yes
3⤵
PID:1580

C:\Windows\SysWOW64\at.exe
AT /delete /yes
4⤵
PID:6440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
3⤵
PID:6816

C:\Windows\SysWOW64\at.exe
AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
4⤵
PID:6208

C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
2⤵
PID:5484

C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe"
3⤵
PID:6320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
4⤵
PID:6148

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:6512

C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
"C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
2⤵
PID:7004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
3⤵
PID:6724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists';New-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists' -Value '"C:\Users\Admin\AppData\Local\LibraryApp_for_translators_and_linguists\LibraryApp_for_translators_and_linguists.exe"' -PropertyType 'String'
3⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\Files\judith1234.exe
"C:\Users\Admin\AppData\Local\Temp\Files\judith1234.exe"
2⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\onefile_2604_133571324186246508\stub.exe
"C:\Users\Admin\AppData\Local\Temp\Files\judith1234.exe"
3⤵
PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
4⤵
PID:7032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
4⤵
PID:6344

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Detects videocard installed
PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
4⤵
PID:6356

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
5⤵
PID:7136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
4⤵
PID:6340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
4⤵
PID:7044

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
4⤵
PID:6804

C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
5⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\Files\2.3.1.1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\2.3.1.1.exe"
2⤵
PID:6876

C:\Users\Admin\AppData\Local\Temp\Files\Runtime.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Runtime.exe"
2⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe
"C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe"
2⤵
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe
3⤵
PID:5748

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:6896

C:\Users\Admin\AppData\Local\Temp\Files\alex12.exe
"C:\Users\Admin\AppData\Local\Temp\Files\alex12.exe"
2⤵
PID:6596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6196

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4820

C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe"
4⤵
PID:5584

C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe"
4⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\Files\ps.exe
"C:\Users\Admin\AppData\Local\Temp\Files\ps.exe"
2⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\Files\conan.exe
"C:\Users\Admin\AppData\Local\Temp\Files\conan.exe"
2⤵
PID:5440

C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
"C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"
2⤵
PID:6100

C:\Users\Admin\AppData\Local\Temp\245341610.exe
C:\Users\Admin\AppData\Local\Temp\245341610.exe
3⤵
PID:6964

C:\Users\Admin\AppData\Local\Temp\2903716859.exe
C:\Users\Admin\AppData\Local\Temp\2903716859.exe
4⤵
PID:7332

C:\Users\Admin\AppData\Local\Temp\98283674.exe
C:\Users\Admin\AppData\Local\Temp\98283674.exe
5⤵
PID:8032

C:\Users\Admin\AppData\Local\Temp\621533012.exe
C:\Users\Admin\AppData\Local\Temp\621533012.exe
5⤵
PID:8664

C:\Users\Admin\AppData\Local\Temp\1760415418.exe
C:\Users\Admin\AppData\Local\Temp\1760415418.exe
4⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\1880326226.exe
C:\Users\Admin\AppData\Local\Temp\1880326226.exe
4⤵
PID:8384

C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
"C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
2⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\Files\Pac-Man.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Pac-Man.exe"
2⤵
PID:5564

C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
"C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
2⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\Files\3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\3.exe"
2⤵
PID:5768

C:\Users\Admin\AppData\Local\Temp\Files\3.exe
"C:\Users\Admin\AppData\Local\Temp\Files\3.exe"
3⤵
PID:8000

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
PID:7324

C:\Users\Admin\AppData\Local\Temp\Files\lumma123142124.exe
"C:\Users\Admin\AppData\Local\Temp\Files\lumma123142124.exe"
2⤵
PID:6556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:7552

C:\Users\Admin\AppData\Local\Temp\Files\RtkAudUKZ1.exe
"C:\Users\Admin\AppData\Local\Temp\Files\RtkAudUKZ1.exe"
2⤵
PID:7112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Control.exe
3⤵
PID:6828

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Control.exe
4⤵
PID:7932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Anyns.exe
3⤵
PID:5536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Anyns.exe
4⤵
PID:7060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Header.exe
3⤵
PID:5508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Header.exe
4⤵
PID:5640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Files
3⤵
PID:5608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Files
4⤵
PID:7756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\
3⤵
PID:5232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\
4⤵
PID:5412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Taskhost.exe
3⤵
PID:5184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Taskhost.exe
4⤵
PID:2932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Runtime.exe
3⤵
PID:4536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess Microsoft.ServiceHub.Runtime.exe
4⤵
PID:6296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" powershell -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\Sideload\
3⤵
PID:2876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath C:\ProgramData\Microsoft\Diagnosis\Sideload\
4⤵
PID:8008

C:\Users\Admin\AppData\Local\Temp\Files\native.exe
"C:\Users\Admin\AppData\Local\Temp\Files\native.exe"
2⤵
PID:6804

C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
"C:\Users\Admin\AppData\Local\Temp\Files\sc.exe"
2⤵
- Launches sc.exe
PID:7340

C:\Users\Admin\AppData\Local\Temp\Files\1111.exe
"C:\Users\Admin\AppData\Local\Temp\Files\1111.exe"
2⤵
PID:7852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7852 -s 156
3⤵
- Program crash
PID:7592

C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe
"C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe"
2⤵
PID:8048

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hf0a2jbe.cmdline"
3⤵
PID:5660

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57CC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC57CB.tmp"
4⤵
PID:2312

C:\Windows\system32\chcp.com
"C:\Windows\system32\chcp.com" 437
3⤵
PID:6368

C:\Users\Admin\AppData\Local\Temp\Files\Tester.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Tester.exe"
2⤵
PID:7036

C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe
"C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe"
2⤵
PID:7252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass -File socks5-clean.ps1
3⤵
PID:8076

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
1⤵
- Drops startup file
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3924 -ip 3924
1⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
1⤵
PID:5064

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
2⤵
PID:6096

C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
3⤵
PID:5844

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:5356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\045580317372_Desktop.zip' -CompressionLevel Optimal
4⤵
PID:6564

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
2⤵
PID:6540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4092 -ip 4092
1⤵
PID:4044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5788 -ip 5788
1⤵
PID:5336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2224 -ip 2224
1⤵
PID:5780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5324 -ip 5324
1⤵
PID:6300

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7952

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4d8 0x4e8
1⤵
PID:8068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 7852 -ip 7852
1⤵
PID:5448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
PID:8548

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:9020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
8ab6456a8ec71255cb9ead0bb5d27767

SHA1
bc9ff860086488478e7716f7ac4421e8f69795fb

SHA256
bcb14f15fbe23bf51a657c69b24f09cd51e33a2530f89ad17c44f660769611e2

SHA512
87c5368dbd7c85f341edf8992d8b1c87984f9a3549a4802c6054da4e12a8674f10f56d03afc1a72b2cfc40895150d3b0f4d9d4c355c79cdf364ace35eb8ebf15

Download Submit
C:\Users\Admin\AppData\Local\Temp\1880326226.exe
Filesize
85KB

MD5
34a87206cee71119a2c6a02e0129718e

SHA1
806643ae1b7685d64c2796227229461c8d526cd6

SHA256
ecea49f9a754af7055b60a860acfd8ce2bc63048c947c9ee6324f07d45c4787d

SHA512
e83b0e003687ebe5d5df5bd405b12b267e07252838d1575dc390b409e03279f9d0ce4a4691971a9601f58d52e55af2fa8ea9596ace4bef246f9ef511b65cdbc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
Filesize
2.6MB

MD5
21112c87b4bb2b0bb8004c1f1653d36e

SHA1
31aed7e1843c4cc528931710ba578f909e71d764

SHA256
556b87267249b63a0e4ab4e0afd7924e88f72e036c55c1e18c40c7889762449c

SHA512
b95c5603d090c79c8e67bd8f6f5cedffd2d0c5b1d453489d99733997ff2722d83a138c925790ed4341d61756f859ff5523ef54674553b6602b730a7042eccb2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
Filesize
20.4MB

MD5
5270e1e98ab2019d0ac4177c74fd4fe5

SHA1
557f0b35844e7091a51ca7341c3af3649f9a676c

SHA256
cbd9640f8c6a434ce60b03a549902323ca9fcab61682fbf5fc7db211ebb01d82

SHA512
f2fbee669aede2791018b243781f54f7e47e81cfca26c93c76eb5339df2c9489ffc3f90186fd627356f42898bfdfba39567141bc4e2ee8fd5935b93ab4499ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\$77_loader.exe
Filesize
397KB

MD5
6f593dbea0a8703af52bd66f582251a4

SHA1
2201a210e9680ec079b08bdb1da6d23112d87dcc

SHA256
a3357e7ea44e4d30304b1e5a4f53da37c848ce10fda0bd03a4f0dc0c5220e336

SHA512
97ebc0b7f27a76efead93fce05a8d059b4c6629e6348d5d4b728ed910ab00848b44737c6b5a48ac070d62a1da9273fc72b809fcf36bd17afb573fccc33d5aa73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1111.exe
Filesize
1.9MB

MD5
e9643855e72593683cbc5257b6687fc2

SHA1
6b5b7c5d605f223a8a05e0e2d2e5ec4a3f326a61

SHA256
1e11f472999240b1b8474119e7d0be5069dda02af979e27cc4c0d83a70c4c2f5

SHA512
abe73037d629e4e30acd3836008a5f59d02d1002a389e524d80929504e56fbc03581184003ebbbf325c803ea7ecab6c13dab3b000490bf7aa45efe307313a50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\2.3.1.1.exe
Filesize
80KB

MD5
7fbe056c414472cc2fcc6362bb66d212

SHA1
0df63fe311154434f7d14aae2f29f47a6222b053

SHA256
aa1b0b2f6f06f622abf2128ecafed1929682221c5ff4dd2426f16b9ae272fdf9

SHA512
38edc08d3fd41c818ae9457e200ade74ac22aabc678adce6a99d4789b621e43b298ca8e4189be4e997f66559325d76ad941d604d4375175f174de8521e779220

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\3.exe
Filesize
576KB

MD5
5a222c7172583195cc21e3a6f723cf7f

SHA1
3f4aaf39675d570731e46902d2e3d4cf065c87ed

SHA256
24b032f29a1a947f1c65090c2bae96d1fffb33e9e546dbcc413c7a1ddb6e5283

SHA512
0b22d3fd52d74230b8f77a53839cdc077f82664ec63ba91c60b4de40fa3934ffee1aa933d921b20d1b2a3efcf8e3ae3f4f5b926bc3d02e0ef467bf204a91f5c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\BrawlB0t.exe
Filesize
65KB

MD5
3a71554c4a1b0665bbe63c19e85b5182

SHA1
9d90887ff8b7b160ffc7b764de8ee813db880a89

SHA256
9340551164eb763cd63db1f251b535dea497edfcf1eb46febcb642b1369f8595

SHA512
49c869db9a74c8054a477396c205685f41d4fe79ed1bb9088c1d528d7df8dfd1e251ec016939a0207484e6fd2f3338afad06b4f242c7fcb5d16d2293db16e772

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Creal.exe
Filesize
13.2MB

MD5
125a5c30fd99f5f53b2914e9f6cf1627

SHA1
c26195a24760f7c6621c63bf79b8d1f36e3ec04b

SHA256
15548dc4aab59a1ecc65d7cbe37b2a6224e8be7682621e8f6b9ed851ab6f4e97

SHA512
a40f99dbf33afbb7a9a6f8425da9f3fdc564fcd3a8a0e8f76a830a5c6da558158ef51fb907c24897aba82c1499156aeac636ca0eeb4f527bf5ec8fb43b39905a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe
Filesize
413KB

MD5
9e47f0bc22fd2adb6fae78cebb480544

SHA1
26b5c4878279efcbb5f8aefdc4ac361c0d1841fa

SHA256
ce93c6599da043a6a01ee9126b037ddc19467f30808d575f9bd8b2971a1dd53b

SHA512
1b0bd1e8df033c017fd3644f0e132af923f80ae71df5f6fda8e0858855dc96287d70837cf4920804feee05aba727dea9639d7ae12f88a1db59a4c5b0b9d95146

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ISetup5.exe
Filesize
413KB

MD5
765e590bdf6597f282def847dd94d4bd

SHA1
1029898323e174062d9d0adb298bb0f6874675ae

SHA256
6d9a0fff1e5344852494b9eb3a12f4c8119d2009c16b7d762386217e6924e2fd

SHA512
bfde5fa68047b4fada753c110dd1830431467756d2881ad63a32fad9fdb29091fba35887935ac745036bcd88530fbcc2a0ad05b444ae5159c1c5e2c9bf9a4fa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Pac-Man.exe
Filesize
5.7MB

MD5
8951c19af1a1bc8423823007abdf9ade

SHA1
86aec431d6bba08dbc76e236ca490a7ad3f0ded9

SHA256
420b23eea40a6a4bf0f1cdfffe85d1e6ca59da357268c0373c8d30d1b5c99fa3

SHA512
459a37abe6b364b81111b177c655e02446cc66f7667a772f7340f54151d3a783a3dce0fa8e61658c265773f93ea3615b55384e952134f04427878c2b5762d262

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RtkAudUKZ1.exe
Filesize
16KB

MD5
2644dec48ca3539cfc4a7b4dba0bd212

SHA1
d5fd9c4b6f865ba7dec0604bdd7b06f0f00023f8

SHA256
ea7efe5b685adb6324eea4717d5a9ef0c09c0222acc527d3bff2dc752d0cdcf9

SHA512
756a9acf67292a0cc2107188316e0ccf15c3ca8317e65fb5add57a525bb0fece07f5e0d9ef430a54ec21ae6b2a9242f7bd3926b1791dc3e704ae40f10b194ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Runtime.exe
Filesize
16KB

MD5
be5041fb817fe1edf7e6c487db9b5534

SHA1
38040d570af54917957504bd88ab7c555e0ee3ba

SHA256
9663cb27096c5592837253411ddee56a54b84b1851cd77e7b33768091ef26fa2

SHA512
8a0200768436ec3e06b11b2447136720af887398d37bc3e635dd417b5dfd86734f8ebc425ed1e8eb2b2689838f3acda0f9a3f6192a54460b4da1027112d28e62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Tdkdsxz.exe
Filesize
4.0MB

MD5
673dd7435b21ae0bd9a753e8a3479d93

SHA1
939562bb513b604400bc53d7cd26915f8d378f46

SHA256
fdecb6d9df9205cb6f46e80d6a0dceff4fb65ec54e1768afbe6ad8116c5621ab

SHA512
a1d2f6e84c487438d0c3721a1815c786b62f33e6675205dfa32222c07a8fa80ab9537a8cba23ec21612f74005ff3ebb38d182761077fcc39f0700e98e132ee70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Tester.exe
Filesize
267KB

MD5
0803c1aec008e75859877844cfa81492

SHA1
16924d5802ddf76a2096fcfade0ce06d4c0670bd

SHA256
d5ab98bd209db0ed18272fe616ea4b8be34fd13d36116d25793fa7aa6f8b33e3

SHA512
9001e77da2562652ae51bdb3b8b9bfe686d0ed0c4eb8d338b20b7c4eb6eb8e90a4fae01d8212b1908037d5ff456e982500e4907686c38e5c33e969d55ba914d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TrueCrypt_nKJqAu.exe
Filesize
3.9MB

MD5
0cb4cc8a9f145e69c6765bc81faacc7e

SHA1
ce6f40a67bd31738f47ed4d8f017e7c13aa90ceb

SHA256
adad8b635d0e68f9bbef153e5abb427d85de2e3a4f786668912074b8419ee239

SHA512
04c86d223e6ed60af03102a704dacf8b5107edfb99a22db567990d2325b75a8208c1cc3e64f98d7a86ab3c4d44129a7d0e6bf9a79e5922edaef1ad23e5e17ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TrumTrum.exe
Filesize
4.3MB

MD5
dd00d5501f388f4422cce9bd559394e0

SHA1
aedb099cd36fb77bd85921dbea5f60e8fdedcb04

SHA256
cebeab296875244d1748a0ffe1c23b01f41e93cb684e03eb4ddf42b226fb97c2

SHA512
5942eb9aa7f6a116338bd0eb44becb4a2ff095821b8864ecf345d8e7fefac574b04843b70d309d81ad540f6a385592660ab16031fca0d56c97487cc0607162b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\USA123.exe
Filesize
2.5MB

MD5
60788d9aaf351fd3d262b7465df7b8e5

SHA1
c69d189f0c68b6d937831e5cb4df543426a89aa6

SHA256
35b5f1ecbedb1bd24453420b7e34d743ea9af6cde269eaa20be9ef81775de6e2

SHA512
9a125b7200ed7da59088d168573bd6cd53b92e814c3552a9a9bfd6187608e4bca0938b5039aa33a2f19dd9bfb8a51a9d1a4216df1e5e9899c90b18436db4504b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Yellow%20Pages%20Scraper.exe
Filesize
684KB

MD5
60ee968291e60900894fc9d914a48a80

SHA1
2c26edf35ac813a2f83148f62676e30b45f171a9

SHA256
52d5d347126a7a686f2da37c2e8868f4bcec2e5affabd850ad45f2b81b21b664

SHA512
9ea212bb0eb25f5309a8717218693306b18fb092d0910015fe4ef569f35377a73647507cb5629266f55550cc2fcc8d73a30d4f4e3c2d2ddd7ba22b575106cfd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\alex12.exe
Filesize
1.7MB

MD5
211c3659790c88b15827ec89ffa5898f

SHA1
f0ef5847fb9a1db37b3307e3b2b6f90098aa6e65

SHA256
0f2f61669d3bc852e0defe69777a70627ae072b167425a64f4c88ac9ca84389c

SHA512
a7aa227100c27ba414d53af42c9dbedd3f509fa7b32fc442d2f0ede75292c917e226ec78238a66c6d46531d23856a4d1bcf1ad9567d4c1e75bfdeb975769e708

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\alexxxxxxxx.exe
Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\amert.exe
Filesize
1.8MB

MD5
b8b5138dc6f97136cfebece16f80203d

SHA1
e020d3ac6d101791801e8ce8c921a5f54f78abf5

SHA256
7d1e736b876ad9f4effc5736323bbb1db9d53b49abda5a13d238cbe5f56e136c

SHA512
f26e295c0845b57520ee8392761c532527ca41974f68f189bb37637b45455edceb098ca23d2952e495635719a8da8a39d86d880467bc6ad79071afd870dd9877

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe
Filesize
65KB

MD5
3b5926b1dca859fa1a51a103ab0fd068

SHA1
9b41d9e1810454b00e12cc386e8e31fc1bd29ef6

SHA256
e1f3e0bc705e2917d285f9a9ab49cc6444ff9267b46cbf1be3b97f9a716e6d08

SHA512
6f924f3b1a7bcce36cea2ef0f73dfcf837b2ec03da44e0a12d6afcd2af1a92d20af251d04fd3970beedad082d646fc84ae7107b4111f43abc12b5a1e3d03a794

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cacd6bf810543a9d46c9b104dfd72778.exe
Filesize
3.8MB

MD5
cacd6bf810543a9d46c9b104dfd72778

SHA1
bc4c9a7d0871b083bc66d755d9b00adc8d17ae80

SHA256
1af7a03173c23128329d2fde2fa307b4e340e967eb2942c770dcfcd953661d3a

SHA512
d49e9f9f8fbd99a9508f0106f832e1ecd694dfa91020b517945cfae7c3f4d4d693daf2626d22eca1f3e5569242261c72861e5aec40ffd87c2a00dca96b1f223a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\conan.exe
Filesize
822KB

MD5
f29bb9918f3803046c2bab24c20b458d

SHA1
c162f42333a6a7ef23ea9fc17e470daece374b6c

SHA256
b84760ded0544c86d23849130082b99c3000b1e4ca5da0690fcdfbf2771b7993

SHA512
e9f27f3be82a4b32ad155067b5e7c8652ec2031321eec64574152f2ddb01ff20dc9f44ee75ff7c363b103e3d8a7952c013416f360527e969963a11dea023a164

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
Filesize
1.8MB

MD5
97256cf11c9109c24fde65395fef1306

SHA1
e60278d8383912f03f25e3f92bf558e2a33f229d

SHA256
21c23083404349dbc8e7094338acaa07ea5a7e3a442bb81a528e06c175b8d934

SHA512
41e9c7911c1f461ec389ac9d430898bd9e21accf6b4291d30c4e743084bb19c2ae9279597f4a43cfaec621263cb135c3ada21e23e27cc7961c794fa499910c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dais123.exe
Filesize
278KB

MD5
1de21cf446488e0be215304d37fb6fbc

SHA1
f2fc46d719178d2613c61a780f128ea0e9a71e51

SHA256
b44daa31105868bafd0a0b29762e614ef238547a256577ae5671efedd3c652c1

SHA512
b2c425fd5dbfecf84942e869f44c7d1fee19dc7da9b9fef6c3aa367953f3b0cc4914cbd884d0c42410a96be501fdce21b20fcb1e0f73237c314853dbd2635d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\e0cbefcb1af40c7d4aff4aca26621a98.exe
Filesize
4.1MB

MD5
78a9e69486fa214a1af7dc245ab3ec06

SHA1
be22322f2b14aed57af4db18a6abe516f1c07ce4

SHA256
502e18361730ced7e40e00a36d11de51a07a05f29d5b5c9ea54c662260a5d47c

SHA512
84ee6f4fc283a47522cc2e863dfb51279c4fa4aeeeacb1f75367383c0f2c9fa4224cd007b33a1f1aa25f277af66799bbe47d3a74fa95dfda2ec8443c4af4bd7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\html.exe
Filesize
1.5MB

MD5
77f82a88068d77ba9ece00d21bf3a4db

SHA1
cedf93d2a9dae5a41c7797baaf535f008d0166e9

SHA256
33dd66da63f57e1d64d469172a5d5e7615924bcde919e962c4a5a00c51306051

SHA512
1c3e8eb58ea6139e738bcf1662037669f470d46cdc60c9b4297542bcc545a2673447686a99827a8d07ae06d0260d5b1778159cd41552bc2c571a06ef297a9e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
Filesize
5.4MB

MD5
6a1db4f73db4ed058c8cd7e04dfa7cc3

SHA1
e3e074af4f3a6ed332eedf518b2d1f9a20314fd6

SHA256
0a5355f8e8a6665e7da928c50309b811b88f011d763d0ab5057a8b969992f5ec

SHA512
1ce79d2b5f58c9d1f6e68cb86a0d24fec883defd55115640b021816facd4bf3748da5a61b1e5da9f76f6b7a2b6c382b72261536bc28f48d0643a9f8aceb98fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\images.exe
Filesize
477KB

MD5
34e03669773d47d0d8f01be78ae484e4

SHA1
4b0a7e2af2c28ae191737ba07632ed354d35c978

SHA256
2919b157d8d2161bf56a17af0efc171d8e2c3c233284cf116e8c968dd9704572

SHA512
8d93fab3c2544d015af2d84f07d3ebbf8acead8bb0185ffb045302b2be19ac12cd2ac59288313bd75bc230768c90e68139c124ea89df943776b1cfaac4876a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\judith1234.exe
Filesize
10.7MB

MD5
f42baf224056715224666a1e9689e63b

SHA1
b557257a7b60d52ba9775665b9355962ad0f7983

SHA256
70f56988e66c41598b992831c2fac72ebcd00f339959013bccc5e4a667a54f5e

SHA512
2ea2323cf2b6b01f5d44c49fea1dacc8da3f5c38a6d24a6506a2225a143bd9c6bfc358f1dec0c863501ffd8ee4fc1250ff76a5fba554fe44bb527ae966fe457c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\koooooo.exe
Filesize
379KB

MD5
90f41880d631e243cec086557cb74d63

SHA1
cb385e4172cc227ba72baf29ca1c4411fa99a26d

SHA256
23b62a27e3f5c424b16f31e5009af4f24c8bd13b1f035f87879e2a29236be7a0

SHA512
eeb85b34aa66a7e9a1b1807012999ee439433df23126a52ffa8d4b3cb2026be3bcf63ca25f143de58ba929c0d4feeaf2a603fd6ec6b5379fc48147c22f3783e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lenin.exe
Filesize
2.1MB

MD5
b929da8c9fcb6cb73857a40ddac5aab1

SHA1
b24c4024d3b05f95f784af653603f25210de4354

SHA256
458a716c62104a5a109edcab77c4b7bb25c52ceb1458efa42d3a9b723018c39c

SHA512
8c1cd44820273de254c1e4e2af61429280cabaf50f93c88a3890df6f7db072290febc8366ab8f9b09d592533c51287f90946d72f7131e96cd02137fb7677ab41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lumma123142124.exe
Filesize
600KB

MD5
cad41f50c144c92747eee506f5c69a05

SHA1
f08fd5ec92fd22ba613776199182b3b1edb4f7b2

SHA256
1ac5eed2f7fc98b3d247240faa30f221f5692b15ea5b5c1eba3390709cb025c6

SHA512
64b89f3a3b667cd81f33985db9c76ffd0bb716ce8ed93f97c24d3c20e7236d91d02af9371a26d41f55b564702bd1f6fd7489055868fcd1610c04beb79ae8c045

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\output_64.exe
Filesize
130KB

MD5
43400a439dc5122ee54a9ed53e481d41

SHA1
e6d70e4105b344743191c9af1b4b94b2bf4ff34e

SHA256
9c06fc50ba0e17ffecfc28fc535525d5d7dfe70746ca61fac042002fe1ae5e9e

SHA512
edcf2ed1a5aba05de073dcdd1af46ee09e90f681396b43036fa15bd0303febda744d829279c4580faaa4d4136ab085f95c21319a9f30b0c1e7d83d1372d920c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
Filesize
9KB

MD5
62b97cf4c0abafeda36e3fc101a5a022

SHA1
328fae9acff3f17df6e9dc8d6ef1cec679d4eb2b

SHA256
e172537adcee1fcdc8f16c23e43a5ac82c56a0347fa0197c08be979438a534ab

SHA512
32bd7062aabd25205471cec8d292b820fc2fd2479da6fb723332887fc47036570bb2d25829acb7c883ccaaab272828c8effbc78f02a3deeabb47656f4b64eb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ps.exe
Filesize
459KB

MD5
1edba8a76c4a327f6e0b81e85c14ede6

SHA1
89b68d190315e6476b0a8b135e6e515ab931c10a

SHA256
72c3a786661ee9742cf1d0e3b99b89e976911ed87971695f08487cf42d7fc29d

SHA512
3347452e348f52a17a787574136d8d0fccc70511205e47bd2fdc546718b87d22f9280621bc5a849c6b5834e1226a453ccc1657ff34f63877f052713ca9710562

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\rtx.exe
Filesize
1.9MB

MD5
86f2f5b1e021249025236f1c3a1935d4

SHA1
4d102ec935c274bded67400a90dcd253fd57805f

SHA256
518c488150a5d11ad06aeb133ce63696e2f3918d3c6c997f69ae8ebe9c3870e6

SHA512
0f239c4ed770b0e03d0d0794cb3be21bcea2bc5fda5ac70ca057b92262f9c5362e98c5f672fc865a52f69c219e188a58e864ced8aa79fd127be92b1299259451

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
Filesize
282KB

MD5
e86471da9e0244d1d5e29b15fc9feb80

SHA1
5e237538eb5b5d4464751a4391302b4158e80f38

SHA256
50dd267b25062a6c94de3976d9a198a882a2b5801270492d32f0c0dadc6caa81

SHA512
d50a934923ec9133e871d797a59334ad92e0e51bcd3e3fd47f2c00510b87e69d6ac012682ac661121f6bbd0ece47872d79e4f9eae5550aae6dda3dd36bdb2088

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe
Filesize
268KB

MD5
21eaa1da67a8d9f3b76b4a63a1da1442

SHA1
677a156ca20cabf46fce1085e8743344ce075e9f

SHA256
76d658bfc9ccc2e74cd4e4ef834506828072c49db03cac869f3b7d4146391335

SHA512
f031d2746248b956246f2addc433160f1e677bb313e27eba33c6f0f3bccb7c2d7a2a0f9ef6e5474f867a57067c1ae06767e2fd9dd575618397cfc0997a2f43d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
Filesize
3.8MB

MD5
4443b57c1262fbc156765ba2a9019391

SHA1
b02b8b4c0ee1f8b850e420d754ef1f398c1ebf4d

SHA256
f6631cb0b90dad50436e54e1626d6684bb4188a451dd1168e72df5ca67583af7

SHA512
84e4854c82c5fbd789ce1973b73d60aef138cee9b492a693a8a9d49a24488cdc719d54a8434fdc4b8e7057be33126e09aae2f04a88d9bfbb7abb9264aa0d596d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
Filesize
7.1MB

MD5
45d20d471e6f3f8f088d489d62058f23

SHA1
d261d037781fb5e7124a40df3d2e32e4d694c2c4

SHA256
36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711

SHA512
3e04852233147146e76684ebcc335e6281413796cf148d34234b86753a3f2b2afb2e58853d44873dc43f9578639ef55f35aab98aaee7dda718f6cfaeb4e4a02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\swizzyy.exe
Filesize
664KB

MD5
0072b23f74d405feb1c244ee4aaced80

SHA1
9eccaf8981c27d8e7a75b367f64e8e78a4fd117a

SHA256
7da8532f8079b65e932d2923949bf6e8885fe5fbc96e36a67dddfa9967df271c

SHA512
50a278b53bbcf02cdcaf64e7cf0265506197cee22b0512ad2b80aaa1f30cdce183f2fabf96b60813d91ff77f1cff50f62816ba2493e4957b66c01afeef59dd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\win.exe
Filesize
4.3MB

MD5
a263a25d204194fa5e17f07330b9a411

SHA1
a1d4f97dd06f2e3bb343a564601a6055e12ebcec

SHA256
faea4ccd802391bf9a6d71bc6052f269b6ca370c124bfe4d2faae55b43a5c0c8

SHA512
003d70099729511e04ca0104a5315aba1495112bcdd64e3f07d2286a9f0e61b1fa6a8ca78d296220bd835b9c2a741813fa5a57dc9f86650492dc3b228d6e3ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe
Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp2F39.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jppp0xud.hs0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
3KB

MD5
fdd9494177f0ecfef0fc90c5aa4cebb8

SHA1
cadffe1f3684b757d1d20973a6f16f55b286f562

SHA256
6b40bd3736127132ca17e34a68d8a6c6fe988611d8922cd143cba1050ee6646e

SHA512
1281a3e1b10f4bd01e185d54b1a781c8625828d7fa518b47022afb4f88d22fc7d9688354cddd3875f304fc1342874fc8b00956d058e1aa8f9846125009bc2b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
931B

MD5
9eff640c82e8c41ad5365d604dd91662

SHA1
61811be7499a4d6ac1e3f2b218bec4cc75b8771e

SHA256
7b0893c5a4f3d13c93c830943c434e9630c768db8ebf03d81ce5256298cff448

SHA512
9adcb6fec347c9816112941c5e99d1d1208b32562709877a0697a90e361e695eb4be7703404552568c1011764664ffbcb33c13c34da1df13c2fc704c5ed8312a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
Filesize
2KB

MD5
e05f606bb12b4f5947266f5554ec1754

SHA1
34309a340085b68f21c60a9fe8d6d452fc904f5c

SHA256
ea67f0a3621717d4097354203d89bc4e03889a755315f47e9ac5837201246f7f

SHA512
16bba6de16a6affaa5821541e6a5f94d703727db21b1b949d618f2940e888b55c99a058b10b6db54173736e90c60403f5d7596b03ac1ced014a9e6c432f1cabc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7CBE.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F41.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\u310.0.exe
Filesize
272KB

MD5
31765c43b9bf0da3a52bfeb68733655c

SHA1
c6ccc6b435e123ef62c4996a82019432cde58d4b

SHA256
06d92df4f5d05897df05e9a9b89986a7b4e534cec4d46e3219d79c90edb645b2

SHA512
0f4b867ff7680c2946f0c801b69157de9b2f5007030a1c17d15ac99d4acd1933e9515e48c9109206f4498f4c020ef89aca21c0de920609a77cef2c03d3258c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\u310.1.exe
Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
109KB

MD5
2afdbe3b99a4736083066a13e4b5d11a

SHA1
4d4856cf02b3123ac16e63d4a448cdbcb1633546

SHA256
8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee

SHA512
d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\fate.exe
Filesize
296KB

MD5
28f30e43da4c45f023b546fc871a12ea

SHA1
ab063bbb313b75320f4335a8cd878f7a02e5f91c

SHA256
1e246855bc5d7648a3425771faa304d08ce84496a3afa7a023937ac41d381c6b

SHA512
559099480bc8518f740249b096c123bc5dfb9dc0126d1c681f4e650329cfb4383754ec8a307057f24b2692c36f4fa8e90b5b5d2debe1061e1ece27a7b26335b4

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehpsp.exe
Filesize
310KB

MD5
afbc408680d16aa491e10c002dc9c3d0

SHA1
272e07bc68d862f65fc2006d9d714ad03cb09086

SHA256
7b32e5045377a79d4f7f552d9971022f6883799eebeffa8f48f3c76e66acb80d

SHA512
05601f82bc44aaca332b7357b745a5658199c6bb86d26cbf9a110686351717359a6b64f1c713e278a3517b470cf7bc6db48c647f587999931606a137d0040fbb

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
3f8ab198d2eb19ddc6ac86e6f6b29c14

SHA1
6964b8f430342e316af82b2896cf82615b69d60e

SHA256
e0fa1c4803d9b8971df2cddb900df570edb0406c90d17027de9e1ec64ebc5a01

SHA512
6d53ff45b62658067b92aa5daabf846a1c39ab5c55e91d80fe906ebef14c093f2f6c1c9b81c3197545c0e221dbaeb4d526bb9d1f4ad79e85963a2b18820dc2ae

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini
Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Windows\SysWOW64\setting.ini
Filesize
141KB

MD5
83e2a9054bd87abdef3e0ed34184d51f

SHA1
2811598b93b756a0212c260148fbe6efd275ca66

SHA256
3cba711d01250007f16486e9fcccfc3161395ea02bfeb0012c65eda7fbc99cc9

SHA512
6acd149a145c4d94f67b7c85c84b943f91f0431f3c028c27cc9cc119575179175151736d499aa224a6e0744fd56e6c41f4494682d27a278ff7d882d12d28ca8d

Download Submit
C:\Windows\sysdinrdvs.exe
Filesize
84KB

MD5
161a475bfe57d8b5317ca1f2f24b88fa

SHA1
38fa8a789d3d7570c411ddf4c038d89524142c2c

SHA256
98fb81423a107a5359e5fc86f1c4d81ff2d4bc73b79f55a5bf827fdb8e620c54

SHA512
d9f61f80c96fbac030c1105274f690d38d5dc8af360645102080a7caed7bad303ae89ed0e169124b834a68d1a669781eb70269bf4e8d5f34aeef394dd3d16547

Download Submit
C:\Windows\syspplsvc.exe
Filesize
85KB

MD5
10ffc145e1c09190a496a0e0527b4f3f

SHA1
e21fba21a11eecb4bc37638f48aed9f09d8912f6

SHA256
80b7e224f28c6160737a313221b9fc94d5f5e933ae1438afef4b5fae33185b2d

SHA512
bec357e73376f2e9e2963db5f7110a4c90de31a94edfaa7bf59c2f01b7bdd0c33e9a8024e995b7f0e67e332bc4aa0ec1280c7c28a24ba554772f8325e1badd1d

Download Submit
C:\Windows\winakrosvsa.exe
Filesize
14KB

MD5
2f4ab1a4a57649200550c0906d57bc28

SHA1
94bc52ed3921791630b2a001d9565b8f1bd3bd17

SHA256
baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

SHA512
ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

Download Submit
memory/400-124-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

Filesize
64KB

Download
memory/400-122-0x00007FF97D350000-0x00007FF97DE11000-memory.dmp

Filesize
10.8MB

Download
memory/400-121-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/400-207-0x0000000000BB0000-0x0000000000BC0000-memory.dmp

Filesize
64KB

Download
memory/400-203-0x00007FF97D350000-0x00007FF97DE11000-memory.dmp

Filesize
10.8MB

Download
memory/720-82-0x00007FF763830000-0x00007FF763C78000-memory.dmp

Filesize
4.3MB

Download
memory/960-189-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/960-187-0x0000000004D40000-0x0000000004D96000-memory.dmp

Filesize
344KB

Download
memory/960-171-0x0000000004AF0000-0x0000000004B82000-memory.dmp

Filesize
584KB

Download
memory/960-170-0x00000000050A0000-0x0000000005644000-memory.dmp

Filesize
5.6MB

Download
memory/960-165-0x0000000000080000-0x0000000000130000-memory.dmp

Filesize
704KB

Download
memory/960-206-0x0000000004CD0000-0x0000000004CE0000-memory.dmp

Filesize
64KB

Download
memory/960-164-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/960-186-0x00000000049E0000-0x00000000049EA000-memory.dmp

Filesize
40KB

Download
memory/2176-306-0x0000000005400000-0x00000000058AB000-memory.dmp

Filesize
4.7MB

Download
memory/2176-310-0x0000000005400000-0x00000000058AB000-memory.dmp

Filesize
4.7MB

Download
memory/2176-314-0x0000000005400000-0x00000000058AB000-memory.dmp

Filesize
4.7MB

Download
memory/2176-304-0x0000000005400000-0x00000000058AB000-memory.dmp

Filesize
4.7MB

Download
memory/2176-320-0x0000000005400000-0x00000000058AB000-memory.dmp

Filesize
4.7MB

Download
memory/2176-327-0x0000000005400000-0x00000000058AB000-memory.dmp

Filesize
4.7MB

Download
memory/2224-297-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2332-151-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/2332-166-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/2332-150-0x00000000005D0000-0x00000000009DC000-memory.dmp

Filesize
4.0MB

Download
memory/2776-16-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/2776-12-0x0000000000290000-0x0000000000743000-memory.dmp

Filesize
4.7MB

Download
memory/2776-17-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/2776-19-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/2776-18-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/2776-20-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/2776-21-0x0000000004FA0000-0x0000000004FA1000-memory.dmp

Filesize
4KB

Download
memory/2776-26-0x0000000000290000-0x0000000000743000-memory.dmp

Filesize
4.7MB

Download
memory/2776-15-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/2776-14-0x0000000000290000-0x0000000000743000-memory.dmp

Filesize
4.7MB

Download
memory/2776-13-0x0000000077814000-0x0000000077816000-memory.dmp

Filesize
8KB

Download
memory/3156-50-0x0000000002FE0000-0x0000000003060000-memory.dmp

Filesize
512KB

Download
memory/3156-52-0x0000000077812000-0x0000000077813000-memory.dmp

Filesize
4KB

Download
memory/3156-58-0x0000000003390000-0x0000000003480000-memory.dmp

Filesize
960KB

Download
memory/3156-61-0x0000000002FE0000-0x0000000003060000-memory.dmp

Filesize
512KB

Download
memory/3468-123-0x0000000002D50000-0x0000000002E94000-memory.dmp

Filesize
1.3MB

Download
memory/3468-205-0x0000000002D50000-0x0000000002E94000-memory.dmp

Filesize
1.3MB

Download
memory/3808-51-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/3808-0-0x0000000074D00000-0x00000000754B0000-memory.dmp

Filesize
7.7MB

Download
memory/3808-3-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/3808-2-0x0000000005500000-0x000000000559C000-memory.dmp

Filesize
624KB

Download
memory/3808-1-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/3808-59-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/3828-84-0x0000000000F80000-0x000000000106E000-memory.dmp

Filesize
952KB

Download
memory/3828-96-0x0000000000F80000-0x000000000106E000-memory.dmp

Filesize
952KB

Download
memory/3828-83-0x0000000000F80000-0x000000000106E000-memory.dmp

Filesize
952KB

Download
memory/3828-109-0x0000000000F80000-0x000000000106E000-memory.dmp

Filesize
952KB

Download
memory/3828-100-0x0000000000F80000-0x000000000106E000-memory.dmp

Filesize
952KB

Download
memory/3828-98-0x0000000000F80000-0x000000000106E000-memory.dmp

Filesize
952KB

Download
memory/3828-97-0x0000000000F80000-0x000000000106E000-memory.dmp

Filesize
952KB

Download
memory/3828-81-0x0000000000F80000-0x000000000106E000-memory.dmp

Filesize
952KB

Download
memory/3828-94-0x0000000000F80000-0x000000000106E000-memory.dmp

Filesize
952KB

Download
memory/3828-92-0x0000000000F80000-0x000000000106E000-memory.dmp

Filesize
952KB

Download
memory/3828-90-0x0000000000F80000-0x000000000106E000-memory.dmp

Filesize
952KB

Download
memory/3828-88-0x0000000000F80000-0x000000000106E000-memory.dmp

Filesize
952KB

Download
memory/3828-87-0x0000000000F80000-0x000000000106E000-memory.dmp

Filesize
952KB

Download
memory/3828-86-0x0000000000F80000-0x000000000106E000-memory.dmp

Filesize
952KB

Download
memory/3828-85-0x0000000000F80000-0x000000000106E000-memory.dmp

Filesize
952KB

Download
memory/3908-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-63-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/3908-141-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-80-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-78-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-79-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-77-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-75-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-76-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-74-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-73-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-72-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-70-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-68-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-69-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-67-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-57-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-65-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-64-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3908-62-0x0000000077812000-0x0000000077813000-memory.dmp

Filesize
4KB

Download
memory/4408-188-0x00000190B9580000-0x00000190B9590000-memory.dmp

Filesize
64KB

Download
memory/4408-185-0x00000190B9580000-0x00000190B9590000-memory.dmp

Filesize
64KB

Download
memory/4408-194-0x00007FF97D350000-0x00007FF97DE11000-memory.dmp

Filesize
10.8MB

Download
memory/4408-184-0x00000190B9580000-0x00000190B9590000-memory.dmp

Filesize
64KB

Download
memory/4408-182-0x00007FF97D350000-0x00007FF97DE11000-memory.dmp

Filesize
10.8MB

Download
memory/4616-231-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4616-228-0x0000000005130000-0x0000000005131000-memory.dmp

Filesize
4KB

Download
memory/4616-232-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download
memory/4616-204-0x0000000000610000-0x0000000000B87000-memory.dmp

Filesize
5.5MB

Download
memory/4616-226-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/4616-225-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4616-222-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4616-221-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/4616-220-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4616-219-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4616-329-0x0000000000610000-0x0000000000B87000-memory.dmp

Filesize
5.5MB

Download
memory/5108-137-0x0000016FC8F30000-0x0000016FC8F52000-memory.dmp

Filesize
136KB

Download
memory/5108-155-0x0000016FC8FB0000-0x0000016FC8FC0000-memory.dmp

Filesize
64KB

Download
memory/5108-138-0x00007FF97D350000-0x00007FF97DE11000-memory.dmp

Filesize
10.8MB

Download
memory/5108-140-0x0000016FC8FB0000-0x0000016FC8FC0000-memory.dmp

Filesize
64KB

Download
memory/5108-139-0x0000016FC8FB0000-0x0000016FC8FC0000-memory.dmp

Filesize
64KB

Download
memory/5108-169-0x00007FF97D350000-0x00007FF97DE11000-memory.dmp

Filesize
10.8MB

Download