gh0strat | 822c9d934cb53ca7bf76f899ad40500b4d04d24a6b044be4ed6494564e8e99e0

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-05-2023 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

2.7MB
MD5

6c99aa5d2bed8e90452d5a6a77c72f65
SHA1

c0c91c9c4be9285baeeabf0c48c637078ac0c9a1
SHA256

822c9d934cb53ca7bf76f899ad40500b4d04d24a6b044be4ed6494564e8e99e0
SHA512

2da92dbcb491370f99a253cdd62a5a9e3b905517ab2a31bbad53232d68b8eed946b423fec7dfb24aea878ab0184f9f3838cdeaba3bc65c2f923aad070d1ac1c2
SSDEEP

49152:KCwsbCANnKXferL7Vwe/Gg0P+WhdwTGH7sH:dws2ANnKXOaeOgmhdwTSsH

Score

10^/10

gh0strat purplefox persistence rat rootkit trojan upx

Malware Config

Extracted

Family

gh0strat

159.75.0.162

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/1484-75-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/1484-74-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2044-101-0x00000000020C0000-0x0000000002196000-memory.dmp	purplefox_rootkit
behavioral1/memory/640-104-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/640-109-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/640-116-0x0000000010000000-0x00000000101B6000-memory.dmp	purplefox_rootkit
behavioral1/memory/2044-138-0x00000000020C0000-0x0000000002196000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 38 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\7088872.txt	family_gh0strat
\Windows\SysWOW64\7088872.txt	family_gh0strat
\??\c:\windows\SysWOW64\7088872.txt	family_gh0strat
behavioral1/memory/1484-75-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1484-74-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/2044-100-0x00000000020C0000-0x0000000002196000-memory.dmp	family_gh0strat
behavioral1/memory/640-104-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/640-109-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1048-108-0x0000000010000000-0x0000000010015000-memory.dmp	family_gh0strat
behavioral1/memory/640-116-0x0000000010000000-0x00000000101B6000-memory.dmp	family_gh0strat
behavioral1/memory/1680-123-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
\Windows\SysWOW64\7088872.txt	family_gh0strat
behavioral1/memory/108-136-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1048-145-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1584-147-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1304-153-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1664-160-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
\Windows\SysWOW64\7088872.txt	family_gh0strat
behavioral1/memory/1328-172-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1888-177-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1688-186-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
\Windows\SysWOW64\7088872.txt	family_gh0strat
behavioral1/memory/1372-198-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1672-203-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/544-211-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1364-223-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/568-228-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
\Windows\SysWOW64\7088872.txt	family_gh0strat
behavioral1/memory/1816-238-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1544-251-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1340-256-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
behavioral1/memory/1948-263-0x0000000000400000-0x00000000004D6000-memory.dmp	family_gh0strat
\Windows\SysWOW64\7088872.txt	family_gh0strat
\Windows\SysWOW64\7088872.txt	family_gh0strat
\Windows\SysWOW64\7088872.txt	family_gh0strat
\Windows\SysWOW64\7088872.txt	family_gh0strat
\Windows\SysWOW64\7088872.txt	family_gh0strat
\Windows\SysWOW64\7088872.txt	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

TXPlatfor.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys TXPlatfor.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	TXPlatfor.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

R.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Remote Data\Parameters\ServiceDll = "C:\\Windows\\system32\\7088872.txt"	R.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TXPlatfor.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys"	TXPlatfor.exe

Executes dropped EXE 56 IoCs

Processes:

R.exeN.exeTXPlatfor.exeTXPlatfor.exeHD_tmp.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exe

pid	process
2028	R.exe
1484	N.exe
1768	TXPlatfor.exe
640	TXPlatfor.exe
1048	HD_tmp.exe
1680	Opyviil.exe
108	Opyviil.exe
1584	Opyviil.exe
1304	Opyviil.exe
1664	Opyviil.exe
1328	Opyviil.exe
1888	Opyviil.exe
1688	Opyviil.exe
1372	Opyviil.exe
1672	Opyviil.exe
544	Opyviil.exe
1364	Opyviil.exe
568	Opyviil.exe
1816	Opyviil.exe
1544	Opyviil.exe
1340	Opyviil.exe
1948	Opyviil.exe
1584	Opyviil.exe
596	Opyviil.exe
1628	Opyviil.exe
984	Opyviil.exe
1452	Opyviil.exe
620	Opyviil.exe
1644	Opyviil.exe
520	Opyviil.exe
564	Opyviil.exe
1332	Opyviil.exe
1956	Opyviil.exe
1732	Opyviil.exe
1464	Opyviil.exe
1688	Opyviil.exe
1712	Opyviil.exe
1216	Opyviil.exe
1980	Opyviil.exe
1548	Opyviil.exe
820	Opyviil.exe
1104	Opyviil.exe
1676	Opyviil.exe
588	Opyviil.exe
676	Opyviil.exe
1884	Opyviil.exe
1532	Opyviil.exe
1996	Opyviil.exe
1332	Opyviil.exe
1984	Opyviil.exe
1888	Opyviil.exe
584	Opyviil.exe
1568	Opyviil.exe
1620	Opyviil.exe
368	Opyviil.exe
1364	Opyviil.exe

Loads dropped DLL 20 IoCs

Processes:

tmp.exeR.exesvchost.exeTXPlatfor.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
2044	tmp.exe
2028	R.exe
2008	svchost.exe
2044	tmp.exe
1768	TXPlatfor.exe
2044	tmp.exe
2044	tmp.exe
1936	svchost.exe
1812	svchost.exe
972	svchost.exe
1508	svchost.exe
580	svchost.exe
772	svchost.exe
1708	svchost.exe
1600	svchost.exe
1872	svchost.exe
1732	svchost.exe
1880	svchost.exe
1220	svchost.exe
108	svchost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1484-72-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1484-75-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/1484-74-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\HD_tmp.exe	upx
\Users\Admin\AppData\Local\Temp\HD_tmp.exe	upx
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe	upx
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe	upx
behavioral1/memory/2044-100-0x00000000020C0000-0x0000000002196000-memory.dmp	upx
behavioral1/memory/1048-102-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/640-104-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
behavioral1/memory/640-109-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\HD_TMP.EXE	upx
behavioral1/memory/640-116-0x0000000010000000-0x00000000101B6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/1680-123-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/108-131-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/108-136-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/1584-139-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1048-145-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1584-147-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/1304-153-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/1664-160-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/1328-166-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1328-172-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/1888-177-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/1688-186-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/1372-191-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1372-198-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/1672-203-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/544-211-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/1364-217-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1364-223-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/568-228-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/1816-238-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/1544-243-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
behavioral1/memory/1544-251-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/1340-256-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/1948-263-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
behavioral1/memory/1584-269-0x0000000000400000-0x00000000004D6000-memory.dmp	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	upx

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

HD_tmp.exe

description	ioc	process
File opened (read-only)	\??\E:	HD_tmp.exe
File opened (read-only)	\??\F:	HD_tmp.exe
File opened (read-only)	\??\Z:	HD_tmp.exe
File opened (read-only)	\??\K:	HD_tmp.exe
File opened (read-only)	\??\M:	HD_tmp.exe
File opened (read-only)	\??\X:	HD_tmp.exe
File opened (read-only)	\??\W:	HD_tmp.exe
File opened (read-only)	\??\G:	HD_tmp.exe
File opened (read-only)	\??\I:	HD_tmp.exe
File opened (read-only)	\??\J:	HD_tmp.exe
File opened (read-only)	\??\Q:	HD_tmp.exe
File opened (read-only)	\??\R:	HD_tmp.exe
File opened (read-only)	\??\S:	HD_tmp.exe
File opened (read-only)	\??\U:	HD_tmp.exe
File opened (read-only)	\??\Y:	HD_tmp.exe
File opened (read-only)	\??\V:	HD_tmp.exe
File opened (read-only)	\??\B:	HD_tmp.exe
File opened (read-only)	\??\H:	HD_tmp.exe
File opened (read-only)	\??\L:	HD_tmp.exe
File opened (read-only)	\??\N:	HD_tmp.exe
File opened (read-only)	\??\O:	HD_tmp.exe
File opened (read-only)	\??\P:	HD_tmp.exe
File opened (read-only)	\??\T:	HD_tmp.exe

Drops file in System32 directory 19 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exeR.exesvchost.exesvchost.exeN.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\7088872.txt	R.exe
File opened for modification	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	R.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\TXPlatfor.exe	N.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe
File created	C:\Windows\SysWOW64\Remote Data.exe	svchost.exe

Drops file in Program Files directory 2 IoCs

Processes:

HD_tmp.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	HD_tmp.exe
File opened for modification	C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe	HD_tmp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	HD_tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	HD_tmp.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1544 PING.EXE

pid	process
1544	PING.EXE

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

tmp.exeHD_tmp.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exe

pid	process
2044	tmp.exe
1048	HD_tmp.exe
1680	Opyviil.exe
1048	HD_tmp.exe
108	Opyviil.exe
1584	Opyviil.exe
1304	Opyviil.exe
1664	Opyviil.exe
1328	Opyviil.exe
1888	Opyviil.exe
1688	Opyviil.exe
1372	Opyviil.exe
1672	Opyviil.exe
544	Opyviil.exe
1364	Opyviil.exe
568	Opyviil.exe
1816	Opyviil.exe
1544	Opyviil.exe
1340	Opyviil.exe
1948	Opyviil.exe
1584	Opyviil.exe
596	Opyviil.exe
1628	Opyviil.exe
984	Opyviil.exe
1452	Opyviil.exe
620	Opyviil.exe
1644	Opyviil.exe
520	Opyviil.exe
564	Opyviil.exe
1332	Opyviil.exe
1956	Opyviil.exe
1732	Opyviil.exe
1464	Opyviil.exe
1688	Opyviil.exe
1712	Opyviil.exe
1216	Opyviil.exe
1980	Opyviil.exe
1548	Opyviil.exe
820	Opyviil.exe
1104	Opyviil.exe
1676	Opyviil.exe
588	Opyviil.exe
676	Opyviil.exe
1884	Opyviil.exe
1532	Opyviil.exe
1996	Opyviil.exe
1332	Opyviil.exe
1984	Opyviil.exe
1888	Opyviil.exe
584	Opyviil.exe
1568	Opyviil.exe
1620	Opyviil.exe
368	Opyviil.exe
1364	Opyviil.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

TXPlatfor.exe

pid process

640 TXPlatfor.exe

pid	process
640	TXPlatfor.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

HD_tmp.exeOpyviil.exeOpyviil.exe

pid	process
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1048	HD_tmp.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
1680	Opyviil.exe
108	Opyviil.exe
108	Opyviil.exe
108	Opyviil.exe
108	Opyviil.exe
108	Opyviil.exe
108	Opyviil.exe
108	Opyviil.exe
108	Opyviil.exe
108	Opyviil.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

N.exeHD_tmp.exeTXPlatfor.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exeOpyviil.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1484	N.exe
Token: SeDebugPrivilege	1048	HD_tmp.exe
Token: SeLoadDriverPrivilege	640	TXPlatfor.exe
Token: SeDebugPrivilege	1680	Opyviil.exe
Token: SeDebugPrivilege	108	Opyviil.exe
Token: SeDebugPrivilege	1584	Opyviil.exe
Token: SeDebugPrivilege	1304	Opyviil.exe
Token: SeDebugPrivilege	1664	Opyviil.exe
Token: SeDebugPrivilege	1328	Opyviil.exe
Token: SeDebugPrivilege	1888	Opyviil.exe
Token: SeDebugPrivilege	1688	Opyviil.exe
Token: SeDebugPrivilege	1372	Opyviil.exe
Token: SeDebugPrivilege	1672	Opyviil.exe
Token: SeDebugPrivilege	544	Opyviil.exe
Token: SeDebugPrivilege	1364	Opyviil.exe
Token: SeDebugPrivilege	568	Opyviil.exe
Token: SeDebugPrivilege	1816	Opyviil.exe
Token: SeDebugPrivilege	1544	Opyviil.exe
Token: SeDebugPrivilege	1340	Opyviil.exe
Token: SeDebugPrivilege	1948	Opyviil.exe
Token: SeDebugPrivilege	1584	Opyviil.exe
Token: SeDebugPrivilege	596	Opyviil.exe
Token: 33	640	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	640	TXPlatfor.exe
Token: SeDebugPrivilege	1628	Opyviil.exe
Token: SeDebugPrivilege	984	Opyviil.exe
Token: SeDebugPrivilege	1452	Opyviil.exe
Token: SeDebugPrivilege	620	Opyviil.exe
Token: SeDebugPrivilege	1644	Opyviil.exe
Token: SeDebugPrivilege	520	Opyviil.exe
Token: SeDebugPrivilege	564	Opyviil.exe
Token: SeDebugPrivilege	1332	Opyviil.exe
Token: SeDebugPrivilege	1956	Opyviil.exe
Token: SeDebugPrivilege	1732	Opyviil.exe
Token: SeDebugPrivilege	1464	Opyviil.exe
Token: SeDebugPrivilege	1688	Opyviil.exe
Token: SeDebugPrivilege	1712	Opyviil.exe
Token: SeDebugPrivilege	1216	Opyviil.exe
Token: SeDebugPrivilege	1980	Opyviil.exe
Token: SeDebugPrivilege	1548	Opyviil.exe
Token: SeDebugPrivilege	820	Opyviil.exe
Token: SeDebugPrivilege	1104	Opyviil.exe
Token: SeDebugPrivilege	1676	Opyviil.exe
Token: SeDebugPrivilege	588	Opyviil.exe
Token: SeDebugPrivilege	676	Opyviil.exe
Token: SeDebugPrivilege	1884	Opyviil.exe
Token: SeDebugPrivilege	1532	Opyviil.exe
Token: 33	640	TXPlatfor.exe
Token: SeIncBasePriorityPrivilege	640	TXPlatfor.exe
Token: SeDebugPrivilege	1996	Opyviil.exe
Token: SeDebugPrivilege	1332	Opyviil.exe
Token: SeDebugPrivilege	1984	Opyviil.exe
Token: SeDebugPrivilege	1888	Opyviil.exe
Token: SeDebugPrivilege	584	Opyviil.exe
Token: SeDebugPrivilege	1568	Opyviil.exe
Token: SeDebugPrivilege	1620	Opyviil.exe
Token: SeDebugPrivilege	368	Opyviil.exe
Token: SeDebugPrivilege	1364	Opyviil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

tmp.exe

pid process

2044 tmp.exe
2044 tmp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

tmp.exeTXPlatfor.exeN.execmd.exeHD_tmp.exe

description	pid	process	target process
PID 2044 wrote to memory of 2028	2044	tmp.exe	R.exe
PID 2044 wrote to memory of 2028	2044	tmp.exe	R.exe
PID 2044 wrote to memory of 2028	2044	tmp.exe	R.exe
PID 2044 wrote to memory of 2028	2044	tmp.exe	R.exe
PID 2044 wrote to memory of 1484	2044	tmp.exe	N.exe
PID 2044 wrote to memory of 1484	2044	tmp.exe	N.exe
PID 2044 wrote to memory of 1484	2044	tmp.exe	N.exe
PID 2044 wrote to memory of 1484	2044	tmp.exe	N.exe
PID 2044 wrote to memory of 1484	2044	tmp.exe	N.exe
PID 2044 wrote to memory of 1484	2044	tmp.exe	N.exe
PID 2044 wrote to memory of 1484	2044	tmp.exe	N.exe
PID 1768 wrote to memory of 640	1768	TXPlatfor.exe	TXPlatfor.exe
PID 1768 wrote to memory of 640	1768	TXPlatfor.exe	TXPlatfor.exe
PID 1768 wrote to memory of 640	1768	TXPlatfor.exe	TXPlatfor.exe
PID 1768 wrote to memory of 640	1768	TXPlatfor.exe	TXPlatfor.exe
PID 1768 wrote to memory of 640	1768	TXPlatfor.exe	TXPlatfor.exe
PID 1768 wrote to memory of 640	1768	TXPlatfor.exe	TXPlatfor.exe
PID 1768 wrote to memory of 640	1768	TXPlatfor.exe	TXPlatfor.exe
PID 1484 wrote to memory of 620	1484	N.exe	cmd.exe
PID 1484 wrote to memory of 620	1484	N.exe	cmd.exe
PID 1484 wrote to memory of 620	1484	N.exe	cmd.exe
PID 1484 wrote to memory of 620	1484	N.exe	cmd.exe
PID 2044 wrote to memory of 1048	2044	tmp.exe	HD_tmp.exe
PID 2044 wrote to memory of 1048	2044	tmp.exe	HD_tmp.exe
PID 2044 wrote to memory of 1048	2044	tmp.exe	HD_tmp.exe
PID 2044 wrote to memory of 1048	2044	tmp.exe	HD_tmp.exe
PID 620 wrote to memory of 1544	620	cmd.exe	PING.EXE
PID 620 wrote to memory of 1544	620	cmd.exe	PING.EXE
PID 620 wrote to memory of 1544	620	cmd.exe	PING.EXE
PID 620 wrote to memory of 1544	620	cmd.exe	PING.EXE
PID 1048 wrote to memory of 372	1048	HD_tmp.exe	wininit.exe
PID 1048 wrote to memory of 372	1048	HD_tmp.exe	wininit.exe
PID 1048 wrote to memory of 372	1048	HD_tmp.exe	wininit.exe
PID 1048 wrote to memory of 372	1048	HD_tmp.exe	wininit.exe
PID 1048 wrote to memory of 372	1048	HD_tmp.exe	wininit.exe
PID 1048 wrote to memory of 372	1048	HD_tmp.exe	wininit.exe
PID 1048 wrote to memory of 372	1048	HD_tmp.exe	wininit.exe
PID 1048 wrote to memory of 384	1048	HD_tmp.exe	csrss.exe
PID 1048 wrote to memory of 384	1048	HD_tmp.exe	csrss.exe
PID 1048 wrote to memory of 384	1048	HD_tmp.exe	csrss.exe
PID 1048 wrote to memory of 384	1048	HD_tmp.exe	csrss.exe
PID 1048 wrote to memory of 384	1048	HD_tmp.exe	csrss.exe
PID 1048 wrote to memory of 384	1048	HD_tmp.exe	csrss.exe
PID 1048 wrote to memory of 384	1048	HD_tmp.exe	csrss.exe
PID 1048 wrote to memory of 420	1048	HD_tmp.exe	winlogon.exe
PID 1048 wrote to memory of 420	1048	HD_tmp.exe	winlogon.exe
PID 1048 wrote to memory of 420	1048	HD_tmp.exe	winlogon.exe
PID 1048 wrote to memory of 420	1048	HD_tmp.exe	winlogon.exe
PID 1048 wrote to memory of 420	1048	HD_tmp.exe	winlogon.exe
PID 1048 wrote to memory of 420	1048	HD_tmp.exe	winlogon.exe
PID 1048 wrote to memory of 420	1048	HD_tmp.exe	winlogon.exe
PID 1048 wrote to memory of 468	1048	HD_tmp.exe	services.exe
PID 1048 wrote to memory of 468	1048	HD_tmp.exe	services.exe
PID 1048 wrote to memory of 468	1048	HD_tmp.exe	services.exe
PID 1048 wrote to memory of 468	1048	HD_tmp.exe	services.exe
PID 1048 wrote to memory of 468	1048	HD_tmp.exe	services.exe
PID 1048 wrote to memory of 468	1048	HD_tmp.exe	services.exe
PID 1048 wrote to memory of 468	1048	HD_tmp.exe	services.exe
PID 1048 wrote to memory of 476	1048	HD_tmp.exe	lsass.exe
PID 1048 wrote to memory of 476	1048	HD_tmp.exe	lsass.exe
PID 1048 wrote to memory of 476	1048	HD_tmp.exe	lsass.exe
PID 1048 wrote to memory of 476	1048	HD_tmp.exe	lsass.exe
PID 1048 wrote to memory of 476	1048	HD_tmp.exe	lsass.exe
PID 1048 wrote to memory of 476	1048	HD_tmp.exe	lsass.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:864
- - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    PID:1820
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:940
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:804
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1120
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1084
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:756
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:328
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:1000
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:824
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:764
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:684
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:604
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  2⤵
  PID:1996
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2008
- C:\Windows\SysWOW64\TXPlatfor.exe
  C:\Windows\SysWOW64\TXPlatfor.exe -auto
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\SysWOW64\TXPlatfor.exe
    C:\Windows\SysWOW64\TXPlatfor.exe -acsi
    3⤵
    - Drops file in Drivers directory
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1936
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:108
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1664
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1812
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:972
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:568
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1508
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:580
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:596
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:772
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:520
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1708
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1332
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1600
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1872
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1732
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1676
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:588
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:676
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1880
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1996
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1332
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1220
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:584
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:108
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:368
- C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe
  "C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\R.exe
    C:\Users\Admin\AppData\Local\Temp\\R.exe
    3⤵
    - Sets DLL path for service in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    PID:2028
- - C:\Users\Admin\AppData\Local\Temp\N.exe
    C:\Users\Admin\AppData\Local\Temp\\N.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
      4⤵
      Suspicious use of WriteProcessMemory
      PID:620
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:1544
- - C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe
    C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1048

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:384
- C:\Windows\system32\conhost.exe
  \??\C:\Windows\system32\conhost.exe "1045833741-508416408-9727750435996382691211894696-733135753-20976167298860403"
  2⤵
  PID:1448

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Program Files (x86)\Microsoft Mqiuow\Opyviil.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\USERS\ADMIN\APPDATA\LOCAL\TEMP\HD_TMP.EXE

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat

Filesize
2.3MB

MD5
5b5a9ba7646021a05b29feb9d5679b9d

SHA1
5790107fe005a4901869fa2e5d9e4ec7204a63e4

SHA256
00afeed2c5cd8213bf8400c95fa6dcdd839a6a08cc49b812fc2b132958bc0a51

SHA512
0991d0b58c0e30f4424e5bf9e6c1a9f4ae1090f5eed24b9d313676108a81359f7289c1815b5b0614275b610ff342ac4ef7cbee99a2e8dbae6200ee5a40010b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_tmp.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
C:\Windows\SysWOW64\TXPlatfor.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
\??\c:\windows\SysWOW64\7088872.txt

Filesize
899KB

MD5
a8d613394ed4f0f7eb337e8cdfc53b4a

SHA1
b5ff45acc73c4123a1936ddb8931e4596d42b6c4

SHA256
515e4fa102d623b82a92a452f0e51c2c7e91976768c456867bbd9f1f3fc73fe1

SHA512
a97940e87c7640e7dc58c5a4365d986db3b8f7466c9b112dc0d9610f6db8714bddd951514ef0c94df65c37f2c48843c62de789248239d9b072e3ce4b2f1f5d50

Download Submit
\Users\Admin\AppData\Local\Temp\HD_tmp.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
\Users\Admin\AppData\Local\Temp\HD_tmp.exe

Filesize
317KB

MD5
dd89479c44348b119c964870191d2f0a

SHA1
c8aec62f4f01275456d5f140e8a502cf864bfe4f

SHA256
f2960d4680bbfa92a658425fae8b462f5f847e72eda491c3cca1c03283f96825

SHA512
3fd5d6a11884e48f827128f8ca25f4521739fc32df4931d1551601e4e32155f018ac5e1c232866a9c487df7db306425f1094ac65992721f3539c712f2424e3ac

Download Submit
\Users\Admin\AppData\Local\Temp\N.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
\Users\Admin\AppData\Local\Temp\R.exe

Filesize
941KB

MD5
8dc3adf1c490211971c1e2325f1424d2

SHA1
4eec4a4e7cb97c5efa6c72e0731cd090c0c4adc5

SHA256
bc29f2022ab3b812e50c8681ff196f090c038b5ab51e37daffac4469a8c2eb2c

SHA512
ae92ea20b359849dcdba4808119b154e3af5ef3687ee09de1797610fe8c4d3eb9065b068074d35adddb4b225d17c619baff3944cb137ad196bcef7a6507f920d

Download Submit
\Windows\SysWOW64\7088872.txt

Filesize
899KB

MD5
a8d613394ed4f0f7eb337e8cdfc53b4a

SHA1
b5ff45acc73c4123a1936ddb8931e4596d42b6c4

SHA256
515e4fa102d623b82a92a452f0e51c2c7e91976768c456867bbd9f1f3fc73fe1

SHA512
a97940e87c7640e7dc58c5a4365d986db3b8f7466c9b112dc0d9610f6db8714bddd951514ef0c94df65c37f2c48843c62de789248239d9b072e3ce4b2f1f5d50

Download Submit
\Windows\SysWOW64\7088872.txt

Filesize
899KB

MD5
a8d613394ed4f0f7eb337e8cdfc53b4a

SHA1
b5ff45acc73c4123a1936ddb8931e4596d42b6c4

SHA256
515e4fa102d623b82a92a452f0e51c2c7e91976768c456867bbd9f1f3fc73fe1

SHA512
a97940e87c7640e7dc58c5a4365d986db3b8f7466c9b112dc0d9610f6db8714bddd951514ef0c94df65c37f2c48843c62de789248239d9b072e3ce4b2f1f5d50

Download Submit
\Windows\SysWOW64\7088872.txt

Filesize
899KB

MD5
a8d613394ed4f0f7eb337e8cdfc53b4a

SHA1
b5ff45acc73c4123a1936ddb8931e4596d42b6c4

SHA256
515e4fa102d623b82a92a452f0e51c2c7e91976768c456867bbd9f1f3fc73fe1

SHA512
a97940e87c7640e7dc58c5a4365d986db3b8f7466c9b112dc0d9610f6db8714bddd951514ef0c94df65c37f2c48843c62de789248239d9b072e3ce4b2f1f5d50

Download Submit
\Windows\SysWOW64\7088872.txt

Filesize
899KB

MD5
a8d613394ed4f0f7eb337e8cdfc53b4a

SHA1
b5ff45acc73c4123a1936ddb8931e4596d42b6c4

SHA256
515e4fa102d623b82a92a452f0e51c2c7e91976768c456867bbd9f1f3fc73fe1

SHA512
a97940e87c7640e7dc58c5a4365d986db3b8f7466c9b112dc0d9610f6db8714bddd951514ef0c94df65c37f2c48843c62de789248239d9b072e3ce4b2f1f5d50

Download Submit
\Windows\SysWOW64\7088872.txt

Filesize
899KB

MD5
a8d613394ed4f0f7eb337e8cdfc53b4a

SHA1
b5ff45acc73c4123a1936ddb8931e4596d42b6c4

SHA256
515e4fa102d623b82a92a452f0e51c2c7e91976768c456867bbd9f1f3fc73fe1

SHA512
a97940e87c7640e7dc58c5a4365d986db3b8f7466c9b112dc0d9610f6db8714bddd951514ef0c94df65c37f2c48843c62de789248239d9b072e3ce4b2f1f5d50

Download Submit
\Windows\SysWOW64\7088872.txt

Filesize
899KB

MD5
a8d613394ed4f0f7eb337e8cdfc53b4a

SHA1
b5ff45acc73c4123a1936ddb8931e4596d42b6c4

SHA256
515e4fa102d623b82a92a452f0e51c2c7e91976768c456867bbd9f1f3fc73fe1

SHA512
a97940e87c7640e7dc58c5a4365d986db3b8f7466c9b112dc0d9610f6db8714bddd951514ef0c94df65c37f2c48843c62de789248239d9b072e3ce4b2f1f5d50

Download Submit
\Windows\SysWOW64\7088872.txt

Filesize
899KB

MD5
a8d613394ed4f0f7eb337e8cdfc53b4a

SHA1
b5ff45acc73c4123a1936ddb8931e4596d42b6c4

SHA256
515e4fa102d623b82a92a452f0e51c2c7e91976768c456867bbd9f1f3fc73fe1

SHA512
a97940e87c7640e7dc58c5a4365d986db3b8f7466c9b112dc0d9610f6db8714bddd951514ef0c94df65c37f2c48843c62de789248239d9b072e3ce4b2f1f5d50

Download Submit
\Windows\SysWOW64\7088872.txt

Filesize
899KB

MD5
a8d613394ed4f0f7eb337e8cdfc53b4a

SHA1
b5ff45acc73c4123a1936ddb8931e4596d42b6c4

SHA256
515e4fa102d623b82a92a452f0e51c2c7e91976768c456867bbd9f1f3fc73fe1

SHA512
a97940e87c7640e7dc58c5a4365d986db3b8f7466c9b112dc0d9610f6db8714bddd951514ef0c94df65c37f2c48843c62de789248239d9b072e3ce4b2f1f5d50

Download Submit
\Windows\SysWOW64\7088872.txt

Filesize
899KB

MD5
a8d613394ed4f0f7eb337e8cdfc53b4a

SHA1
b5ff45acc73c4123a1936ddb8931e4596d42b6c4

SHA256
515e4fa102d623b82a92a452f0e51c2c7e91976768c456867bbd9f1f3fc73fe1

SHA512
a97940e87c7640e7dc58c5a4365d986db3b8f7466c9b112dc0d9610f6db8714bddd951514ef0c94df65c37f2c48843c62de789248239d9b072e3ce4b2f1f5d50

Download Submit
\Windows\SysWOW64\7088872.txt

Filesize
899KB

MD5
a8d613394ed4f0f7eb337e8cdfc53b4a

SHA1
b5ff45acc73c4123a1936ddb8931e4596d42b6c4

SHA256
515e4fa102d623b82a92a452f0e51c2c7e91976768c456867bbd9f1f3fc73fe1

SHA512
a97940e87c7640e7dc58c5a4365d986db3b8f7466c9b112dc0d9610f6db8714bddd951514ef0c94df65c37f2c48843c62de789248239d9b072e3ce4b2f1f5d50

Download Submit
\Windows\SysWOW64\7088872.txt

Filesize
899KB

MD5
a8d613394ed4f0f7eb337e8cdfc53b4a

SHA1
b5ff45acc73c4123a1936ddb8931e4596d42b6c4

SHA256
515e4fa102d623b82a92a452f0e51c2c7e91976768c456867bbd9f1f3fc73fe1

SHA512
a97940e87c7640e7dc58c5a4365d986db3b8f7466c9b112dc0d9610f6db8714bddd951514ef0c94df65c37f2c48843c62de789248239d9b072e3ce4b2f1f5d50

Download Submit
\Windows\SysWOW64\7088872.txt

Filesize
899KB

MD5
a8d613394ed4f0f7eb337e8cdfc53b4a

SHA1
b5ff45acc73c4123a1936ddb8931e4596d42b6c4

SHA256
515e4fa102d623b82a92a452f0e51c2c7e91976768c456867bbd9f1f3fc73fe1

SHA512
a97940e87c7640e7dc58c5a4365d986db3b8f7466c9b112dc0d9610f6db8714bddd951514ef0c94df65c37f2c48843c62de789248239d9b072e3ce4b2f1f5d50

Download Submit
\Windows\SysWOW64\TXPlatfor.exe

Filesize
377KB

MD5
4a36a48e58829c22381572b2040b6fe0

SHA1
f09d30e44ff7e3f20a5de307720f3ad148c6143b

SHA256
3de6c02f52a661b8f934f59541d0cf297bb489eb2155e346b63c7338e09aeaf8

SHA512
5d0ea398792f6b9eb3f188813c50b7f43929183b5733d2b595b2fd1c78722764fd15f62db1086b5c7edfb157661a6dcd544ddd80907ee7699dddbca1ef4022d0

Download Submit
memory/108-131-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/108-136-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/544-211-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/568-228-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/620-125-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/640-188-0x000000007EF10000-0x000000007EF1C000-memory.dmp

Filesize
48KB

Download
memory/640-221-0x000000007EED0000-0x000000007EEDC000-memory.dmp

Filesize
48KB

Download
memory/640-197-0x000000007EF60000-0x000000007EF6C000-memory.dmp

Filesize
48KB

Download
memory/640-192-0x000000007EF00000-0x000000007EF0C000-memory.dmp

Filesize
48KB

Download
memory/640-104-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/640-109-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/640-204-0x000000007EF50000-0x000000007EF5C000-memory.dmp

Filesize
48KB

Download
memory/640-205-0x000000007EEF0000-0x000000007EEFC000-memory.dmp

Filesize
48KB

Download
memory/640-187-0x000000007EF70000-0x000000007EF7C000-memory.dmp

Filesize
48KB

Download
memory/640-264-0x000000007EEE0000-0x000000007EEEC000-memory.dmp

Filesize
48KB

Download
memory/640-154-0x000000007EF50000-0x000000007EF5C000-memory.dmp

Filesize
48KB

Download
memory/640-161-0x000000007EF40000-0x000000007EF4C000-memory.dmp

Filesize
48KB

Download
memory/640-212-0x000000007EEE0000-0x000000007EEEC000-memory.dmp

Filesize
48KB

Download
memory/640-116-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/640-121-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/640-273-0x000000007EED0000-0x000000007EEDC000-memory.dmp

Filesize
48KB

Download
memory/640-124-0x000000007EF80000-0x000000007EF8C000-memory.dmp

Filesize
48KB

Download
memory/640-257-0x000000007EE90000-0x000000007EE9C000-memory.dmp

Filesize
48KB

Download
memory/640-178-0x000000007EF20000-0x000000007EF2C000-memory.dmp

Filesize
48KB

Download
memory/640-229-0x000000007EF20000-0x000000007EF2C000-memory.dmp

Filesize
48KB

Download
memory/640-135-0x000000007EF70000-0x000000007EF7C000-memory.dmp

Filesize
48KB

Download
memory/640-232-0x000000007EEC0000-0x000000007EECC000-memory.dmp

Filesize
48KB

Download
memory/640-265-0x000000007EE80000-0x000000007EE8C000-memory.dmp

Filesize
48KB

Download
memory/640-146-0x000000007EF60000-0x000000007EF6C000-memory.dmp

Filesize
48KB

Download
memory/640-239-0x000000007EF10000-0x000000007EF1C000-memory.dmp

Filesize
48KB

Download
memory/640-240-0x000000007EEB0000-0x000000007EEBC000-memory.dmp

Filesize
48KB

Download
memory/640-171-0x000000007EF30000-0x000000007EF3C000-memory.dmp

Filesize
48KB

Download
memory/640-152-0x000000007EF80000-0x000000007EF8C000-memory.dmp

Filesize
48KB

Download
memory/640-244-0x000000007EF00000-0x000000007EF0C000-memory.dmp

Filesize
48KB

Download
memory/972-213-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/972-214-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/1048-108-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/1048-145-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1048-128-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/1048-102-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1304-153-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1328-166-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1328-172-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1340-256-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1364-217-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1364-223-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1372-191-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1372-198-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1484-72-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1484-74-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1484-75-0x0000000010000000-0x00000000101B6000-memory.dmp

Filesize
1.7MB

Download
memory/1508-249-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/1508-248-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1544-243-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1544-251-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1544-103-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1584-147-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1584-139-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1584-269-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1664-160-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1672-203-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1680-123-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1688-186-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1812-180-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/1812-179-0x000000007EFA0000-0x000000007EFAC000-memory.dmp

Filesize
48KB

Download
memory/1816-238-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1888-177-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/1936-140-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/1948-263-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2008-126-0x000000007EF90000-0x000000007EF9C000-memory.dmp

Filesize
48KB

Download
memory/2044-138-0x00000000020C0000-0x0000000002196000-memory.dmp

Filesize
856KB

Download
memory/2044-101-0x00000000020C0000-0x0000000002196000-memory.dmp

Filesize
856KB

Download
memory/2044-100-0x00000000020C0000-0x0000000002196000-memory.dmp

Filesize
856KB

Download
memory/2044-144-0x00000000020C0000-0x0000000002196000-memory.dmp

Filesize
856KB

Download
memory/2044-167-0x000000007EF50000-0x000000007EF5C000-memory.dmp

Filesize
48KB

Download